The folks at Renesys pointed out earlier this week some interesting activity surrounding the L-root name server, highlighting some activity that should give us all yet another reason to be concerned about the security and integrity of the Internet DNS.
In short, L-root, operated by ICANN, was renumbered from 220.127.116.11 to 18.104.22.168. ICANN renumbered L-root into this 22.214.171.124/24 space after being allocated a "critical infrastructure" address block from ARIN, the old 126.96.36.199/24 block belongs to Bill Manning and ep.net. ICANN announced their intentions to renumber over six months ago, and stopped using the old address space for the authentic L-root on May 2.
Since ICANN (AS 20144) announced their intentions to stop using the old address space, three other networks (Community DNS, ep.net & Diyixian.com) have asserted reachability for that old address space. Normally, that wouldn't be such a big deal, as name servers on the Internet that hadn't yet picked up an updated root hints file would simply query the old IP, receive no response, and move on to another root. However, not only did these three networks assert reachability for the old address space, they were actually fielding DNS queries targeted to the root, and replied to the querier. All data presented to date seems to suggest that the responses they were providing were legitimate, but to me that's all together a different issue.
However, considering that a great deal of malware today tends to corrupt the DNS resolution path [PDF] in order to further exploit compromised end-systems, and that corruption, or any other actual end-system compromise, might well be unnecessary if the root were compromised — well, think of the possibilities!
The root DNS infrastructure is extremely resilient and well distributed, in part because of anycast and local instances of various root servers, and this is a good thing, IMO. However, the fact that I might initiate a DNS query that would find its way up the DNS tree to the root, and AN L-root resolver responds, and that L-root might not be the legitimate L-root, well, that should give every user on the Internet great reason for alarm, certainly those that are security-minded.
I trust ICANN and RSSAC will put new safeguards in place to ensure that these activities are detected much more quickly in the future (for all roots), and that they will also work on plans that both help avoid renumbering of roots, and monitoring of existing and old root address spaces (for both DNS queries and distributed Internet routing system state) to detect these sorts of threats. ICANN should also consider a more far-reaching mechanism for notification of root IP address changes (I'm not sure a blog post alone is considered reasonable, although I'm not aware of other methods that may have been employed to make folks aware of this critical change). Folks that do flow-based or other network transaction monitoring should ensure that you don't have DNS transactions targeting or sourced from old root address spaces. In addition, wrapping some contractual or legalese around these old address spaces to prohibit this type of activity (for whatever the incentive) would seem prudent.
By Danny McPherson, Senior Vice President and Chief Security Officer at Verisign
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Neustar DNS Services
Minds + Machines
Neustar DDoS Protection