1. DNS/毒盛/移転インジェクション/確認方法/bind

BIND では、途中で NS レコードの問い合わせをはさんでも NS 毒盛が起きる。

/NS

FreeBSD/bind-9.12.1/log

2. 事前の問い合わせ

tmaeno@u16:~$ dig b5.flip.e-ontap.com

; <<>> DiG 9.12.0 <<>> b5.flip.e-ontap.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13230
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;b5.flip.e-ontap.com.           IN      A

;; ANSWER SECTION:
b5.flip.e-ontap.com.    60      IN      A       150.42.6.1

;; Query time: 255 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 07 16:20:23 JST 2018
;; MSG SIZE  rcvd: 64

tmaeno@u16:~$ dig b6.flip.e-ontap.com

; <<>> DiG 9.12.0 <<>> b6.flip.e-ontap.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10549
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;b6.flip.e-ontap.com.           IN      A

;; ANSWER SECTION:
b6.flip.e-ontap.com.    60      IN      A       150.42.6.1

;; Query time: 914 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 07 16:20:36 JST 2018
;; MSG SIZE  rcvd: 64

3. NS query

tmaeno@u16:~$ dig -t ns flip.e-ontap.com

; <<>> DiG 9.12.0 <<>> -t ns flip.e-ontap.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2380
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;flip.e-ontap.com.              IN      NS

;; ANSWER SECTION:
flip.e-ontap.com.       3573    IN      NS      ns.flip.e-ontap.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 07 16:20:51 JST 2018
;; MSG SIZE  rcvd: 62

4. NSの切替を待つ

tmaeno@u16:~$ dig b7.flip.e-ontap.com

; <<>> DiG 9.12.0 <<>> b7.flip.e-ontap.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22706
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;b7.flip.e-ontap.com.           IN      A

;; ANSWER SECTION:
b7.flip.e-ontap.com.    60      IN      A       150.42.6.1

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 07 16:21:19 JST 2018
;; MSG SIZE  rcvd: 64

tmaeno@u16:~$ dig b8.flip.e-ontap.com

; <<>> DiG 9.12.0 <<>> b8.flip.e-ontap.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32782
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;b8.flip.e-ontap.com.           IN      A

;; ANSWER SECTION:
b8.flip.e-ontap.com.    60      IN      A       150.42.6.1

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 07 16:22:05 JST 2018
;; MSG SIZE  rcvd: 64

5. 権威サーバーを覗いてみる

tmaeno@u16:~$ dig b23.flip.e-ontap.com @150.42.6.1

; <<>> DiG 9.12.0 <<>> b23.flip.e-ontap.com @150.42.6.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41552
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;b23.flip.e-ontap.com.          IN      A

;; ANSWER SECTION:
b23.flip.e-ontap.com.   60      IN      A       150.42.6.1

;; AUTHORITY SECTION:
flip.e-ontap.com.       3600    IN      NS      ns.flip.e-ontap.com.

;; ADDITIONAL SECTION:
ns.flip.e-ontap.com.    3600    IN      A       150.42.6.1

;; Query time: 10 msec
;; SERVER: 150.42.6.1#53(150.42.6.1)
;; WHEN: Sat Apr 07 16:22:27 JST 2018
;; MSG SIZE  rcvd: 87

tmaeno@u16:~$ dig b24.flip.e-ontap.com @150.42.6.1

; <<>> DiG 9.12.0 <<>> b24.flip.e-ontap.com @150.42.6.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41304
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;b24.flip.e-ontap.com.          IN      A

;; ANSWER SECTION:
b24.flip.e-ontap.com.   60      IN      A       150.42.6.1

;; AUTHORITY SECTION:
flip.e-ontap.com.       3600    IN      NS      ns.flip.e-ontap.com.

;; ADDITIONAL SECTION:
ns.flip.e-ontap.com.    3600    IN      A       150.42.6.1

;; Query time: 11 msec
;; SERVER: 150.42.6.1#53(150.42.6.1)
;; WHEN: Sat Apr 07 16:23:11 JST 2018
;; MSG SIZE  rcvd: 87

6. query 再開

tmaeno@u16:~$ dig b24.flip.e-ontap.com

; <<>> DiG 9.12.0 <<>> b24.flip.e-ontap.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29350
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;b24.flip.e-ontap.com.          IN      A

;; ANSWER SECTION:
b24.flip.e-ontap.com.   60      IN      A       150.42.6.1

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 07 16:23:16 JST 2018
;; MSG SIZE  rcvd: 65

tmaeno@u16:~$ dig b25.flip.e-ontap.com

; <<>> DiG 9.12.0 <<>> b25.flip.e-ontap.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29201
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;b25.flip.e-ontap.com.          IN      A

;; ANSWER SECTION:
b25.flip.e-ontap.com.   60      IN      A       150.42.6.1

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 07 16:23:55 JST 2018
;; MSG SIZE  rcvd: 65

tmaeno@u16:~$ dig b26.flip.e-ontap.com

; <<>> DiG 9.12.0 <<>> b26.flip.e-ontap.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61425
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;b26.flip.e-ontap.com.          IN      A

;; ANSWER SECTION:
b26.flip.e-ontap.com.   60      IN      A       150.42.6.1

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 07 16:24:21 JST 2018
;; MSG SIZE  rcvd: 65

tmaeno@u16:~$ dig b2.flip.e-ontap.com

; <<>> DiG 9.12.0 <<>> b2.flip.e-ontap.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48493
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;b2.flip.e-ontap.com.           IN      A

;; ANSWER SECTION:
b2.flip.e-ontap.com.    60      IN      A       150.42.6.1

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 07 16:24:32 JST 2018
;; MSG SIZE  rcvd: 64

tmaeno@u16:~$ dig c25.flip.e-ontap.com

; <<>> DiG 9.12.0 <<>> c25.flip.e-ontap.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19132
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;c25.flip.e-ontap.com.          IN      A

;; ANSWER SECTION:
c25.flip.e-ontap.com.   60      IN      A       150.42.6.1

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 07 16:24:56 JST 2018
;; MSG SIZE  rcvd: 65

tmaeno@u16:~$ dig c251.flip.e-ontap.com

; <<>> DiG 9.12.0 <<>> c251.flip.e-ontap.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35748
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;c251.flip.e-ontap.com.         IN      A

;; ANSWER SECTION:
c251.flip.e-ontap.com.  60      IN      A       150.42.6.1

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 07 16:25:04 JST 2018
;; MSG SIZE  rcvd: 66

7. 切り替わった

tmaeno@u16:~$ dig c258.flip.e-ontap.com

; <<>> DiG 9.12.0 <<>> c258.flip.e-ontap.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46914
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;c258.flip.e-ontap.com.         IN      A

;; ANSWER SECTION:
c258.flip.e-ontap.com.  60      IN      A       150.42.6.5

;; Query time: 41 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 07 16:25:19 JST 2018
;; MSG SIZE  rcvd: 66

8. NS はどうなったか？（3. の ns.flip.e-ontap.com から ns.flip.internot.jp に変わっている）

tmaeno@u16:~$ dig -t ns flip.e-ontap.com

; <<>> DiG 9.12.0 <<>> -t ns flip.e-ontap.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44888
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;flip.e-ontap.com.              IN      NS

;; ANSWER SECTION:
flip.e-ontap.com.       3274    IN      NS      ns.flip.internot.jp.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 07 16:25:50 JST 2018
;; MSG SIZE  rcvd: 78
