
Show HN: Recursive DNS Server Fingerprint - pjf
https://recdnsfp.github.io/
======
gtirloni
It's nice to see a country as large as Brazil having 24% of its domains with
DNSSEC records (973k out of 3.9m domains). I expected it to be close to zero.

This is very interesting work. I wish there was an easy way to see DNSSEC
statistics for each ccTLD side-by-side with the fingerprint report.

~~~
gcb0
Brazil is the only country other than US that understood internet control.

They have their own, centralized registrar, and they use proper TLDs such as
gov, jus (justice) etc. with their own TLS system (which sometimes updates
faster than browsers can keep up, so you have to add root signatures manually
to your systems).

~~~
dschulz
I was actually surprised when Kaspersky announced NIC.br was compromised and
many banking sites were hijacked. If I remember correctly, they (NIC.br)
identified a vulnerability but then denied Kaspersky's claims.

[https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/](https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/)

~~~
gcb0
Did anyone ever release any more info on this?

So far, all points to the bank falling for a scam and releasing credentials to
NIC.br.

------
willscott
This is a very cool use of RIPE Atlas!

Note that it's not going to flag many of the censorship apparatus, because
they will inject replies only for queries matching their denied patterns.

Reversing that list in a useful way remains tricky, to say the least.

------
JoshTriplett
Seems odd that their tests have a drastically different number of probes from
different source countries. total_probes ought to be exactly the same from
every source, for a more rigorous experiment.

~~~
toast0
It sounds like they used all the probes available. Many of the countries
simply have very few RIPE Atlas probes available; I don't think it's
reasonable to only select 5 probes from the US, because that's how many are
installed in Vietnam; if you did, you're unlikely to pick any of the probes
that showed this behavior.

Instead, it's better to report the total and suspicious numbers, and take the
percentages with a grain of salt on low total probes.

~~~
JoshTriplett
I thought the point was that they queried many available DNS servers, not that
they did so from as many different locations as possible. Even if they only
have a dozen sources in a given country, can't they still query all the DNS
servers they know of from there?

~~~
toast0
> We used all RIPE Atlas probes (~9000 probes) to send DNS queries to 8.8.8.8.
> Each probe issued several queries, a single query covered one of the
> features described above (e.g. DNSSEC validation, IPv6 only-domain
> reachability, NXDOMAIN redirection, …).

My understanding was that they did the same queries from as many network
locations as possible, and looked for unexpected results.

Querying more known public DNS IPs would provide better confidence that a
given probe was attached to a network that hijacked DNS, but still wouldn't
tell you very much about the internet in a country with a low probe count.
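The measurement logic described in this thread (the same feature queries sent from every probe, with unexpected answers flagged and per-country totals reported rather than bare percentages) can be sketched in a few lines. The following is an added example, not code from the recdnsfp project or from any commenter: the expected answers per feature, the probe records and the country codes are constructed for illustration, and the Wilson score interval is used here as one reasonable way to make toast0's "grain of salt" on low probe counts explicit.

```python
"""Flag probes whose path to a public resolver returns unexpected DNS answers,
then summarise per country with totals and a confidence interval.

All data below is constructed for the example; the expected answers are
assumptions about how the feature zones would be set up, not real records.
"""
from collections import defaultdict
from math import sqrt

# Assumed ground truth for each feature query. A measurement designer controls
# the zones, so these are known in advance (constructed values here).
EXPECTED = {
    "dnssec_validation": "SERVFAIL",  # deliberately bogus signature must fail
    "nxdomain": "NXDOMAIN",           # nonexistent name must not become an A record
    "ipv6_only": "AAAA",              # IPv6-only name must still resolve
}


def _make(pid, cc, **overrides):
    """One probe's records: (probe_id, country, feature, observed_answer)."""
    return [(pid, cc, f, overrides.get(f, exp)) for f, exp in EXPECTED.items()]


# Constructed observations: 12 probes in "US" (one sees NXDOMAIN redirected to
# an IP), 3 probes in "VN" (one sees a bogus-signed name resolve).
OBSERVATIONS = []
for i in range(11):
    OBSERVATIONS += _make(1000 + i, "US")
OBSERVATIONS += _make(1011, "US", nxdomain="A 203.0.113.5")
OBSERVATIONS += _make(2000, "VN")
OBSERVATIONS += _make(2001, "VN")
OBSERVATIONS += _make(2002, "VN", dnssec_validation="NOERROR")


def flag_suspicious(observations, expected=EXPECTED):
    """Probe ids that received an unexpected answer on at least one feature."""
    return {pid for pid, _, feat, seen in observations if seen != expected[feat]}


def per_country_counts(observations, expected=EXPECTED):
    """{country: (total_probes, suspicious_probes)} -- both numbers are kept,
    because a percentage alone hides how few probes a country has."""
    probes = defaultdict(set)
    for pid, cc, _, _ in observations:
        probes[cc].add(pid)
    bad = flag_suspicious(observations, expected)
    return {cc: (len(pids), len(pids & bad)) for cc, pids in probes.items()}


def wilson_interval(k, n, z=1.96):
    """95% Wilson score interval for the proportion k/n; wide when n is small."""
    if n == 0:
        return (0.0, 0.0)
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def report(observations, min_probes=10):
    """Per-country rows with totals, suspicious count, point estimate and
    interval; rows with fewer than min_probes are marked low_sample."""
    rows = []
    for cc, (n, k) in sorted(per_country_counts(observations).items()):
        lo, hi = wilson_interval(k, n)
        rows.append({"country": cc, "total": n, "suspicious": k,
                     "pct": k / n, "ci_low": lo, "ci_high": hi,
                     "low_sample": n < min_probes})
    return rows


if __name__ == "__main__":
    for r in report(OBSERVATIONS):
        print(f"{r['country']}: {r['suspicious']}/{r['total']} suspicious "
              f"({100 * r['pct']:.0f}%), 95% CI "
              f"{100 * r['ci_low']:.0f}%-{100 * r['ci_high']:.0f}%"
              f"{' [low sample]' if r['low_sample'] else ''}")
```

Running it shows why the raw percentage is misleading: "VN" reports 1 of 3 probes (33%) but its interval spans roughly 6% to 79%, while "US" with 1 of 12 (8%) sits in a much narrower band. Reporting total and suspicious counts side by side, as toast0 suggests, lets a reader apply that caution themselves.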

