Hacker News new | comments | show | ask | jobs | submit login
Show HN: Recursive DNS Server Fingerprint (recdnsfp.github.io)
120 points by pjf on Apr 21, 2017 | hide | past | web | favorite | 13 comments

It's nice to see a country as large as Brazil having 24% of its domains with DNSSEC records (973k out of 3.9m domains). I expected it to be close to zero.

This is very interesting work. I wish there was an easy way to see DNSSEC statistics for each ccTLD side-by-side with the fingerprint report.

brazil is the only country other than US that understood internet control.

they have their own, centralized registrar, and they use proper tlds such as gov, jus (justice) etc with their own tls system (which sometimes update faster than browsers can keep up so you have to add root signatures manually to your systems)

I was actually surprised when Kaspersky announced NIC.br was compromised and many banking sites where hijacked. If I remember correctly, they (NIC.br) identified a vulnerability but then denied Kaspersky claims.


Did anyone ever release any more info on this?

so far, all points to the bank falling for a scam and releasing credentials to nic.br

Probably wouldn’t be terribly hard to generate that data.

This is a very cool use of RIPE Atlas!

Note that it's not going to flag many of the censorship apparatus, because they will inject replies only for queries matching their denied patterns.

Reversing that list in a useful way remains tricky, to say the least.

Seems odd that their tests have a drastically different number of probes from different source countries. total_probes ought to be exactly the same from every source, for a more rigorous experiment.

It sounds like they used all the probes available. Many of the countries simply have very few RIPE Atlas probes available; I don't think it's reasonable to only select 5 probes from the US, because that's how many are installed in Vietnam; if you did, you're unlikely to pick any of the probes that showed this behavior.

Instead, it's better to report the total and suspicious numbers, and take the percentages with a grain of salt on low total probes.

If anyone is interested expanding the research in countries with low RIPE Atlas coverage, we can provide free research access to our Probe API which has over 10x more probes than Atlas. More here> http://probeapi.speedchecker.xyz/

I thought the point was that they queried many available DNS servers, not that they did so from as many different locations as possible. Even if they only have a dozen sources in a given country, can't they still query all the DNS servers they know of from there?

> We used all RIPE Atlas probes (~9000 probes) to send DNS queries to Each probe issued several queries, a single query covered one of the features described above (e.g. DNSSEC validation, IPv6 only-domain reachability, NXDOMAIN redirection, …).

My understanding was that they did the same queries from as many network locations as possible, and looked for unexpected results.

Querying more known public dns IPs would provide better confidence that a given probe was attached to a network that hijacked DNS, but still wouldn't tell you very much about the internet in a country with a low probe count.

If you are not represented, join us!



If I remember correctly, when submitting jobs to run on the network, N numbers of nodes are selected randomly. RIPE has the biggest concentration of probes in the EU and then US[1].

[1]: https://atlas.ripe.net/results/maps/network-coverage/

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact