OpenDNS DNS Tampering

From Digibase Knowledge Base
Revision as of 20:17, 17 January 2014 by Kradorex Xeron

Preface/Definitions

OpenDNS

OpenDNS is a DNS resolution provider that offers open public DNS servers for people to use as an alternative to the ones issued by ISPs. OpenDNS's resolvers are located at 208.67.222.222 and 208.67.220.220 (possibly others).

NXDOMAIN

Non-Existent Domain, a DNS-specification response for a domain that does not exist within the DNS hierarchy.

Resource Record (RR)

A resource record is a record held by an authoritative DNS server and returned in response to queries.

Authoritative Server

A server that is capable of responding affirmatively with an RR response for a domain or subdomain.

Resolver

A server that clients use to access DNS for the purpose of looking up RRs.

Domain Name System (DNS)

The Domain Name System (DNS) is a hierarchical system that provides RRs to querying clients; most commonly it translates names (e.g. digibase.ca) to IP addresses (e.g. 72.38.129.202) by way of Address (A) type RRs. The full workings of DNS are beyond the scope of this document.

The Problem

OpenDNS offers mechanisms to filter domain names for parental control, ad blocking and malware blocking, and also offers "suggestion" pages for domains that would return an NXDOMAIN response. While this may be useful, it should be discouraged: it is a violation of the DNS standard, as DNS is not the place for such filtering, and it requires OpenDNS's servers to act authoritatively for domains they do not operate. OpenDNS claims these features can be turned off through a web control panel.

Details/Example

Consider the following example with a known working name: ip.digibase.ca, our website for finding your own IP address. We will use the DNS diagnostic tool "dig". To keep the results impartial we will not use our own resolver; instead we will query 4.2.2.4, which is operated by Level3, an internet backbone provider, and 208.67.222.222, which is operated by OpenDNS.

Test for existing name: ip.digibase.ca

Level3 Response:

; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> ip.digibase.ca @4.2.2.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15400
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ip.digibase.ca.                        IN      A

;; ANSWER SECTION:
ip.digibase.ca.         7200    IN      A       72.38.129.202

;; Query time: 90 msec
;; SERVER: 4.2.2.4#53(4.2.2.4)
;; WHEN: Fri Jan 17 18:58:34 EST 2014
;; MSG SIZE  rcvd: 59

OpenDNS Response:

; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> ip.digibase.ca @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33452
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ip.digibase.ca.                        IN      A

;; ANSWER SECTION:
ip.digibase.ca.         7200    IN      A       72.38.129.202

;; Query time: 56 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Jan 17 19:00:04 EST 2014
;; MSG SIZE  rcvd: 59

Both are good and correct responses.

Test for non-existing name: fasdiofanjsiofoasgfa.digibase.ca

Now, with the above in mind, consider the following example for a DNS name that does not exist: fasdiofanjsiofoasgfa.digibase.ca.

Level3 Response:

; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> fasdiofanjsiofoasgfa.digibase.ca @4.2.2.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37843
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fasdiofanjsiofoasgfa.digibase.ca. IN   A

;; AUTHORITY SECTION:
digibase.ca.            7200    IN      SOA     ns.digibase.ca. admin.digibase.ca. 1376043521 10800 3600 950400 7200

;; Query time: 143 msec
;; SERVER: 4.2.2.4#53(4.2.2.4)
;; WHEN: Fri Jan 17 19:02:11 EST 2014
;; MSG SIZE  rcvd: 106

Notice the "NXDOMAIN" status, which is correct since the name (and by extension the RR) does not exist.

OpenDNS Response:

; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> fasdiofanjsiofoasgfa.digibase.ca @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9133
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fasdiofanjsiofoasgfa.digibase.ca. IN   A

;; ANSWER SECTION:
fasdiofanjsiofoasgfa.digibase.ca. 0 IN  A       67.215.65.132

;; Query time: 48 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Jan 17 19:07:08 EST 2014
;; MSG SIZE  rcvd: 77

Notice here how OpenDNS has responded with an RR to this lookup (an A record with a TTL of 0) where it should have returned no RR and an NXDOMAIN response. This is a violation of the DNS standard, as OpenDNS has spoken authoritatively for a name it has no authority over.
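The comparison above can be turned into an automated check. The following Python script is an added example and is not part of the original article: it builds a raw A query for a random, non-existent label under a zone, sends it to a resolver over UDP using only the standard library, and classifies the reply by the same rule the article applies. NXDOMAIN with no answer is the correct, clean result; NOERROR carrying an A record for a name that cannot exist means the resolver has substituted its own data. The two sample replies at the bottom are constructed by hand to mirror the Level3 and OpenDNS captures above (the SOA authority record is left out, and the substituted address 67.215.65.132 is taken from the OpenDNS capture) so the classifier can be exercised offline. The probe function, the default zone digibase.ca and the resolver list in the main block are this example's own choices.

```python
"""Detect NXDOMAIN rewriting by a recursive resolver (added example, standard library only)."""
import random
import socket
import string
import struct

NOERROR = 0
NXDOMAIN = 3


def _encode_name(name):
    """Encode a dotted name into RFC 1035 wire-format labels."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qid=0x1234):
    """Build a recursive (RD=1) A/IN query for qname."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    parts, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        parts.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(parts) + ".", end


def parse_response(msg):
    """Return (rcode, [(owner, ttl, ipv4), ...]) for the A records in the answer section."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((owner, ttl, socket.inet_ntoa(rdata)))
    return rcode, answers


def classify(msg):
    """Apply the article's rule to a reply for a name that cannot exist."""
    rcode, answers = parse_response(msg)
    if rcode == NXDOMAIN and not answers:
        return "clean"        # the correct, standards-conforming answer
    if rcode == NOERROR and answers:
        return "rewritten"    # resolver answered with data for a name it has no authority over
    return "other"            # SERVFAIL, REFUSED, empty NOERROR, ...


def probe(resolver, zone="digibase.ca", timeout=3.0):
    """Query resolver for a random 20-letter label under zone (needs network access)."""
    qname = "".join(random.choice(string.ascii_lowercase) for _ in range(20)) + "." + zone
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("reply id does not match the query")
    return qname, classify(reply)


def _build_reply(qname, rcode, answer_ip=None, ttl=0):
    """Constructed reply (not a real capture): question echoed, optional A record, no authority."""
    flags = 0x8180 | rcode  # QR, RD, RA set
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg += _encode_name(qname) + struct.pack("!HH", 1, 1)
    if answer_ip:  # owner name given as a pointer to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return msg


SAMPLE_NAME = "fasdiofanjsiofoasgfa.digibase.ca"
SAMPLE_CLEAN = _build_reply(SAMPLE_NAME, NXDOMAIN)                         # mirrors the Level3 reply
SAMPLE_REWRITTEN = _build_reply(SAMPLE_NAME, NOERROR, "67.215.65.132", 0)  # mirrors the OpenDNS reply

if __name__ == "__main__":
    for label, sample in (("Level3-style", SAMPLE_CLEAN), ("OpenDNS-style", SAMPLE_REWRITTEN)):
        print(label, classify(sample), parse_response(sample))
    # Live comparison of the two resolvers used in the article (uncomment when online):
    # for r in ("4.2.2.4", "208.67.222.222"):
    #     print(r, probe(r))
```

A random label is used rather than a fixed one so that a resolver cannot have a cached or special-cased answer for it; the reply id is compared with the query id so a stray datagram is not misread as the answer. Running the live probe against both resolvers shows "clean" for one that returns NXDOMAIN and "rewritten" for one that substitutes an A record, which is exactly the difference visible in the two dig captures above.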

The Issue with this