topic Re: BT chooses to route to an instance of L-Root in Belarus in Everything else

BT chooses to route to an instance of L-Root in Belarus

rocra — Fri, 30 Aug 2024 15:57:42 GMT

I tried to raise the issue on the phone with Plusnet support but got a response saying we don't support domains. Hopefully there are people here who can raise this issue with BT NOC.

As you can see in the trace below BT selects to route to an instance of L-Root in Belarus. I believe it's a major security risk due to possible DNS manipulation from the owners of the instance.

mtr -4 -wzb -c4 l.root-servers.net Start: 2024-08-30T16:51:32+0100 HOST: xxxxxxxx.xxx Loss% Snt Last Avg Best Wrst StDev 1. AS??? 172.16.10.xx 0.0% 4 0.9 0.8 0.4 1.1 0.3 2. AS??? 100.0 4 0.0 0.0 0.0 0.0 0.0 3. AS6871 132.hiper04.sheff.dial.plus.net.uk (195.166.143.132) 0.0% 4 1.9 2.0 1.6 2.9 0.6 4. AS2856 peer2-et-0-0-4.slough.ukcore.bt.net (109.159.252.118) 0.0% 4 3.2 9.9 2.7 30.5 13.8 5. AS??? linx-224.retn.net (195.66.224.193) 0.0% 4 5.5 5.7 3.3 9.6 2.8 6. AS9002 ae5-9.rt.lim.waw.pl.retn.net (87.245.233.46) 0.0% 4 40.2 33.6 29.4 40.2 5.0 7. AS9002 gw-as6697.retn.net (87.245.245.135) 0.0% 4 34.2 34.7 34.2 35.1 0.4 8. AS6697 ie2.net.belpak.by (93.85.80.241) 0.0% 4 55.6 51.8 49.7 55.6 2.6 9. AS6697 core2.net.belpak.by (93.85.80.53) 0.0% 4 53.3 51.2 48.7 53.9 2.8 10. AS6697 93.84.125.193 0.0% 4 48.8 49.2 48.8 49.5 0.3 11. AS20144 l.root-servers.net (199.7.83.42) 0.0% 4 46.2 46.3 46.2 46.4 0.1

Re: BT chooses to route to an instance of L-Root in Belarus

paul_blitz — Fri, 30 Aug 2024 17:44:35 GMT

I'm not really sure what you are actually concerned about. Maybe this is no more than a 'conspiracy theory'?

There's currently 146 different instances around the world of the l.root-servers.net at 199.7.83.42 (there's a nice list of all the root server locations at https://root-servers.org/ ), and your ISP and others will work out a (probably dynamic) route to get to the 'closest' instance... for whatever reason, we are being sent to Belarus. Although, to be honest, in 99.9% of cases, it's not "WE" who are using it. "WE" use maybe the plusnet DNS servers, and it's THEY who access the root servers. Only a small percentage do their own recursive DNS lookups.

l.root is run by ICANN (although they have no involvement in the routing to get to them). In reality, the server will be a secondary DNS server, being regularly updated from the primary, wherever that is. I would imagine that ICANN would soon spot if someone was screwing with one of their root servers.

So, yes, I guess it's possible for ANYONE at the actual DNS server location OR on the data-path to 'poison' a DNS response, although, if I'm honest, I'd probably be more worried that any manipulation was being done in the UK than Belarus!!!!

So, what other countries are you worried about?

Re: BT chooses to route to an instance of L-Root in Belarus

rocra — Fri, 30 Aug 2024 18:45:07 GMT

@paul_blitz wrote:

I'm not really sure what you are actually concerned about. Maybe this is no more than a 'conspiracy theory'?

So, yes, I guess it's possible for ANYONE at the actual DNS server location OR on the data-path to 'poison' a DNS response, although, if I'm honest, I'd probably be more worried that any manipulation was being done in the UK than Belarus!!!!

So, what other countries are you worried about?

I'm not saying they're doing it. I'm saying it's a security risk. Belarus is known to use DNS spoofing in the past. https://humanconstanta.org/en/state-provider-spoofs-dns-responses-for-users/

The route goes via Belpak which is state-owned.

Overall the country is 25/100 on Freedom on the Net https://freedomhouse.org/country/belarus/freedom-net/2023

There were incidents where China leaked i-root instances in 2010 and k-root instances in 2021

Do you have links or evidence to support you implying UK spoofs DNS requests?

Re: BT chooses to route to an instance of L-Root in Belarus

paul_blitz — Sat, 31 Aug 2024 10:09:30 GMT

Thanks for the links, interesting reading.

The 'attack' in that first article wasn't related to the root servers, or any other DNS servers, as it was a form of MITM, or in-transit attack, where certain specific sites (mainly Belarus) were 'spoofed'.... so the vast majority would have been untouched.... but the issue is, of course, that they COULD have spoofed other sites too...

Under the terms of 'conspiracy theory' we have to actually assume this could happen on ANY DNS lookup, caused by whoever has a suitable gripe! From a practical perspective, 99.99% of my DNS lookup will be happening here in the UK, thus my comment about the UK, and with it being a conspiracy theory, no proof is needed 🙂

In real terms, given the sites that we are interested in, I suspect we remain pretty safe.

Re: BT chooses to route to an instance of L-Root in Belarus

dvorak — Sun, 01 Sep 2024 16:53:21 GMT

Moderators Note

This topic has been moved from Broadband to Everything Else