BT chooses to route to an instance of L-Root in Belarus
30-08-2024 4:57 PM
I tried to raise the issue on the phone with Plusnet support but got a response saying we don't support domains. Hopefully there are people here who can raise this issue with BT NOC.
As you can see in the trace below, BT selects to route to an instance of L-Root in Belarus. I believe it's a major security risk due to possible DNS manipulation from the owners of the instance.
mtr -4 -wzb -c4 l.root-servers.net
Start: 2024-08-30T16:51:32+0100
HOST: xxxxxxxx.xxx Loss% Snt Last Avg Best Wrst StDev
1. AS??? 172.16.10.xx 0.0% 4 0.9 0.8 0.4 1.1 0.3
2. AS??? 100.0 4 0.0 0.0 0.0 0.0 0.0
3. AS6871 132.hiper04.sheff.dial.plus.net.uk (195.166.143.132) 0.0% 4 1.9 2.0 1.6 2.9 0.6
4. AS2856 peer2-et-0-0-4.slough.ukcore.bt.net (109.159.252.118) 0.0% 4 3.2 9.9 2.7 30.5 13.8
5. AS??? linx-224.retn.net (195.66.224.193) 0.0% 4 5.5 5.7 3.3 9.6 2.8
6. AS9002 ae5-9.rt.lim.waw.pl.retn.net (87.245.233.46) 0.0% 4 40.2 33.6 29.4 40.2 5.0
7. AS9002 gw-as6697.retn.net (87.245.245.135) 0.0% 4 34.2 34.7 34.2 35.1 0.4
8. AS6697 ie2.net.belpak.by (93.85.80.241) 0.0% 4 55.6 51.8 49.7 55.6 2.6
9. AS6697 core2.net.belpak.by (93.85.80.53) 0.0% 4 53.3 51.2 48.7 53.9 2.8
10. AS6697 93.84.125.193 0.0% 4 48.8 49.2 48.8 49.5 0.3
11. AS20144 l.root-servers.net (199.7.83.42) 0.0% 4 46.2 46.3 46.2 46.4 0.1
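As an added example (not part of the original post), the following parses the hop lines of the mtr report above, reduces them to an AS path, and flags hops in networks outside an expected set. The `EXPECTED` set is an assumption chosen for illustration (the access ISP, its upstream, and the origin AS shown for l.root-servers.net in the trace); the function names are hypothetical.

```python
import re
from collections import namedtuple

# Hop lines copied from the mtr report in the post above.
TRACE = """\
 1. AS??? 172.16.10.xx 0.0% 4 0.9 0.8 0.4 1.1 0.3
 2. AS??? 100.0 4 0.0 0.0 0.0 0.0 0.0
 3. AS6871 132.hiper04.sheff.dial.plus.net.uk (195.166.143.132) 0.0% 4 1.9 2.0 1.6 2.9 0.6
 4. AS2856 peer2-et-0-0-4.slough.ukcore.bt.net (109.159.252.118) 0.0% 4 3.2 9.9 2.7 30.5 13.8
 5. AS??? linx-224.retn.net (195.66.224.193) 0.0% 4 5.5 5.7 3.3 9.6 2.8
 6. AS9002 ae5-9.rt.lim.waw.pl.retn.net (87.245.233.46) 0.0% 4 40.2 33.6 29.4 40.2 5.0
 7. AS9002 gw-as6697.retn.net (87.245.245.135) 0.0% 4 34.2 34.7 34.2 35.1 0.4
 8. AS6697 ie2.net.belpak.by (93.85.80.241) 0.0% 4 55.6 51.8 49.7 55.6 2.6
 9. AS6697 core2.net.belpak.by (93.85.80.53) 0.0% 4 53.3 51.2 48.7 53.9 2.8
10. AS6697 93.84.125.193 0.0% 4 48.8 49.2 48.8 49.5 0.3
11. AS20144 l.root-servers.net (199.7.83.42) 0.0% 4 46.2 46.3 46.2 46.4 0.1
"""

# Assumption for this example: the networks the operator expects on the path.
EXPECTED = {"AS6871", "AS2856", "AS20144"}

# name is "host (ip)", a bare IP, or empty when the hop never answered.
Hop = namedtuple("Hop", "ttl asn name loss avg_ms")

def parse_report(text):
    """Parse hop lines; the last 7 fields are Loss% Snt Last Avg Best Wrst StDev."""
    hops = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 9 or not re.fullmatch(r"\d+\.", tok[0]):
            continue  # header, timestamp or blank line
        hops.append(Hop(int(tok[0][:-1]), tok[1], " ".join(tok[2:-7]),
                        float(tok[-7].rstrip("%")), float(tok[-4])))
    return hops

def as_path(hops):
    """Ordered distinct ASNs; hops mtr could not map (AS???) are skipped."""
    known = [h.asn for h in hops if h.asn != "AS???"]
    return [a for i, a in enumerate(known) if i == 0 or a != known[i - 1]]

def unexpected_transit(hops, expected):
    """Hops whose ASN is known but is not in the expected set."""
    return [h for h in hops if h.asn != "AS???" and h.asn not in expected]

def largest_latency_step(hops):
    """TTL of the responding hop with the biggest rise in average RTT."""
    live = [h for h in hops if h.loss < 100]
    return max(zip(live, live[1:]), key=lambda p: p[1].avg_ms - p[0].avg_ms)[1].ttl
```

Run against periodic traces, a change in `as_path` or a non-empty `unexpected_transit` result shows when the anycast route to a root server has moved to a different instance.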
Re: BT chooses to route to an instance of L-Root in Belarus
30-08-2024 6:44 PM
I'm not really sure what you are actually concerned about. Maybe this is no more than a 'conspiracy theory'?
There are currently 146 different instances around the world of the l.root-servers.net at 199.7.83.42 (there's a nice list of all the root server locations at https://root-servers.org/ ), and your ISP and others will work out a (probably dynamic) route to get to the 'closest' instance... for whatever reason, we are being sent to Belarus. Although, to be honest, in 99.9% of cases, it's not "WE" who are using it. "WE" use maybe the Plusnet DNS servers, and it's THEY who access the root servers. Only a small percentage do their own recursive DNS lookups.
l.root is run by ICANN (although they have no involvement in the routing to get to them). In reality, the server will be a secondary DNS server, being regularly updated from the primary, wherever that is. I would imagine that ICANN would soon spot if someone was screwing with one of their root servers.
So, yes, I guess it's possible for ANYONE at the actual DNS server location OR on the data-path to 'poison' a DNS response, although, if I'm honest, I'd probably be more worried that any manipulation was being done in the UK than Belarus!!!!
So, what other countries are you worried about?
Re: BT chooses to route to an instance of L-Root in Belarus
30-08-2024 7:45 PM
@paul_blitz wrote:
I'm not really sure what you are actually concerned about. Maybe this is no more than a 'conspiracy theory'?
So, yes, I guess it's possible for ANYONE at the actual DNS server location OR on the data-path to 'poison' a DNS response, although, if I'm honest, I'd probably be more worried that any manipulation was being done in the UK than Belarus!!!!
So, what other countries are you worried about?
I'm not saying they're doing it. I'm saying it's a security risk. Belarus is known to have used DNS spoofing in the past. https://humanconstanta.org/en/state-provider-spoofs-dns-responses-for-users/
The route goes via Belpak which is state-owned.
Overall the country is 25/100 on Freedom on the Net https://freedomhouse.org/country/belarus/freedom-net/2023
There were incidents where China leaked i-root instances in 2010 and k-root instances in 2021.
Do you have links or evidence to support your implication that the UK spoofs DNS requests?
Re: BT chooses to route to an instance of L-Root in Belarus
31-08-2024 11:09 AM
Thanks for the links, interesting reading.
The 'attack' in that first article wasn't related to the root servers, or any other DNS servers, as it was a form of MITM, or in-transit attack, where certain specific sites (mainly Belarus) were 'spoofed'.... so the vast majority would have been untouched.... but the issue is, of course, that they COULD have spoofed other sites too...
Under the terms of 'conspiracy theory' we have to actually assume this could happen on ANY DNS lookup, caused by whoever has a suitable gripe! From a practical perspective, 99.99% of my DNS lookups will be happening here in the UK, thus my comment about the UK, and with it being a conspiracy theory, no proof is needed 🙂
In real terms, given the sites that we are interested in, I suspect we remain pretty safe.
Re: BT chooses to route to an instance of L-Root in Belarus
01-09-2024 5:53 PM
Moderator's Note
This topic has been moved from Broadband to Everything Else