1. ccTLD/cz/NXDomain
NXDomain response means more than "no such name".
- The SOA in the authority section names the closest zone cut above the queried name, not a zone cut above the domain that the queried server controls.
$ dnsq ns cz a.ns.nic.cz
2 cz:
91 bytes, 1+4+0+0 records, response, authoritative, noerror
query: 2 cz
answer: cz 18000 NS b.ns.nic.cz
answer: cz 18000 NS a.ns.nic.cz
answer: cz 18000 NS c.ns.nic.cz
answer: cz 18000 NS d.ns.nic.cz
2. poisoning attack
The reply from the cz authoritative server (a.ns.nic.cz) to the query xxxx.a.ns.nic.cz is NXDomain.
$ dnsq a xxxx.a.ns.nic.cz a.ns.nic.cz
1 xxxx.a.ns.nic.cz:
81 bytes, 1+0+1+0 records, response, authoritative, nxdomain
query: 1 xxxx.a.ns.nic.cz
authority: nic.cz 1800 SOA a.ns.nic.cz hostmaster.nic.cz 1459343598 10800 3600 1209600 7200
3. SOA
This SOA means that a nic.cz zone exists (with NS a.ns.nic.cz etc.),
- but ns.nic.cz and a.ns.nic.cz are not zones.
The only zone cut above ns.nic.cz is nic.cz itself; below nic.cz there is no zone cut at xxxx.a.ns.nic.cz or at any name between it and nic.cz.
4. defence against Kaminsky / Mueller style poisoning
So if we receive a reply that delegates ns.nic.cz to some host, we can throw it away as poison.
The same holds for the domain name a.ns.nic.cz.
-- ToshinoriMaeno 2016-03-31 05:10:25
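The check described in sections 2 to 4, as an added example (not code from the page or from any resolver): it parses the page's dnsq NXDomain output, derives the names that the SOA owner proves are not zone cuts, and rejects a later delegation reply for one of those names. The function names are assumptions of this example.

```python
import re

# dnsq output for the NXDomain reply shown on this page (copied from the page)
DNSQ_NXDOMAIN = """\
1 xxxx.a.ns.nic.cz:
81 bytes, 1+0+1+0 records, response, authoritative, nxdomain
query: 1 xxxx.a.ns.nic.cz
authority: nic.cz 1800 SOA a.ns.nic.cz hostmaster.nic.cz 1459343598 10800 3600 1209600 7200
"""

def labels(name):
    """Split a domain name into lowercased labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_ancestor_or_equal(zone, name):
    """True if `zone` is `name` itself or one of its ancestors."""
    z, n = labels(zone), labels(name)
    return len(z) <= len(n) and n[len(n) - len(z):] == z

def no_zone_cut_names(nxdomain_output):
    """From a dnsq NXDomain reply, return (soa_owner, names that cannot be zone cuts).

    The SOA owner in the authority section is the closest enclosing zone of the
    query name, so every name strictly below that owner, down to and including
    the query name, is not the apex of a zone on this server."""
    qname = soa = None
    nxdomain = False
    for line in nxdomain_output.splitlines():
        if re.search(r"\bresponse\b.*\bnxdomain\b", line):
            nxdomain = True
        m = re.match(r"query: \d+ (\S+)", line)
        if m:
            qname = m.group(1)
        m = re.match(r"authority: (\S+) \d+ SOA ", line)
        if m:
            soa = m.group(1)
    # Only an NXDomain whose SOA owner really encloses the query name proves anything
    if not (nxdomain and qname and soa and is_ancestor_or_equal(soa, qname)):
        return None, set()
    q = labels(qname)
    depth_soa = len(labels(soa))
    names = {".".join(q[i:]) for i in range(len(q) - depth_soa)}
    return soa, names

def is_poison_delegation(delegated_name, forbidden):
    """True if a referral delegating `delegated_name` contradicts the learned SOA."""
    return ".".join(labels(delegated_name)) in forbidden
```

The inference is only as fresh as the negative answer it came from; RFC 2308 caps its lifetime at min(SOA TTL, SOA MINIMUM), here min(1800, 7200) = 1800 seconds.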
5. nic.cz NS
$ dnsq ns nic.cz a.ns.nic.cz
2 nic.cz:
207 bytes, 1+3+0+6 records, response, authoritative, noerror
query: 2 nic.cz
answer: nic.cz 1800 NS a.ns.nic.cz
answer: nic.cz 1800 NS b.ns.nic.cz
answer: nic.cz 1800 NS d.ns.nic.cz
additional: a.ns.nic.cz 1800 A 194.0.12.1
additional: b.ns.nic.cz 1800 A 194.0.13.1
additional: d.ns.nic.cz 1800 A 193.29.206.1
additional: a.ns.nic.cz 1800 28 \040\001\006x\000\017\000\000\000\000\000\000\000\000\000\001
additional: b.ns.nic.cz 1800 28 \040\001\006x\000\020\000\000\000\000\000\000\000\000\000\001
additional: d.ns.nic.cz 1800 28 \040\001\006x\000\001\000\000\000\000\000\000\000\000\000\001
6. zone cuts
query name minimisation / Knot resolver query example and log
...
-- ToshinoriMaeno 2016-03-31 05:17:28