
Possible flaw exposed before coming drops

Just received this anonymously. Don't know if it's true because it'd take 60 days to test and I guess if it is then only a few tags will know (i.e. the ones who caught so many last year). Just letting you all know. I'm sure it'll be noticeable if someone sweeps up all the drops as they did last year. I've contacted Nominet but I doubt they'll respond. This is it word for word but I've edited the example domain to choose one that doesn't exist.

'New DAC / EPP flaw that will be used this week to catch domains in the mass drops happening over the next 15 days. The flaw proceeds in this way. Before a domain name becomes suspended, add bogus nameservers with EPP. For example, add ns100.thedomainABC.co.uk (even if you don't own thedomainABC.co.uk). It won't show up on the active whois. On the face of it this makes no difference to anything.

Fast forward to the day that the domain name thedomainABC.co.uk is due to drop. You can perform checks for that nameserver (ns100.thedomainABC.co.uk) via your EPP host:check. Checks are performed synchronously and at a higher rate than the DAC. It is 1ms slower than the DAC, which is still good, but come the days of the large .uk drops, millions of checks per day per EPP are significant. The maximum number of checks per EPP tag would be 17,280,000 per day.

This has been ongoing for at least 12 months. Don't believe it? Request that Nominet check out the nameservers for the top names that are due to drop this week. There are at least 5 catchers that have been using it. Check the EPP logs, they are huge: 40GB per day if 5 people are still using it. You won't use the flaw for this week. You need to add the nameservers via your EPP before they are moved into a suspended status. It will be 60 days before you can see the results of the test, but again, ask Nominet if what I am detailing is true.

Nominet say they are being proactive, but they were warned about this in May and it is still active. Even as other flaws were revealed, they didn't tell anyone about this one. Shame on Nominet. Why am I telling you this? Because Nominet have warned me for using it but are still letting others use it. Sick of the hypocrisy.'
 
True or false, I've sent it in to Nominet staff and Nominet board, requesting they undertake a technical check, and providing 16 premium names that are dropping, to see if anything gets picked up.

Whether that's worth doing...
 
It's not the 'premium' domains as they would be chased by pretty much everyone and, if the email is correct, would still not be guaranteed. It is more the 'sweeping up' of hundreds of 3-letter domains, lesser premiums, etc. as we saw in the last drop. A deletion of all nameservers for a domain the day before it drops would eliminate that totally if it exists. Either that or just include a nameserver check for domains not on your tag in the same EPP quota as checking a domain not on your tag.
 
Right, seeing as the admins are keen on deleting the truth... Let's have it right, shall we..

Firstly Rob, I didn't know about the above findings so kudos on your work!

Secondly, it sounds like a load of rubbish to me but let's put this into perspective for those that read this at face value and listen to the rubbish on here...

You say you need to add the nameservers 60-90 days before the domain is due to drop... The domain could then be renewed at any stage, but let's say it does not get renewed... You then need to send millions of requests all day on the day the domain is due to drop... and like you say there is still no guarantee you will get the domain. You're also not even checking the DAC, you're just going off the host:check response?

This sounds like a load of rubbish in order to cause chaos prior to next week's drops, and even if this is true... that's an awful lot of work months before the domain is due to drop and it still does not guarantee you get the domain.
 
OK thanks Rob for filling me in. Thanks for publishing it.
This is obviously going to be a shitshow if Nominet do not make a 1,000 EPP limit for nameserver checking via their EPP. Why no limits?
 
I found the nameserver (or one of them) they have added to thousands of domains and given the info to Nominet. They should be able to find out from the logs who did it and who has been checking it with their EPP.

*edited
Only been able to find one nameserver so far - maybe that's all there is. It's on tons of domains that will be dropping, though.
But for example it is added to gng.co.uk and rev.co.uk tomorrow, so someone could just keep checking that nameserver via their EPP and, when it changes, the domain has dropped. As fast as the DAC but uses NO quota. Nominet need to close this down.
 
Thanks for posting this, it's very interesting and when you think about it, a simple idea really. Wonder how long it will take Nominet to fix this and make catching domains fair again? Or at least limit the host EPP query. Hopefully it's done already lol but I doubt it.
 
Yes, Adrian likes to be called Reverend doesn't he. Man, he writes even more than me. His blog is really quite a read.
 
Rob, if this is true... out the people using it then, because there is only a handful of people this would trace back to. Also whoever is using it would have been catching domains this past week as they would have needed to test it prior to next week.
 
Well it is true but I don't think Nominet really care. The nameserver must have been put on rev and gng at least 60 days ago. Also, yet again, if they don't run their systems properly it's really down to them - we always end up finding their bugs and flaws and telling them what they are. Ironic that they try to make out it's our fault for using their broken systems, extra quota, nameservers, etc. They just need to close it down. They have no excuse. As usual though they don't respond. 'Hey, have a Ferrari, but DON'T drive it above 40mph. OK, we're taking away everybody's cars.'
All they need to do to fix it is very simple:
1) remove all nameservers for a domain when it enters suspension. I suspect this is actually a fault as you can't create any more once that happens.
or
2) Include any EPP 'check' commands on domains/nameservers that aren't owned by the client, in their quota.
They make a big deal about fixing things and can take them years. I wonder really how 'technical' their team are.

If they haven't fixed it by the 3rd I'm debating whether to just tell everyone what the nameserver is and let them all go for it. Of course then Nominet will have no chance of sifting through logs (if they ever were going to).
 
The zone files don't reflect any random nameservers for the domains tomorrow nor those next week. How confident are you these nameservers are assigned on tomorrow's domains, and also how did you find out what the NS was?
 
The zone files don't reflect any random nameservers for the domains tomorrow nor those next week. How confident are you these nameservers are assigned on tomorrow's domains, and also how did you find out what the NS was?

The hostfile will only have active resolving domain names and nameservers.
You could guess the nameserver, e.g. write a script to query ns1, ns2, ns3, ns4, etc...
 
100% confident. Once you know what it is you can look it up with an EPP check command and it responds as an existing nameserver: '[here].rev.co.uk' avail="0" V289 Nameserver already exists.
Finding it was hard but was just a case of messing with Nominet's panel.
 
The hostfile will only have active resolving domain names and nameservers.
You could guess the nameserver, e.g. write a script to query ns1, ns2, ns3, ns4, etc...

Yeah, this one is in the format LLLLLNNLL though and is not a dictionary word. Also a domain will only report nameservers in its own zonefile (until suspended). The registered nameservers are kept in a separate file/database which Nominet don't release in their zonefile (although com, net, org, etc. all do). However it seems that when a domain drops those entries go with it.
I can prove it - give me a (working) domain name and I'll create a nameserver for it that you can all query. That nameserver won't exist anywhere but will be tied to that domain until it drops.

*edit: no need - I've just created helloacorn.acorndomains.co.uk
If acorn ever goes suspended that nameserver will still exist until the domain drops.
 
@untagged - Yeah, traditionally it could be ns1... etc. but there is no telling what the first part of the string could be. I'm going to do some digging tonight, I suspect I know who is using it but time will tell.
 
If they haven't fixed it by the 3rd I'm debating whether to just tell everyone what the nameserver is and let them all go for it.

Why not just tell everyone? It's not your job to protect Nominet's EPP is it? lol
Freelancer vs Nominet's coffers: they have enough cash, staff and resources to protect themselves and their delicate EPP I'm sure lol, and if not, they should. Maybe you telling everyone will force them to make the change because the host command will get hammered lol.
 
Because I've only just told nominet what the nameserver is - so that gives them the morning (office hours of course) to look at it with logs uncluttered.
 
Because I've only just told nominet what the nameserver is - so that gives them the morning (office hours of course) to look at it with logs uncluttered.

This is the best option, because if others know the nameservers they will potentially try and figure this out, causing more log entries and making it harder for Nominet to trace. So it's best to let Nominet investigate the logs, because if this is true there will be millions of entries which should stand out like a sore thumb.
 