This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[atlas] List of Atlas probes subjected to DNS traffic interception (MITM)
Andrea Barberio
insomniac at slackware.it
Fri Sep 29 16:42:37 CEST 2017
Have you also looked at this project from the last RIPE DNS hackathon?

https://recdnsfp.github.io/

Follow-up at https://www.ietf.org/proceedings/99/slides/slides-99-maprg-fingerprint-based-detection-of-dns-hijacks-using-ripe-atlas-01.pdf

Cheers,
Andrea

----- Original Message -----
From: "Baptiste Jonglez" <baptiste.jonglez at imag.fr>
To: ripe-atlas at ripe.net
Sent: Friday, September 29, 2017 1:56:12 PM
Subject: [atlas] List of Atlas probes subjected to DNS traffic interception (MITM)

Hi,

I am looking for a list of Atlas probes that suffer from DNS traffic interception, to exclude them from my measurements.

What I mean by "traffic interception" is that DNS queries from the probe to a third-party DNS server do not reach the server, but are intercepted and answered by a middle-box instead.

I started building this list myself, but it's a long and potentially error-prone process.

It seems that the "DNS Root Instances" map could be used for that purpose, because DNS traffic interception shows up as if the probe was contacting an "Unknown" root instance.

To get the list of probes, I ended up using a URL like the following, showing probes for all possible "unknown" root instance hostnames:

https://atlas.ripe.net/results/maps/root-instances/?server=1&question=10300&af=4&filter=&show_only=dns1.com2com.ru%2Cnl1.dnscrypt.eu ...

However, there seems to be a limit on the size of the URL so I cannot get all probes, and they are just displayed on the map without any obvious way to get the raw list of probes instead.

Is there a way to get the raw list of probes from this map? Or has anybody already done this classification work independently?

I also looked for DNS-related tags on probes, but could not find anything useful.

Thanks,
Baptiste
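
Added example, not part of the original thread or of any RIPE Atlas tooling: a sketch of the classification described above, flagging probes whose instance-identity answers do not match the expected root instance naming scheme so they can be excluded from measurements. The `EXPECTED` pattern is a placeholder assumption and the sample records are constructed; only the two "unknown" hostnames come from the URL quoted in the message.

```python
import re
from collections import defaultdict

# Assumption: placeholder pattern for legitimate instance names; replace it
# with the real naming scheme of the root server being measured.
EXPECTED = re.compile(r"^ns\d+\.[a-z]{2}-[a-z]{3}\.root-instance\.example$")

# Constructed sample: (probe_id, instance-identity answer, or None on timeout).
SAMPLE = [
    (1001, "ns1.nl-ams.root-instance.example"),
    (1001, "NS2.NL-AMS.root-instance.example."),
    (1002, "dns1.com2com.ru"),
    (1002, "dns1.com2com.ru"),
    (1003, None),
    (1003, None),
    (1004, "ns1.de-fra.root-instance.example"),
    (1004, "nl1.dnscrypt.eu"),
]

def normalize(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.strip().rstrip(".").lower()

def classify(samples, expected=EXPECTED, min_answers=1):
    """Return {probe_id: (verdict, unknown_names)} over all samples per probe."""
    per_probe = defaultdict(list)
    for probe_id, answer in samples:
        per_probe[probe_id].append(answer)
    verdicts = {}
    for probe_id, answers in per_probe.items():
        seen = [normalize(a) for a in answers if a]
        unknown = sorted({a for a in seen if not expected.match(a)})
        if len(seen) < min_answers:
            # Timeouts alone are not evidence of interception.
            verdicts[probe_id] = ("inconclusive", [])
        elif unknown:
            # Any answer outside the naming scheme came from something else.
            verdicts[probe_id] = ("intercepted", unknown)
        else:
            verdicts[probe_id] = ("clean", [])
    return verdicts

def exclusion_list(samples):
    return sorted(p for p, (v, _) in classify(samples).items() if v == "intercepted")

if __name__ == "__main__":
    for probe, (verdict, names) in sorted(classify(SAMPLE).items()):
        print(probe, verdict, ", ".join(names))
```

Probe 1004 is flagged even though one of its answers looks legitimate, since interception may affect only part of a probe's queries.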