khost, kdig - support for low-level IDN troubleshooting is missing
The "keepass.info" domain was a victim of an "IDN" attack (article). The domain name xn--eepass-vbb.info was already removed from DNS, and most popular web browsers block the web page https://xn--eepass-vbb.info/ with a red warning shield.
Anyway, I tried to troubleshoot such an issue, and because the "ķeepass.info" domain was already blocked/removed, I tried to test with the domain https://www.háčkyčárky.cz/
I think that the khost and kdig utilities lack support for troubleshooting IDN issues. The same applies to the DNS utilities from the "BIND" project...
Example:
$ khost stránky.háčkyčárky.cz.
stránky.háčkyčárky.cz. is an alias for háčkyčárky.cz.
háčkyčárky.cz. has IPv4 address 217.31.205.51
háčkyčárky.cz. has IPv6 address 2001:1488:0:3::5
háčkyčárky.cz. mail is handled by 10 pošta.háčkyčárky.cz.
$ khost --version
khost (Knot DNS), version 2.7.8
This works, but there is no way to translate stránky.háčkyčárky.cz or pošta.háčkyčárky.cz. to punycode (xn--strnky-rta.xn--hkyrky-ptac70bc.cz and xn--pota-h6a.xn--hkyrky-ptac70bc.cz).
I just want to highlight that khost and kdig lack support for low-level debugging of IDN-related issues, like an option to force these utilities to print queries and answers in punycode.
kdig, no low-level information at all:
$ kdig stránky.háčkyčárky.cz. @1.1.1.1
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 30112
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; stránky.háčkyčárky.cz. IN A
;; ANSWER SECTION:
stránky.háčkyčárky.cz. 1800 IN CNAME háčkyčárky.cz.
háčkyčárky.cz. 60 IN A 217.31.205.51
;; Received 85 B
;; Time 2023-10-23 07:50:20 CEST
;; From 1.1.1.1@53(UDP) in 11.3 ms
kdig in debug mode: only the query is translated to punycode, the result is in human-friendly form only:
$ kdig -d stránky.háčkyčárky.cz. @1.1.1.1
;; DEBUG: Querying for owner(xn--strnky-rta.xn--hkyrky-ptac70bc.cz.), class(1), type(1), server(1.1.1.1), port(53), protocol(UDP)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 60942
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; stránky.háčkyčárky.cz. IN A
;; ANSWER SECTION:
stránky.háčkyčárky.cz. 1748 IN CNAME háčkyčárky.cz.
háčkyčárky.cz. 8 IN A 217.31.205.51
;; Received 85 B
;; Time 2023-10-23 07:51:12 CEST
;; From 1.1.1.1@53(UDP) in 8.9 ms
khost in debug mode: the query is printed in punycode but the answer is in human-readable form only:
$ khost -d stránky.háčkyčárky.cz. 1.1.1.1
;; DEBUG: Querying for owner(xn--strnky-rta.xn--hkyrky-ptac70bc.cz.), class(1), type(1), server(1.1.1.1), port(53), protocol(UDP)
stránky.háčkyčárky.cz. is an alias for háčkyčárky.cz.
háčkyčárky.cz. has IPv4 address 217.31.205.51
;; DEBUG: Querying for owner(xn--strnky-rta.xn--hkyrky-ptac70bc.cz.), class(1), type(28), server(1.1.1.1), port(53), protocol(UDP)
háčkyčárky.cz. has IPv6 address 2001:1488:0:3::5
;; DEBUG: Querying for owner(xn--strnky-rta.xn--hkyrky-ptac70bc.cz.), class(1), type(15), server(1.1.1.1), port(53), protocol(UDP)
háčkyčárky.cz. mail is handled by 10 pošta.háčkyčárky.cz.
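As an added example (not part of the report and not Knot DNS code), the following Python script produces the punycode view requested above from captured kdig/khost output, using only the standard library's idna codec (IDNA 2003 + RFC 3492 punycode). The sample output lines are constructed from the kdig answer shown in the report; the decoding helper also shows which non-ASCII characters make a name such as xn--eepass-vbb.info a look-alike.

```python
import re
import unicodedata

# Constructed sample: the kdig answer quoted in the report above.
KDIG_OUTPUT = """\
;; QUESTION SECTION:
;; stránky.háčkyčárky.cz. IN A
;; ANSWER SECTION:
stránky.háčkyčárky.cz. 1800 IN CNAME háčkyčárky.cz.
háčkyčárky.cz. 60 IN A 217.31.205.51
"""

# A whitespace-delimited token ending in a dot, i.e. a fully qualified name
# as kdig/khost print it (IP addresses and TTLs never end in a dot).
FQDN_RE = re.compile(r"(?<!\S)\S+\.(?!\S)")


def to_alabels(name: str) -> str:
    """U-labels -> A-labels, label by label; a trailing dot is preserved."""
    trailing = "." if name.endswith(".") else ""
    labels = name.rstrip(".").split(".")
    return ".".join(l.encode("idna").decode("ascii") for l in labels) + trailing


def to_ulabels(name: str) -> str:
    """A-labels -> U-labels; the codec rejects labels that do not round-trip."""
    trailing = "." if name.endswith(".") else ""
    labels = name.rstrip(".").split(".")
    return ".".join(l.encode("ascii").decode("idna") for l in labels) + trailing


def punycode_view(output: str) -> str:
    """Rewrite every non-ASCII owner/target name in kdig/khost output."""
    def repl(m: re.Match) -> str:
        tok = m.group(0)
        return tok if tok.isascii() else to_alabels(tok)
    return "\n".join(FQDN_RE.sub(repl, line) for line in output.splitlines())


def non_ascii_chars(name: str) -> list:
    """List each non-ASCII character of a decoded name with its Unicode name,
    so a look-alike such as the cedilla'd k in the keepass case stands out."""
    return [(c, unicodedata.name(c, "?")) for c in name if not c.isascii()]


if __name__ == "__main__":
    print(punycode_view(KDIG_OUTPUT))
    decoded = to_ulabels("xn--eepass-vbb.info")
    print(decoded, non_ascii_chars(decoded))
```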