
Comments (7)

y4my4my4m commented on July 21, 2024 13

@joeyhub you really think they'd want everyone to know their biggest bank is called "Silly bank" ? 😂

from northkoreadnsleak.

ryanhellyer commented on July 21, 2024 1

If they were going to make them public, they'd proxy them through some place else first. Bandwidth into and out of North Korea is likely significantly more expensive than some cheap data center elsewhere. Opening up their live local sites like this does not seem like a good idea as they presumably wouldn't have (or want to have) enough infrastructure to handle the increased traffic volume.


emijrp commented on July 21, 2024 1

These domains were available years ago. Internet Archive has copies from several years:

I don't think this is a leak.


mandatoryprogrammer commented on July 21, 2024 1

I think there's some confusion between what reporters have been saying and what I have actually posted here.

This is certainly a leak of North Korea's top level domain data, unless the thought is that North Korea wanted to somehow increase traffic to their sites/get news attention by enabling DNS zone transfers on just one of their TLD nameservers. I can think of a bunch of better ways to leak this information, especially since they likely wouldn't know that someone would immediately discover this via doing AXFRs against their nameservers. Unless I'm secretly in on it :) which certainly isn't the case.

To support the accidental leak theory, North Korea has now patched their ns2.kptc.kp to fix the mistake. If they wanted people to have this data - why patch it at all?

Most of these sites have been available previously but we've never had confirmation of the entire list of North Korea domain names/DNS data until this leak occurred. Before that there was only speculation of how many domains North Korea actually had for .kp. News reporters have sort of warped this information, but then again, they also are saying that this is a project made by Github ;).


ryanhellyer commented on July 21, 2024

Wow. That's pretty dumb.

Thanks for pointing that out @emijrp


joeyhub commented on July 21, 2024

Thanks mandatoryprogrammer. This is a really interesting project so in a way, it's quite good that the news channels are raising awareness of novel ways to utilise github even if clueless journalists are talking a load of rubbish half the time. I saw another interesting project recently that uses github to add comments to a blog (the website with data is basically on git). I've seen other people using it for their custom user profile such as vim/bash defaults which was also quite innovative. It has changed the way I think about using github.

I think if they patched it, that suggests strongly enough to consider it accidental unless being super pedantic especially in combination with it only being set on one server out of many servers (you could say they intentionally did it/didn't care then rolled back after they realised they could not handle the traffic). That doesn't mean we have 100% proof of it being an accident, but probably enough to get away with calling it that. It's possible they didn't care and you have just given North Korea a massive surge in traffic to their external sites for free. People get paid a lot of money for that normally so you're missing out this time around... :(

The reason I asked is because while you would assume someone doing that was an accident in a normal scenario, for small scale setups and particularly with a strange case like North Korea you tend to find more unusual approaches to solving common problems as well as "unique" setups or concerns. The other reason is personal opinion, I'm expecting North Korea to do something along these lines.

North Korea might have a vested interest in leaking their domains like this. Currently nearly all news and information about North Korea goes through South Korea then the western press which is very bad for them in that it is completely one sided. Their continued policy of total secrecy is one that has turned out catastrophic when it comes to global opinion or perception. They leave a lot to the imagination. China isn't big on externalising its news so there is no compensation there. China conforms to its stereotype of being more concerned with keeping things out than sending things out. Russia likes to send things out but this primarily caters to its own concerns, it does not cover North Korea very well. So it actually definitely would not be unusual for North Korea to want to externalise more via the internet to change people's perception of it, especially given that it is currently headed by a western educated leader that likely has a strong grasp of the notion of foreign perception.

Github isn't really the place for this kind of speculation and political analysis but I think I'll be forgiven for expressing my motive in trying to understand more about whether we can reliably assume that this was not a deliberate action.

Just to add some really pedantic stuff:

I tend to agree that they might not think that "someone was watching" but unless there's something I don't know about your process (IE it is indirect) wouldn't they see the failed requests in the log if they had that enabled? If it were repetitive it would be creating a lot of noise that would stand out.

For emijrp's argument, looking at the listing I am pretty sure that the kp domain is primarily used for external things. Anything on there even not external seems to be firewalled against external access. I suspect internally on a national basis they may have their own TLDs (or overlay TLD) entirely. Think of it like a huge corporate LAN where some people literally make their own TLD "lan" or something to the same effect. So it might both be a leak and one that is largely ineffectual. My guess is the ones that are not accessible like the university ones might be firewalled to only allow access for example to university ip ranges for some universities or educational facilities in China. I doubt that there is anything on the kp TLD that isn't accessible and known somewhere outside of North Korea.

For ubiko's argument, the currency in English is pronounced the same as the Chosen One. In both South and North Korea they have a common word that sounds very much like the most forbidden word in primarily English speaking countries. There is a video online of a US GI going berserk because of what he thinks they are saying on a bus and attacking people because of it, it's that bad. I don't think they care.

I wonder if North Korea realises how much money it could create selling its TLD to a certain sauce manufacturer. Open sauce for North Korea! Forgive me, it's a Friday night.


mandatoryprogrammer commented on July 21, 2024

> That doesn't mean we have 100% proof of it being an accident, but probably enough to get away with calling it that.

Absolutely, and obviously the only way to be 100% sure would be to get inside the mind of the NK DNS admin (even asking we may get a convenient lie that says this was intentional when it wasn't, etc). Especially because there would be a big incentive for the DNS admin of NK to lie about his/her screw up.

> I tend to agree that they might not think that "someone was watching" but unless there's something I don't know about your process (IE it is indirect) wouldn't they see the failed requests in the log if they had that enabled? If it were repetitive it would be creating a lot of noise that would stand out.

It would if they were logging these requests verbosely (which I've done in the past for other DNS research projects). I believe (and I could be totally wrong) that this isn't the default mainly because you normally get a lot of DNS queries and this type of logging will flood your disk, especially if you're a nameserver for a TLD. Again, this doesn't prove/disprove anything but just trying to examine both sides.

> The other reason is personal opinion, I'm expecting North Korea to do something along these lines.

Are there past cases of especially clever things like this being done by them? Wouldn't surprise me but if there was another example where they used technology/the Internet to do so then that would lend credence to the idea that it was intentional.

As far as speculation on their firewall/network setup I don't think I can comment because my knowledge on this is very thin and I haven't examined past information about it. I think the idea of querying this stuff from multiple geographical areas would be incredibly interesting though. I'm currently planning out a V2 of TLDR so I may roll this into that.

Appreciate the thoughts on this, I'm going to close this thread since this is all in the speculative realm and is more about North Korea's propaganda capacity than DNS (as you said).

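The logging question raised in the last two comments, as an added example (not code from this thread or from the project): a small detector that reads name-server log lines and reports zone transfers served to clients outside an allow list, plus counts of denied attempts per client. The log format is assumed to follow BIND 9's transfer messages; the sample lines, addresses, zone name and the `AUTHORIZED` set are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed BIND 9 style; documentation address ranges).
SAMPLE_LOG = """\
01-Jan-2024 10:02:11.120 client 192.0.2.10#40112 (example.test): transfer of 'example.test/IN': AXFR started
01-Jan-2024 10:02:11.480 client 192.0.2.10#40112 (example.test): transfer of 'example.test/IN': AXFR ended
01-Jan-2024 10:05:42.003 client 203.0.113.77#51844 (example.test): zone transfer 'example.test/AXFR/IN' denied
01-Jan-2024 10:05:43.950 client @0x7f2a1c0 203.0.113.77#51845 (example.test): zone transfer 'example.test/AXFR/IN' denied
01-Jan-2024 10:07:19.611 client 198.51.100.5#33920 (example.test): transfer of 'example.test/IN': AXFR started
"""

# Hypothetical allow list: the only secondary that should ever pull the zone.
AUTHORIZED = {"192.0.2.10"}

# Newer BIND releases put an "@0x..." handle before the address, so it is optional.
_CLIENT = r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*"
STARTED = re.compile(_CLIENT + r"transfer of '(?P<zone>[^/']+)/IN': (?:AXFR|IXFR) started")
DENIED = re.compile(_CLIENT + r"zone transfer '(?P<zone>[^/']+)/(?:AXFR|IXFR)/IN' denied")


def audit_transfers(log_text, authorized):
    """Return (served, denied).

    served: list of (ip, zone) for transfers that started for a client
            that is not in `authorized` (the misconfiguration case).
    denied: dict mapping (ip, zone) to the number of refused attempts
            (the "noise in the log" case).
    """
    served = []
    denied = defaultdict(int)
    for line in log_text.splitlines():
        match = STARTED.search(line)
        if match:
            if match["ip"] not in authorized:
                served.append((match["ip"], match["zone"]))
            continue
        match = DENIED.search(line)
        if match:
            denied[(match["ip"], match["zone"])] += 1
    return served, dict(denied)


if __name__ == "__main__":
    served, denied = audit_transfers(SAMPLE_LOG, AUTHORIZED)
    for ip, zone in served:
        print(f"ALERT: zone {zone} transferred to unauthorized client {ip}")
    for (ip, zone), count in denied.items():
        print(f"info: {count} denied transfer attempt(s) for {zone} from {ip}")
```

A served transfer to an unlisted client is the event worth alerting on; denied attempts only show up at all if the server is configured to log them.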
