APRICOT 2018 | anuragbhatia.com

Mapping Facebook's FNA (CDN) nodes across the world!

Just back from APRICOT 2018. As I mentioned in my previous blog post, APNIC had its first Hackathon and it was fun (blog post of APNIC here). There was one project on the ranking of CDNs using RIPE Atlas data. To achieve this team was trying to find strings/hostnames which they can trace to and figure out nearby CDN.
As part of that, I suggested them to look into www.facebook.com and carefully noting the sources from where elements get loaded. It’s quite common that Facebook.com (or Google.com for the logic) would be hosted on some server at a large PoP while FNA (or GGC) would serve only specific static content out of it. FNA, of course, sits on the IPs of the ISP hosting it.
So in the source list, we found scontent.fktm1-1.fna.fbcdn.net and that gives an idea that FNA strings are around logic: scontent.fxxx1-1.fna.fbcdn.net where xxx is the airport code. 1-1 means 1st PoP in 1st ISP over there probably (strong guess!). If there are more FNA nodes in a given area, the number goes further up. The team used it and for now, the project is over. But while I was on the way back to India, I thought that this is very interesting data if we pull the full picture by querying all possible IATA airport codes with a logic.
This logic can be used for two things:

Finding locations of all FNA nodes and plot them on the map
Find which networks/ASNs in the world host it

In my check with a script querying it all, I found there are 1689 of FNA’s nodes deployed across the world. Here’s a map of the presence of FNA:

Some of the interesting regional stats from the data

India

Bharti Airtel AS9498 is hosting Facebook caching FNA nodes at Bangalore, Mumbai, Calcutta, Delhi, Hyderabad, Chandigarh, Jaipur, Chennai and Patna i.e 9 cities while in case of Jio they are hosted in 19 cities – Agra, Ahmedabad, Bhubaneswar, Bhopal, Bangalore, Mumbai, Calcutta, Cochin, Delhi, Delhi, Guwahati, Hyderabad, Jammu, Jaipur, Madras, Nagpur, Patna, Simla, Srinagar. IDEA Cellular has them at 6 locations Bangalore
Mumbai, Delhi, Hyderabad, Indore and Pune.

FNA nodes in Indian metro cities

ASN	AS Name	IPv4	IPv6	Airport Code	Airport Desc
9498	BBIL-AP BHARTI Airtel Ltd., IN	157.240.191.17	2a03:2887:ff05:0:face:b00c:0:a7	BOM	Bombay
45769	DVOIS-IN D-Vois Broadband Pvt Ltd, IN	1.186.190.17	2400:1f00:0:d:face:b00c:0:a7	BOM	Bombay
55836	RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN	49.44.63.17	2405:200:1602:2885:face:b00c:0:a7	BOM	Bombay
55644	IDEANET1-IN Idea Cellular Limited, IN	223.196.3.81	2400:c700:0:5:face:b00c:0:a7	BOM	Bombay
58678	INTECHONLINE-IN Intech Online Private Limited, IN	124.108.16.209	2404:bd00:1:4:face:b00c:0:a7	BOM	Bombay
55352	MCPL-IN Microscan Computers Private Limited, IN	103.226.191.209	2406:9e00:3:1:face:b00c:0:a7	BOM	Bombay
18196	SEVENSTAR-AS Seven Star Internet Service Provider, IN	202.134.164.209	2402:f200:301:0:face:b00c:0:a7	BOM	Bombay
45194	SIPL-AS Syscon Infoway Pvt. Ltd., IN	110.5.75.17	2401:a100:2:4:face:b00c:0:a7	BOM	Bombay
45117	INPL-IN-AP Ishan_s Network, IN	103.214.129.17		BOM	Bombay
133720	SOFTCALLCOC-AS SOFT CALL CUST-O-CARE PRIVATE LIMITED, IN	139.5.47.209		BOM	Bombay
133232	SAMPARKESTATES-AS-IN SAMPARK ESTATES PVT. LTD., IN	103.69.221.17	2001:df7:6e00:3:face:b00c:0:a7	BOM	Bombay
17665	IN2CABLE-AP AS Number of In2cable.com (India) Ltd., IN	203.192.223.145		BOM	Bombay
55832	HOMESYSTEM-AS-AP HOME SYSTEMS PVT.LTD, IN	120.88.176.145		BOM	Bombay
55862	WNET-IN Wan & Lan Internet Pvt Ltd, IN	49.128.164.17		BOM	Bombay
24554	FIVE-NET-AS-IN Fivenetwork Solution India Pvt Ltd Internet, IN	202.177.230.145		BOM	Bombay
17488	HATHWAY-NET-AP Hathway IP Over Cable Internet, IN	202.88.184.17		BOM	Bombay
38266	HUTCHVAS-AS Vodafone Essar Ltd., Telecommunication – Value Added Services, IN	1.38.8.17	2402:3a80:c002:13:face:b00c:0:a7	BOM	Bombay
17747	ZIML-AP SITI NETWORKS LIMITED, IN	103.225.178.209	2406:3c80:1:3:face:b00c:0:a7	CCU	Calcutta
55836	RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN	49.44.63.209	2405:200:1606:2885:face:b00c:0:a7	CCU	Calcutta
23860	ALLIANCE-GATEWAY-AS-AP Alliance Broadband Services Pvt. Ltd., IN	203.171.243.145		CCU	Calcutta
9498	BBIL-AP BHARTI Airtel Ltd., IN	157.240.185.17	2a03:2887:ff06:0:face:b00c:0:a7	CCU	Calcutta
45804	MEGHBELA-IN MEGHBELA BROADBAND, IN	103.56.238.17		CCU	Calcutta
45334	AIRCEL-AS-AP Dishnet Wireless Limited, IN	202.148.205.17	2402:4c00:ffff:ffed:face:b00c:0:a7	CCU	Calcutta
38266	HUTCHVAS-AS Vodafone Essar Ltd., Telecommunication – Value Added Services, IN	1.38.7.209	2402:3a80:c009:13:face:b00c:0:a7	CCU	Calcutta
NA	NA	223.196.149.145	2400:c700:a000:0:face:b00c:0:a7	CCU	Calcutta
9498	BBIL-AP BHARTI Airtel Ltd., IN	157.240.189.17	2a03:2887:ff03:0:face:b00c:0:a7	DEL	Delhi
55644	IDEANET1-IN Idea Cellular Limited, IN	223.196.64.17	2400:c700:4000:0:face:b00c:0:a7	DEL	Delhi
55836	RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN	49.44.63.145	2405:200:160b:2885:face:b00c:0:a7	DEL	Delhi
17747	ZIML-AP SITI NETWORKS LIMITED, IN	103.217.246.17	2402:ea80:0:1:face:b00c:0:a7	DEL	Delhi
132116	ANINETWORK-IN Ani Network Pvt Ltd, IN	45.248.174.81		DEL	Delhi
132453	TRIPLE-PLAY-IN TRIPLE PLAY BROADBAND PRIVATE LIMITED, IN	150.242.84.145		DEL	Delhi
58965	ABSPL-AS-IN ANJANI BROADBAND SOLUTIONS PVT.LTD., IN	103.233.117.81		DEL	Delhi
133982	EXCITEL-AS-IN Excitel Broadband Private Limited, IN	103.56.230.209		DEL	Delhi
45184	DEN-ISP-AS-IN-AP Den Digital Entertainment Pvt. Ltd. AS ISP india, IN	112.196.177.17		DEL	Delhi
133982	EXCITEL-AS-IN Excitel Broadband Private Limited, IN	103.48.198.209		DEL	Delhi
55836	RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN	49.44.62.145	2405:200:1605:2885:face:b00c:0:a7	DEL	Delhi
17488	HATHWAY-NET-AP Hathway IP Over Cable Internet, IN	202.88.147.145		DEL	Delhi
38266	HUTCHVAS-AS Vodafone Essar Ltd., Telecommunication – Value Added Services, IN	1.38.7.81	2402:3a80:c005:13:face:b00c:0:a7	DEL	Delhi
NA	NA	233.196.145.145	2400:c700:a001:0:face:b00c:0:a7	DEL	Delhi
133275	GIGANTIC-AS Gigantic Infotel Pvt Ltd, IN	103.59.199.145		DEL	Delhi
38266	HUTCHVAS-AS Vodafone Essar Ltd., Telecommunication – Value Added Services, IN	1.38.5.17	2402:3a80:c006:13:face:b00c:0:a7	DEL	Delhi
9498	BBIL-AP BHARTI Airtel Ltd., IN	157.240.190.17	2a03:2887:ff04:0:face:b00c:0:a7	MAA	Madras
55836	RELIANCEJIO-IN Reliance Jio Infocomm Limited, IN	49.44.63.81	2405:200:1607:2885:face:b00c:0:a7	MAA	Madras
24309	CABLELITE-AS-AP Atria Convergence Technologies Pvt. Ltd. Broadband Internet Service Provider INDIA, IN	49.207.35.17	2406:7400:b7:0:face:b00c:0:a7	MAA	Madras
45334	AIRCEL-AS-AP Dishnet Wireless Limited, IN	202.148.204.145	2402:4c00:ffff:ffec:face:b00c:0:a7	MAA	Madras
38266	HUTCHVAS-AS Vodafone Essar Ltd., Telecommunication – Value Added Services, IN	1.38.8.145	2402:3a80:c00b:13:face:b00c:0:a7	MAA	Madras
17488	HATHWAY-NET-AP Hathway IP Over Cable Internet, IN	202.88.160.81		MAA	Madras

South Asian neighbours of India

Kathmandu

ASN	AS Name	IPv4	IPv6	Airport Code	Airport Desc
23752	NPTELECOM-NP-AS Nepal Telecommunications Corporation, Internet Services, NP	120.89.99.17		KTM	Kathmandu
38565	NCELL-AS-NP Ncell Pvt. Ltd., NP	116.68.215.17		KTM	Kathmandu
17501	WLINK-NEPAL-AS-AP WorldLink Communications Pvt Ltd, NP	139.5.68.17	2400:1a00:4:139:face:b00c:0:a7	KTM	Kathmandu
45845	NEPAL-IIG-AS NEPAL INTERNATIONAL INTERNET GATEWAY, NP	202.51.79.17	2405:6600:709:0:face:b00c:0:a7	KTM	Kathmandu
4613	MOS-NP Mercantile Office Systems, NP	27.111.22.17		KTM	Kathmandu
55915	CLASSIC-NP Classic Tech Pvt. Ltd., NP	202.94.66.145		KTM	Kathmandu
45650	VIANET-NP Vianet Communications Pvt. Ltd., NP	110.44.120.81	2404:7c00:1:1:face:b00c:0:a7	KTM	Kathmandu
17501	WLINK-NEPAL-AS-AP WorldLink Communications Pvt Ltd, NP	139.5.68.145	2400:1a00:4:13a:face:b00c:0:a7	KTM	Kathmandu
4007	SUBISU-CABLENET-AS-AP Subisu Cablenet (Pvt) Ltd, Baluwatar, Kathmandu, Nepal, NP	182.93.66.17	2403:3800::face:b00c:0:a7	KTM	Kathmandu

Dhaka

ASN	AS Name	IPv4	IPv6	Airport Code	Airport Desc
24432	AXIATA-ROBI-AS-AP TM International Bangladesh Ltd.Internet service Provider,Gulshan-1,Dhaka-1212, BD	202.134.8.17		DAC	Dhaka
24389	GRAMEENPHONE-AS-AP GrameenPhone Ltd., BD	123.108.241.17		DAC	Dhaka
24389	GRAMEENPHONE-AS-AP GrameenPhone Ltd., BD	123.108.242.17		DAC	Dhaka
45245	BANGLALINK-AS banglalink an Orascom Telecom Company, providing GSM Telecom service in Bangladesh, BD	203.223.95.209		DAC	Dhaka
58715	EARTHTELECOMMUNICATION-AS EARTH TELECOMMUNICATION (Pvt) LTD., BD	45.113.132.17		DAC	Dhaka
23688	LINK3-TECH-AS-BD-AP Link3 Technologies Ltd., BD	203.76.97.145	2400:ca00:1fb:fb01:face:b00c:0:a7	DAC	Dhaka
58689	ICCNET-DHK-BD ICC Communication, BD	103.41.213.145		DAC	Dhaka
134371	CIRCLENETWORK-BD CIRCLE NETWORK BANGLADESH, BD	202.136.90.209	2400:3dc0:200:1:face:b00c:0:a7	DAC	Dhaka
63996	MNL-AS-AP Mazeda Networks Limited, BD	103.60.174.145		DAC	Dhaka
58601	AAMRA-ATL-BD Aamra technologies limited, BD	43.245.195.81		DAC	Dhaka
134204	BUSINESSNETWORK-AS-AP Business Network, BD	203.76.223.209	2400:4d40:1:101:face:b00c:0:a7	DAC	Dhaka
45925	TELETALK-BD ASN For Teletalk Bangladesh Ltd., BD	103.230.105.145		DAC	Dhaka
59362	KSNETWORK-AS-AP KS Network Limited, BD	110.76.130.81		DAC	Dhaka
58682	LEVEL3-BD Level3 Carrier Ltd., BD	103.15.41.209	2404:c900:8:0:face:b00c:0:a7	DAC	Dhaka
45766	TRIANGLESERVICES Triangle Services Limited., BD	103.40.227.81		DAC	Dhaka
133854	X-PRESS-AS-AP X-press Technologies Limited., BD	103.43.149.81		DAC	Dhaka
58889	ZOL-BD Zx Online Ltd, BD	103.19.254.145		DAC	Dhaka
134382	ASN134382 Radisson Technologies, BD	103.88.235.17		DAC	Dhaka
55492	DFN-BD Dhaka Fiber Net Limited, BD	45.127.244.209		DAC	Dhaka
45905	STARGATE-AS-AP Stargate Communications Ltd., BD	45.118.245.145		DAC	Dhaka

Colombo, Sri Lanka

ASN	AS Name	IPv4	IPv6	Airport Code	Airport Desc
9329	SLTINT-AS-AP Sri Lanka Telecom Internet, LK	222.165.163.145	2402:d000:130:40:face:b00c:0:a7	CMB	Colombo
9329	SLTINT-AS-AP Sri Lanka Telecom Internet, LK	222.165.163.209	2402:d000:130:48:face:b00c:0:a7	CMB	Colombo
18001	DIALOG-AS Dialog Axiata PLC., LK	125.214.168.17	2404:f000:0:e:face:b00c:0:a7	CMB	Colombo
18001	DIALOG-AS Dialog Axiata PLC., LK	125.214.168.145	2404:f000:0:f:face:b00c:0:a7	CMB	Colombo
45224	BELLNET-AS-AP Lanka Bell Limited, LK	203.81.96.81	2406:c00:0:1:face:b00c:0:a7	CMB	Colombo
132045	AIRTEL-AS-ISP Bharti Airtel Lanka Pvt. Limited, LK	223.224.4.17	2400:ff00:2:0:face:b00c:0:a7	CMB	Colombo
17470	ETISALATLK-AS Etisalat Lanka (Pvt) Ltd., LK	43.252.12.145		CMB	Colombo

Pakistan

ASN	AS Name	IPv4	IPv6	Airport Code	Airport Desc
9541	CYBERNET-AP Cyber Internet Services (Pvt) Ltd., PK	103.213.110.17		KHI	Karachi
132165	CONNECT-AS-AP Connect Communications, PK	111.119.161.209		KHI	Karachi
24499	TPP-AS-PK Telenor Pakistan, PK	43.224.238.81		KHI	Karachi
59257	CMPAKLIMITED-AS-AP CMPak Limited, PK	45.116.233.145		KHI	Karachi
23966	LDN-AS-PK LINKdotNET Telecom Limited, PK	119.30.107.81		KHI	Karachi
45595	PKTELECOM-AS-PK Pakistan Telecom Company Limited, PK	182.176.35.145	2404:7000:b100:0:face:b00c:0:a7	KHI	Karachi
9387	AUGERE-PK AUGERE-Pakistan, PK	103.11.60.145		KHI	Karachi
58895	EBONE1-PK Ebone Network (PVT.) Limited, PK	150.129.7.209		KHI	Karachi
55714	APNIC-FIBERLINK-PK Fiberlink Pvt.Ltd, PK	103.17.203.145		KHI	Karachi
38193	TWA-AS-AP Transworld Associates (Pvt.) Ltd., PK	110.93.194.81	2404:d400:4000:20:face:b00c:0:a7	KHI	Karachi
45595	PKTELECOM-AS-PK Pakistan Telecom Company Limited, PK	182.176.35.209	2404:7000:b110:0:face:b00c:0:a7	KHI	Karachi
45814	FARIYA-PK Fariya Networks Pvt. Ltd., PK	14.192.149.209		KHI	Karachi
38547	WITRIBE-AS-AP WITRIBE PAKISTAN LIMITED, PK	115.167.77.81		KHI	Karachi
24499	TPP-AS-PK Telenor Pakistan, PK	43.224.239.81		LHE	Lahore
59257	CMPAKLIMITED-AS-AP CMPak Limited, PK	45.116.235.145		LHE	Lahore
45595	PKTELECOM-AS-PK Pakistan Telecom Company Limited, PK	182.176.35.81	2404:7000:6100:0:face:b00c:0:a7	LHE	Lahore
23966	LDN-AS-PK LINKdotNET Telecom Limited, PK	119.30.107.17		LHE	Lahore
9541	CYBERNET-AP Cyber Internet Services (Pvt) Ltd., PK	124.29.210.81		LHE	Lahore
38264	WATEEN-IMS-PK-AS-AP National WiMAX/IMS environment, PK	58.27.171.17	2402:fd00::face:b00c:0:a7	LHE	Lahore
45595	PKTELECOM-AS-PK Pakistan Telecom Company Limited, PK	182.176.36.81	2404:7000:6000:0:face:b00c:0:a7	LHE	Lahore
38547	WITRIBE-AS-AP WITRIBE PAKISTAN LIMITED, PK	115.167.75.81		LHE	Lahore

Male, Maldives

ASN	AS Name	IPv4	IPv6	Airport Code	Airport Desc
55944	OOREDOO-MV Ooredoo Maldives Plc, MV	202.153.85.209		MLE	Male
7642	DHIRAAGU-MV-AP Dhivehi Raajjeyge Gulhun (Dhiraagu), MV	103.31.85.81	2406:e400:1:fb:face:b00c:0:a7	MLE	Male

What is amazing to see that is there are even nodes of Facebook in areas like Kabul

Kabul, Afghanistan

ASN	AS Name	IPv4	IPv6	Airport Code	Airport Desc
38742	AWCC-AS-AP AWCC, AF	61.5.206.209	2400:e500:0:16:face:b00c:0:a7	KBL	Kabul
45178	ROSHAN-AF Main Street, House No. 13 Wazir Akbar Khan, AF	103.28.134.81		KBL	Kabul
55330	GCN-DCN-AS AFGHANTELECOM GOVERNMENT COMMUNICATION NETWORK, AF	149.54.4.81		KBL	Kabul
55330	GCN-DCN-AS AFGHANTELECOM GOVERNMENT COMMUNICATION NETWORK, AF	149.54.4.17		KBL	Kabul

Link to complete data – ~~https://docs.google.com/spreadsheets/d/e/2PACX-1vQ18Ggi9x6QV-kLk6SrYEEQyA2U8gSHKTROfatNbhDISjfNZDEz-h2J8Qb10OIIQnEDvSrKS5Aj5XsP/pubhtml?gid=1674278445&single=true~~
***Update***
29 Nov 2019: Check the latest post here.
Limitations of data

As I often say – what is there is there. There can be more which is not there in data.
Mapping is based on airport codes and it’s a common practice to use airport codes in DNS records. Actual node location may be within a 100-200km radius of the airport code.

Encrypted DNS using DNSCrypt

Writing this post from my hotel room in Kathmandu. I found that many of the servers appear to be DNS resolvers which is unusual.
E.g:

dig @anuragbhatia.com . ns +short
a.root-servers.net.
b.root-servers.net.
c.root-servers.net.
d.root-servers.net.
e.root-servers.net.
f.root-servers.net.
g.root-servers.net.
h.root-servers.net.
i.root-servers.net.
j.root-servers.net.
k.root-servers.net.
l.root-servers.net.
m.root-servers.net.
dig @google.com . ns +short
b.root-servers.net.
c.root-servers.net.
d.root-servers.net.
e.root-servers.net.
f.root-servers.net.
g.root-servers.net.
h.root-servers.net.
i.root-servers.net.
j.root-servers.net.
k.root-servers.net.
l.root-servers.net.
m.root-servers.net.
a.root-servers.net.

This seems unusual and is the result of basically port 53 DNS hijack. Let’s try to verify it using popular “whoami.akamai.net” query.

dig @8.8.8.8 whoami.akamai.net a +short
202.79.32.164
dig @9.9.9.9 whoami.akamai.net a +short
202.79.32.164
dig @1.2.3.4 whoami.akamai.net a +short
202.79.32.164

So clearly something in middle is hijacking DNS queries and no matter whichever DNS resolver I try to use, the queries actually hit authoritative DNS via 202.79.32.164. This belongs to WorldLink Communications (ISP here in Nepal) and I am just 5 hops away from it.

So what can be done about these cases? Well, one way is VPN of course but with a setup where VPN server’s IP address is hardcoded in the client and not using DNS. It works and does the task but performance can vary greatly depending on how far is the tunnel server. A better and more modern way out of it is by using encryption in DNS by using a protocol named “DNSCrypt“. DNSCrypt offers to encrypt of DNS queries from clients to the DNS resolvers. (Beyond that resolver still, follow usual non-encrypted root chain to reach authoritative DNS servers).

So how does it work?
There’s no integrated support of DNSCrypt in OS’es at this time. There are number of projects like dnscrypt-osxclient available on GitHub which enable this support. Once configured, the client changes system’s DNS resolver to a local IP which listens for port 53 (regular/non-encrypted) requests.

cat /etc/resolv.conf |grep nameserver
nameserver 127.0.0.54

The client often offers support of various open resolvers like OpenDNS, Quad9 etc.

dig @127.0.0.54 whoami.akamai.net a +short
67.215.80.66

Here it shows that DNS resolver in my case happens to be Cisco’s OpenDNS. As soon as the client gets port 53 DNS queries, it encrypts it and sends via UDP port 443 (UDP or TCP depending on provider and client configuration). The encyption is based on trusted root CA’s and associated chain as popularly used in HTTPS. This is also one of reasons why DNSCrypt is also known as DNS over HTTPS.

Here’s an example of a DNS query to resolve A record of google.com while running tcpdumps in parallel:

sudo tcpdump -i lo0 'dst port 53' -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
04:36:04.429212 IP 127.0.0.54.50966 > 127.0.0.54.53: 31576+ A? prd.col.aria.browser.skypedata.akadns.net. (59)
04:36:04.532015 IP 127.0.0.54.54914 > 127.0.0.54.53: 623+ [1au] A? google.com. (39)
^C
2 packets captured
4 packets received by filter
0 packets dropped by kernel

This shows request went in clear text to 127.0.0.54 which is configured on loopback. While in parallel if I watch for traffic towards OpenDNS public IPs, I get:

sudo tcpdump -i en0 'dst 208.67.220.220 or dst 208.67.222.222' -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
04:39:56.827824 IP 192.168.0.4.53763 > 208.67.220.220.443: UDP, length 512
^C
1 packet captured
63 packets received by filter
0 packets dropped by kernel

Thus all that appears here is just an encrypted packet to Cisco OpenDNS over UDP port 443.
I ran another query and saved it in pcap file. Here’s how it looks like in wireshark:

That’s all about it for now. I am going to keep encryption enabled especially when travelling from now onwards. Time to get some sleep. 🙂

Useful Links:

dnscrypt-osxclient – https://github.com/alterstep/dnscrypt-osxclient
DNSCrypt Wikipedia – https://en.wikipedia.org/wiki/DNSCrypt
DNS Over HTTPS (Google Public DNS) – https://developers.google.com/speed/public-dns/docs/dns-over-https
DNS over TLS (Quad9) – https://quad9.net/faq/#Does_Quad9_support_DNS_over_TLS

anuragbhatia.com

DNS, BGP, IPv6 and more!

Tag Archives: APRICOT 2018