[dns-operations] ag.gov not providing NXDOMAIN responses

Petr Špaček pspacek at isc.org
Fri Apr 12 10:13:27 UTC 2024 

On 11. 04. 24 6:15, Stephane Bortzmeyer wrote:
> On Tue, Apr 09, 2024 at 01:09:20PM -0500,
>   David Zych <dmrz at illinois.edu> wrote
>   a message of 121 lines which said:
> 
>> The problem: when queried for a record underneath ag.gov. which does
>> not exist, these nameservers do not return a proper NXDOMAIN
>> response; instead, they don't answer at all.
> 
> Funny enough, it depends on the QTYPE.
> 
> % dig @ns2.usda.gov. nonono.ag.gov A
> ;; communications error to 2600:12f0:0:ac04::206#53: timed out
> ;; communications error to 2600:12f0:0:ac04::206#53: timed out
> ;; communications error to 2600:12f0:0:ac04::206#53: timed out
> ;; communications error to 199.141.126.206#53: timed out
> 
> ; <<>> DiG 9.18.24-1-Debian <<>> @ns2.usda.gov. nonono.ag.gov A
> ; (2 servers found)
> ;; global options: +cmd
> ;; no servers could be reached
> 
> % dig @ns2.usda.gov. nonono.ag.gov NS
> 
> ; <<>> DiG 9.18.24-1-Debian <<>> @ns2.usda.gov. nonono.ag.gov NS
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44750
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1220
> ; COOKIE: 108e6a3526539745cbe04caf6617b75afc5cf42f25232e56 (good)
> ;; QUESTION SECTION:
> ;nonono.ag.gov.		IN NS
> 
> ;; AUTHORITY SECTION:
> ag.gov.			900 IN SOA ns1.usda.gov. duty\.officer.usda.gov. (
> ...
> 
>> The practical trouble this causes has to do with an increasingly popular DNS privacy feature called QNAME Minimization, which depends upon authoritative DNS servers like yours responding in a standards-compliant way to queries like
>>
>> _.ag.gov IN A
>> _.ars.ag.gov IN A
>> _.tucson.ars.ag.gov IN A
> 
> More fun: the previous version of QNAME minimisation used QTYPE=NS. It
> then changed to QTYPE=A precisely to work around broken
> middleboxes. (And also to avoid sticking out.)

This is not only in violation of
https://datatracker.ietf.org/doc/html/rfc8906
but it is an outright security issue because it allows attackers to mess 
up load balancing in resolvers. See
https://indico.dns-oarc.net/event/47/contributions/1018/attachments/959/1802/pre-silence-not-golden-dns-orac.pdf

I predict you have much better chance getting this fixed if you go 
through respective CERT team and point them to this presentation.


Answering before some asks: No, we are not going to workaround this in 
BIND resolver. It has to be fixed on the auth side. This is not a 
security bug in BIND. See
https://bind9.readthedocs.io/en/latest/chapter7.html#dns-resolvers

-- 
Petr Špaček
Internet Systems Consortium

More information about the dns-operations mailing list