[dns-operations] NXDOMAIN for some types and not others (Was: Too Open (Was: OpenDNS makes your Internet work better
Florian Weimer
fw at deneb.enyo.de
Wed Jul 12 12:20:40 UTC 2006
* David Ulevitch:
> On Jul 12, 2006, at 4:58 AM, Florian Weimer wrote:
>
>> * Stephane Bortzmeyer:
>>
>>> ~ % dig AAAA www.nic.rf
>>>
>>> ; <<>> DiG 9.2.4 <<>> AAAA www.nic.rf
>>> ;; global options: printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25198
>>
>> Good catch. This results in a DoS attack vector if you put another
>> caching resolver between your clients and the OpenDNS servers. 8-/
>
> Can you expand on this? It's not obvious to me who the DoS attack
> victim would be in that scenario.

Users of the caching resolver. The NXDOMAIN is cached, and applied to
all RR types (including A).
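
The caching behaviour described in the reply above, as an added example that is not part of the original thread: a toy resolver cache that stores NXDOMAIN per name (as RFC 2308 negative caching does), so an NXDOMAIN answer to an AAAA query also blocks the later A lookup, while a NOERROR answer with an empty answer section does not. The zone data, `CachingResolver`, `buggy_upstream` and `correct_upstream` are constructed, hypothetical names.

```python
import time

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"
NAME = "www.example.test"                      # constructed sample name
ZONE = {(NAME, "A"): ["192.0.2.10"]}           # constructed zone: A record only

def buggy_upstream(name, rtype):
    """Answers NXDOMAIN whenever the queried type is missing (the reported behaviour)."""
    recs = ZONE.get((name, rtype))
    return (NOERROR, recs, 300) if recs else (NXDOMAIN, [], 300)

def correct_upstream(name, rtype):
    """Answers NOERROR with no records (NODATA) when the name exists under another type."""
    recs = ZONE.get((name, rtype))
    if recs:
        return NOERROR, recs, 300
    exists = any(n == name for n, _ in ZONE)
    return (NOERROR, [], 300) if exists else (NXDOMAIN, [], 300)

class CachingResolver:
    """Toy cache: NXDOMAIN is keyed by name only, NODATA and answers by (name, type)."""
    def __init__(self, upstream, clock=time.monotonic):
        self.upstream, self.clock = upstream, clock
        self.nxdomain = {}   # name -> expiry; applies to every RR type
        self.rrsets = {}     # (name, rtype) -> (expiry, answers)

    def resolve(self, name, rtype):
        now = self.clock()
        if self.nxdomain.get(name, 0) > now:
            return NXDOMAIN, []                # served from the negative cache
        hit = self.rrsets.get((name, rtype))
        if hit and hit[0] > now:
            return NOERROR, hit[1]
        rcode, answers, ttl = self.upstream(name, rtype)
        if rcode == NXDOMAIN:
            self.nxdomain[name] = now + ttl
        else:
            self.rrsets[(name, rtype)] = (now + ttl, answers)
        return rcode, answers

def lookup_a_after_aaaa(upstream):
    """One client asks for AAAA, then any client of the same cache asks for A."""
    cache = CachingResolver(upstream)
    cache.resolve(NAME, "AAAA")
    return cache.resolve(NAME, "A")

if __name__ == "__main__":
    print("buggy upstream:  ", lookup_a_after_aaaa(buggy_upstream))
    print("correct upstream:", lookup_a_after_aaaa(correct_upstream))
```

In this model the A lookup stays broken for all users of the cache until the negative entry's TTL expires.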