[dns-operations] NXDOMAIN for some types and not others (Was: Too Open (Was: OpenDNS makes your Internet work better
David Ulevitch
davidu at everydns.net
Wed Jul 12 13:12:17 UTC 2006
On Jul 12, 2006, at 5:20 AM, Florian Weimer wrote:
> * David Ulevitch:
>
>> On Jul 12, 2006, at 4:58 AM, Florian Weimer wrote:
>>
>>> * Stephane Bortzmeyer:
>>>
>>>> ~ % dig AAAA www.nic.rf
>>>>
>>>> ; <<>> DiG 9.2.4 <<>> AAAA www.nic.rf
>>>> ;; global options: printcmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25198
>>>
>>> Good catch. This results in a DoS attack vector if you put another
>>> caching resolver between your clients and the OpenDNS servers. 8-/
>>
>> Can you expand on this? It's not obvious to me who the DoS attack
>> victim would be in that scenario.
>
> Users of the caching resolver. The NXDOMAIN is cached, and applied to
> all RR types (including A).
Doing a quick check of a real zone would show that things work.
The bug reported only seemed to apply to zones that didn't exist.
What did I miss?
-davidu
root at m3:~# host -t AAAA -vv nic.fr 208.67.222.222
Trying "nic.fr"
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51405
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;nic.fr. IN AAAA
Received 24 bytes from 208.67.222.222#53 in 1 ms
root at m3:~# host -t AAAA -vv nic.fr 4.2.2.1
Trying "nic.fr"
Using domain server:
Name: 4.2.2.1
Address: 4.2.2.1#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8995
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;nic.fr. IN AAAA
;; AUTHORITY SECTION:
nic.fr. 10800 IN SOA maya.nic.fr. hostmaster.nic.fr. 2006071200 21600 3600 3600000 86400
Received 76 bytes from 4.2.2.1#53 in 3215 ms
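The negative-caching behaviour Florian describes (an NXDOMAIN is cached per name and then served for every record type, whereas a NODATA answer is cached per name and type, and only when the SOA is present) can be shown offline with a small simulation of RFC 2308 rules. The block below is an added example and is not code from this thread, from OpenDNS or from the host tool; the zone data, the name nic.example. and the three upstream variants are constructed for illustration. One variant reproduces the reported bug (NXDOMAIN for an AAAA query on a name that exists), and one mirrors the NOERROR-without-SOA answer shown in the first transcript above.

```python
"""Simulation of RFC 2308 negative caching, written to illustrate the
thread's point. Added example, not code from the dns-operations thread.
Zone data, names and upstream behaviours below are constructed.
TTL expiry is deliberately ignored; only cache keying matters here."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

NXDOMAIN = "NXDOMAIN"
NOERROR = "NOERROR"


@dataclass
class Response:
    rcode: str
    answers: List[Tuple[str, str]] = field(default_factory=list)  # (type, rdata)
    soa_ttl: Optional[int] = None  # negative TTL from an SOA in the authority section


# Constructed authoritative data: the name exists and has an A record but no AAAA.
ZONE = {"nic.example.": {"A": ["192.0.2.10"]}}
SOA_MINIMUM = 3600  # SOA minimum field, used as the negative-cache TTL


def correct_upstream(name: str, qtype: str) -> Response:
    """Well-behaved resolver: NXDOMAIN only for names that do not exist,
    NODATA (NOERROR, empty answer, SOA in authority) for a missing type."""
    if name not in ZONE:
        return Response(NXDOMAIN, soa_ttl=SOA_MINIMUM)
    rrs = ZONE[name].get(qtype, [])
    if not rrs:
        return Response(NOERROR, [], soa_ttl=SOA_MINIMUM)
    return Response(NOERROR, [(qtype, r) for r in rrs])


def buggy_upstream(name: str, qtype: str) -> Response:
    """Hypothetical reproduction of the reported bug: every empty answer
    becomes NXDOMAIN, even when the name exists with other types."""
    resp = correct_upstream(name, qtype)
    if not resp.answers:
        return Response(NXDOMAIN, soa_ttl=SOA_MINIMUM)
    return resp


def nodata_without_soa_upstream(name: str, qtype: str) -> Response:
    """Returns NOERROR with an empty answer and no SOA, like the first
    transcript in the message (AUTHORITY: 0). Not cacheable under RFC 2308."""
    resp = correct_upstream(name, qtype)
    if resp.rcode == NOERROR and not resp.answers:
        return Response(NOERROR, [])
    return resp


class CachingResolver:
    """Downstream cache applying RFC 2308: NXDOMAIN is keyed by name alone,
    NODATA by (name, type); negative answers without an SOA are not stored."""

    def __init__(self, upstream: Callable[[str, str], Response]):
        self.upstream = upstream
        self.positive = {}     # (name, type) -> answers
        self.nodata = set()    # (name, type)
        self.nxdomain = set()  # name

    def query(self, name: str, qtype: str) -> Response:
        if name in self.nxdomain:
            return Response(NXDOMAIN)  # served for every type, including A
        if (name, qtype) in self.nodata:
            return Response(NOERROR, [])
        if (name, qtype) in self.positive:
            return Response(NOERROR, self.positive[(name, qtype)])
        resp = self.upstream(name, qtype)
        if resp.rcode == NXDOMAIN and resp.soa_ttl:
            self.nxdomain.add(name)
        elif resp.rcode == NOERROR and not resp.answers and resp.soa_ttl:
            self.nodata.add((name, qtype))
        elif resp.answers:
            self.positive[(name, qtype)] = resp.answers
        return resp


def a_rcode_after_aaaa(upstream) -> str:
    """Ask AAAA first, as a dual-stack client does, then A for the same name;
    return the rcode the client sees for the A query."""
    cache = CachingResolver(upstream)
    cache.query("nic.example.", "AAAA")
    return cache.query("nic.example.", "A").rcode


def upstream_calls_for_two_aaaa(upstream) -> int:
    """Count how often the cache has to go upstream for two identical AAAA
    queries; 1 means the negative answer was cached, 2 means it was not."""
    calls = [0]

    def counting(name, qtype):
        calls[0] += 1
        return upstream(name, qtype)

    cache = CachingResolver(counting)
    cache.query("nic.example.", "AAAA")
    cache.query("nic.example.", "AAAA")
    return calls[0]


if __name__ == "__main__":
    print("correct upstream, A after AAAA:", a_rcode_after_aaaa(correct_upstream))
    print("buggy upstream,   A after AAAA:", a_rcode_after_aaaa(buggy_upstream))
    print("no-SOA NODATA, upstream calls: ", upstream_calls_for_two_aaaa(nodata_without_soa_upstream))
```

With the buggy upstream the A query comes back NXDOMAIN from the downstream cache although the name has an A record, which is the denial of service Florian means: every client behind that cache loses the name for the negative TTL. The no-SOA variant is not harmful in that way, but it also gives the cache nothing to store, so each AAAA miss is forwarded upstream again.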