[dns-operations] DNS ANY requests / UltraDNS
Mark Andrews
marka at isc.org
Thu Jan 10 01:02:37 UTC 2013
In message <48187E5711D3204C991CB60EC396B754689FD5FD at VCVANMAILMB1.vci.local>, Scott Brynen writes:
>
> In an interesting development to this, UltraDNS are starting to REFUSE a
> UDP/ANY request on some of their name servers. As they're unicast, your
> local ones may or may not. The implication is that any software making an
> ANY query will start to fail when they're all switched over. In my
> region (W.Canada):
> UDNS1.ULTRADNS.NET, UDNS2.ULTRADNS.NET, PDNS1.ULTRADNS.NET,
> PDNS2.ULTRADNS.NET, all refuse a UDP/ANY, whereas PDNS3.ULTRADNS.ORG,
> PDNS4.ULTRADNS.ORG, PDNS5.ULTRADNS.INFO and PDNS6.ULTRADNS.CO.UK still
> accept them
This is ill-thought-out. It won't stop any query being made.
Resolver vendors will just hack their code to force these to TCP,
as they often have *no* control over the client base, i.e. the ISPs.
Instead of just causing everyone to hack their code to force TCP,
just return NOERROR, TC=1, and legitimate clients will fall back to TCP
without all the other side effects of this ill-considered change.
Even that change will only have short-term benefits.
> qmail is the 1st piece of software out there that jumps to mind that is
> going to break, but what else is there out there that makes these
> queries? When all 6 start refusing ANYs, I predict there may be some
> backlash.
>
> I published a one line fix for djbdns (on the djbdns list) if you use it
> as a local cache, to force an ANY query via TCP instead of UDP
> (dns_transmit.c, line 220)
> - if (len + 16 > 512) return firsttcp(d);
> + if ((len + 16 > 512) || byte_equal(qtype,2,DNS_T_ANY))
> return firsttcp(d);
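Review bot: the new condition in dns_transmit.c sends every ANY query straight to firsttcp() with no UDP attempt at all, so, as the note that follows says, a server that answers ANY over UDP but does not listen on TCP/53 becomes unreachable for that qtype; a narrower change keeps the UDP attempt and takes the TCP path only when the UDP reply comes back with TC=1 (the existing truncation retry) or REFUSED, which leaves servers that still accept UDP/ANY working. Also, as pasted, the `+` line is wrapped so that `return firsttcp(d);` on the following line carries no `+` prefix; the hunk will not apply until that line is rejoined.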
> which (partly) solves the issue in case you have software making ANY
> queries; but it also has the downside that misconfigured DNS servers that
> don't listen on TCP then don't work correctly; (such as midco.net's name
> servers).
>
>
> I really wish that ISPs would solve the root problem here, which is
> allowing spoofed packets to exit their networks, then a reflected DNS/UDP
> attack simply wouldn't be possible.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
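The exchange the two messages above argue about, as an added example that is not part of the thread and not code from UltraDNS, ISC or djbdns: RFC 1035 wire-format messages built by hand, two constructed server models (one that answers UDP/ANY with REFUSED as Scott reports, one that answers with NOERROR TC=1 as Mark proposes), and a stock resolver that tries UDP first and retries over TCP only on TC=1. The names, transaction id and 192.0.2.1 address are constructed for illustration.

```python
"""
Added example (not from the original thread): RFC 1035 wire-format sketch
of the two server behaviours discussed above and of how a stock resolver
(UDP first, TCP only on TC=1) reacts to each. Servers, names and the
address are constructed for illustration.
"""
import struct

QTYPE_A, QTYPE_ANY = 1, 255
RCODE_NOERROR, RCODE_REFUSED = 0, 5
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, qtype):
    """One-question query with RD set, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Pull out the fields a resolver decides on: TC bit, RCODE, ANCOUNT."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": an}


def qtype_of(query):
    """QTYPE is the second-to-last 16-bit field of a one-question query."""
    return struct.unpack("!H", query[-4:-2])[0]


def _reply(query, flags, answers=b""):
    """Echo the question section, set QR, copy RD, OR in the given flag/rcode bits."""
    txid, qflags = struct.unpack("!HH", query[:4])
    rflags = FLAG_QR | (qflags & FLAG_RD) | flags
    ancount = 1 if answers else 0
    return struct.pack("!HHHHHH", txid, rflags, 1, ancount, 0, 0) + query[12:] + answers


def refused_reply(query):
    """What Scott observed on UDP/ANY: RCODE=REFUSED and nothing else."""
    return _reply(query, RCODE_REFUSED)


def truncated_reply(query):
    """What Mark proposes instead: NOERROR, TC=1, empty answer section."""
    return _reply(query, FLAG_TC)


def answered_reply(query, ip="192.0.2.1"):
    """Authoritative NOERROR with one A record; 0xC00C points back at the question name."""
    rdata = bytes(int(o) for o in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, len(rdata)) + rdata
    return _reply(query, FLAG_AA, rr)


def server_refuse_any(query, transport):
    """Constructed model of a server that refuses UDP/ANY outright."""
    if transport == "udp" and qtype_of(query) == QTYPE_ANY:
        return refused_reply(query)
    return answered_reply(query)


def server_truncate_any(query, transport):
    """Constructed model of the alternative: TC=1 on UDP/ANY, full answer over TCP."""
    if transport == "udp" and qtype_of(query) == QTYPE_ANY:
        return truncated_reply(query)
    return answered_reply(query)


def resolve(name, qtype, server):
    """Stock resolver logic: try UDP, retry over TCP only when the reply is truncated.
    REFUSED is a final answer, so no TCP retry happens for it.
    Returns (transport used, parsed header of the final reply)."""
    query = build_query(0x1234, name, qtype)
    reply = server(query, "udp")
    hdr = parse_header(reply)
    if hdr["tc"]:
        hdr = parse_header(server(query, "tcp"))
        return "tcp", hdr
    return "udp", hdr


if __name__ == "__main__":
    for label, srv in (("REFUSED", server_refuse_any), ("TC=1", server_truncate_any)):
        transport, hdr = resolve("example.com", QTYPE_ANY, srv)
        print(f"{label:8s} ANY -> via {transport}, rcode={hdr['rcode']}, answers={hdr['ancount']}")
```

Running it shows the difference Mark is pointing at: against the REFUSED server the resolver stops on UDP with rcode 5 and no data, so any ANY-dependent client fails unless its resolver is patched to force TCP; against the TC=1 server the same unmodified resolver retries over TCP and gets the answer.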