[dns-operations] DNS ANY requests / UltraDNS
Mark Andrews
marka at isc.org
Thu Jan 10 08:05:02 UTC 2013
Mark Andrews writes:
>
> In message <87hampzf4z.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> > * Mark Andrews:
> >
> > > Instead of just causing everyone to hack their code to force TCP
> > > just return NOERROR, TC=1 and legitimate client will fallback to TCP
> > > without all the other side effects of this ill considered change.
> >
> > This will still break things because prior to the change, large
> > authoritative ANY responses are truncated without setting TC=1. After
> > the change, large ANY responses enter the cache and trigger TC=1
> > responses to stub resolvers (recursors do not silently truncate ANY
> > responses, it seems), which may not be prepared to accept such large
> > responses (or even fall back to TCP).
>
> Such stubs are already broken. TC=1 has always been an expected result.
>
> > Some breakage is unavoidable. Considering that ANY queries rarely
> > give the results expected by the sender, refusing them outright makes
> > sense to me.
>
> So now recursive servers need to try all the authoritative servers,
> trying to find a non-broken server. Then they will return SERVFAIL
> to the clients, which you hope will do something sensible with the
> SERVFAIL response.
>
> This is a DoS attack on the recursive resolvers. STOP IT.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
Additionally, the inevitable response will be to code around the problem.
I really don't want to have to commit the following.
Mark
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 0b30a8c..6cfe6ee 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6984,6 +6984,14 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
if ((message->flags & DNS_MESSAGEFLAG_TC) != 0)
truncated = ISC_TRUE;
+ /*
+ * Treat ULTRADNS REFUSED/ANY/UDP as TC=1.
+ */
+ if (message->rcode == dns_rcode_refused &&
+ (options & DNS_FETCHOPT_TCP) == 0 &&
+ fctx->type == dns_rdatatype_any)
+ truncated = ISC_TRUE;
+
if (truncated) {
inc_stats(fctx->res, dns_resstatscounter_truncated);
if ((options & DNS_FETCHOPT_TCP) != 0) {
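Review bot: the new check is not specific to UltraDNS despite the comment, and it folds the REFUSED case into the truncation path: any server that answers REFUSED to an ANY fetch over UDP, for whatever reason, now gets `truncated = ISC_TRUE`, which both retries over TCP and bumps `dns_resstatscounter_truncated` in the `if (truncated)` block below. Consider either a dedicated counter for this case or a comment stating that REFUSED/ANY/UDP answers are deliberately counted as truncation, and expand the comment to say why REFUSED is being reinterpreted (the reasoning in the mail body belongs in the code, since the next reader of resolver.c will not have the thread). The `(options & DNS_FETCHOPT_TCP) == 0` guard correctly prevents a REFUSED answer over TCP from being retried again.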
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
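To make the two behaviours discussed in this thread concrete, here is an added example (not code from this thread, BIND or ISC) that builds real DNS wire-format messages and plays out the exchange between a resolver and an authoritative server for an ANY query. The server can either answer a UDP ANY query with REFUSED (the behaviour the thread complains about) or with NOERROR and TC=1 (the alternative Mark suggests). The resolver side implements only standard behaviour: a TC=1 answer triggers a retry over TCP, while REFUSED is not a truncation signal and the lookup fails. The zone name `example.test.`, its records, the transport is simulated in-process, and the policy labels `refuse` and `truncate` are all constructed for the example.

```python
import struct

# DNS header flag bits and rcodes (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000   # message is a response
FLAG_AA = 0x0400   # authoritative answer
FLAG_TC = 0x0200   # truncated: the client must retry over TCP
FLAG_RD = 0x0100   # recursion desired
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_REFUSED = 0, 5
QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255
QCLASS_IN = 1

# Constructed sample zone data (assumption, not real records).
_TXT = b"v=spf1 -all"
ZONE = {
    "example.test.": [
        (QTYPE_A, bytes([192, 0, 2, 1])),          # 192.0.2.1
        (QTYPE_TXT, bytes([len(_TXT)]) + _TXT),    # one <character-string>
    ],
}

def encode_name(name):
    """'example.test.' -> b'\\x07example\\x04test\\x00' (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg, off):
    """Decode an uncompressed name starting at msg[off]; return (name, new offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def build_query(qid, name, qtype):
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def parse_message(msg):
    """Header plus first question; enough for the exchange simulated here."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": qid, "flags": flags, "rcode": flags & RCODE_MASK,
            "qname": qname, "qtype": qtype, "ancount": an,
            "question_end": off + 4}

def answer_types(msg):
    """Return the RR types in the answer section, in order."""
    h = parse_message(msg)
    off, types = h["question_end"], []
    for _ in range(h["ancount"]):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return tuple(types)

def build_rr(name, rtype, rdata, ttl=300):
    return encode_name(name) + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata

def authoritative_respond(query, transport, any_policy):
    """Authoritative server. any_policy: 'refuse' answers a UDP ANY query with
    REFUSED; 'truncate' answers it with NOERROR, TC=1 and an empty answer so a
    conforming client retries over TCP. Everything else gets a full answer."""
    q = parse_message(query)
    question = query[12:q["question_end"]]
    flags = FLAG_QR | FLAG_AA
    rrs = ZONE.get(q["qname"], [])
    if q["qtype"] != QTYPE_ANY:
        rrs = [r for r in rrs if r[0] == q["qtype"]]
    if q["qtype"] == QTYPE_ANY and transport == "udp":
        if any_policy == "refuse":
            return struct.pack("!HHHHHH", q["id"], flags | RCODE_REFUSED, 1, 0, 0, 0) + question
        return struct.pack("!HHHHHH", q["id"], flags | FLAG_TC, 1, 0, 0, 0) + question
    answer = b"".join(build_rr(q["qname"], t, d) for t, d in rrs)
    return struct.pack("!HHHHHH", q["id"], flags, 1, len(rrs), 0, 0) + question + answer

def resolve(name, qtype, any_policy, qid=0x1234):
    """Standards-conformant resolver: try UDP, retry over TCP only on TC=1.
    REFUSED is not a truncation signal, so the lookup ends in SERVFAIL.
    Returns (status, transcript) where transcript lists
    (transport, rcode, tc, answer_types) for every exchange."""
    transcript = []
    for transport in ("udp", "tcp"):
        resp = authoritative_respond(build_query(qid, name, qtype), transport, any_policy)
        r = parse_message(resp)
        transcript.append((transport, r["rcode"], bool(r["flags"] & FLAG_TC), answer_types(resp)))
        if r["id"] != qid or r["rcode"] != RCODE_NOERROR:
            return "SERVFAIL", transcript
        if r["flags"] & FLAG_TC:
            continue
        return "NOERROR", transcript
    return "SERVFAIL", transcript

if __name__ == "__main__":
    for policy in ("truncate", "refuse"):
        print(policy, resolve("example.test.", QTYPE_ANY, policy))
```

With `truncate` the transcript shows the UDP answer carrying TC=1 and no records, followed by the full A and TXT set over TCP; with `refuse` the resolver gets REFUSED, has no standards-based reason to switch transport, and returns SERVFAIL, which is the failure mode described in the thread. Ordinary A queries are unaffected by either policy.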