[dns-operations] A denial of server catastrophe waiting to happen ...

Mark Andrews marka at isc.org
Fri Dec 9 01:39:09 UTC 2016


Microsoft's DNS servers return NOERROR NODATA to EDNS(1) queries
rather than perform EDNS version negotiation or even return the
requested data.  The one godsend is that the EDNS version field is
less than the requested EDNS version, so a careful resolver can
detect this garbage response and toss it.  If the rcode were BADVERS
then this would be correct.

Did we really do such a bad job of specifying EDNS version negotiation,
or are Microsoft's developers and QA department just plain incompetent?

Mark

% dig www.activateacard.com.au @ns2-06.azure-dns.net +norec

; <<>> DiG 9.11.0 <<>> www.activateacard.com.au @ns2-06.azure-dns.net +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4665
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 5083e3fb75b0d3c8 (echoed)
;; QUESTION SECTION:
;www.activateacard.com.au.	IN	A

;; ANSWER SECTION:
www.activateacard.com.au. 3600	IN	A	119.9.58.46

;; Query time: 162 msec
;; SERVER: 64.4.48.6#53(64.4.48.6)
;; WHEN: Fri Dec 09 12:21:07 EST 2016
;; MSG SIZE  rcvd: 81

% dig www.activateacard.com.au @ns2-06.azure-dns.net +norec +edns=1

; <<>> DiG 9.11.0 <<>> www.activateacard.com.au @ns2-06.azure-dns.net +norec +edns=1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37273
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.activateacard.com.au.	IN	A

;; Query time: 18 msec
;; SERVER: 64.4.48.6#53(64.4.48.6)
;; WHEN: Fri Dec 09 12:21:14 EST 2016
;; MSG SIZE  rcvd: 53

% 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: marka at isc.org
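The resolver-side check Mark describes, as an added example that is not part of his message or of any ISC code: a minimal DNS wire-format builder and parser in Python that reads the OPT record of a response and compares its EDNS version and extended rcode against the version the resolver asked for. The two responses it is exercised with are constructed to mirror the dig transcripts above (NOERROR with no answer and EDNS version 0 to an EDNS(1) query; a normal answer to an EDNS(0) query), plus a constructed BADVERS reply as a conforming server would send; the message layout, query id and sample data are assumptions for the example.

```python
import struct

OPT_TYPE = 41
BADVERS = 16  # extended rcode 1, base rcode 0 (RFC 6891)


def _encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return off + 2
        off += 1 + length


def build_message(qid, flags, qname, edns_version, ext_rcode=0,
                  udpsize=4000, answer_ip=None):
    """Constructed response: one A question, optional A answer, one OPT RR."""
    ancount = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 1)
    msg += _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if answer_ip:
        # Owner name is a pointer to the question name at offset 12.
        rdata = bytes(int(x) for x in answer_ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata
    # OPT RR: root owner name, CLASS carries the UDP size, TTL packs
    # extended-rcode (high byte) and EDNS version (next byte).
    opt_ttl = (ext_rcode << 24) | (edns_version << 16)
    msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udpsize, opt_ttl, 0)
    return msg


def parse_response(msg):
    """Return (base rcode, ANCOUNT, opt) where opt is
    (ext_rcode, edns_version, udpsize) or None if no OPT RR is present."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    opt = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            opt = (ttl >> 24, (ttl >> 16) & 0xFF, rclass)
        off += rdlen
    return flags & 0xF, an, opt


def check_edns_response(query_version, msg):
    """Classify a response to a query sent with EDNS version query_version.

    'accept'   - usable answer at the negotiated version
    'badvers'  - proper version negotiation: retry at the advertised version
    'discard'  - OPT version is below what we asked for but rcode is not
                 BADVERS, i.e. the bogus NOERROR/NODATA reply in the thread
    'no-opt'   - server dropped EDNS entirely (treat as a plain DNS reply)
    """
    rcode, _ancount, opt = parse_response(msg)
    if opt is None:
        return "no-opt"
    ext_rcode, version, _udpsize = opt
    if (ext_rcode << 4) | rcode == BADVERS:
        return "badvers"
    if version < query_version:
        return "discard"
    return "accept"


# Constructed messages modelled on the two dig transcripts above.
NAME = "www.activateacard.com.au"
EDNS0_ANSWER = build_message(4665, 0x8400, NAME, 0, answer_ip="119.9.58.46")
EDNS1_NODATA = build_message(37273, 0x8000, NAME, 0)           # the bogus reply
EDNS1_BADVERS = build_message(37273, 0x8000, NAME, 0, ext_rcode=1)  # conforming reply

if __name__ == "__main__":
    print("EDNS(0) query, answer  :", check_edns_response(0, EDNS0_ANSWER))
    print("EDNS(1) query, NODATA  :", check_edns_response(1, EDNS1_NODATA))
    print("EDNS(1) query, BADVERS :", check_edns_response(1, EDNS1_BADVERS))
```

The decision hinges on the pair (extended rcode, version) in the OPT TTL field: a BADVERS reply also carries version 0, which is why the rcode has to be consulted before the version comparison, and why the version mismatch alone is what lets a resolver reject the NOERROR/NODATA reply instead of caching an empty answer.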
