[dns-operations] A denial of server catastrophy waiting to happen ...

Mark Andrews marka at isc.org
Thu Dec 15 00:39:43 UTC 2016


In message <CY1PR0301MB0843CDECD8229D9C72E6FBFCFD9A0 at CY1PR0301MB0843.namprd03.prod.outlook.com>, Jeff Westhead writes:
>
> Thanks for pointing that out, Mark. I will look into it. We should be
> returning BADVERS here but we are not.

Thanks.

Can you also get the servers to stop echoing back unknown EDNS
options?  Bing.com and Azure servers would then need to be upgraded.

nsX.msft.net servers are also non-compliant, returning FORMERR to
EDNS(1) and unknown EDNS options.  Fixing these will fix the main
site for Microsoft.

Mark
 
> -----Original Message-----
> From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf Of Mark Andrews
> Sent: Thursday, December 8, 2016 5:39 PM
> To: dns-operations at dns-oarc.net
> Subject: [dns-operations] A denial of server catastrophy waiting to happen ...
> 
> 
> Microsoft's DNS servers return NOERROR NODATA to EDNS(1) queries rather
> than perform EDNS version negotiation or even return the requested data.
> The one godsend is that the EDNS version field is less than the requested
> EDNS version so a careful resolver can detect this garbage response and
> toss it.  If the rcode was BADVERS then this would be correct.
> 
> Did we really do such a bad job of specifying EDNS version negotiation or
> are Microsoft's developers and QA department just plain incompetent?
> 
> Mark
> 
> % dig www.activateacard.com.au @ns2-06.azure-dns.net +norec
> 
> ; <<>> DiG 9.11.0 <<>> www.activateacard.com.au @ns2-06.azure-dns.net +norec
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4665
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ; COOKIE: 5083e3fb75b0d3c8 (echoed)
> ;; QUESTION SECTION:
> ;www.activateacard.com.au.	IN	A
> 
> ;; ANSWER SECTION:
> www.activateacard.com.au. 3600	IN	A	119.9.58.46
> 
> ;; Query time: 162 msec
> ;; SERVER: 64.4.48.6#53(64.4.48.6)
> ;; WHEN: Fri Dec 09 12:21:07 EST 2016
> ;; MSG SIZE  rcvd: 81
> 
> % dig www.activateacard.com.au @ns2-06.azure-dns.net +norec +edns=1
> 
> ; <<>> DiG 9.11.0 <<>> www.activateacard.com.au @ns2-06.azure-dns.net +norec +edns=1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37273
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;www.activateacard.com.au.	IN	A
> 
> ;; Query time: 18 msec
> ;; SERVER: 64.4.48.6#53(64.4.48.6)
> ;; WHEN: Fri Dec 09 12:21:14 EST 2016
> ;; MSG SIZE  rcvd: 53
> 
> %
> 
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE:	+61 2 9871 4742		         INTERNET: marka at isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
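
The resolver-side checks discussed in this thread (version lowered without BADVERS, FORMERR in place of negotiation, unknown options echoed back), as an added example that is not part of the original messages or of any ISC or Microsoft code. The names `parse_edns`, `check_reply`, `build_reply` and `probe_codes` are hypothetical, the sample replies are constructed, and the FORMERR check assumes the server is already known to answer EDNS(0).

```python
import struct
BADVERS, FORMERR, OPT = 16, 1, 41

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_edns(msg):
    """Return (full_rcode, edns_version or None, [option codes]) from a DNS reply."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg)
    off, rcode, version, codes = 12, flags & 0xF, None, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == OPT:  # TTL field = ext-rcode(8) | version(8) | flags(16)
            rcode |= (ttl >> 24) << 4
            version = (ttl >> 16) & 0xFF
            p = off
            while p < off + rdlen:
                code, olen = struct.unpack_from("!HH", msg, p)
                codes.append(code)
                p += 4 + olen
        off += rdlen
    return rcode, version, codes

def check_reply(msg, sent_version, probe_codes=()):
    """List compliance problems in a reply to an EDNS(sent_version) query."""
    rcode, version, codes = parse_edns(msg)
    problems = []
    if rcode == FORMERR:
        problems.append("FORMERR returned instead of EDNS negotiation")
    elif version is not None and version < sent_version and rcode != BADVERS:
        problems.append("lower EDNS version without BADVERS: discard response")
    if any(c in probe_codes for c in codes):
        problems.append("unknown EDNS option echoed back")
    return problems

def build_reply(rcode, version, options=()):
    # Constructed sample: header, question example.com/IN/A, then a lone OPT record.
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    ttl = ((rcode >> 4) << 24) | (version << 16)
    head = struct.pack("!6H", 0x1234, 0x8000 | (rcode & 0xF), 1, 0, 0, 1)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    return head + question + b"\x00" + struct.pack("!HHIH", OPT, 4000, ttl, len(rdata)) + rdata
```

`check_reply(build_reply(0, 0), sent_version=1)` models the NOERROR reply with EDNS version 0 shown in the second dig run above; `build_reply(16, 0)` models the BADVERS reply the thread says should have been sent.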
