[dns-operations] A denial of server catastrophe waiting to happen ...

Jeff Westhead Jeff.Westhead at microsoft.com
Wed Dec 14 20:24:59 UTC 2016


Thanks for pointing that out, Mark. I will look into it. We should be returning BADVERS here but we are not.

-----Original Message-----
From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf Of Mark Andrews
Sent: Thursday, December 8, 2016 5:39 PM
To: dns-operations at dns-oarc.net
Subject: [dns-operations] A denial of server catastrophe waiting to happen ...


Microsoft's DNS servers return NOERROR NODATA to EDNS(1) queries rather than perform EDNS version negotiation or even return the requested data.  The one godsend is that the EDNS version field is less than the requested EDNS version so a careful resolver can detect this garbage response and toss it.  If the rcode was BADVERS then this would be correct.

Did we really do such a bad job of specifying EDNS version negotiation or are Microsoft's developers and QA department just plain incompetent?

Mark

% dig www.activateacard.com.au @ns2-06.azure-dns.net +norec

; <<>> DiG 9.11.0 <<>> www.activateacard.com.au @ns2-06.azure-dns.net +norec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4665
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 5083e3fb75b0d3c8 (echoed)
;; QUESTION SECTION:
;www.activateacard.com.au.	IN	A

;; ANSWER SECTION:
www.activateacard.com.au. 3600	IN	A	119.9.58.46

;; Query time: 162 msec
;; SERVER: 64.4.48.6#53(64.4.48.6)
;; WHEN: Fri Dec 09 12:21:07 EST 2016
;; MSG SIZE  rcvd: 81

% dig www.activateacard.com.au @ns2-06.azure-dns.net +norec +edns=1

; <<>> DiG 9.11.0 <<>> www.activateacard.com.au @ns2-06.azure-dns.net +norec +edns=1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37273
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.activateacard.com.au.	IN	A

;; Query time: 18 msec
;; SERVER: 64.4.48.6#53(64.4.48.6)
;; WHEN: Fri Dec 09 12:21:14 EST 2016
;; MSG SIZE  rcvd: 53

% 

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: marka at isc.org
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
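
The resolver-side check described in the quoted message (a response whose EDNS version is lower than the one requested is only valid when its rcode is BADVERS), as an added example that is not part of the original thread. The function names, the `www.example.com` query name and the two response messages are constructed for illustration.

```python
import struct

BADVERS = 16  # extended RCODE used for EDNS version negotiation (RFC 6891)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def edns_info(msg):
    """Return (full_rcode, edns_version); version is None when no OPT is present."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    rcode, version = flags & 0xF, None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:  # OPT: TTL field = ext-rcode(8) | version(8) | flags(16)
            rcode |= (ttl >> 24) << 4
            version = (ttl >> 16) & 0xFF
    return rcode, version

def classify(msg, requested_version):
    """Decide what a careful resolver does with a reply to an EDNS(n) query."""
    rcode, version = edns_info(msg)
    if version is None:
        return "no-edns"
    if version < requested_version:
        # A lower version is only legitimate as a BADVERS negotiation reply.
        return "negotiate-down" if rcode == BADVERS else "discard"
    return "ok"

def build(name, ext_rcode, version):
    """Constructed sample: QR=1 reply, one question, empty answer, one OPT."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    opt = b"\0" + struct.pack("!HHIH", 41, 4000, (ext_rcode << 24) | (version << 16), 0)
    return struct.pack("!6H", 0x1234, 0x8000, 1, 0, 0, 1) + q + struct.pack("!HH", 1, 1) + opt

observed = build("www.example.com", 0, 0)   # NOERROR, version 0, as in the second dig
compliant = build("www.example.com", 1, 0)  # ext-rcode 1 -> full rcode 16 (BADVERS)
print(classify(observed, 1), classify(compliant, 1))
```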