[dns-operations] DNS error reporting

Shane Kerr shane at time-travellers.org
Fri Feb 12 14:35:49 UTC 2016


George,

At 2016-02-12 11:43:23 +0000
George Ross <gdmr at inf.ed.ac.uk> wrote:

> > Can we invent something which is structured enough so the end node can
> > translate the message for the user? Or even advise what might be wrong?  
> 
> Can we invent something where the error response is smaller than, or at
> least not much bigger than, the original request?  It would be as well not
> to provide another DDoS amplifier.

Since the question is copied back in the answer to a DNS query, this is
tricky. :)

The only way I can see to do this is by padding the query packet so
that the response is never bigger than the query.

This results in three unpleasant alternatives though:

1. If the stub resolvers gets a SERVFAIL then re-send the query asking
   for an error, with padding, and hope that you see the exact same
   error again.

2. Or, the recursive resolver can send an error ID to the client, which
   the client can then use to get the full error information by using a
   special query with padding.

3. The stub resolver can pad *every* query.

Option 3 is probably the easiest, and maybe not so bad in these days of
no-copy packet processing?

Option 2 is arguably the "best", except that now a recursive resolver
has yet more state to track. Maybe that doesn't matter, although it may
be troublesome if the error involves memory problems that mean that it
can't add any more state.

Option 1 is nondeterministic. It also means more packets on the wire at
the exact time when the system is under stress. :(

Cheers,

--
Shane



More information about the dns-operations mailing list