dns at fl1ger.de
Thu Jan 21 13:15:16 UTC 2021
On 21 Jan 2021, at 13:48, Yasuhiro Orange Morishita / 森下泰宏 wrote:
> I know that section 6 of RFC 5452 describes 'in-domain checking'
> for full-service resolvers, but I can't find any RFCs describing the
> same checking for DNS forwarders...
The DNS forwarders term didn’t appear in an RFC before 7719, so I guess
there is no such description.
> Moreover, the whitepaper describes this as follows:
> "We acknowledge that this is not a vulnerability per se, and
> moreover is reasonable behavior, though it magnifies the attack and
> similar types of attacks."
> Isn't it really a vulnerability?
I agree for a real DNS forwarder (aka proper resolver acting as a
forwarder), but for a DNS proxy there really is no other option than
to give the packet back to the client (stub resolver) and let it deal