[dns-operations] dnspooq

Ralf Weber dns at fl1ger.de
Thu Jan 21 13:15:16 UTC 2021


On 21 Jan 2021, at 13:48, Yasuhiro Orange Morishita / 森下泰宏 wrote:
> I know that section 6 of RFC 5452 describes 'in-domain checking'
> for full-service resolvers, but I can't find any RFCs describing the
> same checking for DNS forwarders...
The DNS forwarders term didn’t appear in an RFC before 7719, so I guess
there is no such description.

> Moreover, the whitepaper describes this as follows:
>   "We acknowledge that this is not a vulnerability per se, and
>   moreover is reasonable behavior, though it magnifies the attack and
>   similar types of attacks."
> Isn't it really a vulnerability?
I agree for a real DNS forwarder (aka proper resolver acting as a
forwarder), but for a DNS proxy there really is no other option than
to give the packet back to the client (stub resolver) and let it deal
with it.

So long
Ralf Weber
