[dns-operations] dnspooq

Ralf Weber dns at fl1ger.de
Thu Jan 21 13:15:16 UTC 2021


Moin!

On 21 Jan 2021, at 13:48, Yasuhiro Orange Morishita / 森下泰宏 wrote:
> I know that section 6 of RFC 5452 describes 'in-domain checking'
> for full-service resolvers, but I can't find any RFCs describing the
> same checking for DNS forwarders...
The DNS forwarders term didn’t appear in an RFC before 7719, so I guess
there is no such description.

> Moreover, the whitepaper describes this as follows:
>
>   "We acknowledge that this is not a vulnerability per se, and
>   moreover is reasonable behavior, though it magnifies the attack and
>   similar types of attacks."
>
> Isn't it really a vulnerability?
I agree for a real DNS forwarder (aka proper resolver acting as a
forwarder), but for a DNS proxy there really is no other option than
to give the packet back to the client (stub resolver) and let it deal
with it.

So long
-Ralf
——-
Ralf Weber
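The in-domain (bailiwick) check of RFC 5452 section 6 that the thread refers to, as an added example that is not part of the original post. It shows the difference the reply is drawing: a resolver that knows which zone the answering server is authoritative for can drop out-of-domain records, while a plain proxy has no such context and hands everything back to the stub. The record class, the zone label and the response below are constructed for illustration, not taken from any real implementation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """Minimal resource record: owner name, type and presentation-form data."""
    name: str
    rtype: str
    rdata: str


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is below it.

    Compared label by label (case-insensitive, trailing dot ignored), so
    'notexample.com' is correctly NOT in the bailiwick of 'example.com'.
    """
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def resolver_filter(rrs: list[RR], zone: str) -> list[RR]:
    """Resolver behaviour per RFC 5452 s.6: keep only records that are
    in-domain of the zone the queried server is authoritative for
    (`zone` is assumed to be known from the delegation being followed)."""
    return [rr for rr in rrs if in_bailiwick(rr.name, zone)]


def proxy_passthrough(rrs: list[RR]) -> list[RR]:
    """A DNS proxy has no delegation context, so every record in the
    upstream reply reaches the stub resolver unchanged."""
    return list(rrs)


# Constructed reply to a query for www.example.com sent to an example.com
# authoritative server; the last record is outside that zone.
RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10"),
    RR("example.com.", "NS", "ns1.example.com."),
    RR("ns1.example.com.", "A", "192.0.2.53"),
    RR("www.other.test.", "A", "192.0.2.99"),
]

if __name__ == "__main__":
    print("resolver keeps:", resolver_filter(RESPONSE, "example.com"))
    print("proxy returns :", proxy_passthrough(RESPONSE))
```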
