[dns-operations] dnspooq

Yasuhiro Orange Morishita / 森下泰宏 yasuhiro at jprs.co.jp
Mon Jan 25 11:49:55 UTC 2021


Ralph-san,

> The DNS forwarders term didn’t appear in an RFC before 7719, so I guess
> there is no such description.

As described in RFC 8499, "forwarder" first appeared and was defined
in RFC 2308, but there it describes "a nameserver used to resolve queries
instead of directly using the authoritative nameserver chain".

Anyway, I agree that there is no such description of the behavior of DNS
forwarders.

-- Orange

From: "Ralf Weber" <dns at fl1ger.de>
Subject: Re: [dns-operations] dnspooq
Date: Thu, 21 Jan 2021 14:15:16 +0100

> Moin!
> 
> On 21 Jan 2021, at 13:48, Yasuhiro Orange Morishita / 森下泰宏 wrote:
>> I know that section 6 of RFC 5452 describes 'in-domain checking'
>> for full-service resolvers, but I can't find any RFCs describing the
>> same checking for DNS forwarders...
> The DNS forwarders term didn’t appear in an RFC before 7719, so I guess
> there is no such description.
> 
>> Moreover, the whitepaper describes this as follows:
>>
>>   "We acknowledge that this is not a vulnerability per se, and
>>   moreover is reasonable behavior, though it magnifies the attack and
>>   similar types of attacks."
>>
>> Isn't it really a vulnerability?
> I agree for a real DNS forwarder (aka proper resolver acting as a
> forwarder), but for a DNS proxy there really is no other option then
> to give the packet back to the client (stub resolver) and let it deal
> with it.
> 
> So long
> -Ralf
> --
> Ralf Weber
> 
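The thread above refers to the in-domain ("bailiwick") checking that section 6 of RFC 5452 describes for full-service resolvers: a resolver should only accept and cache records whose owner name lies within the zone for which the answering server is responsible, so that a single response cannot plant unrelated names in the cache. The following is an added illustration written for this archive page, not code from dnsmasq, from the DNSpooq paper or from either poster. It assumes a simplified model in which the bailiwick is known as a zone name and a response has already been parsed into records; the sample response is constructed for the example and uses documentation address ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record from a parsed DNS response (constructed model)."""
    name: str      # owner name, e.g. "www.example.net."
    rtype: str     # record type, e.g. "A" or "NS"
    rdata: str     # record data as text
    section: str   # "answer", "authority" or "additional"


def _labels(name: str) -> list[str]:
    # Split a domain name into lower-cased labels; "." and "" become [].
    return [label for label in name.lower().rstrip(".").split(".") if label]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it.

    The comparison is label-wise, so "notexample.net." is NOT inside
    "example.net." even though it ends with the same characters.
    """
    n, z = _labels(name), _labels(zone)
    if not z:              # root zone: every name is in-domain
        return True
    return len(n) >= len(z) and n[-len(z):] == z


def filter_response(records: list[RR], bailiwick: str) -> tuple[list[RR], list[RR]]:
    """Apply the RFC 5452 section 6 in-domain check to a parsed response.

    Returns (kept, dropped): records inside the bailiwick of the server that
    answered are kept; out-of-bailiwick records are dropped rather than cached.
    """
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, bailiwick) else dropped).append(rr)
    return kept, dropped


# Constructed sample: a reply to "www.example.net. A" from a server whose
# bailiwick is "example.net.". Two additional-section records fall outside it.
BAILIWICK = "example.net."
SAMPLE_RESPONSE = [
    RR("www.example.net.", "A", "192.0.2.10", "answer"),
    RR("example.net.", "NS", "ns.example.net.", "authority"),
    RR("ns.example.net.", "A", "192.0.2.1", "additional"),
    RR("ns.example.org.", "A", "198.51.100.99", "additional"),   # different zone
    RR("notexample.net.", "A", "198.51.100.7", "additional"),    # suffix look-alike
]


def demo() -> tuple[list[str], list[str]]:
    """Run the check over the sample and return the kept and dropped owner names."""
    kept, dropped = filter_response(SAMPLE_RESPONSE, BAILIWICK)
    return [rr.name for rr in kept], [rr.name for rr in dropped]


if __name__ == "__main__":
    kept_names, dropped_names = demo()
    print("cached:", kept_names)
    print("rejected (out of bailiwick):", dropped_names)
```

A caching forwarder that applied the same filter before storing records from an upstream answer would gain the RFC 5452 protection that the thread notes is only specified for full-service resolvers; a pure proxy that hands the whole packet back to the stub, as Ralf describes, has no cache to protect and leaves the decision to the client.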