[dns-operations] [DNSOP] bind fails to continue recursing on one specific query

jmurray at pdknox.org jmurray at pdknox.org
Wed Mar 29 12:57:51 UTC 2023


* Viktor Dukhovni <ietf-dane at dukhovni.org> [230328 00:05]:
> The queries for "_.extglb.tn.gov. IN A ?" in your PCAP are a novelty to
> me.  Are these some form of query minimisation, or some sort of sanity
> check of the delegation?  Sadly, the "tn.gov" nameserver just drops
> these without responding, so their failure could well contribute to the
> problems you observe.

A little more info here. My informant was cagey, but I think I understand that they are providing a whitelist of extant domains and their upstream is using that to filter queries as a mitigation measure. "Scrubbing terabytes of malicious traffic" was mentioned.

Having found this,

https://gitlab.isc.org/isc-projects/bind9/-/issues/3331

though I can't access the ticket mentioned, I was inspired to try finding the zone cuts on tn.gov using NS queries; none of my queries were dropped as those with underscore labels were.

Take it with a grain of salt as I really have no idea what I'm doing, but if this is a common anti-DDoS technique then maybe this goes on the NS side of the QNAME minimization balance.



