[dns-operations] [DNSOP] bind fails to continue recursing on one specific query
jmurray at pdknox.org
Wed Mar 29 12:57:51 UTC 2023
* Viktor Dukhovni <ietf-dane at dukhovni.org> [230328 00:05]:
> The queries for "_.extglb.tn.gov. IN A ?" in your PCAP are a novelty to
> me. Are these some form of query minimisation, or some sort of sanity
> check of the delegation? Sadly, the "tn.gov" nameserver just drops
> these without responding, so their failure could well contribute to the
> problems you observe.
A little more info here. My informant was cagey, but I think I understand that they are providing a whitelist of extant domains and their upstream is using that to filter queries as a mitigation measure. "Scrubbing terabytes of malicious traffic" was mentioned.
Having found this,
https://gitlab.isc.org/isc-projects/bind9/-/issues/3331
though I can't access the ticket mentioned, I was inspired to try finding the zone cuts on tn.gov using NS queries; none of my queries were dropped as those with underscore labels were.
Take it with a grain of salt as I really have no idea what I'm doing, but if this is a common anti-DDoS technique then maybe this goes on the NS side of the qname minimization balance.