[dns-operations] Spurious NXDOMAIN response from a DNS hosting provider
Emmanuel Fusté
manu.fuste at gmail.com
Thu Apr 3 13:18:10 UTC 2025
Hello,
I'm facing a very disturbing DNS behavior from a DNS hosting provider (a
big LoadBalancer maker).
I have a strong opinion about it, but before reporting to my client, I
would like to get the opinions/arguments of the experts present on this list,
as you can never be careful enough and should always approach things
with humility.
Months ago I noticed some spurious NXDOMAIN responses from the authoritative
servers of one of my customers.
It could even occur on the A or SOA record of the zone apex and was hard
to reproduce.
We ended up with a test of 200 UDP requests in a row on the A record of the
zone apex, which at some times of the day triggers some NXDOMAIN answers, but not
the rest of the time.
We suspected a configuration issue, a race condition in the automated
maintenance of zone data, server deployments, etc.
This took months (almost a year) and the exchange of numerous
request/response logs on our end with the provider, which indicated that
some fix/tuning was made (unsuccessfully), to finally get a definite answer:
"A user is making multiple requests to a non-existing DNS domain. This
behavior triggers a DDoS protection mechanism, which blocks the user's
IP address.
As a result, requests from the blocked IP return NXDOMAIN on existing
records"
Clarification about "non-existing DNS domain": we do queries which end up
with an authoritative NXDOMAIN. We do not do DNS queries for which the
offending DNS server is not authoritative.
My opinion is:
- They break all DNS protocol promises, presenting an "alternate" reality
based on query rate
- They talk about DDoS protection. But there is nothing "distributed"
about one IP
- It is not even a DoS protection mechanism, as the server continues to
answer NXDOMAIN at full rate
- There is no rationale behind returning NXDOMAIN
- It appears that no query rate limiting of any kind is implemented on
their side.
- IP-based query rate limiting/dropping is one of the core mechanisms
essential to any modern DNS implementation.
- DNS should never completely stop responding to one IP, just as it
should never arbitrarily alter the value of an answer.
I could be wrong and it's in fact a good behavior.
I could be right and there are even more standards/RFC compliance
arguments that could be leveraged against it.
Thank you.
Emmanuel.
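The consistency test described in the post (a burst of UDP queries for the apex A record, tallying the RCODEs that come back), as an added example that is not part of the original message: a pure-stdlib probe that builds the query, parses the response header, and flags a server that mixes NXDOMAIN with NOERROR for the same existing name. The server address and zone name are placeholders.

```python
import socket
import struct
from collections import Counter

# Added example: probe one authoritative server for an existing apex A record
# and check that its RCODE stays constant across a burst of queries.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, qid: int) -> bytes:
    """Build a plain UDP query (RD=0, no EDNS) for the A record of `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_reply(data: bytes):
    """Return (id, aa_bit, rcode_name) from the 4-byte DNS header prefix."""
    qid, flags = struct.unpack("!HH", data[:4])
    aa = bool(flags & 0x0400)          # Authoritative Answer bit
    rcode = flags & 0x000F
    return qid, aa, RCODES.get(rcode, f"RCODE{rcode}")

def tally(replies):
    """Count (aa, rcode) pairs; an existing name must never see both codes."""
    counts = Counter((aa, rc) for _, aa, rc in replies)
    rcodes = {rc for _, rc in counts}
    inconsistent = "NXDOMAIN" in rcodes and "NOERROR" in rcodes
    return counts, inconsistent

def probe(server: str, name: str, count: int = 200, timeout: float = 2.0):
    """Send `count` queries to server:53 and return the parsed replies."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for i in range(count):
            s.sendto(build_query(name, i), (server, 53))
            try:
                data, _ = s.recvfrom(512)
            except socket.timeout:
                continue                # dropped reply: counted as neither
            replies.append(parse_reply(data))
    return replies

if __name__ == "__main__":
    # Placeholder server and zone; replace with the authoritative server under test.
    counts, bad = tally(probe("192.0.2.53", "example.com"))
    for (aa, rc), n in sorted(counts.items()):
        print(f"aa={aa} {rc}: {n}")
    print("INCONSISTENT: NXDOMAIN and NOERROR for the same name" if bad else "consistent")
```

Replies that time out are not counted, so a server that silently drops under rate limiting shows up as fewer replies rather than as an RCODE change, which is the distinction the post draws.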