[dns-operations] Spurious NXDOMAIN response from a DNS hosting provider

Emmanuel Fusté manu.fuste at gmail.com
Thu Apr 3 13:18:10 UTC 2025 

Hello,

I'm facing a very disturbing DNS behavior from a DNS hosting provider (a 
big LoadBalancer maker).
I have strong opinion about it, but before reporting to my client, I 
would like to get the opinions/arguments of experts present on this list 
as you can never be careful enough and should always approach things 
with humility.

Months ago I noticed some spurious NXDOMAIN response from authoritative 
servers from one of my customer.
It even could occur on the A or SOA record of the zone apex and was hard 
to reproduce.
We end up with a test of 200 udp request in a row on the A record of the 
zone apex witch sometimes in the day trigger some NXDOMAIN answers, not 
the rest of time.
We suspected a configuration issue, a race condition in the automated 
maintenance of zone data, server deployments, etc.
This took months (almost a year) and exchange of numerous 
request/response logs on our end with the provider witch indicated that 
some fix/tuning was (unsuccessfully made) to finally get a definite answer:

"A user is making multiple requests to a non-existing DNS domain. This 
behavior triggers a DDoS protection mechanism, which blocks the user's 
IP address.
As a result, requests from the blocked IP return NXDOMAIN on existing 
records"

Clarification about "non-existing DNS domain": We do query which end up 
with an authoritative NXDOMAIN. We do not do DNS query for witch the 
offended DNS is not authoritative for.

My opinion is:
- They break all DNS protocol promises, presenting "alternate" reality 
based on query rate
- They talk about DDOS protection. But there is nothing "distributed" 
with one IP
- It is even not a DOS protection mechanism as the server continue to 
answer NXDOMAIN at full rate
- There is no rationale behind returning NXDOMAIN
- It appears that no query rate limiting of any kind is implemented on 
their side.

- IP based query rate limiting/drop is one of the core mechanism 
essential to any modern DNS implementation.
- DNS should never completely stop responding to one IP, just as it 
should never arbitrary alter the value of an answer.

I could be wrong and it's in fact a good behavior.
I could be right and there is even more standard/RFC compliance 
arguments that could be leveraged against.

Thank you.
Emmanuel.

More information about the dns-operations mailing list