Re: [dns-operations] Spurious NXDOMAIN response from a DNS hosting provider
Winfried
walists at mailbox.org
Thu Apr 3 14:01:39 UTC 2025
Hi,
Are you asking a resolver or the authority on the server itself when this happens? Someone might be more likely to help if you show us a real-world example (using dig) with the affected zone.
Winfried
On April 3, 2025 at 15:18:10 MESZ, "Emmanuel Fusté" <manu.fuste at gmail.com> wrote:
>Hello,
>
>I'm facing a very disturbing DNS behavior from a DNS hosting provider (a big load balancer maker).
>I have a strong opinion about it, but before reporting to my client, I would like to get the opinions/arguments of the experts present on this list, as you can never be careful enough and should always approach things with humility.
>
>Months ago I noticed some spurious NXDOMAIN responses from the authoritative servers of one of my customers.
>It could even occur on the A or SOA record of the zone apex and was hard to reproduce.
>We ended up with a test of 200 UDP requests in a row on the A record of the zone apex, which at some times of the day triggered some NXDOMAIN answers, but not the rest of the time.
>We suspected a configuration issue, a race condition in the automated maintenance of zone data, server deployments, etc.
>This took months (almost a year) and the exchange of numerous request/response logs on our end with the provider, which indicated that some fix/tuning was (unsuccessfully) made, to finally get a definite answer:
>
>"A user is making multiple requests to a non-existing DNS domain. This behavior triggers a DDoS protection mechanism, which blocks the user's IP address.
>As a result, requests from the blocked IP return NXDOMAIN on existing records"
>
>Clarification about "non-existing DNS domain": we do make queries which end up with an authoritative NXDOMAIN. We do not make DNS queries for which the offending DNS server is not authoritative.
>
>My opinion is:
>- They break all DNS protocol promises, presenting an "alternate" reality based on query rate
>- They talk about DDOS protection. But there is nothing "distributed" about one IP
>- It is not even a DOS protection mechanism, as the server continues to answer NXDOMAIN at full rate
>- There is no rationale behind returning NXDOMAIN
>- It appears that no query rate limiting of any kind is implemented on their side.
>
>- IP-based query rate limiting/dropping is one of the core mechanisms essential to any modern DNS implementation.
>- DNS should never completely stop responding to one IP, just as it should never arbitrarily alter the value of an answer.
>
>I could be wrong and it is in fact good behavior.
>I could be right and there are even more standard/RFC compliance arguments that could be leveraged against it.
>
>Thank you.
>Emmanuel.
>_______________________________________________
>dns-operations mailing list
>dns-operations at lists.dns-oarc.net
>https://lists.dns-oarc.net/mailman/listinfo/dns-operations
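As an added example (not code from either poster), here is a small probe that reproduces the burst test Emmanuel describes: it sends a run of back-to-back UDP queries for an apex A record straight to the authority with RD cleared, and tallies the RCODE together with the AA bit, so an authoritative NXDOMAIN for a name that is known to exist is distinguishable from a timeout, a REFUSED, or a stray reply. The server address and zone name are hypothetical placeholders; the packet builder and parser are stdlib-only so no resolver library is needed.

```python
import random
import socket
import struct
from collections import Counter

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS query: flags 0 (QR=0, RD=0: we are asking an authority, not a resolver)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_response(pkt: bytes, expect_id: int):
    """Return (rcode name, AA flag, ANCOUNT); raise ValueError on a short or mismatched reply."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expect_id:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    aa = bool(flags & 0x0400)
    return RCODES.get(rcode, str(rcode)), aa, an


def probe(server: str, name: str, count: int = 200, timeout: float = 2.0):
    """Send `count` queries in a row; tally (rcode, AA) pairs and note which
    query numbers came back NXDOMAIN, to correlate with any per-IP blocking claim."""
    tally, nxdomain_at = Counter(), []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    for i in range(count):
        txid = random.getrandbits(16)
        sock.sendto(build_query(name, 1, txid), (server, 53))
        try:
            pkt, _ = sock.recvfrom(4096)
            rcode, aa, _an = parse_response(pkt, txid)
        except socket.timeout:
            rcode, aa = "TIMEOUT", False
        except ValueError:  # late reply to an earlier query, or junk
            rcode, aa = "MISMATCH", False
        tally[(rcode, aa)] += 1
        if rcode == "NXDOMAIN":
            nxdomain_at.append(i)
    sock.close()
    return tally, nxdomain_at


if __name__ == "__main__":
    # Placeholders: replace with the affected zone's authoritative server and apex.
    print(probe("192.0.2.53", "zone.example."))
```

Run it at different times of day and compare the tallies: an `("NXDOMAIN", True)` entry for the apex name next to `("NOERROR", True)` entries in the same burst is exactly the inconsistent answer the thread is about, and the recorded query indices show whether it starts after a fixed number of queries.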