[nsd-users] Unexpected responses to ANY queries over TCP

Tuomo Soini tis at foobar.fi
Thu May 7 20:47:10 UTC 2020


On Thu, 7 May 2020 22:26:58 +0200
Anand Buddhdev <anandb at ripe.net> wrote:

> Whether a resolver gets all these records from the authoritative
> server with a single ANY query, or by querying for the records
> individually, its response to a downstream client's ANY query will be
> the same. I can tell you with certainty that at least BIND behaves
> this way, because I have experimented and observed.

Sure. Named might work that way today. But the problem is all the dns
resolvers out there which are open. Not only latest named versions.

I haven't checked lately, but when I investigated these attacks,
hundreds of open dns servers queried any from authoritative dns. I can
only hope those are now updated to versions which refuse to answer to
any with udp - but can you guarantee that?

> Before you reply to this thread to tell me I'm wrong, please set up a 
> resolver or two, and test this yourself to understand it :)

I'm not saying what you say is wrong - but it is not complete story.
google dns might have fixed that issue now, I haven't checked that
lately either. Our authoritative dns serves were under attack for at
least two years and we were required to block ANY queries with firewall
because there was no way to disable any queries some years ago with
authoritative dns software.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>


More information about the nsd-users mailing list