[Unbound-users] reddit.com issue

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon Aug 25 13:36:03 UTC 2014

Hash: SHA1

Hi Dave,

On 08/25/2014 03:24 PM, Dave Duchscher wrote:
> On Aug 25, 2014, at 7:56 AM, Dave Duchscher <daved at nostrum.com>
> wrote:
>> On Aug 25, 2014, at 6:05 AM, Maciej Soltysiak
>> <maciej at soltysiak.com> wrote:
>>> On Mon, Aug 25, 2014 at 9:16 AM, W.C.A. Wijngaards
>>> <wouter at nlnetlabs.nl> wrote:
>>>> Yes.  The reddit servers (or likely, their load-balancers)
>>>> are not following the DNS specifications.  They are dropping
>>>> the query and they should be replying.  There was a draft at
>>>> the IETF even to mark this as harmful, but it did not
>>>> progress through the standards track, I believe.  If they
>>>> want to refuse the query for unclear reasons (what is wrong
>>>> with responding NXDOMAIN?) they could choose from nice error 
>>>> codes like SERVFAIL and FORMERR and REFUSED.
>>> Yup. I have a domain that goes through cloudflare. I just
>>> asked cloudflare NSes for a name with a colon and it behaves
>>> the same (drop) When I asked the parents, they answered.
>>> Cloudflare seems to do the same thing for their customers.
>>> If not FORMERR, they could've at least send ICMP
>>> administratively prohibited to mark that this particular comms
>>> is not ok with them. That would've made unbound record a
>>> failure.
>>> It's silly because in order to immunize your cache against this
>>> you would have to start your own filtering... That shouldn't be
>>> the point.
>> Not a customer of Cloudflare but their help system allows
>> outsiders to submit so I have submitted a help request for this
>> problem (172999). Maybe this is a bug.
> Cloudflare's response:
>> Hey there,
>> Because the DNS query "http://reddit.com" is technically not
>> valid (since DNS queries should not contain the protocol URI),
>> CloudFlare's DNS servers will not respond to them.
>> Since these kinds of invalid queries don't get this far in the
>> normal DNS system (since they get dropped at the root servers)
>> Let us know if you need any other help Thanks
> *sigh*

The root servers certainly respond.  I got a very neat referral to .com.

Well, they list "http://reddit.com" which is a dotCOM domain with a
colon in it, that stops somewhere at the .com servers.  And does not
reach CloudFlare, so they are right about that one.

But the trouble is with "http://www.reddit.com" because the DNS
servers for 'reddit.com' do not respond for it.

Best regards,

Version: GnuPG v1


More information about the Unbound-users mailing list