[Unbound-users] reddit.com issue
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Mon Aug 25 13:36:03 UTC 2014
Hi Dave,
On 08/25/2014 03:24 PM, Dave Duchscher wrote:
> On Aug 25, 2014, at 7:56 AM, Dave Duchscher <daved at nostrum.com>
> wrote:
>
>> On Aug 25, 2014, at 6:05 AM, Maciej Soltysiak
>> <maciej at soltysiak.com> wrote:
>>
>>> On Mon, Aug 25, 2014 at 9:16 AM, W.C.A. Wijngaards
>>> <wouter at nlnetlabs.nl> wrote:
>>>> Yes. The reddit servers (or likely, their load-balancers)
>>>> are not following the DNS specifications. They are dropping
>>>> the query and they should be replying. There was a draft at
>>>> the IETF even to mark this as harmful, but it did not
>>>> progress through the standards track, I believe. If they
>>>> want to refuse the query for unclear reasons (what is wrong
>>>> with responding NXDOMAIN?) they could choose from nice error
>>>> codes like SERVFAIL and FORMERR and REFUSED.
>>> Yup. I have a domain that goes through cloudflare. I just
>>> asked cloudflare NSes for a name with a colon and it behaves
>>> the same (drop). When I asked the parents, they answered.
>>>
>>> Cloudflare seems to do the same thing for their customers.
>>>
>>> If not FORMERR, they could've at least sent ICMP
>>> administratively prohibited to mark that this particular comms
>>> is not ok with them. That would've made unbound record a
>>> failure.
>>>
>>> It's silly because in order to immunize your cache against this
>>> you would have to start your own filtering... That shouldn't be
>>> the point.
>>
>> Not a customer of Cloudflare but their help system allows
>> outsiders to submit so I have submitted a help request for this
>> problem (172999). Maybe this is a bug.
>
> Cloudflare's response:
>
>> Hey there,
>>
>> Because the DNS query "http://reddit.com" is technically not
>> valid (since DNS queries should not contain the protocol URI),
>> CloudFlare's DNS servers will not respond to them.
>>
>> Since these kinds of invalid queries don't get this far in the
>> normal DNS system (since they get dropped at the root servers)
>>
>> Let us know if you need any other help. Thanks
>
>
> *sigh*
The root servers certainly respond. I got a very neat referral to .com.
Well, they list "http://reddit.com", which is a dotCOM domain with a
colon in it; that stops somewhere at the .com servers and does not
reach CloudFlare, so they are right about that one.
But the trouble is with "http://www.reddit.com", because the DNS
servers for 'reddit.com' do not respond for it.
Best regards,
Wouter
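The distinction the thread turns on (a server answering with an RCODE such as NXDOMAIN or FORMERR versus silently dropping the query, which a resolver can only see as a timeout) can be shown with a minimal wire-format query builder and response classifier. This is an added example, not code from the list or from Unbound; the transaction id and the response bytes are constructed, and the "http://www" label is only there to show that such a label is legal on the wire (RFC 1035 labels are arbitrary octets), so there is nothing invalid to drop.

```python
import struct

# RCODE values from RFC 1035 section 4.1.1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_qname(name: str) -> bytes:
    # Wire-format labels are length-prefixed octet strings; any octet is
    # allowed, so "http://www" is a legal (if odd-looking) label.
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    # Header: ID, flags (RD set), QDCOUNT=1, AN/NS/ARCOUNT=0, then one question (class IN).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def classify_response(query: bytes, response) -> str:
    """What a resolver learns from the server's reaction to `query`.

    `response` is the raw reply, or None when nothing came back before the
    timeout (the silent-drop case discussed in the thread)."""
    if response is None:
        return "DROPPED"      # indistinguishable from packet loss: resolver retries
    if len(response) < 12:
        return "MALFORMED"
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", query[:2])[0] or not (flags & 0x8000):
        return "MALFORMED"    # wrong ID or QR bit not set
    return RCODE_NAMES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")


def demo():
    q = build_query("http://www.reddit.com", txid=0x1234)
    # Constructed sample reply from a spec-following server: QR=1, RD, RA,
    # RCODE=3 (NXDOMAIN), question section echoed back.
    nxdomain = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + q[12:]
    return classify_response(q, nxdomain), classify_response(q, None)
```

`demo()` contrasts the two outcomes: the constructed NXDOMAIN reply is classified at once, while the dropped query yields only "DROPPED" after the resolver's timeout.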