Silently drop queries for AAAA records

Mark Andrews marka at isc.org
Wed Dec 15 00:36:48 UTC 2010


In message <OF3594834A.8808664D-ON862577F9.00718549-862577F9.0075B045 at notes.cat.com>, "David A. Evans" writes:
> bind-users-bounces+evans_david_a=cat.com at lists.isc.org wrote on 12/13/2010 
> 05:37:43 PM:
> 
> > 
> > In message <4D06A75F.7080400 at chrysler.com>, Kevin Darcy writes:
> > > On 12/7/2010 5:31 PM, David A. Evans wrote:
> > > >
> > > >         I'm in the mood to prove a point.   I have a very poorly 
> > > > written application that is generating a few hundred queries per 
> > > > second of completely bogus AAAA records before attempting a lookup of 
> > > > the correct A records.  This is because the application was compiled 
> > > > with an IPv6 interface enabled on the servers so it assumes that v6 is 
> > > > available.  It is not.  The application owner does not see an issue as 
> > > > they get the handful of NXDOMAIN responses back in ~2 ms for each valid 
> > > > response and don't see any performance hit.
> > > >
> > > >         I would like to silently drop the AAAA record lookups instead 
> > > > of responding back with NXDOMAIN.
> > >
> > > NXDOMAIN? Is the application looking up a different *name* for its AAAA 
> > > queries than for its A queries? If a single name owned A records but no 
> > > AAAA records then the correct response from an AAAA-capable resolver to 
> > > an AAAA query of the name would be the so-called "NODATA" response 
> > > (NOERROR with 0 answers and an SOA RR in the Authority Section for negative 
> > > caching purposes, see RFC 2308 for details). NXDOMAIN, as another poster 
> > > pointed out, could inhibit even A-record queries of the name, and would 
> > > be the wrong response in that situation.
> > 
> > It's likely to be applying the search list to AAAA queries and *not*
> > stopping on NODATA then applying the search list to A queries.  I've
> > argued that this is wrong behaviour and that searches should stop
> > on NODATA but some people are worried that this change in behaviour
> > will break something that is depending on the searches skipping
> > NODATA responses.
> 
> 
> This is exactly what the app is doing, and they have a long search list, 
> and the application is walking through each suffix in the search list, 
> chopping off one domain at a time all the way down to .com, so it is duplicating 
> many of the bogus queries several times on its way through the search list.
> I had them fully qualify the DNS names they put into the app with the trailing 
> "." and it still appended the search list. (Even Microsoft gets that right 
> most of the time.)

Point them at RFC 1535, which states that automatically building a
search list by stripping off components is a security risk.  Search
lists should be explicit and also should not have elements that are
not under the administrative control of the organisation using the
search list.

As for using "." to prevent searching, I would suggest that they
only search on single-label inputs.  Using "." at the end of the
name to prevent searching is only a convention on some systems.
Also, "host.example.net." is not a legal hostname (periods at the
end are not allowed), though some applications accept them.  Hostnames
on the wire should always be absolute and have no trailing period.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
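A constructed illustration of the search-list policy Mark lays out above (append the search list only to single-label inputs, treat a trailing "." as absolute, keep the search list explicit rather than derived by stripping labels as RFC 1535 warns) placed next to the append-everything behaviour David describes, together with the stop-on-NODATA question from earlier in the thread. This is added example code, not part of the thread, of BIND or of any stub resolver; the zone snapshot, the search list and the `lookup`, `candidates`, `legacy_candidates`, `resolve` and `foreign_suffixes` functions are all assumptions made for the demonstration.

```python
"""Search-list walking and NODATA handling, simulated offline (constructed example)."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Rcode(Enum):
    ANSWER = "answer"      # NOERROR with records in the answer section
    NODATA = "nodata"      # NOERROR, 0 answers, SOA in authority (RFC 2308)
    NXDOMAIN = "nxdomain"  # the name does not exist at all


# Constructed zone snapshot: (qname, qtype) -> records.  Names are written in
# presentation form with a trailing dot; on the wire they are label sequences
# with no trailing period.  A name present with any type exists (so asking for
# a missing type yields NODATA); an absent name yields NXDOMAIN.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("host.example.net.", "A"): ["192.0.2.10"],
}

# Constructed search list of the kind the thread describes: it walks all the
# way down to a public suffix the organisation does not administer.
SEARCH = ["example.net", "net", "com"]


def lookup(qname: str, qtype: str) -> Tuple[Rcode, List[str]]:
    """Stand-in for the recursive resolver: answer qname/qtype from ZONE."""
    if (qname, qtype) in ZONE:
        return Rcode.ANSWER, ZONE[(qname, qtype)]
    if any(n == qname for n, _ in ZONE):
        return Rcode.NODATA, []
    return Rcode.NXDOMAIN, []


def candidates(name: str, search_list: List[str]) -> List[str]:
    """Names to query, in order, under the policy suggested in the reply:
    a trailing dot means absolute (one query, nothing appended); a name with
    any dot in it is tried as given; only a single label gets the explicit
    search list appended, followed by the bare name."""
    if name.endswith("."):
        return [name]
    if "." in name:
        return [name + "."]
    return [f"{name}.{s.rstrip('.')}." for s in search_list] + [name + "."]


def legacy_candidates(name: str, search_list: List[str]) -> List[str]:
    """The misbehaving application's policy from the thread: ignore the
    trailing dot and append every search suffix before trying the name."""
    base = name.rstrip(".")
    return [f"{base}.{s.rstrip('.')}." for s in search_list] + [base + "."]


def resolve(name: str, qtype: str, search_list: List[str], stop_on_nodata: bool,
            policy: Callable[[str, List[str]], List[str]] = candidates):
    """Walk the candidate names; return (final rcode, records, queries sent).
    stop_on_nodata=True is the behaviour argued for in the thread; False keeps
    walking the list after a NODATA, which is how the NXDOMAINs David saw arise."""
    sent: List[Tuple[str, str, Rcode]] = []
    for cand in policy(name, search_list):
        rc, recs = lookup(cand, qtype)
        sent.append((cand, qtype, rc))
        if rc is Rcode.ANSWER or (rc is Rcode.NODATA and stop_on_nodata):
            return rc, recs, sent
    return sent[-1][2], [], sent


def dual_stack_queries(name: str, search_list: List[str], stop_on_nodata: bool,
                       policy: Callable[[str, List[str]], List[str]] = candidates):
    """AAAA first, then A, the order the application in the thread uses;
    returns every query it would send so the duplication can be counted."""
    _, _, q6 = resolve(name, "AAAA", search_list, stop_on_nodata, policy)
    _, _, q4 = resolve(name, "A", search_list, stop_on_nodata, policy)
    return q6 + q4


def foreign_suffixes(search_list: List[str], controlled: List[str]) -> List[str]:
    """RFC 1535 check: search-list elements not at or below a domain the
    organisation administers (these are the entries that leak queries)."""
    def under(s: str, c: str) -> bool:
        s, c = s.rstrip(".").lower(), c.rstrip(".").lower()
        return s == c or s.endswith("." + c)
    return [s for s in search_list if not any(under(s, c) for c in controlled)]


if __name__ == "__main__":
    for label, policy in (("application", legacy_candidates), ("suggested", candidates)):
        qs = dual_stack_queries("host.example.net.", SEARCH, True, policy)
        print(f"{label}: {len(qs)} queries")
        for qname, qtype, rc in qs:
            print(f"  {qname} {qtype} -> {rc.value}")
    print("suffixes outside our control:", foreign_suffixes(SEARCH, ["example.net"]))
```

Run stand-alone, the script lists the eight queries the append-everything policy sends for an already absolute name (three NXDOMAINs per type before the real answer) against the two the single-label policy sends, and flags `net` and `com` as search-list entries outside the organisation's control.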
