Peculiar DNS queries
Lars Kollstedt
lk at man-da.de
Mon Dec 23 09:49:47 UTC 2019
Hi Fred,
On Montag, 23. Dezember 2019 01:08:54 CET Fred Morris wrote:
> but in cache e.g. isc.org matches ISC.ORG or isc.ORG, or
> ISC.org... hopefully you get the idea.
Thats expected behavior. And has IMHO something to do with
https://tools.ietf.org/html/rfc4343
and the elder DNS RFCs not with dnsext-dns0x20 but the implementations of the
case insensitivity in the public DNS were much older.
The dnsext-dns0x20 uses the previously present behavior of many
implementations to echo back the character case of the request in the reply
but matching case insensitive. If it gets anything else and no DNS Cookie back
the resolver will wait a short while for a better matching answer, and then
give the non matching back. That's at least my reading of this. The matching
in the cache is still done case insensitive, and the character case is re
randomized on each resolver and DNS Client supporting this.
As far as i've seen some client libraries are leaking the camel case back,
which might cause problems. But that's a problem between the library and the
application using it and can be fixed in both.
dnsext-dns0x20 addresses recent spoofing problems on well connected resolvers
since the source port randomization doesn't provide enough entropy for them
and the attacks were already seen in the wild.
If your client application is really asking in lowercase it still will get
lowercase back.
So you can ask for WwW.iSC.oRg and you will get an answer for WwW.iSC.oRg back
with the same result as for www.isc.org or WWW.ISC.ORG.
But if a library gets a query for www.isc.org from the application it's used
by and is randomizing this e.g. to WwW.iSC.oRg it should hopefully return a
result for www.isc.org again. Other behavior might break things. ;-)
Kind regards
Lars
--
Lars Kollstedt
Telefon: +49 6151 16-71027
E-Mail: lk at man-da.de
man-da.de GmbH
Dolivostraße 11
64293 Darmstadt
Sitz der Gesellschaft: Darmstadt
Amtsgericht Darmstadt, HRB 9484
Geschäftsführer: Andreas Ebert
More information about the bind-users
mailing list