Peculiar DNS queries

Lars Kollstedt lk at man-da.de
Mon Dec 30 22:48:41 UTC 2019


Hi Tony,

On Monday, 30 December 2019, 20:10:57 CET, Tony Finch wrote:
> It's very difficult to make the DNS properly case-preserving, because a
> parent zone and a child zone can disagree with each other about the case
> of the parent zone.
dnsext-dns0x20-00 doesn't have anything to do with zones. If it's completely 
implemented, each query has a different camel case. All caching and all 
comparisons are still done in lowercase according to RFC4343.

e.g. with fully implemented dnsext-dns0x20-00:
The client application on client1 wishes to resolve the IPv4 address of 
www.iment.com.
client1 asks resolver1 for Www.IMent.coM IN A
The authoritative NS RRs of com are already cached, to shorten this a bit. ;-)
resolver1 asks an authoritative of the com zone for ImenT.Com or wWw.ImenT.Com
resolver1 gets ImenT.com IN NS ns-b.ImenT.Com and ns-a.ImenT.Com back.
resolver1 writes both RRs in lowercase to its cache.
resolver1 asks ns-b.iment.com for wwW.imEnT.cOM IN A
It gets wwW.imEnT.cOM IN A 216.55.100.245 back
It writes it in lowercase to its cache (www.iment.com)
client1 gets Www.IMent.coM IN A 216.55.100.245 back from resolver1
In the client application this is handled as the answer for www.iment.com.

There are probably some authoritatives that don't implement RFC4343 
correctly. In this case you will get the case from the zone back, and resolver1 
will wait for a better answer if the spoofing protection isn't provided via 
other mechanisms (DNS cookies or DNSSEC).
And there are some more or less common authoritatives that implemented RFC4343 
by always answering in lowercase, until dnsext-dns0x20-00 was implemented.

If a resolver doesn't implement dnsext-dns0x20-00, implementing 
dnsext-dns0x20-00 in the client application doesn't have any security effect, since 
many of the client applications will ask in lowercase. And even if they 
wouldn't, the security effect is gone if the attacker can do queries and 
choose the case the resolver queries. Some resolvers not implementing 
dnsext-dns0x20-00 will also convert queries to lowercase when forwarding them to the 
authoritative.

If the answer to a dnsext-dns0x20-00 query is given in lowercase and spoofing 
protection is not provided via other mechanisms, there will also be a delay.

We're talking about resolving here. Not about AXFR (between authoritatives) 
and not about DNS UPDATE specified by RFC2136 (to dynamically update 
information on authoritatives). dnsext-dns0x20-00 can't be used for securing 
DNS UPDATE, since the sensitive information goes in the opposite direction 
there.

Kind regards
	Lars
	
-- 
Lars Kollstedt

Phone:   +49 6151 16-71027
E-Mail:  lk at man-da.de

man-da.de GmbH
Dolivostraße 11
64293 Darmstadt

Registered office: Darmstadt
Darmstadt Local Court, HRB 9484
Managing Director: Andreas Ebert
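
The resolver-side behaviour described in the message above (random 0x20 case on the outgoing query, RFC 4343 lowercase cache keys, and the delay when an authoritative answers in lowercase) as a toy model. This is an added example, not code from the post, from BIND, or from the draft; the authoritative servers are constructed stubs, the zone content is the post's own www.iment.com example, and the names Resolver, randomize_case, cache_key, matches_0x20 and demo_rng are assumptions of this example.

```python
"""Toy model of dnsext-dns0x20 case randomisation on the resolver side,
with RFC 4343 case-insensitive caching.  Constructed example: the
authoritative servers are in-memory stubs, not real DNS."""
import secrets
from typing import Callable, Dict, Optional, Tuple

# An authoritative takes the question name as sent on the wire and returns
# (owner name as it appears in the reply, rdata).
Authoritative = Callable[[str], Tuple[str, str]]


def randomize_case(name: str, rng: Callable[[int], int] = secrets.randbits) -> str:
    """Flip each ASCII letter of the query name to upper or lower case at
    random (the 0x20 bit of ASCII letters).  Dots and digits are untouched."""
    return "".join(
        (ch.upper() if rng(1) else ch.lower()) if ch.isascii() and ch.isalpha() else ch
        for ch in name
    )


def cache_key(name: str) -> str:
    """RFC 4343: owner names compare case-insensitively, so the cache is keyed
    on the lowercase form whatever case was used on the wire."""
    return name.lower()


def names_equal_rfc4343(a: str, b: str) -> bool:
    """Case-insensitive comparison, the only comparison RFC 4343 allows."""
    return a.lower() == b.lower()


def matches_0x20(sent_qname: str, answered_qname: str) -> bool:
    """The 0x20 check: the question name echoed back must match the name the
    resolver sent byte for byte, case included."""
    return sent_qname == answered_qname


def demo_rng() -> Callable[[int], int]:
    """Deterministic bit source (1,0,1,0,...) so the demo is reproducible;
    a real resolver uses secrets.randbits."""
    state = [0]

    def rng(_nbits: int) -> int:
        state[0] ^= 1
        return state[0]

    return rng


class Resolver:
    def __init__(self, use_0x20: bool = True, rng: Callable[[int], int] = secrets.randbits):
        self.use_0x20 = use_0x20
        self.rng = rng
        self.cache: Dict[str, str] = {}   # lowercase name -> rdata

    def resolve(self, qname: str, auth: Authoritative) -> Tuple[Optional[str], str]:
        """Return (rdata, how-it-was-obtained).  rdata is None when the reply
        had to be discarded."""
        key = cache_key(qname)
        if key in self.cache:
            return self.cache[key], "cache"
        wire_qname = randomize_case(qname, self.rng) if self.use_0x20 else qname.lower()
        answered_qname, rdata = auth(wire_qname)
        if not names_equal_rfc4343(wire_qname, answered_qname):
            return None, "wrong-name"
        if self.use_0x20 and not matches_0x20(wire_qname, answered_qname):
            # An authoritative that answers in lowercase fails here.  A real
            # resolver discards the reply and keeps waiting for a matching one,
            # which is the delay the message describes.
            return None, "0x20-mismatch"
        self.cache[key] = rdata          # always stored in lowercase
        return rdata, "authoritative"


ZONE = {"www.iment.com": "216.55.100.245"}   # constructed from the post's example


def echo_case_auth(wire_qname: str) -> Tuple[str, str]:
    """Authoritative that copies the question name back as received."""
    return wire_qname, ZONE[cache_key(wire_qname)]


def lowercase_auth(wire_qname: str) -> Tuple[str, str]:
    """Authoritative that always answers in lowercase."""
    return wire_qname.lower(), ZONE[cache_key(wire_qname)]


if __name__ == "__main__":
    r = Resolver(rng=demo_rng())
    print("echo-case auth:  ", r.resolve("Www.IMent.coM", echo_case_auth))
    print("second lookup:   ", r.resolve("www.IMENT.com", echo_case_auth))
    print("lowercasing auth:", Resolver(rng=demo_rng()).resolve("www.iment.com", lowercase_auth))
```

The second lookup hits the cache although the client used yet another case, which is the RFC 4343 point; the lowercasing authoritative is answered "0x20-mismatch" only when 0x20 is switched on, so a resolver without it accepts the same reply straight away.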
