Peculiar DNS queries
Lars Kollstedt
lk at man-da.de
Mon Dec 30 22:48:41 UTC 2019
Hi Tony,
on Monday, 30 December 2019, 20:10:57 CET Tony Finch wrote:
> It's very difficult to make the DNS properly case-preserving, because a
> parent zone and a child zone can disagree with each other about the case
> of the parent zone.
dnsext-dns0x20-00 doesn't have anything to do with zones. If it's completely
implemented, each query has a different camel case. All caching and all
comparisons are still done lowercase according to RFC4343.
e.g. with fully implemented dnsext-dns0x20-00:
A client application on client1 wishes to resolve the IPv4 address of
www.iment.com.
client1 asks resolver1 for Www.IMent.coM IN A
The authoritative NS RRs of com are already cached, to shorten this a bit. ;-)
resolver1 asks the authoritative of the com zone for ImenT.Com or wWw.ImenT.Com
resolver1 gets ImenT.com IN NS ns-b.ImenT.Com and ns-a.ImenT.Com back.
resolver1 writes both RRs in lowercase to its cache.
resolver1 asks ns-b.iment.com for wwW.imEnT.cOM IN A
It gets wwW.imEnT.cOM IN A 216.55.100.245 back
It writes it in lowercase to its cache (www.iment.com)
client1 gets Www.IMent.coM IN A 216.55.100.245 back from resolver1
In the client application this is handled as the answer for www.iment.com.
There are probably some authoritatives that don't implement RFC4343
correctly. In this case you will get the case from the zone back and resolver1
will wait for a better answer if the spoofing protection isn't provided via
other mechanisms (DNS cookies or DNSSEC).
And there are some more or less common authoritatives that implement RFC4343
by answering always in lowercase until dnsext-dns0x20-00 was implemented.
If a resolver doesn't implement dnsext-dns0x20-00, implementing
dnsext-dns0x20-00 in the client application doesn't have any security effect, since
many of the client applications will ask in lowercase. And even if they
wouldn't, the security effect is gone if the attacker can do queries and
choose the case the resolver queries. Some resolvers not implementing
dnsext-dns0x20-00 will also convert queries to lowercase when forwarding them to the
authoritative.
If the answer to a dnsext-dns0x20-00 query is done in lowercase and spoofing
protection is not provided via other mechanisms, there will also be a delay.
We're talking about resolving here. Not about AXFR (between authoritatives)
and not about DNS UPDATE specified by RFC2136 (to dynamically update
information on authoritatives). dnsext-dns0x20-00 can't be used for securing
DNS UPDATE, since the sensitive information goes in the opposite direction
there.
Kind regards
Lars
--
Lars Kollstedt
Phone: +49 6151 16-71027
E-mail: lk at man-da.de
man-da.de GmbH
Dolivostraße 11
64293 Darmstadt
Registered office: Darmstadt
Darmstadt District Court, HRB 9484
Managing Director: Andreas Ebert
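The resolver-side exchange Lars walks through above, as an added example that is not part of the original mail or of any BIND code: the resolver randomises the 0x20 bit of each letter, caches under the RFC4343 lowercase form, and rejects an answer whose question name does not echo the sent case (the lowercasing-authoritative failure mode he mentions). The two authoritative functions and the `Resolver` class are constructed stand-ins, not a real transport.

```python
import hmac
import random

def canonical(name: str) -> str:
    """RFC 4343 comparison form: ASCII-lowercased and fully qualified."""
    return name.rstrip(".").lower() + "."

def encode_0x20(name: str, rng) -> str:
    """Randomise the 0x20 (case) bit of every ASCII letter before sending."""
    return "".join(c.upper() if c.isalpha() and rng.getrandbits(1) else c
                   for c in canonical(name))

def entropy_bits(name: str) -> int:
    """Extra bits a spoofer has to guess: one per ASCII letter in the QNAME."""
    return sum(c.isalpha() for c in name)

def accept_response(sent_qname: str, echoed_qname: str) -> bool:
    """Accept only if the question name came back byte-for-byte identical."""
    return hmac.compare_digest(sent_qname.encode(), echoed_qname.encode())

class Resolver:
    """Constructed model: queries in mixed case, verifies the echo, caches in RFC 4343 form."""
    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.cache = {}

    def resolve(self, qname, qtype, authoritative):
        sent = encode_0x20(qname, self.rng)
        echoed, rdata = authoritative(sent, qtype)  # hypothetical transport call
        if not accept_response(sent, echoed):
            return None  # possible spoof or lowercasing server: wait for a better answer
        self.cache[(canonical(qname), qtype)] = rdata
        return rdata

# Constructed authoritative behaviours standing in for real servers.
def echoing_auth(qname, qtype):      # RFC 4343 compliant, echoes the query's case
    return qname, "216.55.100.245"

def lowercasing_auth(qname, qtype):  # always answers in lowercase
    return qname.lower(), "216.55.100.245"

if __name__ == "__main__":
    r = Resolver()
    print(entropy_bits("www.iment.com"))                      # 11
    print(r.resolve("Www.IMent.coM", "A", echoing_auth))      # 216.55.100.245
    print(r.resolve("Www.IMent.coM", "A", lowercasing_auth))  # None unless all 11 coin flips were 0
    print(r.cache)  # {('www.iment.com.', 'A'): '216.55.100.245'}
```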