Weird DNS behaviour resolution issues when more labels are present in a zone

Prasanna Mathivanan (pmathiva) pmathiva at cisco.com
Sat Dec 12 09:36:40 UTC 2020


Hi everyone,

I have an issue resolving a domain; from the logs I see it's timing out,
and from the dig output we are getting a SERVFAIL response.
The BIND version we are using is 9.14.10; the same domain resolves in BIND version 9.11 and lower.

Example domain: a.b.c.example.com
When we took a tcpdump and looked at what's happening when we do a dig, we see it's querying the wrong domain "_.b.c.example.com", it's not able to query the NS for this domain, and we get a timeout in the logs.
Adding to that, we get a SERVFAIL response when doing a dig.

We don't see this behaviour with BIND version 9.11 or lower, and it works with +trace as well.

If anyone can explain why this behaviour is happening, it will be very helpful in understanding the issue.

After looking into the problem, it appears that bind 9.14 ships with Query Name Minimisation feature as defined by RFC 7816 enabled by default.
A few people have experienced this behaviour, and the solution was to disable QNAME minimisation.

How does QNAME Minimisation alter this behaviour? To quote from RFC 7816:
Instead of sending the full QNAME and the original QTYPE upstream, a resolver that implements QNAME minimisation and does not already have the answer in its cache sends a request to the name server authoritative for the closest known ancestor of the original QNAME. The request is done with:

  * the QTYPE NS
  * the QNAME that is the original QNAME, stripped to just one label more than the zone for which the server is authoritative
A resolver using QNAME Minimisation implicitly assumes that each label in the query name corresponds to a zone cut. The resolver queries a parent zone server, using an abbreviated query name that is truncated after the name of the immediate child label and uses a query type of NS.


I am adding the following links to justify this behaviour, but I just wanted a suggestion on whether we are good with doing this.
https://datatracker.ietf.org/doc/rfc7816/?include_text=1
https://blog.apnic.net/2019/08/12/dns-query-privacy/
https://labs.ripe.net/Members/wouter_de_vries/make-dns-a-bit-more-private-with-qname-minimisation
https://github.com/iagox86/dnscat2/issues/144

Disabling QMIN does fix the issue, but I would like to understand why delegation breaks when there are more labels,
and why the query goes to the underscore domain even though it doesn't exist.

--
Thanks
Prasanna
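An added example, not code from the post or from BIND, modelling the walk the RFC 7816 quote above describes: starting from example.com as the closest known zone, a minimising resolver asks NS for c.example.com, then b.c.example.com, and only then the full name, so every extra label is one more query that an authoritative server must answer correctly for an empty non-terminal. The zone data is constructed, the "relaxed" fallback is a simplified model rather than BIND's exact logic, and the "_" prefix seen in the tcpdump is not modelled.

```python
ZONE_APEX = "example.com"

# Constructed zone data (not from the post): only the leaf owns a record, so
# c.example.com and b.c.example.com exist only as empty non-terminals (ENTs).
ZONE = {"a.b.c.example.com": {"A": ["192.0.2.10"]}}


def labels(name):
    return name.rstrip(".").split(".")


def minimised_qnames(qname, closest_known_zone):
    """Successive QNAMEs an RFC 7816 resolver sends when the closest ancestor it
    already knows servers for is closest_known_zone: one more label each time."""
    q, z = labels(qname), labels(closest_known_zone)
    assert q[-len(z):] == z, "zone must be an ancestor of qname"
    return [".".join(q[i:]) for i in range(len(q) - len(z) - 1, -1, -1)]


def authoritative_answer(qname, qtype, ent_nxdomain=False):
    """Toy authoritative server. A correct server returns NOERROR with no data
    for an ENT; a broken one (ent_nxdomain=True) returns NXDOMAIN instead."""
    if qname in ZONE:
        return "NOERROR", ZONE[qname].get(qtype, [])
    if any(owner.endswith("." + qname) for owner in ZONE) and not ent_nxdomain:
        return "NOERROR", []
    return "NXDOMAIN", []


def resolve(qname, qtype, ent_nxdomain=False, relaxed=False):
    """Minimising resolver. Intermediate names are asked for NS; an NXDOMAIN on
    one of them aborts the walk unless relaxed=True, which then retries the full
    name the way a non-minimising resolver would (simplified model)."""
    trace, rdata = [], []
    for name in minimised_qnames(qname, ZONE_APEX):
        qt = qtype if name == qname else "NS"
        rcode, rdata = authoritative_answer(name, qt, ent_nxdomain)
        trace.append((name, qt, rcode))
        if rcode == "NXDOMAIN" and name != qname:
            if not relaxed:
                return None, trace  # strict resolver gives up on the ENT
            rcode, rdata = authoritative_answer(qname, qtype, ent_nxdomain)
            trace.append((qname, qtype, rcode))
            return rdata, trace
    return rdata, trace


if __name__ == "__main__":
    for flags in ({}, {"ent_nxdomain": True}, {"ent_nxdomain": True, "relaxed": True}):
        print(flags, resolve("a.b.c.example.com", "A", **flags))
```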