Resolving and caching illegal names

John Thurston john.thurston at alaska.gov
Wed Jan 25 17:36:57 UTC 2023


> - Why *must* you forward everything to Akamai?

I am forced to "forward only;" to Akamai for all external queries. It 
hasn't always been this way, but the decision was made "above my pay 
grade", and it is not open to negotiation.

> - Was that a real example of a daft query: 10.11.12.13 type A?

"10.11.12.13" is, indeed, a query I found in my log.

> what's the issue with returning SERVFAIL?

On my validating "recursive" servers, "SERVFAIL" is the response from 
_my_ server. That is the result of Akamai saying "Here's your answer!" 
and my server going through the work of trying to validate it (and failing).

On my non-validating "recursive" servers, I send back the answer Akamai 
sends me:

> ;; ANSWER SECTION:
> 10.11.12.13.            10      IN      A       10.11.12.13

I think SERVFAIL is the correct answer for all of these queries. I do 
not want to encourage any customers in thinking they can get an address 
back from me by asking for the address of an address.


> - Do Akamai have any knobs you can tweak

{chuckle} I'm not allowed in the control room. And Akamai's response to 
my question was quoted in my original message. From their perspective, 
this behavior is a feature, not a defect. I don't expect them to let 
their customer disable their "features". If I want to change this 
behavior, I'm going to have to do it within my sphere of influence.

Off-list, it was suggested to me that I _could_ handle this in my RPZ, 
by enumerating all 255 illegal TLDs (e.g. *.10  CNAME . )

I tried this, and it works as expected when dnssec validation is 
disabled (either globally, or with "validate-except"). My idea right now 
is I can enumerate TLD of the numerics I see in my logs, and ignore the 
rest. I think this will get me what I want, at a level of complexity I 
can accept.

--
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska

On 1/24/2023 10:26 PM, Greg Choules wrote:
> - Why *must* you forward everything to Akamai?
> - Was that a real example of a daft query: 10.11.12.13 type A? If not, 
> do you have some real examples of queries being made to your servers 
> please?
> - Notwithstanding the nature of these illegal queries, if they *are* 
> illegal (or misguided, or errors, or malicious, or whatever - anything 
> but valid), what's the issue with returning SERVFAIL? GIGO Or does 
> that then prejudice genuine queries, for some reason?
> - Are you *only* forwarding to Akamai?
> - Do you have "forward only;" or "forward first;"?
> - Do Akamai have any knobs you can tweak (I believe they have a 
> customer web portal for viewing/changing settings?) that would make 
> them behave like an RFC compliant DNS server?
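As an added example, not part of the original thread: a small Python script that builds the RPZ records described above ("*.10 CNAME ." style entries, one per numeric "TLD"), either for the full 0-255 range or only for the numeric TLDs that actually show up in query-log lines. The zone name rpz.local and the log lines are constructed placeholders.

```python
#!/usr/bin/env python3
"""Build BIND RPZ records that answer NXDOMAIN (CNAME .) for names whose
rightmost label is purely numeric, e.g. 10.11.12.13.  Example script, not
from the thread.  Assumes the RPZ zone is called rpz.local (placeholder)."""
import re

RPZ_ZONE = "rpz.local"  # assumed zone name; substitute your own

def is_numeric_tld(qname: str) -> bool:
    """True if the last label of qname is all digits ('10.11.12.13.')."""
    last = qname.rstrip(".").split(".")[-1]
    return last.isdigit()

def rpz_records(tlds=range(256)) -> list:
    """Two records per numeric TLD: the bare label catches a query for the
    TLD itself, the wildcard catches everything beneath it."""
    lines = []
    for n in tlds:
        lines.append(f"{n} CNAME .")
        lines.append(f"*.{n} CNAME .")
    return lines

def rpz_zone(tlds=range(256)) -> str:
    """Complete zone text (SOA/NS are the usual RPZ placeholders)."""
    header = [
        f"$ORIGIN {RPZ_ZONE}.",
        "$TTL 300",
        f"@ SOA localhost. hostmaster.{RPZ_ZONE}. 1 3600 600 86400 300",
        "@ NS localhost.",
    ]
    return "\n".join(header + rpz_records(tlds)) + "\n"

def numeric_tlds_from_log(log_lines) -> list:
    """Collect only the numeric TLDs seen in BIND query-log lines, so the
    zone can list just those instead of all 256."""
    seen = set()
    for line in log_lines:
        m = re.search(r"query: (\S+) IN ", line)
        if m and is_numeric_tld(m.group(1)):
            seen.add(int(m.group(1).rstrip(".").split(".")[-1]))
    return sorted(seen)

# Constructed sample query-log lines (not real log data).
SAMPLE_LOG = [
    "client @0x7f 192.0.2.10#5353 (10.11.12.13): query: 10.11.12.13 IN A +E(0)K (198.51.100.1)",
    "client @0x7f 192.0.2.11#5353 (www.example.com): query: www.example.com IN A +E(0)K (198.51.100.1)",
    "client @0x7f 192.0.2.12#5353 (192.168.1.200): query: 192.168.1.200 IN A +E(0)K (198.51.100.1)",
]

if __name__ == "__main__":
    print(rpz_zone(numeric_tlds_from_log(SAMPLE_LOG)), end="")
```

The generated file still has to be loaded as a zone and referenced from a `response-policy { zone "rpz.local"; };` statement in named.conf; as the message notes, the rewrite only takes effect where DNSSEC validation is off for those names.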