[nsd-users] * CNAME loop
Roy Arends
roy at dnss.ec
Tue Nov 19 19:43:50 UTC 2013
Interesting…
The combination of wildcards and cnames with a nonexistent canonical name in a single record is not a good idea in general. If these records can be found in the wild, on an NSD-only server pool, this can lead to denial of service attacks against resolvers.
There are some clarifications of wildcards in the DNS that deal with CNAME. They can be found in RFC 4592. I’ve quickly glanced over it, and it seems that the behaviour is consistent with that RFC. (I might be wrong though).
Roy
On 19 Nov 2013, at 14:14, Chris LaVallee <clavallee at edgecast.com> wrote:
> Hi,
>
> I'm testing:
>
> $ sudo nsd-control status
> version: 4.0.1
> verbosity: 2
>
> I found a loop problem with this record:
> * IN CNAME none
> ("none" means no matching record in zone and therefore match * again)
>
> Queries that use "* CNAME" will result in a loop. The response will use TCP and will be limited to 65k bytes.
>
> $ dig @127.0.0.1 sdfgsfg.test.com
>
> ;; Truncated, retrying in TCP mode.
>
> ; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 sdfgsfg.test.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30440
> ;; flags: qr aa tc rd; QUERY: 1, ANSWER: 4678, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;sdfgsfg.test.com. IN A
>
> ;; ANSWER SECTION:
> sdfgsfg.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> .
> .
> .
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
> none.test.com. 6400 IN CNAME none.test.com.
>
> ;; Query time: 85 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Nov 19 08:36:52 2013
> ;; MSG SIZE rcvd: 65531
>
> --------------------------------------------
>
> A more likely example of this problem is below:
> * IN CNAME www.google.com (ending dot is missing)
>
> ;; QUESTION SECTION:
> ;sdfgsf.test.com. IN A
>
> ;; ANSWER SECTION:
> sdfgsf.test.com. 6400 IN CNAME www.google.com.test.com.
> www.google.com.test.com. 6400 IN CNAME www.google.com.test.com.
> www.google.com.test.com. 6400 IN CNAME www.google.com.test.com.
> www.google.com.test.com. 6400 IN CNAME www.google.com.test.com.
> www.google.com.test.com. 6400 IN CNAME www.google.com.test.com.
> www.google.com.test.com. 6400 IN CNAME www.google.com.test.com.
> www.google.com.test.com. 6400 IN CNAME www.google.com.test.com.
> www.google.com.test.com. 6400 IN CNAME www.google.com.test.com.
>
>
> Chris
>
>
>
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
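A zone-file check for the class of record Roy warns about, as an added example that is not part of this thread or of NSD: it qualifies relative CNAME targets the way a zone parser does (so a missing trailing dot turns `www.google.com` into `www.google.com.test.com.`), then flags any wildcard CNAME whose target does not exist and whose closest encloser (RFC 4592) is the wildcard's own parent, which is exactly the condition under which the wildcard is synthesized for its own target. The sample zone, origin and function names are constructed for this example.

```python
# Constructed sample zone ($ORIGIN test.com.), reproducing the thread's 'more
# likely' case: an external target written without its trailing dot.
ZONE = """
www   3600 IN A     192.0.2.2
mail  3600 IN CNAME www
*     6400 IN CNAME www.google.com
"""

def qualify(name, origin):
    """Zone-file rule: a name without a trailing dot is relative to $ORIGIN."""
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"

def parse_zone(text, origin="test.com."):
    """Minimal 'owner [ttl] [class] type rdata' parser; CNAME targets get qualified."""
    records = []
    for line in text.splitlines():
        parts = line.split(";")[0].split()
        if not parts:
            continue
        owner, rest = qualify(parts[0], origin), parts[1:]
        while rest[0].isdigit() or rest[0].upper() == "IN":   # skip TTL / class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        records.append((owner, rtype, qualify(rdata, origin) if rtype == "CNAME" else rdata))
    return records

def existing_names(records):
    """Owner names plus their ancestors (empty non-terminals count as existing)."""
    names = set()
    for owner, _, _ in records:
        labels = owner.rstrip(".").split(".")
        names.update(".".join(labels[i:]) + "." for i in range(len(labels)))
    return names

def closest_encloser(name, names):
    """Longest existing proper ancestor of name (RFC 4592 terminology), or None."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        anc = ".".join(labels[i:]) + "."
        if anc in names:
            return anc

def find_wildcard_cname_loops(records):
    """(wildcard, target) pairs where the wildcard itself would answer for its target."""
    names = existing_names(records)
    # The wildcard is synthesized for its own target when the target does not
    # exist and the wildcard's parent is the target's closest encloser.
    return [(owner, target) for owner, rtype, target in records
            if rtype == "CNAME" and owner.startswith("*.") and target not in names
            and closest_encloser(target, names) == owner[2:]]
```

Running it on a zone before loading it into NSD reports the self-referential wildcard; a correct absolute target (`www.google.com.`) or a target that exists in the zone (`* IN CNAME www`) is not flagged.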