
List:       djbdns
Subject:    Re: can't resolve some addresses
From:       Jeff King <peff () peff ! net>
Date:       2009-04-07 19:53:50
Message-ID: 20090407195350.GA12411 () coredump ! intra ! peff ! net

On Tue, Apr 07, 2009 at 03:10:45PM -0400, Dean Anderson wrote:

> Except that, in this case, there is nothing wrong with putting RD in a
> query to an authoritative server that is authoritative for the zone you
> are querying.  The mozilla server doesn't need to recurse; it's got the
> authority data.
> 
> The bug is in the mozilla server for refusing the query, even though it
> was authoritative for the answer.  Turning off recursion should only
> cause queries to be refused if recursion was necessary; in this case,
> recursion wasn't necessary.

Whether refusing such queries is wrong or not, running dnscache with
FORWARDONLY but not forwarding to another resolver is a bad idea for two
reasons:

  1. There are obviously names which, right or wrong, will have
     problems resolving, as evidenced by the original poster in this
     thread.

  2. dnscache uses the RD bit for loop detection. A malicious content
     server can thus induce an infinite lookup loop in dnscache by
     referring the resolver to itself. This is easy to demonstrate via:

       # $U is the unprivileged account the two services run as; set it first
       dnscache-conf $U $U /tmp/dnscache 127.0.0.1
       tinydns-conf $U $U /tmp/tinydns 127.0.0.2
       (cd /tmp/tinydns
        # serve zone "bogus" here; "&" delegates loop.bogus to a nameserver
        # at 127.0.0.1, i.e. back to the dnscache started below
        (echo .bogus:127.0.0.2; echo \&loop.bogus:127.0.0.1:a) >root/data
        (cd root && make)
        ./run) &
       (cd /tmp/dnscache
        # forward-only mode, but the only "forwarder" is the tinydns above
        echo 1 >env/FORWARDONLY
        echo 127.0.0.2 >root/servers/bogus
        ./run) &
       DNSCACHEIP=127.0.0.1 dnsqr a loop.bogus

-Peff
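As an added illustration of the RD/RA point above (this is not part of Jeff's message or of djbdns; the packets are constructed inline and only the 12-byte header is examined), here is a small Python check of the kind an operator can use before pointing a FORWARDONLY dnscache at a server: it builds an RD=1 query, parses the reply header, and classifies the upstream by whether it sets RA, refuses, or answers authoritatively without RA. The function and verdict names are this example's own.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 1 << 15          # 1 = response
AA = 1 << 10          # authoritative answer
RD = 1 << 8           # recursion desired (set by the client)
RA = 1 << 7           # recursion available (set by the server)
RCODE_MASK = 0xF
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, recursion_desired=True):
    """Header + one question (type A, class IN), RD set by default."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_header(packet):
    """Decode the header fields a forwarder check cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": RCODE_NAMES.get(flags & RCODE_MASK, str(flags & RCODE_MASK)),
        "qdcount": qd,
        "ancount": an,
    }


def assess_forward_target(response):
    """Classify a reply to an RD=1 query from a FORWARDONLY cache's viewpoint.

    Only a server that sets RA is a usable forwarder; anything else will
    leave some names unresolvable, as described in the thread.
    """
    h = parse_header(response)
    if not h["qr"]:
        return "not-a-response"
    if h["ra"]:
        return "recursive-resolver"
    if h["rcode"] == "REFUSED":
        return "authoritative-refuses-rd"
    if h["aa"]:
        return "authoritative-no-ra"
    return "no-ra-unknown"


def constructed_reply(query, aa=False, ra=False, rcode=0, ancount=0):
    """Constructed sample reply: echoes the query ID, RD bit and question.

    No answer records are attached; this example only inspects headers.
    """
    txid, flags = struct.unpack("!HH", query[:4])
    flags = QR | (flags & RD) | (AA if aa else 0) | (RA if ra else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("loop.bogus")
    for label, r in [("recursive", constructed_reply(q, ra=True, ancount=1)),
                     ("refusing auth", constructed_reply(q, rcode=5)),
                     ("auth, no RA", constructed_reply(q, aa=True, ancount=1))]:
        print(label, "->", assess_forward_target(r))
```

In practice the reply bytes come from a UDP exchange with the candidate server; a verdict other than "recursive-resolver" means the server should not be listed under root/servers/ while env/FORWARDONLY is set.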