Maintained by: NLnet Labs

[Unbound-users] reddit.com issue

Dave Duchscher
Mon Aug 25 15:24:17 CEST 2014


On Aug 25, 2014, at 7:56 AM, Dave Duchscher <daved at nostrum.com> wrote:

> On Aug 25, 2014, at 6:05 AM, Maciej Soltysiak <maciej at soltysiak.com> wrote:
> 
>> On Mon, Aug 25, 2014 at 9:16 AM, W.C.A. Wijngaards <wouter at nlnetlabs.nl> wrote:
>>> Yes.  The reddit servers (or likely, their load-balancers) are not
>>> following the DNS specifications.  They are dropping the query and
>>> they should be replying.  There was a draft at the IETF even to mark
>>> this as harmful, but it did not progress through the standards track,
>>> I believe.  If they want to refuse the query for unclear reasons (what
>>> is wrong with responding NXDOMAIN?) they could choose from nice error
>>> codes like SERVFAIL and FORMERR and REFUSED.
>> Yup. I have a domain that goes through cloudflare. I just asked
>> cloudflare NSes for a name with a colon and it behaves the same (drop)
>> When I asked the parents, they answered.
>> 
>> Cloudflare seems to do the same thing for their customers.
>> 
>> If not FORMERR, they could've at least sent ICMP administratively
>> prohibited to mark that this particular comms is not ok with them.
>> That would've made unbound record a failure.
>> 
>> It's silly because in order to immunize your cache against this you
>> would have to start your own filtering... That shouldn't be the point.
> 
> Not a customer of Cloudflare but their help system allows outsiders to
> submit so I have submitted a help request for this problem (172999).
> Maybe this is a bug.

Cloudflare's response:

> Hey there,
> 
> Because the DNS query "http://reddit.com" is technically not valid (since DNS queries should not contain the protocol URI), CloudFlare's DNS servers will not respond to them.
> 
> Since these kinds of invalid queries don't get this far in the normal DNS system (since they get dropped at the root servers)
> 
> Let us know if you need any other help
> Thanks


*sigh*

--
Dave
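
Added example, not part of the original thread or of Unbound's code: the exchange discussed above in DNS wire format, showing that a name such as "http://reddit.com" encodes as ordinary labels, what an error reply (FORMERR, SERVFAIL, REFUSED) to it looks like, and how the querying side sees a reply versus a drop. All function names are hypothetical and the query is constructed here, so nothing touches the network.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a dotted name as length-prefixed labels (DNS wire format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(qid, name, qtype=1):
    """Build a one-question query (QTYPE A by default, QCLASS IN)."""
    # Header: ID, flags with RD set, QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_error_reply(query, rcode):
    """Reply a server can send instead of dropping the query: same ID and
    question, QR=1, opcode and RD copied, the chosen RCODE, no records."""
    qid, flags = struct.unpack("!HH", query[:4])
    reply_flags = 0x8000 | (flags & 0x7900) | rcode
    return struct.pack("!HHHHHH", qid, reply_flags, 1, 0, 0, 0) + query[12:]

def classify(query, reply):
    """Querying side's view; reply=None models a silently dropped query."""
    if reply is None:
        return "timeout"  # no answer arrived; the resolver can only wait and retry
    qid, flags = struct.unpack("!HH", reply[:4])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "mismatch"
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))

if __name__ == "__main__":
    q = build_query(0x1234, "http://reddit.com")  # constructed sample query
    print("dropped :", classify(q, None))
    for rc in (1, 2, 5):
        print("replied :", classify(q, build_error_reply(q, rc)))
```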