Maintained by: NLnet Labs

[Unbound-users] reddit.com issue

Eric Meddaugh
Mon Aug 25 16:13:13 CEST 2014


I alerted Cloudflare last week and they have indicated they have engineers looking into it. I opened the ticket as a DoS against any domains they provide hosting for. As long as there are clients querying 'http://www.reddit.com' (or any other Cloudflare hosted domain) it can keep that domain offline. Our work-around has allowed reddit.com to appear to remain online.

---Eric

-----Original Message-----
From: Unbound-users [mailto:unbound-users-bounces at unbound.net] On Behalf Of John Peacock
Sent: Monday, August 25, 2014 9:45 AM
To: unbound-users at unbound.net
Subject: Re: [Unbound-users] reddit.com issue

On Mon, 2014-08-25 at 08:24 -0500, Dave Duchscher wrote:
> Cloudflare's response:
> 
> > Hey there,
> > 
> > Because the DNS query "http://reddit.com" is technically not valid (since DNS queries should not contain the protocol URI), CloudFlare's DNS servers will not respond to them.

That is what I would have predicted their response would have been.  A
broken client is making illegal DNS queries; that is the root cause of
the difficulty.  The fact that unbound itself doesn't return an error
for these illegal queries is only making matters worse.  Neither ':' nor
'/' are legal DNS hostname characters (see RFC-1035 and onwards), so it
should be the resolver library (i.e. unbound) that should be validating
the query before sending it on, IMNSHO.  The fact that reddit.com has an
unfriendly behavior WRT illegal queries doesn't mean it is their fault;
there is no requirement to return NXDOMAIN or SERVFAIL or anything at
all, so they chose to drop the query.

John

-- 
JOHN PEACOCK
senior software build and release engineer
www.messagesystems.com
twitter @MessageSystems

tel 410-872-4910 x239
email john.peacock at messagesystems.com
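
An added example, not part of the original thread and not Unbound's own code: a hostname-syntax check (letters, digits and hyphen per label) applied to the address queries in a resolver query log, which flags names such as 'http://www.reddit.com' and the clients sending them. The log-line layout, the sample lines and the function names are constructed assumptions.

```python
import re

# One hostname label under the RFC 952/1123 rules: letters, digits, hyphen,
# 1 to 63 octets, no leading or trailing hyphen.
LDH_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
ADDRESS_TYPES = {"A", "AAAA"}  # names like _dmarc are legal for other types

def hostname_violations(qname):
    """Return the reasons qname is not a valid hostname (empty list if valid)."""
    name = qname[:-1] if qname.endswith(".") else qname  # drop the root dot
    if not name:
        return ["empty name"]
    problems = []
    if len(name) > 253:
        problems.append("name longer than 253 characters")
    for label in name.split("."):
        if not label:
            problems.append("empty label")
        elif len(label) > 63:
            problems.append("label longer than 63 octets")
        elif not LDH_LABEL.match(label):
            bad = "".join(sorted(set(re.findall(r"[^A-Za-z0-9-]", label))))
            if bad:
                problems.append("illegal characters %r in label %r" % (bad, label))
            else:
                problems.append("label %r starts or ends with a hyphen" % label)
    return problems

# Constructed sample lines; the "<client> <qname> <type> <class>" layout after
# "info: " is an assumption about the query log, adjust it to your resolver.
SAMPLE_LOG = [
    "[1408975993] unbound[2301:0] info: 192.0.2.10 www.reddit.com. A IN",
    "[1408975994] unbound[2301:0] info: 192.0.2.44 http://www.reddit.com. A IN",
    "[1408975995] unbound[2301:1] info: 192.0.2.44 http://reddit.com. AAAA IN",
    "[1408975996] unbound[2301:0] info: 192.0.2.10 _dmarc.example.com. TXT IN",
]

def flag_queries(lines):
    """Map each client IP to the invalid address-query names it asked for."""
    flagged = {}
    for line in lines:
        fields = line.split("info: ", 1)[-1].split()
        if len(fields) != 4 or fields[2] not in ADDRESS_TYPES:
            continue  # not a query line, or not an address lookup
        client, qname = fields[0], fields[1]
        reasons = hostname_violations(qname)
        if reasons:
            flagged.setdefault(client, []).append((qname, reasons))
    return flagged
```

The check is limited to A and AAAA queries because underscore labels are valid DNS names for record types such as TXT and SRV, even though they are not valid hostnames.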