Maintained by: NLnet Labs

[Unbound-users] reddit.com issue

Jelte Jansen
Mon Aug 25 16:02:21 CEST 2014


On 08/25/2014 03:24 PM, Dave Duchscher wrote:
> 
> Cloudflare's response:
> 
>> Hey there,
>>
>> Because the DNS query "http://reddit.com" is technically not valid (since DNS queries should not contain the protocol URI), CloudFlare's DNS servers will not respond to them.
>>
>> Since these kinds of invalid queries don't get this far in the normal DNS system (since they get dropped at the root servers)
>>
>> Let us know if you need any other help
>> Thanks
> 
> 
> *sigh*
> 

Wow. Not only is that answer wrong, that approach makes these zones easy
to DoS on a number of resolvers.

Worse, as someone on IRC just commented, it also makes it much, much
easier to do Kaminsky-style attacks on those zones.

Jelte