Maintained by: NLnet Labs

[Unbound-users] use-caps-for-id ignore list - feature request

Rygl Aleš
Mon Sep 15 09:50:07 CEST 2014


On Sunday 14 of September 2014 20:33:13 A. Schulze wrote:
> 
> > I have found out a temporary solution. I am forwarding troubled domains to
> > another resolver without 0x20 support using forward zone:
> that sounds very simple but _really_ cool!
> 

Unfortunately it fixes just the cases where there is a problem of mismatched
caps in the query and response, or just in the response itself. For example,
McAfee uses DNS for some kind of virus signature identification, and they
violate the RFC and do not ignore caps in the query. It's because the query is
forwarded as capitalized...

# dig -t any  4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com  @8.8.8.8

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -t any 4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26986
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com. IN ANY

;; ANSWER SECTION:
4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com. 0 IN A 127.0.4.8
4z9p5tjmcbnblehp4557z1d136.avts.mcafee.com. 0 IN TXT 
"Rp1Sbjuoo7B6uu6iaGW9IBzlsS584bET/uInJVnd+U0AQa1mFbiyFyPEcywTg7S+pF2vD6JohGwl8BUidVhxNLWfHd1ckC4qwDM9VNCyzV5V1wynJUSIbLigRcOlEJiyzHaNevnYW6Vo2+zHMi3mIg1mMLnAJW4tt7q31eXgfOU="

My testing resolver on port 1053 with caps_for_id:

# dig -t any  4Z9p5tjmcbnblehp4557z1d136.avts.mcafee.com  @127.0.0.1 -p1053

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -t any 4Z9p5tjmcbnblehp4557z1d136.avts.mcafee.com @127.0.0.1 -p1053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18229
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;4Z9p5tjmcbnblehp4557z1d136.avts.mcafee.com. IN ANY

;; AUTHORITY SECTION:
avts.mcafee.com.        600     IN      SOA     mcafee.com. hostmaster.mcafee.com. 1410766772 1800 600 604800 600


Ales
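
The two failure modes discussed in this message (a reply whose question name does not echo the query's case, and a server that answers a mixed-case name differently from the lower-case one) can be told apart with a small offline check. This is an added example, not part of the original post and not Unbound's code; the function names, the name host.example.com and the simulated server behaviours are assumptions constructed for illustration.

```python
import random
import struct

def encode_0x20(name, rng):
    """Randomize the case of every letter in a query name (0x20 encoding)."""
    return "".join(rng.choice((c.lower(), c.upper())) for c in name)

def build_query(name, qtype=255, txid=0x1234):
    """Wire-format query: 12-byte header, QNAME, QTYPE (255 = ANY), QCLASS IN."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!2H", qtype, 1)

def parse_question(msg):
    """Return (rcode, qname); the question name comes first, so it is uncompressed."""
    rcode = struct.unpack("!H", msg[2:4])[0] & 0xF
    labels, pos = [], 12
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return rcode, ".".join(labels)

def fake_server(query, behaviour):
    """Constructed stand-in for an authoritative server; no network traffic."""
    qname, rcode = query[12:-4], 0
    if behaviour == "lowercases-echo":
        qname = qname.lower()      # reply echoes the name in lower case
    elif behaviour == "case-sensitive" and qname != qname.lower():
        rcode = 3                  # NXDOMAIN for any name that is not lower case
    return query[:2] + struct.pack("!H", 0x8180 | rcode) + query[4:12] + qname + query[-4:]

def classify(sent_name, response, baseline_rcode):
    """Compare a reply to a mixed-case query with the lower-case baseline."""
    rcode, echoed = parse_question(response)
    if echoed != sent_name:
        return "echo-mismatch"          # fails the use-caps-for-id comparison
    if rcode != baseline_rcode:
        return "case-sensitive-server"  # forwarding the mixed-case name does not help
    return "ok"

def probe(name, mixed, behaviour):
    """Query once in lower case for a baseline rcode, then once in mixed case."""
    baseline, _ = parse_question(fake_server(build_query(name.lower()), behaviour))
    return classify(mixed, fake_server(build_query(mixed), behaviour), baseline)

if __name__ == "__main__":
    name = "host.example.com"           # constructed sample name
    mixed = encode_0x20(name, random.Random())
    for behaviour in ("compliant", "lowercases-echo", "case-sensitive"):
        print(behaviour, mixed, probe(name, mixed, behaviour))
```
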