Maintained by: NLnet Labs

edns client subnet fallback or blacklisting?

Ralph Dolmans
Wed Jan 3 14:43:09 CET 2018


Hi Dan,

Thanks for reporting. That nameserver is really broken. They indicate to
support EDNS0 and not support it at the same time. BADVERS must not be
used for unknown options. The nameserver answers to EDNS0 queries,
Unbound treats the server as if it can handle EDNS0. Unbound does not
try to send OPT records without EDNS options if things go wrong. This
really is an issue on the nameserver side, and should be fixed there.

You should not configure Unbound to send the ECS option to all available
addresses. ECS has "by design" serious issues, including disclosure of
privacy sensitive information and increasing the risk of cache poisoning
using a birthday attack. See section 11 of RFC7871. Sending ECS options
only to nameservers that support it is therefore advisable, and has the
extra benefit of not breaking on servers that don't properly handle
unknown EDNS options.

Regards,
-- Ralph

On 02-01-18 21:14, Dan McCombs via Unbound-users wrote:
> Hello,
> 
> I've come across an authoritative that responds with BADVERS when edns
> client subnet is sent in a query to it, for example it can only be
> queried with dig if edns is turned off and no subnet is set:
> 
> fails:
> 
> dig www.tsp.gov @ns2.tsp.gov
> 
> ; <<>> DiG 9.11.2 <<>> www.tsp.gov @ns2.tsp.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 44363
> ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; Query time: 18 msec
> ;; SERVER: 74.113.204.34#53(74.113.204.34)
> ;; WHEN: Tue Jan 02 15:09
> 
> fails:
> 
> dig +noedns www.tsp.gov @ns2.tsp.gov +subnet=162.88.100.192
> 
> ; <<>> DiG 9.11.2 <<>> +noedns www.tsp.gov @ns2.tsp.gov
> +subnet=162.88.100.192
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 60645
> ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; Query time: 19 msec
> ;; SERVER: 74.113.204.34#53(74.113.204.34)
> ;; WHEN: Tue Jan 02 15:10:21 EST 2018
> ;; MSG SIZE  rcvd: 23
> 
> works:
> 
> dig +noedns www.tsp.gov @ns2.tsp.gov
> 
> ; <<>> DiG 9.11.2 <<>> +noedns www.tsp.gov @ns2.tsp.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50317
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;www.tsp.gov.                   IN      A
> 
> ;; ANSWER SECTION:
> www.tsp.gov.            900     IN      A       74.113.204.129
> 
> ;; AUTHORITY SECTION:
> tsp.gov.                900     IN      NS      ns1.tsp.gov.
> tsp.gov.                900     IN      NS      ns2.tsp.gov.
> 
> ;; ADDITIONAL SECTION:
> ns1.tsp.gov.            900     IN      A       74.113.206.34
> ns2.tsp.gov.            900     IN      A       74.113.204.34
> 
> ;; Query time: 19 msec
> ;; SERVER: 74.113.204.34#53(74.113.204.34)
> ;; WHEN: Tue Jan 02 15:10:38 EST 2018
> ;; MSG SIZE  rcvd: 113
> 
> 
> When I query this host through an Unbound resolver with edns client
> subnet enabled for 0.0.0.0, it returns a SERVFAIL. Removing
> send-client-subnet from the Unbound's config allows it to resolve.
> 
> Is there any config I'm missing to allow Unbound to fallback to querying
> without edns client subnet if a query with it fails? Or is there a way
> to blacklist just those authoritatives without having to whitelist all
> other subnets?
> 
> Thanks,
> 
> -Dan
>