Maintained by: NLnet Labs

edns client subnet fallback or blacklisting?

Dan McCombs
Wed Jan 3 14:55:25 CET 2018


Thanks Ralph. Going down that line of thought, is there any
community-maintained list of generally trusted nameservers which support
EDNS0 rather than starting a list from scratch?

I'll see if I can contact the admins of that nameserver to at least make 
sure they're aware of the problem.

Take care,

-Dan


On 01/03/2018 08:43 AM, Ralph Dolmans via Unbound-users wrote:
> Hi Dan,
>
> Thanks for reporting. That nameserver is really broken. They indicate that
> they support EDNS0 and that they do not support it at the same time. BADVERS
> must not be used for unknown options. The nameserver answers EDNS0 queries;
> Unbound treats the server as if it can handle EDNS0. Unbound does not
> try to send OPT records without EDNS options if things go wrong. This
> really is an issue on the nameserver side, and should be fixed there.
>
> You should not configure Unbound to send the ECS option to all available
> addresses. ECS has "by design" serious issues, including disclosure of
> privacy sensitive information and increasing the risk of cache poisoning
> using a birthday attack. See section 11 of RFC7871. Sending ECS options
> only to nameservers that support it is therefore advisable, and has the
> extra benefit of not breaking on servers that don't properly handle
> unknown EDNS options.
>
> Regards,
> -- Ralph
>
> On 02-01-18 21:14, Dan McCombs via Unbound-users wrote:
>> Hello,
>>
>> I've come across an authoritative that responds with BADVERS when EDNS
>> client subnet is sent in a query to it. For example, it can only be
>> queried with dig if EDNS is turned off and no subnet is set:
>>
>> fails:
>>
>> dig www.tsp.gov @ns2.tsp.gov
>>
>> ; <<>> DiG 9.11.2 <<>> www.tsp.gov @ns2.tsp.gov
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 44363
>> ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; Query time: 18 msec
>> ;; SERVER: 74.113.204.34#53(74.113.204.34)
>> ;; WHEN: Tue Jan 02 15:09
>>
>> fails:
>>
>> dig +noedns www.tsp.gov @ns2.tsp.gov +subnet=162.88.100.192
>>
>> ; <<>> DiG 9.11.2 <<>> +noedns www.tsp.gov @ns2.tsp.gov
>> +subnet=162.88.100.192
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: BADVERS, id: 60645
>> ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; Query time: 19 msec
>> ;; SERVER: 74.113.204.34#53(74.113.204.34)
>> ;; WHEN: Tue Jan 02 15:10:21 EST 2018
>> ;; MSG SIZE  rcvd: 23
>>
>> works:
>>
>> dig +noedns www.tsp.gov @ns2.tsp.gov
>>
>> ; <<>> DiG 9.11.2 <<>> +noedns www.tsp.gov @ns2.tsp.gov
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50317
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;www.tsp.gov.                   IN      A
>>
>> ;; ANSWER SECTION:
>> www.tsp.gov.            900     IN      A       74.113.204.129
>>
>> ;; AUTHORITY SECTION:
>> tsp.gov.                900     IN      NS      ns1.tsp.gov.
>> tsp.gov.                900     IN      NS      ns2.tsp.gov.
>>
>> ;; ADDITIONAL SECTION:
>> ns1.tsp.gov.            900     IN      A       74.113.206.34
>> ns2.tsp.gov.            900     IN      A       74.113.204.34
>>
>> ;; Query time: 19 msec
>> ;; SERVER: 74.113.204.34#53(74.113.204.34)
>> ;; WHEN: Tue Jan 02 15:10:38 EST 2018
>> ;; MSG SIZE  rcvd: 113
>>
>>
>> When I query this host through an Unbound resolver with EDNS client
>> subnet enabled for 0.0.0.0, it returns a SERVFAIL. Removing
>> send-client-subnet from Unbound's config allows it to resolve.
>>
>> Is there any config I'm missing to allow Unbound to fall back to querying
>> without EDNS client subnet if a query with it fails? Or is there a way
>> to blacklist just those authoritatives without having to whitelist all
>> other subnets?
>>
>> Thanks,
>>
>> -Dan
>>
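Ralph's point, that ECS should reach only nameservers known to tolerate it, can be checked on the wire before a server is listed in send-client-subnet. The following is an added example, not code from this thread, from Unbound or from NLnet Labs: it builds an ECS-carrying query and extracts the full extended RCODE from a reply, so a BADVERS answer like the 23-byte one Dan pasted is recognised as such (a header-only parser would read it as NOERROR). The function names and the sample reply bytes are my own constructions.

```python
import struct

RCODE_BADVERS = 16            # extended RCODE (RFC 6891): only representable via the OPT record
EDNS_OPT_CLIENT_SUBNET = 8    # ECS option code (RFC 7871)
TYPE_OPT = 41

def _skip_name(msg, pos):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        label_len = msg[pos]
        if label_len == 0:
            return pos + 1
        if label_len & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + label_len

def build_ecs_query(qname, ipv4, source_prefix=24, txid=0x1234):
    """Build an A query carrying an EDNS0 OPT record with a client-subnet option."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    question += b"\x00" + struct.pack(">HH", 1, 1)              # QTYPE A, QCLASS IN
    addr = bytearray(int(o) for o in ipv4.split("."))[:(source_prefix + 7) // 8]
    if source_prefix % 8:                                        # RFC 7871: bits past the prefix must be zero
        addr[-1] &= (0xFF << (8 - source_prefix % 8)) & 0xFF
    ecs = struct.pack(">HBB", 1, source_prefix, 0) + bytes(addr)  # family IPv4, source len, scope 0
    rdata = struct.pack(">HH", EDNS_OPT_CLIENT_SUBNET, len(ecs)) + ecs
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def response_rcode(msg):
    """Full 12-bit RCODE: low 4 bits from the header, high 8 bits from the OPT TTL if present."""
    _, flags, qd, an, ns, ar = struct.unpack_from(">HHHHHH", msg, 0)
    rcode, pos = flags & 0x000F, 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4                           # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = _skip_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack_from(">HHIH", msg, pos)
        if rtype == TYPE_OPT:
            rcode |= ((ttl >> 24) & 0xFF) << 4                   # extended RCODE lives in the OPT TTL
        pos += 10 + rdlen
    return rcode

def ecs_safe(msg):
    """True if a reply to an ECS query did not come back BADVERS (server tolerates the option)."""
    return response_rcode(msg) != RCODE_BADVERS

# Constructed sample reply shaped like the 23-byte BADVERS answer in the thread: flags qr rd ad,
# no question, one OPT record whose TTL top byte (extended RCODE 1) makes the RCODE 16 = BADVERS.
SAMPLE_BADVERS = struct.pack(">HHHHHH", 44363, 0x8120, 0, 0, 0, 1) + b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, 0x01000000, 0)
```

Sending the query to a candidate nameserver and running `ecs_safe` on the reply is the check to make before adding that server's address to send-client-subnet; a BADVERS reply is exactly the "does not handle unknown EDNS options" case Ralph describes.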