[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00

Network Working Group                                          R. Bellis
Internet-Draft                                                Nominet UK
Intended status: Standards Track                                A. Bligh
Expires: April 18, 2010                       Silverscale Associates Ltd
                                                           W. Wijngaards
                                                              NLnet Labs
                                                        October 15, 2009

       DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on April 18, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Bellis, et al.           Expires April 18, 2010                 [Page 1]

Internet-Draft              DNS Proxy Bypass                October 2009


   This document describes a method for a DNS client resolver to
   discover the IP addresses of the upstream recursive DNS resolvers and
   hence bypass the local DNS proxy.  It also directs IANA to reserve
   the "LOCAL.ARPA" domain name and to create a registry for well known
   sub-domains of that domain name, such sub-domains being reserved for
   use within any network's administrative boundary.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3

   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 4

   3.  LOCAL.ARPA  . . . . . . . . . . . . . . . . . . . . . . . . . . 4

   4.  DOMAIN.LOCAL.ARPA - Server behaviour  . . . . . . . . . . . . . 4

   5.  DOMAIN.LOCAL.ARPA - Client Behaviour  . . . . . . . . . . . . . 5

   6.  LOCAL.ARPA - Proxy behaviour  . . . . . . . . . . . . . . . . . 6

   7.  Security Considerations . . . . . . . . . . . . . . . . . . . . 7

   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7

   9.  IAB Considerations  . . . . . . . . . . . . . . . . . . . . . . 8

   10. References  . . . . . . . . . . . . . . . . . . . . . . . . . . 8
     10.1.  Normative References . . . . . . . . . . . . . . . . . . . 8
     10.2.  Informative References . . . . . . . . . . . . . . . . . . 8

   Appendix A.  Change Log . . . . . . . . . . . . . . . . . . . . . . 8

   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 9

Bellis, et al.           Expires April 18, 2010                 [Page 2]

Internet-Draft              DNS Proxy Bypass                October 2009

1.  Introduction

   Client DNS resolvers [RFC1035] usually must send their queries to a
   recursive resolver which performs the iterative lookups on the
   client's behalf and returns the complete result, often from a local

   However, particularly in consumer and small office networks, the
   client resolver often does not talk directly to a recursive resolver.
   A very common configuration is that the client talks to a 'proxy'
   embedded in their local internet access gateway which acts as a
   simple intermediary between the client and the recursive servers.
   The term 'proxy' is used within this document to indicate any device
   to which the queries generated by the client resolver are addressed
   at an IP level; as such they may include devices such as NAT devices,
   firewalls, and DSL gateways.

   This configuration is a side-effect of the need for the DHCP server
   embedded in such gateways to issue DNS server addresses before those
   addresses have been learnt from the upstream network (see Section 5.3
   of [RFC5625]).

   These proxies have however been found to be generally deficient in
   their implementation of the DNS protocols (see [SAC035], [RFC5625]),
   to the extent that modern DNS extensions may fail to work correctly.
   Common problems include failure to deal properly with large DNS
   packets (including poor support for EDNS0 (ref), poor support for IP
   fragments, and truncation due to apparent buffer size limitations),
   and failure to deal with unknown RR types.

   Thus, whilst the devices may appear to be functional for standard DNS
   protocols, they may fail to properly process all queries, in
   particular DNSSEC [RFC4033] queries, which use RR types that the
   device concerned may not understand, and typically have larger
   responses.  Field tests indicate that such devices are in general far
   more competent at passing through DNS queries addressed directly to
   the recursive resolvers (and the replies to such queries) than they
   are at processing queries addressed directly to them.

   This document therefore proposes a method whereby a client resolver
   may discover the IP addresses of the intended recursive resolvers
   such that subsequent queries may be sent directly to those resolvers
   without passing through the gateway's DNS proxy.

   To support this method IANA are directed to reserve a new domain name
   ("LOCAL.ARPA") which is not present in the .ARPA zone file but exists
   only on the recursive DNS servers local to the client stub resolver
   concerned.  IANA are also redirected to create a registry of well

Bellis, et al.           Expires April 18, 2010                 [Page 3]

Internet-Draft              DNS Proxy Bypass                October 2009

   known sub-domains of "LOCAL.ARPA", and this document further directs
   IANA to record "DOMAIN.LOCAL.ARPA" in that registry.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].


   This document reserves "LOCAL.ARPA" for infrastructure use within the
   administrative boundaries of a local network.  A local network for
   these purposes means, in respect of a given recursive DNS server, all
   those hosts which are permitted to use that server to make recursive
   queries.  The exact boundaries of a local network are implementation
   dependent;.  It could be a corporate network, but it could also be an
   ISP access network including all of the customer networks connected
   to it.

   This domain name serves as an anchor point for the discovery of well
   known services within a network.  Whilst other technologies have been
   described for the discovery of services belonging to a specific
   domain (TODO: DNS-SD ref), the intent of "LOCAL.ARPA" is to support
   discovery of services on the current local network (dependent on
   which recursive nameserver it queries), regardless of the local
   domain name(s).

   Note that like "SINK.ARPA" (see [I-D.jabley-sink-arpa], this domain
   name MUST NOT actually appear in the IANA maintained zone file for
   .ARPA.  Queries for this domain name (and by extension any sub-domain
   thereof) which leak beyond the local network onto the global internet
   MUST receive an NXDOMAIN (RCODE == 3) response.

4.  DOMAIN.LOCAL.ARPA - Server behaviour

   A recursive server implementing this standard, in response to an A or
   AAAA query for the QNAME "DOMAIN.LOCAL.ARPA" MUST do exactly one of
   the following (subject to the normal situations where the server is
   permitted to return an error):

   (a) return a response containing a list of one or more A or AAAA
   records for the QNAME each of which is an IP address for a recursive
   name server that is configured to support recursive DNS lookups by
   the client which sent the initial query.  The server MAY

Bellis, et al.           Expires April 18, 2010                 [Page 4]

Internet-Draft              DNS Proxy Bypass                October 2009

   algorithmically generate such records; for instance, it may return
   one or more of its own IP addresses, for instance the destination IP
   address of the query packet it received or (after appropriate
   sanitisation to ensure the client can query them) a list of IP
   addresses of its own interfaces

   (b) return a CNAME record which, if followed, will yield a list as
   set out in (a) above.  The server MAY algorithmically generate the
   CNAME record, for instance to encode the querying IP address within
   it in an implementation dependent manner.  OR

   (c) return NXDOMAIN, without performing a query to the .ARPA

   A recursive server not implementing this standard will normally
   recursively query the .ARPA nameservers, which will result in an
   NXDOMAIN, which will be cached for future queries.

   An example of how a network operator running the Unbound recursive
   resolver might configure this is as follows:

         local-zone: "local.arpa."  static
         local-data: "domain.local.arpa. 3600 IN A"
         local-data: "domain.local.arpa. 3600 IN A"
         local-data: "domain.local.arpa. 3600 IN AAAA 2001:db8::1"

   indicating (for the IPv4 case) that recursive resolvers may be found
   at and

5.  DOMAIN.LOCAL.ARPA - Client Behaviour

   Typically when the DNS client is first started it will use DNS
   settings obtained via a DHCP lease which contains the IP address of
   the local internet access gateway in the Domain Name Server Option

   The DNS client resolver bootstrapped (whether as above using DHCP or
   otherwise) would send the query via its local DNS proxy, and receive
   a new list of DNS servers.

   Queries for A or AAAA records will as set out above either return
   NXDOMAIN (in the case where the recursive server does not support
   this standard, or where support is present but not configured), or an
   error code, or a list of A records or a CNAME which when followed
   will yield a list of A records.  The list of A records however
   obtained will contain one or more IP addresses corresponding to
   recursive name servers that are configured to support recursive DNS

Bellis, et al.           Expires April 18, 2010                 [Page 5]

Internet-Draft              DNS Proxy Bypass                October 2009

   lookups by the client which sent the initial query.

   Client resolvers supporting this standard MUST be capable of
   following CNAMEs and MUST follow any CNAME returned in response to a
   query for "DOMAIN.LOCAL.ARPA".

   If the client receives an NXDOMAIN, this indicates that the recursive
   server concerned does not support or is not configured to support
   this standard.  The client MAY continue to use its currently
   configured DNS server IP addresses.  It MAY repeat the query, but it
   MUST NOT issue such a repeat query for "DOMAIN.LOCAL.ARPA" for [60

   If the client receives an error or no response, this may be because
   the proxy does not have internet connectivity.  The client MAY repeat
   the query, but it MUST NOT issue such a repeat query for
   "DOMAIN.LOCAL.ARPA" for [1 second]

   If the client receives a list of one or more A or AAAA records, the
   client MAY then use these IP addresses as the destination for
   subsequent recursive DNS lookup queries in preference to those issued
   by the local DHCP server or otherwise configured.

   If the A or AAAA records have a non-zero TTL, the client SHOULD treat
   the records as invalid after the TTL has expired.  The client MAY
   make repeat queries but SHOULD NOT make such repeat queries until
   half the TTL returned has expired.

6.  LOCAL.ARPA - Proxy behaviour

   Proxies MUST NOT intercept queries to "LOCAL.ARPA" or its subdomains.
   In particular, proxies MUST NOT return NXDOMAIN or A, AAAA or CNAME
   records for queries to "LOCAL.ARPA" or its subdomains unless such a
   response is sent to the proxy by a recursive nameserver.  A proxy for
   this purpose does not include a device which performs a full
   recursive caching nameservice which is compliant with EDNS0
   [RFC2671], DNSSEC, TCP support and is fully capable of handling
   maximum size UDP packets whether fragmented on not.

   A proxy MAY return SERVFAIL if it is aware it has no connectivity to
   a recursive nameserver without attempting to forward the packet
   concerned.  For instance if the proxy device is a DSL access gateway
   and the DSL line by which it would reach the recursive server is

   A proxy MUST pass UDP and TCP requests (and their responses) to
   recursive servers transparently and unmolested.  This means that

Bellis, et al.           Expires April 18, 2010                 [Page 6]

Internet-Draft              DNS Proxy Bypass                October 2009

   proxies MUST reassemble UDP fragments.  As the proxy may find it hard
   to detect which packets are addressed to or from the recursive
   nameserver, this might be achieved by applying similar considerations
   to all packets.

   It is recognised that proxies which assiduously follow this section
   are unlikely to be the proxies which gave rise to the need for this

7.  Security Considerations


8.  IANA Considerations

   This document directs the IANA to add the following record to the
   ARPA Reserved Names Registry [I-D.jabley-sink-arpa]:

   | Name       | Purpose              | RRTypes | Reference           |
   | LOCAL.ARPA | Locally administered | NONE    | This document       |
   |            | infrastructure       |         | (RFCXXXX)  S. 3     |

   This document further directs the IANA to create a new registry as

   | Parameter               | Value                                   |
   | Registry Name           | ARPA Reserved Local Names               |
   |                         |                                         |
   | Reference               | This document (RFCXXXX) Section 3       |
   |                         |                                         |
   | Registration Procedures | IETF Standards Action                   |

   with initial contents as follows:

   | Name       | Purpose             | RRTypes  | Reference           |
   | DOMAIN     | Recursive DNS       | A / AAAA | This document       |
   |            | Discovery           |          | (RFCXXXX)  S. 4     |

Bellis, et al.           Expires April 18, 2010                 [Page 7]

Internet-Draft              DNS Proxy Bypass                October 2009

9.  IAB Considerations

   The addition of "LOCAL.ARPA" to the ARPA Reserved Names Registry
   requires IAB approval.

   Note that addition of sub-domains of "LOCAL.ARPA" to the ARPA
   Reserved Local Names Registry only requires IETF Standards Action.

10.  References

10.1.  Normative References

              Abley, J. and O. Gudmundsson, "The Eternal Non-Existence
              of SINK.ARPA (and other stories)",
              draft-jabley-sink-arpa-00 (work in progress), May 2009.

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, November 1987.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5625]  Bellis, R., "DNS Proxy Implementation Guidelines",
              BCP 152, RFC 5625, August 2009.

10.2.  Informative References

   [RFC2671]  Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
              RFC 2671, August 1999.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, March 2005.

   [SAC035]   Bellis, R. and L. Phifer, "Test Report: DNSSEC Impact on
              Broadband Routers and Firewalls", September 2008,

Appendix A.  Change Log

   NB: to be removed by the RFC Editor before publication.


Bellis, et al.           Expires April 18, 2010                 [Page 8]

Internet-Draft              DNS Proxy Bypass                October 2009

      Initial draft

Authors' Addresses

   Ray Bellis
   Nominet UK
   Edmund Halley Road
   Oxford  OX4 4DQ
   United Kingdom

   Phone: +44 1865 332211
   Email: ray.bellis@nominet.org.uk
   URI:   http://www.nominet.org.uk/

   Alex Bligh
   Silverscale Associates Ltd
   15 Elsynge Road
   London  SW18 2HW
   United Kingdom

   Phone: +44 20 8812 3300
   Email: alex@alex.org.uk

   Wouter Wijngaards
   NLnet Labs
   Science Park 140
   Amsterdam  1098 XG
   The Netherlands

   Email: wouter@nlnetlabs.nl

Bellis, et al.           Expires April 18, 2010                 [Page 9]

Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/