draft-ietf-dnsop-no-response-issue-08.txt   draft-ietf-dnsop-no-response-issue-09.txt 
Network Working Group M. Andrews Network Working Group M. Andrews
Internet-Draft ISC Internet-Draft ISC
Intended status: Best Current Practice March 3, 2017 Intended status: Best Current Practice July 18, 2018
Expires: September 4, 2017 Expires: January 19, 2019
A Common Operational Problem in DNS Servers - Failure To Respond. A Common Operational Problem in DNS Servers - Failure To Respond.
draft-ietf-dnsop-no-response-issue-08 draft-ietf-dnsop-no-response-issue-09
Abstract Abstract
The DNS is a query / response protocol. Failure to respond or to The DNS is a query / response protocol. Failing to respond to
respond correctly to queries causes both immediate operational queries, or responding incorrectly, causes both immediate operational
problems and long term problems with protocol development. problems and long term problems with protocol development.
This document identifies a number of common kinds of queries to which This document identifies a number of common kinds of queries to which
some servers either fail to respond or else respond incorrectly. some servers either fail to respond or else respond incorrectly.
This document also suggests procedures for TLD and other zone This document also suggests procedures for TLD and other zone
operators to apply to help reduce / eliminate the problem. operators to apply to help reduce / eliminate the problem.
The document does not look at the DNS data itself, just the structure The document does not look at the DNS data itself, just the structure
of the responses. of the responses.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 4, 2017. This Internet-Draft will expire on January 19, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Consequences . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Consequences . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Common queries kinds that result in non responses. . . . . . 5 3. Common queries kinds that result in non responses. . . . . . 5
3.1. Basic DNS Queries . . . . . . . . . . . . . . . . . . . . 5 3.1. Basic DNS Queries . . . . . . . . . . . . . . . . . . . . 5
3.1.1. Zone Existence . . . . . . . . . . . . . . . . . . . 5 3.1.1. Zone Existence . . . . . . . . . . . . . . . . . . . 5
3.1.2. Unknown / Unsupported Type Queries . . . . . . . . . 5 3.1.2. Unknown / Unsupported Type Queries . . . . . . . . . 5
3.1.3. DNS Flags . . . . . . . . . . . . . . . . . . . . . . 6 3.1.3. DNS Flags . . . . . . . . . . . . . . . . . . . . . . 6
3.1.4. Unknown DNS opcodes . . . . . . . . . . . . . . . . . 6 3.1.4. Unknown DNS opcodes . . . . . . . . . . . . . . . . . 6
3.1.5. Recursive Queries . . . . . . . . . . . . . . . . . . 6 3.1.5. Recursive Queries . . . . . . . . . . . . . . . . . . 6
3.1.6. TCP Queries . . . . . . . . . . . . . . . . . . . . . 6 3.1.6. TCP Queries . . . . . . . . . . . . . . . . . . . . . 6
3.2. EDNS Queries . . . . . . . . . . . . . . . . . . . . . . 7 3.2. EDNS Queries . . . . . . . . . . . . . . . . . . . . . . 6
3.2.1. EDNS Queries - Version Independent . . . . . . . . . 7 3.2.1. EDNS Queries - Version Independent . . . . . . . . . 7
3.2.2. EDNS Queries - Version Specific . . . . . . . . . . . 7 3.2.2. EDNS Queries - Version Specific . . . . . . . . . . . 7
3.2.3. EDNS Options . . . . . . . . . . . . . . . . . . . . 7 3.2.3. EDNS Options . . . . . . . . . . . . . . . . . . . . 7
3.2.4. EDNS Flags . . . . . . . . . . . . . . . . . . . . . 7 3.2.4. EDNS Flags . . . . . . . . . . . . . . . . . . . . . 7
3.2.5. Truncated EDNS Responses . . . . . . . . . . . . . . 8 3.2.5. Truncated EDNS Responses . . . . . . . . . . . . . . 8
3.2.6. DNSSEC . . . . . . . . . . . . . . . . . . . . . . . 8 3.2.6. DO Bit Handling . . . . . . . . . . . . . . . . . . . 8
3.2.7. EDNS over TCP . . . . . . . . . . . . . . . . . . . . 8 3.2.7. EDNS over TCP . . . . . . . . . . . . . . . . . . . . 8
4. Firewalls and Load Balancers . . . . . . . . . . . . . . . . 8 4. Firewalls and Load Balancers . . . . . . . . . . . . . . . . 8
5. Scrubbing Services . . . . . . . . . . . . . . . . . . . . . 9 5. Scrubbing Services . . . . . . . . . . . . . . . . . . . . . 9
6. Whole Answer Caches . . . . . . . . . . . . . . . . . . . . . 9 6. Whole Answer Caches . . . . . . . . . . . . . . . . . . . . . 10
7. Response Code Selection . . . . . . . . . . . . . . . . . . . 10 7. Response Code Selection . . . . . . . . . . . . . . . . . . . 10
8. Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 8. Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.1. Testing - Basic DNS . . . . . . . . . . . . . . . . . . . 11 8.1. Testing - Basic DNS . . . . . . . . . . . . . . . . . . . 11
8.1.1. Is The Server Configured For The Zone? . . . . . . . 11 8.1.1. Is The Server Configured For The Zone? . . . . . . . 11
8.1.2. Testing Unknown Types . . . . . . . . . . . . . . . . 11 8.1.2. Testing Unknown Types . . . . . . . . . . . . . . . . 12
8.1.3. Testing Header Bits . . . . . . . . . . . . . . . . . 12 8.1.3. Testing Header Bits . . . . . . . . . . . . . . . . . 12
8.1.4. Testing Unknown Opcodes . . . . . . . . . . . . . . . 14 8.1.4. Testing Unknown Opcodes . . . . . . . . . . . . . . . 14
8.1.5. Testing Recursive Queries . . . . . . . . . . . . . . 15 8.1.5. Testing Recursive Queries . . . . . . . . . . . . . . 15
8.1.6. Testing TCP . . . . . . . . . . . . . . . . . . . . . 15 8.1.6. Testing TCP . . . . . . . . . . . . . . . . . . . . . 15
8.2. Testing - Extended DNS . . . . . . . . . . . . . . . . . 16 8.2. Testing - Extended DNS . . . . . . . . . . . . . . . . . 16
8.2.1. Testing Minimal EDNS . . . . . . . . . . . . . . . . 16 8.2.1. Testing Minimal EDNS . . . . . . . . . . . . . . . . 16
8.2.2. Testing EDNS Version Negotiation . . . . . . . . . . 16 8.2.2. Testing EDNS Version Negotiation . . . . . . . . . . 16
8.2.3. Testing Unknown EDNS Options . . . . . . . . . . . . 17 8.2.3. Testing Unknown EDNS Options . . . . . . . . . . . . 17
8.2.4. Testing Unknown EDNS Flags . . . . . . . . . . . . . 18 8.2.4. Testing Unknown EDNS Flags . . . . . . . . . . . . . 18
8.2.5. Testing EDNS Version Negotiation With Unknown EDNS 8.2.5. Testing EDNS Version Negotiation With Unknown EDNS
skipping to change at page 3, line 20 skipping to change at page 3, line 20
9. Remediation . . . . . . . . . . . . . . . . . . . . . . . . . 22 9. Remediation . . . . . . . . . . . . . . . . . . . . . . . . . 22
10. Security Considerations . . . . . . . . . . . . . . . . . . . 24 10. Security Considerations . . . . . . . . . . . . . . . . . . . 24
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 24
12.1. Normative References . . . . . . . . . . . . . . . . . . 24 12.1. Normative References . . . . . . . . . . . . . . . . . . 24
12.2. Informative References . . . . . . . . . . . . . . . . . 25 12.2. Informative References . . . . . . . . . . . . . . . . . 25
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 25 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 25
1. Introduction 1. Introduction
The DNS [RFC1034], [RFC1035] is a query / response protocol. Failure The DNS [RFC1034], [RFC1035] is a query / response protocol. Failing
to respond to queries or to respond incorrectly causes both immediate to respond to queries, or responding incorrectly, causes both
operational problems and long term problems with protocol immediate operational problems and long term problems with protocol
development. development.
Failure to respond to a query is indistinguishable from a packet loss Failure to respond to a query is indistinguishable from packet loss
without doing a analysis of query response patterns. Additionally without doing an analysis of query-response patterns. Additionally
failure to respond results in unnecessary queries being made by DNS failure to respond results in unnecessary queries being made by DNS
clients, and delays being introduced to the resolution process. clients, and introduces delays to the resolution process.
Due to the inability to distinguish between packet loss and Due to the inability to distinguish between packet loss and
nameservers dropping EDNS [RFC6891] queries, packet loss is sometimes nameservers dropping EDNS [RFC6891] queries, packet loss is sometimes
misclassified as lack of EDNS support which can lead to DNSSEC misclassified as lack of EDNS support which can lead to DNSSEC
validation failures. validation failures.
Servers which fail to respond to queries results in developers being The existance of servers which fail to respond to queries results in
hesitant to deploy new standards. Such servers need to be developers being hesitant to deploy new standards. Such servers need
identified. to be identified and remediated.
The DNS has response codes that cover almost any conceivable query The DNS has response codes that cover almost any conceivable query
response. A nameserver should be able to respond to any conceivable response. A nameserver should be able to respond to any conceivable
query using them. There should be no need to drop queries because a query using them. There should be no need to drop queries because a
nameserver does not understand them. nameserver does not understand them.
Unless a nameserver is under attack, it should respond to all queries Unless a nameserver is under attack, it should respond to all queries
directed to it. Additionally, the nameserver should not assume that directed to it. When a nameserver is under attack it may wish to
there isn't a delegation to the server even if it is not configured drop packets. A common attack is to use a nameserver as a amplifier
to serve the zone. Broken nameservers are a common occurrence in the by sending spoofed packets. This is done because response packets
DNS and receiving queries for zones that the server is not configured are bigger than the queries and big amplification factors are
for is not necessarily an indication that the server is under attack. available especially if EDNS is supported. Limiting the rate of
Parent zone operators are supposed to regularly check that the responses is reasonable when this is occurring and the client should
delegating NS records are consistent with those of the delegated zone retry. This however only works if legitimate clients are not being
and to correct them when they are not [RFC1034]. Doing this forced to guess whether EDNS queries are accepted or not. While
regularly should reduce the instances of broken delegations. there is still a pool of servers that don't respond to EDNS requests,
clients have no way to know if the lack of response is due to packet
loss, EDNS packets not being supported, or rate limiting due to the
server being under attack. Misclassification of server behaviour is
unavoidable when rate limiting is used until the population of
servers which fail to respond to well formed queries drops to near
zero.
When a nameserver is under attack it may wish to drop packets. A A nameserver should not assume that there isn't a delegation to the
common attack is to use a nameserver as a amplifier by sending server even if it is not configured to serve the zone. Misconfigured
spoofed packets. This is done because response packets are bigger nameservers are a common occurrence in the DNS and receiving queries
than the queries and big amplification factors are available for zones that the server is not configured for is not necessarily an
especially if EDNS is supported. Limiting the rate of responses is indication that the server is under attack. Parent zone operators
reasonable when this is occurring and the client should retry. This are advised to regularly check that the delegating NS records are
however only works if legitimate clients are not being forced to consistent with those of the delegated zone and to correct them when
guess whether EDNS queries are accepted or not. While there is still they are not [RFC1034]. Doing this regularly should reduce the
a pool of servers that don't respond to EDNS requests, clients have instances of broken delegations.
no way to know if the lack of response is due to packet loss, EDNS
packets not being supported or rate limiting due to the server being
under attack. Misclassification of server behaviour is unavoidable
when rate limiting is used until the population of servers which fail
to respond to well formed queries drops to near zero.
2. Consequences 2. Consequences
Not following the relevant DNS RFCs has multiple adverse Failure to follow the relevant DNS RFCs has multiple adverse
consequences. Some resulting directly from the non-compliant consequences. Some are caused directly from the non-compliant
behaviour and others as a result of work-arounds forced on recursive behaviour and others as a result of work-arounds forced on recursive
servers. Addressing known issues now will reduce future servers. Addressing known issues now will reduce future
interoperability issues as the DNS protocol continues to evolve and interoperability issues as the DNS protocol continues to evolve and
clients make use of newly introduced DNS features. clients make use of newly-introduced DNS features.
Some examples of known consequences include: Some examples of known consequences include:
o The AD flag bit in a response cannot be trusted to mean anything o The AD flag bit in a response cannot be trusted to mean anything
as many servers incorrectly copied the flag bit from the request as some servers incorrectly copy the flag bit from the request to
to the response despite the prohibition. the response [RFC1035], [RFC4035].
o Widespread non response to EDNS queries has lead to recursive o Widespread non-response to EDNS queries has lead to recursive
servers having to assume EDNS may not supported and that fallback servers having to assume that EDNS is not supported and that
to plain DNS is required. Servers get incorrectly diagnosed as fallback to plain DNS is required, potentially causing DNSSEC
not supporting EDNS and when they also serve signed zones DNSSEC validation failures.
validation fails.
o Widespread non response to EDNS options, requires recursive o Widespread non-response to EDNS options, requires recursive
servers to have to decide whether to probe to see if it is the servers to have to decide whether to probe to see if it is the
EDNS option or just EDNS that is causing the non response. In the EDNS option or just EDNS that is causing the non response. In the
limited amount of time required to resolve a query before the limited amount of time required to resolve a query before the
client times out this is not possible. client times out this is not possible.
o Incorrectly returning FORMERR to a EDNS option being present, o Incorrectly returning FORMERR to a EDNS option being present,
leads to the recursive server not being able to determine if the leads to the recursive server not being able to determine if the
server is just broken in the handling of the EDNS option or server is just broken in the handling of the EDNS option or
doesn't support EDNS at all. doesn't support EDNS at all.
o Mishandling of unknown query types has contributed to the o Mishandling of unknown query types has contributed to the
abandoning of the transition of the SPF type. abandoning of the transition of the SPF type.
o Mishandling of unknown query types has slowed up the development o Mishandling of unknown query types has slowed up the development
of DANE and and result in additional rules being specified to of DANE and resulted in additional rules being specified to reduce
reduce the probability of interacting with a broken server when the probability of interacting with a broken server when making
making TLSA queries. TLSA queries.
The consequences of servers not following the RFCs will only grow if The consequences of servers not following the RFCs will only grow if
measures are not put in place to remove non compliant servers from measures are not put in place to remove non compliant servers from
the ecosystem. Working around issues due to non RFC compliance is the ecosystem. Working around issues due to non-compliance with RFCs
not sustainable. is not sustainable.
Most, if not all, of these consequences could have been avoided if Most (if not all) of these consequences could have been avoided if
action had been taken to remove non compliant servers as soon as action had been taken to remove non-compliant servers as soon as
people were aware of them. To actively seek out broken people were aware of them, i.e. to actively seek out broken
implementations and servers and inform their developers and operators implementations and servers and inform their developers and operators
that they need to fix their servers. that they need to fix their servers.
3. Common queries kinds that result in non responses. 3. Common queries kinds that result in non responses.
There are a number common query kinds that fail to respond today. There are a number common query kinds that fail to respond today.
They are: EDNS queries with and without extensions; queries for They are: EDNS queries with and without extensions; queries for
unknown (unallocated) or unsupported types; and filtering of TCP unknown (unallocated) or unsupported types; and filtering of TCP
queries. queries.
3.1. Basic DNS Queries 3.1. Basic DNS Queries
3.1.1. Zone Existence 3.1.1. Zone Existence
Initially to test existence of the zone, an SOA query should be made. Initially, to test existence of the zone, an SOA query should be
If the SOA record is not returned but some other response is made. If the SOA record is not returned but some other response is
returned, this is a indication of a bad delegation. If the server returned, this is a indication of a bad delegation. If the tester
fails to get a response to a SOA query, the Operator should make an A fails to get a response to a SOA query, the Operator should make an A
query for the zone, as some nameservers fail to respond to SOA query for the zone, as some nameservers fail to respond to SOA
queries but will respond to A queries. queries but will respond to A queries.
3.1.2. Unknown / Unsupported Type Queries 3.1.2. Unknown / Unsupported Type Queries
Identifying servers that fail to respond to unknown or unsupported Identifying servers that fail to respond to unknown or unsupported
types can be done by making an initial DNS query for an A record, types can be done by making an initial DNS query for an A record,
making a number of queries for an unallocated type, then making a making a number of queries for an unallocated type, then making a
query for an A record again. IANA maintains a registry of allocated query for an A record again. IANA maintains a registry of allocated
skipping to change at page 6, line 33 skipping to change at page 6, line 30
NOTIMP is the expected rcode to an unknown or unimplemented opcode. NOTIMP is the expected rcode to an unknown or unimplemented opcode.
Note: while new opcodes will most probably use the current layout Note: while new opcodes will most probably use the current layout
structure for the rest of the message there is no requirement that structure for the rest of the message there is no requirement that
anything other than the DNS header match. anything other than the DNS header match.
3.1.5. Recursive Queries 3.1.5. Recursive Queries
A non-recursive server is supposed to respond to recursive queries as A non-recursive server is supposed to respond to recursive queries as
if the RD bit is not set. if the RD bit is not set [RFC1034].
3.1.6. TCP Queries 3.1.6. TCP Queries
All DNS servers are supposed to respond to queries over TCP All DNS servers are supposed to respond to queries over TCP
[RFC7766]. Firewalls that drop TCP connection attempts, they should [RFC7766]. While firewalls should not block TCP connection attempts
reset the connect attempt or send a ICMP/ICMPv6 administratively if they do they should cleanly terminate the connection by sending
prohibited message. Dropping TCP connections introduces excessive TCP RESET or sending ICMP/ICMPv6 Administratively Prohibited
delays to the resolution process. messages. Dropping TCP connections introduces excessive delays to
the resolution process.
Whether a server accepts TCP connections can be tested by first Whether a server accepts TCP connections can be tested by first
checking that it responds to UDP queries to confirm that it is up and checking that it responds to UDP queries to confirm that it is up and
operating, then attempting the same query over TCP. An additional operating, then attempting the same query over TCP. An additional
query should be made over UDP if the TCP connection attempt fails to query should be made over UDP if the TCP connection attempt fails to
confirm that the server under test is still operating. confirm that the server under test is still operating.
3.2. EDNS Queries 3.2. EDNS Queries
EDNS queries are specified in [RFC6891].
3.2.1. EDNS Queries - Version Independent 3.2.1. EDNS Queries - Version Independent
Identifying servers that fail to respond to EDNS queries can be done Identifying servers that fail to respond to EDNS queries can be done
by first identifying that the server responds to regular DNS queries, by first confirming that the server responds to regular DNS queries,
followed by a series of otherwise identical queries using EDNS, then followed by a series of otherwise identical queries using EDNS, then
making the original query again. A series of EDNS queries is needed making the original query again. A series of EDNS queries is needed
as at least one DNS implementation responds to the first EDNS query as at least one DNS implementation responds to the first EDNS query
with FORMERR but fails to respond to subsequent queries from the same with FORMERR but fails to respond to subsequent queries from the same
address for a period until a regular DNS query is made. The EDNS address for a period until a regular DNS query is made. The EDNS
query should specify a UDP buffer size of 512 bytes to avoid false query should specify a UDP buffer size of 512 bytes to avoid false
classification of not supporting EDNS due to response packet size. classification of not supporting EDNS due to response packet size.
If the server responds to the first and last queries but fails to If the server responds to the first and last queries but fails to
respond to most or all of the EDNS queries, it is probably faulty. respond to most or all of the EDNS queries, it is probably faulty.
skipping to change at page 7, line 43 skipping to change at page 7, line 41
version numbers that they do not support. version numbers that they do not support.
Some servers respond correctly to EDNS version 0 queries but fail to Some servers respond correctly to EDNS version 0 queries but fail to
set QR=1 when responding to EDNS versions they do not support. Such set QR=1 when responding to EDNS versions they do not support. Such
answers are discarded or treated as requests. answers are discarded or treated as requests.
3.2.3. EDNS Options 3.2.3. EDNS Options
Some servers fail to respond to EDNS queries with EDNS options set. Some servers fail to respond to EDNS queries with EDNS options set.
Unknown EDNS options are supposed to be ignored by the server Unknown EDNS options are supposed to be ignored by the server
[RFC6891]. [RFC6891], the original EDNS specifion left this behaviour undefined
[RFC2671].
3.2.4. EDNS Flags 3.2.4. EDNS Flags
Some servers fail to respond to EDNS queries with EDNS flags set. Some servers fail to respond to EDNS queries with EDNS flags set.
Server should ignore EDNS flags they do not understand and should not Server should ignore EDNS flags they do not understand and should not
add them to the response [RFC6891]. add them to the response [RFC6891].
3.2.5. Truncated EDNS Responses 3.2.5. Truncated EDNS Responses
Some EDNS aware servers fail to include a OPT record when a truncated Some EDNS aware servers fail to include an OPT record when a
response is sent. A OPT record is supposed to be included in a truncated response is sent. An OPT record is supposed to be included
truncated response [RFC6891]. in a truncated response [RFC6891].
Some EDNS aware server fail to honour the advertised EDNS buffer size Some EDNS aware server fail to honour the advertised EDNS buffer size
and send over sized responses. and send over-sized responses.
3.2.6. DNSSEC 3.2.6. DO Bit Handling
Servers should be checked to see if they support DNSSEC. Servers Some nameservers incorrectly only return a EDNS response when the DO
should also be checked to see if they support DNSSEC with EDNS. bit is present in the query. Additionally some nameservers fail to
copy the DO bit to the response despite clearly supporting DNSSEC by
returning RRSIG records to EDNS queries with the DO bit set.
3.2.7. EDNS over TCP 3.2.7. EDNS over TCP
Some EDNS aware servers incorrectly limit the TCP response sizes to Some EDNS aware servers incorrectly limit the TCP response sizes to
the advertised UDP response size. the advertised UDP response size.
4. Firewalls and Load Balancers 4. Firewalls and Load Balancers
Firewalls and load balancers can affect the externally visible Firewalls and load balancers can affect the externally visible
behaviour of a nameserver. Tests for conformance should to be done behaviour of a nameserver. Tests for conformance should to be done
from outside of any firewall so that the system as a whole is tested. from outside of any firewall so that the system is tested as a whole.
Firewalls and load balancers should not drop DNS packets that they Firewalls and load balancers should not drop DNS packets that they
don't understand. They should either pass the packets or generate an don't understand. They should either pass the packets or generate an
appropriate error response. appropriate error response.
Requests for unknown query types is normal client behaviour and Requests for unknown query types are normal client behaviour and
should not be construed as an attack. Nameservers have always been should not be construed as an attack. Nameservers have always been
expected to be able to handle such queries. expected to be able to handle such queries.
Requests for unknown query classes is normal client behaviour and Requests for unknown query classes are normal client behaviour and
should not be construed as an attack. Nameservers have always been should not be construed as an attack. Nameservers have always been
expected to be able to handle such queries. expected to be able to handle such queries.
Requests with unknown opcodes is normal client behaviour and should Requests with unknown opcodes are normal client behaviour and should
not be construed as an attack. Nameservers have always been expected not be construed as an attack. Nameservers have always been expected
to be able to handle such queries. to be able to handle such queries.
Requests with unassigned flags set (DNS or EDNS) is expected client Requests with unassigned flags set (DNS or EDNS) are expected client
behaviour and should not be construed as an attack. The behaviour behaviour and should not be construed as an attack. The behaviour
for unassigned flags is to ignore them in the request and to not set for unassigned flags is to ignore them in the request and to not set
them in the response. Dropping DNS / EDNS packets with unassigned them in the response. Dropping DNS / EDNS packets with unassigned
flags makes it difficult to deploy extensions that make use of them flags makes it difficult to deploy extensions that make use of them
due to the need to reconfigure and update firewalls. due to the need to reconfigure and update firewalls.
Requests with unknown EDNS options is expected client behaviour and Requests with unknown EDNS options are expected client behaviour and
should not be construed as an attack. The correct behaviour for should not be construed as an attack. The correct behaviour for
unknown EDNS options is to ignore there presence when constructing a unknown EDNS options is to ignore their presence when constructing a
reply. reply.
Requests with unknown EDNS versions is expected client behaviour and Requests with unknown EDNS versions are expected client behaviour and
should not be construed as an attack. The correct behaviour for should not be construed as an attack. The correct behaviour for
unknown EDNS versions is to return BADVERS along with the highest unknown EDNS versions is to return BADVERS along with the highest
EDNS version the server supports. Dropping EDNS packet breaks EDNS EDNS version the server supports. Dropping EDNS packets breaks EDNS
version negotiation. version negotiation.
Firewalls should not assume that there will only be a single response Firewalls should not assume that there will only be a single response
message to a requests. There have been proposals to use EDNS to message to a request. There have been proposals to use EDNS to
signal that multiple DNS messages be returned rather than a single signal that multiple DNS messages be returned rather than a single
UDP message that is fragmented at the IP layer. UDP message that is fragmented at the IP layer.
DNS, and EDNS in particular, are designed to allow clients to be able
to use new features against older servers without having to validate
every option. Indiscriminate blocking of messages breaks that
design.
However, there may be times when a nameserver mishandles messages However, there may be times when a nameserver mishandles messages
with a particular flag, EDNS option, EDNS version field, opcode, type with a particular flag, EDNS option, EDNS version field, opcode, type
or class field or combination there of to the point where the or class field or combination thereof to the point where the
integrity of the nameserver is compromised. Firewalls should offer integrity of the nameserver is compromised. Firewalls should offer
the ability to selectively reject messages with an appropriately the ability to selectively reject messages using an appropriately
constructed response based on all these fields while awaiting a fix constructed response based on all these fields while awaiting a fix
from the nameserver vendor. from the nameserver vendor.
DNS and EDNS in particular is designed to allow clients to be able to
use new features against older servers without having to validate
every option. Indiscriminate blocking of messages breaks that
design.
5. Scrubbing Services 5. Scrubbing Services
Scrubbing services, like firewalls, can affect the externally visible Scrubbing services can affect the externally visible behaviour of a
behaviour of a nameserver. If a operator uses a scrubbing service, nameserver in a similar way to firewalls. If a operator uses a
they should check that legitimate queries are not being blocked. scrubbing service, they should check that legitimate queries are not
being blocked.
Scrubbing services, unlike firewalls, are also turned on and off in Scrubbing services, unlike firewalls, are also turned on and off in
response to denial of service attacks. One needs to take care when response to denial of service attacks. One needs to take care when
choosing a scrubbing service and ask questions like mentioned above. choosing a scrubbing service.
Ideally, Operators should run these tests against a scrubbing service Ideally, Operators should run these tests against a scrubbing service
to ensure that these tests are not seen as attack vectors. to ensure that these tests are not seen as attack vectors.
6. Whole Answer Caches 6. Whole Answer Caches
Whole answer caches take a previously constructed answer and return Whole answer caches take a previously constructed answer and return
it to a subsequent query for the same qname, qtype and qclass, just it to a subsequent query for the same qname, qtype and qclass, just
updating the query id field and possibly the qname to match the updating the query id field and possibly the qname to match the
incoming query to avoid constructing each response individually. incoming query to avoid constructing each response individually.
skipping to change at page 24, line 33 skipping to change at page 24, line 33
11. IANA Considerations 11. IANA Considerations
There are no actions for IANA. There are no actions for IANA.
12. References 12. References
12.1. Normative References 12.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987,
<http://www.rfc-editor.org/info/rfc1034>. <https://www.rfc-editor.org/info/rfc1034>.
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, DOI 10.17487/RFC1035, specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
November 1987, <http://www.rfc-editor.org/info/rfc1035>. November 1987, <https://www.rfc-editor.org/info/rfc1035>.
[RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC",
RFC 3225, DOI 10.17487/RFC3225, December 2001, RFC 3225, DOI 10.17487/RFC3225, December 2001,
<http://www.rfc-editor.org/info/rfc3225>. <https://www.rfc-editor.org/info/rfc3225>.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005, Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
<http://www.rfc-editor.org/info/rfc4035>. <https://www.rfc-editor.org/info/rfc4035>.
[RFC6840] Weiler, S., Ed. and D. Blacka, Ed., "Clarifications and [RFC6840] Weiler, S., Ed. and D. Blacka, Ed., "Clarifications and
Implementation Notes for DNS Security (DNSSEC)", RFC 6840, Implementation Notes for DNS Security (DNSSEC)", RFC 6840,
DOI 10.17487/RFC6840, February 2013, DOI 10.17487/RFC6840, February 2013,
<http://www.rfc-editor.org/info/rfc6840>. <https://www.rfc-editor.org/info/rfc6840>.
[RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms
for DNS (EDNS(0))", STD 75, RFC 6891, for DNS (EDNS(0))", STD 75, RFC 6891,
DOI 10.17487/RFC6891, April 2013, DOI 10.17487/RFC6891, April 2013,
<http://www.rfc-editor.org/info/rfc6891>. <https://www.rfc-editor.org/info/rfc6891>.
[RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA [RFC6895] Eastlake 3rd, D., "Domain Name System (DNS) IANA
Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895, Considerations", BCP 42, RFC 6895, DOI 10.17487/RFC6895,
April 2013, <http://www.rfc-editor.org/info/rfc6895>. April 2013, <https://www.rfc-editor.org/info/rfc6895>.
[RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and [RFC7766] Dickinson, J., Dickinson, S., Bellis, R., Mankin, A., and
D. Wessels, "DNS Transport over TCP - Implementation D. Wessels, "DNS Transport over TCP - Implementation
Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016, Requirements", RFC 7766, DOI 10.17487/RFC7766, March 2016,
<http://www.rfc-editor.org/info/rfc7766>. <https://www.rfc-editor.org/info/rfc7766>.
12.2. Informative References 12.2. Informative References
[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
RFC 2671, DOI 10.17487/RFC2671, August 1999,
<https://www.rfc-editor.org/info/rfc2671>.
[RFC5001] Austein, R., "DNS Name Server Identifier (NSID) Option", [RFC5001] Austein, R., "DNS Name Server Identifier (NSID) Option",
RFC 5001, DOI 10.17487/RFC5001, August 2007, RFC 5001, DOI 10.17487/RFC5001, August 2007,
<http://www.rfc-editor.org/info/rfc5001>. <https://www.rfc-editor.org/info/rfc5001>.
[RFC7314] Andrews, M., "Extension Mechanisms for DNS (EDNS) EXPIRE [RFC7314] Andrews, M., "Extension Mechanisms for DNS (EDNS) EXPIRE
Option", RFC 7314, DOI 10.17487/RFC7314, July 2014, Option", RFC 7314, DOI 10.17487/RFC7314, July 2014,
<http://www.rfc-editor.org/info/rfc7314>. <https://www.rfc-editor.org/info/rfc7314>.
[RFC7871] Contavalli, C., van der Gaast, W., Lawrence, D., and W. [RFC7871] Contavalli, C., van der Gaast, W., Lawrence, D., and W.
Kumari, "Client Subnet in DNS Queries", RFC 7871, Kumari, "Client Subnet in DNS Queries", RFC 7871,
DOI 10.17487/RFC7871, May 2016, DOI 10.17487/RFC7871, May 2016,
<http://www.rfc-editor.org/info/rfc7871>. <https://www.rfc-editor.org/info/rfc7871>.
[RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS) [RFC7873] Eastlake 3rd, D. and M. Andrews, "Domain Name System (DNS)
Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016, Cookies", RFC 7873, DOI 10.17487/RFC7873, May 2016,
<http://www.rfc-editor.org/info/rfc7873>. <https://www.rfc-editor.org/info/rfc7873>.
Author's Address Author's Address
M. Andrews M. Andrews
Internet Systems Consortium Internet Systems Consortium
950 Charter Street 950 Charter Street
Redwood City, CA 94063 Redwood City, CA 94063
US US
Email: marka@isc.org Email: marka@isc.org
 End of changes. 64 change blocks. 
114 lines changed or deleted 125 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/