[dnsdist] [EXT] Re: dnsdist timeout with unknown opcode query

Remi Gacogne remi.gacogne at powerdns.com
Wed Sep 23 15:26:34 UTC 2020


On 9/23/20 5:17 PM, Stephane Bortzmeyer wrote:
> On Wed, Sep 23, 2020 at 04:56:05PM +0200,
>  Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com> wrote 
>  a message of 76 lines which said:
> 
>> +header-only instructs dig to send a query without a question
>> section (qdcount is 0), and dnsdist doesn't support that. The query
>> is deemed invalid and discarded before any counter can be
>> incremented.
> 
> But in that case, surely dnsdist should reply FORMERR instead?

It can easily be argued that way, yes. Another option would be to
refactor the code so that we can signal such a query to the various
rules and actions that expect a valid qname.
I believe it's the first time someone actually cares about that case,
and I wouldn't be surprised if at the moment 100% of such "queries" were
non-DNS traffic somehow reaching us, especially over HTTP(S). I know
rfc7873 specifies a way to request an EDNS cookie with a packet whose
qdcount is 0, but I have never seen that used in practice. I guess we'll
need to think about it now that this exact packet has been made a
conformance test to rfc8906.
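As an added illustration of the case discussed in this thread (example code written for this page, not dnsdist's own code): a small Python parser that decodes the DNS header, tells a header-only packet (QDCOUNT 0, nothing else) apart from an RFC 7873 cookie request (QDCOUNT 0 with an OPT RR carrying a COOKIE option, code 10, in the additional section), and builds the minimal FORMERR reply that Stephane suggests, keeping the query's ID, OPCODE and RD bit. All packets it parses are constructed inline for the demonstration; the option code and cookie lengths follow RFC 7873, everything else is an assumption of this example.

```python
"""Classify DNS packets whose QDCOUNT is 0 and build a FORMERR reply.

Added example, not dnsdist code. Sample packets are constructed below.
"""
import struct

HEADER_LEN = 12
TYPE_OPT = 41          # EDNS(0) OPT pseudo-RR type (RFC 6891)
EDNS_OPT_COOKIE = 10   # COOKIE option code (RFC 7873)
RCODE_FORMERR = 1


def parse_header(packet):
    """Decode the fixed 12-byte DNS header; None when the packet is too short."""
    if len(packet) < HEADER_LEN:
        return None
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:HEADER_LEN])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def _skip_name(packet, off):
    """Return the offset just past the owner name that starts at `off`."""
    while off < len(packet):
        length = packet[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
    raise ValueError("name runs past end of packet")


def opt_has_cookie(packet, hdr):
    """True if the additional section (starting at offset 12, i.e. with no
    question/answer/authority records before it) holds an OPT RR with a
    COOKIE option of a plausible length (8 bytes client-only, 16..40 with
    a server cookie)."""
    off = HEADER_LEN
    for _ in range(hdr["arcount"]):
        off = _skip_name(packet, off)
        if off + 10 > len(packet):
            raise ValueError("RR header runs past end of packet")
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, off)
        off += 10
        rdata = packet[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("RDATA runs past end of packet")
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):    # walk the EDNS options: code, length, data
            code, olen = struct.unpack_from("!HH", rdata, pos)
            if code == EDNS_OPT_COOKIE and (olen == 8 or 16 <= olen <= 40):
                return True
            pos += 4 + olen
    return False


def classify(packet):
    """One of: truncated, has-question, cookie-request, no-question, malformed."""
    hdr = parse_header(packet)
    if hdr is None:
        return "truncated"
    if hdr["qdcount"] > 0:
        return "has-question"
    try:
        if hdr["ancount"] == 0 and hdr["nscount"] == 0 and hdr["arcount"] > 0 \
                and opt_has_cookie(packet, hdr):
            return "cookie-request"
    except ValueError:
        return "malformed"
    return "no-question"


def build_formerr(packet):
    """Header-only FORMERR reply: same ID, OPCODE and RD, QR set, all counts 0."""
    hdr = parse_header(packet)
    if hdr is None:
        return None
    flags = (1 << 15) | (hdr["opcode"] << 11) | (hdr["rd"] << 8) | RCODE_FORMERR
    return struct.pack("!HHHHHH", hdr["id"], flags, 0, 0, 0, 0)


# Constructed sample packets (not captured traffic).
HEADER_ONLY = struct.pack("!HHHHHH", 0x1234, 0x0100, 0, 0, 0, 0)   # like dig +header-only
_cookie_opt = struct.pack("!HH", EDNS_OPT_COOKIE, 8) + bytes(range(8))
_opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(_cookie_opt)) + _cookie_opt
COOKIE_ONLY = struct.pack("!HHHHHH", 0xBEEF, 0x0000, 0, 0, 0, 1) + _opt_rr
NORMAL_QUERY = (struct.pack("!HHHHHH", 0x0001, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
TRUNCATED = b"\x12\x34\x00"

if __name__ == "__main__":
    for name, pkt in [("HEADER_ONLY", HEADER_ONLY), ("COOKIE_ONLY", COOKIE_ONLY),
                      ("NORMAL_QUERY", NORMAL_QUERY), ("TRUNCATED", TRUNCATED)]:
        print(name, classify(pkt), (build_formerr(pkt) or b"").hex())
```

The split between `no-question` and `cookie-request` is the part a resolver front end would need before it can decide between answering FORMERR and routing the packet to cookie handling; a packet too short to even carry a header gets no reply at all, since there is no ID to answer with.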
