[Pdns-users] PowerDNS vs. TopLayer - Response not RFC compliant?
Jonathan (Listserv Account)
listlurker at datatruckers.net
Thu Sep 21 14:51:16 UTC 2006
We are running into a strange problem with notifies to our secondary,
PowerDNS based nameserver, which is hosted at NocSTER behind what is
apparently a TopLayer IDS of some sort. The notify itself seems to
get through OK, but the response from the PowerDNS server gets blocked
by the TopLayer device. We had them make an exception for us so the
problem is solved for now, but it might be worth looking into.
Here's what we know, basically some of the responses from their people:
The only packets I see being dropped are being detected as
possible attacks. Specifically, they are being seen as the
"DNS request contains inappropriate answer data" which, in
layman's terms, means the packets are not matching standard
DNS packets. More specifically, the QDCOUNT field of the
packet (which corresponds to the Question Count field) has
a value that is not equal to "1" - the only defined valid
value for this is "1."
This is a possible exploit - do you know of any reason this
would be being seen?
We are using TopLayer devices, but that should be irrelevant.
It appears that PowerDNS does not follow RFC for DNS. It is
not a big deal from my viewpoint, but as a user of their
service I would recommend you pursue it to find out why. I
will close this ticket out now as your problem with us
appears to be solved.
Surprised me frankly, since problems with RFC compliance are not
something I'd expect from PowerDNS. But who knows, it might be
PowerDNS, it might be a bug in the TopLayer filters they are using.
To summarize: the primary DNS server (BIND 9.x) sends a notify to the
secondary (PowerDNS) server, which in turn replies with an AXFR
request if I am not mistaken. Those replies never get through, and the
BIND server starts listing timeouts after a while.
Let me know if this makes any sense, or if you require more information.
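As an added illustration (not part of the original post, and not PowerDNS or TopLayer code), the following Python builds a minimal DNS NOTIFY exchange on the wire format of RFC 1035 / RFC 1996 and applies the same header check the hosting provider described: a NOTIFY response whose QDCOUNT is not 1 gets flagged. The example.com question, the message ID 0x1234 and the two constructed responses are sample data made up for the example; the "good" response echoes the question section from the NOTIFY, the "bad" one omits it and carries QDCOUNT 0, which is the shape the IDS rule would drop.

```python
import struct

# DNS header (RFC 1035 section 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
OPCODE_NOTIFY = 4  # NOTIFY opcode, RFC 1996
QTYPE_SOA, QCLASS_IN = 6, 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(msg_id: int, qr: int, opcode: int, qdcount: int,
                  question: bytes = b"", aa: bool = False) -> bytes:
    """Build a DNS message made of a header plus an optional question section.
    ANCOUNT, NSCOUNT and ARCOUNT are left at zero, which is all a NOTIFY needs."""
    flags = (qr << 15) | (opcode << 11) | (int(aa) << 10)
    return HEADER.pack(msg_id, flags, qdcount, 0, 0, 0) + question


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header into its fields."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    msg_id, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": msg_id,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def check_notify_response(msg: bytes) -> list:
    """Return a list of findings; an empty list means the message looks like a
    well-formed NOTIFY reply (QR set, NOTIFY opcode, question echoed so QDCOUNT == 1)."""
    h = parse_header(msg)
    findings = []
    if h["qr"] != 1:
        findings.append("QR bit not set: this is not a response")
    if h["opcode"] != OPCODE_NOTIFY:
        findings.append("opcode %d is not NOTIFY (4)" % h["opcode"])
    if h["qdcount"] != 1:
        findings.append("QDCOUNT is %d, expected 1 (question echoed from the NOTIFY)"
                        % h["qdcount"])
    return findings


# Constructed sample exchange: primary notifies the secondary about example.com's SOA.
QUESTION_SOA = encode_name("example.com") + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
NOTIFY_REQUEST = build_message(0x1234, qr=0, opcode=OPCODE_NOTIFY, qdcount=1,
                               question=QUESTION_SOA, aa=True)
# Reply that copies the question section back: passes the check.
GOOD_RESPONSE = build_message(0x1234, qr=1, opcode=OPCODE_NOTIFY, qdcount=1,
                              question=QUESTION_SOA, aa=True)
# Reply with no question section and QDCOUNT 0: the shape the IDS rule rejects.
BAD_RESPONSE = build_message(0x1234, qr=1, opcode=OPCODE_NOTIFY, qdcount=0)

if __name__ == "__main__":
    print("request header :", parse_header(NOTIFY_REQUEST))
    print("good response  :", check_notify_response(GOOD_RESPONSE) or "ok")
    print("bad response   :", check_notify_response(BAD_RESPONSE))
```

Running the script prints the decoded NOTIFY header, "ok" for the compliant reply and a single QDCOUNT finding for the non-compliant one. Pointed at a capture of the real secondary's replies, the same check would confirm whether it is the nameserver's QDCOUNT or the middlebox rule that is at fault.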