[Pdns-users] PowerDNS vs. TopLayer - Response not RFC compliant?

Thu Sep 21 14:51:16 UTC 2006

Hi,

We are running into a strange problem with notifies to our secondary,  
PowerDNS based nameserver, which is hosted at NocSTER behind what is  
apparently a TopLayer IDS of some sort. The notify itself seems to  
get thru OK, but the response from the PowerDNS server gets blocked  
by the TopLayer device. We had them make an exception for us so the  
problem is solved for now, but it might be worth looking into.

Here's what we know, basically some of the responses from their people;

   The only packets I see being dropped are being detected as
   possible attacks. Specifically, they are being seen as the
   "DNS request contains inappropriate answer data" which, in
   laymans terms, means the packets are not matching standard
   DNS packets. More specifically, the QDCOUNT field of the
   packet (which corresponds to the Question Count field) has
   a value that is not equal to "1" - the only defined valid
   value for this is "1."

   This is a possible exploit - do you know of any reason this
   would be being seen?

---

   We are using TopLayer devices, but that should be irrelevant.
   It appears that PowerDNS does not follow RFC for DNS. It is
   not a big deal from my viewpoint, but as a user of their
   service I would recommend you pursue it to find out why. I
   will close this ticket out now as your problem with us
   appears to be solved.

Surprised me frankly, since problems with RFC compliance is not  
something I'd expect from PowerDNS. But who knows, it might be  
PowerDNS, it might be a bug in the TopLayer filters they are using.

To summarize; the primary DNS server (BIND 9.x) sends a notify to the  
secondary (PowerDNS) server, which in turn replies with an AXFR  
request if I am not mistaken. Those replies never get true, and the  
BIND server starts listing timeouts after a while.

Let me know if this makes any sense, or if you require more information.

Thanks,

Jonathan