Saturday, April 25, 2015

domain name system - why does dig +trace sometimes reply with a list of authoritative nameservers as well as the record?



Using the examples below:

dig +trace stackoverflow.com
dig +trace google.com
dig +trace yahoo.com
dig +trace bbc.com


The first two show me only the A records for the queried domain, while the last two show me the A (or CNAME) record as well as multiple NS records.



Can someone explain what config on the DNS server controls this behaviour, causing all of your nameservers to be sent in response to this type of dig lookup? Also, is it possible to disable this behaviour, as in the first two examples, so that only the A record is sent and not the authoritative nameservers as well?



I would like to sync my domain with UltraDNS and configure the domain to use their nameservers to avoid DNS DDoS attacks on our DNS servers. But with the above behaviour, when people 'dig +trace' the domain it replies with our nameservers, which makes the exercise of trying to hide them pointless.



thanks
fLo



Answer



The difference is that yahoo.com and bbc.com are returning an AUTHORITY section, but stackoverflow.com and google.com are not.



$ dig @ns1.yahoo.com +noall +question +authority yahoo.com
;yahoo.com. IN A
yahoo.com. 172800 IN NS ns2.yahoo.com.
yahoo.com. 172800 IN NS ns6.yahoo.com.
yahoo.com. 172800 IN NS ns5.yahoo.com.
yahoo.com. 172800 IN NS ns4.yahoo.com.
yahoo.com. 172800 IN NS ns3.yahoo.com.
yahoo.com. 172800 IN NS ns1.yahoo.com.

$ dig @ns1.google.com +noall +question +authority google.com
;google.com. IN A


You could hide this from your trace with the +noauthority option, but it would also make the output largely useless as you would be hiding the AUTHORITY section from the intermediate nameservers as well. (which, being delegations, is pretty much all there is to be seen unless you've set +additional)



It is up to individual nameserver implementations whether or not they wish to supply an AUTHORITY section in scenarios where they are not strictly required by RFC. BIND is one of the server implementations that does display this information by default, but it also provides a minimal-responses option for disabling the behavior. I strongly recommend this option in customer facing recursion scenarios as it reduces the overhead of amplification attacks against spoofed source IPs. (sadly, BCP 38 is not as widely implemented as it needs to be)



From the BIND ARM:





minimal-responses
If yes, then when generating responses the server will only add records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This may improve the performance of the server. The default is no.


