Blocking invalid DNS requests

Andris Kalnozols andris at hpl.hp.com
Wed Jun 27 23:21:07 UTC 2001


> At 12:09 PM -0500 6/27/01, WEBMASTER wrote:
> 
> >  How do I stop these requests at my DNS server, so that they don't
> >  get forwarded to the ROOT server?  I can't keep the users from making
> >  these requests, and I find that allowing my DNS server to query WINS
> >  doesn't help either.  I am running a port of BIND 8.2.x.
> 
> Brad Knowles <brad.knowles at skynet.be> wrote:
>
> 	You should really fix the clients.  However, that said, I believe 
> that there were some comments for a recent update of BIND 9 that would 
> refuse to forward queries to the root servers, if it obviously could 
> not be answered.
> 
> 	However, this would require that you upgrade the version of BIND 
> you're using, to at least 9.1.2-REL, or preferably the latest release 
> candidate for 9.1.3.

Actually, 8.2.4 has the feature as well (albeit indirectly):

   --- 8.2.4-T1B released --- (Thu Apr 19 14:38:30 PDT 2001)

   1187.   [support]       Don't accept in a query names which would
                           be rejected in responses.

It's enabled by the 'check-names response fail' config. option.
Enabling this feature will spare the root nameservers from needless
junk queries but can affect delivery of mail if the following
conditions are true:

  1) The site sending you mail has a broken DNS configuration.
     This can be something like an SOA record with "Administrator."
     in the RNAME field (common mistake with some Windows DNS
     implementations - the GUI doesn't catch this).

  2) Your MTA is a pre-8.12.0 version of sendmail.

How can a broken SOA RR affect delivery of mail?  When the MTA's
first DNS query is a QTYPE of ANY and there are no locally cached
RRs for the domain.  The local nameserver then passes the query to
an authoritative source, gets the response, and then complains:

Jun 27 02:15:26 deimos named[17707]: mail name "administrator"
  (owner "dataunion.gr") IN (query from [195.242.148.2]) is invalid
  - rejecting

The MTA sees the SERVFAIL query status and either rejects the
incoming message (if doing DNS lookups on the originator address)
or queues the message for later attempts if trying to send a message.
In the latter case, the messages tend to languish until the queue
timeout interval is reached.

This should cease to be an issue since the following gem appears in
the release notes for sendmail 8.12.0:

  T_ANY queries are no longer used by sendmail.

Another scenario where 'check-names response fail' will impede
mail delivery is if an A/MX query would return RRs with illegal
names, e.g.,

  orquest.com.            1D IN MX        5 orquest_gw5.orquest.com.

Conceivably, any MTA would be affected by this if using a BIND 8
nameserver with 'check-names response fail' enabled.

It appears that none of these scenarios would be a problem with
BIND 9 since the 'check-names' option is not implemented and
(from the documentation) there are no plans for doing so.

Andris Kalnozols
Hewlett-Packard Laboratories
andris at hpl.hp.com
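The two failure cases in the message above (an SOA RNAME of "Administrator." with no domain part, and an MX target containing an underscore) can be caught before a remote resolver running 'check-names response fail' SERVFAILs them. The following Python checker is an added example, not part of the original post or of BIND; it approximates the RFC 952/1123 host-name rules that check-names enforces, and the record set it audits is constructed for illustration (example.test names, not the domains from the message).

```python
import re

# RFC 952/1123 host label: letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$')


def hostname_ok(name):
    """True if every label of a presentation-format name is a legal host label."""
    name = name.rstrip('.')          # tolerate a trailing dot (FQDN form)
    return bool(name) and all(LABEL_RE.match(label) for label in name.split('.'))


def mailname_ok(rname):
    """SOA RNAME is <mailbox>.<hostname>: the mailbox label may hold any printable
    character (a backslash-escaped dot stays inside it), but everything after the
    first unescaped dot must itself be a legal hostname."""
    if rname == '.':                 # the root alone means 'no mailbox' and is accepted
        return True
    escaped = False
    for i, ch in enumerate(rname):
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '.':
            return hostname_ok(rname[i + 1:])   # "Administrator." -> hostname_ok("") -> False
    return False                     # a single label with no domain part at all


def check_rr(owner, rtype, rdata):
    """Return (ok, reason) for one RR in presentation format, check-names style."""
    fields = rdata.split()
    if rtype == 'SOA':
        if not hostname_ok(fields[0]):
            return False, f'SOA MNAME {fields[0]!r} is not a hostname'
        if not mailname_ok(fields[1]):
            return False, f'SOA RNAME {fields[1]!r} lacks a valid domain part'
    elif rtype == 'MX' and not hostname_ok(fields[1]):
        return False, f'MX target {fields[1]!r} is not a hostname'
    elif rtype == 'A' and not hostname_ok(owner):
        return False, f'A owner {owner!r} is not a hostname'
    return True, ''


# Constructed sample records modelled on the two cases discussed in the message.
SAMPLE_RRS = [
    ('example.test.', 'SOA', 'ns1.example.test. Administrator. 2001062701 3600 900 604800 3600'),
    ('example.test.', 'SOA', 'ns1.example.test. hostmaster.example.test. 2001062701 3600 900 604800 3600'),
    ('example.test.', 'MX', '5 mail_gw5.example.test.'),
    ('example.test.', 'MX', '10 mail.example.test.'),
]


def audit(rrs=SAMPLE_RRS):
    """List the records a 'check-names response fail' nameserver would reject."""
    return [(o, t, check_rr(o, t, r)[1]) for o, t, r in rrs if not check_rr(o, t, r)[0]]
```

Running audit() over your own zone data before publishing it flags exactly the records that would make a check-names resolver return SERVFAIL to a pre-8.12.0 sendmail.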
