Apple OS and DNS resolution (._dns-sd.udp. requests)

Mark Andrews marka at isc.org
Thu Apr 5 22:33:27 UTC 2012


In message <20120405221836.GA4587 at fantomas.sk>, Matus UHLAR - fantomas writes:
> >In message <20120405090858.GA29261 at fantomas.sk>, Matus UHLAR - fantomas writes:
> >> our customer (an ISP) reported that his clients have problems resolving
> >> sites like facebook, youtube, applestores and that the problems only
> >> affect apple computers.
> >>
> >> I notice many requests for dns service discovery:
> >>
> >> Apr  5 09:47:20 t03 named[8324]: security: info: client 195.168.157.82#32844: query 'cf._dns-sd._udp.132.110.254.10.in-addr.arpa/TXT/IN' denied
> >> Apr  5 09:47:20 t03 named[8324]: security: info: client 195.168.157.82#49019: query 'cf._dns-sd._udp.132.110.254.10.in-addr.arpa/TXT/IN' denied
> >> Apr  5 09:47:20 t03 named[8324]: security: info: client 195.168.157.82#35647: query 'cf._dns-sd._udp.132.110.254.10.in-addr.arpa/TXT/IN' denied
> >>
> >> These requests are denied because we use private IPs from those ranges
> >> and I don't want to make them available for users.
> >>
> >> Can these requests cause resolving problems on Apple computers?
> 
> On 06.04.12 08:09, Mark Andrews wrote:
> >Well you are leaking RFC 1918 answers.  I would close off the leak by
> >using views or different nameservers for your machines.
> 
> I am leaking? :) I am not. The client is sending requests and I am denying
> them. I plan to move those zones to different servers to avoid
> this problem, and clients will get empty results.

You are *both* leaking RFC 1918 state.  The REFUSED is a leak.  Your solution
sounds fine.
 
> I was curious if these can't cause the problem reported by user, 
> however it appears not to be the source of it. I'll have to dig 
> further.

REFUSED isn't an expected answer.
 
> -- 
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not want to receive any advertising mail at this address.
> Saving Private Ryan...
> Private Ryan exists. Overwrite? (Y/N)
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
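
One way to measure how many of these denied lookups a resolver is seeing, as an added example that is not part of the original thread: it parses `named` security-log denials, decodes the in-addr.arpa name (skipping prefixes such as `cf._dns-sd._udp`), and counts the ones that target RFC 1918 space per client. The first three sample lines are the thread's log lines with the mail wrapping undone; the remaining lines, the `192.0.2.10` client and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# The optional groups tolerate the "@0x..." and "(qname)" fields that newer
# BIND releases add to the "client" prefix of these log lines.
DENIED = re.compile(
    r"client (?:@\S+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?:\s+"
    r"query '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/[^/']+' denied")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reverse_target(qname):
    """IPv4 address encoded in an in-addr.arpa name, or None.

    Leading non-numeric labels are ignored; a partial name is zero-padded
    (110.254.10.in-addr.arpa -> 10.254.110.0).
    """
    name = qname.lower().rstrip(".")
    if not name.endswith(".in-addr.arpa"):
        return None
    octets = []
    for label in reversed(name[:-len(".in-addr.arpa")].split(".")):
        ok = label.isascii() and label.isdigit() and int(label) <= 255
        if not ok or len(octets) == 4:
            break
        octets.append(str(int(label)))      # normalise "010" -> "10"
    if not octets:
        return None
    return ipaddress.ip_address(".".join(octets + ["0"] * (4 - len(octets))))

def private_reverse_denials(lines):
    """Count denied reverse queries for RFC 1918 space per (client, qname, qtype)."""
    hits = Counter()
    for line in lines:
        m = DENIED.search(line)
        addr = reverse_target(m["qname"]) if m else None
        if addr is not None and any(addr in net for net in RFC1918):
            hits[(m["client"], m["qname"].lower(), m["qtype"])] += 1
    return hits

PFX = "Apr  5 09:47:20 t03 named[8324]: security: info: client "
Q = "cf._dns-sd._udp.132.110.254.10.in-addr.arpa"
B = "b._dns-sd._udp.0.1.168.192.in-addr.arpa"    # constructed query name
SAMPLE = [PFX + f"195.168.157.82#{p}: query '{Q}/TXT/IN' denied"
          for p in (32844, 49019, 35647)] + [    # lines below are constructed
    PFX + f"@0x7f00c8000000 192.0.2.10#40000 ({B}): query '{B}/PTR/IN' denied",
    PFX + "192.0.2.10#40001: query '1.0.32.172.in-addr.arpa/PTR/IN' denied",
    PFX + "192.0.2.10#40002: query 'www.example.com/A/IN' denied",
]
```

Calling `private_reverse_denials(SAMPLE)` returns a `Counter`; its `most_common()` output shows which clients send the most private-range reverse lookups, which is the traffic that views, separate servers, or locally served empty zones would stop answering with REFUSED.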


