QNAME minimisation question

Petr Špaček pspacek at isc.org
Mon Jun 2 11:30:16 UTC 2025


On 6/2/25 12:01, Nick Tait via bind-users wrote:
>> I can reproduce the issue by clearing the BIND cache, and then running the following DIG command, to attempt a reverse DNS lookup of 45.90.5.195


On 6/2/25 12:54, Carlos Horowicz via bind-users wrote:
> The problem seems related to "No zone cut at 90.45.in-addr.arpa." , 
> shouldn't trigger a SERVFAIL with qname-minimisation relaxed

That's not a correct interpretation of what's happening.

In short, with an empty cache, BIND will exceed the pre-configured limit on 
the number of queries it can make. This is protection from various attacks 
which misuse DNS to attack itself.


Here's how I found out.

To test the cold-cache scenario, the easiest way is to run:

delv +ns +qmin -d99 195.5.90.45.in-addr.arpa. PTR &> log

See delv man page for what +ns and -d99 do:
https://bind9.readthedocs.io/en/v9.20.9/manpages.html#delv-dns-lookup-and-validation-utility

With debugging on, you will find numerous warnings:

;; exceeded max queries resolving 'third-dns.netcup.net/NS' (max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'root-dns.netcup.net/NS' (max-recursion-queries, querycount=51)
;; exceeded max queries resolving 'third-dns.netcup.net/A' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'root-dns.netcup.net/A' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'netcup.net/DS' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'second-dns.netcup.net/A' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving '195.5.90.45.in-addr.arpa/PTR' (max-recursion-queries, querycount=51, maxqueries=50)

HTH

-- 
Petr Špaček
Internet Systems Consortium
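As an added example (not part of this mail, and not ISC's or BIND's own tooling), here is a small Python script that pulls the "exceeded max queries" warnings out of the log file written by the delv command above and separates the original PTR question from the dependent lookups (nameserver addresses, DS records) that consumed the query budget. It assumes only the warning format visible in the mail, including the case where the maxqueries field is absent, and tolerates the two-line wrapping that mail clients apply to such lines; the file name "log" and the qname 195.5.90.45.in-addr.arpa are taken from the command in the mail, and the sample input is a constructed copy of the quoted warnings.

```python
import re
from collections import Counter

# Constructed sample: the seven warnings quoted in the mail, kept in the
# two-line wrapped form they have there (mail wrapping, not delv's own).
SAMPLE_LOG = """\
;; exceeded max queries resolving 'third-dns.netcup.net/NS'
(max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'root-dns.netcup.net/NS'
(max-recursion-queries, querycount=51)
;; exceeded max queries resolving 'third-dns.netcup.net/A'
(max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'root-dns.netcup.net/A'
(max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'netcup.net/DS'
(max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'second-dns.netcup.net/A'
(max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving '195.5.90.45.in-addr.arpa/PTR'
(max-recursion-queries, querycount=51, maxqueries=50)
"""

# Warning format as it appears in the mail (assumption: delv prints exactly
# this shape); maxqueries is missing in the first two lines, so it is optional.
WARN_RE = re.compile(
    r"^;; exceeded max queries resolving '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)'"
    r" \((?P<limit>[a-z-]+), querycount=(?P<count>\d+)"
    r"(?:, maxqueries=(?P<max>\d+))?\)"
)


def unwrap(text):
    """Re-join warnings that a mail client wrapped onto a second line."""
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("(") and lines:
            lines[-1] = lines[-1].rstrip() + " " + line
        else:
            lines.append(line)
    return lines


def parse_exceeded(text):
    """Return one record per 'exceeded max queries' warning in a delv log."""
    records = []
    for line in unwrap(text):
        m = WARN_RE.match(line)
        if not m:
            continue  # ordinary debug output, not a limit warning
        records.append({
            "name": m["name"],
            "rtype": m["rtype"],
            "limit": m["limit"],
            "querycount": int(m["count"]),
            "maxqueries": int(m["max"]) if m["max"] else None,
        })
    return records


def summarize(records, original_qname):
    """Split the client's own question from the dependent lookups that
    burned the per-recursion query budget, and report the limit observed."""
    original = [r for r in records if r["name"] == original_qname]
    dependent = sorted({f'{r["name"]}/{r["rtype"]}' for r in records
                        if r["name"] != original_qname})
    configured = {r["maxqueries"] for r in records if r["maxqueries"] is not None}
    return {
        "original_hit": bool(original),
        "dependent": dependent,
        "limits": Counter(r["limit"] for r in records),
        "max_querycount": max((r["querycount"] for r in records), default=0),
        "configured_max": max(configured) if configured else None,
    }


if __name__ == "__main__":
    import sys
    # Usage: python3 delv_budget.py log   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_exceeded(text)
    s = summarize(recs, "195.5.90.45.in-addr.arpa")
    print(f"{len(recs)} warnings; highest querycount {s['max_querycount']}"
          f" against configured max {s['configured_max']}")
    for dep in s["dependent"]:
        print("  dependent lookup hit the limit:", dep)
```

Run against the real log from the delv command and the "dependent" list shows which glue, NS and DS lookups the resolver had to chase before the PTR itself was cut off, which is the quickest way to see whether a cold-cache SERVFAIL is the query-count limit at work rather than a missing zone cut.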

