[176512] in North American Network Operators' Group


Re: Comcast residential DNS contact

daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Dec 3 10:28:38 2014

X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <547F196E.3080200@satchell.net>
Date: Wed, 3 Dec 2014 10:28:29 -0500
To: Stephen Satchell <list@satchell.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

So have A record queries. Do you filter those as well?

Jared Mauch

> On Dec 3, 2014, at 9:08 AM, Stephen Satchell <list@satchell.net> wrote:
>
>> On 12/03/2014 04:04 AM, Niels Bakker wrote:
>> * shortdudey123@gmail.com (Grant Ridder) [Wed 03 Dec 2014, 12:54 CET]:
>>> Both of Google’s public DNS servers return complete results every time
>>> and one of the two comcast ones works fine.
>>>
>>> If this is working by design, can you provide the RFC with that info?
>>
>> An ANY query will typically return only what's already in the cache.  So
>> if you ask for MX records first and then query the same caching resolver
>> for ANY it won't return, say, any TXT records that may be present at the
>> authoritative nameserver.
>>
>> This could be implementation dependent, but Comcast's isn't wrong, and
>> you should not rely on ANY queries returning full data.  This has been
>> hashed out to tears in the past, for example when qm**l used to do these
>> queries in an attempt to optimise DNS query volumes and RTT.
>
> At the ISP I consult to, I filter all ANY queries, because they have
> been used for DNS amplification attacks.
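As an added illustration of the resolver-side check behind the filtering discussed in this thread (not code from any of the posters), the script below counts ANY queries per client in BIND-style query-log lines; the log lines are constructed, the log layout is approximate, and the per-client threshold is an assumed value:

```python
import re
from collections import Counter

# Constructed sample lines in an approximate BIND 9 query-log layout (not real traffic).
SAMPLE_LOG = """\
03-Dec-2014 10:28:01.001 client 192.0.2.10#53123 (example.com): query: example.com IN ANY +E (203.0.113.53)
03-Dec-2014 10:28:01.002 client 192.0.2.10#53123 (example.com): query: example.com IN ANY +E (203.0.113.53)
03-Dec-2014 10:28:01.003 client 192.0.2.10#53123 (example.com): query: example.com IN ANY +E (203.0.113.53)
03-Dec-2014 10:28:01.004 client 198.51.100.7#40001 (mail.example.net): query: mail.example.net IN MX + (203.0.113.53)
03-Dec-2014 10:28:01.005 client 198.51.100.7#40002 (mail.example.net): query: mail.example.net IN ANY + (203.0.113.53)
03-Dec-2014 10:28:01.006 client 192.0.2.10#53123 (example.com): query: example.com IN ANY +E (203.0.113.53)
"""

# Pulls client IP, query name, query type and the flag field out of one log line.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Yield (client_ip, qname, qtype, flags) for every parseable line."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname"), m.group("qtype"), m.group("flags")


def any_query_report(text, threshold=3):
    """Count ANY queries per client and list clients at or above `threshold`.

    EDNS-enabled ANY queries (the 'E' flag) are counted separately because a
    large UDP answer, the thing amplification relies on, needs EDNS.
    """
    any_counts = Counter()
    edns_counts = Counter()
    for ip, _qname, qtype, flags in parse_query_log(text):
        if qtype == "ANY":
            any_counts[ip] += 1
            if "E" in flags:
                edns_counts[ip] += 1
    flagged = [
        {"client": ip, "any_queries": n, "edns_any_queries": edns_counts[ip]}
        for ip, n in any_counts.most_common()
        if n >= threshold
    ]
    return {"total_any": sum(any_counts.values()), "flagged": flagged}


if __name__ == "__main__":
    print(any_query_report(SAMPLE_LOG))
```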
