[176526] in North American Network Operators' Group


Re: Comcast residential DNS contact

daemon@ATHENA.MIT.EDU (Grant Ridder)
Wed Dec 3 13:10:14 2014

X-Original-To: nanog@nanog.org
In-Reply-To: <CAPiURgXbHabUCrXYXUxpcj3nS8RQNEuRNZNLhY9xmXd82syQpw@mail.gmail.com>
Date: Wed, 3 Dec 2014 10:07:04 -0800
From: Grant Ridder <shortdudey123@gmail.com>
To: Brian Rak <brak@gameservers.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Did more digging and found the RFC regarding ANY queries:

3.2.3 - * 255 A request for all records
https://www.ietf.org/rfc/rfc1035.txt

However Wikipedia (http://en.wikipedia.org/wiki/List_of_DNS_record_types)
lists this as a request for "All cached records" instead of "A request for
all records" per the RFC.

-Grant


On Wed, Dec 3, 2014 at 9:54 AM, Grant Ridder <shortdudey123@gmail.com>
wrote:

> Hi Everyone,
>
> Thanks for the replies!  After reading them, I am doing some digging into
> DNS RFCs and haven't found much with respect to ANY queries.  Not
> responding with full results to protect against being used in an attack
> makes sense.  However, I find it odd that only 1 of the 4 anycast servers I
> tried would institute this.
>
> Also, as a side note, I hit all 4 anycast servers on both v4 and v6 with
> similar results already.
>
> -Grant
>
> On Wed, Dec 3, 2014 at 7:46 AM, Brian Rak <brak@gameservers.com> wrote:
>
>> Shouldn't everyone be on IPv6 these days anyway ;)
>>
>>
>> On 12/3/2014 10:28 AM, Jared Mauch wrote:
>>
>>> So have A record queries. Do you filter those as well?
>>>
>>> Jared Mauch
>>>
>>>  On Dec 3, 2014, at 9:08 AM, Stephen Satchell <list@satchell.net> wrote:
>>>>
>>>>  On 12/03/2014 04:04 AM, Niels Bakker wrote:
>>>>> * shortdudey123@gmail.com (Grant Ridder) [Wed 03 Dec 2014, 12:54 CET]:
>>>>>
>>>>>> Both of Google’s public DNS servers return complete results every time
>>>>>> and one of the two comcast ones works fine.
>>>>>>
>>>>>> If this is working by design, can you provide the RFC with that info?
>>>>>>
>>>>> An ANY query will typically return only what's already in the cache. So
>>>>> if you ask for MX records first and then query the same caching resolver
>>>>> for ANY it won't return, say, any TXT records that may be present at the
>>>>> authoritative nameserver.
>>>>>
>>>>> This could be implementation dependent, but Comcast's isn't wrong, and
>>>>> you should not rely on ANY queries returning full data.  This has been
>>>>> hashed out to tears in the past, for example when qm**l used to do these
>>>>> queries in an attempt to optimise DNS query volumes and RTT.
>>>>>
>>>> At the ISP I consult to, I filter all ANY queries, because they have
>>>> been used for DNS amplification attacks.
>>>>
>>>
>>
>
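
The thread discusses the RFC 1035 QTYPE 255 ("*", ANY) and one poster's practice of filtering ANY queries. The following is an added example, not part of the original messages or any poster's code: it parses the question section of a DNS query in wire format and classifies it. The `verdict` policy, its labels, and the sample name `example.com` are assumptions made for illustration.

```python
import struct

QTYPE_ANY = 255  # RFC 1035 section 3.2.3: "* 255 A request for all records"

def build_query(name, qtype, txid=0x1234):
    """Construct a minimal DNS query packet (sample input for this example)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def parse_question(packet):
    """Return (qname, qtype) for the first question, or None if not a valid query."""
    if len(packet) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set means this is a response
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None  # name runs past the end of the packet
        length = packet[pos]
        pos += 1
        if length == 0:
            break  # root label terminates the name
        # Simplification: anything over 63 (including compression pointers) is rejected.
        if length > 63 or pos + length > len(packet):
            return None
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        return None  # QTYPE/QCLASS missing
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels) + ".", qtype

def verdict(packet):
    """Hypothetical filter policy: drop invalid packets, filter ANY, pass the rest."""
    question = parse_question(packet)
    if question is None:
        return "drop-invalid"
    return "filter-any" if question[1] == QTYPE_ANY else "pass"

if __name__ == "__main__":
    for qtype in (1, 15, QTYPE_ANY):  # A, MX, ANY for a constructed name
        print(qtype, verdict(build_query("example.com", qtype)))
```
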
