On 6/2/25 12:01, Nick Tait via bind-users wrote:
I can reproduce the issue by clearing the BIND cache, and then running the 
following DIG command, to attempt a reverse DNS lookup of 45.90.5.195


On 6/2/25 12:54, Carlos Horowicz via bind-users wrote:
The problem seems related to "No zone cut at 90.45.in-addr.arpa.", shouldn't trigger a SERVFAIL with qname-minimisation relaxed

That's not a correct interpretation of what's happening.

In short, with an empty cache, BIND will exceed the pre-configured limit on the number of queries it can do. This is protection from various attacks which misuse DNS to attack itself.


Here's how I found out.

To test the cold-cache scenario, the easiest way is to run:

delv +ns +qmin -d99 195.5.90.45.in-addr.arpa. PTR &> log

See delv man page for what +ns and -d99 do:
https://bind9.readthedocs.io/en/v9.20.9/manpages.html#delv-dns-lookup-and-validation-utility

With debugging on, you will find numerous warnings:

;; exceeded max queries resolving 'third-dns.netcup.net/NS' (max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'root-dns.netcup.net/NS' (max-recursion-queries, querycount=51)
;; exceeded max queries resolving 'third-dns.netcup.net/A' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'root-dns.netcup.net/A' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'netcup.net/DS' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'second-dns.netcup.net/A' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving '195.5.90.45.in-addr.arpa/PTR' (max-recursion-queries, querycount=51, maxqueries=50)

HTH

--
Petr Špaček
Internet Systems Consortium
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
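
The log check described in the message above, as an added example that is not part of the original e-mail and not ISC code: it scans `delv -d99` output for the `max-recursion-queries` warnings and reports whether the name originally asked for ran out of query budget. The function name `summarize` and the result keys are assumptions of this sketch; the sample lines are the warnings quoted in the message.

```python
import re

# Warning lines copied from the delv -d99 output quoted in the message above.
SAMPLE_LOG = """\
;; exceeded max queries resolving 'third-dns.netcup.net/NS' (max-recursion-queries, querycount=50)
;; exceeded max queries resolving 'root-dns.netcup.net/NS' (max-recursion-queries, querycount=51)
;; exceeded max queries resolving 'third-dns.netcup.net/A' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'root-dns.netcup.net/A' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'netcup.net/DS' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving 'second-dns.netcup.net/A' (max-recursion-queries, querycount=51, maxqueries=50)
;; exceeded max queries resolving '195.5.90.45.in-addr.arpa/PTR' (max-recursion-queries, querycount=51, maxqueries=50)
"""

# Both forms seen in the log are accepted: with and without "maxqueries=N".
# The owner name is matched greedily so names containing "/" still parse.
WARNING = re.compile(
    r"exceeded max queries resolving '(?P<name>[^']+)/(?P<rtype>[^'/]+)' "
    r"\(max-recursion-queries, querycount=(?P<count>\d+)"
    r"(?:, maxqueries=(?P<limit>\d+))?\)"
)


def _key(name, rtype):
    """Normalise name/type so a trailing dot or letter case does not matter."""
    return (name.rstrip(".").lower(), rtype.upper())


def summarize(log_text, qname, qtype):
    """Summarise max-recursion-queries warnings for one lookup.

    target_hit is True when the warning names the query that was asked,
    i.e. the lookup itself ran out of budget; side_lookups lists the other
    names (nameserver addresses, DS records) that hit the limit on the way.
    """
    wanted = _key(qname, qtype)
    hits, limits, side = 0, set(), set()
    target_hit = False
    for m in WARNING.finditer(log_text):  # works even if lines are joined
        hits += 1
        if m["limit"]:
            limits.add(int(m["limit"]))
        if _key(m["name"], m["rtype"]) == wanted:
            target_hit = True
        else:
            side.add(f"{m['name']}/{m['rtype']}")
    return {"hits": hits, "limits": sorted(limits),
            "target_hit": target_hit, "side_lookups": sorted(side)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "195.5.90.45.in-addr.arpa.", "PTR"))
```
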

