Hi,
Are you asking a resolver or the authority on the server itself when this
happens? Someone might be more likely to help if you show us a real-world
example (using dig) with the affected zone.
Winfried
On 3 April 2025 15:18:10 MESZ, "Emmanuel Fusté" <[email protected]> wrote:
>Hello,
>
>I'm facing a very disturbing DNS behavior from a DNS hosting provider (a big
>LoadBalancer maker).
>I have a strong opinion about it, but before reporting to my client, I would
>like to get the opinions/arguments of the experts present on this list, as you can
>never be careful enough and should always approach things with humility.
>
>Months ago I noticed some spurious NXDOMAIN responses from the authoritative
>servers of one of my customers.
>It could even occur on the A or SOA record of the zone apex and was hard to
>reproduce.
>We ended up with a test of 200 UDP requests in a row on the A record of the zone
>apex, which at some times of the day triggered some NXDOMAIN answers, but not the
>rest of the time.
>We suspected a configuration issue, a race condition in the automated
>maintenance of zone data, server deployments, etc.
>This took months (almost a year) and the exchange of numerous request/response
>logs on our end with the provider, which indicated that some fix/tuning was
>made (unsuccessfully), to finally get a definite answer:
>
>"A user is making multiple requests to a non-existing DNS domain. This
>behavior triggers a DDoS protection mechanism, which blocks the user's IP
>address.
>As a result, requests from the blocked IP return NXDOMAIN on existing records"
>
>Clarification about "non-existing DNS domain": we do send queries which end up with
>an authoritative NXDOMAIN. We do not send DNS queries for which the offended DNS
>server is not authoritative.
>
>My opinion is:
>- They break all DNS protocol promises, presenting "alternate" reality based
>on query rate
>- They talk about DDOS protection. But there is nothing "distributed" with one
>IP
>- It is not even a DoS protection mechanism, as the server continues to answer
>NXDOMAIN at full rate
>- There is no rationale behind returning NXDOMAIN
>- It appears that no query rate limiting of any kind is implemented on their
>side.
>
>- IP-based query rate limiting/dropping is one of the core mechanisms essential to
>any modern DNS implementation.
>- DNS should never completely stop responding to one IP, just as it should
>never arbitrarily alter the value of an answer.
>
>I could be wrong and it's in fact a good behavior.
>I could be right and there are even more standard/RFC compliance arguments that
>could be leveraged against it.
>
>Thank you.
>Emmanuel.
>_______________________________________________
>dns-operations mailing list
>[email protected]
>https://lists.dns-oarc.net/mailman/listinfo/dns-operations
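A small probe in the spirit of Winfried's suggestion and of the 200-request test described in the quoted post, added here as an example and not code from either poster or from the provider: it clears RD so that an authority answers from its own zone data, and tallies the rcode together with the AA bit so that a resolver's NXDOMAIN is not mistaken for an authoritative one. The server and zone names passed on the command line are assumed placeholders.

```python
"""Repeat one query against one server and tally (rcode, AA) per response.

Added diagnostic example for the thread above; not code from the list or from
either poster. Server and zone names are placeholders supplied by the caller.
"""
import socket
import struct
from collections import Counter

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234, rd: bool = False) -> bytes:
    """Minimal DNS query. RD is cleared so an authority answers from zone data."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_header(resp: bytes) -> dict:
    """Extract the fields that matter here: rcode, the AA flag and the answer count."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "ancount": an}

def tally(headers) -> Counter:
    """Count responses by (rcode, authoritative?) so resolver and authority answers stay apart."""
    return Counter((h["rcode"], h["aa"]) for h in headers)

def inconsistent(t: Counter) -> bool:
    """True when the same authority answered both NOERROR and NXDOMAIN for one name."""
    return t[("NOERROR", True)] > 0 and t[("NXDOMAIN", True)] > 0

def probe(server: str, qname: str, count: int = 200, timeout: float = 2.0) -> Counter:
    """Send `count` UDP queries back to back (as in the original test) and tally the outcomes."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for i in range(count):
            s.sendto(build_query(qname, txid=i & 0xFFFF), (server, 53))
            try:
                data, _ = s.recvfrom(512)
                results.append(parse_header(data))
            except socket.timeout:
                results.append({"id": i, "rcode": "TIMEOUT", "aa": False, "ancount": 0})
    return tally(results)

if __name__ == "__main__":
    import sys
    t = probe(sys.argv[1], sys.argv[2])  # e.g. probe("ns1.example.net", "example.com")
    print(t, "INCONSISTENT" if inconsistent(t) else "consistent")
```

Run it against each listed nameserver directly, not through a resolver, and compare the tallies across the day; a mix of authoritative NOERROR and authoritative NXDOMAIN for the apex is the condition the quoted post describes.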