Hello,

I'm facing a very disturbing DNS behavior from a DNS hosting provider (a big LoadBalancer maker). I have a strong opinion about it, but before reporting to my client, I would like to get the opinions/arguments of the experts present on this list, as you can never be careful enough and should always approach things with humility.

Months ago I noticed some spurious NXDOMAIN responses from the authoritative servers of one of my customers. It could even occur on the A or SOA record of the zone apex and was hard to reproduce. We ended up with a test of 200 UDP requests in a row on the A record of the zone apex, which at some times of the day triggers some NXDOMAIN answers, but not the rest of the time. We suspected a configuration issue, a race condition in the automated maintenance of zone data, server deployments, etc. This took months (almost a year) and the exchange of numerous request/response logs on our end with the provider, which indicated that some fix/tuning was made (unsuccessfully), to finally get a definite answer:

"A user is making multiple requests to a non-existing DNS domain. This behavior triggers a DDoS protection mechanism, which blocks the user's IP address. As a result, requests from the blocked IP return NXDOMAIN on existing records"

Clarification about "non-existing DNS domain": we do queries which end up with an authoritative NXDOMAIN. We do not do DNS queries for which the offending DNS server is not authoritative.

My opinion is:
- They break all DNS protocol promises, presenting an "alternate" reality based on query rate.
- They talk about DDoS protection. But there is nothing "distributed" with one IP.
- It is not even a DoS protection mechanism, as the server continues to answer NXDOMAIN at full rate.
- There is no rationale behind returning NXDOMAIN.
- It appears that no query rate limiting of any kind is implemented on their side.

- IP-based query rate limiting/dropping is one of the core mechanisms essential to any modern DNS implementation.
- DNS should never completely stop responding to one IP, just as it should never arbitrarily alter the value of an answer.

I could be wrong and it is in fact a good behavior.
I could be right and there are even more standards/RFC compliance arguments that could be leveraged against it.

Thank you.
Emmanuel.
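The repeated-query test described in the post, written up as an added example (not code from the original message): it sends sequential UDP A queries for a name known to exist to one authoritative server and tallies the RCODEs, so intermittent NXDOMAIN on an existing record shows up as a count. Standard library only; the server address and zone name in `__main__` are placeholders.

```python
import socket
import struct
import secrets
from collections import Counter

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname: str, qtype: int = 1) -> tuple[int, bytes]:
    """Return (id, wire) for a plain query (RD=0: we ask an authoritative server)."""
    qid = secrets.randbelow(65536)
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)  # QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return qid, header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_rcode(wire: bytes, expected_id: int) -> str:
    """Classify a response by RCODE after checking it is a reply to our query."""
    if len(wire) < 12:
        return "MALFORMED"          # empty (timeout) or truncated header
    rid, flags = struct.unpack("!HH", wire[:4])
    if rid != expected_id or not flags & 0x8000:   # ID must match, QR must be set
        return "MISMATCH"
    return RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")

def tally(answers: list[tuple[int, bytes]]) -> Counter:
    """Count RCODEs over a list of (query id, response wire) pairs."""
    return Counter(parse_rcode(wire, qid) for qid, wire in answers)

def probe(server: str, qname: str, count: int = 200, timeout: float = 2.0) -> Counter:
    """Send `count` sequential A queries for qname to server:53; return RCODE tallies."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(count):
            qid, query = build_query(qname)
            s.sendto(query, (server, 53))
            try:
                wire, _ = s.recvfrom(4096)
            except socket.timeout:
                wire = b""            # counted as MALFORMED below
            results.append((qid, wire))
    return tally(results)

if __name__ == "__main__":
    # Placeholder server and zone: replace with the authoritative server under test
    # and a name that is known to exist (e.g. the zone apex).
    counts = probe("192.0.2.1", "example.com")
    print(dict(counts))
    if counts["NXDOMAIN"]:
        print("WARNING: NXDOMAIN for an existing name; answers are inconsistent")
```

Run it a few times across the day, since the post reports the effect is only intermittent; a non-zero NXDOMAIN count for the apex is the evidence to attach to the report.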
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations