Re: [dns-operations] Name servers returning incorrectly truncated UDP responses
Ondřej Surý wrote: > I am 99% sure the fpdns is wrong and this is not djbdns. The fpdns relies on > subtle differences between various DNS implementations and is often wrong > because there’s either not enough data or just not enough differences. That’s > what I’ve seen when we started with Knot DNS - the quality implementations > just > didn’t had enough differences between than because they adhered to standards > that fpdns just could not tell the difference. If you run fpdns with "-d" it will print out the queries/responses, and fpdns does observe some stereotypical (but maybe not exclusively?) djbdns behavior like dropping queries that aren't for domains the server is configured to be authoritative for. "a.ns", "b.ns" etc. is a nameserver-naming pattern used in the tinydns documentation. For the djbdns suite, tinydns only serves UDP traffic and you have to install an extra daemon called axfrdns to handle TCP queries and AXFR traffic. If you request an AXFR for a zone that axfrdns is authoritative for but your source IP isn't on its allowlist, axfrdns _exit()'s without sending anything, which is consistent with: $ dig +tries=1 +tcp +norec @e.ns.email.sonyentertainmentnetwork.com -t AXFR email.sonyentertainmentnetwork.com ;; communications error to 207.251.96.133#53: end of file Regarding the truncation behavior, the djbdns documentation states: "dnscache ends the packet before all records." It doesn't say how tinydns behaves but it looks like the code is the same. The answer count in the header is not updated, which seems to be what is upsetting the various message parsers. According to the CHANGES file: 2210 internal: response_tc() reduces len, simplifying udprespond(). ui: response_tc() now truncates immediately after query. this should work around the Squid parsing bug reported by Stuart Henderson. So I'm inclined to think they probably actually are using djbdns, or maybe a load balancer in front of djbdns. At least I don't see anything inconsistent with this being a djbdns deployment. You are right about high quality implementations not having enough subtle idiosyncratic differences to reliably distinguish between them, though. -- Robert Edmonds ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Name servers returning incorrectly truncated UDP responses
On Sat, Jul 30, 2022 at 11:14 AM Ondřej Surý wrote: > I am 99% sure the fpdns is wrong and this is not djbdns. The fpdns relies > on subtle differences between various DNS implementations and is often > wrong because there’s either not enough data or just not enough > differences. That’s what I’ve seen when we started with Knot DNS - the > quality implementations just didn’t had enough differences between than > because they adhered to standards that fpdns just could not tell the > difference. > If there are SUBTLE differences between DJB DNS and anything else, I would die of shock. I will offer a beer to anyone who shows me anything even remotely close to as broken as that POS. (The DNS community should maybe start offering rewards for replacing it, to anyone running djbdns, in real currency, just to purge it from the internet.) Brian > > Cheers, > -- > Ondřej Surý (He/Him) > > On 30. 7. 2022, at 19:37, Puneet Sood wrote: > > > > > On Sat, Jul 30, 2022 at 10:26 AM Dave Lawrence wrote: > >> Greg Choules via dns-operations writes: >> > I am including in this mail the RNAME from the SOA (same for both >> > zones) in the hope that someone who is responsible for DNS at Sony >> > entertainment will see this and take note. >> >> And tell us what in the world DNS software they're running, and why >> they chose it. >> > > Jaap up-thread used fpdns to figure out the first question. > > fpdns e.ns.email.sonyentertainmentnetwork.com > fingerprint (e.ns.email.sonyentertainmentnetwork.com, 207.251.96.133): DJ > Bernstein TinyDNS 1.05 [Old Rules] > >> ___ >> dns-operations mailing list >> dns-operations@lists.dns-oarc.net >> https://lists.dns-oarc.net/mailman/listinfo/dns-operations >> > ___ > dns-operations mailing list > dns-operations@lists.dns-oarc.net > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Name servers returning incorrectly truncated UDP responses
I am 99% sure the fpdns is wrong and this is not djbdns. The fpdns relies on subtle differences between various DNS implementations and is often wrong because there’s either not enough data or just not enough differences. That’s what I’ve seen when we started with Knot DNS - the quality implementations just didn’t had enough differences between than because they adhered to standards that fpdns just could not tell the difference. Cheers, -- Ondřej Surý (He/Him) > On 30. 7. 2022, at 19:37, Puneet Sood wrote: > > > > >> On Sat, Jul 30, 2022 at 10:26 AM Dave Lawrence wrote: >> Greg Choules via dns-operations writes: >> > I am including in this mail the RNAME from the SOA (same for both >> > zones) in the hope that someone who is responsible for DNS at Sony >> > entertainment will see this and take note. >> >> And tell us what in the world DNS software they're running, and why >> they chose it. > > Jaap up-thread used fpdns to figure out the first question. > > fpdns e.ns.email.sonyentertainmentnetwork.com > fingerprint (e.ns.email.sonyentertainmentnetwork.com, 207.251.96.133): DJ > Bernstein TinyDNS 1.05 [Old Rules] >> ___ >> dns-operations mailing list >> dns-operations@lists.dns-oarc.net >> https://lists.dns-oarc.net/mailman/listinfo/dns-operations ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Name servers returning incorrectly truncated UDP responses
Puneet Sood writes: > Jaap up-thread used fpdns to figure out the first question. > fingerprint (e.ns.email.sonyentertainmentnetwork.com, 207.251.96.133): DJ > Bernstein TinyDNS 1.05 [Old Rules] Subtle correction: to figure out one possible answer to the first question. ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Name servers returning incorrectly truncated UDP responses
--- Begin Message --- On Sat, Jul 30, 2022 at 10:26 AM Dave Lawrence wrote: > Greg Choules via dns-operations writes: > > I am including in this mail the RNAME from the SOA (same for both > > zones) in the hope that someone who is responsible for DNS at Sony > > entertainment will see this and take note. > > And tell us what in the world DNS software they're running, and why > they chose it. > Jaap up-thread used fpdns to figure out the first question. fpdns e.ns.email.sonyentertainmentnetwork.com fingerprint (e.ns.email.sonyentertainmentnetwork.com, 207.251.96.133): DJ Bernstein TinyDNS 1.05 [Old Rules] > ___ > dns-operations mailing list > dns-operations@lists.dns-oarc.net > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > --- End Message --- ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Name servers returning incorrectly truncated UDP responses
I am betting on “load balancers”… -- Ondřej Surý (He/Him) > On 30. 7. 2022, at 16:39, Dave Lawrence wrote: > > Greg Choules via dns-operations writes: >> I am including in this mail the RNAME from the SOA (same for both >> zones) in the hope that someone who is responsible for DNS at Sony >> entertainment will see this and take note. > > And tell us what in the world DNS software they're running, and why > they chose it. > ___ > dns-operations mailing list > dns-operations@lists.dns-oarc.net > https://lists.dns-oarc.net/mailman/listinfo/dns-operations ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Name servers returning incorrectly truncated UDP responses
Greg Choules via dns-operations writes: > I am including in this mail the RNAME from the SOA (same for both > zones) in the hope that someone who is responsible for DNS at Sony > entertainment will see this and take note. And tell us what in the world DNS software they're running, and why they chose it. ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Name servers returning incorrectly truncated UDP responses
Puneet Sood via dns-operations writes: > While the affected operators are spread around the world, the similarity of > the bad response across operators appears to suggest the DNS software may > be from the same or closely related source. These servers do not respond to > a version.bind query. > > Have you seen similar bad responses? Do you have an idea of the provenance > of this software? Fingerprinting with fpdns gives: fpdns e.ns.email.sonyentertainmentnetwork.com fingerprint (e.ns.email.sonyentertainmentnetwork.com, 207.251.96.133): DJ Bernstein TinyDNS 1.05 [Old Rules] jaap ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] Name servers returning incorrectly truncated UDP responses
--- Begin Message --- This looks very broken. Here are checks of the "m.email..." and "email..." domains - both exhibit many protocol errors: https://ednscomp.isc.org/ednscomp/7225e09225 https://ednscomp.isc.org/ednscomp/e9310fc22b I am including in this mail the RNAME from the SOA (same for both zones) in the hope that someone who is responsible for DNS at Sony entertainment will see this and take note. Cheers, Greg On Fri, 29 Jul 2022 at 22:09, Puneet Sood via dns-operations < dns-operati...@dns-oarc.net> wrote: > > > > -- Forwarded message -- > From: Puneet Sood > To: dns-operations > Cc: > Bcc: > Date: Fri, 29 Jul 2022 17:04:28 -0400 > Subject: Name servers returning incorrectly truncated UDP responses > Hello, > > While making our DNS response validation stricter, we have noticed that a > number of name servers return badly truncated UDP responses. This sometimes > happens with incorrect Answer section RR count. > > $ dig m.email.sonyentertainmentnetwork.com. TXT @ > e.ns.email.sonyentertainmentnetwork.com > ;; Warning: Message parser reports malformed message packet. > ;; Truncated, retrying in TCP mode. > > ; <<>> DiG 9.18.3-1+build1-Debian <<>> > m.email.sonyentertainmentnetwork.com. TXT @ > e.ns.email.sonyentertainmentnetwork.com > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24446 > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 > ;; WARNING: recursion requested but not available > > ;; QUESTION SECTION: > ;m.email.sonyentertainmentnetwork.com. IN TXT > > ;; ANSWER SECTION: > m.email.sonyentertainmentnetwork.com. 3600 IN TXT "v=spf1 a mx ip4: > 63.236.31.220/31 ip4:8.30.201.100/31 ip4:63.236.84.160 ip4:8.30.201.16 > ip4:4.22.42.19 ip4:4.22.42.20/30 ip4:4.2" "2.42.24/31 ip4:4.22.42.26 ip4: > 72.166.182.10/31 ip4:72.166.182.12/31 ip4:72.166.182.18/31 ip4: > 72.166.182.20/30 ip4:207.251.96.0/" "24 ip4:65.125.54.0/24 ip4: > 63.232.57.0/24 ip4:208.49.63.128/28 ip4:63.211.90.16/29 ip4:8.7.42.16/29 > ip4:8.7.43.16/29 ip4:63.232." "236.144/29 ip4:8.7.44.144/29 ip4: > 63.236.31.128/26 ip4:63.236.76.0/23 ip4:8.30.201.0/26 ~all" > > ;; Query time: 4 msec > ;; SERVER: 207.251.96.133#53(e.ns.email.sonyentertainmentnetwork.com) > (TCP) > ;; WHEN: Fri Jul 29 16:57:51 EDT 2022 > ;; MSG SIZE rcvd: 542 > > > While the affected operators are spread around the world, the similarity > of the bad response across operators appears to suggest the DNS software > may be from the same or closely related source. These servers do not > respond to a version.bind query. > > Have you seen similar bad responses? Do you have an idea of the provenance > of this software? > > Thanks, > Puneet > > > > > -- Forwarded message -- > From: Puneet Sood via dns-operations > To: dns-operations > Cc: > Bcc: > Date: Fri, 29 Jul 2022 17:04:28 -0400 > Subject: [dns-operations] Name servers returning incorrectly truncated UDP > responses > ___ > dns-operations mailing list > dns-operations@lists.dns-oarc.net > https://lists.dns-oarc.net/mailman/listinfo/dns-operations > --- End Message --- ___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
