On Aug 25, 2014, at 7:56 AM, Dave Duchscher <[email protected]> wrote:
> On Aug 25, 2014, at 6:05 AM, Maciej Soltysiak <[email protected]> wrote: > >> On Mon, Aug 25, 2014 at 9:16 AM, W.C.A. Wijngaards <[email protected]> >> wrote: >>> Yes. The reddit servers (or likely, their load-balancers) are not >>> following the DNS specifications. They are dropping the query and >>> they should be replying. There was a draft at the IETF even to mark >>> this as harmful, but it did not progress through the standards track, >>> I believe. If they want to refuse the query for unclear reasons (what >>> is wrong with responding NXDOMAIN?) they could choose from nice error >>> codes like SERVFAIL and FORMERR and REFUSED. >> Yup. I have a domain that goes through cloudflare. I just asked >> cloudflare NSes for a name with a colon and it behaves the same (drop) >> When I asked the parents, they answered. >> >> Cloudflare seems to do the same thing for their customers. >> >> If not FORMERR, they could've at least send ICMP administratively >> prohibited to mark that this particular comms is not ok with them. >> That would've made unbound record a failure. >> >> It's silly because in order to immunize your cache against this you >> would have to start your own filtering... That shouldn't be the point. > > Not a customer of Cloudflare but their help system allows outsiders to > submit so I have submitted a help request for this problem (172999). > Maybe this is a bug. Cloudflare's response: > Hey there, > > Because the DNS query "http://reddit.com"; is technically not valid (since DNS > queries should not contain the protocol URI), CloudFlare's DNS servers will > not respond to them. > > Since these kinds of invalid queries don't get this far in the normal DNS > system (since they get dropped at the root servers) > > Let us know if you need any other help > Thanks *sigh* -- Dave _______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
