On 12/7/2010 5:31 PM, David A. Evans wrote:
I'm in the mood to prove a point. I have a very poorly
written application that is generating a few hundred queries per
second of completely bogus AAAA records before attempting a lookup of
the correct A records. This is because the application was compiled
with a IPv6 interface enabled on the severs so it assumes that v6 is
available. It is not. The application owner does not see an issue as
they get the handful NXDOMAIN responses back in ~2 ms for each valid
response and don't see any performance hit.
I would like to silently drop the AAAA record lookups instead
of responding back with NXDOMAIN.
NXDOMAIN? Is the application looking up a different *name* for its AAAA
queries than for its A queries? If a single name owned A records but no
AAAA records then the correct response from an AAAA-capable resolver to
an AAAA query of the name, would be the so-called "NODATA" response
(NOERROR with 0 answers and an SOA RR in Authority Section for negative
caching purposes, see RFC 2308 for details). NXDOMAIN, as another poster
pointed out, could inhibit even A-record queries of the name, and would
be the wrong response in that situation.
Thusly generating a performance hit as the application waits 2 seconds
for the reply.
I have found the filter-aaaa-on-v4 but it doesn't quiet do
what I want. From the description and my testing it appears to still
reply with NXDOMAIN to these queries, it simply filters out the
'valid' AAAA records from IPV4 based replies. (which is a really cool
solution to other issues, but not what I need.)
How nasty do you want to be? You could always add an AAAA record for
that name. Point it anywhere you want <evil laugh>
If you point it to something simply non-existent, this solution seems to
me only slightly ruder than silently dropping the queries.
Besides spinning up a bind 4.x box which google tells me did
this by default, is there any way of doing this?
I think it would be a really *bad* idea to spin up a BIND 4.x instance.
Do you really want a big ugly security hole on your network? What about
the person that inherits this setup from you? Would they be conversant
in BIND 4.x setup and maintenance? I wouldn't wish BIND 4.x on anyone...
If you really want to go in the direction of dropping packets, I'd look
at some sort of software-firewall intervention (iptables or whatever) to
do the packet-dropping.
On the other hand, if the app really is looking up a different name for
AAAA than for A (see above), that opens up all sorts of options for you.
You could set up that name as a zone by itself and simply return REFUSED
for all of those queries (the response packet count, and potentially the
application delay, would be the same, but the response packets would be
smaller and your intent crystal clear). Or set up a forwarder and play
some games that way.
- Kevin
*David A. Evans*
*Enterprise IP/DNS Management*
*Network Infrastructure Tools and Services*
*_evans_davi...@cat.com_* <mailto:evans_davi...@cat.com>
**
/Eschew Obfuscation/
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
