Moin!

On 21 Jan 2021, at 13:48, Yasuhiro Orange Morishita / 森下泰宏 wrote:

> I know that section 6 of RFC 5452 describes 'in-domain checking'
> for full-service resolvers, but I can't find any RFCs describing the
> same checking for DNS forwarders...

The DNS forwarders term didn’t appear in an RFC before 7719, so I guess there is no such description.

> Moreover, the whitepaper describes this as follows:
>
> "We acknowledge that this is not a vulnerability per se, and
> moreover is reasonable behavior, though it magnifies the attack and
> similar types of attacks."
>
> Isn't it really a vulnerability?

I agree for a real DNS forwarder (aka proper resolver acting as a forwarder), but for a DNS proxy there really is no other option than to give the packet back to the client (stub resolver) and let it deal with it.

So long
-Ralf
---
Ralf Weber
