They don't fix it because they are not usually aware of it. The
vast bulk of the queries against load balancers are A and
queries and as long as these don't return NXDOMAIN they don't see
operational problems. Servfail for is not an issue for them
as it doesn't impact the A lookup which is
I got to work with the app owners today debugging this problem. One way to get
the DNS server to return the list of root servers is to do a non-recursive
(+norec) query for a non-existent domain. Turns out this particular app does
non-recursive queries. The app itself does a single Windows sy
It's surprising that more organizations don't fix this--it can be a
serious DoS vulnerability if the record is important enough. Anyone
know of tools that, given a zone or a set of labels, will test for this
behavior?
John
On 05/30/2014 11:42 AM, David A. Evans wrote:
To my questio
On Thu, 2014-05-08 at 01:44 +1000, Mark Andrews wrote:
> Because NS queries are not common with normal DNS lookups. For
> some reason people that deploy load balancers think they don't need
> to fix issues like this. Send something other than an A rec
To my question of how many more are lurking out there. It looks
like quite a few. I am not sure we are going to be able to continue with
RPZ's and NSDNAME's.
xserv.dell.com is my newest mainstream web site having the
issue.
It is behaving the same way as www.rackspa
In message <1401433477.99469.yahoomail...@web121601.mail.ne1.yahoo.com>, Jiann-
Ming Su writes:
>
>
>
> > On Friday, May 30, 2014 12:34 AM, Mark Andrews wrote:
> > >
> > In message
> <1401424053.51486.yahoomail...@web121604.mail.ne1.yahoo.com>,
> > Jiann-
> > Ming Su writes:
> >>
> >>
> >> Looki
> On Friday, May 30, 2014 12:34 AM, Mark Andrews wrote:
> >
> In message <1401424053.51486.yahoomail...@web121604.mail.ne1.yahoo.com>,
> Jiann-
> Ming Su writes:
>>
>>
>> Looking through the traces of the NXDomain vs NoError responses. The
>> NoError response includes the list of the Int