Date: Sun, 23 Jun 2024 03:39:56 +0000
From: "Lance Yang" <lance.yang@...ux.dev>
To: "Jan Mercl" <0xjnml@...il.com>, musl@...ts.openwall.com
Cc: "Lance Yang" <ioworker0@...il.com>
Subject: Re: [PATCH 1/1] improve DNS resolution logic for parallel queries

June 22, 2024 at 9:06 PM, "Jan Mercl" <0xjnml@...il.com> wrote:

> On Sat, Jun 22, 2024 at 2:51 PM Lance Yang <lance.yang@...ux.dev> wrote:
> 
> > musl’s resolver queries some configured nameservers in parallel and accepts
> > the first response. However, if the first response's RCODE indicates
> > NXDOMAIN, the resolver terminates the resolution process too early,
> > potentially missing valid responses from other nameservers.
> 
> Linux uses the first valid response, even if it is NXDOMAIN. So it's
> not clear terminating the resolve process in that case is "too early".
> I think that continuing the search after getting NXDOMAIN can be
> possibly considered a security risk.
> 
> Source, possibly outdated:
> https://www.unix.com/ip-networking/133552-howto-linux-multihomed-dns-client.html
> 
> -j

Hi Jan,

Thanks for paying attention and sharing this information!

I understand your concern that continuing the search after receiving an
NXDOMAIN response might pose a security risk. Will look into this issue
further.

Thanks again!
Lance

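To make the two policies under discussion concrete, here is a small simulation (an added example, not musl code and not from the thread) of a resolver that queries its configured nameservers in parallel and must decide what to do with an early NXDOMAIN. The Reply type, the resolve() function and the two-server scenario are all constructed; it shows that once NXDOMAIN replies are skipped, the lookup is decided by whichever slower server answers positively, which is the widening of trust Jan's concern points at.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Reply:
    server: str                    # configured nameserver that answered
    arrival_ms: int                # when its reply reached the resolver
    rcode: str                     # "NOERROR" or "NXDOMAIN"
    answer: Optional[str] = None   # A record, only when rcode == "NOERROR"


def resolve(replies, continue_past_nxdomain):
    """Pick the reply a parallel-query resolver acts on.

    continue_past_nxdomain=False: first reply wins, NXDOMAIN included
    (the behaviour Jan attributes to Linux).
    continue_past_nxdomain=True: skip NXDOMAIN replies while any other
    configured server may still answer (the behaviour the patch proposes).
    """
    ordered = sorted(replies, key=lambda r: r.arrival_ms)
    for r in ordered:
        if continue_past_nxdomain and r.rcode == "NXDOMAIN":
            continue
        return (r.server, r.rcode, r.answer)
    first = ordered[0]  # every server said NXDOMAIN: report the earliest
    return (first.server, first.rcode, first.answer)


# Constructed scenario (not from the thread): two nameservers in resolv.conf.
# ns-internal is the server the operator intends to be authoritative for the
# name and answers NXDOMAIN quickly; ns-public is slower and returns a record
# for the same name.
SCENARIO = [
    Reply("ns-internal", arrival_ms=3, rcode="NXDOMAIN"),
    Reply("ns-public", arrival_ms=20, rcode="NOERROR", answer="203.0.113.7"),
]


def compare_policies(replies=SCENARIO):
    """Report which server's answer decides the lookup under each policy."""
    return {
        "first_reply_wins": resolve(replies, continue_past_nxdomain=False),
        "continue_past_nxdomain": resolve(replies, continue_past_nxdomain=True),
    }


if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(f"{policy}: {result}")
```

Under the first policy the fast NXDOMAIN from ns-internal is the answer; under the second, the slower ns-public record is, so the set of servers whose answers matter for a name grows from "the first to reply" to "every configured server".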
