<div dir="ltr"><br><div class="gmail_quote">On Tue, Aug 5, 2008 at 1:22 PM, Michael Tokarev <span dir="ltr"><<a href="mailto:mjt@tls.msk.ru">mjt@tls.msk.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d"><a href="mailto:askthelist@gmail.com">askthelist@gmail.com</a> wrote:<br>
> rbldnsd is returning "Not Implemented" in responses to requests in<br>
> which the DNS AA (Authoritative Answer) bit is set... This may seem<br>
> strange and an odd request, but Is there a way to configure rbldnsd to<br>
> ignore this bit in requests and respond to the query anyway? If there is<br>
<br>
</div>Yes indeed this is strange, more than strange.</blockquote><div><br>Truth is stranger than fiction sometimes... <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
<br>
This bit is used for ANSWERS (as it's authoritative ANSWER), it can't<br>
be set in queries. Just like some other bits, like RA (recursion available).</blockquote><div><br>According to RFC 1035 this should be illegal, yet our Microsoft DNS servers with forwards to our local rbldnsd's recently began sending queries with this bit set. Not sure if it has anything to do with the recent DNS patches that were released, but... Here's a debug that shows the bit being set...<br>
<pre>
20080804 21:30:35 728 PACKET 0000000002722CA0 UDP Snd x.x.x.x d42a Q [0004 A NOERROR] A (3)cnn(3)net(5)multi(5)surbl(3)org(0)
UDP question info
  Socket = 4740, recvd on port (65535)
  Remote addr x.x.x.x, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0029 (41)
Message:
  XID 0xd42a
  Flags 0x0400
  QR 0 (QUESTION)
  <strong>OPCODE 0 (QUERY)</strong>
  <strong>AA 1</strong>
  TC 0
  RD 0
  RA 0
  Z 0
  RCODE 0 (NOERROR)
  QCOUNT 1
  ACOUNT 0
  NSCOUNT 0
  ARCOUNT 0
  QUESTION SECTION:
  Offset = 0x000c, RR count = 0
  Name "(3)cnn(3)net(5)multi(5)surbl(3)org(0)"
  QTYPE A (1)
  QCLASS 1
  ANSWER SECTION:
  empty
  AUTHORITY SECTION:
  empty
  ADDITIONAL SECTION:
  empty
</pre></div>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<div class="Ih2E3d"><br>
> I couldn't find it and haven't been able to find much documentation on the<br>
> subject. I've sifted through the source code and it seems the relevant<br>
> code would be in the rbldnsd_packet.c/dns.h source files but since my C<br>
> skills are non-existent it would be great if someone can provide a hack<br>
> for me to implement this...<br>
<br>
</div>There's no config option for this, and yes it's in the source. In<br>
rbldnsd_packet.c file, in function named replypacket(), there's this<br>
code:<br>
<br>
<pre>
if (h[p_f1] &amp; (pf1_opcode | pf1_aa | pf1_tc | pf1_qr)) {  /* non-zero opcode, or AA/TC/QR set in a query */
    h[p_f1] = pf1_qr;
    refuse(DNS_R_NOTIMPL);
}
</pre></blockquote><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
You can just comment it out. But this is WRONG. In a way similar to<br>
the way it drops packets when QR flag is set -- ie, when it's a<br>
reply, not a query. Imagine someone sends out a query with a fake<br>
source address equal to the address of the server itself -- the server<br>
replies to this packet, and the reply goes back to the same server,<br>
which now interprets the reply as new query and replies to it and<br>
so on ad infinitum... The bit you're talking about should NEVER, EVER<br>
be set in a query, and no sane DNS client software will set it.<br>
Something's seriously wrong on your client side.</blockquote><div><br>Great, thanks for the info. I saw that bit of code but was unsure how to manipulate it the way I needed to without breaking anything. I just need a band-aid until our vendor (Microsoft) can figure out why our server is behaving in this way and provide us either a solution or a workaround before our servers start getting banned from making too many DNS requests...<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<br>
And by the way, returning NOTIMPL here is questionable as well --<br>
maybe FORMERR is better. But in any way it's a clear error,<br>
clearly wrong packet, and I don't know how to implement its<br>
processing...<br>
<br>
/mjt</blockquote><div><br>Thanks. <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
_______________________________________________<br>
rbldnsd mailing list<br>
<a href="mailto:rbldnsd@corpit.ru">rbldnsd@corpit.ru</a><br>
<a href="http://www.corpit.ru/mailman/listinfo/rbldnsd" target="_blank">http://www.corpit.ru/mailman/listinfo/rbldnsd</a><br>
</blockquote></div><br></div>
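<p>As an added illustration (not rbldnsd's own code, and not from the thread), the C below decodes the 16-bit flags word of a DNS header and applies the same check as the quoted replypacket() snippet: a packet with QR, a non-zero opcode, AA or TC set is not a plain query, so it is rewritten into a NOTIMPL response with only QR set, which is what the server sends back. Flag masks follow RFC 1035 section 4.1.1; the 0x0400 flags word is the one from the debug dump above, and the helper names (check_query_header, run_check, is_clean_query, flags_after_check) are this example's own.</p>

```c
/* Added example (not rbldnsd's own code): decode the DNS header flags word and
 * apply the check the quoted replypacket() snippet performs. RFC 1035 s4.1.1. */
#include <stdint.h>
#include <stdio.h>

#define F_QR     0x8000u  /* 0 = query, 1 = response */
#define F_OPCODE 0x7800u  /* non-zero: not a standard QUERY */
#define F_AA     0x0400u  /* authoritative answer: only meaningful in a response */
#define F_TC     0x0200u  /* truncated; RD (0x0100) is the one flag clients set */
#define RCODE_NOTIMPL 4u

/* Returns 1 if hdr is a plain query. Otherwise returns 0 and, like replypacket(),
 * rewrites the flags in place into a response with only QR and RCODE NOTIMPL. */
int check_query_header(uint8_t *hdr, size_t len)
{
    if (len < 12)                          /* shorter than a DNS header */
        return 0;
    uint16_t flags = (uint16_t)((hdr[2] << 8) | hdr[3]);
    if (flags & (F_QR | F_OPCODE | F_AA | F_TC)) {
        uint16_t reply = F_QR | RCODE_NOTIMPL;   /* 0x8004 */
        hdr[2] = (uint8_t)(reply >> 8);
        hdr[3] = (uint8_t)(reply & 0xffu);
        return 0;
    }
    return 1;
}

/* Build a constructed header (XID 0xd42a, QDCOUNT 1, as in the dump above) with
 * the given flags and run the check; *after, if not NULL, gets the resulting flags. */
int run_check(uint16_t flags, uint16_t *after)
{
    uint8_t hdr[12] = { 0xd4, 0x2a, 0, 0, 0x00, 0x01, 0, 0, 0, 0, 0, 0 };
    hdr[2] = (uint8_t)(flags >> 8);
    hdr[3] = (uint8_t)(flags & 0xffu);
    int ok = check_query_header(hdr, sizeof hdr);
    if (after)
        *after = (uint16_t)((hdr[2] << 8) | hdr[3]);
    return ok;
}

int is_clean_query(uint16_t flags) { return run_check(flags, NULL); }
uint16_t flags_after_check(uint16_t f) { uint16_t a = 0; run_check(f, &a); return a; }

int main(void)
{
    /* 0x0400 is the flags word in the Windows DNS debug dump: AA set in a query */
    printf("0x0400 -> %s, reply flags 0x%04x\n",
           is_clean_query(0x0400) ? "accepted" : "refused", flags_after_check(0x0400));
    return 0;
}
```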