1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
|
Network Working Group A. Kumar
Request for Comments: 1536 J. Postel
Category: Informational C. Neuman
ISI
P. Danzig
S. Miller
USC
October 1993
Common DNS Implementation Errors and Suggested Fixes
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard. Distribution of this memo is
unlimited.
Abstract
This memo describes common errors seen in DNS implementations and
suggests some fixes. Where applicable, violations of recommendations
from STD 13, RFC 1034 and STD 13, RFC 1035 are mentioned. The memo
also describes, where relevant, the algorithms followed in BIND
(versions 4.8.3 and 4.9 which the authors referred to) to serve as an
example.
Introduction
The last few years have seen, virtually, an explosion of DNS traffic
on the NSFnet backbone. Various DNS implementations and various
versions of these implementations interact with each other, producing
huge amounts of unnecessary traffic. Attempts are being made by
researchers all over the internet, to document the nature of these
interactions, the symptomatic traffic patterns and to devise remedies
for the sick pieces of software.
This draft is an attempt to document fixes for known DNS problems so
people know what problems to watch out for and how to repair broken
software.
1. Fast Retransmissions
DNS implements the classic request-response scheme of client-server
interaction. UDP is, therefore, the chosen protocol for communication
though TCP is used for zone transfers. The onus of requerying in case
no response is seen in a "reasonable" period of time, lies with the
client. Although RFC 1034 and 1035 do not recommend any
Kumar, Postel, Neuman, Danzig & Miller [Page 1]
RFC 1536 Common DNS Implementation Errors October 1993
retransmission policy, RFC 1035 does recommend that the resolvers
should cycle through a list of servers. Both name servers and stub
resolvers should, therefore, implement some kind of a retransmission
policy based on round trip time estimates of the name servers. The
client should back-off exponentially, probably to a maximum timeout
value.
However, clients might not implement either of the two. They might
not wait a sufficient amount of time before retransmitting or they
might not back-off their inter-query times sufficiently.
Thus, what the server would see will be a series of queries from the
same querying entity, spaced very close together. Of course, a
correctly implemented server discards all duplicate queries but the
queries contribute to wide-area traffic, nevertheless.
We classify a retransmission of a query as a pure Fast retry timeout
problem when a series of query packets meet the following conditions.
a. Query packets are seen within a time less than a "reasonable
waiting period" of each other.
b. No response to the original query was seen i.e., we see two or
more queries, back to back.
c. The query packets share the same query identifier.
d. The server eventually responds to the query.
A GOOD IMPLEMENTATION:
BIND (we looked at versions 4.8.3 and 4.9) implements a good
retransmission algorithm which solves or limits all of these
problems. The Berkeley stub-resolver queries servers at an interval
that starts at the greater of 4 seconds and 5 seconds divided by the
number of servers the resolver queries. The resolver cycles through
servers and at the end of a cycle, backs off the time out
exponentially.
The Berkeley full-service resolver (built in with the program
"named") starts with a time-out equal to the greater of 4 seconds and
two times the round-trip time estimate of the server. The time-out
is backed off with each cycle, exponentially, to a ceiling value of
45 seconds.
Kumar, Postel, Neuman, Danzig & Miller [Page 2]
RFC 1536 Common DNS Implementation Errors October 1993
FIXES:
a. Estimate round-trip times or set a reasonably high initial
time-out.
b. Back-off timeout periods exponentially.
c. Yet another fundamental though difficult fix is to send the
client an acknowledgement of a query, with a round-trip time
estimate.
Since UDP is used, no response is expected by the client until the
query is complete. Thus, it is less likely to have information about
previous packets on which to estimate its back-off time. Unless, you
maintain state across queries, so subsequent queries to the same
server use information from previous queries. Unfortunately, such
estimates are likely to be inaccurate for chained requests since the
variance is likely to be high.
The fix chosen in the ARDP library used by Prospero is that the
server will send an initial acknowledgement to the client in those
cases where the server expects the query to take a long time (as
might be the case for chained queries). This initial acknowledgement
can include an expected time to wait before retrying.
This fix is more difficult since it requires that the client software
also be trained to expect the acknowledgement packet. This, in an
internet of millions of hosts is at best a hard problem.
2. Recursion Bugs
When a server receives a client request, it first looks up its zone
data and the cache to check if the query can be answered. If the
answer is unavailable in either place, the server seeks names of
servers that are more likely to have the information, in its cache or
zone data. It then does one of two things. If the client desires the
server to recurse and the server architecture allows recursion, the
server chains this request to these known servers closest to the
queried name. If the client doesn't seek recursion or if the server
cannot handle recursion, it returns the list of name servers to the
client assuming the client knows what to do with these records.
The client queries this new list of name servers to get either the
answer, or names of another set of name servers to query. This
process repeats until the client is satisfied. Servers might also go
through this chaining process if the server returns a CNAME record
for the queried name. Some servers reprocess this name to try and get
the desired record type.
Kumar, Postel, Neuman, Danzig & Miller [Page 3]
RFC 1536 Common DNS Implementation Errors October 1993
However, in certain cases, this chain of events may not be good. For
example, a broken or malicious name server might list itself as one
of the name servers to query again. The unsuspecting client resends
the same query to the same server.
In another situation, more difficult to detect, a set of servers
might form a loop wherein A refers to B and B refers to A. This loop
might involve more than two servers.
Yet another error is where the client does not know how to process
the list of name servers returned, and requeries the same server
since that is one (of the few) servers it knows.
We, therefore, classify recursion bugs into three distinct
categories:
a. Ignored referral: Client did not know how to handle NS records
in the AUTHORITY section.
b. Too many referrals: Client called on a server too many times,
beyond a "reasonable" number, with same query. This is
different from a Fast retransmission problem and a Server
Failure detection problem in that a response is seen for every
query. Also, the identifiers are always different. It implies
client is in a loop and should have detected that and broken
it. (RFC 1035 mentions that client should not recurse beyond
a certain depth.)
c. Malicious Server: a server refers to itself in the authority
section. If a server does not have an answer now, it is very
unlikely it will be any better the next time you query it,
specially when it claims to be authoritative over a domain.
RFC 1034 warns against such situations, on page 35.
"Bound the amount of work (packets sent, parallel processes
started) so that a request can't get into an infinite loop or
start off a chain reaction of requests or queries with other
implementations EVEN IF SOMEONE HAS INCORRECTLY CONFIGURED
SOME DATA."
A GOOD IMPLEMENTATION:
BIND fixes at least one of these problems. It places an upper limit
on the number of recursive queries it will make, to answer a
question. It chases a maximum of 20 referral links and 8 canonical
name translations.
Kumar, Postel, Neuman, Danzig & Miller [Page 4]
RFC 1536 Common DNS Implementation Errors October 1993
FIXES:
a. Set an upper limit on the number of referral links and CNAME
links you are willing to chase.
Note that this is not guaranteed to break only recursion loops.
It could, in a rare case, prune off a very long search path,
prematurely. We know, however, with high probability, that if
the number of links cross a certain metric (two times the depth
of the DNS tree), it is a recursion problem.
b. Watch out for self-referring servers. Avoid them whenever
possible.
c. Make sure you never pass off an authority NS record with your
own name on it!
d. Fix clients to accept iterative answers from servers not built
to provide recursion. Such clients should either be happy with
the non-authoritative answer or be willing to chase the
referral links themselves.
3. Zero Answer Bugs:
Name servers sometimes return an authoritative NOERROR with no
ANSWER, AUTHORITY or ADDITIONAL records. This happens when the
queried name is valid but it does not have a record of the desired
type. Of course, the server has authority over the domain.
However, once again, some implementations of resolvers do not
interpret this kind of a response reasonably. They always expect an
answer record when they see an authoritative NOERROR. These entities
continue to resend their queries, possibly endlessly.
A GOOD IMPLEMENTATION
BIND resolver code does not query a server more than 3 times. If it
is unable to get an answer from 4 servers, querying them three times
each, it returns error.
Of course, it treats a zero-answer response the way it should be
treated; with respect!
FIXES:
a. Set an upper limit on the number of retransmissions for a given
query, at the very least.
Kumar, Postel, Neuman, Danzig & Miller [Page 5]
RFC 1536 Common DNS Implementation Errors October 1993
b. Fix resolvers to interpret such a response as an authoritative
statement of non-existence of the record type for the given
name.
4. Inability to detect server failure:
Servers in the internet are not very reliable (they go down every
once in a while) and resolvers are expected to adapt to the changed
scenario by not querying the server for a while. Thus, when a server
does not respond to a query, resolvers should try another server.
Also, non-stub resolvers should update their round trip time estimate
for the server to a large value so that server is not tried again
before other, faster servers.
Stub resolvers, however, cycle through a fixed set of servers and if,
unfortunately, a server is down while others do not respond for other
reasons (high load, recursive resolution of query is taking more time
than the resolver's time-out, ....), the resolver queries the dead
server again! In fact, some resolvers might not set an upper limit on
the number of query retransmissions they will send and continue to
query dead servers indefinitely.
Name servers running system or chained queries might also suffer from
the same problem. They store names of servers they should query for a
given domain. They cycle through these names and in case none of them
answers, hit each one more than one. It is, once again, important
that there be an upper limit on the number of retransmissions, to
prevent network overload.
This behavior is clearly in violation of the dictum in RFC 1035 (page
46)
"If a resolver gets a server error or other bizarre response
from a name server, it should remove it from SLIST, and may
wish to schedule an immediate transmission to the next
candidate server address."
Removal from SLIST implies that the server is not queried again for
some time.
Correctly implemented full-service resolvers should, as pointed out
before, update round trip time values for servers that do not respond
and query them only after other, good servers. Full-service resolvers
might, however, not follow any of these common sense directives. They
query dead servers, and they query them endlessly.
Kumar, Postel, Neuman, Danzig & Miller [Page 6]
RFC 1536 Common DNS Implementation Errors October 1993
A GOOD IMPLEMENTATION:
BIND places an upper limit on the number of times it queries a
server. Both the stub-resolver and the full-service resolver code do
this. Also, since the full-service resolver estimates round-trip
times and sorts name server addresses by these estimates, it does not
query a dead server again, until and unless all the other servers in
the list are dead too! Further, BIND implements exponential back-off
too.
FIXES:
a. Set an upper limit on number of retransmissions.
b. Measure round-trip time from servers (some estimate is better
than none). Treat no response as a "very large" round-trip
time.
c. Maintain a weighted rtt estimate and decay the "large" value
slowly, with time, so that the server is eventually tested
again, but not after an indefinitely long period.
d. Follow an exponential back-off scheme so that even if you do
not restrict the number of queries, you do not overload the
net excessively.
5. Cache Leaks:
Every resource record returned by a server is cached for TTL seconds,
where the TTL value is returned with the RR. Full-service (or stub)
resolvers cache the RR and answer any queries based on this cached
information, in the future, until the TTL expires. After that, one
more query to the wide-area network gets the RR in cache again.
Full-service resolvers might not implement this caching mechanism
well. They might impose a limit on the cache size or might not
interpret the TTL value correctly. In either case, queries repeated
within a TTL period of a RR constitute a cache leak.
A GOOD/BAD IMPLEMENTATION:
BIND has no restriction on the cache size and the size is governed by
the limits on the virtual address space of the machine it is running
on. BIND caches RRs for the duration of the TTL returned with each
record.
It does, however, not follow the RFCs with respect to interpretation
of a 0 TTL value. If a record has a TTL value of 0 seconds, BIND uses
Kumar, Postel, Neuman, Danzig & Miller [Page 7]
RFC 1536 Common DNS Implementation Errors October 1993
the minimum TTL value, for that zone, from the SOA record and caches
it for that duration. This, though it saves some traffic on the
wide-area network, is not correct behavior.
FIXES:
a. Look over your caching mechanism to ensure TTLs are interpreted
correctly.
b. Do not restrict cache sizes (come on, memory is cheap!).
Expired entries are reclaimed periodically, anyway. Of course,
the cache size is bound to have some physical limit. But, when
possible, this limit should be large (run your name server on
a machine with a large amount of physical memory).
c. Possibly, a mechanism is needed to flush the cache, when it is
known or even suspected that the information has changed.
6. Name Error Bugs:
This bug is very similar to the Zero Answer bug. A server returns an
authoritative NXDOMAIN when the queried name is known to be bad, by
the server authoritative for the domain, in the absence of negative
caching. This authoritative NXDOMAIN response is usually accompanied
by the SOA record for the domain, in the authority section.
Resolvers should recognize that the name they queried for was a bad
name and should stop querying further.
Some resolvers might, however, not interpret this correctly and
continue to query servers, expecting an answer record.
Some applications, in fact, prompt NXDOMAIN answers! When given a
perfectly good name to resolve, they append the local domain to it
e.g., an application in the domain "foo.bar.com", when trying to
resolve the name "usc.edu" first tries "usc.edu.foo.bar.com", then
"usc.edu.bar.com" and finally the good name "usc.edu". This causes at
least two queries that return NXDOMAIN, for every good query. The
problem is aggravated since the negative answers from the previous
queries are not cached. When the same name is sought again, the
process repeats.
Some DNS resolver implementations suffer from this problem, too. They
append successive sub-parts of the local domain using an implicit
searchlist mechanism, when certain conditions are satisfied and try
the original name, only when this first set of iterations fails. This
behavior recently caused pandemonium in the Internet when the domain
"edu.com" was registered and a wildcard "CNAME" record placed at the
Kumar, Postel, Neuman, Danzig & Miller [Page 8]
RFC 1536 Common DNS Implementation Errors October 1993
top level. All machines from "com" domains trying to connect to hosts
in the "edu" domain ended up with connections to the local machine in
the "edu.com" domain!
GOOD/BAD IMPLEMENTATIONS:
Some local versions of BIND already implement negative caching. They
typically cache negative answers with a very small TTL, sufficient to
answer a burst of queries spaced close together, as is typically
seen.
The next official public release of BIND (4.9.2) will have negative
caching as an ifdef'd feature.
The BIND resolver appends local domain to the given name, when one of
two conditions is met:
i. The name has no periods and the flag RES_DEFNAME is set.
ii. There is no trailing period and the flag RES_DNSRCH is set.
The flags RES_DEFNAME and RES_DNSRCH are default resolver options, in
BIND, but can be changed at compile time.
Only if the name, so generated, returns an NXDOMAIN is the original
name tried as a Fully Qualified Domain Name. And only if it contains
at least one period.
FIXES:
a. Fix the resolver code.
b. Negative Caching. Negative caching servers will restrict the
traffic seen on the wide-area network, even if not curb it
altogether.
c. Applications and resolvers should not append the local domain to
names they seek to resolve, as far as possible. Names
interspersed with periods should be treated as Fully Qualified
Domain Names.
In other words, Use searchlists only when explicitly specified.
No implicit searchlists should be used. A name that contains
any dots should first be tried as a FQDN and if that fails, with
the local domain name (or searchlist if specified) appended. A
name containing no dots can be appended with the searchlist right
away, but once again, no implicit searchlists should be used.
Kumar, Postel, Neuman, Danzig & Miller [Page 9]
RFC 1536 Common DNS Implementation Errors October 1993
Associated with the name error bug is another problem where a server
might return an authoritative NXDOMAIN, although the name is valid. A
secondary server, on start-up, reads the zone information from the
primary, through a zone transfer. While it is in the process of
loading the zones, it does not have information about them, although
it is authoritative for them. Thus, any query for a name in that
domain is answered with an NXDOMAIN response code. This problem might
not be disastrous were it not for negative caching servers that cache
this answer and so propagate incorrect information over the internet.
BAD IMPLEMENTATION:
BIND apparently suffers from this problem.
Also, a new name added to the primary database will take a while to
propagate to the secondaries. Until that time, they will return
NXDOMAIN answers for a good name. Negative caching servers store this
answer, too and aggravate this problem further. This is probably a
more general DNS problem but is apparently more harmful in this
situation.
FIX:
a. Servers should start answering only after loading all the zone
data. A failed server is better than a server handing out
incorrect information.
b. Negative cache records for a very small time, sufficient only
to ward off a burst of requests for the same bad name. This
could be related to the round-trip time of the server from
which the negative answer was received. Alternatively, a
statistical measure of the amount of time for which queries
for such names are received could be used. Minimum TTL value
from the SOA record is not advisable since they tend to be
pretty large.
c. A "PUSH" (or, at least, a "NOTIFY") mechanism should be allowed
and implemented, to allow the primary server to inform
secondaries that the database has been modified since it last
transferred zone data. To alleviate the problem of "too many
zone transfers" that this might cause, Incremental Zone
Transfers should also be part of DNS. Also, the primary should
not NOTIFY/PUSH with every update but bunch a good number
together.
Kumar, Postel, Neuman, Danzig & Miller [Page 10]
RFC 1536 Common DNS Implementation Errors October 1993
7. Format Errors:
Some resolvers issue query packets that do not necessarily conform to
standards as laid out in the relevant RFCs. This unnecessarily
increases net traffic and wastes server time.
FIXES:
a. Fix resolvers.
b. Each resolver verify format of packets before sending them out,
using a mechanism outside of the resolver. This is, obviously,
needed only if step 1 cannot be followed.
References
[1] Mockapetris, P., "Domain Names Concepts and Facilities", STD 13,
RFC 1034, USC/Information Sciences Institute, November 1987.
[2] Mockapetris, P., "Domain Names Implementation and Specification",
STD 13, RFC 1035, USC/Information Sciences Institute, November
1987.
[3] Partridge, C., "Mail Routing and the Domain System", STD 14, RFC
974, CSNET CIC BBN, January 1986.
[4] Gavron, E., "A Security Problem and Proposed Correction With
Widely Deployed DNS Software", RFC 1535, ACES Research Inc.,
October 1993.
[5] Beertema, P., "Common DNS Data File Configuration Errors", RFC
1537, CWI, October 1993.
Security Considerations
Security issues are not discussed in this memo.
Kumar, Postel, Neuman, Danzig & Miller [Page 11]
RFC 1536 Common DNS Implementation Errors October 1993
Authors' Addresses
Anant Kumar
USC Information Sciences Institute
4676 Admiralty Way
Marina Del Rey CA 90292-6695
Phone:(310) 822-1511
FAX: (310) 823-6741
EMail: anant@isi.edu
Jon Postel
USC Information Sciences Institute
4676 Admiralty Way
Marina Del Rey CA 90292-6695
Phone:(310) 822-1511
FAX: (310) 823-6714
EMail: postel@isi.edu
Cliff Neuman
USC Information Sciences Institute
4676 Admiralty Way
Marina Del Rey CA 90292-6695
Phone:(310) 822-1511
FAX: (310) 823-6714
EMail: bcn@isi.edu
Peter Danzig
Computer Science Department
University of Southern California
University Park
EMail: danzig@caldera.usc.edu
Steve Miller
Computer Science Department
University of Southern California
University Park
Los Angeles CA 90089
EMail: smiller@caldera.usc.edu
Kumar, Postel, Neuman, Danzig & Miller [Page 12]
|