note to myself — why DNS ANY queries are a bad thing
Alright, I’m abusing my blog as a bookmarking tool again…
Last week a colleague of mine hit a problem in his Java code while trying to resolve mail exchanger (MX) hostnames. He tried to get both A and AAAA records at the same time with the Java DNS library (JNDI) and found that he sometimes got back only a SOA reply: the library was issuing ANY queries so it could accomplish the task with just one DNS query.
This is an error! ;-)
Bert Hubert pointed me to this thread on the question of whether a recursive nameserver should recurse for all records upon an ANY query, or just answer from its cache if it already has something for the qname.
As Edward Lewis put it:
I’ll nominate section 5.3.3. of rfc 1034:
5.3.3. Algorithm
The top level algorithm has four steps:
1. See if the answer is in local information, and if so return it to the client.…
T_ANY is at best a debugging tool. It has been used in the past to get mail records I think, but really, T_ANY is just for debugging and others trying to abuse the service.
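To make the failure mode concrete, here is a toy model (added for this note, not code from the thread, from JNDI or from any real resolver) of the RFC 1034 step-1 behaviour quoted above: a recursive resolver whose cache is keyed by (qname, qtype) answers an ANY query with whatever it already holds for the name, so a client that has only seen a TXT lookup so far gets back only TXT, while explicit A and AAAA queries each miss the cache and are fetched. The zone data, the hostname and the cache contents are all constructed.

```python
"""Toy model of RFC 1034 section 5.3.3 step 1 applied to ANY queries.

Added example, not part of the original post. It models a recursive
resolver whose cache is keyed by (qname, qtype): an ordinary qtype is
answered from cache or fetched on a miss; ANY is answered from whatever is
cached for the name and only fetched upstream when nothing is cached.
All names, addresses and zone data below are constructed.
"""
from collections import defaultdict

# Constructed authoritative data for a hypothetical zone.
AUTHORITATIVE = {
    ("mx1.example.test.", "A"): ["192.0.2.25"],
    ("mx1.example.test.", "AAAA"): ["2001:db8::25"],
    ("mx1.example.test.", "TXT"): ["v=spf1 -all"],
}


class ToyResolver:
    def __init__(self):
        self.cache = defaultdict(list)  # (qname, qtype) -> list of rdata
        self.upstream_queries = []      # record of what was fetched upstream

    def _fetch(self, qname, qtype):
        """Recurse for one (qname, qtype) and cache whatever comes back."""
        self.upstream_queries.append((qname, qtype))
        rrs = AUTHORITATIVE.get((qname, qtype), [])
        if rrs:
            self.cache[(qname, qtype)] = list(rrs)
        return rrs

    def query(self, qname, qtype):
        if qtype == "ANY":
            # Step 1: anything already cached for this name counts as "the answer".
            cached = {t: list(r) for (n, t), r in self.cache.items()
                      if n == qname and r}
            if cached:
                return cached
            # Cold cache: fetch ANY upstream; an authoritative server answers
            # ANY with every type it holds at the name.
            self.upstream_queries.append((qname, "ANY"))
            found = {}
            for (n, t), r in AUTHORITATIVE.items():
                if n == qname:
                    self.cache[(n, t)] = list(r)
                    found[t] = list(r)
            return found
        rrs = self.cache.get((qname, qtype))
        if rrs:
            return {qtype: list(rrs)}
        rrs = self._fetch(qname, qtype)
        return {qtype: list(rrs)} if rrs else {}


def resolve_with_any(resolver, name):
    """What the single-query approach gets: whatever the cache happens to hold."""
    return resolver.query(name, "ANY")


def resolve_a_and_aaaa(resolver, name):
    """The reliable approach: one explicit query per address type."""
    out = {}
    for qtype in ("A", "AAAA"):
        out.update(resolver.query(name, qtype))
    return out


def demo():
    # Scenario: the resolver has only handled a TXT lookup for the MX host so far.
    r = ToyResolver()
    r.query("mx1.example.test.", "TXT")
    via_any = resolve_with_any(r, "mx1.example.test.")        # partial: TXT only
    via_explicit = resolve_a_and_aaaa(r, "mx1.example.test.")  # both addresses
    return via_any, via_explicit


if __name__ == "__main__":
    partial, complete = demo()
    print("ANY from warm cache:", partial)
    print("explicit A + AAAA:  ", complete)
```

The point of the model is that the ANY result depends entirely on what other clients happened to ask the resolver earlier; the explicit A and AAAA lookups cost one extra round trip but always return the records that exist.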