PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

PDNS auth blocking creation of looping records within a zone #14354

Open GuyT2002 opened 4 months ago

GuyT2002 commented 4 months ago

Short description

When creating the following records in a zone, and having [::1]:53 as resolver with pdns.conf, the AUTH server will loop forever and spam itself to the point of answering all queries slowly (200-600 ms on average). Records:

ZONE: clients.np.med.org

RECORDS:
* CNAME Active 300 clients.np.med.org
@ ALIAS Active 300 mail.clients.np.med.org

Now when querying the zone itself (clients.np.med.org) the PDNS auth server will be stuck querying itself:

[root@prod-auth-in-1 ~]# sudo tcpdump -i any port 53 
12:12:27.584591 IP6 ::1.41899 > ::1.53: 16115+ AAAA? mail.clients.np.med.org (45)
12:12:27.585919 IP6 ::1.41899 > ::1.53: 15091+ AAAA? mail.clients.np.med.org (45)
12:12:27.587250 IP6 ::1.41899 > ::1.53: 15347+ AAAA? mail.clients.np.med.org (45)

Usecase

PDNS auth not allowing closed-loop records to be created.

Description

When clients which are not the DNS server hosts can create records, they don't have a chance at DoSing the auth so immensely.
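A pre-commit check that a zone editor could run to reject such records before they reach the server, as an added example that is not PowerDNS code. It walks CNAME/ALIAS targets within the zone (exact owner first, then the `*` wildcard, as the report's records require) and reports any chain that returns to a name it has already visited; the record set below is constructed from the two records in the report.

```python
from typing import List, Optional, Tuple

# Constructed zone data modelled on the records in the report.
ZONE = "clients.np.med.org"
RECORDS: List[Tuple[str, str, str]] = [
    # (owner, type, target)
    ("*", "CNAME", "clients.np.med.org"),
    ("@", "ALIAS", "mail.clients.np.med.org"),
]
REDIRECTING = ("CNAME", "ALIAS")


def canonical(owner: str, zone: str) -> str:
    """Expand a relative owner ('@', '*', 'www') to a full name in the zone."""
    return zone if owner == "@" else f"{owner}.{zone}"


def lookup(name: str, records, zone: str) -> Optional[str]:
    """Return the CNAME/ALIAS target that would answer `name` inside the zone:
    an exact-owner match wins, otherwise the '*' wildcard covers names below the apex."""
    for owner, rtype, target in records:
        if rtype in REDIRECTING and canonical(owner, zone) == name:
            return target
    if name != zone and name.endswith("." + zone):
        for owner, rtype, target in records:
            if rtype in REDIRECTING and owner == "*":
                return target
    return None


def find_loop(start: str, records, zone: str, max_hops: int = 16) -> Optional[List[str]]:
    """Follow redirect targets from `start`; return the chain once it revisits a
    name (a loop) or exceeds max_hops, or None when it terminates in the zone."""
    chain, seen, name = [start], {start}, start
    for _ in range(max_hops):
        target = lookup(name, records, zone)
        if target is None:
            return None
        chain.append(target)
        if target in seen:
            return chain
        seen.add(target)
        name = target
    return chain  # chain too long to be legitimate; treat it like a loop


def check_zone(records, zone: str) -> List[List[str]]:
    """Return one looping chain per CNAME/ALIAS owner that loops; empty if the zone is clean."""
    loops = []
    for owner, rtype, _ in records:
        if rtype in REDIRECTING:
            chain = find_loop(canonical(owner, zone), records, zone)
            if chain is not None:
                loops.append(chain)
    return loops
```

The check only models redirects that stay inside one zone; an ALIAS pointing outside the zone is resolved by the configured resolver and cannot be validated from the zone data alone.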

Habbie commented 4 months ago

and having [::1]:53 as resolver with pdns.conf

which is a misconfig. We should at least document that pitfall.