Difference between 'transparent' and 'nodefault' options

Hi,

I would like to know the difference between ‘transparent’ and ‘nodefault’. Transparent sounds like a soft nodefault? When there is local-data it does a lookup there, and if there is not it will continue looking for an answer, such as e.g. going through the forwarders? Is that correct? This could also mean it gets a reply from the AS112 project if the address is private, right?

Can someone also explain this sentence for me? “If no local-zone is given local-data causes a transparent zone to be created by default.” What is this transparent zone? Why would it be created and if it is created, how can I see it?

As far as I understand, nodefault is a way to use private addresses in your zone without having them ‘answered’ by the AS112 project, correct?

I have a stub-zone to an authoritative name server which has only private addresses in its zone. I guess I will need to use ‘nodefault’ for that? At the moment I use ‘transparent’, that works fine too. What kind of problems could I expect if I continue with ‘transparent’?

Sorry for all the questions… I just want to clearly understand these options, at the moment I don’t and I can’t find other sources than the man page. Thank you.

I am out of the office October 1st & 2nd and will respond to your message as quickly as possible once I return.

Amanda

I was reading a disturbing article on ways that DNS can be used to get data past firewalls and for malicious programs to communicate with a command and control center via DNS NXDOMAIN.

Right off hand I don't see a way to block this? Looking at my NXDOMAIN lookups it's quite pervasive and coming from a large number of sources. It's clearly being used by A LOT of people.

Is there a way I can use Unbound to mitigate this threat? This is a serious issue because I don't see how to block this.

https://www.plixer.com/blog/detecting-malware/security-vendors-teaching-bad-actors-how-to-get-past-firewalls/

Hi Kees,

Hi,

I would like to know the difference between 'transparent' and
'nodefault'. Transparent sounds like a soft nodefault? When there is
local-data it does a lookup there, and if there is not it will continue
looking for an answer, such as e.g. going through the forwarders? Is
that correct? This could also mean it gets a reply from the AS112
project if the address is private, right?

Yes, it performs the local-data lookup and, if not there, continues to the
upstream servers, like forwarders you have configured. This could mean
contacting servers from the AS112 project.

Unbound also has built-in answers for names from the AS112 namespace,
and the nodefault makes it not process that so you can use that query
for normal processing.

Can someone also explain this sentence for me? "If no local-zone is
given local-data causes a transparent zone to be created by default."
What is this transparent zone? Why would it be created and if it is
created, how can I see it?

As far as I understand, nodefault is a way to use private addresses in
your zone without having them 'answered' by the AS112 project, correct?

Without having them answered by the built-in namespace answers in
Unbound for names in the AS112 namespace. With that rephrase.

Transparent (and other local-zone types) implies nodefault. If you say
transparent you get also the benefits that nodefault would give.
Transparent also allows you to add local-data statements, but if you
have none, there is very little difference for you between transparent
and nodefault.

I have a stub-zone to an authoritative name server which has only
private addresses in its zone. I guess I will need to use 'nodefault'
for that? At the moment I use 'transparent', that works fine too. What
kind of problems could I expect if I continue with 'transparent'?

No, I do not expect problems, I think you would be fine.

Sorry for all the questions... I just want to clearly understand these
options, at the moment I don't and I can't find other sources than the
man page. Thank you.

Transparent also works for people who want to override like a couple of
data elements but the rest uses normal upstream processing. For zones
that are not private. Nodefault is used to turn off the built-in AS112
namespace processing, so that these private namespace names can be used.

The created transparent zone is made if you give local-data but no
local-zone statements. It is simply a higher up domain node. Not sure
how to see it, but perhaps with unbound-control. However, I don't think
you need to worry about it because you have specified the local-zone
statements.

Best regards, Wouter
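As an added illustration (not part of Wouter's reply or of the Unbound documentation), here is an unbound.conf fragment that puts the three cases from this exchange side by side: a private reverse zone switched to nodefault so a stub-zone can answer it, a transparent zone with a couple of local-data overrides, and a bare local-data line that creates the implicit transparent zone. The zone names, the 10.0.0.53 server address and the host names are constructed for the example.

```conf
server:
    # Unbound answers the AS112 (RFC 1918 reverse) zones itself unless that
    # default is switched off. nodefault does only that: the zone is no longer
    # answered locally, so queries for 10.in-addr.arpa. reach the stub-zone below.
    local-zone: "10.in-addr.arpa." nodefault

    # transparent: answer from local-data when present, otherwise resolve as
    # usual upstream. transparent implies nodefault, which is why a transparent
    # zone over a private reverse range works just as well for the stub case.
    local-zone: "168.192.in-addr.arpa." transparent
    local-data-ptr: "192.168.1.10 printer.example.internal"

    # The "transparent zone created by default": local-data without any matching
    # local-zone line makes Unbound create a transparent zone above this name
    # automatically (the "higher up domain node" in the reply above).
    local-data: "intranet.example.internal. IN A 192.168.1.20"

stub-zone:
    # Private authoritative server for the reverse zone; address is constructed.
    name: "10.in-addr.arpa."
    stub-addr: 10.0.0.53
```

To see the zones, including the implicit one, use the remote-control interface: `unbound-checkconf` validates the file, and `unbound-control list_local_zones` prints every local zone with its type, while `unbound-control list_local_data` prints the records behind them.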

This is a very serious problem. I would like insight as well.
I have noticed in my logs such activity e.g from cloudfront.net and other.

There is no silver bullet, we all know that. The domains hosting malicious programs (and their social engineering) should as far as possible not be reachable from the machines, and programs should not be able to install in a straightforward manner anyway. The known bad IP ranges should be dropped. The questionable domains should be DNS blackholed. And then what? The well known domains? What shall we do, cut off most of the internet? One may as well pull the plug, it’s faster.

Sometimes I wonder if in a few years we will be back to a hosts file with the few thousand relatively trustworthy hosts we care for. Then again, who knows what the next machine does. My packets have to hop to a next machine, I don't control the internet :frowning:

Rate limiting for NXDOMAINs can be sharper (lower threshold) to make it
unreliable as a comms path.

OMGosh. THE Paul Vixie!... I am honored you responded to my post.

Welllll.... I've done a lot of looking around and I just don't see any solution to this issue. I'm not concerned with DoS attacks, those I could deal with. I'm concerned for the stunningly stealthy 5 or 6 NXDOMAIN lookups from a scary actor. That kind of thing could transmit a small amount of really damaging info. Or.. a company using this to monitor each client with pings once a minute. The uses of this low rate communications channel are Unbounded and truly scary.

I know this has been around a long time. I'm sorry for my stunned amazement, I just ran into this.

No matter how I rack my brain, I can't think of any way around this. Short of a registry of every domain before they can be used. So nothing should ever come up NXDOMAIN. Even then, it will get abused.

Man, just when I thought I was happy with TLS 1.3 for DNS and DNSSEC. It's just never ending.
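Since rate limiting only bites on volume, the low-rate case the poster worries about (a handful of NXDOMAINs per client) is better caught by looking at the names. As an added example that is not from this thread, the Python script below groups NXDOMAIN replies per client and parent domain and flags the combination that a covert NXDOMAIN channel leaves behind: several misses whose leftmost labels are almost all different and look random (high character entropy), while a host repeatedly asking for the same nonexistent name is left alone. The log line shape follows Unbound's `log-replies: yes` format as assumed here, and the sample lines, client addresses, domain names and thresholds are constructed for the example.

```python
import math
import re
from collections import defaultdict

# Line shape assumed for Unbound's "log-replies: yes" output (assumption):
# [epoch] unbound[pid:tid] info: client qname qtype qclass rcode time fromcache size
LOG_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[[^\]]+\] info: (?P<client>\S+) (?P<qname>\S+) "
    r"(?P<qtype>\S+) (?P<qclass>\S+) (?P<rcode>\S+) "
)

# Constructed sample: one ordinary client with a single typo, one client sending
# random-looking labels under a parent it never resolves, and one misconfigured
# host repeating the same missing name (this one must not be flagged).
SAMPLE_LOG = """\
[1569851230] unbound[1234:0] info: 192.0.2.10 www.example.com. A IN NOERROR 0.012 0 56
[1569851231] unbound[1234:0] info: 192.0.2.10 mail.example.com. A IN NOERROR 0.001 1 56
[1569851232] unbound[1234:0] info: 192.0.2.10 tyop.example.com. A IN NXDOMAIN 0.020 0 90
[1569851240] unbound[1234:0] info: 198.51.100.7 q7w3e9r1t5.beacon-test.example. A IN NXDOMAIN 0.030 0 110
[1569851241] unbound[1234:0] info: 198.51.100.7 y2u8i4o6p0.beacon-test.example. A IN NXDOMAIN 0.031 0 110
[1569851242] unbound[1234:0] info: 198.51.100.7 k9j3h7g1f5.beacon-test.example. A IN NXDOMAIN 0.029 0 110
[1569851243] unbound[1234:0] info: 198.51.100.7 z4x8c2v6b0.beacon-test.example. A IN NXDOMAIN 0.030 0 110
[1569851244] unbound[1234:0] info: 198.51.100.7 m1n5l9k3j7.beacon-test.example. A IN NXDOMAIN 0.032 0 110
[1569851245] unbound[1234:0] info: 198.51.100.7 s6d2f8g4h0.beacon-test.example. A IN NXDOMAIN 0.030 0 110
[1569851250] unbound[1234:0] info: 10.0.0.5 wpad.corp. A IN NXDOMAIN 0.001 1 80
[1569851260] unbound[1234:0] info: 10.0.0.5 wpad.corp. A IN NXDOMAIN 0.001 1 80
[1569851270] unbound[1234:0] info: 10.0.0.5 wpad.corp. A IN NXDOMAIN 0.001 1 80
[1569851280] unbound[1234:0] info: 10.0.0.5 wpad.corp. A IN NXDOMAIN 0.001 1 80
[1569851290] unbound[1234:0] info: 10.0.0.5 wpad.corp. A IN NXDOMAIN 0.001 1 80
[1569851300] unbound[1234:0] info: 10.0.0.5 wpad.corp. A IN NXDOMAIN 0.001 1 80
"""


def shannon_entropy(label: str) -> float:
    """Bits per character of the label; random-looking labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_replies(log_text: str):
    """Yield one dict per line that matches the assumed log-replies shape."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def split_name(qname: str):
    """Return (leftmost label, parent domain). The parent is approximated as the
    last two labels; a public-suffix list would be the production choice."""
    labels = qname.rstrip(".").split(".")
    parent = ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]
    return labels[0], parent


def find_nxdomain_suspects(log_text: str, min_nxdomain: int = 5,
                           min_distinct_ratio: float = 0.8,
                           min_entropy: float = 3.0):
    """Flag (client, parent) pairs whose NXDOMAIN stream is both numerous and
    made of mostly unique, high-entropy labels. Thresholds are illustrative."""
    buckets = defaultdict(list)  # (client, parent) -> leftmost labels of misses
    for rec in parse_replies(log_text):
        if rec["rcode"] != "NXDOMAIN":
            continue
        label, parent = split_name(rec["qname"])
        buckets[(rec["client"], parent)].append(label)

    findings = []
    for (client, parent), labels in sorted(buckets.items()):
        if len(labels) < min_nxdomain:
            continue  # too few misses to say anything
        distinct_ratio = len(set(labels)) / len(labels)
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        # A host retrying one missing name has a low distinct ratio and is skipped.
        if distinct_ratio >= min_distinct_ratio and mean_entropy >= min_entropy:
            findings.append({
                "client": client,
                "parent": parent,
                "nxdomain": len(labels),
                "distinct_ratio": distinct_ratio,
                "mean_entropy": mean_entropy,
            })
    return findings


if __name__ == "__main__":
    for f in find_nxdomain_suspects(SAMPLE_LOG):
        print(f"{f['client']} -> {f['parent']}: {f['nxdomain']} NXDOMAIN, "
              f"distinct={f['distinct_ratio']:.2f}, entropy={f['mean_entropy']:.2f}")
```

Feed it a real `log-replies` file and tune the three thresholds to the local baseline before acting on hits: typo-prone users and Chrome-style random probe names can push the entropy figure up, and on a busy resolver the parent-domain grouping is what keeps the signal usable, since the channel needs all its labels under one zone the operator controls.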