Unbound refuses to respons non-recursive queries

send a non-recursive query to an unbound recursor and get a response with rcode REFUSED while whithout RA set.
lthis is the following
query:
dig +norecurse tianya.cn @unbound.recurse.ns
response:

; <<>> DiG 9.7.2-P2 <<>> +norecurse tianya.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 47807
;; flags: qr; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 19 11:39:58 2011
;; MSG SIZE rcvd: 12

I want to know why unbound does refuse to resonse and why it does not set ra bit.

regards
2011-05-19

(attachments)

liumingxing@cnnic.cn.jpg150×200 11.2 KB

unbound is not an authoritative server. It should only see recursive queries.

Paul

Paul Wouters wrote:

>send a non-recursive query to an unbound recursor and get a response with
>rcode REFUSED while whithout RA set.
>lthis is the following
>query:
> dig +norecurse tianya.cn @unbound.recurse.ns

unbound is not an authoritative server. It should only see recursive queries.

RD bit cleared towards a recursive server is a cache snooping attempt.
cache snooping is not enabled by default in unbound.

   access-control: <IP netblock> <action>
      The netblock is given as an IP4 or IP6 address with /size appended
      for a classless network block. The action can be deny, refuse,
      allow or allow_snoop.
   [...]
      The action allow_snoop gives nonrecursive access too. This
      give both recursive and non recursive access. The name
      allow_snoop refers to cache snooping, a technique to use
      nonrecursive queries to examine the cache contents (for malicious
      acts). However, nonrecursive queries can also be a valuable
      debugging tool (when you want to examine the cache contents).
      In that case use allow_snoop for your administration host.

Or just someone invoking { dig +trace }, which normally talks only to
auth servers but leaves RD cleared for the priming query to the local
cache to find the root servers.

Yes, it's a bug in dig(1), but dig(1) is widespread.

This was the only glitch I encountered when deploying unbound.

The ideal pragmatic response would be to treat RD cleared for queries
for "." specially, defaulting the ACL for that to be the same as that
for making recursive queries -- there's no privacy implications for
letting someone query the root server list, so no reason to lock it down
to a smaller group than can issue recursive queries.

But it's unclean bug-compatibility and perhaps not worth the
administrative complexity of another special-case.

-Phil

Phil Pennock wrote:

Paul Wouters wrote:

unbound is not an authoritative server. It should only see recursive queries.

btw, i noticed that unbound seems not to echo the question section in
REFUSED answers:

    query: [17 octets]
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 6493
    ;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;. IN NS

    ;; ANSWER SECTION:

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:

RD bit cleared towards a recursive server is a cache snooping attempt.

i do DNS debugging, i'm clearly a criminal:

      give both recursive and non recursive access. The name
      allow_snoop refers to cache snooping, a technique to use
      nonrecursive queries to examine the cache contents (for malicious

baby, bathwater.

-Peter

Peter Koch wrote:

> RD bit cleared towards a recursive server is a cache snooping attempt.

i do DNS debugging, i'm clearly a criminal:

i do DNS debugging too, but not with so crude a tool as cache snooping

> give both recursive and non recursive access. The name
> allow_snoop refers to cache snooping, a technique to use
> nonrecursive queries to examine the cache contents (for malicious

baby, bathwater.

well, the man page could be less judgmental but i see no reason for a
debugging feature like cache snooping to be enabled by default.