[BALUG-Admin] NOTIFY should only ever come from

Michael Paoli michael.paoli@berkeley.edu
Wed Jun 5 04:19:04 UTC 2024


Uhm, ... almost exactly correct.  ;-)

One would think that ... but that's not quite how many/most DNS servers
and their software behave and/or behave by default (and is often quite
configurable too).
Many will, by default, issue NOTIFY from all authoritative nameservers.
At first that might seem odd, but, I believe the logic goes about like this:
the overhead is low
clients that don't care can/will (mostly) ignore
an authoritative server (whether primary or secondary) has no way of knowing
how other authoritatives downstream of it are configured, so, e.g.,
some authoritatives may only get their data via other secondary(/ies),
and not direct from the master, etc.
So, DNS, etc., trying to be resilient and robust and fault tolerant and
mostly continue working under even far from ideal circumstances,
that's probably not a horrible design decision for default behaviors.
Of course one can also make good arguments to have different behavior or
different default behavior ... and most nameservers (including
BIND9) are highly configurable as to how they'll actually behave
in those regards.

But NOTIFY coming from other than actual authoritative
nameservers (be they master/primary or a slave/secondary),
something is quite odd or screwed up there.  E.g. like some
funky NAT/SNAT mapping (which shouldn't apply in our cases
here, as we're talking Internet globally routable public IPs here, no
NAT/SNAT or other mapping of the sort should at all apply between these),
or, somebody <me giving Comcast Business the hairy eyeball look again>
fscking around in ways with DNS traffic that they never ought to be doing -
and SecurityEdge would certainly be one of the guilty culprits found in such
fscking up with port 53 traffic (at least we certainly hit lots of that earlier,
and maybe we're hitting more of some same and/or similar, at least partially,
in those regards).

On Tue, Jun 4, 2024 at 6:14 PM Rick Moen <rick@linuxmafia.com> wrote:
>
> Quoting Al (awbalug@sunnyside.com):
>
> > Actually I take it back, 73.189.65.18 must be the WAN address of
> > Michael's modem.  That won't appear on a message from Michael,
> > unless somehow NAT got involved in the modem?  Not sure if that's
> > quite right.  I think NAT would come from the last of the assigned
> > static IPv4 addresses, but IIRC I have also seen messages from a
> > modem's WAN address.
>
> Interesting, if so -- but nonetheless completely improper.  NOTIFY
> should only ever come from the domain master nameserver's IP.
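Added example, not part of the thread above and not code from BIND9 or any other nameserver: a small Python script that builds and parses a DNS NOTIFY message (RFC 1996, opcode 4, SOA question) and applies the receiver-side source policy Michael describes, accepting NOTIFY from the zone primary or from any other authoritative server for the zone, ignoring NOTIFY for zones the server does not carry, and flagging NOTIFY from any other address as suspect. The ZONES table, the function names, the verdict strings and the addresses (RFC 5737 / RFC 3849 documentation ranges) are constructed for illustration and correspond to no real deployment.

```python
"""Build/parse RFC 1996 NOTIFY messages and classify the sender (added example, not BIND code)."""
import struct
import ipaddress

OPCODE_NOTIFY = 4      # RFC 1996 opcode value
QTYPE_SOA = 6
QCLASS_IN = 1
FLAG_AA = 1 << 10      # AA bit in the DNS header flags word

# Constructed example topology; documentation addresses only, not real servers.
# The policy: a NOTIFY is expected from the primary or from any other authoritative
# server for the zone (many servers notify from every authoritative by default).
ZONES = {
    "example.net.": {
        "primary":   {"192.0.2.10"},
        "secondary": {"198.51.100.20", "203.0.113.30", "2001:db8::53"},
    },
}


def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_notify(zone, msg_id=0x1234):
    """Header with QR=0, opcode=NOTIFY, AA=1 and a single SOA/IN question for the zone."""
    flags = (OPCODE_NOTIFY << 11) | FLAG_AA
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def decode_name(data, offset):
    """Decode an uncompressed wire-format name; return (name, offset past the name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a NOTIFY question")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def parse_notify(data):
    """Parse the header and question of a NOTIFY; reject anything that is not one."""
    if len(data) < 12:
        raise ValueError("short packet")
    msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    opcode = (flags >> 11) & 0xF
    if opcode != OPCODE_NOTIFY:
        raise ValueError(f"opcode {opcode} is not NOTIFY")
    if qdcount != 1:
        raise ValueError("NOTIFY should carry exactly one question")
    zone, off = decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return {"id": msg_id, "zone": zone.lower(), "qtype": qtype,
            "qclass": qclass, "aa": bool(flags & FLAG_AA)}


def classify_source(src_ip, zone):
    """Return (verdict, reason) for a NOTIFY about `zone` arriving from `src_ip`."""
    ip = ipaddress.ip_address(src_ip)
    servers = ZONES.get(zone)
    if servers is None:
        return "ignore", "not a zone this server is authoritative for"
    if ip in {ipaddress.ip_address(a) for a in servers["primary"]}:
        return "accept", "from the zone primary"
    if ip in {ipaddress.ip_address(a) for a in servers["secondary"]}:
        return "accept", "from another authoritative server for the zone"
    return "reject", "not an authoritative server for this zone; suspect NAT/SNAT or port 53 interception"


def handle_notify(src_ip, packet):
    """Parse a received NOTIFY and decide what to do with it."""
    msg = parse_notify(packet)
    if msg["qtype"] != QTYPE_SOA or msg["qclass"] != QCLASS_IN:
        return "reject", "question is not SOA/IN"
    return classify_source(src_ip, msg["zone"])


if __name__ == "__main__":
    pkt = build_notify("example.net")
    for src in ("192.0.2.10", "203.0.113.30", "2001:db8::53", "192.0.2.99"):
        print(src, handle_notify(src, pkt))
```

The "reject" branch is the case discussed in the thread: a NOTIFY whose source is neither the primary nor any other authoritative server for the zone is where to start looking for address rewriting or interference on the path rather than a misconfigured nameserver.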


