Message-ID: <CAA40n-XZ2--CSLPGty53NkHLjz5DO=ZCfvUiWrLRAWc_7nJw_w@mail.gmail.com>
Date: Sat, 22 Jun 2024 15:06:08 +0200
From: Jan Mercl <0xjnml@...il.com>
To: musl@...ts.openwall.com
Cc: Lance Yang <ioworker0@...il.com>
Subject: Re: [PATCH 1/1] improve DNS resolution logic for parallel queries

On Sat, Jun 22, 2024 at 2:51 PM Lance Yang <lance.yang@...ux.dev> wrote:

> musl’s resolver queries some configured nameservers in parallel and accepts
> the first response. However, if the first response's RCODE indicates
> NXDOMAIN, the resolver terminates the resolution process too early,
> potentially missing valid responses from other nameservers.

Linux uses the first valid response, even if it is NXDOMAIN. So it's
not clear terminating the resolve process in that case is "too early".
I think that continuing the search after getting NXDOMAIN can
possibly be considered a security risk.

Source, possibly outdated:
https://www.unix.com/ip-networking/133552-howto-linux-multihomed-dns-client.html

-j
