Shouldn't such apps be checking the content they receive back from a server anyway? Regardless of if they think they're getting to the right server (due to a bogus non-NXDOMAIN response) there should be some sort of validation in place.. otherwise you're open in any sort of man-in-the-middle attack. I think the issue is more that older apps would expect that if they can get a response then everything is ok.. perhaps this simply an outdated method and needs to be rethought. Valdis.Kletnieks@vt.edu wrote:
On Mon, 09 Nov 2009 15:04:06 PST, Bill Stewart said:
For instance, returning the IP address of your company's port-80 web server instead of NXDOMAIN not only breaks non-port-80-http applications
Remember this...
There is one special case for which I don't mind having DNS servers lie about query results, which is the phishing/malware protection service. In that case, the DNS response is redirecting you to the IP address of a server that'll tell you "You really didn't want to visit PayPa11.com - it's a fake" or "You really didn't want to visit dgfdsgsdfgdfgsdfgsfd.example.ru - it's malware". It's technically broken, but you really _didn't_ want to go there anyway. It's a bit friendlier to administrators and security people if the response page gives you the
Returning bogus non-NXODMAIN gives non-port-80-http apps heartburn as well.