Subdomain delegation includes bogus additional section

mhoran

New Member
I'm in the process of moving some domains back to ZoneEdit. However, I've encountered an issue with subdomains that are delegated to Google Cloud DNS. ZoneEdit returns a bogus additional section for those NS records which points to an IP address owned by voodoo.com.

To see the bogus additional section, run `dig test-sub.matthoran.com @dns1.zoneedit.com`.

You can see that this is delegated to Google Cloud DNS via the corresponding NS entries. However, the additional section includes A records pointing to 192.64.147.142. This is not a Google IP, and does not resolve the delegated records.

This additional section seems to be returned for any NS records. I created another dummy subdomain `nonexistent.matthoran.com`. This points to some nonsense nonexistent record on example.com. Again I get this bogus A record pointing to the voodoo.com owned IP.

This is not just dangerous (allowing someone to hijack my records) but also adds additional latency into requests. Since this IP being returned in the additional section doesn't resolve the records being requested, those requests must first time out before the proper upstream nameserver is contacted. This additional latency can be 5 seconds or more.

Is this intended?
 

Chris Cherry

Zoneedit Support
We use voodoo.com to redirect requests for domains we don't host. It comes up if you directly query our nameservers for a hostname that isn't a zone we host.


I've sent you a DM to provide some examples of what I'm referring to.
 

mhoran

New Member
Ah, got it. Yeah I think that sort of makes sense; the additional section is an optimization, so if someone is using URL forwarding, the additional section prevents an unnecessary subsequent lookup for voodoo.com to perform the redirect.

Unfortunately this creates an issue when URL forwarding is not in use. The additional section, if present, should provide the A records for hosts in the answer section. Instead, the A record for voodoo.com is returned, which causes the DNS timeouts I'm seeing. In practical terms it seems I won't be able to return to ZoneEdit.

EasyDNS does behave the way I want, so I'll have to look into that unless this can be fixed in ZoneEdit. In my opinion the additional section should only be provided for URL forwarding records. However, it seems to be provided for all records that are outside ZoneEdit. This will always cause some confusion, and in the case of NS records, is particularly an issue.

Thanks for the reply!
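The check discussed in this thread (additional-section A records should belong to the NS hosts in the response), as an added example that is not part of the original posts: it parses `dig` output and flags additional records that are not NS targets, that fall outside the zone the queried server hosts, or that differ from independently resolved addresses. The sample output, the `ns*.delegated-dns.example` names and the `known_addrs` parameter are constructed for illustration; only 192.64.147.142 and the queried name come from the thread.

```python
import re

# Constructed sample in dig's presentation format; the NS host names are
# placeholders, the A record address is the one quoted in the thread.
SAMPLE_DIG = """\
;; AUTHORITY SECTION:
test-sub.matthoran.com. 300 IN NS ns1.delegated-dns.example.
test-sub.matthoran.com. 300 IN NS ns2.delegated-dns.example.

;; ADDITIONAL SECTION:
ns1.delegated-dns.example. 300 IN A 192.64.147.142
ns2.delegated-dns.example. 300 IN A 192.64.147.142
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def parse_sections(text):
    """Return {section_name: [(owner, rtype, rdata), ...]} from dig output."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^;; (\w+) SECTION:$", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and (m := RR.match(line)):
            current.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
    return sections

def audit_additional(text, served_zone, known_addrs):
    """Flag additional-section address records a resolver should not trust."""
    zone = served_zone.lower().rstrip(".") + "."
    s = parse_sections(text)
    ns_targets = {rdata for _, rtype, rdata in
                  s.get("AUTHORITY", []) + s.get("ANSWER", []) if rtype == "NS"}
    findings = []
    for owner, rtype, addr in s.get("ADDITIONAL", []):
        if rtype not in ("A", "AAAA"):
            continue
        reasons = []
        if owner not in ns_targets:
            reasons.append("not an NS target")
        # Glue is only credible for names inside the zone this server hosts.
        if not (owner == zone or owner.endswith("." + zone)):
            reasons.append("out of bailiwick")
        if owner in known_addrs and addr not in known_addrs[owner]:
            reasons.append("address mismatch")
        if reasons:
            findings.append((owner, addr, reasons))
    return findings
```

`known_addrs` maps an NS host name to the set of addresses obtained by resolving it separately; pass an empty dict to run only the structural checks.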
 