
Using the DNS protocol in a man-in-the-middle service, I want to execute a friendly takeover on predefined A and CNAME records. Anything that doesn't meet the predefined criteria I would want to hand off as quickly and pain-free as possible to the true authoritative DNS servers.

Considering that, I intend to accomplish this using DNS Referrals. I am not seeing any immediate causes for concern with responding to the original query with a DNS Referral response record. The alternative is to recursively query to the original name server and return the results back but that is pretty resource intensive at scale.

Are there any known drawbacks to using DNS Referral responses, such as clients not honoring the referral and instead just failing to resolve?

Thank you.

  • It's best to start with the problem that you're trying to solve by doing this. Depending on the server software, if you need to rewrite responses it's possible to do so without spoofing replies. The answer you have correctly points out that this exercise is based on an incorrect assumption. – Andrew B Aug 17 '15 at 13:53

1 Answer


Most clients are not prepared to do recursion themselves and rely on the configured DNS server(s) to do it for them. If they get a referral back the resolution will fail.

– Tilman Schmidt
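As an added illustration (not code from the question or the answer), the Python below builds two constructed replies to the same A query and classifies each one the way a stub resolver can use it: the referral carries no answer records, has AA clear and puts NS records in the authority section, which is exactly the reply a stub hands back as a failure instead of chasing. All names and the 192.0.2.10 address are made-up sample data.

```python
import struct

A, NS = 1, 2                                      # RR types used here
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits

def encode_name(name):                            # dotted name -> uncompressed labels
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"

def build_response(qname, answers=(), authority=(), authoritative=False):
    # Minimal NOERROR reply to one A question carrying the given RRs (no name compression).
    flags = QR | RD | RA | (AA if authoritative else 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", A, 1)
    for name, rtype, rdata in list(answers) + list(authority):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def skip_name(msg, off):                          # offset just past a wire-format name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def skip_rrs(msg, off, count):                    # skip `count` RRs, collecting their types
    types = []
    for _ in range(count):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return off, types

def classify_response(msg):
    # How a stub resolver (asks with RD=1, never recurses itself) can use this reply.
    _, flags, _, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return "error"                            # non-zero RCODE (NXDOMAIN, SERVFAIL, ...)
    off = skip_name(msg, 12) + 4                  # past the single question (QTYPE, QCLASS)
    off, _ = skip_rrs(msg, off, ancount)
    _, auth_types = skip_rrs(msg, off, nscount)
    if ancount:
        return "answer"                           # data the stub hands to the application
    if not flags & AA and NS in auth_types:
        return "referral"                         # a stub does not chase delegations: lookup fails
    return "nodata"

# Constructed samples: an authoritative answer and a referral to the same question.
ANSWER = build_response("www.example.com", [("www.example.com", A, bytes([192, 0, 2, 10]))], authoritative=True)
REFERRAL = build_response("www.example.com", authority=[("example.com", NS, encode_name("ns1.example.net"))])
```

Running `classify_response` over replies captured from a resolver under test shows whether it ever leaks referrals to clients that can only consume answers.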