Maintained by: NLnet Labs

[Unbound-users] issue

Eric Meddaugh
Mon Aug 25 16:13:13 CEST 2014

I alerted Cloud Flare last week and they have indicated they have engineers looking into it.  I opened the ticket as a DOS against any domains they provide hosting for.  As long as there are clients querying '' (or any other cloud flare hosted domain) it can keep that domain offline.  Our work-around has allowed to appear to remain online.


-----Original Message-----
From: Unbound-users [mailto:unbound-users-bounces at] On Behalf Of John Peacock
Sent: Monday, August 25, 2014 9:45 AM
To: unbound-users at
Subject: Re: [Unbound-users] issue

On Mon, 2014-08-25 at 08:24 -0500, Dave Duchscher wrote:
> Cloudflare's response:
> > Hey there,
> > 
> > Because the DNS query "" is technically not valid (since DNS queries should not contain the protocol URI), CloudFlare's DNS servers will not respond to them.

That is what I would have predicted their response would have been.  A
broken client is making illegal DNS queries; that is the root cause of
the difficulty.  The fact that unbound itself doesn't return an error
for these illegal queries is only making matters worse.  Neither ':' nor
'/' are legal DNS hostname characters (see RFC-1035 and onwards), so it
should be the resolver library (i.e. unbound) that should be validating
the query before sending it on, IMNSHO.  The fact that has an
unfriendly behavior WRT illegal queries doesn't mean it is their fault;
there is no requirement to return NXDOMAIN or SERVFAIL or anything at
all, so they chose to drop the query.


senior software build and release engineer
twitter @MessageSystems

tel 410-872-4910 x239
email john.peacock at
Unbound-users mailing list
Unbound-users at
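
The hostname syntax check argued for in the message above, as an added example (not code from Unbound or from anyone in this thread). It applies the RFC 1035 preferred name syntax with the RFC 1123 relaxation on leading digits; the function names and the sample names are constructed, since the actual query name is not shown in the archive.

```python
import re

# RFC 1035 section 2.3.1 preferred name syntax, with the RFC 1123 relaxation
# that a label may begin with a digit: letters, digits and interior hyphens.
_LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
MAX_LABEL = 63   # octets per label
MAX_NAME = 253   # presentation-format length without the trailing dot


def _is_ldh_char(c):
    return c.isascii() and (c.isalnum() or c == "-")


def check_hostname(qname):
    """Return (ok, reason) for a query name in presentation format."""
    name = qname[:-1] if qname.endswith(".") else qname  # accept FQDN dot
    if not name:
        return False, "empty name"
    if len(name) > MAX_NAME:
        return False, "name longer than 253 characters"
    for label in name.split("."):
        if not label:
            return False, "empty label"
        if len(label) > MAX_LABEL:
            return False, "label longer than 63 characters"
        if not _LDH_LABEL.fullmatch(label):
            bad = sorted({c for c in label if not _is_ldh_char(c)})
            if bad:
                chars = " ".join(repr(c) for c in bad)
                return False, "illegal character(s): " + chars
            return False, "label starts or ends with '-'"
    return True, "ok"


def filter_queries(qnames):
    """Split names into those to forward upstream and those to refuse."""
    forward, refuse = [], []
    for q in qnames:
        ok, reason = check_hostname(q)
        (forward if ok else refuse).append((q, reason))
    return forward, refuse


# Constructed sample: a URI-prefixed name of the kind described in the thread,
# next to well-formed and otherwise malformed names.
SAMPLE = ["www.example.com", "http://www.example.com", "www.example.com.",
          "-bad.example.com", "a..example.com"]

if __name__ == "__main__":
    for name, reason in filter_queries(SAMPLE)[1]:
        print(f"refuse {name!r}: {reason}")
```

This checks hostname syntax only: legitimate DNS owner names such as `_sip._tcp.example.com` contain underscores and would need an exemption before a filter like this is applied to all query types.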