dns replies differ in src IP from query's dst IP (Bug?)

Kevin Darcy kcd at daimlerchrysler.com
Wed Nov 21 22:28:16 UTC 2001


RFC 2181:


> 4. Server Reply Source Address Selection
>
>    Most, if not all, DNS clients, expect the address from which a reply
>    is received to be the same address as that to which the query
>    eliciting the reply was sent.  This is true for servers acting as
>    clients for the purposes of recursive query resolution, as well as
>    simple resolver clients.  The address, along with the identifier (ID)
>    in the reply is used for disambiguating replies, and filtering
>    spurious responses.  This may, or may not, have been intended when
>    the DNS was designed, but is now a fact of life.
>
>    Some multi-homed hosts running DNS servers generate a reply using a
>    source address that is not the same as the destination address from
>    the client's request packet.  Such replies will be discarded by the
>    client because the source address of the reply does not match that of
>    a host to which the client sent the original request.  That is, it
>    appears to be an unsolicited response.
>
> 4.1. UDP Source Address Selection
>
>    To avoid these problems, servers when responding to queries using UDP
>    must cause the reply to be sent with the source address field in the
>    IP header set to the address that was in the destination address
>    field of the IP header of the packet containing the query causing the
>    response.  If this would cause the response to be sent from an IP
>    address that is not permitted for this purpose, then the response may
>    be sent from any legal IP address allocated to the server.  That
>    address should be chosen to maximise the possibility that the client
>    will be able to use it for further queries.  Servers configured in
>    such a way that not all their addresses are equally reachable from
>    all potential clients need take particular care when responding to
>    queries sent to anycast, multicast, or similar, addresses.
>
>


- Kevin

Guy Pazi wrote:

> Hi,
> I've seen the following paragraph in RFC 1035:
> "- Some name servers send their responses from different addresses than the
> one used to receive the query.  That is, a resolver cannot rely that a
> response will come from the same address, which it sent the corresponding
> query to.  This name server bug is typically encountered in UNIX systems."
>
> I couldn't find which NS implementations enable this kind of behavior, and
> whether this is user configurable.
> I'm interested in the behavior of popular NS implementations (BIND and
> others).
>
> P.S. Whoever knows about this "bug": is the IP used to reply to DNS queries
> typically used for listening to queries as well? I.e. is the resolver
> issuing the query aware of the IP used for the reply as an additional IP of
> the NS in question?
> Thanks
> Guy
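As an added illustration of the rule quoted from RFC 2181 section 4 above (this is example code, not part of Kevin's reply, the RFC, or BIND): a resolver-side reply filter that accepts a UDP reply only when its source address, source port and transaction ID match a query that is still outstanding. The addresses, ports, transaction IDs and the 12-byte DNS headers are all constructed for the example, and `build_dns_response_header` is a minimal stand-in for a real DNS encoder. It shows why a multi-homed server answering from a different address than the one it was queried on gets its reply silently discarded as unsolicited.

```python
import struct


def build_dns_response_header(txid: int) -> bytes:
    """Constructed minimal 12-byte DNS header (RFC 1035 section 4.1.1):
    ID, flags with QR=1 (response), and zero QD/AN/NS/AR counts."""
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=0
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


def dns_transaction_id(packet: bytes) -> int:
    """Return the 16-bit ID from the first two bytes of a DNS message."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    (txid,) = struct.unpack("!H", packet[:2])
    return txid


def is_dns_response(packet: bytes) -> bool:
    """The QR bit is the top bit of the third header byte; 1 means response."""
    return bool(packet[2] & 0x80)


class ReplyMatcher:
    """Tracks outstanding queries the way a resolver does: keyed by the
    (address, port) the query was sent to plus the transaction ID, so that a
    reply is only accepted if it comes back from that same tuple."""

    def __init__(self) -> None:
        self.pending: dict[tuple[str, int, int], str] = {}

    def send_query(self, server_addr: str, server_port: int, txid: int, qname: str) -> None:
        # Remember where the query went; the reply must come from exactly there.
        self.pending[(server_addr, server_port, txid)] = qname

    def accept_reply(self, src_addr: str, src_port: int, packet: bytes) -> tuple[bool, str]:
        """Return (accepted, reason) for a datagram received from src_addr:src_port."""
        if not is_dns_response(packet):
            return False, "QR bit clear: not a response"
        txid = dns_transaction_id(packet)
        key = (src_addr, src_port, txid)
        if key not in self.pending:
            # RFC 2181 section 4: the reply looks unsolicited because its source
            # is not an address (and port) we sent this ID to.
            return False, f"no outstanding query to {src_addr}:{src_port} with ID {txid:#06x}"
        qname = self.pending.pop(key)  # one reply consumes the outstanding query
        return True, f"matched query for {qname}"


def demo() -> list[tuple[str, bool]]:
    """Constructed scenario: query sent to 192.0.2.1, server is multi-homed
    and also owns 192.0.2.2. Returns (label, accepted) pairs."""
    matcher = ReplyMatcher()
    matcher.send_query("192.0.2.1", 53, 0x1234, "example.com.")
    reply = build_dns_response_header(0x1234)

    results = []
    # Server replied from its other interface: same ID, wrong source address.
    results.append(("reply from 192.0.2.2", matcher.accept_reply("192.0.2.2", 53, reply)[0]))
    # Server replied from the address the query was sent to.
    results.append(("reply from 192.0.2.1", matcher.accept_reply("192.0.2.1", 53, reply)[0]))
    # A second copy of the same reply no longer matches anything outstanding.
    results.append(("duplicate reply", matcher.accept_reply("192.0.2.1", 53, reply)[0]))
    return results


if __name__ == "__main__":
    for label, accepted in demo():
        print(f"{label}: {'accepted' if accepted else 'discarded'}")
```

The check is deliberately the client's view of the problem: the server in the scenario is not misbehaving from its own perspective, it simply chose a source address the client never addressed, which is exactly the case RFC 2181 section 4.1 tells UDP responders to avoid by answering from the destination address of the query.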


