dns replies differ in src IP from query's dst IP (Bug?)
Kevin Darcy
kcd at daimlerchrysler.com
Wed Nov 21 22:28:16 UTC 2001
RFC 2181:
> 4. Server Reply Source Address Selection
>
> Most, if not all, DNS clients, expect the address from which a reply
> is received to be the same address as that to which the query
> eliciting the reply was sent. This is true for servers acting as
> clients for the purposes of recursive query resolution, as well as
> simple resolver clients. The address, along with the identifier (ID)
> in the reply is used for disambiguating replies, and filtering
> spurious responses. This may, or may not, have been intended when
> the DNS was designed, but is now a fact of life.
>
> Some multi-homed hosts running DNS servers generate a reply using a
> source address that is not the same as the destination address from
> the client's request packet. Such replies will be discarded by the
> client because the source address of the reply does not match that of
> a host to which the client sent the original request. That is, it
> appears to be an unsolicited response.
>
> 4.1. UDP Source Address Selection
>
> To avoid these problems, servers when responding to queries using UDP
> must cause the reply to be sent with the source address field in the
> IP header set to the address that was in the destination address
> field of the IP header of the packet containing the query causing the
> response. If this would cause the response to be sent from an IP
> address that is not permitted for this purpose, then the response may
> be sent from any legal IP address allocated to the server. That
> address should be chosen to maximise the possibility that the client
> will be able to use it for further queries. Servers configured in
> such a way that not all their addresses are equally reachable from
> all potential clients need take particular care when responding to
> queries sent to anycast, multicast, or similar, addresses.
>
>
- Kevin
Guy Pazi wrote:
> Hi,
> I've seen the following paragraph in RFC 1035:
> "- Some name servers send their responses from different addresses than the
> one used to receive the query. That is, a resolver cannot rely that a
> response will come from the same address, which it sent the corresponding
> query to. This name server bug is typically encountered in UNIX systems."
>
> I couldn't find which NSs' implementations enable this kind of behavior, and
> whether it is user configurable.
> I'm interested in the behavior of popular NSs' implementations (BIND and
> others).
>
> P.S. Whoever knows about this "bug": is the IP used to reply to DNS queries
> typically used for listening to queries as well? I.e., is the resolver
> issuing the query aware of the IP used for the reply as an additional IP of
> the NS in question?
> Thanks
> Guy
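The RFC 2181 section 4 rule quoted above, shown in working code as an added example (not from this thread, and not BIND's or any other server's code). It has two halves: the resolver-side filter that drops a reply whose source (address, port) or ID does not match the outstanding query (this is exactly why the "multi-homed server bug" makes replies vanish), and a server that binds a wildcard socket but recovers the query's destination address with IP_PKTINFO and sends the reply from that same address, as 4.1 requires. Assumptions: Linux (IP_PKTINFO; the fallback value 8 is the Linux constant; 127.0.0.2 standing in for a second interface address only works because Linux routes all of 127/8 to lo); the function names, the query ID 0x1234 and the example.com question are constructed for the example.

```python
"""Reply source address selection for UDP DNS (RFC 2181 section 4).
Added example; Linux-only for the socket part."""
import socket
import struct

# Python exposes socket.IP_PKTINFO on recent Linux builds; 8 is the Linux value (assumption).
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)


def build_query(qid, name="example.com", qtype=1):
    """Minimal DNS query: 12-byte header (RD set, QDCOUNT=1) plus one question.
    Constructed sample input, not a captured packet."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def query_id(msg):
    """The 16-bit ID in the header, the second half of the RFC 2181 disambiguation key."""
    return struct.unpack("!H", msg[:2])[0]


def make_reply(query):
    """Turn a query into a (content-free) response by setting the QR bit."""
    hdr = bytearray(query[:12])
    hdr[2] |= 0x80
    return bytes(hdr) + query[12:]


def reply_accepted(sent_to, expected_id, reply_from, reply):
    """Resolver-side check from RFC 2181 s.4: the reply must arrive from the
    (address, port) the query was sent to, carry the query's ID, and have QR set.
    A reply from a different address of the same multi-homed server fails the
    first test and is discarded as if it were unsolicited."""
    if len(reply) < 12:
        return False
    if reply_from != sent_to:
        return False
    if query_id(reply) != expected_id:
        return False
    return (reply[2] & 0x80) != 0


def serve_one(sock):
    """Answer one query on a wildcard-bound UDP socket. IP_PKTINFO ancillary data
    carries the destination address the query was sent to; the reply is sent with
    that address as its source (RFC 2181 s.4.1). Returns the address used, or
    None when no pktinfo was delivered and the kernel chose the source itself."""
    data, ancdata, _flags, client = sock.recvmsg(512, socket.CMSG_SPACE(12))
    dst_addr = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            # struct in_pktinfo { int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr; }
            _ifindex, _spec_dst, addr = struct.unpack("=i4s4s", cdata[:12])
            dst_addr = socket.inet_ntoa(addr)
    reply = make_reply(data)
    if dst_addr is None:
        sock.sendto(reply, client)  # the RFC's fallback: any legal local address
        return None
    # On send, ipi_spec_dst selects the source address of the outgoing datagram.
    pktinfo = struct.pack("=i4s4s", 0, socket.inet_aton(dst_addr), b"\x00" * 4)
    sock.sendmsg([reply], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, client)
    return dst_addr


if __name__ == "__main__":
    # Loopback demo: 127.0.0.2 plays the "other" address of a multi-homed server.
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    srv.bind(("0.0.0.0", 0))
    target = ("127.0.0.2", srv.getsockname()[1])
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(2)
    cli.sendto(build_query(0x1234), target)
    print("server replied from", serve_one(srv))
    reply, src = cli.recvfrom(512)
    print("resolver accepts reply:", reply_accepted(target, 0x1234, src, reply))
```

Without the IP_PKTINFO option a wildcard-bound server lets the kernel pick the source address of the reply, which on a multi-homed host is whatever the routing table prefers for the client, not necessarily the address the query came in on; that is the behaviour RFC 1035 calls a bug and RFC 2181 section 4.1 forbids. BIND avoids it by binding a separate socket per interface address rather than one wildcard socket.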