dns replies differ in src IP from query's dst IP (Bug?)

Guy Pazi guypazi at netvision.net.il
Thu Nov 22 07:24:58 UTC 2001


Hi James,

Do you know if it is common with Unix machines as well, as suggested by the
RFC?

> -----Original Message-----
> From: artch at netvision.net.il [mailto:artch at netvision.net.il]On
> Behalf Of James Griffin
> Sent: Wednesday, 21 November, 2001 5:06 PM
> To: Guy Pazi
> Cc: Mark_Andrews at isc.org; bind-users at isc.org
> Subject: Re: dns replies differ in src IP from query's dst IP (Bug?)
>
>
> Guy Pazi wrote:
> >
> > Thanks Mark, it's been of great help.
> > Just to make sure I understood. It has nothing to do with NS
> > implementation but rather with the IP stack?
> > Thanks again
> > Guy
> >
>
> About 2 or 3 years ago, I came across this sort of a problem with a .gov
> website.  The site was running on a multi-homed NT server.  Microsoft
> eventually published a "fix"/workaround.  I do not remember the details,
> but if your problem site is running an (old unpatched) NT server, you
> may want to check the KB.
>
> It is definitely an IP stack implementation issue, at least in the case
> of older Microsoft server code; nothing to do with BIND or ISS for that
> matter.
>
> Jim
>
> PS The .gov site "fixed" the problem before Microsoft published theirs
> by the simple expedient of removing the second NIC card and deleting the
> routing entry for that interface on the NT server.  In other words, they
> let their Cisco routers handle the routing.
>
> > > -----Original Message-----
> > > From: marka at isc.org [mailto:marka at isc.org]On Behalf Of
> > > Mark.Andrews at isc.org
> > > Sent: Wednesday, 21 November, 2001 2:34 PM
> > > To: Guy Pazi
> > > Cc: bind-users at isc.org
> > > Subject: Re: dns replies differ in src IP from query's dst IP (Bug?)
> > >
> > >
> > >
> > > >
> > > > Hi,
> > > > I've seen the following paragraph in RFC 1035:
> > > > "- Some name servers send their responses from different
> > > > addresses than the one used to receive the query.  That is, a
> > > > resolver cannot rely that a response will come from the same
> > > > address, which it sent the corresponding query to. This name
> > > > server bug is typically encountered in UNIX systems."
> > > >
> > > > I couldn't find which NSs' implementations enable this kind of
> > > > behavior, and if this is user configurable.
> > >
> > >       No.  It is not user configurable.  It is undesired behaviour
> > >       brought about by limitations of the IP stack of the host
> > >       machine or by not using the capabilities of the IP stack
> > >       properly to ensure that reply packets have the correct source
> > >       address and port.
> > >
> > > > I'm interested in the behavior of popular NSs' implementations
> > > > (bind and others).
> > > >
> > > > P.S. whoever knows about this "bug": is the IP used to reply to
> > > > DNS queries typically used for listening to queries as well?
> > >
> > >       It doesn't have to be.
> > >
> > > > I.e. is the resolver issuing the query aware of the IP used for
> > > > the reply as an additional IP of the NS in question?
> > >
> > >       Not always.
> > >
> > > > Thanks
> > > > Guy
> > > --
> > > Mark Andrews, Internet Software Consortium
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
> > >
>
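The behaviour Mark describes (a multi-homed host answering from whichever address the routing table picks, unless the server uses the IP stack's facilities to pin the reply's source to the address the query arrived on) can be shown with the IP_PKTINFO socket option. This is an added example, not code from this thread, from BIND or from any of the servers discussed; it assumes a Linux/glibc host, and the helper names enable_pktinfo, find_pktinfo and reply_from_addr are my own, meant to sit around a server's recvmsg()/sendmsg() loop.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Ask for an IP_PKTINFO control message on every datagram recvmsg() delivers
   on fd: it records which local address the query was addressed to. */
int enable_pktinfo(int fd)
{
    int one = 1;
    return setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof one);
}

/* After recvmsg(): copy the IP_PKTINFO control message to *pi (1 = found,
   0 = absent). pi->ipi_addr is the address the query was sent to. */
int find_pktinfo(struct msghdr *mh, struct in_pktinfo *pi)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(mh); c != NULL; c = CMSG_NXTHDR(mh, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            memcpy(pi, CMSG_DATA(c), sizeof *pi);
            return 1;
        }
    return 0;
}

/* Before sendmsg(): fill ctl so the reply leaves from src, not from whatever
   the routing table picks. Returns msg_controllen to use, 0 if ctl is small. */
size_t reply_from_addr(void *ctl, size_t ctllen, struct in_addr src)
{
    struct msghdr mh;
    struct cmsghdr *c;
    struct in_pktinfo pi;
    if (ctllen < CMSG_SPACE(sizeof pi))
        return 0;
    memset(ctl, 0, ctllen);
    memset(&mh, 0, sizeof mh);
    mh.msg_control = ctl;
    mh.msg_controllen = ctllen;
    c = CMSG_FIRSTHDR(&mh);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof pi);
    memset(&pi, 0, sizeof pi);
    pi.ipi_spec_dst = src;  /* the source address the kernel will use */
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    return CMSG_SPACE(sizeof pi);
}
```

A server that skips the sendmsg() control data on a multi-homed box is exactly the case the RFC text and Mark's reply describe: the kernel chooses the source address, and a strict resolver may then discard the answer as coming from the wrong address.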