dig source port patch

Jonathan de Boyne Pollard J.deBoynePollard at tesco.net
Sun Aug 31 13:40:26 UTC 2003


SW> On the other hand one cache (not BIND) uses a different 
SW> source port for each query because this makes it harder to
SW> spoof answers (the DNS antispoofing mechanism being quite weak).

BM> [...] this [...] doesn't seem practical for high-volume resolvers.

I suggest that you look at what such softwares actually do.  After all, they
_do_ work in practice with high query loads, and this mechanism therefore _is_
practical.

BM> If you're processing hundreds of queries/second, this would 
BM> hog an awful lot of ports.  
BM> I presume [...]
BM> I could easily imagine running out of ports. 

Don't presume and imagine, look.  

There are two resolving proxy DNS server softwares that I know that operate in
the way that Simon describes.  They both place limits, configurable by the DNS
administrator, on the number of parallel query resolutions that can exist
simultaneously, and thus the number of ports that will be allocated to sockets
used by the DNS server.  One software does this by limiting the number of
simultaneous query resolutions itself (defaulting to 200); meaning that the
number of ports used will, at worst, be the same as the maximum number of
simultaneous query resolutions allowed.  The other software does this by
pre-allocating a set of port numbers (defaulting to 1 port), and randomly
picking a port number from the set (and a random unique message ID - allowing
65536 simultaneous query resolutions per port); meaning that the number of
ports used is explicitly configured.

Thus the first software (by default) uses up to 200 port numbers, and the
second software (by default) uses 1 port number.  One doesn't run out of
ports.  

One does, however, run out of query resolution "slots".  The first software
handles this by replacing the "oldest" query resolution "slot" with the new
query (on the grounds that the old query resolution is stuck timing out
waiting for a response that will never happen).  The second software handles
this by returning a "server failure" response to the new query (on the -
perhaps less tenuous - grounds that the server has reached the limit of its
configured resources and that's the closest description of the situation that
is available).
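As an added illustration, not code from the post or from either of the two softwares it describes, here is a small Python model of the outstanding-query table such a resolver keeps: a pre-allocated source-port set, a random message ID unique per port, a configurable slot cap, and the two overflow policies described above (evict the oldest slot, or answer "server failure"). The class and method names are mine, and the check that an answer's question section must also match is standard resolver behaviour assumed here rather than something the post states.

```python
import random
from collections import OrderedDict

MAX_IDS_PER_PORT = 65536  # 16-bit DNS message ID space


class QuerySlotTable:
    """Outstanding upstream queries keyed by (source port, message ID).

    ports:     pre-allocated source-port set (second software: 1 port by default)
    max_slots: cap on parallel resolutions (first software: 200 by default);
               None means the only cap is the ID space of the port set
    policy:    "evict_oldest" (first software) or "servfail" (second software)
    """

    def __init__(self, ports, max_slots=None, policy="servfail", rng=None):
        self.ports = list(ports)
        self.max_slots = max_slots
        self.policy = policy
        self.rng = rng or random.SystemRandom()  # unpredictable port/ID choice
        self.slots = OrderedDict()  # (port, msg_id) -> question, oldest first
        self.in_use = {p: 0 for p in self.ports}  # open queries per port

    def capacity(self):
        hard = MAX_IDS_PER_PORT * len(self.ports)
        return hard if self.max_slots is None else min(hard, self.max_slots)

    def open_query(self, question):
        """Allocate (port, msg_id) for a new query; None means answer SERVFAIL."""
        if len(self.slots) >= self.capacity():
            if self.policy != "evict_oldest":
                return None  # resource limit reached: caller returns SERVFAIL
            (old_port, _), _ = self.slots.popitem(last=False)  # stuck oldest slot
            self.in_use[old_port] -= 1
        # random port from the set, restricted to ports with a free message ID
        port = self.rng.choice([p for p in self.ports if self.in_use[p] < MAX_IDS_PER_PORT])
        while True:  # random ID, unique among open queries on this port
            msg_id = self.rng.randrange(MAX_IDS_PER_PORT)
            if (port, msg_id) not in self.slots:
                break
        self.slots[(port, msg_id)] = question
        self.in_use[port] += 1
        return port, msg_id

    def accept_answer(self, port, msg_id, question):
        """True only if port, ID and question match an open query; else drop it."""
        if self.slots.get((port, msg_id)) != question:
            return False  # no matching outstanding query (stale or forged)
        del self.slots[(port, msg_id)]
        self.in_use[port] -= 1
        return True
```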

