Same source port queries dropped by ServerIron load balancer
Kevin Darcy
kcd at chrysler.com
Tue Mar 30 20:07:17 UTC 2010
On 3/30/2010 8:00 AM, Tony Finch wrote:
> On Tue, 30 Mar 2010, Abdulla Bushlaibi wrote:
>
>> We are facing query drops when using the dnsperf tool from ISC to test the DNS
>> service via a load balancer. Multiple queries from the same source port are
>> being partially dropped by the load balancer and, as per the load balancer
>> vendor's feedback, this is a security feature and this situation doesn't happen
>> in real-life scenarios.
>>
> High performance stub resolvers like adns use the same UDP port for many
> queries.
>
Thus reducing entropy and commensurately increasing the chance of
accepting a spoofed response as genuine.
I think the load-balancer vendor has the right default here, and adns
should re-think their methodology.
- Kevin
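As an added illustration of the point Tony and Kevin are making (this is my example, not code from the thread, adns, or BIND): the script below quantifies how many bits an off-path spoofer has to guess when a resolver reuses one UDP source port versus picking a fresh ephemeral port per query, and then runs a small blind-spoofing simulation against a resolver that accepts a reply only when source port, transaction ID and question all match an outstanding query. The 16-bit TXID is the DNS wire format; the 1024-65535 ephemeral pool, the fixed port 53535, the race sizes and the attacker model (blind guesses, no traffic observation beyond learning a port that never changes) are assumptions chosen for the demonstration.

```python
# Added example, not from the bind-users thread: entropy lost by reusing one
# UDP source port for many DNS queries, and its effect on blind spoofing.
import math
import random

TXID_BITS = 16                        # DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = range(1024, 65536)  # assumed source-port pool when randomizing
FIXED_PORT = 53535                    # assumed: the one port a same-port resolver reuses


def entropy_bits(randomize_port):
    """Bits an off-path attacker must guess to match one outstanding query."""
    bits = TXID_BITS
    if randomize_port:
        bits += math.log2(len(EPHEMERAL_PORTS))  # ~15.98 extra bits
    return bits


def spoof_probability(forged_replies, randomize_port):
    """Chance that at least one of `forged_replies` distinct guesses matches the
    (port, txid) of one outstanding query before the genuine answer arrives."""
    space = 2 ** entropy_bits(randomize_port)
    return min(1.0, forged_replies / space)


class Resolver:
    """Minimal resolver state: outstanding queries keyed by (source port, txid)."""

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.outstanding = {}

    def send_query(self, qname):
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        txid = self.rng.getrandbits(TXID_BITS)
        self.outstanding[(port, txid)] = qname
        return port, txid

    def accept(self, port, txid, qname):
        """Accept a reply only if port, txid and question all match a query we sent."""
        return self.outstanding.get((port, txid)) == qname


def simulate(randomize_port, races, forged_per_race, seed=1):
    """Count races (one query each) in which a blind attacker gets a forged
    reply accepted before the real one. Deterministic for a given seed."""
    resolver_rng = random.Random(seed)
    attacker = random.Random(seed + 1)
    qname = "www.example.com"  # constructed sample question
    hits = 0
    for _ in range(races):
        r = Resolver(randomize_port, resolver_rng)
        port, _txid = r.send_query(qname)
        for _ in range(forged_per_race):
            # A port that never changes can be learned from any earlier query,
            # so the fixed-port attacker only has to guess the 16-bit txid.
            guess_port = attacker.choice(EPHEMERAL_PORTS) if randomize_port else port
            guess_txid = attacker.getrandbits(TXID_BITS)
            if r.accept(guess_port, guess_txid, qname):
                hits += 1
                break
    return hits


if __name__ == "__main__":
    for randomize in (False, True):
        print(f"randomize_port={randomize}: {entropy_bits(randomize):.2f} bits, "
              f"P(spoof | 2048 forged) = {spoof_probability(2048, randomize):.2e}, "
              f"simulated hits in 500 races = {simulate(randomize, 500, 2048)}")
```

With one fixed port the attacker's search space is 2^16, so 2048 forged replies per race win about one race in 32; with a randomized port the same flood wins roughly one race in two million. The `accept` check is the same in both cases; the difference is entirely in how much of the (port, txid) key the attacker can predict.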