BIND and listening on interfaces

Reindl Harald h.reindl at thelounge.net
Fri Aug 1 15:32:40 UTC 2014



On 01.08.2014 at 17:16, Barry Margolin wrote:
> In article <mailman.720.1406904401.26362.bind-users at lists.isc.org>,
>  Reindl Harald <h.reindl at thelounge.net> wrote:
> 
>> the thread yesterday reminded me on my Fedora bug report
>> https://bugzilla.redhat.com/show_bug.cgi?id=1073038#c3
>> https://bugzilla.redhat.com/show_bug.cgi?id=1073038#c8
>>
>> i don't buy "Note that destination IP address must be
>> known and set correctly in reply, otherwise clients
>> will be confused" because how does it survive NAT
> 
> What's meant is that the source address of the reply must match the 
> destination address of the request. This is how TCP behaves 
> automatically, since it involves connections, but all UDP packets are 
> independent. When BIND sends a reply message, the stack doesn't know 
> that it's related to a particular incoming message whose IPs should be 
> flipped.
> 
> It survives NAT because the router remembers how it translated the 
> incoming packet. When it sees an outgoing packet with the translated IP 
> and port, it undoes the translation

yes and no

iptables knows the concept of " -p udp -m conntrack --ctstate NEW"
so the stack somehow knows, not the same way as TCP, but it knows

other UDP services like OpenVPN, dhcpd, avahi or mediatomb just
listen on UDP 0.0.0.0:port and just work
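The reply-source-address issue Barry describes (a wildcard-bound UDP server must answer from the address the request was sent to, or clients will discard the reply) can be handled on Linux with the IP_PKTINFO socket option. The following is an added example, not code from the thread, from BIND or from iptables: the server binds to 0.0.0.0, reads the request's destination address from the IP_PKTINFO control message, and pins the reply's source address to it. The fallback value 8 for IP_PKTINFO (its Linux value) and the `payload_fn` callback are assumptions of this example.

```python
import socket
import struct

# struct in_pktinfo from <linux/in.h>:
#   int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr;
IN_PKTINFO = struct.Struct("I4s4s")  # 12 bytes, no padding
# Assumption: 8 is the Linux value, used only if the constant is missing.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)


def parse_pktinfo(data: bytes):
    """Return (ifindex, spec_dst, dst_addr) from an IP_PKTINFO payload.
    On receive, dst_addr is the address the datagram was sent to."""
    ifindex, spec_dst, addr = IN_PKTINFO.unpack(data[:IN_PKTINFO.size])
    return ifindex, socket.inet_ntoa(spec_dst), socket.inet_ntoa(addr)


def build_pktinfo(src_addr: str, ifindex: int = 0) -> bytes:
    """IP_PKTINFO payload that pins the outgoing source address to src_addr.
    With ifindex 0 the kernel uses ipi_spec_dst as the source address."""
    return IN_PKTINFO.pack(ifindex, socket.inet_aton(src_addr), b"\0" * 4)


def make_server(port: int = 0) -> socket.socket:
    """Wildcard-bound UDP socket that asks the kernel for IP_PKTINFO."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    s.bind(("0.0.0.0", port))
    return s


def reply_from_request_dst(sock: socket.socket, payload_fn=lambda req: req):
    """Receive one datagram and answer it with the source address set to the
    address the request arrived on. Returns (request_dst, peer)."""
    data, ancdata, _flags, peer = sock.recvmsg(
        4096, socket.CMSG_SPACE(IN_PKTINFO.size))
    dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, dst = parse_pktinfo(cdata)
    # Without the control message the kernel would pick the source
    # itself, which on a multi-homed host may not match the request.
    anc = [(socket.IPPROTO_IP, IP_PKTINFO, build_pktinfo(dst))] if dst else []
    sock.sendmsg([payload_fn(data)], anc, 0, peer)
    return dst, peer
```

Run `reply_from_request_dst(make_server(5353))` on a multi-homed Linux host and send queries to each of its addresses: every reply comes back from the address the query went to.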
