copying the question section
joshl at cisco.com
Wed Aug 7 00:33:52 UTC 2002
I think RFC2181, sec. 4.1 already updates this part of RFC1035 to say that
the source IP address must be the address to which the query was sent
(unless that would be an illegal source address).
James Ralston wrote:
> On Sun, 4 Aug 2002, Paul Vixie wrote:
>>One note... let's not implement [RFC1035 7.3] in its entirety:
>>| - Some name servers send their responses from different
>>| addresses than the one used to receive the query. That is, a
>>| resolver cannot rely that a response will come from the same
>>| address which it sent the corresponding query to. This name
>>| server bug is typically encountered in UNIX systems.
>>libresolv, libbind, and bind8 have required that the response source
>>be the same as the query destination since about the BIND KJB/4.9
>>era, and there's no reason to relax now. (SunOS 4.1.3 was the
>>culprit, and is long dead.)
> Even if libresolv et. al. did permit the query response to come from a
> different IP, most stateful firewalls I've seen certainly won't.
> The Linux netfilter code, for example, considers a UDP packet to be
> part of an "established" connection only if the source IP/port has
> been swapped with the destination IP/port, and the "reply" is seen
> with 30 seconds of the original packet.
> I suspect that for many, many sites, DNS will break if RFC1035 7.3 is
> implemented in its entirety.
Josh Littlefield Cisco Systems, Inc.
joshl at cisco.com 250 Apollo Drive
tel: 978-497-8378 fax: same Chelmsford, MA 01824-3627
More information about the bind-workers