copying the question section

Josh Littlefield joshl at
Wed Aug 7 00:33:52 UTC 2002

I think RFC2181, sec. 4.1 already updates this part of RFC1035 to say that 
the source IP address must be the address to which the query was sent 
(unless that would be an illegal source address).

James Ralston wrote:
> On Sun, 4 Aug 2002, Paul Vixie wrote:
>>One note... let's not implement [RFC1035 7.3] in its entirety:
>>|   - Some name servers send their responses from different
>>|     addresses than the one used to receive the query.  That is, a
>>|     resolver cannot rely that a response will come from the same
>>|     address which it sent the corresponding query to.  This name
>>|     server bug is typically encountered in UNIX systems.
>>libresolv, libbind, and bind8 have required that the response source
>>be the same as the query destination since about the BIND KJB/4.9
>>era, and there's no reason to relax now.  (SunOS 4.1.3 was the
>>culprit, and is long dead.)
> Even if libresolv et. al. did permit the query response to come from a
> different IP, most stateful firewalls I've seen certainly won't.
> The Linux netfilter code, for example, considers a UDP packet to be
> part of an "established" connection only if the source IP/port has
> been swapped with the destination IP/port, and the "reply" is seen
> with 30 seconds of the original packet.
> I suspect that for many, many sites, DNS will break if RFC1035 7.3 is
> implemented in its entirety.

Josh Littlefield                                  Cisco Systems, Inc.
joshl at                                      250 Apollo Drive
tel: 978-497-8378  fax: same               Chelmsford, MA  01824-3627

More information about the bind-workers mailing list