[dns-operations] Using IP_RECVERR/IPV6_RECVERR on resolver client sockets

Florian Weimer fweimer at redhat.com
Tue Jan 8 13:58:12 UTC 2019


Someone noticed that the Linux kernel only puts some networking-related
errors on the socket error queue for connected UDP sockets:

  <https://sourceware.org/bugzilla/show_bug.cgi?id=24047>

The impact is that the UDP client doesn't notice that the network is
unreachable even if there's an ICMP message (host-related ICMP messages
are typically enqueued and cause a read error).  Instead, name servers
are only switched after a timeout.

I looked at what other DNS clients are doing.  systemd-resolved appears
the only one that uses IP_RECVERR or IPV6_RECVERR (curiously, setsockopt
with IP_RECVERR succeeds on an AF_INET6 socket, but does not have any
effect).

Is this just an oversight, or is there a deeper reason to ignore network
errors (particularly in stub resolvers)?  An attacker could just spoof
an ICMP message with a host error (e.g., port unreachable), so honoring
more ICMP errors wouldn't introduce further DoS potential.

Thanks,
Florian


More information about the dns-operations mailing list