[dns-operations] Using IP_RECVERR/IPV6_RECVERR on resolver client sockets
Florian Weimer
fweimer at redhat.com
Tue Jan 8 13:58:12 UTC 2019
Someone noticed that the Linux kernel only puts some networking-related
errors on the socket error queue for connected UDP sockets:
<https://sourceware.org/bugzilla/show_bug.cgi?id=24047>
The impact is that the UDP client doesn't notice that the network is
unreachable even if there's an ICMP message (host-related ICMP messages
are typically enqueued and cause a read error). Instead, name servers
are only switched after a timeout.
I looked at what other DNS clients are doing. systemd-resolved appears
to be the only one that uses IP_RECVERR or IPV6_RECVERR (curiously, setsockopt
with IP_RECVERR succeeds on an AF_INET6 socket, but does not have any
effect).
Is this just an oversight, or is there a deeper reason to ignore network
errors (particularly in stub resolvers)? An attacker could just spoof
an ICMP message with a host error (e.g., port unreachable), so honoring
more ICMP errors wouldn't introduce further DoS potential.
Thanks,
Florian