[dns-operations] Nameserver responses from different IP than destination of request

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Aug 29 01:46:30 UTC 2020


On Fri, Aug 28, 2020 at 06:24:40PM -0400, Puneet Sood via dns-operations wrote:

> We (Google Public DNS) have noticed some instances of nameserver
> responses for a query coming from a different IP. Our initial plan was
> to consider these responses invalid and discard them. However after
> reading the text in RFC 1035 and the update in RFC 2181, we wanted to
> check what other recursive resolvers are seeing and how they are
> handling such responses.
> 
> [...]

> We would be interested in hearing other operators' experience here.
> Are recursive servers seeing similar behavior from authoritative
> servers? If yes, are you discarding these responses?
> Are there authoritative server operators who still need the
> flexibility afforded by RFC 1035?

Not dropping them further weakens the already poor resistance of
non-DNSSEC replies to off-path cache poisoning attacks.  Please
drop these; the solution is up to the server operator.

They may have asymmetric inbound/outbound paths via firewalls doing NAT
between the Internet and their nameservers.  So even if the nameserver
is doing the right thing, the network middleboxes may introduce related,
but different IPs for the request and the response.

The operators of such domains need to clean up their network design.

-- 
    Viktor.
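The check argued for above, written out as an added example (not code from this thread or from any resolver implementation): a resolver-side validator that matches a UDP reply against the pending query by transaction ID, source port and question section, and additionally drops it when the reply's source address differs from the destination the query was sent to. The `strict_source` flag contrasts that policy with the RFC 1035 leniency the original question asks about; the class, function names and sample packets are constructed for illustration.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class PendingQuery:  # what the resolver remembers about a query it sent (constructed)
    dst_ip: str
    dst_port: int
    txid: int
    qname: str
    qtype: int

def encode_qname(name: str) -> bytes:
    # Wire-format name: length-prefixed labels terminated by a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_qname(msg: bytes, off: int):
    labels = []
    while True:
        n = msg[off]; off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:  # compression pointer; not expected in a question name
            raise ValueError("compressed question name")
        labels.append(msg[off:off + n].decode("ascii")); off += n

def build_message(txid: int, flags: int, qname: str, qtype: int) -> bytes:
    # Header (ID, flags, QDCOUNT=1, AN/NS/AR=0) followed by one question in class IN.
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)

def validate_response(pending: PendingQuery, src_ip: str, src_port: int,
                      msg: bytes, strict_source: bool = True):
    """Decide whether a UDP reply belongs to `pending`; returns (accept, reason)."""
    if len(msg) < 12:
        return False, "truncated header"
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if not flags & 0x8000:
        return False, "QR bit not set"
    if txid != pending.txid or src_port != pending.dst_port or qdcount != 1:
        return False, "txid/port/qdcount mismatch"
    try:
        qname, off = decode_qname(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    except (ValueError, IndexError, struct.error):
        return False, "malformed question"
    if (qname.lower(), qtype, qclass) != (pending.qname.lower(), pending.qtype, 1):
        return False, "question mismatch"
    if src_ip != pending.dst_ip:
        # RFC 1035 tolerated this; a strict resolver drops it as off-path noise.
        return (False, "source address mismatch") if strict_source else (True, "lenient accept")
    return True, "ok"
```

The source-address check is the last gate on purpose: a reply that already fails the ID, port or question match is dropped regardless of policy, so the flag only decides the case the thread is about.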


