[dns-operations] Nameserver responses from different IP than destination of request

P Vixie paul at redbarn.org
Tue Sep 1 01:08:11 UTC 2020


On Mon, Aug 31, 2020 at 08:00:00PM +0200, Florian Weimer wrote:
> * Puneet Sood via dns-operations:
> 
> > We would be interested in hearing other operators' experience here.
> > Are recursive servers seeing similar behavior from authoritative
> > servers? If yes, are you discarding these responses?
> > Are there authoritative server operators who still need the
> > flexibility afforded by RFC 1035?
> 
> If I recall correctly, while helping to run an academic network I
> encountered this issue on the authoritative server side.  That was
> close to twenty years ago, and even back then, it did not occur to us
> to push the resolvers to accept these incorrectly sourced responses,
> instead of getting the authoritative server operator to fix their
> setup. ...

right. same. this misbehaviour is why we added logic to BIND4.9 to
reject wrong-sourced responses, both in the stub and full resolvers.

> ...  Or maybe I'm not correctly remembering things, and it wasn't
> DNS but Sun RPC.  (Hard to believe that even early BIND 4 didn't get
> this right, and what else could they have been running?)

early BIND assumed singly-homed servers, and later BSD kernels used
the interface address as the source address for unbound UDP sockets.
however, earlier (4.3BSD and earlier) kernels always used the first
configured interface as the source address for unbound UDP sockets,
and this broke _everything_ on multi-homed hosts. including Sun RPC,
NTP, DNS of course, and NFS. Sun's fix for this in late SunOS was to
ignore the source address of UDP responses because it was unreliable.
anyone using SunOS on a multi-homed server ended up switching to open
source versions of the affected protocols. it was a real mess, easily
on par with the .rhosts debacle that led to Sun's "fix" for the
gethostbyaddr() to have it call gethostbyname() on each returned name,
rather than doing this in ruserok() and similar. those were bad times.

> Anyway, in my current world, most recursive DNS servers operate behind
> some sort of stateful packet filter, so the server operators on their
> own cannot make these incorrectly sourced responses work because the
> systems under their direct control never receive them.

of the 27 million RDNS servers, 26.9 million of them are home gateways
with the oldest and worst DNS and kernel UDP implementations ever seen.
they do in fact need the relative safety of being behind stateful
firewalls. of the other ~100K, most are not behind stateful firewalls, and
about half are not behind anything other than a host-based firewall like
"pf". so i agree with your observation but i quibble with your method
of reaching your agreeable position.

-- 
Paul Vixie
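The resolver-side check the thread is about, as an added example that is not code from the thread, from BIND, or from any other resolver: a minimal stub builds a query in RFC 1035 wire format, then drops any UDP datagram whose source address and port are not the address the query was sent to, before it even looks at the transaction ID and question section. The addresses 192.0.2.1 and 192.0.2.2 and the sample replies are constructed for the demonstration.

```python
"""Resolver-side validation of UDP DNS responses: reject wrong-sourced replies.

Added example; not code from the thread, BIND, or any resolver. Wire format
per RFC 1035 section 4.1. Sample addresses and replies are constructed.
"""
import os
import socket
import struct


def encode_name(qname):
    """Encode a dotted name as DNS labels: 'example.com' -> b'\\x07example\\x03com\\x00'."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, txid=None):
    """Build a minimal query (QDCOUNT=1, RD=1, class IN) with a random 16-bit ID."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def response_is_acceptable(query, sent_to, response, received_from):
    """Decide whether a received datagram may be matched to an outstanding query.

    sent_to / received_from are (ip, port) tuples as used by sendto()/recvfrom().
    The first check is the one the thread discusses: a reply whose source
    address is not the address the query was sent to is dropped, whatever
    else it contains. The remaining checks are the usual ID, QR-bit and
    question matching a resolver applies on top of that. Returns (ok, reason).
    """
    if received_from != sent_to:
        return False, (f"source {received_from[0]}:{received_from[1]} is not "
                       f"query destination {sent_to[0]}:{sent_to[1]}")
    if len(response) < 12:
        return False, "shorter than a DNS header"
    if response[:2] != query[:2]:
        return False, "transaction ID mismatch"
    if not response[2] & 0x80:
        return False, "QR bit clear: this is a query, not a response"
    question = query[12:]
    # Compare the echoed question case-insensitively (0x20 case randomisation).
    if response[12:12 + len(question)].lower() != question.lower():
        return False, "question section does not echo the query"
    return True, "accepted"


def make_response(query, txid_override=None):
    """Constructed sample reply: echoes the query's ID and question, QR=1 RD=1 RA=1.
    No answer records are needed to exercise the source-address check."""
    txid = query[:2] if txid_override is None else struct.pack("!H", txid_override)
    return txid + struct.pack("!HHHHH", 0x8180, 1, 0, 0, 0) + query[12:]


def resolve_udp(qname, server, port=53, timeout=2.0):
    """Send one query over an unconnected UDP socket and keep reading until an
    acceptable reply arrives or the timeout expires (socket.timeout propagates).
    Not exercised offline; shown for where the check sits in a real resolver."""
    query = build_query(qname)
    dest = (server, port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, dest)
        while True:
            data, peer = s.recvfrom(4096)
            ok, reason = response_is_acceptable(query, dest, data, peer)
            if ok:
                return data
            print(f"dropped datagram from {peer[0]}:{peer[1]}: {reason}")


if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    dest = ("192.0.2.1", 53)  # constructed: stands in for one address of a multi-homed server
    for peer in (("192.0.2.1", 53), ("192.0.2.2", 53)):
        print(peer, response_is_acceptable(q, dest, make_response(q), peer))
```

Because the socket in `resolve_udp` is unconnected, `recvfrom` hands back datagrams from any peer, so the source check has to run at the point of receipt. Calling `connect()` on the UDP socket instead makes the kernel discard datagrams from other peers before user space sees them, which is the same effect a stateful packet filter produces in front of the resolvers Florian describes; the explicit check is what a resolver that multiplexes many queries over one socket needs.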
