[dns-operations] [Ext] Nameserver responses from different IP than destination of request
Brian Somers
bsomers at opendns.com
Sun Sep 6 04:30:55 UTC 2020
FWIW, OpenDNS resolvers have always ignored the response source address.
In light of this conversation and in light of RFC 2181 section 4 and RFC 5452
section 9.1, I’ll create a ticket to change this….
Unfortunately I have no statistics around how many responses we receive
from differing IPs.
—
Brian
> On Sep 2, 2020, at 12:38 AM, Thomas Mieslinger <miesi at mail.com> wrote:
>
> On 9/1/20 9:15 PM, Andreas Ott wrote:
>> On Mon, Aug 31, 2020 at 8:00 PM P Vixie <paul at redbarn.org
>> <mailto:paul at redbarn.org>> wrote:
>> [...] the observation that something
>>
>> bad is not happening to somebody doesn't mean it's not happening to
>> anybody.
>>
>> May I please ask an operational question to experts: though I am only
>> running a small number of authoritative and recursive servers, I am
>> coming up short looking up what logging I need to turn on in BIND 9.16
>> and what logged strings I need to parse out to see responses coming from
>> a different IP? I have various log channels enabled per the BIND logging
>> "FAQ" but either I am missing config bits or the problem does not occur
>> (on my servers). This is in a network lab setup and I am able to share data.
>
> I don't think this is implemented in a way needed for this kind of
> analysis in any recursive dns software.
>
> I have chosen to do dnscap on the interface with outgoing traffic and
> may do correlation of request/responses based on qname/qtype and look for
> mismatches in dst ip/src ip afterwards.
>
> Another option that comes to my mind is to tweak/reuse the collectd dns
> plugin which also opens the packetflow on a configurable interface with
> libpcap and may be able to do some online data correlation.
>
> Just my 5¢
>
> Thomas
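The offline correlation described in the quoted message, as an added example that is not code from the thread or from any resolver: it pairs each response with its query and reports responses whose source IP differs from the address the query was sent to. It assumes the datagrams were already extracted from a capture as (src, sport, dst, dport, payload) tuples, and it keys on client port and DNS ID in addition to qname/qtype; the function names and sample packets are constructed for illustration.

```python
import struct

def parse_question(payload):
    """Return (txid, is_response, qname, qtype), or None if not parseable."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n > 63 or pos + 1 + n > len(payload):  # pointer or truncated name
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    if qdcount != 1 or pos + 5 > len(payload):  # root label + QTYPE + QCLASS
        return None
    qtype, = struct.unpack("!H", payload[pos + 1:pos + 3])
    return txid, bool(flags & 0x8000), ".".join(labels) + ".", qtype

def find_mismatches(packets):
    """Return (qname, qtype, queried_ip, answering_ip) per mismatched response."""
    pending, hits = {}, []
    for src, sport, dst, dport, payload in packets:
        parsed = parse_question(payload)
        if parsed is None:
            continue
        txid, is_resp, qname, qtype = parsed
        if not is_resp:
            pending[(src, sport, txid, qname, qtype)] = dst  # remember server IP
            continue
        queried = pending.get((dst, dport, txid, qname, qtype))
        if queried is not None and queried != src:
            hits.append((qname, qtype, queried, src))
    return hits

def build(txid, qname, qtype, response=False):
    """Build a minimal DNS message for the constructed sample below."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".") if l)
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + name + b"\0" + struct.pack("!HH", qtype, 1)

# Constructed capture (documentation addresses); the second answer comes from another IP.
SAMPLE = [
    ("192.0.2.10", 40001, "198.51.100.53", 53, build(0x1A2B, "example.com", 1)),
    ("198.51.100.53", 53, "192.0.2.10", 40001, build(0x1A2B, "example.com", 1, True)),
    ("192.0.2.10", 40002, "198.51.100.53", 53, build(0x3C4D, "example.net", 28)),
    ("203.0.113.7", 53, "192.0.2.10", 40002, build(0x3C4D, "example.net", 28, True)),
]
```

On a long-running capture the pending table would also need entries expired after a timeout, which this example leaves out.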