[dns-operations] [Ext] Nameserver responses from different IP than destination of request

Puneet Sood puneets at google.com
Tue Sep 8 16:53:36 UTC 2020


There are 2 sets of nameservers which account for the bulk of this
behavior. I can share some of the nameserver IPs (that have a high
volume of responses from different IPs) directly with operators who
are interested in reviewing these further. Please contact me directly.

-Puneet


On Sun, Sep 6, 2020 at 12:36 AM Brian Somers <bsomers at opendns.com> wrote:
>
> FWIW, OpenDNS resolvers have always ignored the response source address.
>
> In light of this conversation and in light of RFC 2181 section 4 and RFC 5452
> section 9.1, I’ll create a ticket to change this….
>
> Unfortunately I have no statistics around how many responses we receive
> from differing IPs.
>
> Brian
>
> > On Sep 2, 2020, at 12:38 AM, Thomas Mieslinger <miesi at mail.com> wrote:
> >
> > On 9/1/20 9:15 PM, Andreas Ott wrote:
> >> On Mon, Aug 31, 2020 at 8:00 PM P Vixie <paul at redbarn.org
> >> <mailto:paul at redbarn.org>> wrote:
> >>    [...] the observation that something
> >>    bad is not happening to somebody doesn't mean it's not happening to
> >>    anybody.
> >>
> >> May I please ask an operational question to experts: though I am only
> >> running a small number of authoritative and recursive servers, I am
> >> coming up short looking up what logging I need to turn on in BIND 9.16
> >> and what logged strings I need to parse out to see responses coming from
> >> a different IP? I have various log channels enabled per the BIND logging
> >> "FAQ" but either I am missing config bits or the problem does not occur
> >> (on my servers). This is in a network lab setup and I am able to share data.
> >
> > I don't think this is implemented in a way needed for this kind of
> > analysis in any recursive dns software.
> >
> > I have chosen to do dnscap on the interface with outgoing traffic and
> > may do correlation of request/responses based on qname/qtype and look for
> > mismatches in dst ip/src ip afterwards.
> >
> > Another option that comes to my mind is to tweak/reuse the collectd dns
> > plugin which also opens the packetflow on a configurable interface with
> > libpcap and may be able to do some online data correlation.
> >
> > Just my 5¢
> >
> > Thomas
> >
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
>
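The capture-side correlation described in the quoted thread (match requests to responses on qname/qtype, then compare the query's destination IP with the response's source IP), as an added example that is not part of the original messages. It assumes the capture has already been reduced to (src_ip, src_port, dst_ip, dst_port, udp_payload) tuples, and it also keys on resolver address, port and DNS ID, which goes beyond the qname/qtype match mentioned in the thread; all addresses and packets are constructed sample data.

```python
import struct

def parse_question(payload):
    """Return (txid, is_response, qname, qtype) from the header and first question."""
    if len(payload) < 12 or payload[4:6] == b"\0\0":
        raise ValueError("not a DNS message with a question")
    txid, flags = struct.unpack("!HH", payload[:4])
    labels, pos = [], 12
    while payload[pos] != 0:
        length = payload[pos]
        if length > 63:  # compression pointers cannot appear in the first name
            raise ValueError("unexpected label type")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    (qtype,) = struct.unpack("!H", payload[pos + 1:pos + 3])
    return txid, bool(flags & 0x8000), ".".join(labels) + ".", qtype

def find_source_mismatches(packets):
    """packets: (src_ip, src_port, dst_ip, dst_port, udp_payload) in capture order."""
    pending, mismatches = {}, []
    for src_ip, sport, dst_ip, dport, payload in packets:
        try:
            txid, is_response, qname, qtype = parse_question(payload)
        except (ValueError, IndexError, struct.error):
            continue  # truncated or non-DNS payload
        if not is_response:
            pending[(src_ip, sport, txid, qname, qtype)] = dst_ip
            continue
        queried_ip = pending.get((dst_ip, dport, txid, qname, qtype))
        if queried_ip is not None and src_ip != queried_ip:
            mismatches.append((qname, qtype, queried_ip, src_ip))
    return mismatches

def build_message(txid, qname, qtype, response=False):
    """Constructed sample data: minimal DNS message with one IN-class question."""
    header = struct.pack("!HHHHHH", txid, 0x8400 if response else 0, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + name + b"\0" + struct.pack("!HH", qtype, 1)

RESOLVER = "192.0.2.53"  # constructed addresses from the documentation ranges
SAMPLE = [
    (RESOLVER, 40001, "198.51.100.1", 53, build_message(0x1A2B, "example.com.", 1)),
    ("198.51.100.1", 53, RESOLVER, 40001, build_message(0x1A2B, "example.com.", 1, True)),
    (RESOLVER, 40002, "198.51.100.2", 53, build_message(0x3C4D, "example.net.", 28)),
    ("203.0.113.9", 53, RESOLVER, 40002, build_message(0x3C4D, "Example.NET.", 28, True)),
]

if __name__ == "__main__":
    for qname, qtype, asked, answered in find_source_mismatches(SAMPLE):
        print(f"{qname} type {qtype}: queried {asked}, answered from {answered}")
```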



