[dns-operations] [Ext] Nameserver responses from different IP than destination of request

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 8 18:11:30 UTC 2020


On Tue, Sep 08, 2020 at 12:54:54PM -0400, John Levine wrote:

> In article <6f32301724d95a24777dbf993c28b0e35f9b8501.camel at powerdns.com> you write:
> >I cannot speak for any other piece of software, but the way PowerDNS
> >Recursor uses connected UDP sockets to talk to authoritatives means
> >that the kernel already drops responses from wrong addresses, ...
> 
> Seems to me that would be true for any software that uses the usual
> BSD or linux socket calls that match the host and port on received
> packets with recently sent ones. I'm having trouble figuring out how I
> would even arrange to receive replies from the wrong host short of
> using a raw socket that collected all incoming UDP packets, which
> would make it hard to run anything else that uses UDP on the same
> machine with the DNS client.

You're conflating binding the UDP socket which specifies the *local end*
of the UDP socket (and behaves as you describe) with the somewhat less
common practice of "connecting" the UDP socket (done by DNS resolvers of
various stripes) which then also limits the *remote peer* of the UDP
connection, and has the effect of:

    1. Also dropping traffic from unexpected peers (IP + UDP port)

    2. Returning EOF on receipt of network/port unreachable ICMP
       messages, alerting the local sender in a more timely
       manner that no reply is likely to come back.

The key phrase in the original text you replied to was "connected UDP
sockets" (an apparent, but not actual oxymoron).

-- 
    Viktor.
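The two effects listed above can be observed on a single host. The following is an added Python example, not code from the thread or from PowerDNS; it uses loopback UDP sockets as stand-ins for a resolver, the intended authoritative and an unexpected peer, and all addresses and payloads are constructed for the demonstration.

```python
import socket

def udp_socket(timeout=0.5):
    """UDP socket on an ephemeral loopback port (constructed test fixture)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(timeout)
    return s

def send_query(s, dest, connect):
    """connect() pins the remote IP:port; sendto() leaves the socket unconnected."""
    if connect:
        s.connect(dest)
        s.send(b"query")
    else:
        s.sendto(b"query", dest)

def received_payloads(connect):
    """Payloads a 'resolver' gets when the real peer and a stray peer both answer.
    Connected: the kernel drops the datagram from the wrong IP:port (point 1)."""
    auth_a, auth_b, resolver = udp_socket(), udp_socket(), udp_socket()
    try:
        send_query(resolver, auth_a.getsockname(), connect)
        _, client = auth_a.recvfrom(512)       # learn the resolver's address
        auth_b.sendto(b"unexpected", client)   # wrong source IP:port
        auth_a.sendto(b"genuine", client)      # matches the connected peer
        got = []
        try:
            while True:
                got.append(resolver.recv(512))
        except socket.timeout:
            pass
        return got
    finally:
        for s in (auth_a, auth_b, resolver):
            s.close()

def unreachable_outcome(connect):
    """Send to a closed loopback port. Connected: the ICMP port unreachable is
    reported as ECONNREFUSED on the next call (point 2); unconnected: silence."""
    victim = udp_socket()
    dead = victim.getsockname()
    victim.close()                              # nobody listens here any more
    probe = udp_socket()
    try:
        send_query(probe, dead, connect)
        probe.recv(512)
        return "reply"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    finally:
        probe.close()
```

On Linux and the BSDs the connected socket returns only the genuine reply and reports "refused", while the merely bound socket accepts both datagrams and waits out the timeout.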
