[dns-operations] [Ext] Nameserver responses from different IP than destination of request

Florian Weimer fw at deneb.enyo.de
Tue Sep 8 21:03:12 UTC 2020


* John Levine:

> In article <20200908181130.GD4758 at straasha.imrryr.org> you write:
>>> Seems to me that would be true for any software that uses the usual
>>> BSD or linux socket calls that match the host and port ...
>
>>You're conflating binding the UDP socket which specifies the *local end*
>>of the UDP socket (and behaves as you describe) with the somewhat less
>>common practice of "connecting" the UDP socket (done by DNS resolvers of
>>various stripes) which then also limits the *remote peer* ...
>
> Right, but I'd think that would be the usual way to do it. I suppose
> the alternative is for each request, pick a port, do a send using that
> port, then do a separate recv on the same port, but unless you're
> actively trying to work around the wrong IP bug, why would you do
> that?

It's the only way to get source port randomization on systems where
the kernel picks a predictive source port number when binding a
socket.  You keep open a few thousand sockets all the time and choose
one randomly to send the query.

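To make the distinction concrete, here is an added example (mine, not code from the thread or from any resolver) that reproduces the situation on loopback: a constructed "nameserver" receives a query on one socket but answers from another, which stands in for a reply arriving from a different address than the query was sent to. A pool of unconnected sockets, as Florian describes, delivers that reply and leaves the peer check to the application, while a connected socket has the kernel drop it; the pool also shows why the source port is unpredictable when a socket is chosen at random per query.

```python
import random
import socket

LOOPBACK = "127.0.0.1"   # everything runs on loopback; no real nameserver is contacted

def udp_socket(timeout=0.5):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((LOOPBACK, 0))        # port 0: the kernel assigns the ephemeral port
    s.settimeout(timeout)
    return s

def make_pool(size):
    """Keep `size` unconnected sockets open; each query picks one at random, so the
    source port is random even if the kernel allocates ports in a predictable order."""
    return [udp_socket() for _ in range(size)]

def exchange(client, server_addr, reply_from, listen, connected=False):
    """One constructed query/response. The 'nameserver' reads the query on `listen`
    but answers from `reply_from`, i.e. from a different address:port than the one
    the query went to. Returns (data, peer) or None if no reply was delivered."""
    payload = b"constructed-query"
    if connected:
        client.send(payload)                 # connected sockets must use send()
    else:
        client.sendto(payload, server_addr)
    _, client_addr = listen.recvfrom(512)
    reply_from.sendto(b"constructed-answer", client_addr)
    try:
        return client.recvfrom(512)
    except socket.timeout:
        return None

def demo(pool_size=64):
    listen, reply_from = udp_socket(), udp_socket()
    server_addr = listen.getsockname()
    pool = make_pool(pool_size)
    # 1. Unconnected pool socket: the reply from the "wrong" source is delivered,
    #    so the resolver itself has to compare the peer with where it sent the query.
    got = exchange(random.choice(pool), server_addr, reply_from, listen)
    peer_matches = got is not None and got[1] == server_addr
    # 2. Connected socket: the kernel filters by remote peer and silently drops
    #    the same reply; recvfrom() times out.
    connected = udp_socket()
    connected.connect(server_addr)
    got_connected = exchange(connected, server_addr, reply_from, listen, connected=True)
    distinct_ports = len({s.getsockname()[1] for s in pool})
    for s in pool + [listen, reply_from, connected]:
        s.close()
    return {"unconnected_received": got is not None, "peer_matches": peer_matches,
            "connected_received": got_connected is not None,
            "distinct_ports": distinct_ports}
```

The `peer_matches` check is the application-level replacement for what `connect()` would otherwise do in the kernel; a resolver using the pool approach must perform it (and the usual transaction-ID and question checks) before accepting an answer.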