[dns-operations] [Ext] Nameserver responses from different IP than destination of request

Puneet Sood puneets at google.com
Tue Sep 8 21:08:20 UTC 2020


On Tue, Sep 8, 2020 at 5:00 PM John Levine <johnl at taugh.com> wrote:
>
> In article <20200908181130.GD4758 at straasha.imrryr.org> you write:
> >> Seems to me that would be true for any software that uses the usual
> >> BSD or linux socket calls that match the host and port ...
>
> >You're conflating binding the UDP socket which specifies the *local end*
> >of the UDP socket (and behaves as you describe) with the somewhat less
> >common practice of "connecting" the UDP socket (done by DNS resolvers of
> >various stripes) which then also limits the *remote peer* ...
>
> Right, but I'd think that would be the usual way to do it. I suppose
> the alternative is for each request, pick a port, do a send using that
> port, then do a separate recv on the same port, but unless you're
> actively trying to work around the wrong IP bug, why would you do
> that?

A single recursive resolver process can make a large number of
outbound requests to thousands (if not more) of nameservers. Keeping
one socket for each unique combination of (resolver IP, nameserver IP)
becomes expensive in such an environment. Using more than one resolver
IP provides additional entropy for the queries.

-Puneet

>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
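The connected-versus-unconnected UDP socket behaviour discussed in this thread, as an added example (not code from any poster or resolver): a stand-in nameserver receives the query on one socket but answers from a second one, standing in for a server that replies from a different address than the one queried. A second loopback port is used instead of a second IP because only one loopback address is portable; the query builder and names are constructed for the demo.

```python
import socket
import struct


def make_query(qname: str, txid: int) -> bytes:
    """Minimal DNS A/IN query, constructed for this demo (no EDNS, no compression)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def resolve_once(connect: bool, timeout: float = 0.5) -> tuple:
    """Send one query to a stand-in nameserver that replies from a second socket,
    i.e. from a different peer than the one the query went to.  Returns
    (status, peer): "timeout" when the kernel filtered the reply (connected
    socket), "mismatch" when it arrived from an unexpected peer (unconnected
    socket, so the resolver must verify the source itself), "ok" only when
    the reply came from the queried peer."""
    def udp():
        return socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener, replier, client = udp(), udp(), udp()
    try:
        listener.bind(("127.0.0.1", 0))   # the address:port the resolver queries
        replier.bind(("127.0.0.1", 0))    # the address:port the reply really comes from
        listener.settimeout(timeout)
        client.settimeout(timeout)
        ns_addr = listener.getsockname()
        query = make_query("example.test", txid=0x1234)
        if connect:
            client.connect(ns_addr)        # kernel now drops datagrams from other peers
            client.send(query)
        else:
            client.sendto(query, ns_addr)  # any peer can deliver into this socket
        data, client_addr = listener.recvfrom(512)
        reply = data[:2] + b"\x81\x80" + data[4:]  # set QR/RA, keep txid and question
        replier.sendto(reply, client_addr)
        try:
            data, peer = client.recvfrom(512)
        except socket.timeout:
            return ("timeout", None)
        if data[:2] != query[:2]:
            return ("bad-txid", peer)
        return ("ok", peer) if peer == ns_addr else ("mismatch", peer)
    finally:
        for s in (listener, replier, client):
            s.close()


if __name__ == "__main__":
    print("connected:  ", resolve_once(connect=True))
    print("unconnected:", resolve_once(connect=False))
```

With the connected socket the mismatched reply never reaches user space, which is why such resolvers see the "wrong IP" nameservers as unresponsive; with the unconnected socket the reply is delivered and the source check in the resolver is the only thing that rejects it.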
