[dns-operations] [Ext] Nameserver responses from different IP than destination of request

Mark Andrews marka at isc.org
Wed Sep 9 00:15:49 UTC 2020



> On 9 Sep 2020, at 07:08, Puneet Sood via dns-operations <dns-operations at dns-oarc.net> wrote:
> 
> 
> From: Puneet Sood <puneets at google.com>
> Subject: Re: [dns-operations] [Ext] Nameserver responses from different IP than destination of request
> Date: 9 September 2020 at 07:08:20 AEST
> To: John Levine <johnl at taugh.com>
> Cc: dns-operations <dns-operations at dns-oarc.net>
> 
> 
> On Tue, Sep 8, 2020 at 5:00 PM John Levine <johnl at taugh.com> wrote:
>> 
>> In article <20200908181130.GD4758 at straasha.imrryr.org> you write:
>>>> Seems to me that would be true for any software that uses the usual
>>>> BSD or linux socket calls that match the host and port ...
>> 
>>> You're conflating binding the UDP socket which specifies the *local end*
>>> of the UDP socket (and behaves as you describe) with the somewhat less
>>> common practice of "connecting" the UDP socket (done by DNS resolvers of
>>> various stripes) which then also limits the *remote peer* ...
>> 
>> Right, but I'd think that would be the usual way to do it. I suppose
>> the alternative is for each request, pick a port, do a send using that
>> port, then do a separate recv on the same port, but unless you're
>> actively trying to work around the wrong IP bug, why would you do
>> that?
> 
> A single recursive resolver process can make a large number of
> outbound requests to thousands (if not more) of nameservers. Keeping
> one socket for each unique combination of (resolver IP, nameserver IP)
> becomes expensive in such an environment. Using more than one resolver
> IP provides additional entropy for the queries.

Which in part is why I came up with DNS COOKIES.  As long as the server
supports DNS COOKIE you can use a single socket and have more than enough
entropy to defeat off path attacks.  You can fall back to using separate
sockets for servers that don’t support DNS COOKIES.

> -Puneet
> 
>> 
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
