dns query id not changing
Adam Denenberg
straightflush at gmail.com
Fri Dec 17 15:24:03 UTC 2004
yeah i understand it will be reused. My issue is that in the
application, every time i run tcpdump and check, the 3rd request for a
certain A record is always the same as the 2nd (same Transaction ID).=20
So my conern is why the resolver is doing this. This is reproducable
behavior and is inconsistent with the way other queries are run.
I wrote a small test script to do a gethostbyname_r() in a for loop of
100 queries and this never happens. However in the application
(pam_ldap/nss_ldap) the 3rd Transaction ID is always the same as the
2nd.
i am trying to find the cause of this behavior, b/c it is breaking the
applicatoin when dns requests traverse the FW.
thanks
adam
On Fri, 17 Dec 2004 07:13:38 +0000 (UTC), phn at icke-reklam.ipsec.nu
<phn at icke-reklam.ipsec.nu> wrote:
> Adam Denenberg <straightflush at gmail.com> wrote:
> > Well the issue is that that same "tuple" is coming in as the firewall
> > is tearing down the connection. The firewall needs about 60ms for the
> > connection to expire according to Cisco.
>=20
> > I agree that there is definitely an issue with the firewall, but it
> > was also my understadning the resolver used random query IDs for each
> > request. Out of nowhere, the resolver appears to re-use a query ID
> > that it just used in a very short span (20ms) and it confuses the
> > firewall b/c the firewall has not torn down the previous connection.
> > Shouldnt this behavior be somewhat consistent?
>=20
> > We have an application (pam_ldap) that needs to make 3 or 4 DNS
> > requests. The 3rd dns request is _always_ using the same ID as the 2nd
> > DNS request and occurs in about 10ms before the firewall has torn down
> > the original connection and thus causes a timeout (the FW drops it).
>=20
> > I guess what i am trying to figure out is why the behavior of the
> > resolver for creating a query ID is not consistent. It should either
> > reuse the same one, or create totally random ones. It is doing a
> > little bit of both and thus breaking the app.
>=20
> As this id os a 16-bit value it will be reused fast.
>=20
> Do as others suggested, fix the pix! Change vendor if needed.
>=20
> --
> Peter H=E5kanson
> IPSec Sverige ( At Gothenburg Riverside )
> Sorry about my e-mail address, but i'm trying to keep spam out=
,
> remove "icke-reklam" if you feel for mailing me. Thanx.
>=20
>
More information about the bind-users
mailing list