Same source port queries dropped by ServerIron load balancer
Kevin Darcy
kcd at chrysler.com
Thu Apr 1 19:00:42 UTC 2010
On 4/1/2010 12:37 AM, Mark Andrews wrote:
> In message <4BB1C63B.30402 at ies.etisalat.ae>, Abdulla Bushlaibi writes:
>
>> We are facing query drops when using the dnsperf tool from ISC to test the DNS
>> service via the load balancer. Multiple queries from the same source port
>> are being partially dropped by the load balancer, and as per the load
>> balancer vendor's feedback, this is a security feature and this situation
>> doesn't happen in real-life scenarios.
>>
>> In most cases, clients generate a unique random source port for
>> each DNS query; however, we are not sure about the option of reusing the
>> same source port for multiple queries and how it applies in real-life
>> scenarios.
>>
>> Appreciate your comment on this subject.
>>
>> --
>> Abdulla Ahmad Bushlaibi
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
> A load balancer that cannot cope with multiple outstanding queries
> that have the same source port is broken. A server (and that
> includes any load balancer in front of it) should not care about
> the source port.
>
>
Re-use of source ports for DNS queries is a bad security practice. I
cast my vote in favor of penalizing it, in the default configuration of
any device that responds to DNS requests.
- Kevin
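One way to find out whether clients on your own network actually reuse source ports, which is the factual question behind this thread: an added example, not code from this post or from ISC/BIND, that parses BIND querylog-style lines (the `client IP#port: query:` format) and reports per-client source-port reuse. The sample log lines, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# BIND querylog line shape assumed here (constructed sample, not from the thread):
#   client 192.0.2.10#33456: query: www.example.com IN A + (192.0.2.1)
QUERYLOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: one client with random ports, one stuck on port 53, one mixed.
SAMPLE_LOG = """\
01-Apr-2010 12:00:01.001 client 192.0.2.10#33456: query: www.example.com IN A + (192.0.2.1)
01-Apr-2010 12:00:01.002 client 192.0.2.10#51022: query: mail.example.com IN MX + (192.0.2.1)
01-Apr-2010 12:00:01.003 client 192.0.2.10#60917: query: ns1.example.com IN AAAA + (192.0.2.1)
01-Apr-2010 12:00:02.001 client 198.51.100.7#53: query: www.example.com IN A + (192.0.2.1)
01-Apr-2010 12:00:02.002 client 198.51.100.7#53: query: example.org IN A + (192.0.2.1)
01-Apr-2010 12:00:02.003 client 198.51.100.7#53: query: example.net IN A + (192.0.2.1)
01-Apr-2010 12:00:03.001 client 203.0.113.5#1025: query: example.com IN A + (192.0.2.1)
01-Apr-2010 12:00:03.002 client 203.0.113.5#1026: query: example.com IN A + (192.0.2.1)
01-Apr-2010 12:00:03.003 client 203.0.113.5#1025: query: example.org IN A + (192.0.2.1)
"""

def parse_querylog(text):
    """Yield (client_ip, source_port) for each line matching the querylog format."""
    for line in text.splitlines():
        m = QUERYLOG_RE.search(line)
        if m:
            yield m.group("ip"), int(m.group("port"))

def port_reuse_report(text, min_queries=3):
    """Per client: query count, distinct source ports, and the share of queries
    that reused a port already seen from that client. Clients with fewer than
    min_queries lines are skipped; reuse cannot be judged from one or two packets."""
    ports_by_client = defaultdict(list)
    for ip, port in parse_querylog(text):
        ports_by_client[ip].append(port)
    report = {}
    for ip, ports in ports_by_client.items():
        if len(ports) < min_queries:
            continue
        distinct = len(set(ports))
        report[ip] = {"queries": len(ports), "distinct_ports": distinct,
                      "reuse_ratio": round((len(ports) - distinct) / len(ports), 2)}
    return report

def fixed_port_clients(text, min_queries=3):
    """Clients that sent every query from a single source port: the pattern the
    load balancer in the thread penalises and that Kevin calls bad practice."""
    return sorted(ip for ip, r in port_reuse_report(text, min_queries).items()
                  if r["distinct_ports"] == 1)
```

Run it over a real querylog (BIND's `querylog yes` or `rndc querylog`) to see whether the vendor's "doesn't happen in real life" claim holds for your client population.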