Same source port queries dropped by ServerIron load balancer
Kevin Darcy
kcd at chrysler.com
Mon Apr 5 22:25:42 UTC 2010
On 3/30/2010 5:36 AM, Abdulla Bushlaibi wrote:
> We are facing query drops by using dnsperf tool from ISC testing the
> DNS service via load balancer. Multiple queries from the same source
> port are being dropped partially by the load balancer and as per the
> load balancer vendor feedback, this is a security feature and this
> situation doesn't happen in real-life scenarios.
Actually, a thought occurred to me: if they're really trying to improve
the security of the DNS infrastructure by depriving source-port-reusing
clients of usable answers, then the absolute *worst* thing they can do
is *drop* the query. By not competing with forged answers to the same
question, such behavior increases the chance that the client's cache
will get poisoned.
A nice quick REFUSED response would make pretty much the same point
without recklessly endangering the client.
SERVFAIL would accomplish more-or-less the same thing, and persist
longer, and thus inflict more pain, but is not really the appropriate
response to give.
Bogus NXDOMAINs or NODATAs would be outright lies, but at least would
offer a granular way to inflict pain, either on a time basis or per
individual client.
- Kevin
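As an added example (not from the thread, and not ServerIron or BIND code), the following Python shows what the "quick REFUSED response" Kevin suggests looks like on the wire: a middlebox that wants to reject a query still echoes the transaction ID and question so the client can immediately match and discard it, rather than leaving it waiting. It assumes a single-question, uncompressed query and constructs its own sample query.

```python
import struct

# RCODE values from RFC 1035 section 4.1.1, the ones discussed in the post
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3
RCODE_REFUSED = 5


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample: a minimal standard query (QR=0, RD=1, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def question_length(msg: bytes) -> int:
    """Byte length of the first question section (QNAME + QTYPE + QCLASS)."""
    pos = 12
    while True:
        n = msg[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0:  # compression pointers are not expected in a query QNAME
            raise ValueError("compressed name in question")
        pos += 1 + n
    return pos + 4 - 12


def refuse(query: bytes, rcode: int = RCODE_REFUSED) -> bytes:
    """Build the explicit negative reply the post recommends instead of a silent drop.

    Echoes the transaction ID, opcode and RD bit, sets QR=1 and the given RCODE,
    and copies the question section verbatim so the client can match the reply.
    """
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    opcode_rd = flags & 0x7900          # keep opcode (bits 11-14) and RD (bit 8)
    resp_flags = 0x8000 | opcode_rd | (rcode & 0x000F)
    qlen = question_length(query)
    return struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0) + query[12:12 + qlen]


def parse_reply(resp: bytes) -> dict:
    """Decode the header fields a client checks before trusting a reply."""
    txid, flags = struct.unpack("!HH", resp[:4])
    return {"id": txid, "qr": bool(flags & 0x8000),
            "rd": bool(flags & 0x0100), "rcode": flags & 0x000F}
```

Because the reply carries the same ID and question as the query, the client resolves that outstanding transaction at once, which is the point of the post: a rejected query that is answered is closed, while one that is dropped stays open.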