dns replies differ in src IP from query's dst IP (Bug?)

James Griffin agriffin at cpcug.org
Wed Nov 21 15:06:23 UTC 2001


Guy Pazi wrote:
> 
> Thanks Mark, it's been of great help.
> Just to make sure I understood. It has nothing to do with NS implementation
> but rather with the IP stack?
> Thanks again
> Guy
> 

About 2 or 3 years ago, I came across this sort of a problem with a .gov
website.  The site was running on a multi-homed NT server.  Microsoft
eventually published a "fix"/workaround.  I do not remember the details,
but if your problem site is running an (old unpatched) NT server, you
may want to check the KB.

It is definitely an IP stack implementation issue, at least in the case
of older Microsoft server code; nothing to do with BIND or ISS for that
matter.

Jim

PS The .gov site "fixed" the problem before Microsoft published theirs
by the simple expedient of removing the second NIC card and deleting the
routing entry for that interface on the NT server.  In other words, they
let their Cisco routers handle the routing.

> > -----Original Message-----
> > From: marka at isc.org [mailto:marka at isc.org]On Behalf Of
> > Mark.Andrews at isc.org
> > Sent: Wednesday, 21 November, 2001 2:34 PM
> > To: Guy Pazi
> > Cc: bind-users at isc.org
> > Subject: Re: dns replies differ in src IP from query's dst IP (Bug?)
> >
> >
> >
> > >
> > > Hi,
> > > I've seen the following paragraph in rfc 1035:
> > > "- Some name servers send their responses from different
> > addresses than the
> > > one used to receive the query.  That is, a resolver cannot rely that a
> > > response will come from the same address, which it sent the
> > corresponding
> > > query to. This name server bug is typically encountered in UNIX
> > systems."
> > >
> > > I couldn't find which NSs' implementations enable this kind of
> > behavior, and
> > > if this is user configurable.
> >
> >       No.  It is not user configurable.  It is undesired behaviour
> >       brought about by limitations of the IP stack of the host
> >       machine or by not using the capabilities of the IP stack
> >       properly to ensure that reply packets have the correct source
> >       address and port.
> >
> > > I'm interested in the behavior of popular NSs' implementations (bind and
> > > others).
> > >
> > > P.S. whoever knows about this "bug": is the IP used to reply to
> > dns queries
> > > typically used for listening to queries as well?
> >
> >       It doesn't have to be.
> >
> > > I.e. is the resolver
> > > issuing the query aware of the IP used for reply as an
> > additional IP of
> > > the NS in question?
> >
> >       Not always.
> >
> > > Thanks
> > > Guy
> > --
> > Mark Andrews, Internet Software Consortium
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
> >
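The stack behaviour Mark describes can be reproduced and fixed on a single Linux host. The following is an added example, not code from this thread or from BIND: a UDP server bound to the wildcard address answers with plain sendto(), so the kernel picks the reply's source address by routing to the peer rather than by the address the query arrived on; the corrected server enables IP_PKTINFO, reads the query's destination address from the ancillary data and forces it as the reply's source. It assumes Linux (IP_PKTINFO, value 8, and the whole 127/8 block being local on the loopback interface), uses the constructed addresses 127.0.0.1 for the client and 127.0.0.2 for the server, and a constructed query payload.

```python
import socket
import struct
import threading

# Linux value of IP_PKTINFO; recent Pythons expose it, the fallback is an assumption.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO_FMT = "I4s4s"                      # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)  # 12 bytes


def serve_one(sock, use_pktinfo):
    """Answer a single datagram on an already bound, wildcard UDP socket."""
    if not use_pktinfo:
        # Naive server: sendto() lets the kernel choose the source address by
        # routing towards the peer, ignoring which local address the query hit.
        data, peer = sock.recvfrom(512)
        sock.sendto(data, peer)
        return
    # Fixed server: recover the destination address the query was sent to ...
    data, ancdata, _flags, peer = sock.recvmsg(512, socket.CMSG_SPACE(PKTINFO_LEN))
    arrived_on = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, arrived_on = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
    if arrived_on is None:          # no ancillary data: degrade to the naive path
        sock.sendto(data, peer)
        return
    # ... and hand it back as ipi_spec_dst so the reply is sourced from it.
    pktinfo = struct.pack(PKTINFO_FMT, 0, arrived_on, b"\0" * 4)
    sock.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)


def exchange(use_pktinfo, server_ip="127.0.0.2", client_ip="127.0.0.1"):
    """Send one query from client_ip to server_ip; return the reply's source IP."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.settimeout(3)
    srv.bind(("0.0.0.0", 0))        # wildcard bind, as a multi-homed server would
    if use_pktinfo:
        srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    port = srv.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(srv, use_pktinfo))
    worker.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(3)
    cli.bind((client_ip, 0))
    try:
        cli.sendto(b"\x12\x34 constructed query", (server_ip, port))  # constructed payload
        _data, reply_from = cli.recvfrom(512)
    finally:
        worker.join()
        cli.close()
        srv.close()
    return reply_from[0]


def reply_is_consistent(use_pktinfo, server_ip="127.0.0.2"):
    """Resolver-side check: did the reply come from the address we queried?"""
    return exchange(use_pktinfo, server_ip) == server_ip


if __name__ == "__main__":
    for fixed in (False, True):
        label = "IP_PKTINFO" if fixed else "naive     "
        print(label, "server: query sent to 127.0.0.2, reply came from", exchange(fixed))
```

Run as a script: the naive server's reply arrives from 127.0.0.1 although the query went to 127.0.0.2, which is exactly the mismatch a strict resolver drops; with IP_PKTINFO the reply is sourced from 127.0.0.2. Binding one socket per interface address instead of the wildcard is the other common way to get the same effect.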