Same source port queries dropped by ServerIron load balancer

Mark Andrews marka at isc.org
Thu Apr 1 23:04:27 UTC 2010


In message <4BB4ED5A.20806 at chrysler.com>, Kevin Darcy writes:
> On 4/1/2010 12:37 AM, Mark Andrews wrote:
> > In message<4BB1C63B.30402 at ies.etisalat.ae>, Abdulla Bushlaibi writes:
> >    
> >> We are facing query drops by using dnsperf tool from ISC testing the DNS
> >> service via load balancer. Multiple queries from the same source port
> >> are being dropped partially by the load balancer and as per the load
> >> balancer vendor feedback, this is a security feature and this situation
> >> doesn't happen in real life scenarios.
> >>
> >> In most cases, clients are generating unique random source ports for
> >> each DNS query, however we are not sure about the option of reusing the
> >> same source port for multiple queries and how it applies in real life
> >> scenarios.
> >>
> >> Appreciate your comment on this subject.
> >>
> >> -- 
> >> Abdulla Ahmad Bushlaibi
> >>
> >> _______________________________________________
> >> bind-users mailing list
> >> bind-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
> >>      
> > A load balancer that cannot cope with multiple outstanding queries
> > that have the same source port is broken.  A server (and that
> > includes any load balancer in front of it) should not care about
> > the source port.

It's only "bad practice" if you are not using other methods to prevent
spoofing attacks succeeding.  A load balancer should work with all traffic
patterns.

> Re-use of source ports for DNS queries is a bad security practice. I 
> cast my vote in favor of penalizing it, in the default configuration of 
> any device that responds to DNS requests.
> 
>                                              - Kevin
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
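A way to reproduce the check the original poster describes (many outstanding queries from one source port, distinguished only by transaction ID) is shown below. This is an added example, not code from the thread or from dnsperf; the server address 192.0.2.1 is a documentation placeholder for the load balancer VIP under test.

```python
import random
import socket
import struct


def build_query(txid, qname, qtype=1):
    """Build a minimal DNS query: RD=1, one question, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def response_txid(data):
    """Return the transaction ID of a DNS response, or None if the datagram is not a response."""
    if len(data) < 12:
        return None
    txid, flags = struct.unpack(">HH", data[:4])
    if not flags & 0x8000:  # QR bit must be set on a response
        return None
    return txid


def match_responses(sent_txids, datagrams):
    """Match replies to outstanding queries by transaction ID; return (answered, dropped)."""
    outstanding = set(sent_txids)
    answered = 0
    for d in datagrams:
        t = response_txid(d)
        if t in outstanding:
            outstanding.discard(t)
            answered += 1
    return answered, len(sent_txids) - answered


def probe_same_port(server, qnames, timeout=2.0):
    """Send every query from ONE bound UDP socket (same source port), then collect the replies."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", 0))  # one ephemeral port shared by all queries in this run
    txids = random.sample(range(1, 65536), len(qnames))
    for txid, name in zip(txids, qnames):
        sock.sendto(build_query(txid, name), (server, 53))
    sock.settimeout(timeout)
    received = []
    try:
        while len(received) < len(qnames):
            received.append(sock.recv(4096))
    except socket.timeout:
        pass
    return match_responses(txids, received)


if __name__ == "__main__":
    # 192.0.2.1 is a placeholder (assumed address): point it at the load balancer VIP being tested
    answered, dropped = probe_same_port("192.0.2.1", ["example.com."] * 20)
    print(f"answered={answered} dropped={dropped}")
```

A non-zero dropped count against a server that answers every query when each is sent from its own socket indicates the same-source-port filtering the vendor described.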