Same source port queries dropped by ServerIron load balancer

Kevin Darcy kcd at chrysler.com
Mon Apr 5 22:25:42 UTC 2010


On 3/30/2010 5:36 AM, Abdulla Bushlaibi wrote:
> We are facing query drops by using dnsperf tool from ISC testing the
> DNS service via load balancer. Multiple queries from the same source
> port are being dropped partially by the load balancer and as per the
> load balancer vendor feedback, this is a security feature and this
> situation doesn't happen in real life scenarios.
Actually, a thought occurred to me: if they're really trying to improve 
the security of the DNS infrastructure by depriving source-port-reusing 
clients of usable answers, then the absolute *worst* thing they can do 
is *drop* the query. By not competing with forged answers to the same 
question, such behavior increases the chance that the client's cache 
will get poisoned.

A nice quick REFUSED response would make pretty much the same point 
without recklessly endangering the client.

SERVFAIL would accomplish more-or-less the same thing, and persist 
longer, and thus inflict more pain, but is not really the appropriate 
response to give.

Bogus NXDOMAINs or NODATAs would be outright lies, but at least would 
offer a granular way to inflict pain, either on a time basis or per 
individual client.

                                                                         
                                                                         
     - Kevin
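The race Kevin describes, as an added worked example (not part of the original post, and not code from any resolver or load balancer vendor): a resolver keeps a query outstanding until a matching reply arrives or it times out, and every forged reply that lands in that window gets one guess at the (source port, transaction ID) pair. A prompt REFUSED closes the window after one round trip; a silent drop leaves it open until the resolver's own timeout. The RTT, timeout, forged-packet rate and the 16-bit port entropy are constructed assumptions, chosen only to make the comparison concrete; the model also covers the random-source-port case so the effect of port reuse can be seen alongside the effect of dropping.

```python
"""Risk model for the poisoning race discussed above (added example, not from
the original post). All timing, rate and entropy figures are assumptions."""
from dataclasses import dataclass

ID_BITS = 16     # DNS transaction ID width
PORT_BITS = 16   # assumption: treat a randomised ephemeral port as ~16 random bits


@dataclass(frozen=True)
class Scenario:
    reuses_source_port: bool    # the client behaviour the load balancer objects to
    server_reply: str           # "REFUSED" (prompt negative reply) or "drop" (silence)
    rtt_ms: float = 30.0        # assumption: round trip to the server
    timeout_ms: float = 2000.0  # assumption: resolver abandons the query after this


def guess_space(s: Scenario) -> int:
    """Distinct (port, ID) combinations a forged reply has to match."""
    bits = ID_BITS + (0 if s.reuses_source_port else PORT_BITS)
    return 1 << bits


def open_window_ms(s: Scenario) -> float:
    """How long the query stays outstanding, i.e. keeps accepting a matching reply."""
    if s.server_reply == "drop":
        return s.timeout_ms   # nothing closes the query except the timeout
    if s.server_reply == "REFUSED":
        return s.rtt_ms       # the genuine reply closes it after one round trip
    raise ValueError(f"unknown server_reply {s.server_reply!r}")


def poison_probability(s: Scenario, forged_pps: float) -> float:
    """Chance that at least one forged reply matches before the window closes.
    Each forged packet is modelled as an independent uniform guess over guess_space(s)."""
    guesses = forged_pps * open_window_ms(s) / 1000.0
    miss = 1.0 - 1.0 / guess_space(s)
    return 1.0 - miss ** guesses


def exposure_ratio(s: Scenario, forged_pps: float) -> float:
    """How many times more likely poisoning becomes when the server drops the
    query instead of answering REFUSED, everything else held equal."""
    drop = poison_probability(
        Scenario(s.reuses_source_port, "drop", s.rtt_ms, s.timeout_ms), forged_pps)
    refused = poison_probability(
        Scenario(s.reuses_source_port, "REFUSED", s.rtt_ms, s.timeout_ms), forged_pps)
    return drop / refused


if __name__ == "__main__":
    rate = 10_000.0  # assumption: forged replies per second reaching the resolver
    for port_reuse in (True, False):
        for reply in ("REFUSED", "drop"):
            s = Scenario(port_reuse, reply)
            print(f"port reuse={str(port_reuse):5} reply={reply:7} "
                  f"P(poison)={poison_probability(s, rate):.6f}")
    print(f"drop vs REFUSED, fixed port: x{exposure_ratio(Scenario(True, 'REFUSED'), rate):.1f}")
```

With the assumed figures, dropping the query rather than answering REFUSED multiplies the poisoning chance by roughly the timeout-to-RTT ratio (a bit under it, because the probability saturates), which is the quantitative form of the point that silence does not compete with forged answers. The random-source-port rows show the separate, much larger effect of not reusing a source port.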




