bind used as resolver: matching the source ip
Mukund Sivaraman
muks at isc.org
Fri Aug 19 06:27:03 UTC 2016
On Thu, Aug 18, 2016 at 11:27:01AM +0200, pm8pm8 at t-online.de wrote:
> Dear all,
>
> As far as I understand, BIND is not only used for authoritative name
> servers, but is also often used as a (recursive) resolver.
> When receiving a response to a DNS query, does BIND match the source ip of
> the response to the destination ip of the query and discard the response if
> they do not match? Does it match the ports?
> I.e. apart from checking
> query.transactionID == response.transactionID
> does BIND check for
> query.destinationIP == response.sourceIP
> and
> query.destinationPort == response.sourcePort?
> Can you point me to the function in the source code where this check does
> or does not happen?
Yes, otherwise offpath cache poisoning would be possible. BIND as
resolver not only matches source port, but also the question and DNS
cookie among other things.
You should be able to find the address and port matching code somewhere
within lib/dns/dispatch.c. Question and cookie matching code should be
found in lib/dns/resolver.c.
Mukund
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160819/25d377f3/attachment.bin>
More information about the bind-users
mailing list