Or just check the RFCs. https://www.ietf.org/rfc/rfc5452.txt

- Kevin

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mukund Sivaraman
Sent: Friday, August 19, 2016 2:27 AM
To: pm8...@t-online.de
Cc: bind-users@lists.isc.org
Subject: Re: bind used as resolver: matching the source ip

On Thu, Aug 18, 2016 at 11:27:01AM +0200, pm8...@t-online.de wrote:
> Dear all,
>
> As far as I understand, BIND is not only used for authoritative name
> servers, but is also often used as a (recursive) resolver.
> When receiving a response to a DNS query, does BIND match the source
> ip of the response to the destination ip of the query and discard the
> response if they do not match? Does it match the ports?
> I.e. apart from checking
> query.transactionID == response.transactionID does BIND check for
> query.destinationIP == response.sourceIP and query.destinationPort ==
> response.sourcePort?
> Can you point me to the function in the source code where this check
> does or does not happen?

Yes, otherwise off-path cache poisoning would be possible. BIND as resolver not only matches source port, but also the question and DNS cookie among other things.

You should be able to find the address and port matching code somewhere within lib/dns/dispatch.c. Question and cookie matching code should be found in lib/dns/resolver.c.

		Mukund

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
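The reply-matching rules discussed in the thread, as an added Python example that is not from the list post or from BIND's own lib/dns code: it models the per-query state a resolver keeps and rejects a reply unless the source address, source port, transaction ID, QR bit and question section all match the outstanding query. The packet builder, the `PendingQuery` record and the addresses are constructed for the example; DNS cookie matching is not modelled.

```python
import struct
from collections import namedtuple

# What the resolver remembers about a query it sent out (constructed model;
# qname is normalised to lower case with a trailing dot).
PendingQuery = namedtuple("PendingQuery", "txid dst_ip dst_port qname qtype qclass")

def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".") if l) + b"\x00"

def build_message(txid, qname, qtype, qclass, response=True) -> bytes:
    """Header plus one question; used here only to construct sample packets."""
    flags = 0x8180 if response else 0x0100          # QR/RD/RA set for a reply
    return (struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, qclass))

def parse_question(msg: bytes):
    """Return (txid, is_response, qname, qtype, qclass); ValueError if malformed."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while off < len(msg) and msg[off] != 0:
        ln = msg[off]
        if ln & 0xC0 or off + 1 + ln > len(msg):
            raise ValueError("bad label")            # no compression pointers here
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii").lower())
        off += 1 + ln
    if off + 5 > len(msg):                           # need root label + type + class
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off + 1:off + 5])
    return txid, bool(flags & 0x8000), ".".join(labels) + ".", qtype, qclass

def response_matches(pending: PendingQuery, src_ip: str, src_port: int, msg: bytes):
    """Apply the address/port, ID and question checks in order; return (accepted, reason)."""
    if (src_ip, src_port) != (pending.dst_ip, pending.dst_port):
        return False, "reply source address/port != query destination"
    try:
        txid, is_resp, qname, qtype, qclass = parse_question(msg)
    except ValueError as e:
        return False, f"malformed: {e}"
    if not is_resp or txid != pending.txid:
        return False, "QR bit or transaction ID mismatch"
    if (qname, qtype, qclass) != (pending.qname, pending.qtype, pending.qclass):
        return False, "question section mismatch"
    return True, "accepted"
```

A real resolver also has to pick the transaction ID and source port unpredictably for these checks to be worth anything; the function only shows the matching side.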