Or just check the RFCs.
https://www.ietf.org/rfc/rfc5452.txt
- Kevin
-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mukund
Sivaraman
Sent: Friday, August 19, 2016 2:27 AM
To: pm8...@t-online.de
Cc: bind-users@lists.isc.org
Subject: Re: bind used as resolver: matching the source ip
On Thu, Aug 18, 2016 at 11:27:01AM +0200, pm8...@t-online.de wrote:
> Dear all,
>
> As far as I understand, BIND is not only used for authoritative name
> servers, but is also often used as a (recursive) resolver.
> When receiving a response to a DNS query, does BIND match the source
> ip of the response to the destination ip of the query and discard the
> response if they do not match? Does it match the ports?
> I.e. apart from checking
> query.transactionID == response.transactionID does BIND check for
> query.destinationIP == response.sourceIP and query.destinationPort ==
> response.sourcePort?
> Can you point me to the function in the source code where this check
> does or does not happen?
Yes, otherwise offpath cache poisoning would be possible. BIND as resolver not
only matches source port, but also the question and DNS cookie among other
things.
You should be able to find the address and port matching code somewhere within
lib/dns/dispatch.c. Question and cookie matching code should be found in
lib/dns/resolver.c.
Mukund
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
