> On 9 Sep 2020, at 07:08, Puneet Sood via dns-operations <[email protected]> wrote:
>
> From: Puneet Sood <[email protected]>
> Subject: Re: [dns-operations] [Ext] Nameserver responses from different IP than destination of request
> Date: 9 September 2020 at 07:08:20 AEST
> To: John Levine <[email protected]>
> Cc: dns-operations <[email protected]>
>
> On Tue, Sep 8, 2020 at 5:00 PM John Levine <[email protected]> wrote:
>>
>> In article <[email protected]> you write:
>>>> Seems to me that would be true for any software that uses the usual BSD or Linux socket calls that match the host and port ...
>>
>>> You're conflating binding the UDP socket which specifies the *local end* of the UDP socket (and behaves as you describe) with the somewhat less common practice of "connecting" the UDP socket (done by DNS resolvers of various stripes) which then also limits the *remote peer* ...
>>
>> Right, but I'd think that would be the usual way to do it. I suppose the alternative is for each request, pick a port, do a send using that port, then do a separate recv on the same port, but unless you're actively trying to work around the wrong IP bug, why would you do that?
>
> A single recursive resolver process can make a large number of outbound requests to thousands (if not more) of nameservers. Keeping one socket for each unique combination of (resolver IP, nameserver IP) becomes expensive in such an environment. Using more than one resolver IP provides additional entropy for the queries.
Which in part is why I came up with DNS COOKIES. As long as the server supports DNS COOKIE you can use a single socket and have more than enough entropy to defeat off-path attacks. You can fall back to using separate sockets for servers that don’t support DNS COOKIES.

> -Puneet
>
>> _______________________________________________
>> dns-operations mailing list
>> [email protected]
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: [email protected]
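An added example, not from this thread and not ISC's code, of the resolver-side acceptance check that makes a single shared socket workable as described above: the query carries an 8-byte client cookie in an EDNS COOKIE option (option code 10, RFC 7873), and a reply is accepted only if its TXID matches and it echoes that client cookie followed by a server cookie. The wire-format builder and parser are minimal ones written here, and the server cookie bytes used when exercising it are constructed placeholders.

```python
import struct

EDNS_COOKIE = 10  # EDNS option code for COOKIE (RFC 7873)

def build_message(txid, flags, qname, cookie=None):
    # One question (qname IN A); if cookie is given, add an OPT RR carrying it as a COOKIE option.
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00" + struct.pack("!HH", 1, 1)
    additional = b""
    if cookie is not None:
        option = struct.pack("!HH", EDNS_COOKIE, len(cookie)) + cookie
        # OPT RR: root name, TYPE 41, UDP payload size 1232, extended RCODE/flags 0, RDLENGTH
        additional = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(option)) + option
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if cookie is not None else 0)
    return header + question + additional

def skip_name(msg, off):
    # Advance past a wire-format name; a compression pointer (top two bits set) ends it.
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def cookie_option(msg):
    # Walk all sections and return the COOKIE option data from the OPT RR, or None.
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rdlen = struct.unpack("!H", msg[off:off + 2])[0], struct.unpack("!H", msg[off + 8:off + 10])[0]
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        pos = 0
        while rtype == 41 and pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            if code == EDNS_COOKIE:
                return rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
    return None

def accept_response(sent_txid, client_cookie, response):
    # TXID must match, and the reply must echo our 8-byte client cookie followed by an
    # 8..32-byte server cookie (RFC 7873 sizes), i.e. 16..40 bytes of cookie data in total.
    if struct.unpack("!H", response[:2])[0] != sent_txid:
        return False
    cookie = cookie_option(response)
    return cookie is not None and 16 <= len(cookie) <= 40 and cookie[:8] == client_cookie
```

An off-path forger who guesses the 16-bit TXID and the source port still has to produce the 64-bit client cookie, which is why a reply missing it or carrying a different one is dropped even when the TXID matches.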
