bind used as resolver: matching the source ip

2016-08-18 Thread pm8...@t-online.de
Dear all,
 
As far as I understand, BIND is not only used for authoritative name 
servers, but is also often used as a (recursive) resolver.
When receiving a response to a DNS query, does BIND match the source IP of 
the response to the destination IP of the query and discard the response if 
they do not match? Does it match the ports?
I.e. apart from checking
query.transactionID == response.transactionID
does BIND check for
query.destinationIP == response.sourceIP
and
query.destinationPort == response.sourcePort?
Can you point me to the function in the source code where this check does 
or does not happen?
Any help is appreciated.


 
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bind used as resolver: matching the source ip

2016-08-18 Thread Mukund Sivaraman
On Thu, Aug 18, 2016 at 11:27:01AM +0200, pm8...@t-online.de wrote:
> Dear all,
>  
> As far as I understand, BIND is not only used for authoritative name 
> servers, but is also often used as a (recursive) resolver.
> When receiving a response to a DNS query, does BIND match the source ip of 
> the response to the destination ip of the query and discard the response if 
> they do not match? Does it match the ports?
> I.e. apart from checking
> query.transactionID == response.transactionID
> does BIND check for
> query.destinationIP == response.sourceIP
> and
> query.destinationPort == response.sourcePort?
> Can you point me to the function in the source code where this check does 
> or does not happen?

Yes, otherwise off-path cache poisoning would be possible. BIND as
resolver not only matches source port, but also the question and DNS
cookie among other things.

You should be able to find the address and port matching code somewhere
within lib/dns/dispatch.c. Question and cookie matching code should be
found in lib/dns/resolver.c.

Mukund


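The checks the question asks about, and that Mukund's answer confirms BIND performs, written out as an added example. This is not code from the thread and not BIND's own code from lib/dns/dispatch.c or lib/dns/resolver.c; it is a small hand-rolled model of the resolver side that remembers where each query went and accepts a datagram as the answer only if the source address and port equal the query's destination, the QR bit is set, the transaction ID matches, and the question section repeats what was asked (the matching rules RFC 5452 describes). The parser handles only a header plus one uncompressed question, the addresses are constructed documentation addresses, and DNS cookie matching is left out.

```python
"""Match a DNS response to the outstanding query it claims to answer (added example)."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass(frozen=True)
class Outstanding:
    """What the resolver remembers about a query in flight."""
    txid: int
    qname: str        # normalized: lower-case, trailing dot
    qtype: int
    qclass: int
    server: Endpoint  # destination the query was sent to


def normalize(name: str) -> str:
    return name.rstrip(".").lower() + "."


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode an uncompressed wire-format name; returns (name, offset after it)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if off + length > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return normalize(".".join(labels)), off


def build_message(txid: int, flags: int, qname: str, qtype: int, qclass: int = 1) -> bytes:
    """Header plus one question and no records: enough for the matching checks."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def parse_header_and_question(msg: bytes):
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, flags, qname, qtype, qclass


QR_BIT = 0x8000


def response_matches(pending: Outstanding, src: Endpoint, msg: bytes):
    """Return (accepted, reason). Every check must pass before the payload is trusted."""
    if src != pending.server:                       # query.destinationIP/Port == response.sourceIP/Port
        return False, "source address/port differs from query destination"
    try:
        txid, flags, qname, qtype, qclass = parse_header_and_question(msg)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if not flags & QR_BIT:
        return False, "QR bit clear: this is a query, not a response"
    if txid != pending.txid:                        # query.transactionID == response.transactionID
        return False, "transaction ID mismatch"
    if (qname, qtype, qclass) != (pending.qname, pending.qtype, pending.qclass):
        return False, "question section does not repeat the query"
    return True, "accepted"


# Constructed scenario: RFC 5737 documentation addresses, not real servers.
SERVER = Endpoint("192.0.2.53", 53)
PENDING = Outstanding(txid=0x1234, qname=normalize("example.com"), qtype=1, qclass=1, server=SERVER)
GOOD = build_message(0x1234, 0x8180, "example.com", 1)
WRONG_ID = build_message(0x1235, 0x8180, "example.com", 1)
WRONG_QUESTION = build_message(0x1234, 0x8180, "other.example", 1)
NOT_A_RESPONSE = build_message(0x1234, 0x0100, "example.com", 1)

if __name__ == "__main__":
    cases = [
        ("genuine", SERVER, GOOD),
        ("other source address", Endpoint("203.0.113.7", 53), GOOD),
        ("other source port", Endpoint("192.0.2.53", 5353), GOOD),
        ("ID mismatch", SERVER, WRONG_ID),
        ("question mismatch", SERVER, WRONG_QUESTION),
        ("query, not response", SERVER, NOT_A_RESPONSE),
    ]
    for label, src, msg in cases:
        print(f"{label:22s} -> {response_matches(PENDING, src, msg)}")
```

Only the first case is accepted. The address and port comparison runs before the packet is even parsed, so a datagram from anywhere other than the queried server is dropped at no cost; the 16-bit transaction ID on its own is a weak check, which is why RFC 5452 pairs it with source-port randomization and the question-section comparison, and why BIND additionally matches the DNS cookie.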

RE: bind used as resolver: matching the source ip

2016-08-19 Thread Darcy Kevin (FCA)
Or just check the RFCs. 

https://www.ietf.org/rfc/rfc5452.txt

- Kevin

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mukund 
Sivaraman
Sent: Friday, August 19, 2016 2:27 AM
To: pm8...@t-online.de
Cc: bind-users@lists.isc.org
Subject: Re: bind used as resolver: matching the source ip

On Thu, Aug 18, 2016 at 11:27:01AM +0200, pm8...@t-online.de wrote:
> Dear all,
>  
> As far as I understand, BIND is not only used for authoritative name 
> servers, but is also often used as a (recursive) resolver.
> When receiving a response to a DNS query, does BIND match the source 
> IP of the response to the destination IP of the query and discard the 
> response if they do not match? Does it match the ports?
> I.e. apart from checking
> query.transactionID == response.transactionID
> does BIND check for
> query.destinationIP == response.sourceIP
> and
> query.destinationPort == response.sourcePort?
> Can you point me to the function in the source code where this check 
> does or does not happen?

Yes, otherwise off-path cache poisoning would be possible. BIND as resolver not 
only matches source port, but also the question and DNS cookie among other 
things.

You should be able to find the address and port matching code somewhere within 
lib/dns/dispatch.c. Question and cookie matching code should be found in 
lib/dns/resolver.c.

Mukund