[Dnsmasq-discuss] IP6 DNS UDP strange behaviour
simon at thekelleys.org.uk
Tue Jun 27 18:37:58 BST 2017
If your ISP really does that, I suggest you sack them immediately, or at
least shout very loudly at them.
The port space on any host is 2^16 ports, so at any time a UDP packet to
a port number picked at random is very likely to result in a destination
unreachable response. If that results in the host going offline, then
that provides a trivial DoS attack on the host from anywhere on the
internet, knowing nothing but the IP address.
Giving dnsmasq the option
will stop it from closing the socket after the first reply.
On 27/06/17 14:37, Roger James wrote:
> Hi Simon,
> Sending ICMP unreachable is not very friendly with my ISP. They treat
> the host as offline. The host is my VoIP PBX so I don't get any incoming
> calls for a while. Would it not be better to hold the port open until
> all requests have been received? I have turned on the strict-order
> option to try and circumvent this.
> On 27 June 2017 10:31:59 am Simon Kelley <simon at thekelleys.org.uk> wrote:
>> What's probably happening is this.
>> 1) query arrives from client,
>> 2) UDP socket opened, and query sent from socket to more than one
>> upstream server.
>> 3) Reply arrives from fastest upstream server, reply returned to client.
>> 4) upstream socket closed.
>> 5) reply arrives from slower upstream server -> destination unreachable.
>> dnsmasq does the "send the query to all available servers" trick every
>> once in a while to find the fastest one.
>> If this is what you're seeing, it's a feature, not a bug.
>> On 27/06/17 06:56, Roger James wrote:
>>> I am seeing some rather perplexing behaviour regarding the reception of
>>> upstream IPV6 UDP DNS query responses on a Debian (Raspbian) system
>>> running on a Raspberry Pi. It appears that dnsmasq is not holding open
>>> an IPV6 UDP port to handle a response to an upstream query. What my
>>> network monitor shows is the upstream request going out and a reply
>>> coming back in. However the Pi rejects the incoming UDP packet with an
>>> ICMPV6 Destination unreachable (port unreachable).
>>> I may be missing something obvious here, but it looks like dnsmasq is
>>> not holding open a listening port for the response.
>>> Has anyone got any ideas on what is going on, or can point me at some
>>> ways of tracking this down?
>>> The configuration of dnsmasq is out of the box Debian.
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
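The five-step sequence Simon describes, reproduced on loopback as an added example (this is not dnsmasq's code, and the function and variable names are my own): two constructed fake upstreams answer the same query with different delays, and `forward_query` sends the query to both from one ephemeral UDP socket, then either closes the socket after the first reply or holds it open until every upstream has answered. IPv4 loopback is used so it runs anywhere, although the original report concerns IPv6; the mechanism is identical.

```python
import socket
import threading
import time

LOOPBACK = "127.0.0.1"  # IPv4 loopback for portability; the report concerns IPv6


def run_upstream(sock, delay, sent):
    """Constructed stand-in for one upstream resolver: wait for a query,
    sleep `delay` seconds, then echo it back to whoever asked."""
    data, client = sock.recvfrom(512)
    time.sleep(delay)
    sock.sendto(data, client)   # if the client port is closed by now, the
    sent.append(client)         # kernel answers with ICMP port unreachable


def start_upstreams(delays):
    """Bind one UDP socket per fake upstream and serve it on a thread."""
    socks, threads, sent = [], [], []
    for delay in delays:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((LOOPBACK, 0))
        s.settimeout(5)
        t = threading.Thread(target=run_upstream, args=(s, delay, sent), daemon=True)
        t.start()
        socks.append(s)
        threads.append(t)
    return socks, threads, sent


def forward_query(upstreams, hold_open, timeout=2.0):
    """Forward one query to every upstream from a single ephemeral UDP socket.

    hold_open=False reproduces steps 1-4 of the thread: return after the
    first reply and close the socket, so later replies hit a dead port.
    hold_open=True keeps the socket until every upstream has answered
    (or the timeout expires), so no reply arrives at a closed port.
    Returns the list of upstream addresses whose replies were received."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((LOOPBACK, 0))       # kernel picks the ephemeral source port
    s.settimeout(timeout)
    query = b"\x12\x34constructed-query"
    for addr in upstreams:
        s.sendto(query, addr)   # same query to all servers, as in step 2
    wanted = len(upstreams) if hold_open else 1
    replies = []
    deadline = time.monotonic() + timeout
    while len(replies) < wanted and time.monotonic() < deadline:
        try:
            _, addr = s.recvfrom(512)
        except socket.timeout:
            break
        replies.append(addr)
    s.close()                   # step 4: socket closed
    return replies


def demo(hold_open):
    """Two fake upstreams, one fast and one slow. Returns
    (replies sent by upstreams, replies the forwarder actually received)."""
    socks, threads, sent = start_upstreams([0.05, 0.4])
    received = forward_query([s.getsockname() for s in socks], hold_open)
    for t in threads:
        t.join()
    for s in socks:
        s.close()
    return len(sent), len(received)


if __name__ == "__main__":
    print("close after first reply:", demo(hold_open=False))  # (2, 1)
    print("hold open until all reply:", demo(hold_open=True))  # (2, 2)
```

In the first run both upstreams send a reply but the forwarder only ever sees one; the slow reply lands on a port that no longer exists and it is the kernel, not the application, that generates the ICMP port unreachable, which is why the upstream side of the example never observes an error on its unconnected socket. Running `tcpdump -i lo icmp` alongside the first demo shows that message; with `hold_open=True` none is produced, which is the behaviour Roger was asking for.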