[Dnsmasq-discuss] IP6 DNS UDP strange behaviour

Simon Kelley simon at thekelleys.org.uk
Tue Jun 27 18:37:58 BST 2017


If your ISP really does that, I suggest you sack them immediately, or at
least shout very loudly at them.

The port space on any host is 2^16 ports, so at any time a UDP packet to
a port number picked at random is very likely to result in a destination
unreachable response. If that results in the host going offline, then
that provides a trivial DoS attack on the host from anywhere on the
internet, knowing nothing but the IP address.

Giving dnsmasq the option

query-port=0

will stop it from closing the socket after the first reply.

Cheers,

Simon.

On 27/06/17 14:37, Roger James wrote:
> Hi Simon,
> 
> Sending ICMP unreachable is not very friendly with my ISP. They treat
> the host as offline. The host is my VoIP PBX so I don't get any incoming
> calls for a while. Would it not be better to hold the port open until
> all requests have been received. I have turned on the strict-order
> option to try and circumvent this.
> 
> Roger
> 
> 
> On 27 June 2017 10:31:59 am Simon Kelley <simon at thekelleys.org.uk> wrote:
> 
>> What's probably happening is this.
>>
>> 1) query arrives from client,
>> 2) UDP socket opened, and query sent from socket to more than one
>> upstream server.
>> 3) Reply arrives from fastest upstream server, reply returned to client.
>> 4) upstream socket closed.
>> 5) reply arrives from slower upstream server -> destination unreachable.
>>
>> dnsmasq does the "send the query to all available servers" trick every
>> once in a while to find the fastest one.
>>
>> If this is what you're seeing, it's a feature, not a bug.
>>
>> Cheers,
>>
>> Simon.
>>
>>
>>
>>
>> On 27/06/17 06:56, Roger James wrote:
>>> I am seeing some rather perplexing behaviour regarding the reception of
>>> upstream IPv6 UDP DNS query responses on a Debian (Raspbian) system
>>> running on a Raspberry Pi. It appears that dnsmasq is not holding open
>>> an IPv6 UDP port to handle a response to an upstream query. What my
>>> network monitor shows is the upstream request going out and a reply
>>> coming back in. However the Pi rejects the incoming UDP packet with an
>>> ICMPv6 Destination unreachable (port unreachable).
>>>
>>> I may be missing something obvious here, but it looks like dnsmasq is
>>> not holding open a listening port for the response.
>>>
>>> Has anyone got any ideas on what is going on, or can point me at some ways
>>> of tracking this down.
>>>
>>> The configuration of dnsmasq is out of the box Debian.
>>>
>>> Thanks,
>>>
>>> Roger
>>>
>>>
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>
>>
>>
>>
>>
>>
> 
> 
> 
> 

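The five-step sequence Simon describes, reproduced as an added example that is not part of this thread and not dnsmasq's own code: a Python script that sends one query from a single UDP socket to two fake upstreams on loopback (both constructed here; the ports are OS-assigned, the delays, the keep_open flag and the b"query"/b"reply:" payloads are assumptions, and no real DNS message is involved). With keep_open=False the resolver closes its socket as soon as the first answer is in, so the slow upstream's datagram later lands on a closed port and the resolver's kernel answers it with an ICMP port unreachable, which is the packet Roger saw on the wire. With keep_open=True the socket stays open until every upstream has answered or a timeout expires, and the latency table it returns is what lets a resolver pick the fastest server; that is the effect Simon attributes to query-port=0. One caveat from the dnsmasq man page: any query-port setting, including 0, makes dnsmasq send all queries from one fixed port instead of a fresh random port per query, which weakens its resistance to spoofed-reply cache poisoning, so weigh that against the ISP's behaviour.

```python
"""Simulate a resolver racing two upstreams from one UDP socket.

Added illustration for the dnsmasq-discuss thread, not dnsmasq code.
Everything stays on 127.0.0.1; ports, delays and payloads are made up.
"""
import socket
import threading
import time

HOST = "127.0.0.1"


def start_upstream(delay):
    """Start a fake upstream on an OS-assigned UDP port.

    It answers one query after `delay` seconds and then exits.
    Returns the port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, 0))
    port = srv.getsockname()[1]

    def serve():
        srv.settimeout(5.0)
        try:
            data, peer = srv.recvfrom(512)
            time.sleep(delay)
            # If the resolver has already closed its socket, this datagram
            # hits a closed port and the peer's kernel replies with an ICMP
            # port unreachable (step 5 in Simon's description).
            srv.sendto(b"reply:" + data, peer)
        except socket.timeout:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def resolve(upstreams, keep_open, wait=1.0):
    """Send one query to every upstream from one ephemeral UDP socket.

    keep_open=False: close right after the first reply (steps 3 and 4).
    keep_open=True: hold the socket until every upstream has answered or
    `wait` seconds pass, the behaviour Roger asked for.
    Returns {upstream_port: seconds until its reply arrived}.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((HOST, 0))  # ephemeral port, like a per-query dnsmasq socket
    sock.settimeout(wait)
    latencies = {}
    start = time.monotonic()
    try:
        for port in upstreams:  # step 2: same query to all servers
            sock.sendto(b"query", (HOST, port))
        while len(latencies) < len(upstreams):
            _data, (_addr, port) = sock.recvfrom(512)
            if port in upstreams:  # ignore anything that is not one of ours
                latencies[port] = time.monotonic() - start
            if not keep_open:
                break  # first answer wins; later replies have no socket
    except socket.timeout:
        pass
    finally:
        sock.close()
    return latencies


def fastest(latencies):
    """Upstream port with the lowest measured latency, or None."""
    return min(latencies, key=latencies.get) if latencies else None


if __name__ == "__main__":
    fast, slow = start_upstream(0.0), start_upstream(0.3)
    print("close after first reply:", resolve([fast, slow], keep_open=False))
    fast, slow = start_upstream(0.0), start_upstream(0.3)
    got = resolve([fast, slow], keep_open=True)
    print("keep socket open:", got, "fastest:", fastest(got))
```

Run it on a Linux box with `tcpdump -ni lo icmp` open in another terminal: the keep_open=False run produces one "udp port ... unreachable" packet from the slow upstream's late reply, the keep_open=True run produces none.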