
curl-library

Re: ares "feature": Ignores responses from unexpected sources

From: Henrik Storner <henrik_at_hswn.dk>
Date: Thu, 16 Oct 2003 23:27:12 +0200

On Thu, Oct 16, 2003 at 10:58:40AM -0700, Mark Pizzolato wrote:
> On Thursday, October 16, 2003 8:15 AM, Daniel Stenberg wrote:
> > On Wed, 8 Oct 2003, Henrik Storner wrote:
> > > I have a DNS server that accepts queries on one IP-address, but sends the
> > > answers with a different source-IP. A network trace says (IPs and
> > > domain-names changed):
> > >
> > > 10.29.31.155 -> 10.29.37.21 DNS C dns01a.foo.com. Internet Addr ?
> > > 10.29.10.5 -> 10.29.31.155 DNS R dns01a.foo.com. Internet Addr 10.29.37.21
> > >
> > > Note that the request is sent to 10.29.37.21, but the answer
> > > originates from 10.29.10.5.

Just to finish this off, it turned out that the odd source-IP in the
response packet was the result of accessing the DNS server through a
load-balancer. So I really cannot blame the DNS server software for
doing weird stuff - it was an odd network setup that caused things to
happen that way.

But there is still the issue of how the various resolver libraries
handle the situation.

> Well, the behavior of ignoring responses from sources that weren't directly
> requested is viewed as a security advantage. It has existed as an option
> (RES_INSECURE1) for a long time in the libresolv code.
>
> I recall recently reading an RFC which describes ignoring such answers as
> the best current practice (certainly a SHOULD and maybe a MUST). I'll see
> if I can find the particular RFC.

Thanks for those pointers. The idea of sending a note to Bugtraq about
the behaviour of the standard libresolv - at least as found on my
Linux boxes - did cross my mind.

> Meanwhile there may be a bug in the ares resolver if it doesn't eventually
> timeout.

Hopefully I'll get some time this coming weekend to see if I can hunt
down that bug, or come up with a simple test case.

-- 
Henrik Storner <henrik_at_hswn.dk> 
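The source-address check that Mark describes, together with the bounded wait that the thread says ares may be missing, as an added example in Python; this is not code from the thread, from c-ares or from libresolv. It assumes the addresses from Henrik's trace, models RES_INSECURE1 as the `insecure1` flag, and `resolve_once` needs a real network and is only here to show where the check sits.

```python
import socket
import struct
import time

# Addresses from the trace quoted in the thread (the poster changed the real IPs).
SERVER = ("10.29.37.21", 53)     # where the query is sent
ODD_SOURCE = ("10.29.10.5", 53)  # where the reply actually came from


def build_query(qname, qid):
    """Minimal DNS query: one A-record question, RD bit set, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)


def accept_response(pkt, src, expected, qid, insecure1=False):
    """Resolver-side acceptance check for one UDP reply. By default a reply whose
    source address:port is not the server queried is dropped; insecure1=True (the
    RES_INSECURE1 behaviour) skips that. Wrong id or missing QR bit is always dropped."""
    if len(pkt) < 12:
        return False
    rid, flags = struct.unpack("!HH", pkt[:4])
    if rid != qid or not flags & 0x8000:
        return False
    return insecure1 or src == expected


def constructed_reply(query, answer_ip="10.29.37.21"):
    """Constructed reply for offline testing: echo id and question, flags QR|RD|RA,
    one A record pointing at the question name (compression pointer 0xC00C)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + query[12:] + rr


def resolve_once(qname, server=SERVER, qid=0x1234, timeout=2.0, insecure1=False):
    """Send one query and wait for an acceptable reply. Unexpected packets are
    discarded, and a fixed deadline bounds the total wait so the call cannot hang."""
    query = build_query(qname, qid)
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(query, server)
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                raise TimeoutError("no acceptable reply from %s:%d" % server)
            s.settimeout(remaining)
            pkt, src = s.recvfrom(512)
            if accept_response(pkt, src, server, qid, insecure1):
                return pkt
```

With the thread's setup the reply from 10.29.10.5 is discarded in the default mode, so the outcome is the deadline expiring rather than a hang, which is the behaviour the thread expects from a resolver library.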
Received on 2003-10-16