Hi,
I have a tunnel on a server (ns1.example.com) which has an IPv6
address (2001:db8:1::2/64) for the tunnel endpoint and an IPv6 address
(2001:db8:2::1/48) from the subnet which is tunneled to the endpoint
on the same interface:
# ip -6 addr show dev tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qlen 500
inet6 2001:db8:2::1/48 scope global
valid_lft forever preferred_lft forever
inet6 2001:db8:1::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::b8:1:0:2/64 scope link
valid_lft forever preferred_lft forever
On ns1.example.com runs a DNS server which listens by default on
[::]:53. ns1.example.com resolves to 2001:db8:2::1. When a client wants
to resolve a.b.example.com, it first resolves ns1.example.com and then
sends a packet to the address and expects an answer from that address.
However, sometimes the DNS server replies from a different address
(the client queried 2001:db8:1::2 and got a reply from 2001:db8:1::2),
because the DNS server seems to pick an address randomly. This is
possible because UDP is stateless (with TCP it works).
I want the DNS server to reply from the same address on which
it received the request (I was told that bind does this). Is that
possible? Is the current behaviour intended?
Regards,
Matthias-Christian
Hello Matthias-Christian,
> However, sometimes the DNS server replies from a different address
> (the client queried 2001:db8:1::2 and got a reply from 2001:db8:1::2),
> because the DNS server seems to pick an address randomly. This is
> possible because UDP is stateless (with TCP it works).
When you don't specify an interface to bind the OS will select one for
you. The tunnel interface may be confusing it. Make sure your nsd.conf
looks similar to this:
server:
ip-address: 2001:db8:2::1
ip-address: [your ipv4 address]
ip-address: 127.0.0.1
Regards,
Yuri
> However, sometimes the DNS server replies from a different address
> (the client queried 2001:db8:1::2 and got a reply from 2001:db8:1::2),
which would seem perfectly OK - unless this was a failed obfuscation attempt.
> because the DNS server seems to pick an address randomly. This is
> possible because UDP is stateless (with TCP it works).
> When you don't specify an interface to bind the OS will select one for
> you. The tunnel interface may be confusing it. Make sure your nsd.conf
This could be read to say that NSD might not follow section 4 of RFC 2181
to the fullest extent possible. Really?
-Peter
Hello Yuri,
> However, sometimes the DNS server replies from a different address
> (the client queried 2001:db8:1::2 and got a reply from 2001:db8:1::2),
> because the DNS server seems to pick an address randomly. This is
> possible because UDP is stateless (with TCP it works).
> When you don't specify an interface to bind the OS will select one for
> you. The tunnel interface may be confusing it. Make sure your nsd.conf
> looks similar to this:
> server:
> ip-address: 2001:db8:2::1
> ip-address: [your ipv4 address]
> ip-address: 127.0.0.1
This will also work for multiple IPv6 addresses, because nsd opens
a separate socket for each address and replies on that socket. Is
that right?
Regards,
Matthias-Christian
> > However, sometimes the DNS server replies from a different address
> > (the client queried 2001:db8:1::2 and got a reply from 2001:db8:1::2),
which would seem perfectly OK - unless this was a failed obfuscation attempt.
I just got the example wrong and pasted the wrong address. Both
addresses were supposed to be different ;).
> > because the DNS server seems to pick an address randomly. This is
> > possible because UDP is stateless (with TCP it works).
>
> When you don't specify an interface to bind the OS will select one for
> you. The tunnel interface may be confusing it. Make sure your nsd.conf
This could be read to say that NSD might not follow section 4 of RFC 2181
to the fullest extent possible. Really?
As far as I understood it, this clarification only applies to recursive,
but not authoritative name servers, so it could be irrelevant to nsd.
This could also explain why dig issued a warning:
$ dig @2001:db8:2::1 -x 2001:db8:2::1
;; reply from unexpected source: 2001:db8:1::2#53, expected 2001:db8:2::1#53
(I didn't set up an NS record yet, because everything is not running as
expected. So I queried the authoritative DNS server directly.)
dig seems to expect a recursive DNS server after the @.
Regards,
Matthias-Christian
Hello Matthias-Christian,
> This will also work for multiple IPv6 addresses, because nsd opens
> a separate socket for each address and replies on that socket. Is
> that right?
Yes, that is correct. Having the interfaces configured allows NSD to
pick the right source address itself, rather than leaving it to the OS.
Regards,
Yuri
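The behaviour discussed in this thread, as an added example that is not part of the original posts and not NSD's code: a small Python script that sends one UDP query to each loopback address and compares the source address of the reply with the address that was queried, the same check dig performs before printing its "reply from unexpected source" warning. It contrasts a single socket bound to 0.0.0.0 (the OS chooses the reply source, which is where the mismatch comes from), one socket per address as Yuri describes for NSD with ip-address configured (the reply leaves from the bound address), and, for Peter's RFC 2181 section 4 point, a wildcard socket that reads the queried address from IP_PKTINFO and replies from it (Linux only). The loopback addresses 127.0.0.2 and ::1 are assumptions: 127.0.0.2 is local on Linux, where the wildcard case shows the mismatch, and any candidate the host cannot bind is skipped.

```python
"""Reply source address of a UDP server: wildcard socket (kernel picks the source),
one socket per address (reply from the bound address; NSD's model once ip-address
is set), or wildcard + IP_PKTINFO (Linux). Added example, not NSD code."""
import socket
import struct
import sys
import threading

# Constructed loopback candidates: 127.0.0.2 exists on Linux (all of 127/8 is
# local) but not everywhere; ::1 is absent where IPv6 is off. Unbindable ones skip.
CANDIDATES = ["127.0.0.1", "127.0.0.2", "::1"]
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)  # 8 is the Linux value
TIMEOUT = 2.0


def family_of(addr):
    return socket.AF_INET6 if ":" in addr else socket.AF_INET

def bindable(addr):
    """True if this host has addr, i.e. a socket can be bound to it."""
    with socket.socket(family_of(addr), socket.SOCK_DGRAM) as s:
        try:
            s.bind((addr, 0))
            return True
        except OSError:
            return False

def reply_on_socket(sock):
    """Answer on the socket the request arrived on: bound to one address, the
    reply comes from it; bound to the wildcard, from whatever the kernel picks."""
    data, peer = sock.recvfrom(512)
    sock.sendto(data, peer)

def reply_with_pktinfo(sock):
    """Wildcard IPv4 socket: reply from the address the query was sent to
    (RFC 2181 section 4), taken from the IP_PKTINFO control message."""
    data, anc, _flags, peer = sock.recvmsg(512, socket.CMSG_SPACE(12))
    dst = None
    for level, ctype, cdata in anc:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr (header dst)
            _ifidx, _spec, dst = struct.unpack("i4s4s", cdata[:12])
    if dst is None:  # no control message: fall back to the kernel's choice
        return sock.sendto(data, peer)
    pktinfo = struct.pack("i4s4s", 0, dst, b"\0" * 4)  # ipi_spec_dst = source
    sock.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, peer)

def query(addr, port):
    """dig-style client: return the reply's source address (None on timeout)."""
    with socket.socket(family_of(addr), socket.SOCK_DGRAM) as c:
        c.settimeout(TIMEOUT)
        c.sendto(b"query", (addr, port))
        try:
            _data, (src, _port, *_rest) = c.recvfrom(512)
        except socket.timeout:
            return None
    return src

def run(server_socks, handler, addrs):
    """Query each address once; return {queried address: reply source address}."""
    port = server_socks[0].getsockname()[1]
    result = {}
    for addr in addrs:  # the socket bound to addr if any, else the wildcard one
        sock = next((s for s in server_socks if s.getsockname()[0] == addr),
                    server_socks[0])
        t = threading.Thread(target=handler, args=(sock,), daemon=True)
        t.start()
        result[addr] = query(addr, port)
        t.join(TIMEOUT)
    return result

def wildcard_demo(addrs=None, handler=reply_on_socket):
    """One socket on 0.0.0.0, like a server left on its 0.0.0.0/[::] default."""
    addrs = [a for a in (addrs or filter(bindable, CANDIDATES)) if ":" not in a]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(TIMEOUT)
        if handler is reply_with_pktinfo:
            s.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # deliver the dst
        s.bind(("0.0.0.0", 0))
        return run([s], handler, addrs)

def pktinfo_demo(addrs=None):
    """Wildcard socket corrected with IP_PKTINFO; None when not on Linux."""
    return wildcard_demo(addrs, reply_with_pktinfo) if sys.platform == "linux" else None

def per_address_demo(addrs=None):
    """One socket per address on a shared port: NSD's model with ip-address set."""
    addrs, socks, port = addrs or [a for a in CANDIDATES if bindable(a)], [], 0
    try:
        for addr in addrs:
            s = socket.socket(family_of(addr), socket.SOCK_DGRAM)
            s.settimeout(TIMEOUT)
            s.bind((addr, port))
            port = s.getsockname()[1]  # first bind chooses, the rest reuse it
            socks.append(s)
        return run(socks, reply_on_socket, addrs)
    finally:
        for s in socks:
            s.close()
```

Each demo returns a dictionary mapping the queried address to the address the reply came from, so a mismatch is visible as a key that differs from its value. On Linux the wildcard case answers a query to 127.0.0.2 from 127.0.0.1, while the per-address and IP_PKTINFO cases answer from 127.0.0.2 itself; the per-address model is the one Yuri's nsd.conf fragment configures, and IPV6_RECVPKTINFO/IPV6_PKTINFO would be the IPv6 equivalents of the cmsg approach.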
Yes. But only when configured incorrectly.
Regards,
Yuri