Not sure whether this is a bug report or an RFE, so I'll give it a try here.
In my NSD 2.3.3's logs there are quite a couple of entries like
[1138286782] nsd[42]: error: sendto failed: Invalid argument
They originate from server.c and the reason usually is an attempt to send
a response to UDP port 0. Source port 0 is legal but it means something
like "I do not care what the response is", so it doesn't make much sense
for DNS queries. I could filter those packets, of course.
Then, the log message is not too instructive due to lack of detail.
It could be something else but a dst port 0 sendto() attempt and if
a particular querier appears too often it might be interesting as well.
So, nsd could (silently) ignore DNS packets with src port 0 or log the
error with more detail or both. Opinions?
-Peter
[On 26 Jan, @18:32, Peter Koch wrote in "message ``sendto failed: Inval ..."]
> So, nsd could (silently) ignore DNS packets with src port 0 or log the
> error with more detail or both. Opinions?
Hmm... the current behavior of NSD should be changed IMO. The danger
is that if we log such queries we create a small DOS attack (which is
also present now). So I would like to silently ignore such queries,
maybe only log them when NSD is compiled with --enable-checking.
regards,
Miek Gieben writes:
> [On 26 Jan, @18:32, Peter Koch wrote in "message ``sendto failed: Inval ..."]
> > So, nsd could (silently) ignore DNS packets with src port 0 or log the error with more detail or both. Opinions?
> Hmm... the current behavior of NSD should be changed IMO. The danger is that if we log such queries we create a small DOS attack (which is also present now).
Since the DOS is present, does it matter if it's extended a bit? As long as the log message doesn't fill the logs in the absence of attacks, I mean?
After all, anyone with access to the source can DOS nsd perfectly well as it is.
Arnt
Arnt Gulbrandsen wrote:
> Miek Gieben writes:
> > [On 26 Jan, @18:32, Peter Koch wrote in "message ``sendto failed: Inval ..."]
> > > So, nsd could (silently) ignore DNS packets with src port 0 or log
> > > the error with more detail or both. Opinions?
> > Hmm... the current behavior of NSD should be changed IMO. The danger
> > is that if we log such queries we create a small DOS attack (which is
> > also present now).
> Since the DOS is present, does it matter if it's extended a bit? As long
> as the log message doesn't fill the logs in the absence of attacks,
> I mean?
> After all, anyone with access to the source can DOS nsd perfectly well
> as it is.
> Arnt
Set your logs so that multiple instances in succession will just be dropped for say 10 seconds or something.
C.
it's a general trade-off between logging and being able to recognize problems
and silence and the absence of such opportunity. The general problem can
be solved by rate limiting error messages, which in turn requires more state
which opens another DoS path etc.
Would those CPU cycles necessary to enhance the current message be critical?
-Peter
[On 06 Feb, @20:08, Peter Koch wrote in "Re: message ``sendto failed: I ..."]
> > After all, anyone with access to the source can DOS nsd perfectly well
> > as it is.
> it's a general trade-off between logging and being able to recognize problems
> and silence and the absence of such opportunity. The general problem can
> be solved by rate limiting error messages, which in turn requires more state
> which opens another DoS path etc.
well said.
Rate limiting log messages == feature creep, so that will probably
never be implemented (in NSD).
> Would those CPU cycles necessary to enhance the current message be critical?
as a response to this thread, I've added a few lines that explicitly
check for port == 0 and if so drop the current query on the floor. But
now I get the feeling that even this is too much and the old behavior
wasn't that bad.
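Added example, not code from NSD or from anyone in this thread: the two pieces the discussion circles around, in C. `query_should_drop()` is a source-port-0 check of the kind Miek describes adding, applied before any response is built, and `format_sendto_error()` is the more detailed log line Peter asks for, naming the peer address, port and errno text so a port-0 query can be told apart from other sendto() failures. The function names, the `make_v4_peer()` helper and the 192.0.2.1 sample address are assumptions made for the example.

```c
/* Added example (hypothetical names, not NSD's server.c): decide whether a UDP
 * query can be answered at all, and describe a sendto() failure precisely. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Source port of a peer address in host byte order; -1 for other families. */
static int peer_port(const struct sockaddr *sa)
{
    switch (sa->sa_family) {
    case AF_INET:
        return ntohs(((const struct sockaddr_in *)sa)->sin_port);
    case AF_INET6:
        return ntohs(((const struct sockaddr_in6 *)sa)->sin6_port);
    default:
        return -1;
    }
}

/* Returns 1 if the query should be dropped without a reply: a datagram from
 * source port 0 cannot be answered, because sendto() to port 0 fails with
 * EINVAL, so building a response would only waste cycles and produce a log line. */
int query_should_drop(const struct sockaddr *from)
{
    return peer_port(from) == 0;
}

/* Build a log line that carries the errno text plus the peer's address and
 * port, instead of the bare "sendto failed: Invalid argument".
 * Returns the number of characters written (excluding NUL), or -1 on error. */
int format_sendto_error(char *buf, size_t buflen, const struct sockaddr *to, int err)
{
    char addr[INET6_ADDRSTRLEN] = "?";
    const void *raw = NULL;

    if (to->sa_family == AF_INET)
        raw = &((const struct sockaddr_in *)to)->sin_addr;
    else if (to->sa_family == AF_INET6)
        raw = &((const struct sockaddr_in6 *)to)->sin6_addr;
    if (raw != NULL)
        inet_ntop(to->sa_family, raw, addr, sizeof addr);

    return snprintf(buf, buflen, "sendto failed: %s (peer %s port %d)",
                    strerror(err), addr, peer_port(to));
}

/* Helper for the example: fill an IPv4 peer address from a dotted quad and a
 * host-order port. Returns 1 on success, 0 if the address does not parse. */
int make_v4_peer(const char *ip, int port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons((unsigned short)port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1;
}

int main(void)
{
    struct sockaddr_in peer;   /* constructed sample: documentation address, port 0 */
    char line[128];

    make_v4_peer("192.0.2.1", 0, &peer);
    if (query_should_drop((const struct sockaddr *)&peer)) {
        puts("dropping query from source port 0, no reply possible");
    }
    /* What the log line would look like had the reply been attempted anyway. */
    format_sendto_error(line, sizeof line, (const struct sockaddr *)&peer, EINVAL);
    puts(line);
    return 0;
}
```

The drop check costs one field read per datagram and holds no per-peer state, which is the trade-off Peter raises: it adds nothing a rate limiter would need, while the richer error line only runs on the (already failing) sendto() path.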