From: Travis H. (travis+)
Date: Sun Jan 21 2007 - 19:43:04 EST
On Sun, Jan 21, 2007 at 12:45:56AM -0500, Victor Duchovni wrote:
> It's a bug. And nameservers DO respond from the right IP,
Most do, no question there.
> the ones that don't
Ah, so some don't, after all!
> really don't work anymore, their responses are blocked by stateful
> firewalls, and should be ignored by security minded resolvers (despite
> the RFC).
I agree that it's trivia, that those servers can be ignored,
and tolerating this behavior is bad for security. But it could
cause problems like this if one resolver is behind a stateful
firewall and one isn't.
> > I assume this has to do with the way recv(2) and send(2) were
> > implemented in the socket API, but my OS states that recv(2) is
> > normally used only on a connected socket.
>
> No, it has to do with UDP applications that were not written with
> multi-homed hosts in mind and don't bind to each interface separately.
Same thing as I was getting at; the fact that UDP is not connected
means that you can't send a reply out to the original request from
the same socket because UDP doesn't assume a request/reply, so it
doesn't hold any state around that you could use to assure the same
IP.
-- ``Unthinking respect for authority is the greatest enemy of truth.'' -- Albert Einstein -><- <URL:http://www.subspacefield.org/~travis/>
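The resolver-side check the thread alludes to (ignore replies that do not come from the address the query was sent to) can be demonstrated on the loopback interface. The following is an added example, not code from this thread or from any nameserver or resolver mentioned in it: a constructed misbehaving UDP server answers each query twice, once from the socket the query arrived on and once from a second, unbound socket (standing in for a daemon that answers from the wrong interface), and a strict client keeps only the reply whose source (ip, port) equals the query's destination. The function names and the `right:`/`wrong:` payload prefixes are this example's own.

```python
import select
import socket
import threading
import time


def serve_once_from_wrong_socket(listen_sock):
    """Constructed misbehaving echo server for the demo.

    It answers once from a second, unbound socket (so the reply's source
    address differs from the address the query was sent to; on loopback the
    port differs, on a multi-homed host it would be the IP) and once from
    the socket the query actually arrived on.
    """
    data, peer = listen_sock.recvfrom(512)

    wrong = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    wrong.sendto(b"wrong:" + data, peer)  # source = 127.0.0.1:<ephemeral>
    wrong.close()

    listen_sock.sendto(b"right:" + data, peer)  # source = query destination


def query_strict(dst, payload, expected_replies=1, timeout=2.0):
    """Send one datagram to dst and collect replies until `expected_replies`
    have arrived or `timeout` seconds elapse.

    Returns (accepted, ignored): a reply is accepted only if its source
    (ip, port) is exactly the destination the query was sent to; anything
    else is recorded and ignored, which is what a stateful firewall would do
    on the resolver's behalf.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(payload, dst)

    accepted, ignored = [], []
    deadline = time.monotonic() + timeout
    while len(accepted) + len(ignored) < expected_replies:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        readable, _, _ = select.select([sock], [], [], remaining)
        if not readable:
            break
        data, src = sock.recvfrom(512)
        if src == dst:
            accepted.append(data)
        else:
            ignored.append((src, data))
    sock.close()
    return accepted, ignored


def demo(payload=b"ping"):
    """Run the misbehaving server and the strict client on loopback.

    Returns (dst, accepted, ignored) so the result can be inspected.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # kernel picks a free port
    dst = srv.getsockname()

    worker = threading.Thread(
        target=serve_once_from_wrong_socket, args=(srv,), daemon=True
    )
    worker.start()
    accepted, ignored = query_strict(dst, payload, expected_replies=2)
    worker.join(2.0)
    srv.close()
    return dst, accepted, ignored


if __name__ == "__main__":
    dst, accepted, ignored = demo()
    print("query sent to", dst)
    print("accepted:", accepted)
    for src, data in ignored:
        print("ignored reply from", src, ":", data)
```

Calling `connect()` on the client's UDP socket before sending would make the kernel perform the same filtering: a connected UDP socket only delivers datagrams from the connected peer address, so the mismatched reply would never reach the application. The user-space check above is shown instead so that the ignored reply can be logged, which is the useful signal when diagnosing a server that answers from the wrong interface.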