Matthias-Christian Ott
2010-Jul-11 11:29 UTC
[nsd-users] Fixed IPv6 Source Address for UDP Connections
Hi,

I have a tunnel on a server (ns1.example.com) which has an IPv6 address (2001:db8:1::2/64) for the tunnel endpoint and an IPv6 address (2001:db8:2::1/48) from the subnet which is tunneled to the endpoint on the same interface:

    # ip -6 addr show dev tun0
    5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qlen 500
        inet6 2001:db8:2::1/48 scope global
           valid_lft forever preferred_lft forever
        inet6 2001:db8:1::2/64 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::b8:1:0:2/64 scope link
           valid_lft forever preferred_lft forever

A DNS server runs on ns1.example.com and listens by default on [::]:53. ns1.example.com resolves to 2001:db8:2::1. When a client wants to resolve a.b.example.com, it first resolves ns1.example.com and then sends a package to the address and expects an answer from that address.

However, sometimes the DNS server replies from a different address (the client queried 2001:db8:1::2 and got a reply from 2001:db8:1::2), because the DNS server seems to pick an address randomly. This is possible because UDP is stateless (with TCP it works).

I want the DNS server to reply from the same address on which it received the request (I was told bind does this). Is that possible? Is the current behaviour intended?

Regards,
Matthias-Christian
Yuri Schaeffer
2010-Jul-12 07:28 UTC
[nsd-users] Fixed IPv6 Source Address for UDP Connections
Hello Matthias-Christian,

> However, sometimes the DNS server replies from a different address
> (the client queried 2001:db8:1::2 and got a reply from 2001:db8:1::2),
> because the DNS server seems to pick an address randomly. This is
> possible because UDP is stateless (with TCP it works).

When you don't specify an interface to bind, the OS will select one for you. The tunnel interface may be confusing it. Make sure your nsd.conf looks similar to this:

    server:
        ip-address: 2001:db8:2::1
        ip-address: [your ipv4 address]
        ip-address: 127.0.0.1

Regards,
Yuri

--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl
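
An added illustration, not part of the thread and not NSD's code: the general socket-level technique by which a UDP server bound to [::] can answer from the address a query arrived on, using IPV6_RECVPKTINFO and IPV6_PKTINFO (RFC 3542). It assumes Linux; the function names are hypothetical, and 2001:db8:2::1 in the usage below is the address from the thread.

```python
import socket
import struct

# struct in6_pktinfo { struct in6_addr ipi6_addr; unsigned int ipi6_ifindex; }
PKTINFO_FMT = "@16sI"
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)  # 20 bytes

def dest_from_ancdata(ancdata):
    """Return (destination address, ifindex) of a received datagram, or None."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IPV6 and ctype == socket.IPV6_PKTINFO:
            raw, ifindex = struct.unpack(PKTINFO_FMT, data[:PKTINFO_LEN])
            return socket.inet_ntop(socket.AF_INET6, raw), ifindex
    return None  # option not enabled, or not an IPv6 datagram

def pktinfo_for(src_addr, ifindex=0):
    """Build the ancillary item that pins the source address of one reply."""
    raw = socket.inet_pton(socket.AF_INET6, src_addr)
    return (socket.IPPROTO_IPV6, socket.IPV6_PKTINFO,
            struct.pack(PKTINFO_FMT, raw, ifindex))

def open_wildcard(port):
    """UDP socket on [::]:port that reports each datagram's destination."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_RECVPKTINFO, 1)
    s.bind(("::", port))
    return s

def answer_one(sock, make_reply):
    """Receive one query and reply from the address it was sent to."""
    query, ancdata, _flags, peer = sock.recvmsg(
        512, socket.CMSG_SPACE(PKTINFO_LEN))
    dst = dest_from_ancdata(ancdata)
    # Without pktinfo the kernel chooses the source address by its own
    # rules, which is the mismatch described in the first message.
    anc = [pktinfo_for(*dst)] if dst else []
    sock.sendmsg([make_reply(query)], anc, 0, peer)
    return dst
```

Binding one socket per address, as the nsd.conf in the reply does, gets the same result without ancillary data, because a socket bound to a specific address always sends from it.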