Alarig Le Lay
2017-Dec-13 09:01 UTC
[nsd-users] Wrong source IP for reply if 'ip-address' is not specified
Hi, If I don?t specify the IP addresses on which NSD should bind, the IP address used for the reply is the one attached to interface instead of the one the request is destined. I use NSD 4.1.18 on a FreeBSD 11.1-STABLE r326743. morvan ~ # ip a s eth0 | grep inet inet 89.234.186.5/32 brd 89.234.186.5 scope global eth0 inet6 2a00:5884::5/64 scope global inet6 fe80::6465:64ff:fe62:6331/64 scope link morvan ~ # dig -t TXT hostname.as112.net @blackhole-1.iana.org ;; reply from unexpected source: 2a00:5884:0:100::1:10#53, expected 2620:4f:8000::6#53 ;; reply from unexpected source: 89.234.186.134#53, expected 192.175.48.6#53 ^Cmorvan ~ # root at as112:~ # ifconfig vtnet0.102 | grep inet inet 89.234.186.134 netmask 0xfffffff8 broadcast 89.234.186.135 inet6 fe80::8074:b5ff:fe78:d83c%vtnet0.102 prefixlen 64 scopeid 0x5 inet6 2a00:5884:0:100::1:10 prefixlen 112 root at as112:~ # ifconfig lo1 | grep inet inet 192.175.48.1 netmask 0xffffff00 inet 192.175.48.6 netmask 0xffffff00 inet 192.175.48.42 netmask 0xffffff00 inet 192.31.196.1 netmask 0xffffff00 inet6 2620:4f:8000::6 prefixlen 64 inet6 2620:4f:8000::42 prefixlen 64 inet6 2001:4:112::1 prefixlen 64 inet6 2620:4f:8000::1 prefixlen 64 root at as112:~ # route -6 -n get 2a00:5884::5 route to: 2a00:5884::5 destination: 2a00:5884:: mask: ffff:ffff:: gateway: 2a00:5884:0:100::1:2 fib: 0 interface: vtnet0.102 flags: <UP,GATEWAY,DONE,PROTO1> recvpipe sendpipe ssthresh rtt,msec mtu weight expire 0 0 0 0 1500 1 0 root at as112:~ # route -n get 89.234.186.5 route to: 89.234.186.5 destination: 89.234.186.0 mask: 255.255.255.0 gateway: 89.234.186.130 fib: 0 interface: vtnet0.102 flags: <UP,GATEWAY,DONE,PROTO1> recvpipe sendpipe ssthresh rtt,msec mtu weight expire 0 0 0 0 1500 1 0 09:37:35.342718 IP6 2a00:5884::5.44418 > 2620:4f:8000::6.53: 16577+ [1au] TXT? hostname.as112.net. (59) 09:37:35.343173 IP6 2a00:5884:0:100::1:10.53 > 2a00:5884::5.44418: 16577*- 4/2/1 TXT "grifon" "Rennes, FR", TXT "See http://www.as112.net/ for more information.", TXT "See https://monitoring. 09:37:36.343048 IP 89.234.186.5.41908 > 192.175.48.6.53: 16577+ [1au] TXT? hostname.as112.net. (59) 09:37:36.343261 IP 89.234.186.134.53 > 89.234.186.5.41908: 16577*- 4/2/1 TXT "grifon" "Rennes, FR", TXT "See http://www.as112.net/ for more information.", TXT "See https://monitoring.grifon.f So, the request is addressed to 2620:4f:8000::6 but replied from 2a00:5884:0:100::1:10. But, if I specify the addresses in nsd.conf, all is right: morvan ~ # dig -t TXT hostname.as112.net @blackhole-1.iana.org ; <<>> DiG 9.11.1-P3 <<>> -t TXT hostname.as112.net @blackhole-1.iana.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29606 ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;hostname.as112.net. IN TXT ;; ANSWER SECTION: hostname.as112.net. 604800 IN TXT "grifon" "Rennes, FR" hostname.as112.net. 604800 IN TXT "See http://www.as112.net/ for more information." hostname.as112.net. 604800 IN TXT "See https://monitoring.grifon.fr/munin/grifon.fr/as112.grifon.fr/index.html#dns for statistics." hostname.as112.net. 604800 IN TXT "Unicast IP: 89.234.186.134" ;; AUTHORITY SECTION: hostname.as112.net. 604800 IN NS blackhole-2.iana.org. hostname.as112.net. 604800 IN NS blackhole-1.iana.org. ;; Query time: 24 msec ;; SERVER: 2620:4f:8000::6#53(2620:4f:8000::6) ;; WHEN: Wed Dec 13 09:38:02 CET 2017 ;; MSG SIZE rcvd: 344 09:38:02.559512 IP6 2a00:5884::5.35278 > 2620:4f:8000::6.53: 29606+ [1au] TXT? hostname.as112.net. (59) 09:38:02.582280 IP6 2620:4f:8000::6.53 > 2a00:5884::5.35278: 29606*- 4/2/1 TXT "grifon" "Rennes, FR", TXT "See http://www.as112.net/ for more information.", TXT "See https://monitoring.grifon The complete nsd configuration if findable here: https://www.swordarmor.fr/le-noeud-as112-chez-grifon-et-breizh-ix.html#nsd.conf (the article is in french but the configuration is commented in english) I don?t know if it is known nor considerable as an issue. Regards, -- alarig -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 484 bytes Desc: not available URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20171213/f82686af/attachment.bin>
Anand Buddhdev
2017-Dec-13 09:23 UTC
[nsd-users] Wrong source IP for reply if 'ip-address' is not specified
On 13/12/2017 10:01, Alarig Le Lay wrote: Hi Alarig,> If I don?t specify the IP addresses on which NSD should bind, the IP > address used for the reply is the one attached to interface instead of > the one the request is destined.This is normal behaviour. On a server with multiple interfaces and addresses, it is best if you explicitly specify all the addresses to which NSD should bind. Regards, Anand Buddhdev RIPE NCC -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 898 bytes Desc: OpenPGP digital signature URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20171213/442dcc1f/attachment.bin>