Robert Blayzor
2022-Jun-23 14:05 UTC
[nsd-users] Multi-homed server UDP packets wrong interface
We have hosts that are multi-homed on IPv6 networks and are having an issue
with NSD sourcing out UDP reply packets via a different interface/IP
than the query was received on.
This obviously will cause issues with clients behind firewalls, etc.
Looks as though NSD just sources the packet on the egress interface
based on the host routing table. So the reply is coming back from a
different IP address.
With TCP this isn't an issue....
Coincidentally Unbound has an option to toggle this behavior....
        # enable this feature to copy the source address of queries to reply.
        # Socket options are not supported on all platforms. experimental.
        interface-automatic: yes
Is there such a knob in NSD? If not, can there be?
--
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP: https://pgp.inoc.net/rblayzor/
Jeroen Koekkoek
2022-Jun-28 07:50 UTC
[nsd-users] Multi-homed server UDP packets wrong interface
Hi Robert,
Setting the outgoing IP address depends on the IP_PKTINFO socket
option. Currently NSD does not implement it, but given some time it can
certainly be made to do so.
NSD currently does support the bindtodevice socket option, which should
get you the desired result(?) The option causes NSD to bind the socket
to the device that has it assigned. It's an attribute of the ip-address
configuration option and you can set it like so:
ip-address: 1.2.3.4 bindtodevice=yes
Let me know if it works for you. As for the IP_PKTINFO option, I've
created a GitHub issue: https://github.com/NLnetLabs/nsd/issues/217.
Regards,
Jeroen
On Thu, 2022-06-23 at 10:05 -0400, Robert Blayzor via nsd-users wrote:
> We have hosts that are multi-homed on IPv6 networks and are having an
> issue with NSD sourcing out UDP reply packets via a different interface/IP
> than the query was received on.
>
> This obviously will cause issues with clients behind firewalls, etc.
> Looks as though NSD just sources the packet on the egress interface
> based on the host routing table. So the reply is coming back from a
> different IP address.
>
> With TCP this isn't an issue....
>
> Coincidentally Unbound has an option to toggle this behavior....
>
>         # enable this feature to copy the source address of queries to reply.
>         # Socket options are not supported on all platforms. experimental.
>         interface-automatic: yes
>
> Is there such a knob in NSD? If not, can there be?
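The IP_PKTINFO mechanism Jeroen refers to, shown as an added C example (not NSD's or Unbound's code): enable the option, read the destination address off each received query, and pin the reply's source address to it so a multi-homed host answers from the address it was asked on. It assumes Linux and IPv4; the IPv6 equivalents are IPV6_RECVPKTINFO / IPV6_PKTINFO with struct in6_pktinfo, and all function names are illustrative.

```c
#define _GNU_SOURCE
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#define PKTINFO_SPACE CMSG_SPACE(sizeof(struct in_pktinfo))
/* Ask the kernel to attach IP_PKTINFO (destination address, ingress ifindex) to each datagram. */
int enable_pktinfo(int fd) {
    int on = 1;
    return setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);
}

/* Copy the local address a received query was sent to into *dst. Returns 1 if found, else 0. */
int recv_dst_addr(struct msghdr *msg, struct in_addr *dst) {
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof pi);  /* memcpy: CMSG_DATA need not be aligned */
            *dst = pi.ipi_addr;
            return 1;
        }
    }
    return 0;
}

/* Write an IP_PKTINFO record pinning a reply's source address to src; returns control length or 0. */
size_t build_src_cmsg(char *ctl, size_t ctl_len, struct in_addr src) {
    if (ctl_len < PKTINFO_SPACE) return 0;
    memset(ctl, 0, PKTINFO_SPACE);
    struct msghdr msg = { .msg_control = ctl, .msg_controllen = PKTINFO_SPACE };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP; c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
    struct in_pktinfo pi = { .ipi_spec_dst = src };  /* on Linux this selects the source address */
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    return PKTINFO_SPACE;
}
/* Receive one query and echo it back from the address it arrived on, not the routing-table default. */
ssize_t serve_once(int fd, char *buf, size_t buflen) {
    char ctl[PKTINFO_SPACE];
    struct sockaddr_in peer; struct in_addr src;
    struct iovec iov = { buf, buflen };
    struct msghdr msg = { .msg_name = &peer, .msg_namelen = sizeof peer, .msg_iov = &iov,
                          .msg_iovlen = 1, .msg_control = ctl, .msg_controllen = sizeof ctl };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return n;
    if (!recv_dst_addr(&msg, &src)) return -1;  /* no record: enable_pktinfo() was not applied */
    iov.iov_len = (size_t)n;
    msg.msg_controllen = build_src_cmsg(ctl, sizeof ctl, src);
    return sendmsg(fd, &msg, 0);
}
```

A real server would call enable_pktinfo() on every listening UDP socket once after bind() and then loop on serve_once(); without the option the control buffer stays empty and the kernel falls back to choosing the source by the routing table, which is exactly the behaviour described in the thread.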