In message <4bb4ed5a.20...@chrysler.com>, Kevin Darcy writes:
> On 4/1/2010 12:37 AM, Mark Andrews wrote:
> > In message <4bb1c63b.30...@ies.etisalat.ae>, Abdulla Bushlaibi writes:
> >
> >> We are facing query drops when using the dnsperf tool from ISC to test the DNS
> >> service via a load balancer. Multiple queries from the same source port
> >> are being partially dropped by the load balancer, and as per the load
> >> balancer vendor's feedback, this is a security feature and this situation
> >> doesn't happen in real-life scenarios.
> >>
> >> In most cases, clients generate unique random source ports for
> >> each DNS query; however, we are not sure about the option of reusing the
> >> same source port for multiple queries and how it applies in real-life
> >> scenarios.
> >>
> >> Appreciate your comment on this subject.
> >>
> >> --
> >> Abdulla Ahmad Bushlaibi
> >>
> >> _______________________________________________
> >> bind-users mailing list
> >> bind-users@lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
> >>
> > A load balancer that cannot cope with multiple outstanding queries
> > that have the same source port is broken. A server (and that
> > includes any load balancer in front of it) should not care about
> > the source port.
It's only "bad practice" if you are not using other methods to prevent
spoofing attacks from succeeding. A load balancer should work with all
traffic patterns.

> Re-use of source ports for DNS queries is a bad security practice. I
> cast my vote in favor of penalizing it, in the default configuration of
> any device that responds to DNS requests.
>
> - Kevin
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
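The thread disagrees about whether a device should drop queries that reuse a source port. A defender's alternative is to measure source-port diversity per client rather than drop traffic, so that clients whose queries depend on the 16-bit transaction ID alone for spoofing resistance can be identified and covered by other anti-spoofing measures. The following is an added example, not code from the thread or from ISC; the query records, addresses and the flagging threshold are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample of (source IP, source port, DNS transaction ID) tuples
# as seen arriving at a resolver or load balancer. Not real traffic.
SAMPLE_QUERIES = [
    ("192.0.2.10", 53211, 0x1A2B), ("192.0.2.10", 41877, 0x9C01),
    ("192.0.2.10", 60019, 0x0042), ("192.0.2.10", 35520, 0x77F0),
    ("192.0.2.10", 49713, 0x3E3E), ("192.0.2.10", 52002, 0xBEEF),
    # A client sending every query from one fixed port (dnsperf-style or an
    # old stub resolver): only the 16-bit TXID varies between queries.
    ("192.0.2.20", 5353, 0x0001), ("192.0.2.20", 5353, 0x0002),
    ("192.0.2.20", 5353, 0x0003), ("192.0.2.20", 5353, 0x0004),
    ("192.0.2.20", 5353, 0x0005), ("192.0.2.20", 5353, 0x0006),
]

def port_entropy_bits(ports):
    """Shannon entropy, in bits, of the observed source-port distribution."""
    n = len(ports)
    counts = defaultdict(int)
    for p in ports:
        counts[p] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def audit_sources(queries, max_top_port_share=0.5):
    """Group queries by source IP and flag sources where one port carries
    more than max_top_port_share of the queries, i.e. the TXID is doing
    almost all of the anti-spoofing work (assumed threshold)."""
    by_src = defaultdict(list)
    for src, port, _txid in queries:
        by_src[src].append(port)
    report = {}
    for src, ports in by_src.items():
        top_share = max(ports.count(p) for p in set(ports)) / len(ports)
        report[src] = {
            "queries": len(ports),
            "distinct_ports": len(set(ports)),
            "port_entropy_bits": round(port_entropy_bits(ports), 2),
            "top_port_share": round(top_share, 2),
            "low_port_diversity": top_share > max_top_port_share,
        }
    return report

if __name__ == "__main__":
    for src, row in audit_sources(SAMPLE_QUERIES).items():
        print(src, row)
```

Flagged sources are candidates for other anti-spoofing protections rather than for drops, which is the distinction the reply above draws.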