FWIW, OpenDNS resolvers have always ignored the response source address. In light of this conversation and in light of RFC 2181 section 4 and RFC 5452 section 9.1, I’ll create a ticket to change this….
Unfortunately I have no statistics around how many responses we receive from differing IPs.

— Brian

> On Sep 2, 2020, at 12:38 AM, Thomas Mieslinger <[email protected]> wrote:
>
> On 9/1/20 9:15 PM, Andreas Ott wrote:
>> On Mon, Aug 31, 2020 at 8:00 PM P Vixie <[email protected]> wrote:
>> [...] the observation that something bad is not happening to somebody doesn't mean it's not happening to anybody.
>>
>> May I please ask an operational question to experts: though I am only running a small number of authoritative and recursive servers, I am coming up short looking up what logging I need to turn on in BIND 9.16 and what logged strings I need to parse out to see responses coming from a different IP? I have various log channels enabled per the BIND logging "FAQ" but either I am missing config bits or the problem does not occur (on my servers). This is in a network lab setup and I am able to share data.
>
> I don't think this is implemented in a way needed for this kind of analysis in any recursive DNS software.
>
> I have chosen to do dnscap on the interface with outgoing traffic and may do correlation of requests/responses based on qname/qtype and look for mismatches in dst IP/src IP afterwards.
>
> Another option that comes to my mind is to tweak/reuse the collectd dns plugin, which also opens the packet flow on a configurable interface with libpcap and may be able to do some online data correlation.
>
> Just my 5¢
>
> Thomas
>
> _______________________________________________
> dns-operations mailing list
> [email protected]
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
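The offline correlation Thomas describes (match each captured response to the query it answers, then flag responses whose source address differs from the address the query was sent to, which is the RFC 5452 section 9.1 check), written out as an added example that is not part of the thread or of dnscap. It assumes the capture has already been reduced to per-packet records with the fields below; the field names and the sample traffic are constructed for this example.

```python
from collections import namedtuple

# One captured UDP DNS packet reduced to the fields the correlation needs.
# Field names are assumptions for this example, not dnscap's output format.
Packet = namedtuple("Packet", "src dst sport dport txid qname qtype is_response")

# Constructed sample capture (not real traffic) taken on a resolver's outgoing
# interface: three queries and three answers. The third answer arrives from an
# address other than the one the query was sent to.
SAMPLE_CAPTURE = [
    Packet("192.0.2.53", "198.51.100.10", 41000, 53, 0x1A2B, "example.com.", "A", False),
    Packet("198.51.100.10", "192.0.2.53", 53, 41000, 0x1A2B, "example.com.", "A", True),
    Packet("192.0.2.53", "198.51.100.11", 41001, 53, 0x3C4D, "example.net.", "AAAA", False),
    Packet("198.51.100.11", "192.0.2.53", 53, 41001, 0x3C4D, "example.net.", "AAAA", True),
    Packet("192.0.2.53", "198.51.100.12", 41002, 53, 0x5E6F, "example.org.", "MX", False),
    Packet("203.0.113.7", "192.0.2.53", 53, 41002, 0x5E6F, "example.org.", "MX", True),
]


def correlate(capture):
    """Match responses to outstanding queries and report source-address mismatches.

    A query is keyed on (resolver address, resolver port, txid, qname, qtype); a
    response matches when it is addressed to that tuple. Keeping the port and the
    question in the key means a response that only guesses the txid is reported
    as unmatched rather than paired with an unrelated query.
    Returns (mismatches, unmatched): mismatches are (query, response) pairs whose
    response source differs from the query destination; unmatched are responses
    with no outstanding query.
    """
    outstanding = {}
    mismatches = []
    unmatched = []
    for pkt in capture:
        if not pkt.is_response:
            outstanding[(pkt.src, pkt.sport, pkt.txid, pkt.qname, pkt.qtype)] = pkt
            continue
        key = (pkt.dst, pkt.dport, pkt.txid, pkt.qname, pkt.qtype)
        query = outstanding.pop(key, None)
        if query is None:
            unmatched.append(pkt)            # nothing outstanding for this answer
        elif pkt.src != query.dst:
            mismatches.append((query, pkt))  # answer came from an unexpected source
    return mismatches, unmatched


if __name__ == "__main__":
    found, stray = correlate(SAMPLE_CAPTURE)
    for q, r in found:
        print(f"{q.qname} {q.qtype} txid={q.txid:#06x}: sent to {q.dst}, answered by {r.src}")
    print(f"{len(found)} mismatched, {len(stray)} unmatched responses")
```

A resolver that accepts such a response has no source-address check, which is the behaviour Brian describes changing; a resolver that drops it will still show the packet in the capture, so the count measures what arrives on the wire rather than what was accepted.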
