If your ISP really does that, I suggest you sack them immediately, or at least shout very loudly at them.
The port space on any host is 2^16 ports, so at any time a UDP packet to a port number picked at random is very likely to result in a destination unreachable response. If that results in the host going offline, then that provides a trivial DoS attack on the host from anywhere on the internet, knowing nothing but the IP address.

Giving dnsmasq the option query-port=0 will stop it from closing the socket after the first reply.

Cheers,

Simon.

On 27/06/17 14:37, Roger James wrote:
> Hi Simon,
>
> Sending ICMP unreachable is not very friendly with my ISP. They treat
> the host as offline. The host is my VoIP PBX so I don't get any incoming
> calls for a while. Would it not be better to hold the port open until
> all requests have been received? I have turned on the strict-order
> option to try and circumvent this.
>
> Roger
>
> On 27 June 2017 10:31:59 am Simon Kelley <si...@thekelleys.org.uk> wrote:
>
>> What's probably happening is this.
>>
>> 1) query arrives from client,
>> 2) UDP socket opened, and query sent from socket to more than one
>> upstream server.
>> 3) Reply arrives from fastest upstream server, reply returned to client.
>> 4) upstream socket closed.
>> 5) reply arrives from slower upstream server -> destination unreachable.
>>
>> dnsmasq does the "send the query to all available servers" trick every
>> once in a while to find the fastest one.
>>
>> If this is what you're seeing, it's a feature, not a bug.
>>
>> Cheers,
>>
>> Simon.
>>
>> On 27/06/17 06:56, Roger James wrote:
>>> I am seeing some rather perplexing behaviour regarding the reception of
>>> upstream IPv6 UDP DNS query responses on a Debian (Raspbian) system
>>> running on a Raspberry Pi. It appears that dnsmasq is not holding open
>>> an IPv6 UDP port to handle a response to an upstream query. What my
>>> network monitor shows is the upstream request going out and a reply
>>> coming back in. However the Pi rejects the incoming UDP packet with an
>>> ICMPv6 Destination unreachable (port unreachable).
>>>
>>> I may be missing something obvious here, but it looks like dnsmasq is
>>> not holding open a listening port for the response.
>>>
>>> Has anyone got any ideas on what is going on, or can point me at some ways
>>> of tracking this down.
>>>
>>> The configuration of dnsmasq is out of the box Debian.
>>>
>>> Thanks,
>>>
>>> Roger
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasqemail@example.com
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
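The five-step sequence described in the thread, as an added example that is not part of the original messages or of dnsmasq: it reads a capture summary and separates port-unreachable replies caused by a late answer from a slower upstream server from those caused by traffic nobody asked for. The record format, addresses, ports and function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in a simplified, made-up format (not real tcpdump output):
# <seconds> <event> <local UDP port> <remote address> <DNS id or ->
SAMPLE = """\
0.000 query   40001 2001:db8:1::53 0x1a2b
0.000 query   40001 2001:db8:2::53 0x1a2b
0.021 reply   40001 2001:db8:1::53 0x1a2b
0.184 reply   40001 2001:db8:2::53 0x1a2b
0.184 unreach 40001 2001:db8:2::53 -
3.500 reply   51234 2001:db8:9::9  0x0001
3.500 unreach 51234 2001:db8:9::9  -
7.000 query   40002 2001:db8:1::53 0x3c4d
7.015 reply   40002 2001:db8:1::53 0x3c4d
"""

def classify_unreachables(text):
    """Return [(time, port, remote, verdict)] for each port-unreachable sent."""
    asked = defaultdict(set)      # local port -> upstreams queried from it
    answered = defaultdict(list)  # local port -> [(time, upstream)] replies seen
    verdicts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, port, remote, _txid = line.split()
        ts, port = float(ts), int(port)
        if event == "query":
            asked[port].add(remote)
        elif event == "reply":
            answered[port].append((ts, remote))
        elif event == "unreach":
            # Did a different upstream already answer on this port?
            earlier_winner = any(t < ts and r != remote for t, r in answered[port])
            if remote not in asked[port]:
                verdict = "unsolicited"     # nothing was ever sent to this peer
            elif len(asked[port]) > 1 and earlier_winner:
                verdict = "late-duplicate"  # steps 1-5: socket closed after first reply
            else:
                verdict = "unexplained"     # queried once, yet the port was gone
            verdicts.append((ts, port, remote, verdict))
    return verdicts

if __name__ == "__main__":
    for v in classify_unreachables(SAMPLE):
        print(*v)
```

The dnsmasq man page notes that using the query-port option makes dnsmasq less secure against DNS spoofing attacks, which is the trade-off for keeping the upstream socket open.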