On Sat, Nov 17, 2007 at 04:01:51PM +0100, Rolf Sommerhalder wrote:
> relay dnsRelay {
>  listen on $yellow port 53
>  protocol dnsProto
>  forward to $white port 53
>  #forward to $dnsHost port 53
>  timeout 60
> }
> 

as theo mentioned, the problem is related to the use of the bind()
call for the outbound udp socket. the code currently uses the same
socket for inbound and outbound datagrams, and it will bind() to the
address specified in the "listen on" directive. there is no easy
way to support multi-homed interfaces yet, because i need to
extend the hoststated relay code to allow multiple "listen on"
directives per relay first (in contrast to TCP streams, we need to
"listen" for UDP replies).

please try to configure the following:

1. use 0.0.0.0 as the "listen on" address; the relay will listen
  on "any" IP address for incoming DNS requests and the kernel
  will select the primary IP address of the outgoing interface
  with the specified source port automatically

protocol dnsProto {
        protocol dns
}
relay domain {
        listen on 0.0.0.0 port 53
        forward to $dnsHost port 53
        protocol dnsProto
}

2. because we do not bind to an explicit address, restrict DNS in pf

pass in on { fxp2, fxp3 } inet proto udp to port 53

so the proposed solution is to always use "listen on 0.0.0.0 port 53"
with DNS relays for now.

> relay nfOracleRelay {
>  listen on $yellow port 1521
>  protocol nfOracleProto
>  forward to $white port 1521
>  #forward to $ospHost port 1521
>  timeout 3600
> }
> 
> relay x11Relay {
>  listen on $yellow port 6000
>  protocol x11Proto
>  forward to $white port 6000
>  #forward to $x11Host port 6000
>  timeout 600
> }
> [EMAIL PROTECTED]:etc]#
> 
> 
> 
> [EMAIL PROTECTED]:etc]# hoststated -v -d
> startup
> init_filter: filter init done
> init_tables: created 0 tables
> relay_init: adding relay x11Relay
> protocol 3: name x11Proto
>         flags: 0x0004
>         type: tcp
> relay_init: adding relay nfOracleRelay
> protocol 2: name nfOracleProto
>         flags: 0x0004
>         type: tcp
> relay_init: adding relay dnsRelay
> protocol 1: name dnsProto
>         flags: 0x0004
>         type: dns
> relay_init: adding relay sshRelay
> protocol 0: name sshProto
>         flags: 0x0004
>         type: tcp
> relay_launch: running relay x11Relay
> relay_launch: running relay nfOracleRelay
> relay_launch: running relay dnsRelay
> relay_launch: running relay sshRelay
> 
> ---
> 
> A) DNS/UDP Example
> 
> Output of "hoststated -v -d" after issuing a DNS lookup on "orange":
> 
> relay_dns_log: session 1: request id 0xf4cc flags 0x1:0x0 qd 1 an 0 ns 0 ar 0
> relay dnsRelay, session 1 (1 active), 10.2.2.32 -> 10.1.1.30:53, udp timeout
> relay_dns_log: session 2: request id 0xf4cc flags 0x1:0x0 qd 1 an 0 ns 0 ar 0
> relay dnsRelay, session 2 (1 active), 10.2.2.32 -> 10.1.1.30:53, udp timeout
> 
> 
> hoststated listens on the right NIC fxp3:
> 
> [EMAIL PROTECTED]:root]# tcpdump -i fxp3 -n
> tcpdump: listening on fxp3, link-type EN10MB
> 15:51:39.635373 10.2.2.32.32768 > 10.2.2.31.53: 51934+ A? orange. (24) (DF)
> 15:51:44.636459 10.2.2.32.32768 > 10.2.2.31.53: 51934+ A? orange. (24) (DF)
> 
> 
> hoststated passes on the proxied requests to the left NIC fxp2, using the
> unexpected/wrong(?) source address of (fxp3)=10.2.2.31, instead of
> (fxp2)=10.1.1.31 as in the TCP example below:
> 
> [EMAIL PROTECTED]:root]# tcpdump -i fxp2 -n
> tcpdump: listening on fxp2, link-type EN10MB
> 15:42:13.565810 10.2.2.31.53 > 10.1.1.30.53: 5744+ A? orange. (24)
> 15:42:18.566692 10.2.2.31.53 > 10.1.1.30.53: 6135+ A? orange. (24)
> 
> 
> ---
> 
> B) TCP Example
> 
> Output of "hoststated -v -d" after "orange" opens and immediately
> closes again an X11 window on a remote X server to the left of
> "white":
> 
> relay x11Relay, session 5 (1 active), 10.2.2.32 -> 10.1.1.30:6000, done
> 
> 
> hoststated listens on the right NIC fxp3:
> 
> [EMAIL PROTECTED]:root]# tcpdump -i fxp3 -n
> tcpdump: listening on fxp3, link-type EN10MB
> 15:49:36.359944 10.2.2.32.32770 > 10.2.2.31.6000: S
> 18518406:18518406(0) win 5840 <mss 1460,sackOK,timestamp 74716745
> 0,nop,wscale 2> (DF) [tos 0x10]
> 15:49:36.360083 10.2.2.31.6000 > 10.2.2.32.32770: S
> 2569303658:2569303658(0) ack 18518407 win 65535 <mss
> 1460,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 2174965381
> 74716745> (DF)
> 15:49:36.360975 10.2.2.32.32770 > 10.2.2.31.6000: . ack 1 win 1460
> <nop,nop,timestamp 74716746 2174965381> (DF) [tos 0x10]
> 15:49:39.487031 10.2.2.32.32770 > 10.2.2.31.6000: P 1:3(2) ack 1 win
> 1460 <nop,nop,timestamp 74719873 2174965381> (DF) [tos 0x10]
> 15:49:39.684656 10.2.2.31.6000 > 10.2.2.32.32770: . ack 3 win 33304
> <nop,nop,timestamp 2174965388 74719873> (DF)
> 15:49:43.873208 10.2.2.32.32770 > 10.2.2.31.6000: F 3:3(0) ack 1 win
> 1460 <nop,nop,timestamp 74724259 2174965388> (DF) [tos 0x10]
> 15:49:43.873284 10.2.2.31.6000 > 10.2.2.32.32770: . ack 4 win 33304
> <nop,nop,timestamp 2174965396 74724259> (DF)
> 15:49:43.873720 10.2.2.31.6000 > 10.2.2.32.32770: F 1:1(0) ack 4 win
> 33304 <nop,nop,timestamp 2174965396 74724259> (DF)
> 15:49:43.873928 10.2.2.32.1024 > 10.2.2.31.6000: . ack 2569303660 win
> 1460 <nop,nop,timestamp 74724260 2174965396> (DF)
> 15:49:45.365551 10.2.2.31.6000 > 10.2.2.32.32770: F 1:1(0) ack 4 win
> 33304 <nop,nop,timestamp 2174965399 74724259> (DF)
> 15:49:45.366449 10.2.2.32.1024 > 10.2.2.31.6000: . ack 1 win 1460
> <nop,nop,timestamp 74725753 2174965396> (DF)
> 15:49:48.366031 10.2.2.31.6000 > 10.2.2.32.32770: F 1:1(0) ack 4 win
> 33304 <nop,nop,timestamp 2174965405 74724259> (DF)
> 15:49:48.366837 10.2.2.32.1024 > 10.2.2.31.6000: . ack 1 win 1460
> <nop,nop,timestamp 74728753 2174965396> (DF)
> 
> 
> hoststated passes on the proxied requests to the left NIC fxp2, using the
> source address (fxp2)=10.1.1.31, as expected:
> 
> [EMAIL PROTECTED]:root]# tcpdump -i fxp2 -n
> tcpdump: listening on fxp2, link-type EN10MB
> 15:44:10.623784 10.1.1.31.46713 > 10.1.1.30.6000: S
> 2296881782:2296881782(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale
> 1,nop,nop,timestamp 3412075455 0> (DF)
> 15:44:10.625018 10.1.1.30.6000 > 10.1.1.31.46713: S
> 2783995020:2783995020(0) ack 2296881783 win 16384 <mss
> 1368,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1707132611
> 3412075455> (DF)
> 15:44:10.625083 10.1.1.31.46713 > 10.1.1.30.6000: . ack 1 win 32768
> <nop,nop,timestamp 3412075455 1707132611> (DF)
> 15:44:18.336307 10.1.1.31.46713 > 10.1.1.30.6000: P 1:6(5) ack 1 win
> 32768 <nop,nop,timestamp 3412075471 1707132611> (DF)
> 15:44:18.529429 10.1.1.30.6000 > 10.1.1.31.46713: . ack 6 win 17628
> <nop,nop,timestamp 1707132627 0> (DF)
> 15:44:40.750801 10.1.1.31.46713 > 10.1.1.30.6000: F 6:6(0) ack 1 win
> 32768 <nop,nop,timestamp 3412075515 1707132627> (DF)
> 15:44:40.751809 10.1.1.30.6000 > 10.1.1.31.46713: . ack 7 win 17628
> <nop,nop,timestamp 1707132671 0> (DF)
> 15:44:40.752193 10.1.1.30.6000 > 10.1.1.31.46713: F 1:1(0) ack 7 win
> 17628 <nop,nop,timestamp 1707132671 0> (DF)
> 15:44:40.752244 10.1.1.31.46713 > 10.1.1.30.6000: . ack 2 win 32768
> <nop,nop,timestamp 3412075515 1707132671> (DF)

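The bind() behaviour described in the reply above, as an added C example that is not hoststated's own code: it binds a UDP socket the way a "listen on" directive would and reads back the source address the kernel will stamp on datagrams toward a given destination. Loopback addresses and port 0 stand in for the 10.x addresses and port 53 of the thread.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Bind a UDP socket to bind_ip:bind_port, then ask the kernel which source
 * address it would use toward dst_ip. connect() on a UDP socket sends no
 * datagram; it only fixes the peer and makes the kernel pick a source by
 * routing, which getsockname() then reports as a dotted quad in out.
 */
int udp_source_for(const char *bind_ip, uint16_t bind_port,
                   const char *dst_ip, char *out, size_t outlen)
{
    struct sockaddr_in local, peer;
    socklen_t len = sizeof(local);
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;

    /* The bind() hoststated issues for its "listen on" address. */
    memset(&local, 0, sizeof(local));
    local.sin_family = AF_INET;
    local.sin_port = htons(bind_port);
    if (inet_pton(AF_INET, bind_ip, &local.sin_addr) != 1 ||
        bind(s, (struct sockaddr *)&local, sizeof(local)) < 0)
        goto fail;

    /* Peer port 53 mirrors the "forward to ... port 53" in the thread. */
    memset(&peer, 0, sizeof(peer));
    peer.sin_family = AF_INET;
    peer.sin_port = htons(53);
    if (inet_pton(AF_INET, dst_ip, &peer.sin_addr) != 1 ||
        connect(s, (struct sockaddr *)&peer, sizeof(peer)) < 0)
        goto fail;

    if (getsockname(s, (struct sockaddr *)&local, &len) < 0 ||
        inet_ntop(AF_INET, &local.sin_addr, out, outlen) == NULL)
        goto fail;
    close(s);
    return 0;
fail:
    close(s);
    return -1;
}
```

With a wildcard bind the kernel fills in the source from the route to the peer, which is why "listen on 0.0.0.0" lets replies toward 10.1.1.30 leave with the fxp2 address; an explicit bind to $yellow keeps 10.2.2.31 as the source on every outgoing datagram, as the fxp2 capture in example A shows.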