In message <[email protected]>, Havard Eidnes <[email protected]> wrote:
> It's a long time since sourcing queries from a recursor only from
> port 53 was best practice. Source port randomization is the
> current best practice.

Yes, I am aware of that. I just posited a simple case that would make the
issue/question entirely apparent.

> However, of course, "collisions" in time may still occur.

Exactly so. Even with port randomization, there's nothing to stop two
machines that happen to be behind the same NAT router from both electing
to send out DNS queries on, say, port 12345 at about the same time.

>> [...], then when the two DNS response packets come back
>> to the NAT router, how will it know which of the two machines it should
>> send each of those two DNS response packets to?
>
> That depends on how state is maintained in your NAT box. In all
> likelihood it maintains a 4-tuple, including both the source and
> destination (address and port), so if the queries use the same
> source port but query different external name servers, the NAT
> box would still be able to forward correctly.

I understand this notion of the 4-tuple and how it would or could be used
to disambiguate in this context. What I am entirely less sure about is
whether or not common off-the-shelf inexpensive SOHO routers create and
maintain one such 4-tuple for essentially each and every outbound UDP
packet they process, regardless of type. Do they? Or do they perform some
limited form of deep packet inspection so that they can create and
maintain one such 4-tuple only and exclusively for DNS query packets, in
particular?

Of course, all this makes me curious about other relevant capabilities and
limitations of SOHO routers too. Once created, how long would such a
router be likely to maintain such a (tracking) 4-tuple before discarding
it as no longer needed?

And of course there is that other capacity question that I asked:

>> And if that is the case, then will my SOHO router catch fire if and when
>> I elect to send out through it a set of 65536 or more separate DNS queries,
>> all in rapid succession?
>
> That all depends on your SOHO router, and isn't so much about DNS
> per se. I can however imagine that it's quite possible to put
> the SOHO router under strain, not just by using lots of queries
> (using different source ports) in rapid succession, but also by
> sending them to a lot of different external name servers.

Yes. I see. Because that also would lead to the creation of multiple/
numerous 4-tuples that would all have to be stored and maintained.

I think that I have opened a can of worms for myself by either asking
about or even thinking about any of this. :-) But it has been
enlightening, and I thank you for your answer Havard.

Going forward, and in light of these issues, I most certainly -won't- be
doing any of my DNS research from behind my little SOHO router, based on
what I know now. I also am looking at my SOHO router with a much more
jaundiced eye now, and wondering how many of these kinds of boxes have
been subjected to serious testing for possible programmed UDP-based
Denial of Service attacks, either from the WAN side or from the LAN side.

Regards,
rfg
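The 4-tuple behaviour discussed in this exchange, as an added toy model that is not part of the thread and not the code of any real router: a NAPT table keyed on (WAN port, remote address, remote port) lets two LAN hosts share source port 12345 toward different resolvers, forces a port rewrite when they also share the resolver, and drops idle mappings after an assumed 30-second UDP timeout (all addresses and the timeout are constructed values).

```python
from dataclasses import dataclass

UDP_TIMEOUT = 30.0  # idle seconds before a UDP mapping is dropped (assumed value)

@dataclass
class Mapping:
    lan_addr: str
    lan_port: int
    last_seen: float

class Nat:
    def __init__(self):
        self.table = {}  # (wan_port, remote_addr, remote_port) -> Mapping

    def _expire(self, now):
        self.table = {k: m for k, m in self.table.items()
                      if now - m.last_seen <= UDP_TIMEOUT}

    def outbound(self, src, sport, dst, dport, now):
        """Translate an outbound UDP packet; return the WAN source port used."""
        self._expire(now)
        for (wport, rdst, rdport), m in self.table.items():
            if (m.lan_addr, m.lan_port, rdst, rdport) == (src, sport, dst, dport):
                m.last_seen = now          # existing flow: refresh and reuse
                return wport
        wport = sport                      # try to keep the LAN port as-is...
        while (wport, dst, dport) in self.table:   # ...unless another host holds it
            wport = wport + 1 if wport < 65535 else 1024
        self.table[(wport, dst, dport)] = Mapping(src, sport, now)
        return wport

    def inbound(self, src, sport, dport, now):
        """Route an inbound reply; return (lan_addr, lan_port) or None if no state."""
        self._expire(now)
        m = self.table.get((dport, src, sport))
        if m is None:
            return None                    # no 4-tuple known: reply is dropped
        return (m.lan_addr, m.lan_port)

def demo():
    nat = Nat()
    # Two hosts pick source port 12345 at the same moment, to different resolvers
    p1 = nat.outbound("192.168.1.10", 12345, "198.51.100.53", 53, 0.0)
    p2 = nat.outbound("192.168.1.11", 12345, "198.51.100.54", 53, 0.0)
    # A third host collides on port AND resolver: the NAT must rewrite the port
    p3 = nat.outbound("192.168.1.12", 12345, "198.51.100.53", 53, 0.1)
    r1 = nat.inbound("198.51.100.53", 53, p1, 0.5)
    r2 = nat.inbound("198.51.100.54", 53, p2, 0.5)
    r3 = nat.inbound("198.51.100.53", 53, p3, 0.5)
    late = nat.inbound("198.51.100.54", 53, p2, 100.0)  # idle past UDP_TIMEOUT
    return p1, p2, p3, r1, r2, r3, late
```

Each outbound packet costs one table entry, which is why a burst of many queries to many resolvers stresses a small router's state table far more than the queries' DNS content does.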
