Patrick M. Hausen
2021-05-08 17:05:56 UTC
Hi all,
I am facing a problem that is perfectly explained by the semantics
of the socket interface for UDP, if one assumes that the application
in question binds to INADDR_ANY and does not specifically set the
sender address when sending datagrams.
In the case of a DNS server and an interface with multiple addresses
that means outgoing answers will always be sent from the primary
address if the server does not take specific measures to answer
queries received on an alias address also *from* that alias address.
I guess that is the primary reason why BIND binds to all addresses
it finds at startup individually - to get this function "for free" by the
underlying OS.
Now recently I stumbled over AdGuard Home - a filtering recursive
nameserver written in golang - sending replies from the wrong
address when alias addresses are involved. Naturally I opened
the folks responsible a ticket:
https://github.com/AdguardTeam/AdGuardHome/issues/3015
Their answer: "we *do* keep track of the address a query was sent to,
that problem was solved long ago."
Yet, clearly, my installation on Free/HardenedBSD 12.1 (OPNsense)
behaves differently. My question to you on this list: since they do
their main development work on Linux, is there a remote possibility
that our API is sufficiently different for their code to run, but not to
work as intended?
Their code in question is here:
https://github.com/AdguardTeam/dnsproxy/blob/1163404e605c3dfbeab360fc3540fc290f61a321/proxyutil/udp_unix.go#L47
I am familiar with the socket API in C (and could always fetch a copy
of "Stevens" from my shelf), but don't know enough about golang
to make any progress from here.
Anyone who can help?
Thanks!
Patrick
--
punkt.de GmbH
Patrick M. Hausen
.infrastructure
Kaiserallee 13a
76133 Karlsruhe
Tel. +49 721 9109500
https://infrastructure.punkt.de
***@punkt.de
AG Mannheim 108285
GeschÀftsfÌhrer: JÌrgen Egeling, Daniel Lienert, Fabian Stein
I am facing a problem that is perfectly explained by the semantics
of the socket interface for UDP, if one assumes that the application
in question binds to INADDR_ANY and does not specifically set the
sender address when sending datagrams.
In the case of a DNS server and an interface with multiple addresses
that means outgoing answers will always be sent from the primary
address if the server does not take specific measures to answer
queries received on an alias address also *from* that alias address.
I guess that is the primary reason why BIND binds to all addresses
it finds at startup individually - to get this function "for free" by the
underlying OS.
Now recently I stumbled over AdGuard Home - a filtering recursive
nameserver written in golang - sending replies from the wrong
address when alias addresses are involved. Naturally I opened
the folks responsible a ticket:
https://github.com/AdguardTeam/AdGuardHome/issues/3015
Their answer: "we *do* keep track of the address a query was sent to,
that problem was solved long ago."
Yet, clearly, my installation on Free/HardenedBSD 12.1 (OPNsense)
behaves differently. My question to you on this list: since they do
their main development work on Linux, is there a remote possibility
that our API is sufficiently different for their code to run, but not to
work as intended?
Their code in question is here:
https://github.com/AdguardTeam/dnsproxy/blob/1163404e605c3dfbeab360fc3540fc290f61a321/proxyutil/udp_unix.go#L47
I am familiar with the socket API in C (and could always fetch a copy
of "Stevens" from my shelf), but don't know enough about golang
to make any progress from here.
Anyone who can help?
Thanks!
Patrick
--
punkt.de GmbH
Patrick M. Hausen
.infrastructure
Kaiserallee 13a
76133 Karlsruhe
Tel. +49 721 9109500
https://infrastructure.punkt.de
***@punkt.de
AG Mannheim 108285
GeschÀftsfÌhrer: JÌrgen Egeling, Daniel Lienert, Fabian Stein