DNS versus NAT ?

Havard Eidnes he at uninett.no
Thu Jun 13 06:46:13 UTC 2019


> Assume there exist two instances of, say, Unbound, running on two machines,
> both behind the same single SOHO router which is doing NAT for the local
> network.
>
> If they both send outbound DNS queries at about the same time, and both
> happen to select the exact same outbound port number to do so, say for
> example UDP port 53 [...]

It's a long time since sourcing queries from a recursor only from
port 53 was best practice.  Source port randomization is the
current best practice.  However, of course, "collisions" in time
may still occur.

> [...], then when the two DNS response packets come back
> to the NAT router, how will it know which of the two machines it should
> send each of those two DNS response packets to?

That depends on how state is maintained in your NAT box.  In all
likelihood it maintains a 4-tuple, including both the source and
destination (address and port), so if the queries use the same
source port but query different external name servers, the NAT
box would still be able to forward correctly.

> For the outbound DNS query packets, does the router re-jigger the original
> source port numbers so that they will (hopefully) not conflict and so that
> the DNS response packets, when they arrive, can be directed appropriately
> to one machine or the other?
>
> And if that is the case, then will my SOHO router catch fire if and when
> I elect to send out through it a set of 65536 or more separate DNS queries,
> all in rapid succession?

That all depends on your SOHO router, and isn't so much about DNS
per se.  I can however imagine that it's quite possible to put
the SOHO router under strain, not just by using lots of queries
(using different source ports) in rapid succession, but also by
sending them to a lot of different external name servers.

Regards,

- Håvard
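The 4-tuple state tracking described in the reply, as an added simulation that is not part of the original thread and not any router's real code: `NatTable` is a hypothetical class that keys outbound UDP flows on (source address, source port, destination address, destination port), keeps the recursor's own source port when it can, rewrites it only on a full collision, maps replies back on the endpoint they came from, and fails when the external port pool for one destination is used up. The port-preserving policy and the address values are constructed assumptions.

```python
import random


EXTERNAL_IP = "203.0.113.1"   # constructed: the NAT box's public address


class NatTable:
    """Hypothetical per-flow NAT state for UDP, keyed on the full 4-tuple."""

    def __init__(self, port_range=(1024, 65535), seed=None):
        self.port_range = port_range
        self.rng = random.Random(seed)
        # (src_ip, src_port, dst_ip, dst_port) -> external port
        self.outbound = {}
        # (ext_port, dst_ip, dst_port) -> (src_ip, src_port)
        self.inbound = {}

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Return (external ip, external port) used for this outbound query."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.outbound:
            return (EXTERNAL_IP, self.outbound[key])
        # Assumed policy: keep the recursor's own source port unless another
        # internal host already uses it towards the same name server. Keeping
        # it preserves the resolver's source port randomization, which is
        # what makes blind response spoofing hard.
        ext_port = src_port
        if (ext_port, dst_ip, dst_port) in self.inbound:
            ext_port = self._alloc_port(dst_ip, dst_port)
        self.outbound[key] = ext_port
        self.inbound[(ext_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (EXTERNAL_IP, ext_port)

    def _alloc_port(self, dst_ip, dst_port):
        # A fresh external port only has to be unique per remote endpoint,
        # so the pool is consumed per name server, not globally.
        lo, hi = self.port_range
        free = [p for p in range(lo, hi + 1)
                if (p, dst_ip, dst_port) not in self.inbound]
        if not free:
            raise RuntimeError("NAT port pool exhausted for this destination")
        return self.rng.choice(free)

    def translate_in(self, ext_port, from_ip, from_port):
        """Map a reply back to (internal ip, port); None means drop it.

        A response arriving from a server the NAT never saw a query go to
        matches no state and is not forwarded to anyone.
        """
        return self.inbound.get((ext_port, from_ip, from_port))
```

Two hosts both sending from port 53 only collide when they also query the same server; with a tiny port range the fourth such host is the one that exhausts the pool.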


