DNS versus NAT ?

Ronald F. Guilmette rfg at segfault.tristatelogic.com
Sat Jun 15 02:02:27 UTC 2019


In message <20190613.084613.1255667513423551263.he at uninett.no>, 
Havard Eidnes <he at uninett.no> wrote:

>It's a long time since sourcing queries from a recursor only from
>port 53 was best practice.  Source port randomization is the
>current best practice.

Yes, I am aware of that.  I just posited a simple case that would make
the issue/question entirely apparent.

>However, of course, "collisions" in time may still occur.

Exactly so.  Even with port randomization, there's nothing to stop two
machines that happen to be behind the same NAT router from both electing
to send out DNS queries on, say, port 12345 at about the same time.

>> [...], then when the two DNS response packets come back
>> to the NAT router, how will it know which of the two machines it should
>> send each of those two DNS response packets to?
>
>That depends on how state is maintained in your NAT box.  In all
>likelihood it maintains a 4-tuple, including both the source and
>destination (address and port), so if the queries use the same
>source port but queries different external name servers, the NAT
>box would still be able to forward correctly.

I understand this notion of the 4-tuple and how it would or could be used
to disambiguate in this context.  What I am entirely less sure about is
whether or not common off-the-shelf inexpensive SOHO routers create and
maintain one such 4-tuple for essentially each and every outbound UDP
packet they process, regardless of type.  Do they?  Or do they perform
some limited form of deep packet inspection so that they can create and
maintain one such 4-tuple only and exclusively for DNS query packets, in
particular?

Of course, all this makes me curious about other relevant capabilities
and limitations of SOHO routers too.  Once created, how long would such
a router be likely to maintain such a (tracking) 4-tuple before discarding
it as no longer needed?  And of course there is that other capacity
question that I asked:

>> And if that is the case, then will my SOHO router catch fire if and when
>> I elect to send out through it a set of 65536 or more separate DNS queries,
>> all in rapid succession?
>
>That all depends on your SOHO router, and isn't so much about DNS
>per se.  I can however imagine that it's quite possible to put
>the SOHO router under strain, not just by using lots of queries
>(using different source ports) in rapid succession, but also by
>sending them to a lot of different external name servers.

Yes.  I see.  Because that also would lead to the creation of multiple/
numerous 4-tuples that would all have to be stored and maintained.

I think that I have opened a can of worms for myself by either asking about
or even thinking about any of this.  :-)  But it has been enlightening,
and I thank you for your answer Havard.  Going forward, and in light of
these issues, I most certainly -won't- be doing any of my DNS research from
behind my little SOHO router, based on what I know now.  I also am looking
at my SOHO router with a much more jaundiced eye now, and wondering how many
of these kinds of boxes have been subjected to serious testing for possible
programmed UDP-based Denial of Service attacks, either from the WAN side
or from the LAN side.


Regards,
rfg
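Added illustration (editor's example, not part of the message above or of any router's firmware): a toy NAPT table that keys state on the full inside 4-tuple, as Havard describes, and lets you exercise both questions in the thread. It assumes the router treats DNS like any other UDP flow with no payload inspection, tries to preserve the inside source port and only rewrites it on a WAN-side conflict, expires idle entries after a timeout, and draws WAN ports from a finite pool. Hosts, servers and port numbers are constructed inputs from the documentation address ranges. The first scenario shows three LAN hosts all choosing source port 12345 at once; the second fires more queries than the (deliberately tiny) pool can hold and then waits for the timeout.

```python
"""Toy NAPT table (constructed example, not any real router's code).

State is keyed on (src_ip, src_port, dst_ip, dst_port); each flow gets a
WAN-side source port, idle entries expire, and the port pool is finite.
Assumes DNS is handled like any other UDP flow, with no payload inspection.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class NaptTable:
    def __init__(self, wan_ip, port_range=(10000, 60000), timeout=30.0):
        self.wan_ip = wan_ip
        self.lo, self.hi = port_range
        self.timeout = timeout
        self.out = {}    # inside 4-tuple -> (wan_port, last_seen)
        self.back = {}   # (wan_port, dst_ip, dst_port) -> inside 4-tuple
        self.next_port = self.lo

    def _expire(self, now):
        for key in [k for k, (_, t) in self.out.items() if now - t > self.timeout]:
            wan_port, _ = self.out.pop(key)
            self.back.pop((wan_port, key[2], key[3]), None)

    def _alloc_port(self, dst_ip, dst_port, preferred):
        # Keep the inside port if possible ("port preservation").  Conflicts are
        # judged on the WAN-side tuple, so two hosts may share a WAN port when
        # they query different servers.  Returns None when the pool is exhausted.
        if self.lo <= preferred <= self.hi and (preferred, dst_ip, dst_port) not in self.back:
            return preferred
        for _ in range(self.hi - self.lo + 1):
            cand = self.next_port
            self.next_port = self.lo if cand >= self.hi else cand + 1
            if (cand, dst_ip, dst_port) not in self.back:
                return cand
        return None

    def outbound(self, pkt, now):
        """LAN -> WAN: rewrite the source, creating state if needed; None = dropped."""
        self._expire(now)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.out:
            wan_port = self.out[key][0]
        else:
            wan_port = self._alloc_port(pkt.dst_ip, pkt.dst_port, pkt.src_port)
            if wan_port is None:
                return None
            self.back[(wan_port, pkt.dst_ip, pkt.dst_port)] = key
        self.out[key] = (wan_port, now)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt, now):
        """WAN -> LAN: map a reply back to the inside host; None = no state, dropped."""
        self._expire(now)
        key = self.back.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if key is None:
            return None
        self.out[key] = (pkt.dst_port, now)
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1], pkt.payload)


RESOLVER, OTHER = ("198.51.100.53", 53), ("192.0.2.53", 53)   # documentation addresses


def collision_scenario():
    """Three LAN hosts all pick source port 12345 at the same moment (constructed)."""
    nat = NaptTable("203.0.113.7")
    queries = [Packet("10.0.0.2", 12345, *RESOLVER, b"A"),
               Packet("10.0.0.3", 12345, *RESOLVER, b"B"),
               Packet("10.0.0.4", 12345, *OTHER, b"C")]
    sent = [nat.outbound(p, 0.0) for p in queries]
    replies = [nat.inbound(Packet(s.dst_ip, s.dst_port, s.src_ip, s.src_port,
                                  s.payload + b"-reply"), 0.1) for s in sent]
    stray = nat.inbound(Packet(RESOLVER[0], 53, nat.wan_ip, 40000, b"spoof"), 0.1)
    return {"wan_ports": tuple(s.src_port for s in sent),
            "delivered_to": tuple((r.dst_ip, r.dst_port) for r in replies),
            "unsolicited_dropped": stray is None,
            "state_entries": len(nat.out)}


def exhaustion_scenario(n=6, pool=(40000, 40003), timeout=30.0):
    """One host fires n queries from fresh ports at a four-port pool, then waits."""
    nat = NaptTable("203.0.113.7", pool, timeout)
    results = [nat.outbound(Packet("10.0.0.2", 50000 + i, *RESOLVER), 0.0) for i in range(n)]
    late = nat.outbound(Packet("10.0.0.2", 50000 + n, *RESOLVER), timeout + 1)
    return {"forwarded": sum(r is not None for r in results),
            "dropped": sum(r is None for r in results),
            "after_expiry": late is not None}
```

In the first scenario hosts A and B collide on the same resolver, so B is moved to a fresh WAN port, while C keeps 12345 because its destination differs and the reply lookup includes the server address. All three replies land on the right inside host and a spoofed reply to an unused port is dropped. In the second, the pool fills after four flows, the remaining queries are dropped rather than translated, and a query after the idle timeout is forwarded again; a real SOHO box has a much larger pool, but this is exactly the per-destination ceiling that a burst of tens of thousands of queries from randomized ports runs into.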



More information about the Unbound-users mailing list