From: "Patrick M. Hausen" <hausen@punkt.de>
Subject: sender source IP address on UDP socket bound to INADDR_ANY in golang
Date: Sat, 8 May 2021 19:05:56 +0200
To: freebsd-net@freebsd.org
Message-Id: <2B26D5AB-0F77-4E36-AD9A-D7D6CE5F173C@punkt.de>
List-Id: Networking and TCP/IP with FreeBSD

Hi all,

I am facing a problem that is perfectly explained by the semantics of the
socket interface for UDP, if one assumes that the application in question
binds to INADDR_ANY and does not specifically set the sender address when
sending datagrams.

In the case of a DNS server and an interface with multiple addresses that
means outgoing answers will always be sent from the primary address if the
server does not take specific measures to answer queries received on an
alias address also *from* that alias address.

I guess that is the primary reason why BIND binds to all addresses it finds
at startup individually - to get this function "for free" from the
underlying OS.

Now recently I stumbled over AdGuard Home - a filtering recursive nameserver
written in golang - sending replies from the wrong address when alias
addresses are involved. Naturally I opened a ticket with the folks
responsible:

https://github.com/AdguardTeam/AdGuardHome/issues/3015

Their answer: "we *do* keep track of the address a query was sent to, that
problem was solved long ago."

Yet, clearly, my installation on Free/HardenedBSD 12.1 (OPNsense) behaves
differently.

My question to you on this list: since they do their main development work
on Linux, is there a remote possibility that our API is sufficiently
different for their code to run, but not to work as intended?

Their code in question is here:

https://github.com/AdguardTeam/dnsproxy/blob/1163404e605c3dfbeab360fc3540fc290f61a321/proxyutil/udp_unix.go#L47

I am familiar with the socket API in C (and could always fetch a copy of
"Stevens" from my shelf), but don't know enough about golang to make any
progress from here.

Anyone who can help?

Thanks!
Patrick

-- 
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Kaiserallee 13a
76133 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
info@punkt.de

AG Mannheim 108285
Managing directors: Jürgen Egeling, Daniel Lienert, Fabian Stein
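The "specific measures" the mail refers to, as an added C example that is not part of the original message and not AdGuard's code: a server socket that stays bound to INADDR_ANY asks the kernel which local address each datagram arrived on and sends its answer with that address as source, using the FreeBSD options (IP_RECVDSTADDR / IP_SENDSRCADDR) and the Linux one (IP_PKTINFO). The function names, the loopback self-check and the "ping" payload are constructed for this example.

```c
#define _GNU_SOURCE                      /* glibc: expose struct in_pktinfo */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Added example, not code from the mail or from AdGuard. FreeBSD: IP_RECVDSTADDR reports
 * the arrival address, IP_SENDSRCADDR picks the reply source. Linux: IP_PKTINFO does both. */
#ifdef IP_SENDSRCADDR
#define DST_OPT IP_RECVDSTADDR
#define SRC_OPT IP_SENDSRCADDR
typedef struct in_addr srcinfo_t;        /* BSD: the cmsg payload is a bare in_addr */
#else
#define DST_OPT IP_PKTINFO
#define SRC_OPT IP_PKTINFO
typedef struct in_pktinfo srcinfo_t;     /* Linux: ipi_addr on receive, ipi_spec_dst on send */
#endif
union cbuf { char raw[64]; struct cmsghdr align; };   /* correctly aligned cmsg space */
/* Receive one datagram, report the local address it was sent to in *dst_out, echo it back from that address. */
ssize_t echo_from_arrival_addr(int fd, struct in_addr *dst_out) {
    char buf[512]; union cbuf cb; struct sockaddr_in peer; struct msghdr mh;
    struct iovec iov = { buf, sizeof buf }; srcinfo_t info; memset(&info, 0, sizeof info);
    memset(&mh, 0, sizeof mh); mh.msg_name = &peer; mh.msg_namelen = sizeof peer;
    mh.msg_iov = &iov; mh.msg_iovlen = 1; mh.msg_control = cb.raw; mh.msg_controllen = sizeof cb.raw;
    ssize_t n = recvmsg(fd, &mh, 0); if (n < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&mh); c; c = CMSG_NXTHDR(&mh, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == DST_OPT) memcpy(&info, CMSG_DATA(c), sizeof info);
#ifdef IP_SENDSRCADDR
    *dst_out = info;                     /* the same in_addr is handed back as the send source */
#else
    *dst_out = info.ipi_addr; info.ipi_spec_dst = info.ipi_addr; info.ipi_ifindex = 0;
#endif
    iov.iov_len = (size_t)n; mh.msg_controllen = CMSG_SPACE(sizeof info);   /* msg_name is now the sender */
    cb.align.cmsg_level = IPPROTO_IP; cb.align.cmsg_type = SRC_OPT; cb.align.cmsg_len = CMSG_LEN(sizeof info);
    memcpy(CMSG_DATA(&cb.align), &info, sizeof info);
    return sendmsg(fd, &mh, 0);
}
/* Loopback self-check (constructed): a query aimed at 127.0.0.1 must be answered from 127.0.0.1. 1 = ok. */
int loopback_roundtrip(void) {
    struct sockaddr_in any, srv, peer; struct in_addr dst; socklen_t sl = sizeof srv, pl = sizeof peer;
    char in[4]; int on = 1, s = socket(AF_INET, SOCK_DGRAM, 0), c = socket(AF_INET, SOCK_DGRAM, 0);
    memset(&any, 0, sizeof any); any.sin_family = AF_INET;           /* port 0: the kernel picks */
    if (s < 0 || c < 0 || setsockopt(s, IPPROTO_IP, DST_OPT, &on, sizeof on) ||
        bind(s, (void *)&any, sizeof any) || getsockname(s, (void *)&srv, &sl)) return 0;
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (sendto(c, "ping", 4, 0, (void *)&srv, sizeof srv) != 4 || echo_from_arrival_addr(s, &dst) != 4) return 0;
    int ok = recvfrom(c, in, 4, 0, (void *)&peer, &pl) == 4 && memcmp(in, "ping", 4) == 0 &&
             dst.s_addr == htonl(INADDR_LOOPBACK) && peer.sin_addr.s_addr == htonl(INADDR_LOOPBACK);
    close(s); close(c); return ok;
}
```

FreeBSD honours IP_SENDSRCADDR only on a socket that is already bound to a port and whose bound address is INADDR_ANY (or the very address in the control message), which is why the example binds before it ever sends.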