These are chat archives for CZ-NIC/knot-resolver

6th Aug 2017
Mike Emigh
@nakame_maiku_twitter
Aug 06 2017 10:47
resolver doesn't seem to randomize source ports by itself. does it do any validation on responses' source port?
Vladimír Čunát
@vcunat
Aug 06 2017 12:09
The OS randomizes the ports.
kresd only considers answers on matching port (and ID, QNAME, ...)
Mike Emigh
@nakame_maiku_twitter
Aug 06 2017 12:11
might be a good idea to include in notes, FreeBSD doesn't randomize by default
I tried using the gnutls_rnd function with a couple different algorithms, but still ended up with same results on that test
I guess it might be nice to be able to specify multiple (randomized) outgoing IPs as well
Vladimír Čunát
@vcunat
Aug 06 2017 14:22
So, if you run unpatched kresd on freebsd, what does the table Query Source Port Analysis say?
Mike Emigh
@nakame_maiku_twitter
Aug 06 2017 14:40
dir bias 100% very bad
net.inet.ip.random_id needs to be set to 1
once that is set, everything goes to excellent
Vladimír Čunát
@vcunat
Aug 06 2017 15:55
Hmm, wiki on ephemeral ports says

    Most implementations may simply increment the last used port number until the ephemeral port range is exhausted.

so I expect that's FreeBSD's default, explaining the dir bias and overall bad score.