Maintained by: NLnet Labs

[Unbound-users] Source address selection for replies

Alexander Gall
Fri Jan 11 15:00:18 CET 2008

Hello Wouter

In my anycast setup for our DNS cache, I use addresses configured on
loopback interfaces of the hosts (the addresses are announced to the
IGP as host routes).  I also prefer to let unbound listen on all
interfaces by specifying

        interface: ::

in the configuration file.  The main reason is that the instances on
different hosts are easier to maintain if the configuration doesn't
contain explicit addresses (we presently use two distinct anycast
addresses both for IPv4 and IPv6).

With this setup, when unbound receives a query on the loopback
interface, it sends the reply with a source address of one of the
physical interfaces of the host.  In other words, it appears that
unbound lets the kernel choose the source address, which is always
wrong in this case.

There is a simple workaround by using this configuration instead:

        interface: ::1
        interface: 2001:620:0:ff::6

However, since DNS clients expect replies to come from the same
address to which the query was sent, I'd expect unbound to *always*
request a specific address for replies from the kernel.  I'm wondering
why unbound doesn't enforce this?

In case I'm overlooking something here and this is in fact a useful
feature, I'd ask for a configuration option that allows me to force
source address selection for query replies to always match the
destination address in the query.  That would allow me to keep the
simpler configuration mentioned above.
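The mechanism behind the mismatch described above, as an added example that is not part of the original post or of Unbound's code: a UDP responder bound to the wildcard address does not know which local address a datagram was sent to unless it asks the kernel for that information, and a plain sendto() lets the kernel pick the reply source from the route to the client. On Linux the fix is IP_PKTINFO (for IPv6, the equivalent pair is IPV6_RECVPKTINFO on receive and an IPV6_PKTINFO ancillary message on send): reading the destination address from the receive ancillary data and passing it back as the source when replying. The example uses IPv4 loopback so that it runs on a single Linux host without any routed anycast addresses; the service address 127.0.0.2 and the helper names serve_one, reply_source and run_demo are constructed for this demonstration.

```python
"""Wildcard-bound UDP responder: kernel-chosen versus explicit reply source.

Added example (not from the post or from Unbound). Linux only: it relies on the
whole 127.0.0.0/8 block being local and on the IP_PKTINFO socket option.
"""
import socket
import struct
import threading

# Linux value of IP_PKTINFO; some Python builds do not export the constant.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo { int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr; }
IN_PKTINFO = struct.Struct("i4s4s")


def serve_one(server, fix_source):
    """Answer one datagram; with fix_source, reply from the address the query was sent to."""
    data, ancdata, _flags, client = server.recvmsg(512, socket.CMSG_SPACE(IN_PKTINFO.size))
    dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            # On receive, ipi_addr carries the destination address from the IP header.
            _ifindex, _spec_dst, dst = IN_PKTINFO.unpack(cdata[:IN_PKTINFO.size])
    reply = b"re:" + data
    if fix_source and dst is not None:
        # On send, ipi_spec_dst selects the source address; ifindex 0 lets the kernel route.
        pktinfo = IN_PKTINFO.pack(0, dst, bytes(4))
        server.sendmsg([reply], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, client)
    else:
        # Kernel picks the source from the route to the client: the behaviour the post describes.
        server.sendto(reply, client)


def reply_source(service_addr, fix_source, client_addr="127.0.0.1"):
    """Bind a wildcard responder, query it at service_addr, return the reply's source address."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    worker = None
    try:
        server.settimeout(3)
        server.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # ask for destination info
        server.bind(("0.0.0.0", 0))                            # the "interface: ::" analogue
        port = server.getsockname()[1]
        worker = threading.Thread(target=serve_one, args=(server, fix_source))
        worker.start()
        client.settimeout(3)
        client.bind((client_addr, 0))
        client.sendto(b"query", (service_addr, port))          # constructed query
        _reply, (source, _port) = client.recvfrom(512)
        return source
    finally:
        if worker is not None:
            worker.join()
        server.close()
        client.close()


def run_demo():
    """Return both behaviours, or None where the host lacks a full 127/8 loopback or IP_PKTINFO."""
    try:
        return {
            "kernel_chosen": reply_source("127.0.0.2", fix_source=False),
            "explicit": reply_source("127.0.0.2", fix_source=True),
        }
    except OSError:
        return None


if __name__ == "__main__":
    # Expected on Linux: {'kernel_chosen': '127.0.0.1', 'explicit': '127.0.0.2'}
    print(run_demo())
```

The client sends to 127.0.0.2 but, without the fix, receives its answer from 127.0.0.1, which a real resolver client would discard as not matching the query's destination; with the ancillary data passed back, the reply carries the address the query was sent to. A responder that wants to listen on the wildcard address therefore has to do this on every reply, which is exactly what the post asks Unbound to enforce.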