05-02-2008
Pascal Hambourg
 
Re: --state NEW for UDP?

Hello,

Burkhard Ott wrote:
> On Fri, 02 May 2008 02:00:17 -0500, Hal Murray wrote:
>
>> If UDP was really stateless, NAT boxes wouldn't know where to send
>> that type of response.
>
> NAT is a totally different thing.

Not so much. Stateful NAT relies on connection tracking.

> UDP is stateless (http://www.faqs.org/rfcs/rfc768.html)


Even though UDP is stateless by design, the Netfilter connection
tracking maintains some state information about UDP flows, so a
bidirectional UDP flow with packets in each direction having
source/destination addresses and ports swapped is considered a connection.

To answer the initial question, there could be some reasons for DNS
replies being tagged NEW:
- the reply arrived after the connection entry expired (default
unreplied UDP timeout is 30 seconds);
- the source address of the query was spoofed;
- you have a dynamic connection (DHCP, PPP...) and use MASQUERADE, which
deletes masqueraded connections whenever the interface goes down or has
its address deleted or changed;
- the DNS server has some DNAT-based load-balancing which sometimes
fails to put the correct source address back in the reply.
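The following is an added toy model of how Netfilter's UDP conntrack decides between NEW and ESTABLISHED (it is not Netfilter code and not part of this thread), replaying three of the cases listed above: a late reply, a DNAT backend answering with its own address, and a MASQUERADE flush. The 30-second unreplied timeout is taken from the post; the 180-second lifetime for replied flows and all addresses and ports are assumptions.

```python
from dataclasses import dataclass

UDP_TIMEOUT = 30          # unreplied entry lifetime in seconds (from the post)
UDP_TIMEOUT_STREAM = 180  # assumed lifetime once a reply has been seen

@dataclass
class Entry:
    replied: bool
    expires: float

class ConntrackUDP:
    """Tracks UDP flows by 4-tuple; the reply direction is the swapped tuple."""

    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) in original direction -> Entry

    def flush(self):
        # Models MASQUERADE dropping its entries when the interface goes down.
        self.table.clear()

    def classify(self, now, src, sport, dst, dport):
        """Return the --state a packet seen at time `now` would match."""
        self.table = {k: e for k, e in self.table.items() if e.expires > now}
        orig, reply = (src, sport, dst, dport), (dst, dport, src, sport)
        if reply in self.table:        # packet in the reply direction
            e = self.table[reply]
            e.replied = True
        elif orig in self.table:       # repeat in the original direction
            e = self.table[orig]
        else:                          # no entry: create one, still unreplied
            e = self.table[orig] = Entry(False, 0)
        e.expires = now + (UDP_TIMEOUT_STREAM if e.replied else UDP_TIMEOUT)
        return "ESTABLISHED" if e.replied else "NEW"

# Constructed addresses from documentation ranges; not from the thread.
CLIENT, RESOLVER, BACKEND = "192.0.2.10", "198.51.100.53", "198.51.100.54"

def scenario():
    """Replay the cases from the post; returns the state of each DNS reply."""
    ct = ConntrackUDP()
    states = []
    ct.classify(0, CLIENT, 40000, RESOLVER, 53)                   # query -> NEW
    states.append(ct.classify(1, RESOLVER, 53, CLIENT, 40000))    # prompt reply
    ct.classify(200, CLIENT, 40001, RESOLVER, 53)                 # second query
    states.append(ct.classify(240, RESOLVER, 53, CLIENT, 40001))  # reply after the 30 s expiry
    ct.classify(300, CLIENT, 40002, RESOLVER, 53)                 # third query
    states.append(ct.classify(301, BACKEND, 53, CLIENT, 40002))   # DNAT backend keeps its own source
    ct.classify(400, CLIENT, 40003, RESOLVER, 53)                 # fourth query
    ct.flush()                                                    # PPP link bounced under MASQUERADE
    states.append(ct.classify(401, RESOLVER, 53, CLIENT, 40003))  # entry is gone
    return states
```

Only the first reply matches the swapped tuple of a live entry; the other three land in NEW, which is what a `--state NEW` rule on UDP 53 replies would be logging.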