On Jul 25, 2008, at 10:12 AM, Matthew Seaman wrote:

Chris Pratt wrote:

I'm now setting up a bind server in which the third alias
is the address for incoming DNS queries. It appears
it's responding but even though the queries come in
on the third alias, they "go out" through the "primary"
address or more specifically, the packet count is
incremented in the Opkts total for the IP address first
attached to the interface via ifconfig (without an alias).
My problem appears to be that the packets really are
coming from the first IP as the source and are getting
blocked by my firewall as they should (the first address
is not supposed to be answering DNS queries).

Carefully not answering the 'why do these packets come from the
wrong address' question, but just pointing out that BIND is
actually rather more configurable in this respect than most
software.

You can control what IPs BIND will communicate on for various
purposes using the following statements in the options { } section
of named.conf:

   listen-on {
       127.0.0.1;
       12.34.56.78;
   };
   listen-on-v6 {
       ::1;
       1234:5678:9abc:def0::1;
   };
   // 'port *' lets BIND pick a fresh random source port per query
   query-source       address 12.34.56.78 port *;
   query-source-v6    address 1234:5678:9abc:def0::1 port *;
   transfer-source    12.34.56.78 port *;
   transfer-source-v6 1234:5678:9abc:def0::1 port *;
   notify-source      12.34.56.78 port *;
   notify-source-v6   1234:5678:9abc:def0::1 port *;

I am not using those latter three but only the listen-on.
I will experiment. I am still curious if what I see with
bind, ssh and some others is actually returning on the
first address or if netstat just makes it look that way
because of the default gateway.

Note the 'port *' stuff -- due to the recent security problem with
the DNS protocol publicised by Dan Kaminsky, it is imperative that
the /source/ port on DNS traffic is allowed to be randomised.  See

http://www.kb.cert.org/vuls/id/800113
http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc

and make sure you install a patched version of BIND.

This is good to know. I assumed going to the current
patched cvs was enough.

Thank you very much.

        Cheers,

        Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                 Kent, CT11 9PW


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
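The options Matthew lists and his 'port *' warning lend themselves to a quick config audit. The following is an added example, not code from the mail or from BIND: it parses the options block of a named.conf, reports any query-source / transfer-source / notify-source statement that pins the source port to a fixed number (the Kaminsky issue), reports statements that leave the source address to the kernel (which is how traffic ends up leaving from the interface's primary address), and, as an assumed policy for Chris's firewall scenario rather than a BIND rule, flags a source address that is not among the listen-on addresses. Both named.conf fragments are constructed for the example.

```python
"""Audit the address and source-port settings in a BIND named.conf
options block.  Added example, not code from the original mail."""
import re
from typing import List, Optional, Set, Tuple

# Statements whose outbound address/port can be pinned (the ones in the mail).
SOURCE_STMTS = (
    "query-source-v6", "query-source",
    "transfer-source-v6", "transfer-source",
    "notify-source-v6", "notify-source",
)
_SOURCE_RE = re.compile(r"(?<![\w-])(" + "|".join(SOURCE_STMTS) + r")\b([^;]*);")
_LISTEN_RE = re.compile(r"(?<![\w-])(listen-on(?:-v6)?)\b[^{]*\{([^}]*)\}")

# Constructed sample configs (assumed, not from the mail).  The weak one pins
# the source port to 53 and lets the kernel choose the outbound address.
WEAK_CONF = """
options {
    listen-on { 127.0.0.1; 12.34.56.78; };
    listen-on-v6 { ::1; 1234:5678:9abc:def0::1; };
    query-source address * port 53;      // fixed port: Kaminsky-vulnerable
    transfer-source 12.34.56.78 port 53;
    notify-source 12.34.56.78;           // no port clause: BIND randomises
};
"""

FIXED_CONF = """
options {
    listen-on { 127.0.0.1; 12.34.56.78; };
    listen-on-v6 { ::1; 1234:5678:9abc:def0::1; };
    query-source       address 12.34.56.78 port *;
    query-source-v6    address 1234:5678:9abc:def0::1 port *;
    transfer-source    12.34.56.78 port *;
    transfer-source-v6 1234:5678:9abc:def0::1 port *;
    notify-source      12.34.56.78 port *;
    notify-source-v6   1234:5678:9abc:def0::1 port *;
};
"""


def strip_comments(text: str) -> str:
    """Remove named.conf comments: /* ... */, // and # to end of line."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)


Source = Tuple[str, Optional[str], Optional[str]]  # (statement, address, port)


def parse_options(text: str) -> Tuple[Set[str], List[Source]]:
    """Return the listen-on/listen-on-v6 addresses and every *-source statement."""
    text = strip_comments(text)
    listen: Set[str] = set()
    for _name, body in _LISTEN_RE.findall(text):
        listen.update(a.strip() for a in body.split(";") if a.strip())
    sources: List[Source] = []
    for name, body in _SOURCE_RE.findall(text):
        toks = body.split()
        if toks and toks[0] == "address":   # query-source takes the keyword
            toks = toks[1:]
        addr = toks[0] if toks and toks[0] != "port" else None
        port = toks[toks.index("port") + 1] if "port" in toks else None
        sources.append((name, addr, port))
    return listen, sources


def audit(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means all good."""
    listen, sources = parse_options(text)
    findings: List[str] = []
    for name, addr, port in sources:
        # VU#800113: a fixed source port defeats the randomisation that the
        # patched BIND relies on.  No port clause means random (the default).
        if port not in (None, "*"):
            findings.append(f"{name}: source port pinned to {port}; use 'port *'")
        # With no address, or '*', the kernel picks the outbound address from
        # its routing table, normally the interface's primary address.
        if addr in (None, "*"):
            findings.append(f"{name}: no fixed source address; kernel chooses it")
        # Policy for a host whose firewall only allows DNS on certain addresses:
        # the outbound address should be one named in listen-on (an assumption).
        elif addr not in listen and not listen & {"any", "*"}:
            findings.append(f"{name}: {addr} is not in listen-on; firewall may drop it")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Run it against a real named.conf by reading the file into `audit()`; the weak sample produces three findings (two pinned ports, one kernel-chosen address) and the fixed sample, which mirrors the statements Matthew posted, produces none. The parser is deliberately simple and only looks at the options-level statements discussed here, not at per-zone or per-view overrides.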