Re: named.conf: query-source address
jonathan michaels wrote:
> Doug, et al, i for one appreciate this over-engineered response because it has given me (and those like me) a chance to get answers to questions that we have asked for over a year in my case, about this whole bind setup issue.

I have no idea what you mean by questions that we have asked for over a year. (Although, if you've asked on freebsd-questions@ I would not have seen it.) There is the [EMAIL PROTECTED] mailing list where you can get answers to anything bind-related, and there are plenty of people knowledgeable about running it on freebsd on that list even if I don't get a chance to answer first.

Of course there are also plenty of resources, the most important being DNS and BIND, 5th Edition. http://oreilly.com/catalog/9780596100575/index.html which you should definitely read and have handy if you're doing any DNS work that is even marginally complex.

> as an aside, it would be better if people coming in cold could find a better source of how to set up support services such as bind and all the others for a working freebsd based network ..

Our Handbook is an excellent source for this. If you feel that the articles are written at too high a level feel free to send some feedback on that. Most of us have long ago lost our ability to see things the way the mythical average user does, so that kind of feedback is very valuable. Someone else also mentioned http://www.absolutefreebsd.com/, which I highly recommend.

hth,

Doug

-- 
This .signature sanitized for your protection

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: named.conf: query-source address
On Fri, 18 Jul 2008, Mark Andrews wrote:
> To: Matthew Seaman [EMAIL PROTECTED]
>
>> query-source is only ever used by recursive or stub resolvers -- instances of named that will go out and make queries on the net on your behalf. Authoritative servers really don't need it.
>
> Actually authoritative servers make queries to work out where to send notify messages. While sending a notify to the wrong place is not that bad, it is good practice to see that authoritative servers are also fixed now rather than later. Servers have a habit of changing roles and when that happens not everyone will look in options to see if query source is correct.
>
> Also at some point I'd like to be able to get rid of masters clauses or at least go from IP addresses to hostnames. The slave / stub zones would then have to go out and discover the ip address on the fly.

Re the latter point, I can see the advantage of being able to move a primary server to a new IP address without needing slave/s to update their config. On the other hand I can see possible chicken/egg issues in some instances, for example testing axfrs before a new domain comes online, or a domain disappearing even temporarily ([re-]registration problems, politics or other upstream failures) where specifying masters by IP address keeps things rolling. At least consider keeping config-time hostname resolution of masters optional?

And I guess the same principles apply to allow-transfer, forwarders and other address lists?

cheers, Ian
Re: Using IP aliases, was: named.conf: query-source address
Chuck Swiger wrote:
> I'm a little dubious about the notion that having a single machine hosting lots of distinct websites, probably for different clients, is a good idea from the standpoint of security.

Well, good luck selling the idea of replacing one dual xeon 1U box with 2000+ other boxes to the management.

-- 
./lxnt
Re: named.conf: query-source address
On Wed, Jul 16, 2008 at 10:11:03PM -0700, Doug Barton wrote:
> Jeremy Chadwick wrote:
>> The config parms we use are necessary.
>
> That's all you had to say. :) I see a lot of people attempt to over-engineer stuff with named that leads to complications later. If you are doing things for a good reason, keep doing them.

Doug, et al, i for one appreciate this over-engineered response because it has given me (and those like me) a chance to get answers to questions that we have asked for over a year in my case, about this whole bind setup issue.

as an aside, it would be better if people coming in cold could find a better source of how to set up support services such as bind and all the others for a working freebsd based network .. i don't mean the existent 'engineering speak' that assumes we all know everything .. this is clearly not the case to a whole lot of people coming to freebsd.

kind regards

jonathan

-- 
powered by .. QNX, OS9 and freeBSD -- http://caamora com au/operating system
=== appropriate solution in an inappropriate world ===
Re: named.conf: query-source address
On Wed, Jul 16, 2008 at 09:06:33PM -0700, Chuck Swiger wrote:
>> Isn't this common to have multiple aliases at an interface? Sometimes only one of them should be used for all DNS traffic.
>
> About the only common reason to set up multiple aliases on an interface is when you're doing something like hosting multiple SSL webservers on a single box which actually need to have distinct IPs as a consequence. Other than that, using public IPs for aliases is usually wasteful of IP address space. YMMV...

Think about multiple IP-based services (not HTTP virtual servers) at one physical host that should use distinct IP addresses for some reasons (local policy/billing/monitoring/etc.)

Eugene Grosbein
Using IP aliases, was: named.conf: query-source address
On Jul 17, 2008, at 7:00 AM, Eugene Grosbein wrote:
>> About the only common reason to set up multiple aliases on an interface is when you're doing something like hosting multiple SSL webservers on a single box which actually need to have distinct IPs as a consequence. Other than that, using public IPs for aliases is usually wasteful of IP address space. YMMV...
>
> Think about multiple IP-based services (not HTTP virtual servers) at one physical host that should use distinct IP addresses for some reasons (local policy/billing/monitoring/etc.)

I'll reply to this particular message, but let me generalize against some of the other responses as well.

If your organization does billing based on traffic, or wants to do traffic shaping or bandwidth limitation, great; but IPFW+Dummynet or PF+ALTQ don't care whether you recognize traffic by IP alone or by IP+port(s), so long as the ports are distinct for each billing category or packet queue you want to run.

If you want to organize specific services on specific ports which have different backend hosts handling them to distribute load or allow you to rebalance your hardware to meet changing demand, by all means. You can have a hardware load-balancer like a NetScaler, or even use the RFC-2391 capabilities of IPFW+natd or RDR ROUND ROBIN with PF. But if you do that, you might as well put the actual backend machines on a RFC-1918 subnet and you might well end up using fewer public IPs than you would if all machines had public IPs.

I don't have any problem with people deciding for themselves how they want to manage their services and their networks. It's just that, too often, people use IP aliases to do things like make a single physical machine appear as two so they don't actually bother to provide two actual machines for hosting DNS services with proper redundancy.

Even for the shared webhosting case, where you need separate IPs per SSL cert as HTTPS doesn't support name-based virtual hosts, I'm a little dubious about the notion that having a single machine hosting lots of distinct websites, probably for different clients, is a good idea from the standpoint of security.

Regards,
-- 
-Chuck
Re: named.conf: query-source address
> query-source is only ever used by recursive or stub resolvers -- instances of named that will go out and make queries on the net on your behalf. Authoritative servers really don't need it.

Actually authoritative servers make queries to work out where to send notify messages. While sending a notify to the wrong place is not that bad, it is good practice to see that authoritative servers are also fixed now rather than later. Servers have a habit of changing roles and when that happens not everyone will look in options to see if query source is correct.

Also at some point I'd like to be able to get rid of masters clauses or at least go from IP addresses to hostnames. The slave / stub zones would then have to go out and discover the ip address on the fly.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
named.conf: query-source address
Hi!

I fully understand and second efforts on educating people how to configure BIND to be strong to attacks and keep them from using query-source address with port option but how about binding named to particular IP address when host has many of them? Using query-source address without port is the only solution (not speaking of jails here) and safe one? Wouldn't all that hassle about query-source misinform users about utility of it?

Eugene Grosbein
Re: named.conf: query-source address
Eugene Grosbein wrote:
> I fully understand and second efforts on educating people how to configure BIND to be strong to attacks and keep them from using query-source address with port option but how about binding named to particular IP address when host has many of them? Using query-source address without port is the only solution (not speaking of jails here) and safe one? Wouldn't all that hassle about query-source misinform users about utility of it?

To make named bind to a particular IP, you want the 'listen-on' options -- this is the IP that clients will access for service. By the nature of things, you'll have to use port 53 for this.

The 'query-source' options don't have to be specified: the system will just choose some appropriate address according to the state of the routing table. 'query-source' to set the source /IP/ is really only useful in some specific server configurations with several alias addresses any of which could be used. That's pretty rare really.

Most of the uses of query-source have been to set the source /port/ -- this was a standard part of the documentation: fix the source port in order to help the DNS traffic transit firewalls. However the recent security advisory has forced the complete abandonment of that idea. It's not even particularly truthful that you need to fix the source port because of firewalling: nowadays most firewalls are stateful, which eliminates that requirement.

query-source is only ever used by recursive or stub resolvers -- instances of named that will go out and make queries on the net on your behalf. Authoritative servers really don't need it.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
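Matthew's distinction between pinning the source address (harmless) and pinning the source port (the pattern the advisory killed) is easy to check mechanically before a server changes roles. The script below is an added example, not code posted by anyone in this thread. It carries two constructed named.conf options blocks, one with the pinned port and one in the corrected form (the 72.20.106.4 address is the one from the thread; the directory path and the "port 53" clause are assumptions), strips comments, splits the options block into statements, and reports every *-source directive that pins a port. A pinned query-source port defeats port randomisation for every outbound query and is reported HIGH; a pinned transfer-source or notify-source port only affects AXFR requests and NOTIFYs and is reported LOW.

```python
"""Flag named.conf options that pin an outbound source port (the pre-advisory pattern)."""
import re

# Constructed options block showing the pattern to stop using: the source
# address is pinned (fine) but so is the source port. The directory path and
# the 'port 53' clause are assumptions; 72.20.106.4 is the address from the thread.
WEAK_CONF = """
options {
        directory "/etc/namedb";
        listen-on { 127.0.0.1; 72.20.106.4; };
        query-source address 72.20.106.4 port 53;  // pinned source port
        transfer-source 72.20.106.4;
        notify-source 72.20.106.4;
};
"""

# Constructed corrected block: addresses pinned, port left for named to choose.
FIXED_CONF = """
options {
        directory "/etc/namedb";
        listen-on { 127.0.0.1; 72.20.106.4; };
        query-source address 72.20.106.4;
        transfer-source 72.20.106.4;
        notify-source 72.20.106.4;
        use-alt-transfer-source no;
};
"""

# named.conf accepts C, C++ and shell style comments. (A '//' inside a quoted
# string would be eaten too; good enough for an options audit.)
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

SOURCE_DIRECTIVES = (
    "query-source", "query-source-v6",
    "transfer-source", "transfer-source-v6",
    "notify-source", "notify-source-v6",
)


def strip_comments(conf):
    return _COMMENT_RE.sub("", conf)


def options_block(conf):
    """Return the text between the braces of 'options { ... }', or '' if absent."""
    text = strip_comments(conf)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return ""


def split_statements(body):
    """Split on ';' at brace depth 0, so 'listen-on { a; b; }' stays one statement."""
    stmts, cur, depth = [], [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            stmt = " ".join("".join(cur).split())
            if stmt:
                stmts.append(stmt)
            cur = []
        else:
            cur.append(ch)
    return stmts


def parse_source(stmt):
    """(directive, address, port) for a *-source statement, else None.

    query-source takes 'address X'; transfer-source/notify-source take a bare X.
    """
    tokens = stmt.split()
    if not tokens or tokens[0] not in SOURCE_DIRECTIVES:
        return None
    address = port = None
    i = 1
    while i < len(tokens):
        if tokens[i] in ("address", "port") and i + 1 < len(tokens):
            if tokens[i] == "address":
                address = tokens[i + 1]
            else:
                port = tokens[i + 1]
            i += 2
        else:
            address = tokens[i]
            i += 1
    return tokens[0], address, port


def audit(conf):
    """List findings; an empty list means no *-source directive pins a port."""
    findings = []
    for stmt in split_statements(options_block(conf)):
        parsed = parse_source(stmt)
        if parsed is None:
            continue
        directive, _address, port = parsed
        if port is None or port == "*":
            continue
        # A fixed query-source port defeats port randomisation for every
        # outbound query; transfer/notify ports only affect AXFR and NOTIFY.
        severity = "HIGH" if directive.startswith("query-source") else "LOW"
        findings.append(f"{severity}: {directive} pins source port {port}; drop the port clause")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(conf) or "ok")
```

Run it against a real named.conf by reading the file into audit(); the corrected block is exactly the shape Jeremy posts later in the thread, with the address pinned in listen-on, query-source, transfer-source and notify-source and no port clause anywhere.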
Re: named.conf: query-source address
On Thu, Jul 17, 2008 at 12:20:42AM +0800, Eugene Grosbein wrote:
> I fully understand and second efforts on educating people how to configure BIND to be strong to attacks and keep them from using query-source address with port option but how about binding named to particular IP address when host has many of them?

We do such on our authoritative nameservers. The options we use:

        listen-on { 127.0.0.1; 72.20.106.4; };
        query-source address 72.20.106.4;
        transfer-source 72.20.106.4;
        notify-source 72.20.106.4;
        interface-interval 0;
        use-alt-transfer-source no;

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: named.conf: query-source address
On Wed, 16 Jul 2008, Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 12:20:42AM +0800, Eugene Grosbein wrote:
>> I fully understand and second efforts on educating people how to configure BIND to be strong to attacks and keep them from using query-source address with port option but how about binding named to particular IP address when host has many of them?
>
> We do such on our authoritative nameservers. The options we use:

Same here...

>         listen-on { 127.0.0.1; 72.20.106.4; };
>         query-source address 72.20.106.4;
>         transfer-source 72.20.106.4;
>         notify-source 72.20.106.4;

But just that portion. It works, and it passes the test with a std. dev of 19K or so on the port randomness.

Charles

>         interface-interval 0;
>         use-alt-transfer-source no;
>
> -- 
> | Jeremy Chadwick                                jdc at parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |
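Charles's "std. dev of 19K" is what you expect from source ports drawn uniformly from 1024 to 65535: (65535 - 1024) / sqrt(12) is about 18,600. Standard deviation on its own is a weak test, though: a resolver that simply increments its source port also shows a large spread yet is trivially predictable, and one that randomises within a few thousand ports looks random but is cheap to brute-force. The script below is an added example, not from the thread. It pulls source ports out of constructed tcpdump-style lines (the 192.0.2.x addresses, query IDs and names are made up; 72.20.106.4 is the address from the thread) and classifies a sample as PINNED, SEQUENTIAL, NARROW or RANDOM by combining the distinct-port count, the fraction of near-consecutive ports and the standard deviation. The thresholds are assumptions, and a RANDOM verdict says the ports are well spread, not that the generator is cryptographically strong.

```python
"""Classify a resolver's outbound DNS source ports as pinned, sequential, narrow or random."""
import random
import re
import statistics


def source_ports_from_tcpdump(lines, resolver_ip):
    """Source port of every line that is a query from resolver_ip to port 53.

    Matches lines such as
      IP 72.20.106.4.41532 > 192.0.2.1.53: 4711+ A? example.com. (29)
    and ignores replies, which have the remote server as the source.
    """
    pat = re.compile(r"IP " + re.escape(resolver_ip) + r"\.(\d+) > \S+\.53: ")
    ports = []
    for line in lines:
        m = pat.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def port_stats(ports):
    """Summary statistics used by verdict(); works on any iterable of ints."""
    ports = list(ports)
    deltas = [abs(b - a) for a, b in zip(ports, ports[1:])]
    return {
        "n": len(ports),
        "distinct": len(set(ports)),
        # population stdev: about 18.6K for ports uniform over 1024-65535
        "stdev": statistics.pstdev(ports) if ports else 0.0,
        # fraction of consecutive queries whose ports differ by 0 or 1
        "small_steps": (sum(1 for d in deltas if d <= 1) / len(deltas)) if deltas else 0.0,
    }


def verdict(ports, min_stdev=15000.0, max_small_steps=0.05):
    """PINNED, SEQUENTIAL, NARROW, RANDOM or NO_DATA. Thresholds are assumptions."""
    s = port_stats(ports)
    if s["n"] == 0:
        return "NO_DATA"
    if s["distinct"] == 1:
        return "PINNED"        # the old 'query-source ... port 53' pattern
    if s["small_steps"] > max_small_steps:
        return "SEQUENTIAL"    # wide spread, but the next port is guessable
    if s["stdev"] < min_stdev:
        return "NARROW"        # random-looking but confined to a small range
    return "RANDOM"


# Constructed capture lines, not from any host in the thread. The last line
# is a reply and must not be counted.
PINNED_CAPTURE = [
    "IP 72.20.106.4.53 > 192.0.2.1.53: 4711+ A? example.com. (29)",
    "IP 72.20.106.4.53 > 192.0.2.2.53: 4712+ A? example.net. (29)",
    "IP 72.20.106.4.53 > 192.0.2.3.53: 4713+ A? example.org. (29)",
    "IP 192.0.2.1.53 > 72.20.106.4.53: 4711 1/0/0 A 198.51.100.7 (45)",
]


def randomised_sample(n=2000, seed=1):
    """Simulate a resolver drawing source ports uniformly from 1024-65535."""
    rng = random.Random(seed)
    return [rng.randint(1024, 65535) for _ in range(n)]


def narrow_sample(n=2000, seed=1):
    """Simulate a resolver that randomises, but only within 1024-4095."""
    rng = random.Random(seed)
    return [rng.randint(1024, 4095) for _ in range(n)]


def sequential_sample(n=2000, start=32768):
    """Simulate a resolver that simply increments its source port."""
    return [start + i for i in range(n)]


if __name__ == "__main__":
    samples = {
        "pinned": source_ports_from_tcpdump(PINNED_CAPTURE, "72.20.106.4"),
        "sequential": sequential_sample(),
        "narrow": narrow_sample(),
        "random": randomised_sample(),
    }
    for name, ports in samples.items():
        st = port_stats(ports)
        print(f"{name:10s} {verdict(ports):10s} distinct={st['distinct']:5d} "
              f"stdev={st['stdev']:8.1f} small_steps={st['small_steps']:.3f}")
```

To test a live resolver, capture its outbound queries with tcpdump (for example on the address given in query-source) while it resolves a few thousand names, feed the lines to source_ports_from_tcpdump() with that address, and look at both the verdict and the raw statistics rather than the standard deviation alone.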
Re: named.conf: query-source address
On Wed, Jul 16, 2008 at 02:23:28PM -0700, Doug Barton wrote:
> Jeremy Chadwick wrote:
>> On Thu, Jul 17, 2008 at 12:20:42AM +0800, Eugene Grosbein wrote:
>>> I fully understand and second efforts on educating people how to configure BIND to be strong to attacks and keep them from using query-source address with port option but how about binding named to particular IP address when host has many of them?
>>
>> We do such on our authoritative nameservers. The options we use:
>>
>>         listen-on { 127.0.0.1; 72.20.106.4; };
>>         query-source address 72.20.106.4;
>>         transfer-source 72.20.106.4;
>>         notify-source 72.20.106.4;
>>         interface-interval 0;
>>         use-alt-transfer-source no;
>
> Have you found those -source options to be necessary in practice? In general named should be smart enough not to try reaching the outside world on the loopback address.

It's not loopback I'm worried about.

The config parms we use are necessary. Removing them will break DNS for us, horribly (AXFRs failing due to ACLs on master servers, recursive queries being made from the wrong src, NOTIFYs being sent from the wrong src). BIND will usually pick the first non-aliased IP to perform things from, unless queries or other things come across a different network route, in which case it'll respond with whatever IP it deems appropriate (based on the routing table, I presume).

Showing our ifconfig will probably speak for itself:

bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
        inet 72.20.106.2 netmask 0xffffff80 broadcast 72.20.106.127
        inet 72.20.106.3 netmask 0xffffffff broadcast 72.20.106.3
        inet 72.20.106.4 netmask 0xffffffff broadcast 72.20.106.4
        inet 72.20.106.5 netmask 0xffffffff broadcast 72.20.106.5
        inet 72.20.106.7 netmask 0xffffffff broadcast 72.20.106.7
        inet 72.20.106.8 netmask 0xffffffff broadcast 72.20.106.8
        inet 72.20.106.40 netmask 0xffffffff broadcast 72.20.106.40
        inet 72.20.106.41 netmask 0xffffffff broadcast 72.20.106.41
        ether 00:30:48:81:fc:8a
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

The interface-interval 0 option can be safely removed, but I do not see the point in having BIND continually look for new IPs on an interface when we want it only using a specific IP (that will never get removed or changed on the fly).

use-alt-transfer-source no is an absolute must. BIND tries to be cute/smart about cycling through all IPs to attempt an AXFR, which is behaviour that (IMHO) should be questioned in the first place. The comment I have in our named.conf explaining why we use it:

        # Do not attempt to use an alternative IP address for zone
        # transfers. This keeps named from trying to use the main
        # IP address of the box if an xfer via transfer-source fails.

> Also, I'm guessing that you have more than one public IP address configured on that box? Otherwise none of those options should be necessary.

Correct -- and that's what Eugene was asking about. :-)

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: named.conf: query-source address
Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 12:20:42AM +0800, Eugene Grosbein wrote:
>> I fully understand and second efforts on educating people how to configure BIND to be strong to attacks and keep them from using query-source address with port option but how about binding named to particular IP address when host has many of them?
>
> We do such on our authoritative nameservers. The options we use:
>
>         listen-on { 127.0.0.1; 72.20.106.4; };
>         query-source address 72.20.106.4;
>         transfer-source 72.20.106.4;
>         notify-source 72.20.106.4;
>         interface-interval 0;
>         use-alt-transfer-source no;

Have you found those -source options to be necessary in practice? In general named should be smart enough not to try reaching the outside world on the loopback address.

Also, I'm guessing that you have more than one public IP address configured on that box? Otherwise none of those options should be necessary.

Doug

-- 
This .signature sanitized for your protection
Re: named.conf: query-source address
> We do such on our authoritative nameservers. The options we use:
>
>         listen-on { 127.0.0.1; 72.20.106.4; };
>         query-source address 72.20.106.4;
>         transfer-source 72.20.106.4;
>         notify-source 72.20.106.4;
>         interface-interval 0;
>         use-alt-transfer-source no;

That's perfectly fine.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
Re: named.conf: query-source address
On Wed, Jul 16, 2008 at 06:34:38PM +0100, Matthew Seaman wrote:
> The 'query-source' options don't have to be specified: the system will just choose some appropriate address according to the state of the routing table. 'query-source' to set the source /IP/ is really only useful in some specific server configurations with several alias addresses any of which could be used. That's pretty rare really.

Isn't this common to have multiple aliases at an interface? Sometimes only one of them should be used for all DNS traffic.

> query-source is only ever used by recursive or stub resolvers -- instances of named that will go out and make queries on the net on your behalf. Authoritative servers really don't need it.

Sometimes one needs to bind named to distinct IP address for all data it sends to the net on its own, not as answers to queries only. There is nothing wrong in using 'query-source' without 'port' option, I mean.

Eugene Grosbein
Re: named.conf: query-source address
On Jul 16, 2008, at 8:51 PM, Eugene Grosbein wrote:
> On Wed, Jul 16, 2008 at 06:34:38PM +0100, Matthew Seaman wrote:
>> The 'query-source' options don't have to be specified: the system will just choose some appropriate address according to the state of the routing table. 'query-source' to set the source /IP/ is really only useful in some specific server configurations with several alias addresses any of which could be used. That's pretty rare really.
>
> Isn't this common to have multiple aliases at an interface? Sometimes only one of them should be used for all DNS traffic.

About the only common reason to set up multiple aliases on an interface is when you're doing something like hosting multiple SSL webservers on a single box which actually need to have distinct IPs as a consequence. Other than that, using public IPs for aliases is usually wasteful of IP address space. YMMV...

Regards,
-- 
-Chuck
Re: named.conf: query-source address
On Wed, Jul 16, 2008 at 09:06:33PM -0700, Chuck Swiger wrote:
> On Jul 16, 2008, at 8:51 PM, Eugene Grosbein wrote:
>> On Wed, Jul 16, 2008 at 06:34:38PM +0100, Matthew Seaman wrote:
>>> The 'query-source' options don't have to be specified: the system will just choose some appropriate address according to the state of the routing table. 'query-source' to set the source /IP/ is really only useful in some specific server configurations with several alias addresses any of which could be used. That's pretty rare really.
>>
>> Isn't this common to have multiple aliases at an interface? Sometimes only one of them should be used for all DNS traffic.
>
> About the only common reason to set up multiple aliases on an interface is when you're doing something like hosting multiple SSL webservers on a single box which actually need to have distinct IPs as a consequence. Other than that, using public IPs for aliases is usually wasteful of IP address space. YMMV...

This is off-topic, but the reason we use public IPs for web hosting (read: standard HTTP) is so we can rate-limit the network I/O using pf and ALTQ. We tried for many years to use bandwidth-limiting modules such as mod_bw and mod_cband, but the modules are incredibly buggy. (Our most recent experience was with mod_cband, which will literally deadlock the entire webserver during heavy multipart downloads. The Debian folks found the same problem, and it was ultimately removed from their package repo.)

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: named.conf: query-source address
Jeremy Chadwick wrote:
> The config parms we use are necessary.

That's all you had to say. :) I see a lot of people attempt to over-engineer stuff with named that leads to complications later. If you are doing things for a good reason, keep doing them.

Doug

-- 
This .signature sanitized for your protection
Re: named.conf: query-source address
--On July 16, 2008 9:06:33 PM -0700 Chuck Swiger [EMAIL PROTECTED] wrote:
> On Jul 16, 2008, at 8:51 PM, Eugene Grosbein wrote:
>> On Wed, Jul 16, 2008 at 06:34:38PM +0100, Matthew Seaman wrote:
>>> The 'query-source' options don't have to be specified: the system will just choose some appropriate address according to the state of the routing table. 'query-source' to set the source /IP/ is really only useful in some specific server configurations with several alias addresses any of which could be used. That's pretty rare really.
>>
>> Isn't this common to have multiple aliases at an interface? Sometimes only one of them should be used for all DNS traffic.
>
> About the only common reason to set up multiple aliases on an interface is when you're doing something like hosting multiple SSL webservers on a single box which actually need to have distinct IPs as a consequence. Other than that, using public IPs for aliases is usually wasteful of IP address space. YMMV...

I would have thought that the most common reason for setting up multiple aliases on an interface was for hosting multiple domains on a single server. At least that's why I do it.

Paul Schmehl
If it isn't already obvious, my opinions are my own and not those of my employer.
Re: named.conf: query-source address
On Wed, 16 Jul 2008, Chuck Swiger wrote:
> On Jul 16, 2008, at 8:51 PM, Eugene Grosbein wrote:
>> On Wed, Jul 16, 2008 at 06:34:38PM +0100, Matthew Seaman wrote:
>>> The 'query-source' options don't have to be specified: the system will just choose some appropriate address according to the state of the routing table. 'query-source' to set the source /IP/ is really only useful in some specific server configurations with several alias addresses any of which could be used. That's pretty rare really.
>>
>> Isn't this common to have multiple aliases at an interface? Sometimes only one of them should be used for all DNS traffic.
>
> About the only common reason to set up multiple aliases on an interface is when you're doing something like hosting multiple SSL webservers on a single box which actually need to have distinct IPs as a consequence. Other than that, using public IPs for aliases is usually wasteful of IP address space.

I think another common reason is portability of services. When I setup a box, it gets an IP that sticks with that piece of hardware. Each distinct service that I pile onto it then gets its own IP. This has at least two major advantages that I've found:

- If the box dies, it's easy to move any of the services to another box without waiting for DNS changes to propagate.
- If one of the services outgrows the box, it's a simple matter to move that service elsewhere, again without playing with DNS.

I also will sometimes move services away for a major upgrade of the box. All of this becomes simple when you just bring an alias down on one box and up on another. Next step, putting each service in a jail and moving the jail when needed.

> YMMV...

On the internets, it always does. :)

Charles

> Regards,
> -- 
> -Chuck