IP alias/routing question
Chris Pratt
eagletree at hughes.net
Fri Jul 25 17:23:47 UTC 2008
On Jul 25, 2008, at 10:12 AM, Matthew Seaman wrote:
> Chris Pratt wrote:
>
>> I'm now setting up a bind server in which the third alias
>> is the address for incoming DNS queries. It appears
>> it's responding but even though the queries come in
>> on the third alias, they "go out" through the "primary"
>> address or more specifically, the packet count is
>> incremented in the Opkts total for the IP address first
>> attached to the interface via ifconfig (without an alias).
>> My problem appears to be that the packets really are
>> coming from the first IP as the source and are getting
>> blocked by my firewall as they should (the first address
>> is not supposed to be answering DNS queries).
>
> Carefully not answering the 'why do these packets come from the
> wrong address' question, but just pointing out that BIND is
> actually rather more configurable in this respect than most
> software.
>
> You can control what IPs BIND will communicate on for various
> purposes using the following statements in the options { } section
> of named.conf:
>
> listen-on {
> 127.0.0.1;
> 12.34.56.78;
> };
> listen-on-v6 {
> ::1;
> 1234:5678:9abc:def0::1;
> };
> query-source address 12.34.56.78 port *;
> query-source-v6 address 1234:5678:9abc:def0::1 port *;
> transfer-source 12.34.56.78 port *;
> transfer-source-v6 1234:5678:9abc:def0::1 port *;
> notify-source 12.34.56.78 port *;
> notify-source-v6 1234:5678:9abc:def0::1 port *;
>
I am not using those latter three but only the listen-on.
I will experiment. I am still curious if what I see with
bind, ssh and some others is actually returning on the
first address or if netstat just makes it look that way
because of the default gateway.
> Note the 'port *' stuff -- due to the recent security problem with
> the DNS protocol publicised by Dan Kaminsky, it is imperative that
> the /source/ port on DNS traffic is allowed to be randomised. See
>
This is good to know. I assumed going to the current
patched cvs was enough.
Thank you very much.
> http://www.kb.cert.org/vuls/id/800113
> http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc
>
> and make sure you install a patched version of BIND.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> 7 Priory Courtyard, Flat 3
> Ramsgate, Kent, CT11 9PW
> PGP: http://www.infracaninophile.co.uk/pgpkey
>
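The two points in the thread, which addresses BIND listens on and whether each outbound source statement leaves the port free for randomisation, can both be checked mechanically from named.conf. The following is an added example, not code from the thread or from BIND; it assumes a simplified named.conf grammar (a single options block, `listen-on`/`listen-on-v6` address lists, and the six `*-source` statements Matthew lists) and uses two constructed configurations, one pinning the source port to 53 and one using `port *` as advised.

```python
import re

# Constructed sample named.conf fragments (not from the thread). The first pins
# the outbound source port to 53, the second uses "port *" as the post advises.
WEAK_CONF = """\
options {
    directory "/var/named";   // comments must be ignored by the checker
    listen-on { 127.0.0.1; 12.34.56.78; };
    query-source address 12.34.56.78 port 53;
    transfer-source 12.34.56.78 port 53;
    notify-source 12.34.56.78;
};
"""

FIXED_CONF = """\
options {
    directory "/var/named";
    listen-on { 127.0.0.1; 12.34.56.78; };
    listen-on-v6 { ::1; 1234:5678:9abc:def0::1; };
    query-source address 12.34.56.78 port *;
    query-source-v6 address 1234:5678:9abc:def0::1 port *;
    transfer-source 12.34.56.78 port *;
    transfer-source-v6 1234:5678:9abc:def0::1 port *;
    notify-source 12.34.56.78 port *;
    notify-source-v6 1234:5678:9abc:def0::1 port *;
};
"""

# Longer names first so the alternation does not stop at the "-v6" prefix.
SOURCE_RE = re.compile(
    r"\b(query-source-v6|query-source|transfer-source-v6|transfer-source|"
    r"notify-source-v6|notify-source)\s+(?:address\s+)?(\S+?)(?:\s+port\s+(\S+?))?\s*;"
)


def strip_comments(text):
    """Remove the /* */, // and # comment forms that named.conf allows."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def options_block(text):
    """Return the body of options { ... }, matching nested braces by depth."""
    text = strip_comments(text)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        raise ValueError("no options block")
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces in options block")


def listen_addresses(text):
    """Addresses BIND would accept queries on, per listen-on / listen-on-v6."""
    body = options_block(text)
    found = {}
    for stmt in ("listen-on", "listen-on-v6"):
        # (?![\w-]) stops "listen-on" from matching the prefix of "listen-on-v6".
        m = re.search(rf"\b{re.escape(stmt)}(?![\w-])[^{{]*\{{([^}}]*)\}}", body)
        if m:
            found[stmt] = [a.strip() for a in m.group(1).split(";") if a.strip()]
        else:
            found[stmt] = []
    return found


def source_settings(text):
    """Map each *-source statement to (address, port); port is None if omitted."""
    return {stmt: (addr, port or None)
            for stmt, addr, port in SOURCE_RE.findall(options_block(text))}


def audit_source_ports(text):
    """Statements that pin a fixed numeric source port.

    'port *' or an omitted port leaves the choice to BIND, which a patched
    BIND randomises; a fixed number defeats that, which is what the post warns about.
    """
    return sorted(stmt for stmt, (_, port) in source_settings(text).items()
                  if port is not None and port.isdigit())


def serves_on(text, addr):
    """True if addr is in a listen-on list, i.e. BIND would answer queries on it.

    Useful to confirm an address that must not answer DNS is simply absent.
    """
    return any(addr in addrs for addrs in listen_addresses(text).values())


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, "listens on:", listen_addresses(conf))
        print(name, "fixed source ports:", audit_source_ports(conf))
```

Run against a real named.conf, the fixed-port list should be empty and the listen lists should contain only the alias meant to serve DNS; an address that is not supposed to answer queries should not appear there at all.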
More information about the freebsd-questions mailing list