named.conf: query-source address

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Jul 16 17:34:52 UTC 2008


Eugene Grosbein wrote:

> I fully understand and second efforts on educating people
> how to configure BIND to be strong to attacks and keep them from using
> "query-source address" with "port" option but how about
> binding named to particular IP address when host has many of them?
> Using "query-source address" without "port" is the only solution
> (not speaking of jails here) and a safe one? Wouldn't all that hustle
> about query-source misinform users about utility of it?

To make named bind to a particular IP, you want the 'listen-on'
options -- this is the IP that clients will access for service.  By
the nature of things, you'll have to use port 53 for this.

The 'query-source' options don't have to be specified: the system
will just choose some appropriate address according to the state of
the routing table.  'query-source' to set the source /IP/ is really
only useful in some specific server configurations with several alias 
addresses any of which could be used.  That's pretty rare really. 
Most of the uses of query-source have been to set the source /port/
-- this was a standard part of the documentation: fix the source port
in order to help the DNS traffic transit firewalls.  However, the recent
security advisory has forced the complete abandonment of that idea.
It's not even particularly truthful that you need to fix the source port 
because of firewalling: nowadays most firewalls are stateful, which eliminates that requirement.

query-source is only ever used by recursive or stub resolvers --
instances of named that will go out and make queries on the net on your 
behalf.  Authoritative servers really don't need it.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
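The distinction Matthew draws (listen-on for the service address, query-source for the source IP only, never a fixed source port) is easy to get wrong in an existing named.conf. The following audit script is an added example, not from the original thread: the two named.conf fragments are constructed, and it flags any query-source or query-source-v6 directive that pins the source port, since a fixed port throws away the source-port randomisation the 2008 advisory made mandatory.

```python
"""Audit a named.conf for query-source directives that fix the source port."""
import re

# Constructed fragments for illustration (not taken from the mail).
WEAK_CONF = """
options {
    directory "/var/named";
    listen-on { 192.0.2.1; };                  // clients reach this alias on port 53
    query-source address 192.0.2.1 port 53;    // fixed source port: no randomisation
    query-source-v6 address 2001:db8::1 port 53;
};
"""

SAFE_CONF = """
options {
    directory "/var/named";
    listen-on { 192.0.2.1; };
    query-source address 192.0.2.1;            // source IP only; port left random
    query-source-v6 address 2001:db8::1 port *;  // an explicit '*' also means random
};
"""

_QUERY_SOURCE = re.compile(r"^\s*(query-source(?:-v6)?)\s+(.*?);", re.MULTILINE)


def audit_query_source(conf: str) -> list:
    """Return (directive, address, port, finding) for each query-source line."""
    findings = []
    # Strip line comments so commented-out directives are not reported.
    cleaned = re.sub(r"(//|#).*", "", conf)
    for match in _QUERY_SOURCE.finditer(cleaned):
        directive, args = match.group(1), match.group(2).split()
        address = port = None
        # BIND accepts "address X" and "port Y" as independent, optional pairs.
        for key, value in zip(args, args[1:]):
            if key == "address":
                address = value
            elif key == "port":
                port = value
        if port is None or port == "*":
            finding = "ok: source port left to named"
        else:
            finding = "fixed source port %s: drop 'port' so named can randomise it" % port
        findings.append((directive, address, port, finding))
    return findings


def has_fixed_source_port(conf: str) -> bool:
    """True when any query-source directive pins the source port."""
    return any(port not in (None, "*") for _, _, port, _ in audit_query_source(conf))
```

Running the audit over a real named.conf only reports the query-source lines; listen-on is left alone because, as the mail notes, the service side has to use port 53 anyway.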
