named.conf: query-source address
Charles Sprickman
spork at bway.net
Wed Jul 16 21:48:49 UTC 2008
On Wed, 16 Jul 2008, Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 12:20:42AM +0800, Eugene Grosbein wrote:
>> I fully understand and second efforts on educating people
>> how to configure BIND to be strong to attacks and keep them from using
>> "query-source address" with "port" option but how about
>> binding named to particular IP address when host has many of them?
>
> We do such on our authoritative nameservers. The options we use:
Same here...
> listen-on { 127.0.0.1; 72.20.106.4; };
> query-source address 72.20.106.4;
> transfer-source 72.20.106.4;
> notify-source 72.20.106.4;
But just that portion. It works, and it passes the test with a std. dev
of 19K or so on the port "randomness".
Charles
> interface-interval 0;
> use-alt-transfer-source no;
>
> --
> | Jeremy Chadwick jdc at parodius.com |
> | Parodius Networking http://www.parodius.com/ |
> | UNIX Systems Administrator Mountain View, CA, USA |
> | Making life hard for others since 1977. PGP: 4BD6C0CB |
>
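An added example, not part of the original message and not BIND's own tooling: a small check that separates the two cases discussed in this thread, pinning query-source to an address (the source port stays random) versus adding the "port" option (the source port becomes fixed). The function names and the sample port lists are assumptions constructed for illustration.

```python
import re
import statistics

# query-source / query-source-v6 statements, up to the terminating ';'
STMT = re.compile(r"\bquery-source(?:-v6)?\b([^;]*);")
PORT = re.compile(r"\bport\s+(\S+)")

def strip_comments(text):
    """Drop /* */, // and # comments (simplified: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?://|#)[^\n]*", "", text)

def fixed_port_statements(conf_text):
    """Return query-source statements that pin the UDP source port."""
    findings = []
    for m in STMT.finditer(strip_comments(conf_text)):
        port = PORT.search(m.group(1))
        if port and port.group(1) != "*":
            findings.append(" ".join(m.group(0).split()))
    return findings

def port_spread(ports):
    """Population standard deviation of observed query source ports."""
    return statistics.pstdev(ports)

# Options quoted in the thread: address pinned, port left to named.
ADDRESS_ONLY = """
listen-on { 127.0.0.1; 72.20.106.4; };
query-source address 72.20.106.4;
transfer-source 72.20.106.4;
notify-source 72.20.106.4;
"""

# Constructed counter-example: same address with the "port" option added.
ADDRESS_AND_PORT = """
query-source address 72.20.106.4 port 53;  // fixed source port
"""

if __name__ == "__main__":
    for name, conf in (("address only", ADDRESS_ONLY),
                       ("address + port", ADDRESS_AND_PORT)):
        print(name, "->", fixed_port_statements(conf) or "no fixed port")
    # Constructed port samples, not measurements from the thread.
    print("fixed:", port_spread([53] * 5))
    print("varied:", round(port_spread([10000, 30000, 50000])))
```

A spread of zero across observed queries means every query left from the same port, which is the condition the port test mentioned above is meant to catch.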