Using IP aliases, was: named.conf: query-source address

Chuck Swiger cswiger at
Thu Jul 17 20:20:24 UTC 2008

On Jul 17, 2008, at 7:00 AM, Eugene Grosbein wrote:
>> About the only common reason to set up multiple aliases on an
>> interface is when you're doing something like hosting multiple SSL
>> webservers on a single box which actually need to have distinct IPs  
>> as
>> a consequence.  Other than that, using public IPs for aliases is
>> usually wasteful of IP address space.  YMMV...
> Think about multiple IP-based services (not HTTP "virtual" servers)
> at one physical host that should use distinct IP addresses
> for some reasons (local policy/billing/monitoring/etc.)

I'll reply to this particular message, but let me generalize against  
some of the other responses as well.

If your organization does billing based on traffic, or wants to do  
traffic shaping or bandwidth limitation, great; but IPFW+Dummynet or PF 
+ALTQ don't care whether you recognize traffic by IP alone or by IP 
+port(s), so long as the ports are distinct for each billing category  
or packet queue you want to run.

If you want to organize specific services on specific ports which have  
different backend hosts handling them to distribute load or allow you  
to rebalance your hardware to meet changing demand, by all means.  You  
can have a hardware load-balancer like a NetScaler, or even use the  
RFC-2391 capabilities of IPFW+natd or "RDR ROUND ROBIN" with PF.  But  
if you do that, you might as well put the actual backend machines on a  
RFC-1918 subnet and you might well end up using fewer public IPs than  
you would if all machines had public IPs.

I don't have any problem with people deciding for themselves how they  
want to manage their services and their networks.  It's just that, too  
often, people use IP aliases to do things like make a single physical  
machine appear as two so they don't actually bother to provide two  
actual machines for hosting DNS services with proper redundancy.  Even  
for the shared webhosting case, where you need separate IPs per SSL  
cert as HTTPS doesn't support name-based virtual hosts, I'm a little  
dubious about the notion that having a single machine hosting lots of  
distinct websites, probably for different clients, is a good idea from  
the standpoint of security.


More information about the freebsd-stable mailing list