Multihoming with route-to

Travis H. solinym at gmail.com
Sat Jul 15 16:02:27 UTC 2006


On 7/15/06, Nejc Skoberne <nejc at skoberne.net> wrote:
> request is E.F.G.H, the source address of the DNS reply is A.B.C.D! That is why the route-to rule doesn't
> work any more. If I remember correctly, this is due to the fact that UDP is a connectionless protocol
> and the DNS server doesn't have to bind to a specific address and port when sending a UDP packet
> (DNS reply). Therefore it uses the source IP address of the interface via which it tries to send
> the reply (default route).
>
> How could I solve this problem?

Well, the specification says that a DNS server reply may come from a
different IP than the one the request was received upon.

Every DNS server I work with binds to all the specific IPs with
different sockets, instead of binding to the wildcard socket.  Perhaps
you can upgrade, or switch servers.  If you're going to have to
re-write the config file anyway, you might consider djbdns.  Although
it cannot put a cache and a server on the same socket, it is much more
secure, much easier to configure, and you can use interface aliases.
The other alternative is to run two instances of your server, and have
each bind to one IP address alone, if that's possible.
-- 
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
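The socket behaviour the two messages above argue about, shown as an added example that is not from the original thread and not the code of any DNS server: a toy UDP responder run once with one socket per address (what Travis recommends) and once with a single wildcard socket (what Nejc's server is doing). Each reply is sent from the socket that received the request; for the per-address socket the kernel stamps the bound address as source, for the wildcard socket it picks the source from the routing table, which on a multihomed box is the default-route interface. The demo assumes the host's loopback answers for all of 127/8 so that 127.0.0.2 stands in for the "other" interface (true on Linux; on FreeBSD you would first add `ifconfig lo0 alias 127.0.0.2 netmask 255.255.255.255`), and it skips the comparison rather than failing where that address does not exist.

```python
import select
import socket


def bind_per_address(addresses, port=0):
    """Open one UDP socket per local address (the recommended setup) instead
    of a single wildcard 0.0.0.0 socket.  Returns {(ip, port): socket}.
    With port=0 the first bind picks an ephemeral port and the remaining
    addresses share it, as a real DNS server would share port 53.
    Addresses that are not configured on this host are skipped, not fatal."""
    socks = {}
    for ip in addresses:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            s.bind((ip, port))
        except OSError:
            s.close()  # e.g. 127.0.0.2 exists only where loopback covers 127/8 (assumption)
            continue
        if port == 0:
            port = s.getsockname()[1]
        socks[s.getsockname()] = s
    return socks


def bind_wildcard(port=0):
    """The configuration that breaks route-to: one socket bound to every address."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("0.0.0.0", port))
    return s


def serve_once(socks, timeout=2.0):
    """Wait for one datagram on any server socket and answer it from the SAME
    socket.  A socket bound to one address always sends from that address; a
    wildcard socket leaves the source address choice to the routing table."""
    readable, _, _ = select.select(socks, [], [], timeout)
    for s in readable:
        data, peer = s.recvfrom(512)
        s.sendto(b"reply:" + data, peer)
        return peer
    return None


def exchange(server_socks, target, timeout=2.0):
    """Send one constructed 'ping' datagram to target=(ip, port), drive the
    server once, and return (payload, source ip of the reply), or None on
    timeout.  The request is queued by the kernel, so no thread is needed."""
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(timeout)
    try:
        client.sendto(b"ping", target)
        if serve_once(server_socks, timeout) is None:
            return None
        data, (src_ip, _port) = client.recvfrom(512)
        return data, src_ip
    except socket.timeout:
        return None
    finally:
        client.close()


def compare(alt_ip="127.0.0.2"):
    """Query alt_ip under both configurations and report where each reply
    came from: {"per_address": ip or None, "wildcard": ip or None}.  Both
    stay None when alt_ip is not a local address on this host."""
    per = bind_per_address(["127.0.0.1", alt_ip])
    wild = bind_wildcard()
    result = {"per_address": None, "wildcard": None}
    try:
        alt_target = next((a for a in per if a[0] == alt_ip), None)
        if alt_target is not None:
            r = exchange(list(per.values()), alt_target)
            result["per_address"] = r[1] if r else None
            r = exchange([wild], (alt_ip, wild.getsockname()[1]))
            result["wildcard"] = r[1] if r else None
    finally:
        for s in list(per.values()) + [wild]:
            s.close()
    return result


if __name__ == "__main__":
    # Linux: {'per_address': '127.0.0.2', 'wildcard': '127.0.0.1'}
    print(compare())
```

The wildcard result is exactly Nejc's symptom: the query went to the second address, the answer came back from the first. Two things follow for a practitioner. First, the damage is not limited to pf: a client that `connect()`ed its UDP socket, and most stub resolvers, discard a reply whose source does not match the queried address, so the client sees a timeout rather than a wrong-looking answer. Second, per-address sockets are not the only fix; a server can keep a wildcard socket and still reply from the original destination by reading it with `IP_RECVDSTADDR` (BSD) or `IP_PKTINFO` (Linux) and passing it back in `sendmsg()`, but that needs support in the server software, whereas the per-address bind only needs its listen configuration.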


More information about the freebsd-pf mailing list