IP alias/routing question

Chris Pratt eagletree at hughes.net
Fri Jul 25 17:23:47 UTC 2008


On Jul 25, 2008, at 10:12 AM, Matthew Seaman wrote:

> Chris Pratt wrote:
>
>> I'm now setting up a bind server in which the third alias
>> is the address for incoming DNS queries. It appears
>> it's responding but even though the queries come in
>> on the third alias, they "go out" through the "primary"
>> address or more specifically, the packet count is
>> incremented in the Opkts total for the IP address first
>> attached to the interface via ifconfig (without an alias).
>> My problem appears to be that the packets really are
>> coming from the first IP as the source and are getting
>> blocked by my firewall as they should (the first address
>> is not supposed to be answering DNS queries).
>
> Carefully not answering the 'why do these packets come from the
> wrong address' question, but just pointing out that BIND is
> actually rather more configurable in this respect than most
> software.
>
> You can control what IPs BIND will communicate on for various
> purposes using the following statements in the options { } section
> of named.conf:
>
>    listen-on {
>        127.0.0.1;
>        12.34.56.78;
>    };
>    listen-on-v6 {
>        ::1;
>        1234:5678:9abc:def0::1;
>    };
>    query-source       address 12.34.56.78 port *;
>    query-source-v6    address 1234:5678:9abc:def0::1 port *;
>    transfer-source    12.34.56.78 port *;
>    transfer-source-v6 1234:5678:9abc:def0::1 port *;
>    notify-source      12.34.56.78 port *;
>    notify-source-v6   1234:5678:9abc:def0::1 port *;
>
I am not using those latter three but only the listen-on.
I will experiment. I am still curious if what I see with
bind, ssh and some others is actually returning on the
first address or if netstat just makes it look that way
because of the default gateway.

> Note the 'port *' stuff -- due to the recent security problem with
> the DNS protocol publicised by Dan Kaminsky, it is imperative that
> the /source/ port on DNS traffic is allowed to be randomised.  See
>

This is good to know. I assumed going to the current
patched cvs was enough.

Thank you very much.

> http://www.kb.cert.org/vuls/id/800113
> http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc
>
> and  make sure you install a patched version of BIND.
>
> 	Cheers,
>
> 	Matthew
>
> -- 
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                  Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                  Kent, CT11 9PW
>

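An added example, not part of the thread above or of BIND itself: a small checker for the options statements Matthew lists. It pulls the query-source, transfer-source and notify-source lines (IPv4 and -v6 forms) out of a named.conf options block and reports two things: a fixed source port (anything other than `port *` or no port at all, which a patched BIND treats as "pick a random port"), since that is exactly what undoes the Kaminsky fix; and, as a heuristic aimed at the alias problem in the original question, a source address that is not among the listen-on addresses, which is not an error for BIND but is usually a sign that outbound queries, transfers or notifies will leave from an address the firewall does not expect. The two named.conf snippets are constructed for the example; the addresses are the placeholder ones from Matthew's reply.

```python
"""Audit BIND named.conf source-address/port statements (example code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: fixed source ports and a stray transfer-source address.
WEAK_CONF = """
options {
    listen-on { 127.0.0.1; 12.34.56.78; };
    listen-on-v6 { ::1; 1234:5678:9abc:def0::1; };
    query-source    address 12.34.56.78 port 53;
    query-source-v6 address 1234:5678:9abc:def0::1 port 53;
    transfer-source 12.34.56.79;
    notify-source   12.34.56.78 port 2000;
};
"""

# Constructed sample: the same block with randomised ports and matching addresses.
FIXED_CONF = """
options {
    listen-on { 127.0.0.1; 12.34.56.78; };
    listen-on-v6 { ::1; 1234:5678:9abc:def0::1; };
    query-source       address 12.34.56.78 port *;
    query-source-v6    address 1234:5678:9abc:def0::1 port *;
    transfer-source    12.34.56.78 port *;
    transfer-source-v6 1234:5678:9abc:def0::1 port *;
    notify-source      12.34.56.78 port *;
    notify-source-v6   1234:5678:9abc:def0::1 port *;
};
"""

# One statement per line, terminated by ';'.  query-source uses the keyword
# 'address'; transfer-source and notify-source take the address bare.
STMT_RE = re.compile(
    r'^\s*(?P<name>(?:query|transfer|notify)-source(?:-v6)?)\s+(?P<args>[^;]*);',
    re.MULTILINE)
# listen-on [port N] { addr; addr; ... };
LISTEN_RE = re.compile(
    r'^\s*listen-on(?:-v6)?\s*(?:port\s+\S+\s*)?\{(?P<body>[^}]*)\}',
    re.MULTILINE)


@dataclass
class SourceStmt:
    name: str
    address: Optional[str]   # None: BIND picks the address
    port: Optional[str]      # None: port not given, '*': explicitly random


def parse_source_statements(conf: str) -> List[SourceStmt]:
    stmts = []
    for m in STMT_RE.finditer(conf):
        toks = m.group('args').split()
        addr = port = None
        i = 0
        while i < len(toks):
            if toks[i] == 'address' and i + 1 < len(toks):
                addr, i = toks[i + 1], i + 2
            elif toks[i] == 'port' and i + 1 < len(toks):
                port, i = toks[i + 1], i + 2
            else:                       # bare address form
                if addr is None:
                    addr = toks[i]
                i += 1
        stmts.append(SourceStmt(m.group('name'), addr, port))
    return stmts


def listen_addresses(conf: str) -> Set[str]:
    addrs = set()
    for m in LISTEN_RE.finditer(conf):
        addrs.update(a.strip() for a in m.group('body').split(';') if a.strip())
    return addrs


def audit(conf: str) -> List[str]:
    """Return one finding per problem; an empty list means the block is clean."""
    findings = []
    listen = listen_addresses(conf)
    for s in parse_source_statements(conf):
        # A numeric port pins every outbound query to one source port.
        if s.port not in (None, '*'):
            findings.append(
                f"{s.name}: fixed source port {s.port} disables source-port "
                f"randomisation (use 'port *')")
        # Heuristic: the source address should be one we also listen on.
        if (s.address and s.address != '*' and listen
                and 'any' not in listen and s.address not in listen):
            findings.append(
                f"{s.name}: source address {s.address} is not in listen-on")
    return findings


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('fixed', FIXED_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

Run it against a real named.conf by reading the file into `audit()`; the regexes only look at the options-style statements, so included zone files do not matter. The listen-on comparison is deliberately a warning, not an error: BIND will happily send from an address it does not listen on, which is precisely the situation that gets replies dropped at the firewall.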

