From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Chris Pratt
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: IP alias/routing question
Date: Fri, 25 Jul 2008 18:12:55 +0100
Message-ID: <488A0997.3090300@infracaninophile.co.uk>
In-Reply-To: <9339104B-252B-49DC-9648-B59343E17E16@hughes.net>

Chris Pratt wrote:
> I'm now setting up a bind server in which the third alias
> is the address for incoming DNS queries.
> It appears
> it's responding but even though the queries come in
> on the third alias, they "go out" through the "primary"
> address or more specifically, the packet count is
> incremented in the Opkts total for the IP address first
> attached to the interface via ifconfig (without an alias).
> My problem appears to be that the packets really are
> coming from the first IP as the source and are getting
> blocked by my firewall as they should (the first address
> is not supposed to be answering DNS queries).

Carefully not answering the 'why do these packets come from the
wrong address' question, but just pointing out that BIND is actually
rather more configurable in this respect than most software. You can
control what IPs BIND will communicate on for various purposes using
the following statements in the options { } section of named.conf:

    listen-on { 127.0.0.1; 12.34.56.78; };
    listen-on-v6 { ::1; 1234:5678:9abc:def0::1; };
    query-source address 12.34.56.78 port *;
    query-source-v6 address 1234:5678:9abc:def0::1 port *;
    transfer-source 12.34.56.78 port *;
    transfer-source-v6 1234:5678:9abc:def0::1 port *;
    notify-source 12.34.56.78 port *;
    notify-source-v6 1234:5678:9abc:def0::1 port *;

Note the 'port *' stuff -- due to the recent security problem with the
DNS protocol publicised by Dan Kaminsky, it is imperative that the
/source/ port on DNS traffic is allowed to be randomised. See

    http://www.kb.cert.org/vuls/id/800113
    http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc

and make sure you install a patched version of BIND.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
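An added example for this thread, written for this page and not BIND's own tooling or anything Matthew posted: a small Python checker that pulls the listen-on and *-source statements out of an options { } block and reports the two things the reply is about, a source port that has been pinned to a number (which stops BIND from randomising it, so the post-Kaminsky fix never takes effect) and a query-source with no fixed address for a family the server listens on (BIND then binds the wildcard address and the kernel chooses the outbound source, normally the interface's primary address). It assumes statements are laid out one per line as in the message; it is not a full named.conf parser. The two sample configurations are constructed for illustration; the addresses are the ones used in the reply, and the "weak" one shows the old habit of pinning the source port to 53.

```python
import re

# Added example for this thread, not BIND's own code: a checker for the
# address/port statements in a named.conf options { } block.  The sample
# configurations at the bottom are constructed; the addresses come from
# the message above.

SOURCE_RE = re.compile(
    r"^\s*(?P<stmt>(?:query|transfer|notify)-source(?:-v6)?)"
    r"(?:\s+(?:address\s+)?(?P<addr>\*|[0-9A-Fa-f:.]+))?"
    r"(?:\s+port\s+(?P<port>\*|\d+))?\s*;",
    re.MULTILINE,
)
LISTEN_RE = re.compile(
    r"^\s*(?P<stmt>listen-on(?:-v6)?)(?:\s+port\s+\d+)?\s*\{(?P<addrs>[^}]*)\}\s*;",
    re.MULTILINE,
)
LOOPBACK = {"127.0.0.1", "::1"}


def strip_comments(text: str) -> str:
    """Drop the /* */, // and # comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(?://|#).*", "", text)


def audit_options(conf: str) -> dict:
    """Parse listen-on and *-source statements; return what was found plus findings.

    Flagged:
      * a numeric port on any *-source statement: BIND then sends every query
        from that one port, so source-port randomisation never happens;
      * no explicit query-source address for a family we listen on: BIND
        binds the wildcard address and the kernel chooses the outbound
        source, normally the interface's primary address.
    """
    text = strip_comments(conf)
    report = {"listen": {}, "sources": {}, "findings": []}

    for m in LISTEN_RE.finditer(text):
        addrs = [a.strip() for a in m.group("addrs").split(";") if a.strip()]
        report["listen"][m.group("stmt")] = addrs

    for m in SOURCE_RE.finditer(text):
        stmt, addr, port = m.group("stmt"), m.group("addr"), m.group("port")
        report["sources"][stmt] = (addr, port)
        if port not in (None, "*"):
            report["findings"].append(
                f"{stmt}: source port pinned to {port}; use 'port *' so BIND can randomise it"
            )

    for listen, qs in (("listen-on", "query-source"), ("listen-on-v6", "query-source-v6")):
        if any(a not in LOOPBACK for a in report["listen"].get(listen, [])):
            addr, _ = report["sources"].get(qs, (None, None))
            if addr in (None, "*"):
                report["findings"].append(
                    f"{qs}: no fixed address; the kernel picks the outbound source address"
                )
    return report


# Constructed: the pre-Kaminsky habit of pinning the source port, and no
# chosen source address, so outbound queries leave from whatever address
# the kernel picks for the route.
WEAK_CONF = """
options {
    listen-on { 127.0.0.1; 12.34.56.78; };
    query-source address * port 53;   // one fixed port for every query
};
"""

# Constructed from the statements in the message above.
FIXED_CONF = """
options {
    listen-on { 127.0.0.1; 12.34.56.78; };
    listen-on-v6 { ::1; 1234:5678:9abc:def0::1; };
    query-source address 12.34.56.78 port *;
    query-source-v6 address 1234:5678:9abc:def0::1 port *;
    transfer-source 12.34.56.78 port *;
    transfer-source-v6 1234:5678:9abc:def0::1 port *;
    notify-source 12.34.56.78 port *;
    notify-source-v6 1234:5678:9abc:def0::1 port *;
};
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        findings = audit_options(conf)["findings"]
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the "weak" block it reports the pinned port and the unset address; against the statements from the reply it reports nothing. The check is static only: whether the running named actually randomises its source port still has to be confirmed on the wire, and the advisory above is the authority on which BIND versions do.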