Date:      Fri, 25 Jul 2008 18:12:55 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Chris Pratt <eagletree@hughes.net>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: IP alias/routing question
Message-ID:  <488A0997.3090300@infracaninophile.co.uk>
In-Reply-To: <9339104B-252B-49DC-9648-B59343E17E16@hughes.net>
References:  <9339104B-252B-49DC-9648-B59343E17E16@hughes.net>

Chris Pratt wrote:

> I'm now setting up a bind server in which the third alias
> is the address for incoming DNS queries. It appears
> it's responding but even though the queries come in
> on the third alias, they "go out" through the "primary"
> address or more specifically, the packet count is
> incremented in the Opkts total for the IP address first
> attached to the interface via ifconfig (without an alias).
> My problem appears to be that the packets really are
> coming from the first IP as the source and are getting
> blocked by my firewall as they should (the first address
> is not supposed to be answering DNS queries).

Carefully not answering the 'why do these packets come from the
wrong address' question, but just pointing out that BIND is
actually rather more configurable in this respect than most
software.

You can control what IPs BIND will communicate on for various
purposes using the following statements in the options { } section
of named.conf:

    // addresses named accepts queries on
    listen-on {
        127.0.0.1;
        12.34.56.78;
    };
    listen-on-v6 {
        ::1;
        1234:5678:9abc:def0::1;
    };
    // source address (and randomised port) for outgoing recursive queries
    query-source       address 12.34.56.78 port *;
    query-source-v6    address 1234:5678:9abc:def0::1 port *;
    // source address for outbound zone transfers
    transfer-source    12.34.56.78 port *;
    transfer-source-v6 1234:5678:9abc:def0::1 port *;
    // source address for NOTIFY messages
    notify-source      12.34.56.78 port *;
    notify-source-v6   1234:5678:9abc:def0::1 port *;

Note the 'port *' stuff -- due to the recent security problem with
the DNS protocol publicised by Dan Kaminsky, it is imperative that
the /source/ port on DNS traffic is allowed to be randomised.  See

http://www.kb.cert.org/vuls/id/800113
http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc

and make sure you install a patched version of BIND.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
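
Added example, not part of Matthew's message or of BIND itself: a small POSIX sh lint that reads a named.conf and flags any query/transfer/notify-source statement (v4 or v6) that pins a numeric source port instead of the 'port *' form shown above. The two named.conf fragments it writes are constructed samples (one weak, one corrected), and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the message above: lint a named.conf for the
# source-port pinning the Kaminsky advisory warns about. Assumes BIND 9
# option syntax as shown in the message; the config path is argument 1.

# Print each query/transfer/notify-source statement (v4 or v6) that pins a
# numeric source port instead of 'port *'. Comments are stripped first.
pinned_source_ports() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" |
        grep -E '^[[:space:]]*(query|transfer|notify)-source(-v6)?[[:space:]]' |
        grep -E 'port[[:space:]]+[0-9]+[[:space:]]*;' || true
}

# Exit 0 when no source statement pins a port, 1 (with a report) otherwise.
check_named_source_ports() {
    pinned=$(pinned_source_ports "$1")
    if [ -n "$pinned" ]; then
        printf '%s: pinned source port disables randomisation:\n%s\n' \
            "$1" "$pinned" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the weak pattern, query source fixed at port 53.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
options {
    listen-on { 127.0.0.1; 12.34.56.78; };
    query-source    address 12.34.56.78 port 53;   // pinned: weak
    transfer-source 12.34.56.78 port *;
};
EOF

# Constructed sample: the corrected form, every source port randomised.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
options {
    listen-on { 127.0.0.1; 12.34.56.78; };
    query-source    address 12.34.56.78 port *;
    transfer-source 12.34.56.78 port *;
    notify-source   12.34.56.78 port *;
};
EOF

check_named_source_ports "$WEAK_CONF" || echo "weak config: pinned port found"
check_named_source_ports "$GOOD_CONF" && echo "good config: OK"
```

A statement with no port clause at all is not reported, since the check only targets an explicitly pinned number; pair it with the patched BIND the advisory calls for.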
