Date: Fri, 25 Jul 2008 18:12:55 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Chris Pratt <eagletree@hughes.net> Cc: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Re: IP alias/routing question Message-ID: <488A0997.3090300@infracaninophile.co.uk> In-Reply-To: <9339104B-252B-49DC-9648-B59343E17E16@hughes.net> References: <9339104B-252B-49DC-9648-B59343E17E16@hughes.net>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigCE3CDD3EC8073C6FE09ADCAF Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Chris Pratt wrote: > I'm now setting up a bind server in which the third alias > is the address for incoming DNS queries. It appears > it's responding but even though the queries come in > on the third alias, they "go out" through the "primary" > address or more specifically, the packet count is > incremented in the Opkts total for the IP address first > attached to the interface via ifconfig (without an alias). > My problem appears to be that the packets really are > coming from the first IP as the source and are getting > blocked by my firewall as they should (the first address > is not supposed to be answering DNS queries). Carefully not answering the 'why do these packets come from the wrong address' question, but just pointing out that BIND is actually rather more configurable in this respect than most software. You can control what IPs BIND will communicate on for various purposes using the following statements in the options { } section of named.conf: listen-on { 127.0.0.1; 12.34.56.78; }; listen-on-v6 { ::1; 1234:5678:9abc:def0::1; }; query-source address 12.34.56.78 port *; query-source-v6 address 1234:5678:9abc:def0::1 port *; transfer-source 12.34.56.78 port *; transfer-source-v6 1234:5678:9abc:def0::1 port *; notify-source 812.34.56.78 port *; notify-source-v6 1234:5678:9abc:def0::1 port *; Note the 'port *' stuff -- due to the recent security problem with the DNS protocol publicised by Dan Kaminsky, it is imperative that the /source/ port on DNS traffic is allowed to be randomised. See http://www.kb.cert.org/vuls/id/800113=20 http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc and make sure you install a patched version of BIND. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enigCE3CDD3EC8073C6FE09ADCAF Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkiKCZ0ACgkQ8Mjk52CukIyySwCeMu9WMuoBNg96g9bfEQ64xhqh l28An0GSt4RJNjjT0nEu2FYHOhWNQcGm =BNYR -----END PGP SIGNATURE----- --------------enigCE3CDD3EC8073C6FE09ADCAF--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?488A0997.3090300>