From: Chris Pratt
Date: Fri, 25 Jul 2008 10:23:30 -0700
To: FreeBSD Questions
Subject: Re: IP alias/routing question

On Jul 25, 2008, at 10:12 AM, Matthew Seaman wrote:

> Chris Pratt wrote:
>
>> I'm now setting up a bind server in which the third alias
>> is the address for incoming DNS queries. It appears
>> it's responding but even though the queries come in
>> on the third alias, they "go out" through the "primary"
>> address or more specifically, the packet count is
>> incremented in the Opkts total for the IP address first
>> attached to the interface via ifconfig (without an alias).
>> My problem appears to be that the packets really are
>> coming from the first IP as the source and are getting
>> blocked by my firewall as they should (the first address
>> is not supposed to be answering DNS queries).
>
> Carefully not answering the 'why do these packets come from the
> wrong address' question, but just pointing out that BIND is
> actually rather more configurable in this respect than most
> software.
>
> You can control what IPs BIND will communicate on for various
> purposes using the following statements in the options { } section
> of named.conf:
>
>     listen-on {
>         127.0.0.1;
>         12.34.56.78;
>     };
>     listen-on-v6 {
>         ::1;
>         1234:5678:9abc:def0::1;
>     };
>     query-source address 12.34.56.78 port *;
>     query-source-v6 address 1234:5678:9abc:def0::1 port *;
>     transfer-source 12.34.56.78 port *;
>     transfer-source-v6 1234:5678:9abc:def0::1 port *;
>     notify-source 12.34.56.78 port *;
>     notify-source-v6 1234:5678:9abc:def0::1 port *;

I am not using those latter three but only the listen-on. I will experiment.

I am still curious if what I see with bind, ssh and some others is actually returning on the first address or if netstat just makes it look that way because of the default gateway.

> Note the 'port *' stuff -- due to the recent security problem with
> the DNS protocol publicised by Dan Kaminsky, it is imperative that
> the /source/ port on DNS traffic is allowed to be randomised. See

This is good to know. I assumed going to the current patched cvs was enough. Thank you very much.

> http://www.kb.cert.org/vuls/id/800113
> http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc
>
> and make sure you install a patched version of BIND.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW
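A small audit of the named.conf statements discussed in this thread, added here as an example and not code from either poster: it flags any query-source/transfer-source/notify-source line whose port is pinned to a number instead of `*` (source-port randomisation disabled), and any source address that is not among the listen-on addresses (traffic would leave from an address the firewall does not expect DNS on). The options block it parses is constructed for the demo; the regexes cover only the literal-address forms shown in the thread, not ACL names.

```python
import re

# Constructed named.conf options block for the demo (not from the thread).
# The query-source line deliberately pins the source port to 53, and the
# notify-source address is one BIND does not listen on.
SAMPLE_OPTIONS = """
options {
    listen-on { 127.0.0.1; 12.34.56.78; };
    listen-on-v6 { ::1; 1234:5678:9abc:def0::1; };
    query-source address 12.34.56.78 port 53;
    transfer-source 12.34.56.78 port *;
    notify-source 10.0.0.9 port *;
};
"""

# listen-on / listen-on-v6, with an optional 'port N' before the address list.
LISTEN_RE = re.compile(r"listen-on(?:-v6)?(?:\s+port\s+\S+)?\s*\{([^}]*)\}")
# query-source, transfer-source, notify-source (and -v6 forms); the address
# part is optional and may carry the 'address' keyword.
SOURCE_RE = re.compile(
    r"((?:query|transfer|notify)-source(?:-v6)?)\s+"
    r"(?:(?:address\s+)?([^\s;]+)\s+)?port\s+([^\s;]+)\s*;")


def listen_addresses(conf):
    """Collect every literal address listed in listen-on / listen-on-v6."""
    addrs = set()
    for body in LISTEN_RE.findall(conf):
        addrs.update(a.strip() for a in body.split(";") if a.strip())
    return addrs


def audit_sources(conf):
    """Return (statement, problem) pairs for weak or inconsistent source settings."""
    listen = listen_addresses(conf)
    findings = []
    for stmt, addr, port in SOURCE_RE.findall(conf):
        if port != "*":
            # A fixed port defeats the source-port randomisation that the
            # Kaminsky advisory relies on.
            findings.append((stmt, "fixed source port %s; use 'port *'" % port))
        if addr and addr != "*" and addr not in listen:
            # Outbound traffic would leave from an address the firewall
            # may not expect DNS on, which is the symptom described above.
            findings.append((stmt, "source address %s is not a listen-on address" % addr))
    return findings


if __name__ == "__main__":
    for stmt, problem in audit_sources(SAMPLE_OPTIONS):
        print("%s: %s" % (stmt, problem))
```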