Date: Fri, 25 Jul 2008 10:23:30 -0700
From: Chris Pratt <eagletree@hughes.net>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: IP alias/routing question
Message-ID: <E7C25A71-DBCB-466D-9845-21E7EFF64F9D@hughes.net>
In-Reply-To: <488A0997.3090300@infracaninophile.co.uk>
References: <9339104B-252B-49DC-9648-B59343E17E16@hughes.net> <488A0997.3090300@infracaninophile.co.uk>
On Jul 25, 2008, at 10:12 AM, Matthew Seaman wrote:

> Chris Pratt wrote:
>
>> I'm now setting up a bind server in which the third alias
>> is the address for incoming DNS queries. It appears
>> it's responding but even though the queries come in
>> on the third alias, they "go out" through the "primary"
>> address or more specifically, the packet count is
>> incremented in the Opkts total for the IP address first
>> attached to the interface via ifconfig (without an alias).
>> My problem appears to be that the packets really are
>> coming from the first IP as the source and are getting
>> blocked by my firewall as they should (the first address
>> is not supposed to be answering DNS queries).
>
> Carefully not answering the 'why do these packets come from the
> wrong address' question, but just pointing out that BIND is
> actually rather more configurable in this respect than most
> software.
>
> You can control what IPs BIND will communicate on for various
> purposes using the following statements in the options { } section
> of named.conf:
>
> listen-on {
>     127.0.0.1;
>     12.34.56.78;
> };
> listen-on-v6 {
>     ::1;
>     1234:5678:9abc:def0::1;
> };
> query-source address 12.34.56.78 port *;
> query-source-v6 address 1234:5678:9abc:def0::1 port *;
> transfer-source 12.34.56.78 port *;
> transfer-source-v6 1234:5678:9abc:def0::1 port *;
> notify-source 12.34.56.78 port *;
> notify-source-v6 1234:5678:9abc:def0::1 port *;

I am not using those latter three but only the listen-on. I will
experiment. I am still curious if what I see with bind, ssh and some
others is actually returning on the first address or if netstat just
makes it look that way because of the default gateway.

> Note the 'port *' stuff -- due to the recent security problem with
> the DNS protocol publicised by Dan Kaminsky, it is imperative that
> the /source/ port on DNS traffic is allowed to be randomised. See

This is good to know. I assumed going to the current patched cvs was
enough. Thank you very much.

> http://www.kb.cert.org/vuls/id/800113
> http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc
>
> and make sure you install a patched version of BIND.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW
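The two points Matthew makes above (pinning BIND's source addresses per purpose, and never pinning the source *port* after the Kaminsky advisory) can be checked mechanically. The following is an added example, not code from this thread or from BIND: a small Python checker that reads the `options { }` statements of a named.conf fragment (a constructed sample using the thread's placeholder addresses, with one deliberately weak fixed-port line) and reports any `*-source` statement whose port is not `*`.

```python
import re

# Constructed named.conf options fragment modelled on the thread's example
# (same documentation-style placeholder addresses). The query-source-v6
# line is the weak form: it pins the outgoing source port to 53.
SAMPLE_CONF = """
options {
    listen-on { 127.0.0.1; 12.34.56.78; };
    listen-on-v6 { ::1; 1234:5678:9abc:def0::1; };
    query-source address 12.34.56.78 port *;
    query-source-v6 address 1234:5678:9abc:def0::1 port 53;
    transfer-source 12.34.56.78 port *;
    notify-source 12.34.56.78;
};
"""

# Statements whose 'port' clause must be '*' so that the source port of
# outgoing queries, zone transfers and notifies is chosen randomly rather
# than fixed to one value an off-path attacker could predict.
SOURCE_STMTS = ("query-source", "query-source-v6",
                "transfer-source", "transfer-source-v6",
                "notify-source", "notify-source-v6")

# One statement per line: <name> [address] <addr> [port <port>] ;
STMT_RE = re.compile(
    r"^\s*(?P<stmt>[a-z0-9-]+)\s+(?:address\s+)?(?P<addr>\S+?)"
    r"(?:\s+port\s+(?P<port>\S+))?\s*;", re.M)

def source_ports(conf):
    """Map each *-source statement to its configured port ('*' or a number).
    A statement with no port clause is reported as '*', since BIND then
    defaults to an unpinned (kernel-chosen) port."""
    found = {}
    for m in STMT_RE.finditer(conf):
        if m.group("stmt") in SOURCE_STMTS:
            found[m.group("stmt")] = m.group("port") or "*"
    return found

def fixed_port_statements(conf):
    """Return the statements that pin the source port to a single value."""
    return sorted(s for s, p in source_ports(conf).items() if p != "*")

if __name__ == "__main__":
    for stmt in fixed_port_statements(SAMPLE_CONF):
        print(f"WARNING: {stmt} uses a fixed source port; use 'port *'")
```

Run against a real file with `fixed_port_statements(open("/etc/namedb/named.conf").read())`; an empty list means every configured source statement leaves the port randomised.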