From: "Travis H." <solinym@gmail.com>
Date: Sat, 15 Jul 2006 11:02:23 -0500
To: "Nejc Skoberne"
Cc: Odhiambo WASHINGTON, freebsd-pf@freebsd.org
Subject: Re: Multihoming with route-to

On 7/15/06, Nejc Skoberne wrote:
> request is E.F.G.H, the source address of the DNS reply is A.B.C.D! That is why the route-to rule doesn't
> work any more. If I remember correctly, this is due to the fact that UDP is a connectionless protocol
> and the DNS server doesn't have to bind to a specific address and port when sending a UDP packet
> (DNS reply). Therefore it uses the source IP address of the interface via which it tries to send
> the reply (default route).
>
> How could I solve this problem?

Well, the specification says that a DNS server reply may come from a different IP than the one the request was received upon.

Every DNS server I work with binds to all the specific IPs with different sockets, instead of binding to the wildcard socket. Perhaps you can upgrade, or switch servers.

If you're going to have to re-write the config file anyway, you might consider djbdns. Although it cannot put a cache and a server on the same socket, it is much more secure, much easier to configure, and you can use interface aliases.

The other alternative is to run two instances of your server, and have each bind to one IP address alone, if that's possible.
-- 
``I am not a pessimist. To perceive evil where it exists is, in my opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
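The per-address binding Travis describes, as an added example that is not part of this thread or of any DNS server's code: a minimal UDP responder that opens one socket per local address instead of a wildcard socket and always answers through the socket the query arrived on, so the reply's source address matches the address that was queried (the property a source-keyed route-to rule depends on). The candidate addresses are constructed loopback addresses; a real server would list its interface IPs.

```python
import select
import socket

# Constructed candidate addresses for this example. Whichever of them the
# host can bind gets its own socket; a real deployment lists A.B.C.D, E.F.G.H.
CANDIDATES = ["127.0.0.1", "127.0.0.2", "::1"]


def family_of(addr):
    return socket.AF_INET6 if ":" in addr else socket.AF_INET


def bind_per_address(addrs, port=0):
    """One UDP socket per address rather than a single wildcard socket.

    With a wildcard (0.0.0.0) socket the kernel picks the reply's source
    address by routing, i.e. the default-route interface. A socket bound
    to a specific address always sends with that address as source."""
    socks = []
    for addr in addrs:
        s = socket.socket(family_of(addr), socket.SOCK_DGRAM)
        try:
            s.bind((addr, port))
        except OSError:
            s.close()  # address not configured on this host; skip it
            continue
        socks.append(s)
    return socks


def serve_once(socks, timeout=2.0):
    """Answer one datagram, replying through the socket that received it."""
    ready, _, _ = select.select(socks, [], [], timeout)
    for s in ready:
        data, peer = s.recvfrom(512)
        s.sendto(b"reply:" + data, peer)
        return s.getsockname()[0]
    return None


def roundtrip(socks):
    """Query each bound address; return (bound addr, reply source, payload).

    UDP needs no handshake, so the client can send, the server can answer,
    and the client can read the reply sequentially in one thread."""
    results = []
    for s in socks:
        addr, port = s.getsockname()[:2]
        client = socket.socket(s.family, socket.SOCK_DGRAM)
        client.settimeout(2.0)
        client.sendto(b"q", (addr, port))
        serve_once(socks)
        data, src = client.recvfrom(512)
        client.close()
        results.append((addr, src[0], data))
    return results
```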