From owner-freebsd-net@FreeBSD.ORG Sat Apr 19 15:21:44 2003
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 383D837B404 for ; Sat, 19 Apr 2003 15:21:44 -0700 (PDT)
Received: from ints.mail.pike.ru (ints.mail.pike.ru [195.9.45.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 62FF243FAF for ; Sat, 19 Apr 2003 15:21:42 -0700 (PDT) (envelope-from babolo@cicuta.babolo.ru)
Received: (qmail 61971 invoked from network); 19 Apr 2003 22:39:22 -0000
Received: from babolo.ru (HELO cicuta.babolo.ru) (194.58.226.160) by ints.mail.pike.ru with SMTP; 19 Apr 2003 22:39:22 -0000
Received: (nullmailer pid 720 invoked by uid 136); Sat, 19 Apr 2003 22:24:39 -0000
X-ELM-OSV: (Our standard violations) hdr-charset=KOI8-R; no-hdr-encoding=1
In-Reply-To: <20030419064801.GA11635@parodius.com>
To: Jeremy Chadwick
Date: Sun, 20 Apr 2003 02:24:38 +0400 (MSD)
From: "."@babolo.ru
X-Mailer: ELM [version 2.4ME+ PL99b (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Message-Id: <1050791079.007237.719.nullmailer@cicuta.babolo.ru>
cc: freebsd-net@freebsd.org
Subject: Re: BIND-8/9 interface bug? Or is it FreeBSD?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 19 Apr 2003 22:21:44 -0000

> The secondary is configured literally identical to the
> primary, except that the IPs have changed and _all_ of
> the zones are type slave.
>
> I see the exact same problem on the secondary (again,
> outgoing traffic on the public interface with an IP of
> the private), except that the src & dst IPs apply to
> the private IP on the secondary and the WAN IP of the
> primary, respectively. Sorry if that's confusing. :-)
>
> Thank you for your below example -- I didn't consider that
> BIND would do something that "silly" (note quotes), but
> now it makes sense.
>
> I believe removing the query-source option could in fact
> solve the problem, but there is a specific reason for its
> existence -- we rely on the MAPS RBL+ service for SBL lookups,
> which are DNS based. Permission to the RBL+ service is based
> on the IP doing the query. Since the nameserver IPs are
> IP aliases, if I do not specify this, the queries come from
> the first IP in the list shown in ifconfig -a.
>
> If there's a workaround for this, I'd love to hear it. :-)

I use different nameds in different jails for public and private zones,
each pair on one host. The jail guarantees that only the dedicated IP
will be used.

Possible transfers are:

    host1                   host2

  priv named  <--------->  priv named
     ^                        ^
     |                        |
     V                        V
  pub named   <--------->  pub named

The public named knows nothing about private zones.

The private named is used by clients, forwards queries for non-private
zones to its public partner on the same host, and has all private zones
as master or slave.

PS http://free.babolo.ru/ports/jailup/ to easily establish jailed services
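The layout described in the reply, written out as BIND 9 named.conf fragments for the four jailed nameds. This is an added illustration, not configuration from the message, from the jailup port or from the original poster's setup; the addresses (10.0.0.1 and 10.0.0.2 as the private IPs of host1 and host2, 192.0.2.1 and 192.0.2.2 as their public IPs), the zone names corp.example and example.com, and the file paths are all assumed placeholders.

```conf
// ---- host1, jail "priv" (jail IP 10.0.0.1): the private named ----
// Assumed addresses: 10.0.0.1/10.0.0.2 = private IPs of host1/host2,
// 192.0.2.1/192.0.2.2 = public IPs of host1/host2. Zone names are placeholders.
options {
    directory "/etc/namedb";
    // Bind only to the jail's own IP. A one-IP jail forces that IP as the
    // source of every socket anyway, which is why the jail removes the
    // "wrong source IP on the public interface" problem from the thread.
    listen-on { 10.0.0.1; };
    query-source address 10.0.0.1;
    // Everything that is not a private zone goes to the public partner on
    // the same host; this named never resolves on its own.
    forward only;
    forwarders { 192.0.2.1; };
};

// Private zone: master here, slave on host2's private named.
zone "corp.example" {
    type master;
    file "master/corp.example";
    allow-transfer { 10.0.0.2; };   // only the private named on host2
    also-notify { 10.0.0.2; };
};

// ---- host1, jail "pub" (jail IP 192.0.2.1): the public named ----
options {
    directory "/etc/namedb";
    listen-on { 192.0.2.1; };
    // Recursive lookups, including RBL lookups of the kind the original
    // poster mentions, leave from the public IP, so an IP-based ACL on the
    // far side sees 192.0.2.1 and nothing else.
    query-source address 192.0.2.1;
    recursion yes;
    // Recursion only for the private partner and the jail itself; the
    // public named has no knowledge of corp.example at all.
    allow-recursion { 10.0.0.1; 192.0.2.1; };
};

// Public zone: master here, slave on host2's public named.
zone "example.com" {
    type master;
    file "master/example.com";
    allow-transfer { 192.0.2.2; };  // only the public named on host2
    also-notify { 192.0.2.2; };
};

// ---- host2: the same two jails, with each zone as a slave ----
// private named (jail IP 10.0.0.2), otherwise identical options block
// with 10.0.0.2 in place of 10.0.0.1 and 192.0.2.2 as the forwarder
zone "corp.example" {
    type slave;
    file "slave/corp.example";
    masters { 10.0.0.1; };
};

// public named (jail IP 192.0.2.2), otherwise identical options block
// with 192.0.2.2 in place of 192.0.2.1
zone "example.com" {
    type slave;
    file "slave/example.com";
    masters { 192.0.2.1; };
};
```

Clients on the private network point resolv.conf at 10.0.0.1 or 10.0.0.2 and never talk to the public nameds directly. To confirm the jail is doing its job, run `sockstat -4 -l` inside each jail: named should appear bound only to that jail's address, and a query captured on the public interface from the private named should not exist at all, since its only upstream is 192.0.2.1 on the same host.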