Date: Wed, 16 Jul 2008 18:34:38 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Eugene Grosbein <eugen@kuzbass.ru>
Cc: stable@freebsd.org
Subject: Re: named.conf: query-source address
Message-ID: <487E312E.9090307@infracaninophile.co.uk>
In-Reply-To: <20080716162042.GA27666@svzserv.kemerovo.su>
References: <20080716162042.GA27666@svzserv.kemerovo.su>
Eugene Grosbein wrote:

> I fully understand and second efforts on educating people
> how to configure BIND to be strong to attacks and keep them from using
> "query-source address" with "port" option but how about
> binding named to particular IP address when host has many of them?
> Using "query-source address" without "port" is the only solution
> (not speaking of jails here) and safe one? Wouldn't all that hustle
> about query-source misinform users about utility of it?

To make named bind to a particular IP, you want the 'listen-on' options
-- this is the IP that clients will access for service. By the nature of
things, you'll have to use port 53 for this. The 'query-source' options
don't have to be specified: the system will just choose some appropriate
address according to the state of the routing table. 'query-source' to
set the source /IP/ is really only useful in some specific server
configurations with several alias addresses any of which could be used.
That's pretty rare really.

Most of the uses of query-source have been to set the source /port/ --
this was a standard part of the documentation: fix the source port in
order to help the DNS traffic transit firewalls. However the recent
security advisory has forced the complete abandonment of that idea.
It's not even particularly truthful that you need to fix the source port
because of firewalling: nowadays most firewalls are stateful, which
eliminates that requirement.

query-source is only ever used by recursive or stub resolvers --
instances of named that will go out and make queries on the net on your
behalf. Authoritative servers really don't need it.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
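The two named.conf shapes discussed above, side by side, as an added example that is not part of this thread and not from the FreeBSD or BIND projects: one fragment pins the outgoing source port with 'query-source ... port', the other binds the service address with 'listen-on' and gives 'query-source' only an address, leaving port selection to named. The address 192.0.2.10 and the directory path are assumed for illustration, and the check_query_source function is a hypothetical audit helper that flags a fixed numeric port on any query-source statement.

```shell
#!/bin/sh
# Constructed named.conf fragments (documentation address 192.0.2.10 is
# an assumption). BAD_CONF fixes the UDP source port; GOOD_CONF lets
# named pick a random source port and only pins the source address.

BAD_CONF='
options {
    directory "/etc/namedb";
    listen-on { 192.0.2.10; };
    recursion yes;
    // Every outgoing query now leaves from port 53: no port randomisation.
    query-source address 192.0.2.10 port 53;
};
'

GOOD_CONF='
options {
    directory "/etc/namedb";
    // The address clients query for service; port 53 is implied.
    listen-on { 192.0.2.10; };
    recursion yes;
    // Source address only; the source port is chosen by named per query.
    query-source address 192.0.2.10;
};
'

# check_query_source: read named.conf text on stdin. Returns 1 if any
# query-source or query-source-v6 statement carries a fixed numeric
# "port N", otherwise 0. "//" comments are stripped first so that a
# comment mentioning a port does not trigger a false positive.
check_query_source() {
    if sed 's|//.*$||' \
        | grep -E 'query-source(-v6)?[^;]*port[[:space:]]+[0-9]+' >/dev/null
    then
        return 1
    fi
    return 0
}

# Usage on a live system: check_query_source < /etc/namedb/named.conf
```

Run it against the real file after 'named-checkconf' has accepted the syntax; a non-zero return from check_query_source means a query-source statement is still pinning the source port, which is the setting the message above says should be abandoned. Note that 'port *' (explicitly random) is not flagged, since it does not fix a numeric port.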
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?487E312E.9090307>