Date: Wed, 16 Jul 2008 17:22:07 -0400 (EDT)
From: Charles Sprickman <spork@bway.net>
To: Jeremy Chadwick <koitsu@FreeBSD.org>
Cc: stable@freebsd.org, Eugene Grosbein <eugen@kuzbass.ru>
Subject: Re: named.conf: query-source address
Message-ID: <Pine.OSX.4.64.0807161721110.505@hotlap.local>
In-Reply-To: <20080716205705.GA25198@eos.sc1.parodius.com>
References: <20080716162042.GA27666@svzserv.kemerovo.su> <20080716205705.GA25198@eos.sc1.parodius.com>
On Wed, 16 Jul 2008, Jeremy Chadwick wrote:

> On Thu, Jul 17, 2008 at 12:20:42AM +0800, Eugene Grosbein wrote:
>> I fully understand and second efforts on educating people
>> how to configure BIND to be strong to attacks and keep them from using
>> "query-source address" with "port" option but how about
>> binding named to particular IP address when host has many of them?
>
> We do such on our authoritative nameservers.  The options we use:

Same here...

> listen-on { 127.0.0.1; 72.20.106.4; };
> query-source address 72.20.106.4;
> transfer-source 72.20.106.4;
> notify-source 72.20.106.4;

But just that portion.  It works, and it passes the test with a std. dev of
19K or so on the port "randomness".

Charles

> interface-interval 0;
> use-alt-transfer-source no;
>
> --
> | Jeremy Chadwick                                   jdc at parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |