From: Peter Wemm
To: Matthew Dillon
cc: Dag-Erling Smorgrav, committers@FreeBSD.ORG
Subject: Re: Bind sandbox bogosity
Date: Tue, 15 Dec 1998 14:29:13 +0800
Message-Id: <199812150629.OAA03361@spinner.netplex.com.au>
In-reply-to: Your message of "Mon, 14 Dec 1998 18:43:56 PST." <199812150243.SAA50480@apollo.backplane.com>

Matthew Dillon wrote:
> The second problem is real, and I did mention it. However,
> my feeling is that running named in a sandbox is a basic
> security precaution that must be taken and that the vast
> majority of configurations will not have a problem with
> it. It would be nice if there were a way to turn off
> the interface scanning junk, though. named is the only
> major program I know that does that (a Vixie bogosity,
> in my view).

The interface scanning is necessary, because the DNS replies *must* come from the same IP address as the query was sent to. With a multihomed host, replying from the nearest return interface is not allowed.

For a static machine, this isn't a problem. For a machine with dynamic interface changes (e.g. PPP links) it is a big thing.

Of course, being able to control which addresses the queries got sent to would be an alternative. Or not running named at all on such boxes.

Cheers,
-Peter
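To make the point concrete, here is an added illustration (not code from the thread or from BIND) of why a per-address socket set, kept in sync by an interface rescan, guarantees that a UDP reply leaves from the address the query was sent to; the address list, port 0 and the loopback round trip are constructed for the demo.

```python
import socket

# Constructed example. A wildcard (0.0.0.0) socket lets the kernel pick the
# source address of a reply by routing, i.e. "the nearest return interface".
# Binding one socket per local address removes that choice: whatever socket
# the query arrived on, the reply carries that socket's address.

def rescan(sockets, addresses, port=0):
    """Bring the dict {addr: socket} in line with the current address list.
    This is the "interface scanning" step: new addresses get a bound socket,
    addresses that vanished (e.g. a dropped PPP link) have theirs closed."""
    for addr in list(sockets):
        if addr not in addresses:
            sockets.pop(addr).close()
    for addr in addresses:
        if addr not in sockets:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.settimeout(2)
            s.bind((addr, port))          # one address, never 0.0.0.0
            sockets[addr] = s
    return sockets

def serve_one(sock):
    """Answer one datagram on the very socket it arrived on, so the source
    address of the reply is fixed by the bind, not by the routing table."""
    data, peer = sock.recvfrom(512)
    sock.sendto(b"reply:" + data, peer)

def round_trip(addresses, target):
    """Bind per-address sockets, send one query to `target`, answer it, and
    return (reply payload, source address of the reply) as the client saw it."""
    sockets = rescan({}, addresses)
    server = sockets[target]
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    try:
        client.sendto(b"q", (target, port))
        serve_one(server)                 # datagram is already queued on loopback
        reply, (src, _) = client.recvfrom(512)
    finally:
        client.close()
        rescan(sockets, [])               # simulate every address going away
    return reply, src

if __name__ == "__main__":
    print(round_trip(["127.0.0.1"], "127.0.0.1"))
```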