From: Doug Barton
To: Jeremy Chadwick
Cc: stable@freebsd.org, Eugene Grosbein
Subject: Re: named.conf: query-source address
Date: Wed, 16 Jul 2008 14:23:28 -0700
Message-ID: <487E66D0.1050000@FreeBSD.org>
In-Reply-To: <20080716205705.GA25198@eos.sc1.parodius.com>
References: <20080716162042.GA27666@svzserv.kemerovo.su> <20080716205705.GA25198@eos.sc1.parodius.com>

Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 12:20:42AM +0800, Eugene Grosbein wrote:
>> I fully understand and second efforts on educating people
>> how to configure BIND to be strong to attacks and keep them from using
>> "query-source address" with "port" option but how about
>> binding named to a particular IP address when host has
>> many of them?
>
> We do such on our authoritative nameservers. The options we use:
>
> listen-on { 127.0.0.1; 72.20.106.4; };
> query-source address 72.20.106.4;
> transfer-source 72.20.106.4;
> notify-source 72.20.106.4;
> interface-interval 0;
> use-alt-transfer-source no;

Have you found those -source options to be necessary in practice? In general named should be smart enough not to try reaching the outside world on the loopback address.

Also, I'm guessing that you have more than one public IP address configured on that box? Otherwise none of those options should be necessary.

Doug

--
This .signature sanitized for your protection
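An added audit check, not part of this thread or of BIND, that scans a named.conf for the configuration Eugene warns against: a query-source (or query-source-v6) statement that pins a fixed source port, which defeats named's source-port randomization, while pinning only the address (as in Jeremy's config) is left alone. The two config fragments and their addresses are constructed for the example.

```python
import re

# Constructed named.conf fragments (documentation addresses, not the thread's).
WEAK_CONF = """
options {
    listen-on { 127.0.0.1; 192.0.2.4; };
    query-source address 192.0.2.4 port 53;   // fixed port: weak
    transfer-source 192.0.2.4;
};
"""

SAFE_CONF = """
options {
    listen-on { 127.0.0.1; 192.0.2.4; };
    query-source address 192.0.2.4;           /* address only: fine */
    query-source-v6 address 2001:db8::4 port *;  # '*' keeps randomization
    notify-source 192.0.2.4;
};
"""

# One query-source statement: keyword, then everything up to the ';'.
_STMT = re.compile(r'\b(query-source(?:-v6)?)\s+([^;]*);')
_PORT = re.compile(r'\bport\s+(\S+)')


def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#).*', '', text)


def check_query_source(conf):
    """Return (statement, problem) pairs for query-source statements
    that pin a fixed source port; 'port *' and no port clause pass."""
    findings = []
    for m in _STMT.finditer(strip_comments(conf)):
        stmt, body = m.group(1), m.group(2).strip()
        p = _PORT.search(body)
        if p and p.group(1) != '*':
            findings.append((stmt, 'fixed source port %s disables '
                             'source-port randomization' % p.group(1)))
    return findings


if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('safe', SAFE_CONF)):
        print(name, check_query_source(conf) or 'ok')
```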