Hi!

I fully understand and second efforts on educating people how to configure BIND to be strong against attacks and keep them from using "query-source address" with the "port" option, but how about binding named to a particular IP address when the host has many of them? Is using "query-source address" without "port" the only solution (not speaking of jails here), and a safe one? Wouldn't all that hustle about query-source misinform users about the utility of it?

Eugene Grosbein
Eugene Grosbein wrote:
> I fully understand and second efforts on educating people
> how to configure BIND to be strong against attacks and keep them from using
> "query-source address" with "port" option but how about
> binding named to particular IP address when host has many of them?
> Using "query-source address" without "port" is the only solution
> (not speaking of jails here) and safe one? Wouldn't all that hustle
> about query-source misinform users about utility of it?

To make named bind to a particular IP, you want the 'listen-on' options -- this is the IP that clients will access for service. By the nature of things, you'll have to use port 53 for this.

The 'query-source' options don't have to be specified: the system will just choose some appropriate address according to the state of the routing table. 'query-source' to set the source /IP/ is really only useful in some specific server configurations with several alias addresses, any of which could be used. That's pretty rare really.

Most of the uses of query-source have been to set the source /port/ -- this was a standard part of the documentation: fix the source port in order to help the DNS traffic transit firewalls. However, the recent security advisory has forced the complete abandonment of that idea. It's not even particularly truthful that you need to fix the source port because of firewalling: nowadays most firewalls are stateful, which eliminates that requirement.

query-source is only ever used by recursive or stub resolvers -- instances of named that will go out and make queries on the net on your behalf. Authoritative servers really don't need it.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
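The two forms of 'query-source' Matthew contrasts above, side by side. This is an added illustration, not configuration from any poster in this thread; the address 192.0.2.53 is an assumed documentation address standing in for the server's own alias.

```conf
// Weak form (the old firewall-friendly advice): every outgoing query
// leaves from UDP port 53, so the only thing an off-path attacker has
// to guess is the 16-bit query ID.
options {
    listen-on { 127.0.0.1; 192.0.2.53; };    // 192.0.2.53 is an assumed address
    query-source address 192.0.2.53 port 53;
};

// Corrected form: keep the source address (pinning which alias the
// queries leave from) but drop the port, so named picks a random
// unprivileged port for each query.
options {
    listen-on { 127.0.0.1; 192.0.2.53; };
    query-source address 192.0.2.53;
};
```

Only one 'options' block belongs in a real named.conf; the two are shown together to make the difference visible. If a stateless packet filter sits in front of the resolver, the fix is to let it pass the whole unprivileged UDP port range back to the resolver's address, not to reinstate the 'port' clause.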
On Thu, Jul 17, 2008 at 12:20:42AM +0800, Eugene Grosbein wrote:
> I fully understand and second efforts on educating people
> how to configure BIND to be stong to attacks and keep them from using
> "query-source address" with "port" option but how about
> binding named to particular IP address when host has many of them?

We do such on our authoritative nameservers. The options we use:

  listen-on { 127.0.0.1; 72.20.106.4; };
  query-source address 72.20.106.4;
  transfer-source 72.20.106.4;
  notify-source 72.20.106.4;
  interface-interval 0;
  use-alt-transfer-source no;

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
On Wed, 16 Jul 2008, Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 12:20:42AM +0800, Eugene Grosbein wrote:
>> I fully understand and second efforts on educating people
>> how to configure BIND to be stong to attacks and keep them from using
>> "query-source address" with "port" option but how about
>> binding named to particular IP address when host has many of them?
>
> We do such on our authoritative nameservers. The options we use:

Same here...

> listen-on { 127.0.0.1; 72.20.106.4; };
> query-source address 72.20.106.4;
> transfer-source 72.20.106.4;
> notify-source 72.20.106.4;

But just that portion. It works, and it passes the test with a std. dev of 19K or so on the port "randomness".

Charles

> interface-interval 0;
> use-alt-transfer-source no;
>
> --
> | Jeremy Chadwick                                jdc at parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |
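Charles reports checking his resolver's source-port "randomness" and getting a standard deviation of about 19K. That figure is what a healthy server should show: ports drawn uniformly from the unprivileged range 1024..65535 have a population standard deviation of (65535 - 1024) / sqrt(12), roughly 18.6K. The script below is an added example (not code from anyone in this thread) that performs the same kind of check offline on `tcpdump -nn` output: it picks out queries leaving the resolver for port 53, then reports the number of distinct source ports and their standard deviation, flagging a server still pinned to one port or one whose OS hands out sequential ports. The resolver address 192.0.2.53, the peer addresses and all sample lines are constructed for the example.

```python
import re
import statistics

# Assumed address of the recursive server under test (documentation range).
RESOLVER = "192.0.2.53"

# Matches "IP src.sport > dst.dport:" as printed by `tcpdump -nn`
# (the -nn is needed so ports are printed numerically, not as "domain").
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")


def make_query_line(sport, src=RESOLVER, dst="198.51.100.1", qid=1000):
    """Build one constructed outgoing-query line in tcpdump -nn style."""
    return f"12:00:00.000000 IP {src}.{sport} > {dst}.53: {qid}+ A? example.com. (29)"


# Three constructed captures, one per configuration being compared:
#   FIXED      -> "query-source address ... port 53" still in named.conf
#   SEQUENTIAL -> port clause removed, but the OS allocates ports in order
#   RANDOM     -> port clause removed, OS/named randomises the port
FIXED_CAPTURE = [make_query_line(53, qid=1000 + i) for i in range(12)]
SEQUENTIAL_CAPTURE = [make_query_line(32768 + i, qid=2000 + i) for i in range(12)]
RANDOM_CAPTURE = [
    make_query_line(p, qid=3000 + i)
    for i, p in enumerate([1025, 7000, 12345, 20000, 25500, 31000,
                           38000, 44444, 50000, 55555, 60000, 65000])
]
# Lines the parser must ignore: an inbound answer and a non-DNS TCP packet.
NOISE = [
    "12:00:00.100000 IP 198.51.100.1.53 > 192.0.2.53.40000: 1000 1/0/0 A 203.0.113.7 (45)",
    "12:00:00.200000 IP 192.0.2.53.22 > 203.0.113.9.51515: Flags [P.], length 64",
]


def source_ports(lines, resolver=RESOLVER):
    """Return the UDP source ports of queries the resolver sent to port 53."""
    ports = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, _dst, dport = m.groups()
        if src == resolver and dport == "53":
            ports.append(int(sport))
    return ports


def assess(ports, min_samples=8, min_stdev=10000.0):
    """Classify port selection as fixed / weak / ok from a list of ports.

    min_stdev is a deliberately loose threshold: a uniform draw over
    1024..65535 gives ~18.6K, so anything under 10K means the ports are
    being drawn from a much narrower range than they should be.
    """
    distinct = len(set(ports))
    if len(ports) < min_samples:
        return {"verdict": "insufficient", "samples": len(ports),
                "distinct": distinct, "stdev": 0.0}
    stdev = statistics.pstdev(ports)
    if distinct == 1:
        verdict = "fixed"           # the pre-advisory "port 53" configuration
    elif stdev < min_stdev or distinct < len(ports) // 2:
        verdict = "weak"            # sequential or heavily reused ports
    else:
        verdict = "ok"
    return {"verdict": verdict, "samples": len(ports),
            "distinct": distinct, "stdev": stdev}


def check_capture(lines, resolver=RESOLVER):
    """Convenience wrapper: parse a capture and assess it in one step."""
    return assess(source_ports(lines, resolver))


if __name__ == "__main__":
    for name, capture in (("fixed", FIXED_CAPTURE),
                          ("sequential", SEQUENTIAL_CAPTURE),
                          ("random", RANDOM_CAPTURE)):
        r = check_capture(capture + NOISE)
        print(f"{name:10s} verdict={r['verdict']:12s} distinct={r['distinct']:3d} "
              f"stdev={r['stdev']:8.1f}")
```

On a live server the same thing is `tcpdump -nn -c 200 udp and src host <resolver> and dst port 53 | python3 this_script.py` with the `__main__` block reading `sys.stdin` instead of the constructed captures; a small sample is enough, since a pinned port shows up immediately and a healthy one is obvious within a few dozen queries.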