Hi All:

I'm still working on my FreeBSD server to make it work with NSD.

I've already updated my ports with NSD 2.0.2 and it was pretty easy (thanks to Peter Hessler).

My host has two network interfaces, with two IP addresses belonging to two different IP networks (one for national traffic, one for international traffic). Let's suppose the first IP is X.X.X.X and the second is Y.Y.Y.Y.

The default route is through the first network interface.

When I query the first interface, I get the expected answer.

When I query the second interface, I get a query timeout.

Checking with tcpdump, I've found that queries coming in through the 2nd interface (dst address Y.Y.Y.Y) went out through the first interface (probably due to the default router) but using X.X.X.X as the IP source address, so any firewall will not match the answer because it is not "related".

If I force queries to be TCP, they work perfectly on both addresses.

I'm not sure if this is a problem related to NSD or FreeBSD. I'm planning to solve it using SNAT (if FreeBSD allows it), but I still want to hear from you (probably I'm doing something wrong).

Best Regards

--
Sebastian E. Castro Avila sebastian at nic.cl
Administrador de DNS, NIC Chile
Agustinas 1357 Piso 4
Santiago, Chile
Cod. Postal 6500587
Phone: +56-2-9407705
Fax : +56-2-9407701
Sebastian Castro wrote:
> Hi All:
>
> I'm still working on my FreeBSD server to make it work with NSD.
>
> I've already updated my ports with NSD 2.0.2 and it was pretty easy
> (thanks to Peter Hessler).
>
> My host has two network interfaces, with two IP addresses belonging to
> two different IP networks (one for national traffic, one for
> international traffic). Let's suppose the first IP is X.X.X.X and the second is
> Y.Y.Y.Y.
>
> The default route is through the first network interface.
>
> When I query the first interface, I get the expected answer.
>
> When I query the second interface, I get a query timeout.
>
> Checking with tcpdump, I've found that queries coming in through the 2nd
> interface (dst address Y.Y.Y.Y) went out through the first interface (probably due to the default
> router) but using X.X.X.X as the IP source address, so any firewall will not
> match the answer because it is not "related".

This is the way UDP works on most (all?) systems when a single UDP socket is used for multiple interfaces.

To get correct multihoming source addresses from the server, make sure NSD uses multiple UDP sockets, one for each interface, using the -a flag:

    nsd -a X.X.X.X -a Y.Y.Y.Y

This way queries to the Y.Y.Y.Y interface will be received on the UDP socket for interface Y.Y.Y.Y and will also be responded to from the Y.Y.Y.Y source address.

Erik
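The tcpdump symptom Sebastian describes (a reply to a query sent to Y.Y.Y.Y leaving with source X.X.X.X) is easy to check for in a capture after changing the NSD listener setup as Erik suggests. The following is an added example, not code from the thread or from NSD: it pairs DNS queries with their responses by client endpoint and transaction id in tcpdump-style text output and flags every response whose source address is not the address the query was sent to. The capture lines and the 192.0.2.10 / 198.51.100.10 server addresses are constructed for the example.

```python
import re

# Constructed tcpdump-style lines (not a real capture). The server has two
# addresses, 192.0.2.10 (default route) and 198.51.100.10. The reply to the
# query sent to 198.51.100.10 leaves with source 192.0.2.10, the symptom of a
# single UDP socket serving several interfaces.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 203.0.113.5.53120 > 192.0.2.10.53: 4321+ A? example.cl. (28)
12:00:01.000300 IP 192.0.2.10.53 > 203.0.113.5.53120: 4321 1/0/0 A 192.0.2.77 (44)
12:00:02.000100 IP 203.0.113.5.53121 > 198.51.100.10.53: 4322+ A? example.cl. (28)
12:00:02.000300 IP 192.0.2.10.53 > 203.0.113.5.53121: 4322 1/0/0 A 192.0.2.77 (44)
"""

# src endpoint, dst endpoint, DNS transaction id, rest of the DNS summary.
LINE_RE = re.compile(r"IP (\S+) > (\S+): (\d+)\S*\s+(.*)")


def split_host_port(endpoint):
    """tcpdump prints IPv4 endpoints as A.B.C.D.PORT; split on the last dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def find_asymmetric_replies(capture_text):
    """Return (txid, queried_address, reply_source) for each response whose
    source address differs from the address the matching query was sent to."""
    pending = {}      # (client_ip, client_port, txid) -> server address queried
    mismatches = []
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, txid, rest = m.groups()
        src_ip, src_port = split_host_port(src)
        dst_ip, dst_port = split_host_port(dst)
        # tcpdump prints queries as "TYPE? name" and responses as "ans/auth/add".
        if "?" in rest:
            pending[(src_ip, src_port, txid)] = dst_ip
        else:
            queried = pending.pop((dst_ip, dst_port, txid), None)
            if queried is not None and queried != src_ip:
                mismatches.append((txid, queried, src_ip))
    return mismatches


if __name__ == "__main__":
    for txid, queried, reply_src in find_asymmetric_replies(SAMPLE_CAPTURE):
        print(f"id {txid}: queried {queried}, reply came from {reply_src}")
```

A stateful firewall drops exactly the flagged replies; after starting NSD with one -a per address the list should be empty for a fresh capture.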