Date:      Wed, 16 Jul 2008 14:23:28 -0700
From:      Doug Barton <dougb@FreeBSD.org>
To:        Jeremy Chadwick <koitsu@FreeBSD.org>
Cc:        stable@freebsd.org, Eugene Grosbein <eugen@kuzbass.ru>
Subject:   Re: named.conf: query-source address
Message-ID:  <487E66D0.1050000@FreeBSD.org>
In-Reply-To: <20080716205705.GA25198@eos.sc1.parodius.com>
References:  <20080716162042.GA27666@svzserv.kemerovo.su> <20080716205705.GA25198@eos.sc1.parodius.com>

Jeremy Chadwick wrote:
> On Thu, Jul 17, 2008 at 12:20:42AM +0800, Eugene Grosbein wrote:
>> I fully understand and second efforts on educating people
>> how to configure BIND to be strong against attacks and keep them from using
>> "query-source address" with "port" option but how about
>> binding named to particular IP address when host has many of them?
> 
> We do such on our authoritative nameservers.  The options we use:
> 
>         listen-on       { 127.0.0.1; 72.20.106.4; };
>         query-source address 72.20.106.4;
>         transfer-source 72.20.106.4;
>         notify-source 72.20.106.4;
>         interface-interval 0;
>         use-alt-transfer-source no;

Have you found those -source options to be necessary in practice? In 
general named should be smart enough not to try reaching the outside 
world on the loopback address.

Also, I'm guessing that you have more than one public IP address 
configured on that box? Otherwise none of those options should be 
necessary.

Doug

-- 

     This .signature sanitized for your protection