Date: Tue, 15 Dec 1998 14:29:13 +0800
From: Peter Wemm <peter@netplex.com.au>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: Dag-Erling Smorgrav <des@flood.ping.uio.no>, committers@FreeBSD.ORG
Subject: Re: Bind sandbox bogosity
Message-ID: <199812150629.OAA03361@spinner.netplex.com.au>
In-Reply-To: Your message of "Mon, 14 Dec 1998 18:43:56 PST." <199812150243.SAA50480@apollo.backplane.com>
Matthew Dillon wrote:
> The second problem is real, and I did mention it. However,
> my feeling is that running named in a sandbox is a basic
> security precaution that must be taken and that the vast
> majority of configurations will not have a problem with
> it. It would be nice if there were a way to turn off
> the interface scanning junk, though. named is the only
> major program I know that does that (a Vixie bogosity,
> in my view).

The interface scanning is necessary, because the DNS replies *must* come from the same IP address as the query was sent to. With a multihomed host, replying from the nearest return interface is not allowed.

For a static machine, this isn't a problem. For a machine with dynamic interface changes (e.g. PPP links) it is a big thing.

Of course, being able to control which addresses the queries got sent to would be an alternative. Or not running named at all on such boxes.

Cheers,
-Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
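The requirement Peter describes can be seen on a single machine. The following is an added example, not code from the thread or from BIND: it treats two loopback addresses, 127.0.0.1 and a constructed alias 127.0.0.2 (which Linux accepts without configuration; where it cannot be bound the demo says so instead of failing), as the two interfaces of a multihomed host. A "resolver" sends a query to one of them and applies the check real resolvers apply: the reply is only accepted if its source address and port are the ones the query was sent to. The server is run two ways: as one wildcard socket on 0.0.0.0, where the kernel picks the reply's source address by routing, and as one socket per local address, which is what named's interface scanning sets up. The server and helper names are this example's own.

```python
"""Why a DNS server must answer from the address the query was sent to.

Added example, not from the original thread or from BIND. 127.0.0.2 is a
constructed alias standing in for a second interface; 127.0.0.1 is the
host's primary address.
"""
import socket
import threading

PRIMARY = "127.0.0.1"
ALIAS = "127.0.0.2"   # constructed second "interface" address


def address_bindable(addr):
    """Return True if this host lets us bind a UDP socket to addr."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((addr, 0))
        return True
    except OSError:
        return False
    finally:
        s.close()


def serve_one(sock):
    """Answer exactly one datagram on sock with an echo of its payload."""
    data, peer = sock.recvfrom(512)
    sock.sendto(b"reply:" + data, peer)
    sock.close()


def start_wildcard_server():
    """One socket bound to 0.0.0.0: the kernel chooses the reply's source
    address by route lookup, not by where the query arrived."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("0.0.0.0", 0))
    port = s.getsockname()[1]
    threading.Thread(target=serve_one, args=(s,), daemon=True).start()
    return port


def start_per_address_servers(addrs):
    """One socket per local address, all on the same port (named's approach):
    the reply leaves from the socket that received the query, so its source
    address is necessarily the address the query was sent to."""
    port = 0
    for addr in addrs:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((addr, port))
        port = s.getsockname()[1]   # first bind picks the port, others reuse it
        threading.Thread(target=serve_one, args=(s,), daemon=True).start()
    return port


def query(server_ip, port, payload=b"q", timeout=2.0):
    """Send one query from the primary address and apply the resolver's rule:
    accept the reply only if it comes from the address:port queried."""
    c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    c.settimeout(timeout)
    c.bind((PRIMARY, 0))
    try:
        c.sendto(payload, (server_ip, port))
        _data, (src_ip, src_port) = c.recvfrom(512)
    finally:
        c.close()
    return {"reply_from": src_ip, "accepted": (src_ip, src_port) == (server_ip, port)}


def run_demo():
    """Run both server styles and report whether the resolver accepts each reply."""
    results = {"alias_usable": address_bindable(ALIAS)}
    addrs = [PRIMARY] + ([ALIAS] if results["alias_usable"] else [])
    port = start_per_address_servers(addrs)
    results["per_address_primary"] = query(PRIMARY, port)["accepted"]
    if results["alias_usable"]:
        results["per_address_alias"] = query(ALIAS, port)["accepted"]
        wport = start_wildcard_server()
        r = query(ALIAS, wport)
        results["wildcard_alias"] = r["accepted"]        # False on Linux: reply comes from 127.0.0.1
        results["wildcard_reply_from"] = r["reply_from"]
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

With the wildcard socket the query sent to 127.0.0.2 is answered from 127.0.0.1, and the resolver discards it, which is the failure a multihomed host without per-interface sockets produces for real clients. Binding one socket per address is what forces the match, and that is exactly why a daemon doing it has to notice when addresses appear or vanish on a PPP link. Later kernels added IP_PKTINFO (Linux) and IP_RECVDSTADDR (BSD), which let a single wildcard socket learn the destination address of each datagram and reply from it; that option was not on the table in 1998.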