From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Eugene Grosbein
Cc: stable@freebsd.org
Date: Wed, 16 Jul 2008 18:34:38 +0100
Subject: Re: named.conf: query-source address
Message-ID: <487E312E.9090307@infracaninophile.co.uk>
In-Reply-To: <20080716162042.GA27666@svzserv.kemerovo.su>
Organization: Infracaninophile
User-Agent: Thunderbird 2.0.0.14 (X11/20080607)
X-BeenThere: freebsd-stable@freebsd.org

Eugene Grosbein wrote:
> I fully understand and second efforts on educating people
> how to configure BIND to be strong to attacks and keep them from using
> "query-source address" with "port" option but how about
> binding named to particular IP address when host has many of them?
> Using "query-source address" without "port" is the only solution
> (not speaking of jails here) and a safe one? Wouldn't all that hustle
> about query-source misinform users about utility of it?

To make named bind to a particular IP, you want the 'listen-on' options -- this is the IP that clients will access for service. By the nature of things, you'll have to use port 53 for this. The 'query-source' options don't have to be specified: the system will just choose some appropriate address according to the state of the routing table.

'query-source' to set the source /IP/ is really only useful in some specific server configurations with several alias addresses any of which could be used. That's pretty rare really.

Most of the uses of query-source have been to set the source /port/ -- this was a standard part of the documentation: fix the source port in order to help the DNS traffic transit firewalls. However, the recent security advisory has forced the complete abandonment of that idea. It's not even particularly truthful that you need to fix the source port because of firewalling: nowadays most firewalls are stateful, which eliminates that requirement.

query-source is only ever used by recursive or stub resolvers -- instances of named that will go out and make queries on the net on your behalf. Authoritative servers really don't need it.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
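An added audit script for the point made in the reply above; it is not from the list post and not part of BIND. It scans a named.conf for `query-source` / `query-source-v6` statements that pin the outbound source port (the pre-advisory pattern), while an address-only `query-source`, `port *`, and `listen-on` are left alone. Both sample configurations are constructed for this example.

```python
"""Audit named.conf 'query-source' statements for a fixed source port."""
import re

# Constructed samples (not from the list post). WEAK_CONF pins the source
# port, as older firewall-oriented docs suggested; FIXED_CONF binds the
# service address with listen-on and lets named pick a random source port.
WEAK_CONF = """
options {
    directory "/etc/namedb";
    listen-on { 192.0.2.53; };
    query-source address 192.0.2.53 port 53;
    query-source-v6 address 2001:db8::53 port 53;
};
"""

FIXED_CONF = """
options {
    directory "/etc/namedb";
    listen-on { 192.0.2.53; };
    query-source address 192.0.2.53;
    query-source-v6 address 2001:db8::53 port *;
};
"""

# query-source[-v6] [address X] [port Y];  (either clause may be absent)
_QS = re.compile(
    r"(query-source(?:-v6)?)\s+"
    r"(?:address\s+(?P<addr>[^\s;]+))?\s*"
    r"(?:port\s+(?P<port>[^\s;]+))?\s*;"
)


def strip_comments(conf: str) -> str:
    """Drop the three named.conf comment forms: /* */, //, and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def fixed_source_ports(conf: str) -> list:
    """Return (statement, address, port) for every query-source that pins
    the source port. A missing port clause and 'port *' both leave the
    port choice to named, so they are not reported."""
    findings = []
    for m in _QS.finditer(strip_comments(conf)):
        port = m.group("port")
        if port is not None and port != "*":
            findings.append((m.group(1), m.group("addr") or "*", port))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, fixed_source_ports(conf))
```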