On 7/15/06, Nejc Skoberne <[EMAIL PROTECTED]> wrote:
> request is E.F.G.H, the source address of DNS reply is A.B.C.D! That is why
> route-to rule doesn't work any more. If I remember correctly, this is due to
> the fact that UDP is a connectionless protocol and the DNS server doesn't
> have to bind to a specific address and port when sending a UDP packet (DNS
> reply). Therefore it uses the source IP address of the interface via which
> it tries to send the reply (default route).
>
> How could I solve this problem?

Well, the specification says that a DNS server reply may come from a
different IP than the one the request was received upon.

Every DNS server I work with binds to all the specific IPs with
different sockets, instead of binding to the wildcard socket.  Perhaps
you can upgrade, or switch servers.  If you're going to have to
re-write the config file anyway, you might consider djbdns.  Although
it cannot put a cache and a server on the same socket, it is much more
secure, much easier to configure, and you can use interface aliases.
The other alternative is to run two instances of your server, and have
each bind to one IP address alone, if that's possible.
--
``I am not a pessimist.  To perceive evil where it exists is, in my
opinion, a form of optimism.'' -- Roberto Rossellini
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
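The two socket layouts discussed in the reply, as an added Python demonstration that is not from the thread: a wildcard-bound UDP responder answers from the default route's address, while one socket per address answers from the address the query actually reached. It assumes a Linux loopback where 127.0.0.1 and 127.0.0.2 stand in for the server's two addresses (A.B.C.D and E.F.G.H in the quoted mail).

```python
import select
import socket

# Constructed loopback stand-ins for the two server addresses in the thread
# (A.B.C.D = address of the default route, E.F.G.H = address the query is
# sent to). Both are local on a stock Linux loopback (127.0.0.0/8).
PRIMARY = "127.0.0.1"
SECONDARY = "127.0.0.2"
TIMEOUT = 2.0

def _udp(addr, port=0):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((addr, port))
    return s

def wildcard_server():
    """The 'before': one socket on 0.0.0.0, as a wildcard-bound resolver does."""
    return [_udp("0.0.0.0")]

def per_address_servers():
    """The fix from the reply: one socket per address, all on the same port."""
    first = _udp(PRIMARY)
    return [first, _udp(SECONDARY, first.getsockname()[1])]

def reply_source(servers):
    """Send one query to SECONDARY, answer it from whichever server socket
    received it, and return the source IP the client sees on the reply."""
    port = servers[0].getsockname()[1]
    client = _udp(PRIMARY)
    client.settimeout(TIMEOUT)
    try:
        client.sendto(b"query", (SECONDARY, port))
        ready, _, _ = select.select(servers, [], [], TIMEOUT)
        if not ready:
            raise RuntimeError("no server socket received the query")
        data, peer = ready[0].recvfrom(512)
        # An unconnected reply takes the kernel's route-preferred source
        # address unless the sending socket is bound to a specific one.
        ready[0].sendto(b"reply:" + data, peer)
        _, (src_ip, _) = client.recvfrom(512)
        return src_ip
    finally:
        client.close()
        for s in servers:
            s.close()

if __name__ == "__main__":
    print("wildcard socket replies from", reply_source(wildcard_server()))
    print("per-address sockets reply from", reply_source(per_address_servers()))
```

The first call returns the default route's address even though the query was sent to the other one, which is exactly the mismatch that defeats a route-to rule; the second returns the address the query was sent to.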
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf