Eugene Grosbein wrote:
I fully understand and second efforts on educating people how to configure BIND to be strong to attacks and keep them from using "query-source address" with "port" option but how about binding named to particular IP address when host has many of them? Using "query-source address" without "port" is the only solution (not speaking of jails here) and safe one? Wouldn't all that hustle about query-source misinform users about utility of it?
To make named bind to a particular IP, you want the 'listen-on' options -- this is the IP that clients will access for service. By the nature of things, you'll have to use port 53 for this. The 'query-source' options don't have to be specified: the system will just choose some appropriate address according to the state of the routing table. 'query-source' to set the source /IP/ is really only useful in some specific server configurations with several alias addresses any of which could be used. That's pretty rare really. Most of the uses of query-source have been to set the source /port/ -- this was a standard part of the documentation: fix the source port in order to help the DNS traffic transit firewalls. However the recent security advisory has forced the complete abandonment of that idea. It's not even particularly truthful that you need to fix the source port because of firewalling: nowadays most firewalls are stateful, which eliminates that requirement.
query-source is only ever used by recursive or stub resolvers -- instances of named that will go out and make queries on the net on your behalf. Authoritative servers really don't need it.
Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
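The configuration Matthew describes, written out as an added example (not taken from the thread or from BIND's own documentation): 'listen-on' pins the service address on a multi-homed host, 'query-source address' picks the outbound IP for a recursive resolver without fixing the port, and the old port-pinning form is shown commented out as the setting to avoid. The addresses, directory and client range are constructed placeholders.

```conf
// Added example named.conf fragment; addresses are documentation-range
// placeholders (192.0.2.0/24), not real hosts.
options {
    directory "/var/named";             // hypothetical working directory

    // Serve clients only on one of the host's several addresses.
    // Clients always reach the server on port 53, so that is what listen-on uses.
    listen-on port 53 { 192.0.2.10; };
    listen-on-v6 { none; };

    // This instance recurses on behalf of clients, so it makes its own
    // outbound queries. Choose the source IP explicitly when the host has
    // several alias addresses, but leave the port unspecified so named can
    // pick a random source port for every query.
    query-source address 192.0.2.10;

    // Setting to avoid: pinning the source port to a fixed value removes the
    // per-query port randomization that the advisory in this thread restores.
    // query-source address 192.0.2.10 port 53;

    recursion yes;
    allow-recursion { 192.0.2.0/24; };  // hypothetical client network
};
```

Run `named-checkconf` against the file before reloading to catch syntax errors; an authoritative-only server can omit the 'query-source' line entirely, as the reply notes.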