12/23 Is anyone here familiar with the bind 4.9.8 code? I'm trying
to restrict the set of interfaces that named listens on (I
have three interfaces and only want named listening on 2 of
them). I've patched get_netconf in ns_main.c (among other files)
to basically skip any interface that is not listed in named.boot.
This seems to work, in that netstat shows only udp <ip>.domain
entries for those interfaces listed in named.boot. But named
still responds to queries from the other interface. Any ideas/
pointers will be appreciated. tia.
\_ See named.conf(5) regarding the "listen-on" option. --dbushong
\_ listen-on is a bind 8-9 option, I'm trying to hack the
same thing into bind 4 but I'm running into problems.
\_ Steal the 8.x code.
\_ 8.x is sufficiently different that it didn't
help me to look at the code.
\_ why don't you upgrade to the latest 8.x? --aaron
\_ I'm using the "audited" named on OpenBSD. I would prefer
not to upgrade.
\_ I'm using OpenBSD but screw that 4.x stuff. I'm running
9.x. Let 'em root my box. Better that than 4.x.
\_ 8 and 9 are way too big/complex/insecure for my needs.
Anyway, I've managed to hack in the listen-on option.
Now my named just listens on the interfaces that are
specified in named.boot. It sort of works, except for
recursive queries (since it's not listening on the
interface connected to the internet, it doesn't get
responses to queries it generates. I can't seem to
figure out how bind 8 handles this.)
Since this is not quite what I wanted, I hacked
in a querynets option that allows me to specify a list
of nets from which to accept queries. This prevents
people outside of my internal domain from querying
the nameserver for internal information. The downside
to this is that I have to check querynets for each
response, which slows down the server a bit.
I can post the patches if anyone is interested in
hacking with this a bit more.
\_ the 8.x branch is pretty well hammered by now.
also if you're running named as user bind, you
can sleep easier. --aaron
\_ 8/9 haven't been audited but has there been a security
issue in 8.x since 8.24? What's wrong with 8.24+? Are
you at a bank or something?
\_ I've been working on this on my home machine,
but it is to help a customer who is concerned
about security. I'll probably tell them go with
8.x since I've wasted enough time and it doesn't
quite work right yet.
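For reference, an added example (not part of the thread above, and not the poster's patches) of how the two things hacked into BIND 4 here, listening on only two of three interfaces and accepting queries only from internal nets, are written in the named.conf format that the listen-on pointer refers to. The ACL name and all addresses are assumed placeholders; the outgoing-query source address is set separately from listen-on, which is the part the poster could not locate in the 8.x code.

```conf
// Added example: BIND 8/9-style named.conf fragment.
// All addresses and the ACL name are assumed placeholders.

acl "internal" {
    127.0.0.1;          // loopback
    10.0.0.0/8;         // assumed internal net
    192.168.1.0/24;     // assumed internal net
};

options {
    directory "/var/named";

    // Bind the listening sockets only to the two internal interfaces
    // (the third, Internet-facing interface is left out on purpose).
    listen-on {
        10.0.0.1;       // assumed address of internal interface #1
        192.168.1.1;    // assumed address of internal interface #2
    };

    // Outgoing (recursive) queries are sent from a separate socket whose
    // source address is chosen here, independently of listen-on, so
    // replies still arrive via the Internet-facing interface.
    query-source address 203.0.113.5 port *;   // assumed external address

    // Equivalent of the poster's "querynets": refuse queries, and
    // recursion, from anything outside the internal ACL.
    allow-query { "internal"; };
    allow-recursion { "internal"; };
};
```

With BIND 9 the fragment can be syntax-checked with `named-checkconf` before a reload; a quick functional check is to `dig` the server from an address outside the ACL and confirm it answers REFUSED rather than returning data.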