Berkeley CSUA MOTD:Entry 23359
2001/12/24-26 [Computer/Networking] UID:23359 Activity:high
12/23   Is anyone here familiar with the bind 4.9.8 code? I'm trying
        to restrict the set of interfaces that named listens on (I
        have three interfaces and only want named listening on 2 of
        them). I've patched get_netconf in ns_main.c (among other files)
        to basically skip any interface that is not listed in named.boot.
        This seems to work, in that netstat shows only udp <ip>.domain
        entries for those interfaces listed in named.boot. But named
        still responds to queries from the other interface. Any ideas/
        pointers will be appreciated. tia.
        \_ See named.conf(5) regarding the "listen-on" option.  --dbushong
           \_ listen-on is a bind 8-9 option, I'm trying to hack the
              same thing into bind 4 but I'm running into problems.
                \_ Steal the 8.x code.
                   \_ 8.x is sufficiently different that it didn't
                      help me to look at the code.
        \_ why don't you upgrade to the latest 8.x? --aaron
           \_ I'm using the "audited" named on OpenBSD. I would prefer
              not to upgrade.
                \_ I'm using OpenBSD but screw that 4.x stuff.  I'm running
                   9.x.  Let 'em root my box.  Better that than 4.x.
                    \_ 8 and 9 are way too big/complex/insecure for my needs.
                      Anyway, I've managed to hack in the listen-on option.
                      Now my named just listens on the interfaces that are
                      specified in named.boot. It sort of works, except for
                      recursive queries (since it's not listening on the
                      interface connected to the internet, it doesn't get
                      responses to queries it generates. I can't seem to
                      figure out how bind 8 handles this.)
                      Since this is not quite what I wanted, I hacked
                      in a querynets option that allows me to specify a list
                      of nets from which to accept queries. This prevents
                      people outside of my internal domain from querying
                      the nameserver for internal information. The downside
                      to this is that I have to check querynets for each
                      response, which slows down the server a bit.
                      I can post the patches if anyone is interested in
                      hacking with this a bit more.
                      \_ the 8.x branch is pretty well hammered by now.
                         also if you're running named as user bind, you
                         can sleep easier. --aaron
                      \_ 8/9 haven't been audited but has there been a security
                         issue in 8.x since 8.24?  What's wrong with 8.24+? Are
                         you at a bank or something?
                         \_ I've been working on this on my home machine,
                            but it is to help a customer who is concerned
                            about security. I'll probably tell them go with
                            8.x since I've wasted enough time and it doesn't
                            quite work right yet.
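The querynets check the thread describes, written out as an added example in C; this is not the poster's patch or any bind 4 source, and the "net/prefixlen" entry format, the function names and the default-deny policy are assumptions.

```c
/* Added example, not the poster's patch or any bind 4 source: a "querynets"
 * style filter that answers queries only from listed nets (names hypothetical). */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_QUERYNETS 16
struct querynet { uint32_t net, mask; };         /* host byte order */
static struct querynet querynets[MAX_QUERYNETS];
static int nquerynets;
/* Add one entry in "net/prefixlen" form, e.g. "10.0.0.0/8".
 * Returns 0 on success, -1 on a malformed entry or a full table. */
int querynets_add(const char *spec)
{
    char buf[32], *slash, *end;
    struct in_addr a;
    uint32_t mask;
    long plen;
    if (nquerynets >= MAX_QUERYNETS || strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) == NULL)
        return -1;
    *slash++ = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    plen = strtol(slash, &end, 10);
    if (*slash == '\0' || *end != '\0' || plen < 0 || plen > 32)
        return -1;
    mask = plen == 0 ? 0 : 0xffffffffu << (32 - plen);
    querynets[nquerynets].net = ntohl(a.s_addr) & mask;   /* drop host bits */
    querynets[nquerynets].mask = mask;
    nquerynets++;
    return 0;
}

/* Check a query's source address (dotted quad): 1 = answer it, 0 = refuse.
 * Runs once per received packet, which is the per-query cost the post mentions. */
int querynets_allows(const char *src_ip)
{
    struct in_addr a;
    int i;
    if (inet_pton(AF_INET, src_ip, &a) != 1)
        return 0;                                 /* unparsable: refuse */
    for (i = 0; i < nquerynets; i++)
        if ((ntohl(a.s_addr) & querynets[i].mask) == querynets[i].net)
            return 1;
    return 0;                                     /* no match: default deny */
}
```

In a server this check would sit where the received UDP/TCP query is dispatched, before any answer (including recursion on the client's behalf) is generated.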