BIND 4 -> 8 gotcha

David Hedley david at inty.co.uk
Wed Jan 19 11:45:59 UTC 2000


> -----Original Message-----
> From: Jim Reid [mailto:jim at rfc1035.com]
> Sent: 19 January 2000 11:07
> To: David Hedley
> Cc: bind-users at isc.org
> Subject: Re: BIND 4 -> 8 gotcha
>
>
> >>>>> "David" == David Hedley <david at inty.co.uk> writes:
>
>     David> I've recently upgraded from BIND 4 to BIND 8 (8.2.2-P5 to
>     David> be precise) and I've noticed that 'named' no longer binds
>     David> to INADDR_ANY:53 (i.e. the wildcard IP address), instead
>     David> choosing to bind to each IP address on each interface
>     David> specifically. This creates a big problem if, as in our
>     David> case, the DNS server running 'named' handles dial-up PPP
>     David> links where the interfaces are coming up, going down, being
>     David> assigned different IP addresses etc all the time. I have
>     David> managed to work around this by specifying 'query-source
>     David> address * port 53' in the named.conf, which makes 'named'
>     David> bind to *.53, however this is a bit of a hack.
>
> The query-source address option sets the address and maybe the port
> number that the name server uses for *sending* queries. It doesn't
> have any effect on the addresses that the name server listens on for
> incoming queries. That can be controlled through the listen-on option.

Nonetheless, it still works (I did say it was a hack!). It _does_ affect the
addresses that the name server listens on for incoming queries. The
'listen-on' option doesn't work in this case - 'listen-on' is only used to
'mask out' IP addresses from an initial set of addresses built up from the
system interface list. The wildcard '0.0.0.0' address is not part of this
initial set, so 'listen-on' has no effect on whether that address is bound
or not. (You can see this for yourself by doing 'listen-on { any; };' - it
still won't bind to *.53).

When a request (or response) comes in for 'named' to an IP address that
isn't in its list of interfaces, it still processes it anyhow, hence the
query-source hack works (unless a TCP connection is required :)

>
>     David> In short, _why_ doesn't 'named' bind to the wildcard
>     David> address? And is there an obvious solution I'm missing
>     David> (apart from patching the source)?
>
> Because in some situations, using the wildcard interface is not
> appropriate: say on a firewall that has to implement split DNS. There
> could be two named processes: one listening on the external interface
> and one listening on the internal interfaces. In such setups using a
> wildcard address would not be a good idea. Working on the basis of
> least surprise, by default BIND8 doesn't use a wildcard listener.
> Instead the default behaviour is to use discrete listener sockets for
> each network address that's up when the name server goes looking for
> network interfaces. The listen-on option can then be used to control
> which interfaces are and aren't used for DNS.

But there should at least be some option for restoring the BIND-4 mode of
operation!

>
> As for "solutions", you could use the listen-on option to explicitly
> define which interfaces the name server listens for queries. However
> that is clumsy (and maybe unworkable) if the dialup interfaces could
> have any of a large number of IP addresses. Maybe using a listen-on
> option address of 0.0.0.0 will work, sort of. [I don't know: I've not
> tried it.] You could also try using the interface-interval option to
> make named scan for new and old network interfaces more frequently. By
> default, named does this once an hour and adds or removes listener
> sockets as appropriate.
>

listen-on { any; }; doesn't work (see above).

> However I'm puzzled why you want/need the name server to listen for
> queries on dial-up interfaces that dynamically and frequently change
> their IP address. [These types of interfaces are not really much use
> for providing any network service. How could you get someone to come
> to an SMTP listener or a web server that was listening on some
> randomly changing IP address? Why should it be any different if such
> an interface was used for DNS service?] Who sends queries to those
> dial-up interfaces addresses? Why do they do that? Why don't they use
> (one of) the fixed IP addresses of your name server?

The server itself is not dialling up - other computers are dialling into it
(and are being given the server-end IP address of the PPP link as a DNS
server). The firewall restricts incoming traffic along the PPP link and only
allows certain packets to the server end of the PPP link until further
authentication is requested and granted, which requires DNS to function
properly.

Sure, we could reconfigure our firewall, but we'd rather not have to if at
all possible!

David
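The three options discussed in this thread, written out as a BIND 8 named.conf fragment. This is an added illustration, not configuration posted by either participant; the addresses are RFC 5737 documentation placeholders and the 5-minute rescan interval is an arbitrary choice.

```conf
options {
    // Listen only on fixed, internal addresses (the split-DNS case).
    // As described in the thread, in BIND 8 this clause only filters the
    // address list that named builds from its interface scan; it does not
    // create a wildcard (0.0.0.0) listener, so 'any' here changes nothing.
    listen-on port 53 { 192.0.2.53; 198.51.100.53; };

    // The workaround from the thread: a wildcard query-source socket on
    // port 53 also receives UDP queries sent to addresses that are not in
    // the interface list. TCP queries still need a real listener socket.
    query-source address * port 53;

    // Rescan interfaces every 5 minutes (value in minutes) instead of the
    // hourly default, so listeners are added and removed as PPP links
    // come and go.
    interface-interval 5;
};
```

One caveat follows directly from the thread: if listen-on is being used to keep named off an external interface, a wildcard query-source on port 53 undoes that restriction for UDP, because queries arriving on any local address are then answered anyway. Use the query-source workaround only where listening everywhere is actually intended, and prefer a shorter interface-interval (or an explicit listen-on list) where it is not.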


