Binding named to a specific device

Jim Reid jim at rfc1035.com
Sun Jan 30 12:53:55 UTC 2000


>>>>> "David" == David  <rush at sinister.org> writes:

    David> Hey guys could someone plz help me!!?!? I have a cable
    David> modem at home attached to my linux box running a bunch of
    David> stuff and working as a router/firewall. Well i decided to
    David> run bind on my machine to act as a caching name server and
    David> forwarder. But the problem is very small. Everything works
    David> fine. But i just wanna know how to bind it to the internal
    David> ethernet card. I don't want it bound to the external
    David> network card which is on the internet. I don't want hackers
    David> to hack in this way. Anyone that could tell me how to just
    David> bind it to eth0 (my external network card) that would be great. 

The listen-on clause can be used to control which interfaces the name
server uses. However this won't buy you anything unless you configure
the firewall part of this box to block incoming traffic to port
53. And if you do that there's probably no need for a listen-on
clause, though having one won't hurt. If your name server was listed
in the NS records for any zones, you'd have to allow incoming traffic
to port 53 and probably couldn't use a listen-on clause in named.conf
either.

If your box is on the internet, there's not much point making it a
forwarding name server. Why force your name server to always send its
queries to the same small number of IP addresses - and depending on
their name servers to always be up! - when it could use the
information in the DNS to locate and query the world's name servers
for itself? Forcing a name server to always forward its queries is a
bit like forcing a musician to always play only one tune.

As for worrying about security attacks on the DNS, the best advice is
to run the latest version of BIND, 8.2.2P5 which will plug the known
security holes: buffer overflows and things like that. The truly
paranoid can use some of the options to bolt things down even tighter.
For instance running the name server as an unprivileged UID and/or in
a chroot'ed environment, applying ACLs, switching off recursion and
glue fetching to eliminate cache poisoning, etc. Some options - like
controlling recursion and glue fetching - won't be appropriate for a
caching-only name server. They might be tolerable for a forwarding
server, but that wouldn't prevent cache poisoning. They'd rely on the
answers returned by the servers that they forwarded to and it's
possible that these servers have poisoned caches or have been
configured to tell lies.
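As an added illustration of the advice above, and not a configuration from the reply, from David's box or from the BIND project: a named.conf fragment for a caching-only BIND 8 server that only opens sockets on the loopback and internal addresses and only answers the internal network, so nothing is listening on the cable-modem side. The addresses 127.0.0.1 and 192.168.1.1, the 192.168.1.0/24 network, the directory and file names, and the external interface name eth1 are assumptions for the example, not details from the thread.

```conf
// Assumed layout: 192.168.1.1 is the internal card (eth0), the LAN is
// 192.168.1.0/24, the external card is eth1. All of these are assumptions.
acl internal {
    127.0.0.1;
    192.168.1.0/24;
};

options {
    directory "/var/named";   // assumed working directory

    // Only open listening sockets on the loopback and internal addresses.
    // No listener is created on the external card at all.
    listen-on { 127.0.0.1; 192.168.1.1; };

    // Belt and braces: even if a packet reaches named, refuse queries
    // (and recursion) from anything that is not on the LAN.
    allow-query { internal; };
    allow-recursion { internal; };

    // Caching-only, not forwarding: no "forwarders" clause, so the
    // server walks the DNS from the root hints itself.
};

// Root hints so the server can locate the root servers on its own.
zone "." {
    type hint;
    file "named.root";        // assumed hints file name
};
```

To take the other hardening steps mentioned in the reply, start BIND 8 as an unprivileged user in a chroot with its own switches, e.g. `named -u named -g named -t /var/named` (the user, group and chroot directory are assumptions), and still block port 53 on the external card in the firewall, e.g. `iptables -A INPUT -i eth1 -p udp --dport 53 -j DROP` and the same for `-p tcp`, since the listen-on clause on its own is not what keeps the outside world out. After restarting, `netstat -an | grep ':53 '` should show sockets only on 127.0.0.1 and 192.168.1.1; an entry on the external address or on 0.0.0.0 means the listen-on clause was not picked up.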
