Listen on

chrism at sea.checkpoint.com
Fri Nov 2 20:06:59 UTC 2001



Two things:

First, and most important - UPGRADE to a more recent version of BIND.  
The current version of BIND 8 is 8.2.5-REL.  The version that you have 
running has *SERIOUS* security holes which could give a remote user 
root access to your machine.

For more information on the security issues, please see:

	http://www.isc.org/products/BIND/bind-security.html

You can download BIND 8.2.5-REL from ISC here:

	ftp://ftp.isc.org/isc/bind/src/8.2.5/bind-src.tar.gz

The most recent (official) RPM for BIND 8 I could find was BIND 8.2.3, 
which will also fix the security issues.  Perhaps someone on this list 
knows where to find a more recent RPM.  The 8.2.3 RPM is downloadable 
from RedHat here:

	 
ftp://ftp.redhat.com/pub/redhat/linux/updates/7.0/en/os/i386/bind-8.2.3-1.i386.rpm

As for your question, the solution would be to add the "listen-on" 
statement to your options, similar to the following:

	options {
		<your other options go here>
		listen-on { 172.16.1.2 ; } ;
	};

For online documentation of different BIND 8 configuration options, 
please see this page:

	http://www.isc.org/products/BIND/docs/config/

The specific text you're looking for (in regards to this issue) is in 
the link for "options" from that page, under "Interfaces" :

-------------------------------------------------------------------
Interfaces

The interfaces and ports that the server will answer queries from may 
be specified using the listen-on option. listen-on takes an optional 
port, and an address_match_list. The server will listen on all 
interfaces allowed by the address match list. If a port is not 
specified, port 53 will be used.

Multiple listen-on statements are allowed. For example,

	listen-on { 5.6.7.8; };
	listen-on port 1234 { !1.2.3.4; 1.2/16; };

will enable the nameserver on port 53 for the IP address 5.6.7.8, and 
on port 1234 of an address on the machine in net 1.2 that is not 
1.2.3.4.

If no listen-on is specified, the server will listen on port 53 on all 
interfaces.
-------------------------------------------------------------------

Hope this helps!

- Chris

--
          Chris Moore  --  chrism at sea.checkpoint.com
Check Point Software Technologies, Inc.  --   The Meta IP Group
      http://www.checkpoint.com/products/metaip/index.html
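The address_match_list rules in the quoted documentation (first match wins, a leading ! excludes, the short prefix form 1.2/16), worked through in Python as an added example that is not part of the original post or of BIND itself. parse_element, matches and listen_sockets are names chosen here; the interface addresses are the three from the question below plus a constructed set for the documentation's own example.

```python
from ipaddress import ip_address, ip_network

def parse_element(elem):
    """Parse one address_match_list element such as '5.6.7.8', '!1.2.3.4' or '1.2/16'.
    Returns (negated, network). BIND's short prefix form '1.2/16' is padded to 1.2.0.0/16."""
    negated = elem.startswith("!")
    text = elem[1:] if negated else elem
    if "/" in text:
        addr, plen = text.split("/", 1)
        octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
        return negated, ip_network(f"{'.'.join(octets)}/{plen}", strict=False)
    return negated, ip_network(f"{text}/32")

def matches(addr, elements):
    """First-match semantics: the first element that contains addr decides, and a
    negated element excludes it. An address no element mentions does not match."""
    ip = ip_address(addr)
    for negated, net in (parse_element(e) for e in elements):
        if ip in net:
            return not negated
    return False

def listen_sockets(listen_on_stmts, interface_addrs):
    """listen_on_stmts: list of (port, [elements]) mirroring each listen-on statement.
    Returns the sorted (address, port) pairs named would bind on this machine."""
    sockets = set()
    for port, elements in listen_on_stmts:
        for addr in interface_addrs:
            if matches(addr, elements):
                sockets.add((addr, port))
    return sorted(sockets)

# Constructed sample: the three addresses from the question below, with the
# single listen-on statement from the answer above (port 53 is the default).
NARADA_ADDRS = ["127.0.0.1", "172.16.1.2", "172.16.1.1"]
NARADA_CONF = [(53, ["172.16.1.2"])]

# Constructed sample: the two statements from the quoted documentation, on a
# hypothetical machine whose interfaces are 5.6.7.8, 1.2.3.4 and 1.2.9.9.
DOC_ADDRS = ["5.6.7.8", "1.2.3.4", "1.2.9.9"]
DOC_CONF = [(53, ["5.6.7.8"]), (1234, ["!1.2.3.4", "1.2/16"])]

if __name__ == "__main__":
    print(listen_sockets(NARADA_CONF, NARADA_ADDRS))  # [('172.16.1.2', 53)]
    print(listen_sockets(DOC_CONF, DOC_ADDRS))        # [('1.2.9.9', 1234), ('5.6.7.8', 53)]
```

Compare the result for NARADA_CONF with the three "listening on" syslog lines in the question: the ppp0 and lo sockets disappear once the statement is in place.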



On Fri, 02 Nov 2001 10:26:18 bind at col7.metta.lk wrote:
> Hi all,
>
> I run named 8.2.2-P5 on my RH7.0
> I have a bit of problem with my dns
>
> I need to find the options available in bind,
> because I need to make bind listen on only one IP
>
> Is there an option something like this.
> interface-listen-only-on 172.16.1.2 (my lan card ip)
> What happens is that when a user is logged in
> the dns will reload the dns and listen on
>
> 172.16.1.2 my lan card
> 172.16.1.1 the ppp connection.
>
> Nov  3 00:22:20 narada named[5845]: listening on [127.0.0.1].53 (lo)
> Nov  3 00:22:20 narada named[5845]: listening on [172.16.1.2].53 (eth0)
> Nov  3 00:22:20 narada named[5845]: listening on [172.16.1.1].53 (ppp0)
>
> I do not want it ever to listen on 172.16.1.1
>
> Thanks for your help
>
> Mettavihari
>
>
> Below is my named.conf
> -------------------------------------------------
> options {
> 	version "Not today!";
> 	pid-file  "/var/named/named.pid";
> 	directory "/var/named";
> //	statistics-interval 0;
> 	interface-interval 5;
> 	forward only;
> 	forwarders {};
> };
>
> zone "." {
>         type hint;
>         file "root.hints";
> };
> zone "col7.metta.lk"{
>         type master;
>         file "pz/col7.metta.lk";
>         notify no;
> };
> zone "metta.lk"{
>         type master;
>         file "pz/metta.lk";
>         notify no;
> };
> zone "0.0.127.in-addr.arpa"{
>         type master;
>         file "pz/127.0.0";
> };
> zone "1.16.172.in-addr.arpa"{
>         type master;
>         file "pz/172.16.1";
>         notify no;
> };
>
> ------------------------------------------
> $TTL            86400 ; default time-to-live - 24 hours
> @		IN	SOA	narada.col7.metta.lk.	metta at col7.metta.lk.
> (
> 			2000080506 ; serial
> 			86400 ; refresh
> 			36000 ; retry
> 			2592000 ; expire
> 			86400 ; default_ttl
> 			)
> @		IN	NS	col7.metta.lk.
> @		IN	MX	10	narada.col7.metta.lk.
> localhost		IN	A	127.0.0.1
> narada		IN	A	172.16.1.1
> narada		IN	A	172.16.1.2
> narada		IN	MX	10	narada.col7.metta.lk.
> narada		IN	HINFO	"Pentium-I" "Linux RH7.0"
> dvf		IN	A	172.16.1.3
> metta04		IN	A	172.16.1.4
> metta05		IN	A	172.16.1.5
> metta06		IN	A	172.16.1.6
> metta07		IN	A	172.16.1.7
> harsha		IN	A	172.16.1.8
> metta09		IN	A	172.16.1.9
> col7.metta.lk.		IN	A	172.16.1.2
> col7.metta.lk.		IN	A	172.16.1.1
> col7.metta.lk.		IN	MX	10	narada.col7.metta.lk.
>
> --------------------------------------------
> A saying of the Buddha from http://metta.lk/
> --------------------------------------------
> Whoever lives contemplating pleasant things, with senses unrestrained,
> in food immoderate, indolent, inactive, him verily Mara overthrows, as
> the wind (overthrows) a weak tree.
> Random Dhammapada Verse 7

