nameserver listening on 3 different addresses

Pete Peterson petersonp at genrad.com
Thu Apr 4 18:31:55 UTC 2002


I have a Red Hat Linux name server (bind-8.2.3) that's listening on three
different addresses, on the same NIC on eth0, eth0:0 and eth0:1.  This may
seem strange, but it was set up this way to allow people on different
subnets, but on our local switch, to access through the switch.  Only one
of these addresses is accessible from outside through our firewall.
Another name server (our master) listens on only one port and is, of
course, accessible from outside.

This had been working for a long time until I upgraded the kernel and
a couple other non-bind-related things on both of these machines.  The
master worked fine after the update, but I discovered that the other
server was not resolving outside addresses, though it worked fine for
internal addresses.  Reverting to the older kernel didn't fix the problem,
so I'm not sure what triggered this behavior.

A tcpdump session showed me that the inquiries were going out with
source addresses corresponding to eth0:1.  Since the firewall isn't open to
these addresses, the replies weren't making it back to the server.  I'm not
sure what changed to make this happen, but I determined that ifdown'ing the
eth0:0 and eth0:1 ports and restarting named resulted in normal operation
on external lookups.  I re-enabled the ports and set the "query source"
address in named.conf to the open address and BIND's name resolution worked
OK, but "host" didn't work since it still made queries from the eth0:1 port
or on the eth0:0 port if eth0:1 was ifdown'ed.  

Is there some way to control the address/port on which "host" makes its
inquiries?  "dig" seems to let me specify the port, but not the source
address.

Anybody have an idea of what could have changed to cause this problem?
Our switch/firewall guy says he hadn't changed anything relating to those
aliased IPs and that so far as he knew, they had never been open.

It seems like this situation would occur even if I had multiple NICs
rather than just aliases.  Is there some way to make "host" or "dig"
do "the right thing" without having to open the firewall to each
possible IP?  I *did* verify that opening the firewall to all three
addresses did indeed make everything work normally, including BIND
working without the query source directive.


        pete

-- 
        pete peterson
        Teradyne, Inc.
        7 Technology Park Drive
        Westford, MA 01886-0033

        pete.peterson at teradyne.com or petersonp at genrad.com
        +1-978-589-7478 (Office); +1-978-589-2088 (Closest FAX);
        +1-978-589-7007 (Main Teradyne Westford FAX)
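The behaviour described in the post, reproduced on loopback as an added example (this is not code from the original post, from BIND, or from the `host`/`dig` tools): without an explicit bind(), the kernel chooses the source address of a UDP query from the route to the destination, which is what tcpdump showed; binding the socket to a chosen local address before sending, which is what BIND's `query-source` does, pins it. The toy "upstream" server, the 127.0.0.2 alias address, and the name `example.com.` are assumptions for the demonstration; it assumes Linux, where all of 127.0.0.0/8 is attached to `lo`, so 127.0.0.2 stands in for the firewall-blocked alias.

```python
"""Added example: how the source address of a UDP DNS query is chosen,
and how to pin it the way BIND's "query-source" does (socket bind())."""
import socket
import struct
import threading

QR_BIT = 0x8000  # DNS header flag: this packet is a response


def build_query(name, qid=0x1234):
    """Minimal DNS query: header with RD set, one A/IN question, no EDNS."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def kernel_source_for(dest_ip, dest_port=53):
    """Ask the kernel which local address it would use toward dest_ip.
    connect() on a UDP socket sends nothing; it only fixes the route and
    therefore the source address, which getsockname() then reveals.  This
    is the address tcpdump shows on an unbound query."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_ip, dest_port))
        return s.getsockname()[0]


def send_query(dest, name, source_addr=None, timeout=2.0):
    """Send one query and return the reply.  With source_addr, bind() first;
    port 0 means an ephemeral port, the equivalent of
    'query-source address X port *' in named.conf."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if source_addr is not None:
            s.bind((source_addr, 0))
        s.settimeout(timeout)
        query = build_query(name)
        s.sendto(query, dest)
        reply, _ = s.recvfrom(512)
    qid, flags = struct.unpack(">HH", reply[:4])
    if qid != struct.unpack(">H", query[:2])[0] or not flags & QR_BIT:
        raise ValueError("not a response to our query")
    return reply


class RecordingResolver:
    """Constructed stand-in for the outside name server: records the
    source address of each query it sees and echoes the query back with
    the QR bit set.  It does no real resolution."""

    def __init__(self, listen_ip="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((listen_ip, 0))
        self.addr = self.sock.getsockname()
        self.seen = []
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while True:
            data, peer = self.sock.recvfrom(512)
            if not data:  # empty datagram is the shutdown signal
                break
            self.seen.append(peer[0])
            flags = struct.unpack(">H", data[2:4])[0] | QR_BIT
            self.sock.sendto(data[:2] + struct.pack(">H", flags) + data[4:], peer)

    def close(self):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(b"", self.addr)
        self.thread.join(1.0)
        self.sock.close()


def demo():
    """Return the source addresses the upstream saw: first for an unbound
    query (kernel's choice), then for one bound to 127.0.0.2.
    Assumes Linux, where the whole 127/8 range is on lo."""
    upstream = RecordingResolver()
    try:
        send_query(upstream.addr, "example.com.")
        send_query(upstream.addr, "example.com.", source_addr="127.0.0.2")
    finally:
        upstream.close()
    return tuple(upstream.seen)


if __name__ == "__main__":
    print("kernel would source from:", kernel_source_for("127.0.0.1"))
    print("upstream saw:", demo())
```

The second query arrives from 127.0.0.2 only because the socket was bound before sendto(); this is the same mechanism as `query-source address <open address> port *;` in named.conf, and BIND 9's dig exposes it as `-b <address>`. Pinning the source address is the right fix for a multi-homed resolver: the alternative of opening the firewall to every alias widens the set of addresses that accept unsolicited DNS replies.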