Listen on all interfaces

Ketil Froyn isc_bind at ketil.froyn.name
Sun Dec 21 21:13:15 UTC 2003


On Thu, 18 Dec 2003, Oren Held wrote:

> I want my bind(9.2.3) to listen to all the interfaces - thus I do NOT
> include a "listen-on" line.
> However what it actually does is listen to EACH interface - which might
> sound fine at first thought - this means it listens to all the
> interfaces.
> 
> However, when I create a new interface I'd have to restart bind so it'll
> listen to it as well (I need it for HA reasons, sometimes I need to use
> another IP on the same machine). Unlike bind, most of the daemons I know
> don't listen to a specific interface.

I believe there is a reason why BIND listens on each interface instead of
all. The reason is most likely that if BIND were to listen to all
interfaces, it would not know which IP the question was sent to, and
therefore would not know which source IP to send the reply back from. The
problem would be that a client might send a query to one IP and then get a
reply from a different IP, in which case it must discard the answer
(otherwise DNS forgery would be very simple).  Presumably this is not an
issue with your other software that listens on all interfaces.

For more information on DNS forgery, see

  http://cr.yp.to/djbdns/forgery.html

Ketil Froyn
ketil at froyn.name
http://ketil.froyn.name/
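The client-side check the reply above relies on (a resolver must discard a UDP answer that does not come back from the exact address and port it queried, with the same transaction ID and the same question) as an added, runnable example. This is not code from the original post or from BIND; the addresses `192.0.2.53` and `192.0.2.54` are constructed documentation-range values standing in for two IPs on the same server host, and `make_reply` is a stand-in for the server so the demo runs offline.

```python
import random
import struct

# Constructed sample values for the offline demo (not from the original post).
RESOLVER = ("192.0.2.53", 53)    # address the client sends the query to
OTHER_ADDR = ("192.0.2.54", 53)  # a second address on the same server host


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(pkt: bytes):
    """Return (txid, flags, qdcount) from the DNS header, or raise on a short packet."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return txid, flags, qdcount


def question_section(pkt: bytes) -> bytes:
    """Return the raw first question (QNAME + QTYPE + QCLASS) starting at offset 12."""
    i = 12
    while pkt[i] != 0:
        if pkt[i] & 0xC0:
            raise ValueError("compression pointer in question section not supported")
        i += 1 + pkt[i]
    i += 1 + 4  # terminating zero label, then QTYPE and QCLASS
    return pkt[12:i]


def reply_is_acceptable(query: bytes, sent_to, reply: bytes, received_from) -> bool:
    """Checks a client must pass before trusting a UDP reply:
    1. the datagram came from exactly the address:port the query went to
       (a reply from a different IP on the same host is rejected);
    2. the transaction ID matches;
    3. QR is set and the question is echoed back unchanged."""
    if received_from != sent_to:
        return False
    try:
        q_id, _, _ = parse_header(query)
        r_id, r_flags, r_qd = parse_header(reply)
        if r_id != q_id or not (r_flags & 0x8000) or r_qd != 1:
            return False
        return question_section(reply) == question_section(query)
    except (ValueError, IndexError):
        return False


def make_reply(query: bytes, txid=None) -> bytes:
    """Constructed server stand-in: echoes the question with QR/RD/RA set and no answers."""
    q_id, _, _ = parse_header(query)
    rid = q_id if txid is None else txid
    return struct.pack("!HHHHHH", rid, 0x8180, 1, 0, 0, 0) + question_section(query)


def demo():
    """Return (good, wrong_source, wrong_id): only the first should be accepted."""
    txid = random.randrange(0, 65536)
    q = build_query("example.com", txid)
    good = reply_is_acceptable(q, RESOLVER, make_reply(q), RESOLVER)
    # Same host answering from its other address, as a wildcard-bound daemon might.
    wrong_source = reply_is_acceptable(q, RESOLVER, make_reply(q), OTHER_ADDR)
    wrong_id = reply_is_acceptable(q, RESOLVER, make_reply(q, (txid + 1) % 65536), RESOLVER)
    return good, wrong_source, wrong_id


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The `wrong_source` case is exactly the failure the post describes: the answer is well-formed and carries the right transaction ID, but because it left the server from a different IP than the one queried, a correct client throws it away. Per-address sockets, as BIND uses, guarantee the reply source matches the query destination; a daemon that insists on one wildcard socket has to recover the destination address of each datagram (for example with the IP_PKTINFO / IPV6_PKTINFO socket options) and reply from it explicitly.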
