Why server output from disallowed interface?
phn at icke-reklam.ipsec.nu
Mon Feb 23 20:58:20 UTC 2004
Spam Averse <info at optinbig.com> wrote:
> I'm running BIND v9.2.1 on a (Red Hat v9) Linux box. I have configured bind
> to only respond to queries on interface eth0, yet it seems that there are
> outbound zone transfers on eth1.
> Here's a snippet of my named.conf:
> listen-on { 127.0.0.1; 192.168.0.1; };
> allow-query { 127.0.0.1; 192.168.0/24; };
You don't deny transfers ( allow-xfer )
> Interface eth0 is on 192.168.0/24, while eth1 is the interface to the
> internet. My server is authoritative for my network and acts as a caching
> server for all other queries.
> My understanding is that TCP is only used when a zone transfer is too big to
> fit in a UDP packet. Thus I should only *transmit* on TCP to transfer
> zone info to other machines on my network, right?
Wrong. UDP and TCP are used for queries/responses; for zone transfers
TCP is always used.
> So why do I get TCP output from my internet interface? Here's a couple of
> examples, logged by Linux's iptables firewall (with my source address
> removed):
> Feb 20 11:42:04 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
> DST=64.246.26.64 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP
> SPT=33424 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
> Feb 20 14:15:52 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aa.bbb.ccc.ddd
> DST=193.171.255.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP
> SPT=33763 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
> Note that the protocol is TCP and the destination port is 53.
Quite normal.
> According to my understanding this is a zone transfer to the machine shown
> as the destination address. As shown above, though, I have not permitted
> the answering of queries on the interface on which this data is being sent.
Enabling query-log will show you what goes on. Or even better running
ethereal.
> Can someone please explain to me what's going on here?
Read the manual. Upgrade, 9.2.1 has weaknesses.
> Thanks.
> --
> Please respond to the group, not by e-mail.
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
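The log lines quoted in the thread all have `IN=` empty, `OUT=eth1`, an ephemeral source port and `DPT=53` with the `SYN` flag set: they are TCP connections this host opens to a remote server's port 53, not remote hosts connecting to the local named. `listen-on` and `allow-query` govern what named accepts, not what its resolver sends out, and a caching server retries over TCP whenever a UDP answer comes back truncated. The following script is an added example, not code from the thread or from BIND, that parses such iptables log lines and separates locally initiated DNS traffic from inbound requests to port 53, which is the half that `allow-query` and `allow-transfer` actually cover. The sample log is constructed from the two lines quoted above plus two made-up lines (a constructed inbound TCP SYN and an outbound UDP query); the local address 203.0.113.10 and the remote 198.51.100.x addresses are documentation-range placeholders, since the poster removed the real source address.

```python
import re
from collections import Counter

# iptables LOG output is a flat run of KEY=VALUE tokens plus bare flags (DF, SYN).
FIELD_RE = re.compile(r"(\w+)=(\S*)")
SYN_RE = re.compile(r"\bSYN\b")

# Constructed sample: lines 1-2 follow the thread's quoted entries (source
# address replaced by a documentation-range placeholder), lines 3-4 are
# invented to show an inbound request and an outbound UDP query.
SAMPLE_LOG = """\
Feb 20 11:42:04 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=203.0.113.10 DST=64.246.26.64 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP SPT=33424 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 14:15:52 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=203.0.113.10 DST=193.171.255.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP SPT=33763 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 14:16:01 nemesis kernel: PKTCHK:IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=41000 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 14:16:05 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=203.0.113.10 DST=198.51.100.9 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=UDP SPT=33000 DPT=53 LEN=48
"""


def parse_line(line):
    """Turn one iptables LOG line into a small record of the fields we care about."""
    fields = dict(FIELD_RE.findall(line))  # a later duplicate key (UDP LEN) simply overwrites
    return {
        "in": fields.get("IN", ""),      # empty for packets this host generated
        "out": fields.get("OUT", ""),    # empty for packets addressed to this host
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "spt": fields.get("SPT", ""),
        "dpt": fields.get("DPT", ""),
        "syn": bool(SYN_RE.search(line)),
    }


def classify(rec):
    """Say which side of named a packet belongs to, from the local host's point of view."""
    if rec["proto"] not in ("TCP", "UDP") or "53" not in (rec["spt"], rec["dpt"]):
        return "not-dns"
    if rec["out"] and rec["dpt"] == "53":
        # This host talking to a remote port 53: the resolver doing lookups
        # (TCP = retry after a truncated UDP answer) or a transfer this host
        # requests as a slave. listen-on/allow-query do not apply here.
        return "outbound-query-%s" % rec["proto"].lower()
    if rec["in"] and rec["dpt"] == "53":
        # A remote host reaching our port 53: a query, or over TCP possibly an
        # AXFR request. This is the traffic allow-query/allow-transfer govern.
        return "inbound-%s-to-named" % rec["proto"].lower()
    return "other-dns"


def summarize(log_text):
    """Count log lines per class; only PKTCHK-tagged lines are considered."""
    counts = Counter()
    for line in log_text.splitlines():
        if "PKTCHK" in line:
            counts[classify(parse_line(line))] += 1
    return counts


def outbound_dns_peers(log_text):
    """Remote servers this host queried; compare against named's query log."""
    peers = set()
    for line in log_text.splitlines():
        if "PKTCHK" not in line:
            continue
        rec = parse_line(line)
        if classify(rec).startswith("outbound-query"):
            peers.add(rec["dst"])
    return sorted(peers)


if __name__ == "__main__":
    for cls, n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-24s %d" % (cls, n))
    print("outbound DNS peers:", ", ".join(outbound_dns_peers(SAMPLE_LOG)))
```

Run it against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file contents and the `PKTCHK` prefix with whatever `--log-prefix` the firewall uses. The peers listed under `outbound-query-*` are the servers named itself chose to contact; with BIND's query logging turned on you can match each one to the client request that triggered it, which is the check the reply above recommends.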