Why server output from disallowed interface?

phn at icke-reklam.ipsec.nu
Mon Feb 23 20:58:20 UTC 2004


Spam Averse <info at optinbig.com> wrote:
> I'm running BIND v9.2.1 on a (Red Hat v9) Linux box.  I have configured bind
> to only respond to queries on interface eth0, yet it seems that there are
> outbound zone transfers on eth1.

> Here's a snippet of my named.conf:

>    listen-on { 127.0.0.1; 192.168.0.1; };
>    allow-query { 127.0.0.1; 192.168.0/24; };

You don't deny transfers ( allow-xfer ).


> Interface eth0 is on 192.168.0/24, while eth1 is the interface to the
> internet.  My server is authoritative for my network and acts as a caching
> server for all other queries.

> My understanding is that TCP is only used when a zone transfer is too big to
> fit in a UDP packet.  Thus I should only *transmit* on TCP to transfer
> zone info to other machines on my network, right?
Wrong. UDP and TCP are both used for queries/responses; for zone transfers
TCP is always used.


> So why do I get TCP output from my internet interface?  Here's a couple of
> examples, logged by Linux's iptables firewall (with my source address
> removed):

> Feb 20 11:42:04 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd
> DST=64.246.26.64 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP
> SPT=33424 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0

> Feb 20 14:15:52 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aa.bbb.ccc.ddd
> DST=193.171.255.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP
> SPT=33763 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0

> Note that the protocol is TCP and the destination port is 53.
Quite normal.


> According to my understanding this is a zone transfer to the machine shown
> as the destination address.  As shown above, though, I have not permitted
> the answering of queries on the interface on which this data is being sent.

Enabling query logging will show you what goes on. Or, even better, run
ethereal.

> Can someone please explain to me what's going on here?

Read the manual. Upgrade: 9.2.1 has weaknesses.

> Thanks.


> -- 
> Please respond to the group, not by e-mail.


-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but I'm trying to keep spam out;
	   remove "icke-reklam" if you feel like mailing me. Thanx.
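The point of the reply above is easier to see if the firewall log is read for direction rather than for port number. In the quoted lines IN= is empty, OUT=eth1, the source port is ephemeral and only SYN is set: that is the first packet of a TCP connection opened by the BIND host itself toward a remote server's port 53, which is what a resolver does when it retries a query over TCP after a truncated UDP answer. A zone transfer served by this host would appear the other way round, as an inbound connection to the local port 53; whether named answers that is governed by allow-transfer (the reply's "allow-xfer"), while listen-on only chooses the local addresses named binds to. The following script is an added example, not part of the thread or of BIND: it parses netfilter LOG lines of the shape quoted above and reports which side of each DNS connection the host is on. The first two sample lines mirror the ones in the post (redacted source placeholders kept); the other three are constructed, with 198.51.100.7 taken from the documentation address range.

```python
"""Classify netfilter LOG lines from a BIND host by who opened each DNS connection."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log. Lines 1-2 mirror the thread; lines 3-5 are made up
# to show an inbound TCP connection, an inbound UDP query and a mid-connection ACK.
SAMPLE_LOG = """\
Feb 20 11:42:04 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd DST=64.246.26.64 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP SPT=33424 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 14:15:52 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aa.bbb.ccc.ddd DST=193.171.255.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42343 DF PROTO=TCP SPT=33763 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 14:16:01 nemesis kernel: PKTCHK:IN=eth1 OUT= SRC=198.51.100.7 DST=aaa.bbb.ccc.ddd LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=45001 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 20 14:16:05 nemesis kernel: PKTCHK:IN=eth1 OUT= SRC=198.51.100.7 DST=aaa.bbb.ccc.ddd LEN=73 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=UDP SPT=45002 DPT=53 LEN=53
Feb 20 14:16:09 nemesis kernel: PKTCHK:IN= OUT=eth1 SRC=aaa.bbb.ccc.ddd DST=193.171.255.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=42344 DF PROTO=TCP SPT=33764 DPT=53 WINDOW=5840 RES=0x00 ACK URGP=0
"""

# Verdicts and what each means for the named.conf options in the thread.
OUTBOUND_TCP_QUERY = "outbound-tcp-query"
OUTBOUND_UDP_QUERY = "outbound-udp-query"
INBOUND_TCP_TO_NAMED = "inbound-tcp-to-named"
INBOUND_UDP_QUERY = "inbound-udp-query"
OTHER = "other"

EXPLANATION = {
    OUTBOUND_TCP_QUERY: "this host is the TCP client: named querying a remote server over "
                        "TCP (e.g. after a truncated UDP answer); not a transfer served here",
    OUTBOUND_UDP_QUERY: "this host is the client: ordinary recursive query to a remote server",
    INBOUND_TCP_TO_NAMED: "remote host is the TCP client: a TCP query or AXFR request to "
                          "this server; allow-transfer decides whether a transfer is served",
    INBOUND_UDP_QUERY: "remote host is the client: UDP query to this server (allow-query)",
    OTHER: "mid-connection packet or non-DNS traffic",
}


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: frozenset


def parse_log_line(line: str) -> Packet:
    """Parse one netfilter LOG line. KEY=VALUE fields are taken as-is;
    TCP flags are the bare words SYN/ACK/... (URGP=0 is not a flag)."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    flags = frozenset(re.findall(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b", line))
    return Packet(
        in_if=fields.get("IN", ""),
        out_if=fields.get("OUT", ""),
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        proto=fields.get("PROTO", ""),
        sport=int(fields.get("SPT", 0)),
        dport=int(fields.get("DPT", 0)),
        flags=flags,
    )


def classify(pkt: Packet) -> str:
    """Decide which side of a DNS exchange this host is on, from direction alone."""
    # A packet logged with no IN= interface was generated locally (OUTPUT chain).
    local_origin = pkt.in_if == "" and pkt.out_if != ""
    if pkt.proto == "TCP":
        # Only a bare SYN (no ACK) starts a connection; its sender is the client.
        if "SYN" not in pkt.flags or "ACK" in pkt.flags:
            return OTHER
        if pkt.dport == 53:
            return OUTBOUND_TCP_QUERY if local_origin else INBOUND_TCP_TO_NAMED
        return OTHER
    if pkt.proto == "UDP" and pkt.dport == 53:
        return OUTBOUND_UDP_QUERY if local_origin else INBOUND_UDP_QUERY
    return OTHER


def analyze(log_text: str) -> list[tuple[str, str]]:
    """Return (flow description, verdict) for every LOG line in the text."""
    results = []
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue
        pkt = parse_log_line(line)
        flow = f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        results.append((flow, classify(pkt)))
    return results


if __name__ == "__main__":
    for flow, verdict in analyze(SAMPLE_LOG):
        print(f"{flow:55s} {verdict}: {EXPLANATION[verdict]}")
```

Run against the two lines from the post, both come out as outbound-tcp-query: the host is the client, so no allow-transfer or listen-on setting is involved. The firewall cannot tell which local process opened the connection, so to confirm it was named, pair this with BIND's own query logging (toggled at runtime with rndc querylog), which is the check the reply recommends.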

