Bug 345801

Summary: Listen-On does not Affect UDP
Product: Red Hat Enterprise Linux 5
Reporter: Jonathan Steffan <jonathansteffan>
Component: bind
Assignee: Adam Tkac <atkac>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: 5.0
CC: james.l.perrin, ovasik, ralph+rh-bugzilla
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-29 13:52:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jonathan Steffan 2007-10-22 19:33:31 UTC
Description of problem:
listen-on {} directives do not affect UDP

Version-Release number of selected component (if applicable):
bind-9.3.3-9.0.1.el5

How reproducible:
Always

Steps to Reproduce:
1. Install bind onto a multi-homed host
2. Set listen-on {} for a certain IP
3. See bind listening only on that IP for TCP, but on all addresses for UDP
  
Actual results:
TCP is affected, not UDP

Expected results:
both are affected

Comment 1 Adam Tkac 2007-10-23 13:01:35 UTC
Works as expected for me:

/etc/named.conf:

options {
...
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
...
};
...

and "netstat -apn" says that named listens only on 127.0.0.1:53 and on ::1:53.
Could you please check your configuration and, if everything is configured properly,
please attach the named log.

Adam

Comment 2 Jonathan Steffan 2007-10-23 22:14:26 UTC
/var/named/chroot/etc/named.conf:
options {
...
    listen-on {
          65.111.180.225;
          127.0.0.1;
    };
...
};

netstat -plan|grep 53:

tcp 0 0 65.111.180.225:53 0.0.0.0:* LISTEN 32325/named 
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 32325/named 
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 32325/named 
tcp 0 0 ::1:953 :::* LISTEN 32325/named 
udp 0 0 0.0.0.0:53 0.0.0.0:* 32325/named 
udp 0 0 65.111.180.225:53 0.0.0.0:* 32325/named 
udp 0 0 127.0.0.1:53 0.0.0.0:* 32325/named 
udp 0 0 :::53 :::* 32325/named 

Comment 3 Jonathan Steffan 2007-10-23 22:17:18 UTC
listen-on port 53 {
                  65.111.180.225;
                  127.0.0.1;
};
listen-on-v6 port 53 {
                  ::1;
};

This results in the same netstat output.


Comment 4 Adam Tkac 2007-10-24 13:39:54 UTC
Yes, the result is as expected. named always listens on 0.0.0.0 and ::. Try,
for example, deleting 127.0.0.1; from the listen-on statement; named should then
listen on 65.111.180.225 and 0.0.0.0. Could you please confirm that all works as expected?

Comment 5 Jonathan Steffan 2007-10-24 16:07:01 UTC
I'm confused.

"... named always listen on 0.0.0.0 and :: ."

What? Does it always listen on the above only for UDP? TCP is correct, and
listens to what the configuration file states (not on 0.0.0.0 or ::). AFAIK,
listen-on {} is supposed to affect UDP also.

Comment 6 Jim Perrin 2007-10-29 12:35:03 UTC
This is the behavior that I expected also. There's nothing I can find in the
bind docs that state 'listen-on' is tcp only. As there's no interface option as
dhcp has, listen-on is the appropriate method to control this behavior. If UDP
doesn't control this, then it is indeed a bug and needs to be fixed. 

Comment 7 Adam Tkac 2007-10-29 13:52:17 UTC
Those addresses are used when named needs to query other servers (so these are only
outgoing addresses). Please see http://www.isc.org/index.pl?/sw/bind/FAQ.php,
question "Why is named listening on UDP port other than 53?". You can
control where named queries other servers from with the query-source and query-source-v6
options (see the "address" parameter of those options).

Comment 8 Ralph Angenendt 2007-10-29 15:53:19 UTC
That's not really true. This is from an RHEL 3 (well, CentOS 3) box:

root@www1 root # netstat -plan | grep ":53 "
tcp        0      0 10.65.162.67:53             0.0.0.0:*                   LISTEN      7697/named
tcp        0      0 194.187.162.141:53          0.0.0.0:*                   LISTEN      7697/named
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      7697/named
udp        0      0 10.65.162.67:53             0.0.0.0:*                               7697/named
udp        0      0 10.65.163.141:53            0.0.0.0:*                               7697/named
udp        0      0 127.0.0.1:53                0.0.0.0:*                               7697/named
root@www1 root # grep -A3 listen-on /var/named/chroot/etc/named.conf
    listen-on {
        10.65.162.67;
        10.65.163.141;
        127.0.0.1;
root@www1 root # grep query-source /var/named/chroot/etc/named.conf
    # query-source address 10.65.163.141;

As you can easily see there is *no* named listening on any other interface than
those allowed in named.conf via the listen-on directive. And that machine has 5
ethernet interfaces. Neither is there any named listening on 0.0.0.0:53. 

So if bind answers queries on *any* interface which is not in the listen-on
directive, this is clearly a bug. Sure, they could have chosen to listen on all
interfaces and filter those queries out at a later stage, but that seems a tad
stupid to me.

Question for the reporter: Does bind *answer* queries on interfaces which aren't
in listen-on { };?

Comment 9 Adam Tkac 2007-10-29 16:08:04 UTC
(In reply to comment #8)
> That's not really true. This is from an RHEL 3 (well, CentOS 3) box:
> 
> root@www1 root # netstat -plan | grep ":53 "

Try "netstat -plan | grep named". BIND uses a random port for queries to other servers.

> root@www1 root # grep -A3 listen-on /var/named/chroot/etc/named.conf
>     listen-on {
>         10.65.162.67;
>         10.65.163.141;
>         127.0.0.1;
> root@www1 root # grep query-source /var/named/chroot/etc/named.conf
>     # query-source address 10.65.163.141;

Or specify "query-source address <addr> port 53" (when you want to use port 53 for
outgoing queries).

> 
> As you can easily see there is *no* named listening on any other interface than
> those allowed in named.conf via the listen-on directive. And that machine has 5
> ethernet interfaces. Neither is there any named listening on 0.0.0.0:53. 
> 
> So if bind answers queries on *any* interface which is not in the listen-on
> directive, this is clearly a bug. Sure, they could have chosen to listen on all
> interface and filter those queries out in a later stage, but that seems a tad
> stupid to me.
> 
> Question for the reporter: Does bind *answer* queries on interfaces which aren't
> in listen-on { };?



Comment 10 Ralph Angenendt 2007-10-29 17:19:05 UTC
Oh, okay, I see now. I was going to ask "who is so stupid as to set query-source
to 0.0.0.0:53" until I realized that the example named.conf in RHEL5 does
exactly that.

Yes, you're right. If you comment out that line, bind doesn't listen on
0.0.0.0:53 udp anymore.

Probably this bug report wouldn't have blown out of proportion had you asked the
reporter to look at what query-source is set to in his named.conf :)

Cheers,

Ralph
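The thread turns on telling two kinds of socket apart: the per-address listeners that listen-on creates, and the wildcard UDP socket (0.0.0.0:53 / :::53) that a query-source line pinning the outgoing port to 53 creates. The script below is an added example written for this page; it is not code from the bug report, from Red Hat or from BIND. It embeds constructed netstat-style output and two constructed options blocks (documentation addresses 192.0.2.10, an invented PID, the same shape as the RHEL 5 sample named.conf the last comment mentions), and the function names are the example's own. It flags wildcard UDP sockets held by named, reports whether an uncommented query-source or query-source-v6 line pins a fixed port, and lists the listen-on addresses so the two sets can be compared. A pinned outgoing port also means outgoing queries no longer use a random source port, which is the reason a config review should flag it beyond the confusing netstat output.

```shell
#!/bin/sh
# Added example, not code from the bug report or from BIND. It separates the
# sockets that listen-on creates from the wildcard UDP socket that a pinned
# "query-source ... port 53" creates, which is the mix-up in this thread.
# All sample data below is constructed (documentation addresses, invented PID).

# Constructed "netstat -plan" style output, shaped like comment 2.
SAMPLE_NETSTAT='tcp 0 0 192.0.2.10:53 0.0.0.0:* LISTEN 32325/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 32325/named
udp 0 0 0.0.0.0:53 0.0.0.0:* 32325/named
udp 0 0 192.0.2.10:53 0.0.0.0:* 32325/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 32325/named
udp 0 0 :::53 :::* 32325/named'

# Constructed options block in the shape of the RHEL 5 sample named.conf:
# the outgoing query port is pinned to 53.
SAMPLE_CONF_PINNED='options {
        listen-on port 53 { 192.0.2.10; 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        query-source    port 53;
        query-source-v6 port 53;
};'

# The same options with the port pins commented out (comment 10's fix):
# outgoing queries then use a random source port and no wildcard :53
# socket appears.
SAMPLE_CONF_RANDOM='options {
        listen-on port 53 { 192.0.2.10; 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        # query-source    port 53;
        # query-source-v6 port 53;
};'

# wildcard_udp_sockets NETSTAT_TEXT
# Print the local address of every UDP socket held by named that is bound to
# the IPv4 or IPv6 wildcard. listen-on never produces these; a pinned
# query-source port does.
wildcard_udp_sockets() {
    printf '%s\n' "$1" | awk '
        $1 == "udp" && $NF ~ /\/named$/ &&
        ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) { print $4 }'
}

# count_wildcard_udp NETSTAT_TEXT -> number of such sockets (0 when none)
count_wildcard_udp() {
    wildcard_udp_sockets "$1" | awk 'END { print NR }'
}

# has_pinned_query_source CONF_TEXT
# Exit 0 when an uncommented query-source or query-source-v6 line pins a
# fixed port. Besides binding the wildcard socket seen above, a fixed port
# removes source-port randomization from outgoing queries, so this is the
# setting to flag in a configuration review.
has_pinned_query_source() {
    printf '%s\n' "$1" |
        grep -qE '^[[:space:]]*query-source(-v6)?[^;#]*port[[:space:]]+[0-9]+'
}

# listen_on_addresses CONF_TEXT
# Print the addresses inside single-line listen-on / listen-on-v6 statements
# (the multi-line form used in comment 2 is not handled by this example).
listen_on_addresses() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*listen-on[^{]*{\([^}]*\)}.*/\1/p' |
        tr ';' '\n' | tr -d ' \t' | grep -v '^$'
}

# Report for the pinned configuration: the wildcard sockets are explained by
# query-source, not by listen-on.
echo "listen-on addresses:"
listen_on_addresses "$SAMPLE_CONF_PINNED"
echo "wildcard UDP sockets held by named:"
wildcard_udp_sockets "$SAMPLE_NETSTAT"
if has_pinned_query_source "$SAMPLE_CONF_PINNED"; then
    echo "query-source pins a fixed port: this explains the wildcard sockets"
fi
```

Run it as-is to see the report for the pinned configuration; to check a live host, feed it the real output of netstat -plan and the options block of the running named.conf instead of the constructed samples. The listen-on parser deliberately only handles the one-line form, so a multi-line listen-on block such as the one in comment 2 will produce an empty address list rather than a wrong one.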