Description of problem:
listen-on {} directives do not affect UDP

Version-Release number of selected component (if applicable):
bind-9.3.3-9.0.1.el5

How reproducible:
Always

Steps to Reproduce:
1. Install bind onto a multi-homed host
2. Set listen-on {} for a certain IP
3. See bind only listening on the certain IP on TCP, listening on all UDP

Actual results:
TCP is affected, not UDP

Expected results:
both are affected
Works as expected for me:

/etc/named.conf:
options {
...
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
...
};
...

and "netstat -apn" says that named listens only on 127.0.0.1:53 and on ::1:53. Could you please check your configuration and, if all is configured properly, please attach the named log.

Adam
/var/named/chroot/etc/named.conf:
options {
...
listen-on { 65.111.180.225; 127.0.0.1; };
...
};

netstat -plan|grep 53:
tcp 0 0 65.111.180.225:53 0.0.0.0:* LISTEN 32325/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 32325/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 32325/named
tcp 0 0 ::1:953 :::* LISTEN 32325/named
udp 0 0 0.0.0.0:53 0.0.0.0:* 32325/named
udp 0 0 65.111.180.225:53 0.0.0.0:* 32325/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 32325/named
udp 0 0 :::53 :::* 32325/named
listen-on port 53 { 65.111.180.225; 127.0.0.1; };
listen-on-v6 port 53 { ::1; };

This results in the same netstat output.
Yes, the result is as expected. named always listens on 0.0.0.0 and ::. You could try, for example, deleting 127.0.0.1; from the listen-on statement, and named should then listen on 65.111.180.225 and 0.0.0.0. Could you please confirm that all works as expected?
I'm confused. "... named always listens on 0.0.0.0 and ::." What? Does it always listen on the above only for UDP? TCP is correct, and listens on what the configuration file states (not on 0.0.0.0 or ::). AFAIK, listen-on {} is supposed to affect UDP also.
This is the behavior that I expected also. There's nothing I can find in the bind docs that states 'listen-on' is TCP only. As there's no interface option like dhcp has, listen-on is the appropriate method to control this behavior. If UDP doesn't control this, then it is indeed a bug and needs to be fixed.
Those addresses are used when named needs to query other servers (so these are only outgoing addresses). Please see http://www.isc.org/index.pl?/sw/bind/FAQ.php, question "Why is named listening on UDP port other than 53?". You are able to control where named queries other servers with the query-source and query-source-v6 options (see the "address" parameter of the options).
That's not really true. This is from an RHEL 3 (well, CentOS 3) box:

root@www1 root # netstat -plan | grep ":53 "
tcp 0 0 10.65.162.67:53 0.0.0.0:* LISTEN 7697/named
tcp 0 0 194.187.162.141:53 0.0.0.0:* LISTEN 7697/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 7697/named
udp 0 0 10.65.162.67:53 0.0.0.0:* 7697/named
udp 0 0 10.65.163.141:53 0.0.0.0:* 7697/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 7697/named
root@www1 root # grep -A3 listen-on /var/named/chroot/etc/named.conf
listen-on {
10.65.162.67;
10.65.163.141;
127.0.0.1;
root@www1 root # grep query-source /var/named/chroot/etc/named.conf
# query-source address 10.65.163.141;

As you can easily see there is *no* named listening on any other interface than those allowed in named.conf via the listen-on directive. And that machine has 5 ethernet interfaces. Neither is there any named listening on 0.0.0.0:53.

So if bind answers queries on *any* interface which is not in the listen-on directive, this is clearly a bug. Sure, they could have chosen to listen on all interfaces and filter those queries out in a later stage, but that seems a tad stupid to me.

Question for the reporter: Does bind *answer* queries on interfaces which aren't in listen-on { };?
(In reply to comment #8)
> That's not really true. This is from an RHEL 3 (well, CentOS 3) box:
>
> root@www1 root # netstat -plan | grep ":53 "

try $netstat -plan |grep named. BIND uses a random port for queries to other servers

> root@www1 root # grep -A3 listen-on /var/named/chroot/etc/named.conf
> listen-on {
> 10.65.162.67;
> 10.65.163.141;
> 127.0.0.1;
> root@www1 root # grep query-source /var/named/chroot/etc/named.conf
> # query-source address 10.65.163.141;

or specify query-source address <addr> port 53 (when you want to use port 53 for outgoing queries)

> As you can easily see there is *no* named listening on any other interface than
> those allowed in named.conf via the listen-on directive. And that machine has 5
> ethernet interfaces. Neither is there any named listening on 0.0.0.0:53.
>
> So if bind answers queries on *any* interface which is not in the listen-on
> directive, this is clearly a bug. Sure, they could have chosen to listen on all
> interface and filter those queries out in a later stage, but that seems a tad
> stupid to me.
>
> Question for the reporter: Does bind *answer* queries on interfaces which aren't
> in listen-on { };?
Oh, okay, I see now. I was going to ask "who is that stupid to set query-source to 0.0.0.0:53" until I realized that the example named.conf in RHEL5 does exactly that. Yes, you're right. If you comment out that line bind doesn't listen on 0.0.0.0:53 udp anymore. Probably this bug report wouldn't have blown out of proportion had you asked the reporter to look at what query-source is set to in his named.conf :)

Cheers,
Ralph
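An added check, not from this report or from BIND, that runs over a constructed copy of the netstat output quoted above and flags the wildcard UDP :53 sockets together with the uncommented query-source line that produces them; the `query-source port 53;` form of the RHEL5 sample named.conf is an assumption, as are the function names.

```shell
#!/bin/sh
# Added check (not part of BIND or of this report): flag named UDP sockets
# bound to a wildcard address and the named.conf line that causes them.
# The netstat lines are constructed from the output quoted in this report;
# the pinned query-source line is the assumed form of the RHEL5 sample conf.

SAMPLE_NETSTAT='tcp 0 0 65.111.180.225:53 0.0.0.0:* LISTEN 32325/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 32325/named
udp 0 0 0.0.0.0:53 0.0.0.0:* 32325/named
udp 0 0 65.111.180.225:53 0.0.0.0:* 32325/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 32325/named
udp 0 0 :::53 :::* 32325/named'

# options block with query-source pinned to port 53 (assumed RHEL5 default):
# named then opens 0.0.0.0:53 and :::53 UDP for outgoing queries
SAMPLE_CONF_BAD='options {
  listen-on port 53 { 65.111.180.225; 127.0.0.1; };
  query-source port 53;
  query-source-v6 port 53;
};'

# same block with the pin removed: outgoing queries use a random port from
# the given address, so only the listen-on addresses remain bound on UDP :53
SAMPLE_CONF_GOOD='options {
  listen-on port 53 { 65.111.180.225; 127.0.0.1; };
  // query-source port 53;
  query-source address 65.111.180.225;
};'

# Print the local address of every UDP port-53 socket bound to a wildcard.
# Input: "netstat -plan" output on stdin; field 4 is the local address.
wildcard_udp53() {
  awk '$1 ~ /^udp/ && ($4 == "0.0.0.0:53" || $4 == ":::53") { print $4 }'
}

# Print active (uncommented) query-source lines that pin the port to 53.
# Input: named.conf on stdin; "//" and "#" comments are stripped first.
query_source_port53() {
  sed -e 's|//.*||' -e 's|#.*||' \
    | grep -E 'query-source(-v6)?[[:space:]].*port[[:space:]]+53' || true
}

echo "wildcard UDP :53 sockets:"
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_udp53
echo "pinned query-source lines in the bad conf:"
printf '%s\n' "$SAMPLE_CONF_BAD" | query_source_port53
echo "pinned query-source lines in the good conf: (none expected)"
printf '%s\n' "$SAMPLE_CONF_GOOD" | query_source_port53
```

On a live host, feed `netstat -plan` and the real named.conf through the same two functions; the wildcard sockets should disappear once the pinned query-source line is gone and named is restarted.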