Syntax. The parser is matching on "localhost" before it sees the negated elements.

- Kevin

John Center wrote:
Hi,

I'm testing Bind 9.6.1-P1 on Solaris 10 SPARC (64bit/Sun Studio 12.1) & I noticed this in the logs:

Sep 9 13:15:31 ns3a/ns3a named[23042]: [ID 873579 daemon.info] listening on IPv4 interface lo0, 127.0.0.1#53
Sep 9 13:15:31 ns3a/ns3a named[23042]: [ID 873579 daemon.info] listening on IPv4 interface bge0, 153.104.92.2#53
Sep 9 13:15:31 ns3a/ns3a named[23042]: [ID 873579 daemon.info] listening on IPv4 interface bge0:1, 153.104.92.4#53
Sep 9 13:15:31 ns3a/ns3a named[23042]: [ID 873579 daemon.info] listening on IPv4 interface bge1, 10.104.36.20#53

I only wanted named to listen on one interface + the loopback, so I added a listen-on statement in named.conf:

acl testnets { 153.104.244.0/24; 153.104.248.0/24; };
options {
    directory "/opt/isc/bind/var/db";
    allow-query { testnets; };
    listen-on { localhost; 153.104.92.2; };
    listen-on-v6 { none; };
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "db.127.0.0";
    notify no;
};

But, I still have the same log entries when I start named. I then modified named.conf to specifically exclude the other interfaces:

listen-on { localhost; 153.104.92.2; !153.104.92.4; !10.104.36.20; };

But, again, I'm still seeing it state that it is listening on the excluded interfaces. I tried increasing the debug level, but I didn't see any additional info pertaining to this. I know that it is listening on the excluded interfaces because I see queries on the 10.104.36.20 interface:

Sep 9 13:09:16 ns3a/ns3a named[22867]: [ID 873579 daemon.info] client 10.104.109.0#1041: query (cache) 'ATF/A/IN' denied
Sep 9 13:09:16 ns3a/ns3a named[22867]: [ID 873579 daemon.info] client 10.104.109.0#1046: query (cache) 'ATP.villanova.edu/A/IN' denied

Is this a known problem? It's an issue for us because we restrict DNS queries to particular interfaces. If it isn't a known bug, I'd be glad to help troubleshoot this problem.

Thanks.

-John


_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
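
A small Python model of the first-match evaluation described in the reply, added here as an illustration; it is not BIND's code and not part of the original thread. It assumes the built-in "localhost" ACL covers every address configured on the host, uses the interface addresses from the log above, and the two alternative lists are constructed for comparison.

```python
import ipaddress

# Interface addresses taken from the startup log in the message above.
LOCAL_ADDRS = ["127.0.0.1", "153.104.92.2", "153.104.92.4", "10.104.36.20"]

def element_matches(element, addr, local_addrs):
    """True if one list element (with any '!' already removed) covers addr."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element == "localhost":
        # Assumption stated in the lead-in: the built-in ACL means every
        # address configured on the host, not just 127.0.0.1.
        return addr in {ipaddress.ip_address(a) for a in local_addrs}
    return addr in ipaddress.ip_network(element, strict=False)

def first_match(match_list, addr, local_addrs=LOCAL_ADDRS):
    """Return (allowed, deciding_element); the first matching element wins."""
    ip = ipaddress.ip_address(addr)
    for raw in match_list:
        negated = raw.startswith("!")
        element = raw.lstrip("!").strip()
        if element_matches(element, ip, local_addrs):
            return (not negated, raw)
    return (False, None)  # nothing matched: address is not in the list

def listening_on(match_list, local_addrs=LOCAL_ADDRS):
    """Addresses the modelled server would bind for a listen-on list."""
    return [a for a in local_addrs if first_match(match_list, a, local_addrs)[0]]

# The list as posted: "localhost" is consulted before the negations.
AS_POSTED = ["localhost", "153.104.92.2", "!153.104.92.4", "!10.104.36.20"]
# Constructed alternatives: negations ahead of "localhost", or no "localhost".
NEGATIONS_FIRST = ["!153.104.92.4", "!10.104.36.20", "localhost", "153.104.92.2"]
EXPLICIT = ["127.0.0.1", "153.104.92.2"]

if __name__ == "__main__":
    for name, lst in [("as posted", AS_POSTED),
                      ("negations first", NEGATIONS_FIRST),
                      ("explicit", EXPLICIT)]:
        print(f"{name:16} -> {listening_on(lst)}")
    print("10.104.36.20 decided by:", first_match(AS_POSTED, "10.104.36.20")[1])
```

After changing the real configuration, the "listening on IPv4 interface" lines that named logs at startup are the check that only the intended addresses are bound.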
