Re: Change source IP at outgoing packet send by Bind9 as forwarder.
Thanks for the tip. Adding "query-source address bound (lan) IP; port 53;" to named.conf.options. According to preliminary tests, this is it!

Fri, 18 Oct 2019 at 15:41, CpServiceSPb .:

> > Have you tried the query-source option? (You might also need
> > transfer-source and notify-source if you are doing any zone transfers.)
>
> Is it applicable in case the forwarding DNS servers are not mine, as in the
> following there is nothing about zone transfers? For example:
>
> forwarders {
>     7.7.7.7;
>     8.8.8.8;
> };
>
> Fri, 18 Oct 2019 at 14:14, Tony Finch:
>
>> CpServiceSPb . wrote:
>>
>> > So how is Bind9 to be changed, what and where is to be set up, and what
>> > setting would make Bind9 send the forwarded packet via the wan interface
>> > but use the address it is bound to, or the internal one, if it is bound
>> > to 127.0.0.1 and 192.168.0.1?
>>
>> Have you tried the query-source option? (You might also need
>> transfer-source and notify-source if you are doing any zone transfers.)
>>
>> Tony.
>> --
>> f.anthony.n.finch http://dotat.at/
>> Sole, Lundy, Fastnet: West 6 to gale 8, veering northwest 4 to 6. Very rough
>> or high. Thundery showers. Moderate or poor.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Change source IP at outgoing packet send by Bind9 as forwarder.
CpServiceSPb . wrote:

> So how is Bind9 to be changed, what and where is to be set up, and what
> setting would make Bind9 send the forwarded packet via the wan interface
> but use the address it is bound to, or the internal one, if it is bound
> to 127.0.0.1 and 192.168.0.1?

Have you tried the query-source option? (You might also need
transfer-source and notify-source if you are doing any zone transfers.)

Tony.
--
f.anthony.n.finch http://dotat.at/
Sole, Lundy, Fastnet: West 6 to gale 8, veering northwest 4 to 6. Very rough
or high. Thundery showers. Moderate or poor.
Re: Change source IP at outgoing packet send by Bind9 as forwarder.
Maybe I posted my question in too complicated a way. So, let's try with examples.

As I wrote, I have Asterisk as well on the server, bound only to the internal IP, with external trunks, that is, it connects from time to time to an external VoIP provider, that is, through the wild Internet, via the wan interface. I have Iptables with SNAT or MASQUERADE; it doesn't matter which, due to the static wan IP. But to look at what is going on, I flush (that is, reset) the Iptables rules completely and listen to the wan interface with tcpdump.

Finally: routes are set up, iptables rules are flushed, neither SNAT nor MASQUERADE is engaged.

So, when Asterisk sends out either register or option packets (or other ones) to the external VoIP IP, there is Asterisk's bound (in my case INTERNAL) IP as source IP at such an outgoing packet, and according to the routing rules, as its destination is anywhere in the galaxy (not within the server), the server sends it out via wan. That is: source = lan IP, destination = VoIP IP, port = 5060, via = wan interface. As SNAT is deactivated, the source INTERNAL IP is not rewritten. When I set up Iptables rules with SNAT, of course, the source internal IP is changed to the external wan IP. All works fine.

But when I make an nslookup (of an external name, for example gmail.com) from the server, that is, Bind requests an external DNS, I see the following picture: the source IP at the packet is the wan IP, not the bound interface IP (lan IP). That is: source = wan IP, destination = specified DNS IP, port = 53, via = wan interface. I remember, there are NOT iptables rules!

From all of this, including Asterisk's behavior, I conclude that the source IP is chosen initially by the application, not defined by routes or iptables rules. Maybe I am wrong. But these are the facts I can see. And when I rebind Asterisk to the wan interface, I see outgoing packets to the external VoIP IP via the wan interface but with the wan IP as source.

And my question was how and what setting is set up at Bind to place the BOUND interface IP as source IP at packets sent to external DNSes?

Fri, 18 Oct 2019 at 06:53, Grant Taylor via bind-users <bind-users@lists.isc.org>:

> On 10/17/19 3:16 PM, CpServiceSPb . wrote:
> > But when Bind9 forwards queries to external servers, it does it via the wan
> > interface but uses at the first onset the server's external IP as source,
>
> I'm not surprised by this.
>
> > which is not changed by SNAT or MASQUERADE Iptables.
>
> It can be, but it depends on your iptables rules.
>
> > So how is Bind9 to be changed, what and where is to be set up, and what
> > setting would make Bind9 send the forwarded packet via the wan interface
> > but use the address it is bound to, or the internal one, if it is bound
> > to 127.0.0.1 and 192.168.0.1?
>
> To me, this is not a BIND setting. Rather I think it is a Linux routing
> setting.
>
> Run the following command and check the results.
>
> ip route get $RemoteDNSIP
>
> You will quite likely see that Linux is going to send traffic via the
> configured router using the WAN IP as the source IP address.
>
> This is functionally what BIND is doing. It's creating a UDP datagram /
> TCP segment and asking the Linux kernel to turn it into an IP packet and
> send it.
>
> You can use ip routes and ip rules to influence this process. More
> specifically, you can tell Linux to source packets to specific
> destinations* /from/ the LAN IP.
>
> *specific destinations are usually IP addresses. But I am quite sure
> that there are ways to match traffic to UDP and / or TCP port 53. You
> may need ip rules or possibly to mark packets with iptables, et al.
>
> The only time that I've seen this be a problem is when something like a
> VPN or strict filtering on the far end is in place such that the WAN IP
> is not allowed / is not able to communicate with the remote server.
> Yet, the LAN IP is.
>
> Cause Linux to use the LAN IP as the source for this specific traffic.
>
> --
> Grant. . . .
> unix || die
Re: Change source IP at outgoing packet send by Bind9 as forwarder.
On 10/17/19 3:16 PM, CpServiceSPb . wrote:
> But when Bind9 forwards queries to external servers, it does it via the wan
> interface but uses at the first onset the server's external IP as source,

I'm not surprised by this.

> which is not changed by SNAT or MASQUERADE Iptables.

It can be, but it depends on your iptables rules.

> So how is Bind9 to be changed, what and where is to be set up, and what
> setting would make Bind9 send the forwarded packet via the wan interface
> but use the address it is bound to, or the internal one, if it is bound
> to 127.0.0.1 and 192.168.0.1?

To me, this is not a BIND setting. Rather I think it is a Linux routing
setting.

Run the following command and check the results.

ip route get $RemoteDNSIP

You will quite likely see that Linux is going to send traffic via the
configured router using the WAN IP as the source IP address.

This is functionally what BIND is doing. It's creating a UDP datagram /
TCP segment and asking the Linux kernel to turn it into an IP packet and
send it.

You can use ip routes and ip rules to influence this process. More
specifically, you can tell Linux to source packets to specific
destinations* /from/ the LAN IP.

*specific destinations are usually IP addresses. But I am quite sure
that there are ways to match traffic to UDP and / or TCP port 53. You
may need ip rules or possibly to mark packets with iptables, et al.

The only time that I've seen this be a problem is when something like a
VPN or strict filtering on the far end is in place such that the WAN IP
is not allowed / is not able to communicate with the remote server.
Yet, the LAN IP is.

Cause Linux to use the LAN IP as the source for this specific traffic.

--
Grant. . . .
unix || die
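An added example, not a script from the thread, for the routing-side check Grant describes: it reads the `src` field the kernel reports for a destination via `ip route get` and compares it with the LAN address the resolver is supposed to use. The interface names, gateway, mark value and routing-table number in the comments are assumptions; the `ip route get` output line embedded in the script is a constructed sample, so the check can be exercised without a live network, and a real address can be passed as the first argument on a host with iproute2.

```shell
#!/bin/sh
# Added example, not from the thread.  Interface names, the gateway address,
# the fwmark value and the table number are assumptions.
set -eu

LAN_IP=${LAN_IP:-192.168.0.1}

# route_src LINE: print the "src" field of one "ip route get" output line.
route_src() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i+1); exit } }'
}

# check_source DEST LINE: succeed when the kernel would send to DEST from
# $LAN_IP according to LINE (the "ip route get DEST" output), fail otherwise.
check_source() {
    [ "$(route_src "$2")" = "$LAN_IP" ]
}

# Constructed sample of what a dual-NIC host typically answers before any
# policy routing is in place: the WAN address is chosen as source.
SAMPLE='8.8.8.8 via 203.0.113.1 dev wan0 src 203.0.113.10 uid 0'

# One way to make the kernel source port-53 traffic from the LAN address
# instead (the ip rule / fwmark approach Grant mentions; run as root on the
# resolver host, deliberately not executed by this script):
#   iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 53
#   iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 53
#   ip rule add fwmark 53 lookup 100
#   ip route add default via 203.0.113.1 dev wan0 src 192.168.0.1 table 100
# Afterwards "ip route get 8.8.8.8 mark 53" should report "src 192.168.0.1",
# and the SNAT/MASQUERADE rule rewrites that address on the way out.

if [ $# -gt 0 ]; then
    # Live check on the current host: needs iproute2 and a route to the address.
    ROUTE=$(ip route get "$1" | head -n 1)
    if check_source "$1" "$ROUTE"; then
        echo "kernel already sources $1 from $LAN_IP"
    else
        echo "kernel would source $1 from $(route_src "$ROUTE"), not $LAN_IP"
    fi
else
    echo "sample: kernel would source 8.8.8.8 from $(route_src "$SAMPLE")"
fi
```

The policy-routing variant is the one to reach for when the resolver cannot be told which address to bind (or when several daemons need the same treatment); for BIND alone, `query-source` does the same job inside the application and is easier to audit.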
Re: Change source IP at outgoing packet send by Bind9 as forwarder.
OK, it might be too early and I'm not getting your question, I'm only half way through my first coffee of the day... But if you have 192.168.0.1 as lan, and the wan, let's say, is 1.1.1.1, and it needs to resolve a hostname, it has to go to the big wide world of internets, and it can only do that using 1.1.1.1, therefore that's the only way it will work; your internal LAN IP is not asking the root servers or subsequent in chain, your WAN IP is, because routing, pvt address space etc, you know...

On 18/10/2019 07:16, CpServiceSPb . wrote:
> I have Bind9 on Ubuntu 18.04 x64 LTS working as a cache and forwarding one.
> There are some forwarders IPs.
>
> Server has 2 NICs (lan and wan).
>
> Bind9 binds strictly to localhost and lan NICs, that is to 127.0.0.1 and
> 192.168.0.1.
> But when Bind9 forwards queries to external servers, it does it via the wan
> interface but uses at the first onset the server's external IP as source, which
> is not changed by SNAT or MASQUERADE Iptables.
> Unlike other software, for example Asterisk, which is bound to the lan interface
> only and uses the internal (192.168.0.1) IP as source for outgoing packets, and
> then iptables changes the source address of such outgoing packets from internal
> to external using either SNAT or MASQUERADE.
>
> So how is Bind9 to be changed, what and where is to be set up, and what
> setting would make Bind9 send the forwarded packet via the wan interface
> but use the address it is bound to, or the internal one, if it is bound
> to 127.0.0.1 and 192.168.0.1?

--
Kind Regards,
Noel Butler

This Email, including any attachments, may contain legally privileged information, therefore remains confidential and subject to copyright protected under international law. You may not disseminate, discuss, or reveal, any part, to anyone, without the author's express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments, immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message. Only PDF [1] and ODF [2] documents accepted, please do not send proprietary formatted documents.

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument
Change source IP at outgoing packet send by Bind9 as forwarder.
I have Bind9 on Ubuntu 18.04 x64 LTS working as a cache and forwarding one. There are some forwarders IPs.

Server has 2 NICs (lan and wan).

Bind9 binds strictly to localhost and lan NICs, that is to 127.0.0.1 and 192.168.0.1.
But when Bind9 forwards queries to external servers, it does it via the wan interface but uses at the first onset the server's external IP as source, which is not changed by SNAT or MASQUERADE Iptables.
Unlike other software, for example Asterisk, which is bound to the lan interface only and uses the internal (192.168.0.1) IP as source for outgoing packets, and then iptables changes the source address of such outgoing packets from internal to external using either SNAT or MASQUERADE.

So how is Bind9 to be changed, what and where is to be set up, and what setting would make Bind9 send the forwarded packet via the wan interface but use the address it is bound to, or the internal one, if it is bound to 127.0.0.1 and 192.168.0.1?