Re: BIND serving ppp connections

Kevin Darcy wrote:
> Andrew P. wrote:
>
>>Thanks, but that's what the problem is all about. My network
>>has complicated routing. Once I use an address of a stable
>>interface clients will try to access it from different IPs, those
>>prohibited by allow-query. And I can't do rndc reload as I'm
>>not running bind as root (FreeBSD 5.3).
>>
>
> I believe you misunderstood Mark. Anyone with the relevant rndc key can
> execute an "rndc reload" or "rndc reconfig". What superuser authority is
> needed for is in order to bind a privileged port (53) on a
> newly-discovered interface. Sudo and other command-line-level utilities
> don't help here, since the binding is occurring completely within the
> named process itself.

Yep, I understand that :) I meant I could do rndc reload,
but named wouldn't bind to the address because it's not run
as root.

> I still don't quite understand why you can't just run named on one or
> more stable interfaces. Set your allow-query (and/or allow-recursion) to
> whatever address range is given to the PPP clients. You should be able
> to control that using your DHCP subsystem. Even if you have multiple
> pools and weird routing, you should be able to have named listen on
> multiple stable interfaces (virtual and/or physical) so that nameservice
> could be available "locally" on each pool/subnet and not have to go
> through a router. In the absolute worst case, you NAT the client's
> addresses to some range and "allow-query" that range (the stateless
> nature of DNS traffic makes it eminently NAT'able). What am I missing here?

Imagine I have one stable interface with one address, say
192.168.17.1. And when ppp clients connect they get
172.17.0/24, while the server gets 172.17.0.1. The catch is
that all the clients are on one ethernet with the server and
have their local interfaces configured as 192.168.17/24. And
they connect via pppoe to authenticate and say use internet.
Bind serves only local namespaces to unauthenticated
clients (192.168.17/24) and it serves all namespaces to
authenticated clients (172.17.0/24).

So if I try to advertise 192.168.17.1 as a default nameserver
for authenticated clients, they'll access it from
unauthenticated ip's, therefore messing up the whole thing :)

I have now aliased 172.17.0.1 to my loopback address, but
I don't like it very much. I'd rather have a tweak option
in BIND, allowing to force listening on wildcard or non-
existent addresses.

Andrew P.