
Re: address spoofing

  • From: Andrew Brown
  • Date: Sun Apr 25 11:12:47 1999

>> then, you can have (if you want) another bind listening on other
>> interfaces for other stuff.  like the "internal dns" server that you
>> mentioned.  or maybe a recursive, caching-only server that listens
>> only on 127.0.0.1.  of course...they can speak to each other if need
>> be.  :)
>
>I tried 2 instances of BIND and they didn't work right.  One functioned
>and the other played dead (very dead ... as in the process blocked and
>would not wake up).  One needs 2 separate machines to get it to actually
>work right (times the amount of redundancy desired).  If you know the
>magic to make it work right, I'd sure like to know.  Maybe some kind of
>lock somewhere?

the trick is to tell them specifically to listen on different
interfaces.  if you don't do that, then they will collide.  other
things (such as a different query or forwarding port, a separate pid
file, etc.) are also rather necessary.

i will attach a small shar file that paul vixie posted to the
bind-workers mailing list a little over a year and a half ago that
demonstrates exactly this.

-- 
|-----< "CODE WARRIOR" >-----|
[email protected]             * "ah!  i see you have the internet
[email protected] (Andrew Brown)                that goes *ping*!"
[email protected]       * "information is power -- share the wealth."
#!/bin/sh
# This is a shell archive (produced by GNU sharutils 4.2).
# To extract the files from this archive, save it to some FILE, remove
# everything before the `!/bin/sh' line above, then type `sh FILE'.
#
# Made on 1997-08-14 13:58 PDT by <[email protected]>.
# Source directory was `/var/named'.
#
# Existing files will *not* be overwritten unless `-c' is specified.
#
# This shar contains:
# length mode       name
# ------ ---------- ------------------------------------------
#    140 -rw-rw-r-- rc.stuff
#    827 -rw-r--r-- named.db.conf
#    300 -rw-r--r-- named.localhost.conf
#    197 -r--r--r-- inf/127.0.0
#   1488 -r--r--r-- inf/cache.db
#    353 -r--r--r-- inf/localhost
#
# Look for a GNU gettext and the sharutils message catalogue so that the
# archive's status messages can be translated; otherwise plain echo is used.
# NOTE(review): this probes and *executes* `gettext` and `shar` from every
# PATH entry, so a PATH that contains "." or a writable directory would run
# whatever binary of that name lives there; $dir is also left unquoted.
save_IFS="${IFS}"
# Add ':' to IFS so the unquoted $PATH below splits on its separators.
IFS="${IFS}:"
gettext_dir=FAILED
locale_dir=FAILED
# The `set` below replaces the positional parameters, so the optional -c
# (overwrite existing files) flag is remembered before $1 is clobbered.
first_param="$1"
for dir in $PATH
do
  if test "$gettext_dir" = FAILED && test -f $dir/gettext \
     && ($dir/gettext --version >/dev/null 2>&1)
  then
    # Re-use $1.. as the words of the version banner; the third word is
    # "GNU" for GNU gettext.
    set `$dir/gettext --version 2>&1`
    if test "$3" = GNU
    then
      gettext_dir=$dir
    fi
  fi
  if test "$locale_dir" = FAILED && test -f $dir/shar \
     && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
  then
    locale_dir=`$dir/shar --print-text-domain-dir`
  fi
done
IFS="$save_IFS"
# $echo is used for every message below: either the shell's echo, or
# `gettext -s`, which looks each message up in the sharutils domain.
if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
then
  echo=echo
else
  TEXTDOMAINDIR=$locale_dir
  export TEXTDOMAINDIR
  TEXTDOMAIN=sharutils
  export TEXTDOMAIN
  echo="$gettext_dir/gettext -s"
fi
# Probe whether `touch` understands the old MMDDhhmmyy timestamp form.
# A touch that does not treats the number as a file name and creates
# "1231235999" instead of stamping $$.touch; timestamps are then skipped.
touch -am 1231235999 $$.touch >/dev/null 2>&1
if test ! -f 1231235999 && test -f $$.touch; then
  shar_touch=touch
else
  # ':' is the shell no-op, so the later $shar_touch calls do nothing.
  shar_touch=:
  echo
  $echo 'WARNING: not restoring timestamps.  Consider getting and'
  $echo "installing GNU \`touch', distributed in GNU File Utilities..."
  echo
fi
# Remove both possible probe artefacts from the current directory.
rm -f 1231235999 $$.touch
#
# Create the fixed-name lock directory that marks an extraction in
# progress in the current directory; it is removed again at the end of
# the archive.  An existing directory (or no write permission here)
# aborts the whole extraction.
if ! mkdir _sh21377; then
  $echo 'failed to create lock directory'
  exit 1
fi
$echo 'x -' 'creating lock directory'
# ============= rc.stuff ==============
# rc.stuff: the two rc lines that start the authoritative instance
# (named.db.conf) and the loopback-only recursive instance
# (named.localhost.conf) from separate configuration files -- the whole
# point of the archive.  Both lines hard-code /usr/sbin/named and
# /var/named.
if test -f 'rc.stuff' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'rc.stuff' '(file already exists)'
else
  $echo 'x -' extracting 'rc.stuff' '(text)'
  # Payload lines that shar had to protect start with 'X', which sed
  # strips; the quoted SHAR_EOF delimiter prevents any expansion.
  sed 's/^X//' << 'SHAR_EOF' > 'rc.stuff' &&
echo -n " named(db)";	/usr/sbin/named -c /var/named/named.db.conf
echo -n " named(lo0)";	/usr/sbin/named -c /var/named/named.localhost.conf
SHAR_EOF
  $shar_touch -am 0814135897 'rc.stuff' &&
  chmod 0664 'rc.stuff' ||
  $echo 'restore of' 'rc.stuff' 'failed'
  # Integrity check: use md5sum -c when an md5sum that supports it (and
  # is not the textutils 1.12 one) is present; otherwise only the byte
  # count is compared.  A mismatch is reported but does not abort.
  if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
    || $echo 'rc.stuff:' 'MD5 check failed'
81d47871d3ce82faf4bb7956303c6dae  rc.stuff
SHAR_EOF
  else
    # Locale variables are cleared, presumably to keep wc's output stable.
    shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'rc.stuff'`"
    test 140 -eq "$shar_count" ||
    $echo 'rc.stuff:' 'original size' '140,' 'current size' "$shar_count!"
  fi
fi
# ============= named.db.conf ==============
# named.db.conf: configuration for the *authoritative* BIND instance.
# It listens only on the public address (listen-on { 204.152.187.21; })
# and sets `recursion no`, so it answers just for its own zones: it is
# not an open resolver and cannot be fed spoofed answers through
# recursive lookups.  No allow-transfer statement is present, so
# zone-transfer access is whatever this BIND's default is -- confirm and
# restrict it if needed.
if test -f 'named.db.conf' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'named.db.conf' '(file already exists)'
else
  $echo 'x -' extracting 'named.db.conf' '(text)'
  # Leading 'X' protects payload lines from shar and is stripped here.
  sed 's/^X//' << 'SHAR_EOF' > 'named.db.conf' &&
#
# $Id:$
#
X
options {
X	check-names response warn;
X	directory "/var/named";
X	recursion no;
X	listen-on { 204.152.187.21; };
};
X
################################################################ master
X
zone "rc.vix.com" {
X	type master;
X	file "pri/rc.vix.com";
};
X
zone "186.152.204.in-addr.arpa" {
X	type master;
X	file "pri/204.152.186";
};
X
zone "187.152.204.in-addr.arpa" {
X	type master;
X	file "pri/204.152.187";
};
X
################################################################ slave
X
zone "vix.com" {
X	type slave;
X	file "sec/vix.com";
X	masters { 192.5.5.1; };
};
X
################################################################ infrastructure
X
zone "localhost" {
X	type master;
X	file "inf/localhost";
};
X
zone "0.0.127.in-addr.arpa" {
X	type master;
X	file "inf/127.0.0";
};
X
zone "." {
X	type hint;
X	file "inf/cache.db";
};
X
SHAR_EOF
  $shar_touch -am 0813224397 'named.db.conf' &&
  chmod 0644 'named.db.conf' ||
  $echo 'restore of' 'named.db.conf' 'failed'
  # Integrity check: md5sum -c when available (excluding textutils 1.12),
  # otherwise a byte-count comparison; failures are reported, not fatal.
  if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
    || $echo 'named.db.conf:' 'MD5 check failed'
e67508b3d850d9bf523b76604bb19302  named.db.conf
SHAR_EOF
  else
    shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'named.db.conf'`"
    test 827 -eq "$shar_count" ||
    $echo 'named.db.conf:' 'original size' '827,' 'current size' "$shar_count!"
  fi
fi
# ============= named.localhost.conf ==============
# named.localhost.conf: configuration for the *recursive, caching-only*
# BIND instance.  It binds only 127.0.0.1 (listen-on) with `recursion
# yes`, so recursion is offered to local clients alone, and it is master
# only for the localhost forward/reverse zones plus the root hints.  The
# two instances differ in listen-on address, which is what keeps them
# from colliding on the same port.
if test -f 'named.localhost.conf' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'named.localhost.conf' '(file already exists)'
else
  $echo 'x -' extracting 'named.localhost.conf' '(text)'
  # Leading 'X' protects payload lines from shar and is stripped here.
  sed 's/^X//' << 'SHAR_EOF' > 'named.localhost.conf' &&
#
# $Id:$
#
X
options {
X	check-names response warn;
X	directory "/var/named";
X	recursion yes;
X	listen-on { 127.0.0.1; };
};
X
zone "localhost" {
X	type master;
X	file "inf/localhost";
};
X
zone "0.0.127.in-addr.arpa" {
X	type master;
X	file "inf/127.0.0";
};
X
zone "." {
X	type hint;
X	file "inf/cache.db";
};
SHAR_EOF
  $shar_touch -am 0813224297 'named.localhost.conf' &&
  chmod 0644 'named.localhost.conf' ||
  $echo 'restore of' 'named.localhost.conf' 'failed'
  # Integrity check: md5sum -c when available (excluding textutils 1.12),
  # otherwise a byte-count comparison; failures are reported, not fatal.
  if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
    || $echo 'named.localhost.conf:' 'MD5 check failed'
5300d6e5f49af84642a56d582b02d841  named.localhost.conf
SHAR_EOF
  else
    shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'named.localhost.conf'`"
    test 300 -eq "$shar_count" ||
    $echo 'named.localhost.conf:' 'original size' '300,' 'current size' "$shar_count!"
  fi
fi
# ============= inf/127.0.0 ==============
# inf/127.0.0: reverse zone for 0.0.127.in-addr.arpa, shared by both
# instances.  It maps 1 (127.0.0.1) back to localhost. and names
# localhost. as its only NS.
# The inf/ directory is created on first use; later files reuse it.
if test ! -d 'inf'; then
  $echo 'x -' 'creating directory' 'inf'
  mkdir 'inf'
fi
if test -f 'inf/127.0.0' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'inf/127.0.0' '(file already exists)'
else
  $echo 'x -' extracting 'inf/127.0.0' '(text)'
  # Leading 'X' protects payload lines from shar and is stripped here.
  sed 's/^X//' << 'SHAR_EOF' > 'inf/127.0.0' &&
@	IN	SOA	localhost. root.localhost. (
X			42	; serial
X			3600	; refresh (1 hour)
X			1800	; retry (30 mins)
X			604800	; expire (7 days)
X			3600 )	; minimum (1 hour)
X		NS	localhost.
1		PTR	localhost.
SHAR_EOF
  $shar_touch -am 0813184197 'inf/127.0.0' &&
  chmod 0444 'inf/127.0.0' ||
  $echo 'restore of' 'inf/127.0.0' 'failed'
  # Integrity check: md5sum -c when available (excluding textutils 1.12),
  # otherwise a byte-count comparison; failures are reported, not fatal.
  if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
    || $echo 'inf/127.0.0:' 'MD5 check failed'
943368ab6e5913bc1dad2644287a7e6a  inf/127.0.0
SHAR_EOF
  else
    shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'inf/127.0.0'`"
    test 197 -eq "$shar_count" ||
    $echo 'inf/127.0.0:' 'original size' '197,' 'current size' "$shar_count!"
  fi
fi
# ============= inf/cache.db ==============
# inf/cache.db: root hints, captured as raw DiG 8.1 output on 1997-08-13
# and used as the `type hint` file for "." by both instances.  The
# addresses are whatever the root servers answered then; hints this old
# should be regenerated from a current, trusted source before use rather
# than restored from this archive.
if test -f 'inf/cache.db' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'inf/cache.db' '(file already exists)'
else
  $echo 'x -' extracting 'inf/cache.db' '(text)'
  # Leading 'X' protects payload lines from shar and is stripped here.
  sed 's/^X//' << 'SHAR_EOF' > 'inf/cache.db' &&
X
; <<>> DiG 8.1 <<>> @a.root-servers.net . ns 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;;	., type = NS, class = IN
X
;; ANSWER SECTION:
X.			6D IN NS	E.ROOT-SERVERS.NET.
X.			6D IN NS	I.ROOT-SERVERS.NET.
X.			6D IN NS	F.ROOT-SERVERS.NET.
X.			6D IN NS	G.ROOT-SERVERS.NET.
X.			6D IN NS	J.ROOT-SERVERS.NET.
X.			6D IN NS	K.ROOT-SERVERS.NET.
X.			6D IN NS	L.ROOT-SERVERS.NET.
X.			6D IN NS	M.ROOT-SERVERS.NET.
X.			6D IN NS	A.ROOT-SERVERS.NET.
X.			6D IN NS	H.ROOT-SERVERS.NET.
X.			6D IN NS	B.ROOT-SERVERS.NET.
X.			6D IN NS	C.ROOT-SERVERS.NET.
X.			6D IN NS	D.ROOT-SERVERS.NET.
X
;; ADDITIONAL SECTION:
E.ROOT-SERVERS.NET.	6D IN A		192.203.230.10
I.ROOT-SERVERS.NET.	6D IN A		192.36.148.17
F.ROOT-SERVERS.NET.	6D IN A		192.5.5.241
G.ROOT-SERVERS.NET.	6D IN A		192.112.36.4
J.ROOT-SERVERS.NET.	5w6d16h IN A	198.41.0.10
K.ROOT-SERVERS.NET.	5w6d16h IN A	193.0.14.129
L.ROOT-SERVERS.NET.	5w6d16h IN A	198.32.64.12
M.ROOT-SERVERS.NET.	5w6d16h IN A	198.32.65.12
A.ROOT-SERVERS.NET.	6D IN A		198.41.0.4
H.ROOT-SERVERS.NET.	6D IN A		128.63.2.53
B.ROOT-SERVERS.NET.	6D IN A		128.9.0.107
C.ROOT-SERVERS.NET.	6D IN A		192.33.4.12
D.ROOT-SERVERS.NET.	6D IN A		128.8.10.90
X
;; Total query time: 98 msec
;; FROM: db.rc.vix.com to SERVER: a.root-servers.net  198.41.0.4
;; WHEN: Wed Aug 13 18:40:21 1997
;; MSG SIZE  sent: 17  rcvd: 436
X
SHAR_EOF
  $shar_touch -am 0813184097 'inf/cache.db' &&
  chmod 0444 'inf/cache.db' ||
  $echo 'restore of' 'inf/cache.db' 'failed'
  # Integrity check: md5sum -c when available (excluding textutils 1.12),
  # otherwise a byte-count comparison; failures are reported, not fatal.
  if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
    || $echo 'inf/cache.db:' 'MD5 check failed'
9cb7ed6393b7570137b27690250a1d15  inf/cache.db
SHAR_EOF
  else
    shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'inf/cache.db'`"
    test 1488 -eq "$shar_count" ||
    $echo 'inf/cache.db:' 'original size' '1488,' 'current size' "$shar_count!"
  fi
fi
# ============= inf/localhost ==============
# inf/localhost: forward zone for "localhost", shared by both instances.
# NOTE(review): besides the SOA and NS, the only data record is a PTR to
# 1.0.0.127.in-addr.arpa. -- there is no A 127.0.0.1 record for the zone
# apex; confirm that is what the author intended.
if test -f 'inf/localhost' && test "$first_param" != -c; then
  $echo 'x -' SKIPPING 'inf/localhost' '(file already exists)'
else
  $echo 'x -' extracting 'inf/localhost' '(text)'
  # Leading 'X' protects payload lines from shar and is stripped here.
  sed 's/^X//' << 'SHAR_EOF' > 'inf/localhost' &&
@	in	soa	localhost. root.localhost. (
X                        42      ; serial
X                        3600    ; refresh (1 hour)
X                        1800    ; retry (30 mins)
X                        604800  ; expire (7 days)
X                        3600 )  ; minimum (1 hour)
X
X        	ns	localhost.
X                ptr     1.0.0.127.in-addr.arpa.
SHAR_EOF
  $shar_touch -am 0813182497 'inf/localhost' &&
  chmod 0444 'inf/localhost' ||
  $echo 'restore of' 'inf/localhost' 'failed'
  # Integrity check: md5sum -c when available (excluding textutils 1.12),
  # otherwise a byte-count comparison; failures are reported, not fatal.
  if ( md5sum --help 2>&1 | grep 'sage: md5sum \[' ) >/dev/null 2>&1 \
  && ( md5sum --version 2>&1 | grep -v 'textutils 1.12' ) >/dev/null; then
    md5sum -c << SHAR_EOF >/dev/null 2>&1 \
    || $echo 'inf/localhost:' 'MD5 check failed'
21c9332f243d5b7c80894a5548e86666  inf/localhost
SHAR_EOF
  else
    shar_count="`LC_ALL= LC_CTYPE= LANG= wc -c < 'inf/localhost'`"
    test 353 -eq "$shar_count" ||
    $echo 'inf/localhost:' 'original size' '353,' 'current size' "$shar_count!"
  fi
fi
# Drop the lock directory created when extraction began.  A run always
# ends here with a zero status: the per-file MD5/size mismatches above
# are only reported, never fatal, so callers must read the messages.
rm -rf -- _sh21377
exit 0