The listen-on statement of bind9 configuration seems to only take IP address(es) for an interface. "man named.conf" shows details on listen-on.
For an internal named daemon, the interface being listened on can be declared as:
listen-on {
127.0.0.1;
192.168.1.1;
};
Now onward to the external bind9/named daemon... ISP provides a dynamic IP address to this box (i.e. 4.3.2.1). If I wanted to listen ONLY to the ISP-assigned IP address, I tried this:
listen-on {
!127.0.0.1;
!192.168.1.1;
};
Alas, that didn't work at stopping bind named from picking up any of the unused network interfaces.
How does one make the bind9 named daemon listen ONLY on the dynamic IP interface and none of the unused interfaces (IP addresses)? Remember, you don't know in advance the IP address of the public-facing network interface that you need for your bind's configuration file.
This works for me:
listen-on {
!127.0.0.1;
!172.17.0.0/24;
0.0.0.0/0;
};
Or if you know the list of the potential IP address ranges used by the service provider (you could ask them, or you could look into the WHOIS database for their AS route objects), you could list those prefixes only:
listen-on {
194.38.96.0/19;
200.201.202.0/24;
};
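As an added example (not code from the question or from the answer above), here is a small Python simulation of the address_match_list rule that listen-on is evaluated with, as documented in the BIND ARM: elements are scanned in order, the first element whose prefix covers the address decides (a "!" element rejects, a plain element accepts), and an address that matches no element is rejected. It is run against a constructed set of interface addresses; 4.3.2.1 and 194.38.100.7 are constructed stand-ins for the ISP-assigned address, and the helper names are my own.

```python
"""Simulate BIND's address_match_list semantics for listen-on.

Added illustration, not BIND code. Implements the documented rule:
first match wins, a negated element rejects, no match at all rejects.
"""
import ipaddress


def parse_match_list(text):
    """Parse the body of a listen-on { ... } block into (negated, network) pairs."""
    entries = []
    for raw in text.replace("\n", " ").split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif item == "none":
            # 'none' matches nothing; model it as a negated catch-all
            negated = True
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # strict=False lets a host address like 127.0.0.1 stand as a /32
            net = ipaddress.ip_network(item, strict=False)
        entries.append((negated, net))
    return entries


def matches(match_list, addr):
    """First-match evaluation: return True if named would bind this address."""
    ip = ipaddress.ip_address(addr)
    for negated, net in match_list:
        if ip.version == net.version and ip in net:
            return not negated
    return False  # no element matched: implicit reject


def listening_addresses(listen_on_body, interface_addrs):
    """Addresses from interface_addrs that the given listen-on body selects."""
    ml = parse_match_list(listen_on_body)
    return [a for a in interface_addrs if matches(ml, a)]


# Constructed interface addresses: loopback, an unused internal
# interface, and the (unknown in advance) ISP-assigned address.
INTERFACES = ["127.0.0.1", "172.17.0.1", "4.3.2.1"]
# Same box when the ISP hands out an address inside one of its prefixes
ISP_RANGE_BOX = ["127.0.0.1", "172.17.0.1", "194.38.100.7"]

ATTEMPT = "!127.0.0.1; !192.168.1.1;"               # negations only
FIX = "!127.0.0.1; !172.17.0.0/24; 0.0.0.0/0;"       # negations, then catch-all
WRONG_ORDER = "0.0.0.0/0; !127.0.0.1; !172.17.0.0/24;"  # catch-all first
PREFIXES = "194.38.96.0/19; 200.201.202.0/24;"       # only the ISP's prefixes

if __name__ == "__main__":
    for label, body, box in [
        ("negations only", ATTEMPT, INTERFACES),
        ("negations + catch-all", FIX, INTERFACES),
        ("catch-all first", WRONG_ORDER, INTERFACES),
        ("ISP prefixes", PREFIXES, ISP_RANGE_BOX),
    ]:
        print(f"{label:22s} -> {listening_addresses(body, box)}")
```

Running it shows why the two configurations behave differently: a list made only of "!" elements matches no address at all, so nothing is selected, while putting the exclusions before 0.0.0.0/0 leaves exactly the ISP address. The order matters: with 0.0.0.0/0 first, every address matches it before the negations are reached and all three interfaces are selected. On a real box, named-checkconf validates the syntax and the "listening on IPv4 interface ..." lines in named's log show which addresses were actually bound.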