Bind listener to an IPv6 from AnyIP subnet

Ondřej Surý ondrej at isc.org
Mon Mar 13 12:04:36 UTC 2023


Hi,

> On 13. 3. 2023, at 10:37, Michael Richardson <mcr at sandelman.ca> wrote:
> 
> me at at.encryp.ch wrote:
>> Regarding the usage of [::] - due to usage of firewall I am able to
>> block connections to the 53/udp and 53/tcp which are not coming to
>> specific IP addresses or ranges, I do not need such filtering
>> functionality within bind itself.
> 
> Bind doesn't listen to specific sockets because of security.
> It does so because of connectivity and plumbing.
> 
> I think you are making your life hard for no benefit.

Basically, what Michael said...

The AnyIP is not compatible with the way BIND 9 discovers where it
should listen (via route socket).  Also it's much simpler and faster than
calling getsockname(2) (a syscall!) on every incoming UDP packet[1].

You can probably write firewall rules (conntrack) to rewrite the destination
addresses from the AnyIP range to a single local address (DNAT) or if you are
feeling really fancy I think this could be also accomplished with an eBPF rule.

Ondrej

1. Or implement an extra logic to see whether the bound interface is
"wildcard" or not.
--
Ondřej Surý (He/Him)
ondrej at isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
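The DNAT workaround Ondřej sketches above, written out as an added example that is not part of the thread and not ISC's code: the AnyIP /64, the real listening address, the nftables table name and the named.conf fragment are all placeholder values I chose, and the script assumes Linux with nftables and conntrack, with BIND bound to one real address.

```shell
#!/bin/sh
# Constructed example: steer DNS traffic sent to any address in an AnyIP prefix
# onto the single address BIND is actually bound to. conntrack reverses the
# translation on the reply, so the client sees the AnyIP address it queried.
ANYIP_NET="2001:db8:a11::/64"   # placeholder AnyIP prefix (local route on lo)
BIND_ADDR="2001:db8::53"        # placeholder address present in listen-on-v6

# Emit an nftables ruleset that DNATs port-53 traffic for $1 (prefix) to $2 (address).
anyip_dnat_ruleset() {
  cat <<EOF
table ip6 dns_anyip {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    ip6 daddr $1 udp dport 53 dnat to $2
    ip6 daddr $1 tcp dport 53 dnat to $2
  }
}
EOF
}

# Emit the matching named.conf options fragment: BIND binds the real address only,
# since its route-socket interface discovery will not pick up the AnyIP prefix.
named_listen_snippet() {
  cat <<EOF
options {
    listen-on-v6 { $1; };
};
EOF
}

# Install the AnyIP route and the ruleset; needs root and the real tools.
apply_anyip_dnat() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
  ip -6 route replace local "$ANYIP_NET" dev lo
  anyip_dnat_ruleset "$ANYIP_NET" "$BIND_ADDR" | nft -f -
}

# Print the generated pieces by default; "apply" installs them.
if [ "${1:-}" = "apply" ]; then
  apply_anyip_dnat
else
  anyip_dnat_ruleset "$ANYIP_NET" "$BIND_ADDR"
  named_listen_snippet "$BIND_ADDR"
fi
```

Firewall filtering of which destination addresses may reach port 53 still happens before the DNAT hook, so the existing filter rules mentioned in the thread keep working alongside this table.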

