Bind listener to an IPv6 from AnyIP subnet
Ondřej Surý
ondrej at isc.org
Mon Mar 13 12:04:36 UTC 2023
Hi,
> On 13. 3. 2023, at 10:37, Michael Richardson <mcr at sandelman.ca> wrote:
>
> Signed PGP part
>
> me at at.encryp.ch wrote:
>> Regarding the usage of [::] - due to usage of firewall I am able to
>> block connections to the 53/udp and 53/tcp which are not coming to
>> specific IP addresses or ranges, I do not need such filtering
>> functionality within bind itself.
>
> Bind doesn't listen to specific sockets because of security.
> It does so because of connectivity and plumbing.
>
> I think you are making your life hard for no benefit.
Basically, what Michael said...
The AnyIP is not compatible with the way BIND 9 discovers where it
should listen (via route socket). Also it's much simpler and faster than
calling getsockname(2) (a syscall!) on every incoming UDP packet[1].
You can probably write firewall rules (conntrack) to rewrite the destination
addresses from the AnyIP range to a single local address (DNAT) or, if you are
feeling really fancy, I think this could also be accomplished with an eBPF rule.
Ondrej
1. Or implement extra logic to see whether the bound interface is
"wildcard" or not.
--
Ondřej Surý (He/Him)
ondrej at isc.org
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
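One concrete shape of the DNAT workaround Ondřej suggests, added here as an illustration and not code from the thread or from ISC: the AnyIP prefix is served by a Linux `local` route, the firewall only admits port 53 to that prefix, and a conntrack DNAT rule folds every destination in the prefix onto the single address that named is actually bound to. The prefix 2001:db8:53::/64 and the address 2001:db8:53::1 are placeholders (documentation space), and the corresponding `listen-on-v6 { 2001:db8:53::1; };` in named.conf is assumed.

```nftables
# Added example, not from the thread. Placeholders: 2001:db8:53::/64 is the
# AnyIP prefix, 2001:db8:53::1 the one address named in BIND's listen-on-v6.
#
# Step 1 (outside nftables): tell the kernel the whole prefix is local,
# which is what AnyIP means on Linux:
#   ip -6 route add local 2001:db8:53::/64 dev lo
#
# Step 2: load this file with `nft -f anyip-dns.nft`.

table ip6 anyip_dns {
    # Only DNS (and conntrack-related traffic such as ICMPv6 errors for an
    # existing flow) reaches the AnyIP prefix; everything else to it is
    # dropped here, so the filtering stays in the firewall, not in named.
    chain input {
        type filter hook input priority filter; policy accept;
        ip6 daddr 2001:db8:53::/64 ct state established,related accept
        ip6 daddr 2001:db8:53::/64 udp dport 53 accept
        ip6 daddr 2001:db8:53::/64 tcp dport 53 accept
        ip6 daddr 2001:db8:53::/64 drop
    }

    # Rewrite the destination to the single address BIND is bound to.
    # This chain only sees the first packet of each flow; conntrack applies
    # the same mapping to the rest and reverses it on the replies, so the
    # client still sees the AnyIP address it queried as the answer's source.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        ip6 daddr 2001:db8:53::/64 udp dport 53 dnat to 2001:db8:53::1
        ip6 daddr 2001:db8:53::/64 tcp dport 53 dnat to 2001:db8:53::1
    }
}
```

Two things to check after loading it: `conntrack -L -f ipv6` should show each query mapped to 2001:db8:53::1 with the reply direction carrying the original AnyIP address, and named's query log will only ever show the single address, so any per-destination view or logging has to be derived from the firewall side, not from BIND.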