BIND serving ppp connections

Andrew P. infofarmer at gmail.com
Wed Mar 30 23:19:04 UTC 2005 

Kevin Darcy wrote:
> Andrew P. wrote:
>
>>Thanks, but that's what the problem is all about. My network
>>has complicated routing. Once I use an address of a stable
>>interface clients will try to access it from different IPs, those
>>prohibited by allow-query. And I can't do rndc reload as I'm
>>not running bind as root (FreeBSD 5.3).
>>
> 
> I believe you misunderstood Mark. Anyone with the relevant rndc key can 
> execute an "rndc reload" or "rndc reconfig". What superuser authority is 
> needed for is in order to bind a privileged port (53) on a 
> newly-discovered interface. Sudo and other command-line-level utilities 
> don't help here, since the binding is occurring completely within the 
> named process itself.

Yep, I understand that :) I meant I could do rndc reload,
but named wouldn't bind to the address because it's not run
as root.

> I still don't quite understand why you can't just run named on one or 
> more stable interfaces. Set your allow-query (and/or allow-recursion) to 
> whatever address range is given to the PPP clients. You should be able 
> to control that using your DHCP subsystem. Even if you have multiple 
> pools and weird routing, you should be able to have named listen on 
> multiple stable interfaces (virtual and/or physical) so that nameservice 
> could be available "locally" on each pool/subnet and not have to go 
> through a router. In the absolute worst case, you NAT the client's 
> addresses to some range and "allow-query" that range (the stateless 
> nature of DNS traffic makes it eminently NAT'able). What am I missing here?

Imagine I have one stable interface with one address, say
192.168.17.1. And when ppp clients connect they get
172.17.0/24, while the server gets 172.17.0.1. The catch is
that all the clients are on one ethernet with the server and
have their local interfaces configured as 192.168.17/24. And
they connect via pppoe to authenticate and say use internet.
Bind serves only local namespaces to unauthenticated
clients (192.168.17/24) and it serves all namespaces to
authenticated clients (172.17.0/24).

So if I try to advertise 192.168.17.1 as a default nameserver
for authenticated clients, they'll access it from
unauthenticated ip's, therefore messing up the whole thing :)

I have now aliased 172.17.0.1 to my loopback address, but
I don't like it very much. I'd rather have a tweak option
in BIND, allowing to force listening on wildcard or non-
existent addresses.

Andrew P.

More information about the bind-users mailing list