re-bind named to all interfaces
Mark Pettit
pettit at yahoo-inc.com
Thu Apr 12 19:11:11 UTC 2012
It probably has to do with BIND dropping privileges.
If you run BIND with "-u" so it changes to an unprivileged user, then BIND may not be able to bind() to new interfaces created on your system.
I use FreeBSD, and my solution was to do this every time I add a new interface:
RESET=`sysctl -e net.inet.ip.portrange.reservedhigh`   # -e prints "name=value", so it can be fed straight back to sysctl later
sysctl net.inet.ip.portrange.reservedhigh=52           # ports above 52 are no longer reserved, so the unprivileged named can bind() port 53
rndc reconfig                                          # named rescans interfaces and binds the new one
<wait for named to start responding>
sysctl $RESET                                          # restore the original reserved-port ceiling
Linux has some hacks that let you bypass those steps. FreeBSD also has a kernel feature called MAC-PORTACL that behaves like the Linux hack, but since enabling that would require a kernel recompile on more than a thousand servers, we decided not to do that.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac-portacl.html
What OS are you using, and what's the command-line you use to launch BIND?
On Apr 12, 2012, at 9:52 AM, Phil Mayers wrote:
> On 12/04/12 16:44, Mihai Moldovan wrote:
>
>> Hmm, permission denied while binding to ppp0? Maybe that's because my named is
>> running as the non-privileged system user "named" and binding to the privileged
>> port 53? Makes sense... but... hm. I guess in this case there's no other way but
>> running named as root?
>
> I vaguely seem to recall this has come up on the list before.
>
> However: at our site:
>
> 1. Bind runs as user "named"
> 2. "rndc reconfig" works with a new IP, e.g.
>
> # rndc reconfig
> # lsof -n -i :53 | fgrep 192.168.
> # ip addr add 192.168.230.230/32 dev lo
> # rndc reconfig
> # lsof -n -i :53 | fgrep 192.168.
> named 17052 named 32u IPv4 1395639422 TCP 192.168.230.230:domain (LISTEN)
> named 17052 named 531u IPv4 1395639421 UDP 192.168.230.230:domain
>
> This is on RHEL5, with SELinux enabled.
>
> So, it's definitely possible to do this as non-root. As above, I'm sure
> this has been discussed, but I can't remember what we decided the
> mechanism that allowed this was.
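The reservedhigh sequence Mark describes above, written out as a complete script. This is an added example, not code from the post or from ISC; it assumes named runs with -u as an unprivileged user, that rndc is already configured, and that dig is installed. The command names (sysctl, rndc, dig, sleep) are taken from overridable variables and the address and retry count are parameters; those are conventions of this example, not anything on the page. The points it adds to the posted one-liners are the poll that replaces the "wait for named" step and the guarantee that the reserved-port ceiling is restored even when rndc or the poll fails, because while reservedhigh is lowered every local user can bind() any port from 53 through 1023.

```shell
#!/bin/sh
# rebind-named.sh: temporarily lower FreeBSD's reserved-port ceiling so an
# unprivileged named can bind() port 53 on a newly added address, then restore it.
# Added example; the variable names and the rebind_named function are assumptions.
: "${SYSCTL:=sysctl}"
: "${RNDC:=rndc}"
: "${DIG:=dig}"
: "${SLEEP:=sleep}"

OID=net.inet.ip.portrange.reservedhigh

# rebind_named ADDR [TRIES]
# Lowers the ceiling, runs "rndc reconfig", polls ADDR until named answers on it
# (at most TRIES one-second attempts), then restores the ceiling. Returns 0 only
# if named came up on ADDR; the restore happens on every path.
rebind_named() {
    addr=$1
    tries=${2:-30}

    # "sysctl -e" prints name=value, exactly the form sysctl accepts to set it back.
    saved=$("$SYSCTL" -e "$OID") || return 1

    # Window opens: ports 53..1023 are now bindable by any local user.
    "$SYSCTL" "$OID=52" >/dev/null || return 1

    rc=0
    if "$RNDC" reconfig; then
        n=0
        # Any reply from ADDR, even REFUSED, means the listener is up; dig only
        # exits non-zero when it gets no answer at all.
        until "$DIG" +short +time=1 +tries=1 "@$addr" . NS >/dev/null 2>&1; do
            n=$((n + 1))
            if [ "$n" -ge "$tries" ]; then
                rc=1
                break
            fi
            "$SLEEP" 1
        done
    else
        rc=1
    fi

    # Window closes regardless of what happened above.
    "$SYSCTL" "$saved" >/dev/null || rc=1
    return "$rc"
}

# Usage: rebind-named.sh 192.0.2.10 [tries]
if [ "$#" -gt 0 ]; then
    rebind_named "$1" "${2:-30}"
fi
```

The same bind() failure will recur whenever named rescans interfaces on its own (BIND's interface-interval, 60 minutes by default), so on a host where addresses come and go this wrapper is a stopgap; the MAC-PORTACL rule set linked in the post is the persistent fix on FreeBSD.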