Multiple IPs Associated With A Single Name

Hrant Dadivanyan hrant at dadivanyan.net
Fri Sep 30 16:17:45 UTC 2016


> On 09/29/2016 04:33 PM, Matthew Pounsett wrote:
> > 
> > 
> > On 29 September 2016 at 14:18, Tim Daneliuk <tundra at tundraware.com> wrote:
> > 
> > 
> >     What I am stuck on is this:  Is there any simple (i.e., non-root) way
> >     to write a client or otherwise configure userspace to go to the non-standard
> >     port and run my sort of man-in-the-middle server?  Or is this just a stupid
> >     idea?
> > 
> > 
> > There's no way to specify a port number in a delegation, so if this is an authoritative DNS server that you expect random clients on the Internet to contact, it must run on port 53... so you'll need root access to start it up.  I'm not aware of stub resolvers that accept port numbers in their configuration either  (e.g. glibc and resolv.conf) ... although I'll admit I haven't gone to double check that... but I think you're out of luck for a recursive server as well.
> > 
> > Configuration for forwarders and stub zones can include a port number, however.  So in theory you could have a server somewhere that answers on port 53 forwarding queries to your server that answers on an unprivileged port.   
> 
> Yeah, kind of what I figured.
> 

Won't port redirection work better then?

> > That seems like a lot of complexity to go to in order to avoid running a name server as root, though.  You'd probably be better off convincing your systems people to set up sudo in such a way that you can administer a DNS server running on a privileged port, and nothing else.
> > 
> > 
> 
> This is very, very, very hard to do.
> 
> One hope I have is that my team controls all the client-side apps code.
> I want to explore the possibility of forcing that code to do lookups
> to a server we control at a non-standard port that would only answer
> lookups for a very narrow range of internal app servers (none of this
> is on a public-facing network) and forward everything else up to real
> DNS servers.
> 
> 
> 
> 
> -- 
> ----------------------------------------------------------------------------
> Tim Daneliuk     tundra at tundraware.com
> PGP Key:         http://www.tundraware.com/PGP/
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Hrant Dadivanyan (aka Ran d'Adi)		hrant(at)dadivanyan.net
/* "Feci quod potui, faciant meliora potentes." */       ran(at)psg.com

