Bind listener to an IPv6 from AnyIP subnet

[me at at.encryp.ch]

The problem is I have lots of IPv6 addresses where I need to listen DNS requests (IPv6 prefix of /64) and I could not just explicitly add each to the interface, thus I use AnyIP feature to be able to use entire prefix by locally by such software like nginx, curl, etc.

Regarding the usage of [::] - due to usage of firewall I am able to block connections to the 53/udp and 53/tcp which are not coming to specific IP addresses or ranges, I do not need such filtering functionality within bind itself.

Anyway, the better option is to allow bind to a so known "non-local" IP addresses. Currently if I try to bind named to a IP address within AnyIP prefix but which is not explicitly added to an interface it just not bind socket here. Read this blog post for more details on AnyIP feature: https://blog.widodh.nl/2016/04/anyip-bind-a-whole-subnet-to-your-linux-machine/

2023-03-13T08:55:16Z Michael Richardson <mcr at sandelman.ca>:

> 
> Serg via bind-users <bind-users at lists.isc.org> wrote:
>     > As an alternative approach I have tried to run with a configuration
>     > "listen-on-v6 { any; }", but it does behave in a way I need - it binds
>     > separate socket for each discovered IP address rather wildcard address
>     > of [::].
> 
> Bind needs to bind a new socket for each address so that it can easily know
> which address is being communicated with.  While there are newer ways to do
> this, they aren't that portable.
> 
> What is the problem with binding to all the addresses, if you then filter
> which addresses will actually respond?
> 
> Many large authoritative resolvers put the anycast address on the lo, and then use
> BGP to announce connectivity, and AFAIK, they all just listen on all
> addresses, because sometimes you want to ask a specific server a question.