Bind listener to an IPv6 from AnyIP subnet

Greg Choules gregchoules+bindusers at googlemail.com
Mon Mar 13 11:00:18 UTC 2023


Hi Serg.
Can you post the output of "named -V" please?
You're looking for "--disable-linux-caps", which you don't want.

I'm not sure how (if) BIND interacts with AnyIP, but it should pick up new
interfaces as they are added, *if* it is built with the necessary
capabilities enabled. 'named' starts as root, but immediately drops to a
lower-privileged user, which can prevent it from discovering new addresses
unless it has the necessary linux-caps.

Cheers, Greg

On Mon, 13 Mar 2023 at 09:16, Serg via bind-users <bind-users at lists.isc.org>
wrote:

> The problem is I have lots of IPv6 addresses where I need to listen for DNS
> requests (an IPv6 prefix of /64) and I could not just explicitly add each to
> the interface, thus I use the AnyIP feature to be able to use the entire prefix
> locally with software such as nginx, curl, etc.
>
> Regarding the usage of [::] - due to the use of a firewall I am able to block
> connections to 53/udp and 53/tcp which are not coming to specific IP
> addresses or ranges, so I do not need such filtering functionality within bind
> itself.
>
> Anyway, the better option is to allow binding to so-called "non-local" IP
> addresses. Currently, if I try to bind named to an IP address within the AnyIP
> prefix which is not explicitly added to an interface, it just does not bind
> the socket. Read this blog post for more details on the AnyIP feature:
> https://blog.widodh.nl/2016/04/anyip-bind-a-whole-subnet-to-your-linux-machine/
>
> 2023-03-13T08:55:16Z Michael Richardson <mcr at sandelman.ca>:
>
> >
> > Serg via bind-users <bind-users at lists.isc.org> wrote:
> >     > As an alternative approach I have tried to run with a configuration
> >     > "listen-on-v6 { any; }", but it does behave in a way I need - it binds
> >     > a separate socket for each discovered IP address rather than the
> >     > wildcard address of [::].
> >
> > Bind needs to bind a new socket for each address so that it can easily
> > know which address is being communicated with.  While there are newer ways
> > to do this, they aren't that portable.
> >
> > What is the problem with binding to all the addresses, if you then filter
> > which addresses will actually respond?
> >
> > Many large authoritative resolvers put the anycast address on the lo,
> > and then use BGP to announce connectivity, and AFAIK, they all just listen
> > on all addresses, because sometimes you want to ask a specific server a
> > question.
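The two checks discussed in this thread, as an added example that is not code from the list or from BIND itself: a search of `named -V` output for the `--disable-linux-caps` flag Greg asks about, and a bind probe that reproduces why named cannot bind an address from an AnyIP /64 that is only routed to `local` (EADDRNOTAVAIL), and that Linux's IP_FREEBIND socket option accepts the same bind. The 2001:db8:1::/64 prefix, the sample `named -V` line and the function names are constructed for this example.

```python
import errno
import socket

# Linux value of IP_FREEBIND from <linux/in.h>; some Python builds do not export it.
IP_FREEBIND = getattr(socket, "IP_FREEBIND", 15)

# Constructed stand-in for the build line of `named -V`; real output is longer.
SAMPLE_NAMED_V = "built by make with '--prefix=/usr' '--disable-linux-caps'"


def linux_caps_disabled(named_v_output: str) -> bool:
    """True if the configure flags reported by `named -V` include --disable-linux-caps."""
    return "--disable-linux-caps" in named_v_output


def bind_probe(addr: str, freebind: bool = False, port: int = 0) -> str:
    """Try to bind a UDP socket to addr; return "OK" or the errno name of the failure.

    Without IP_FREEBIND the kernel only accepts addresses that are assigned to an
    interface, so an address that is merely routed to 'local' (AnyIP) fails with
    EADDRNOTAVAIL, which is what named runs into when told to listen on it. With
    IP_FREEBIND set the same bind is accepted. Port 0 keeps the probe unprivileged.
    """
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        sock = socket.socket(family, socket.SOCK_DGRAM)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    try:
        if freebind:
            # Set at IPPROTO_IP level; Linux honours it for AF_INET6 sockets as well.
            sock.setsockopt(socket.IPPROTO_IP, IP_FREEBIND, 1)
        sock.bind((addr, port))
        return "OK"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


if __name__ == "__main__":
    print("--disable-linux-caps present:", linux_caps_disabled(SAMPLE_NAMED_V))
    # Documentation prefix standing in for an AnyIP /64 routed to 'local'.
    anyip_addr = "2001:db8:1::53"
    for fb in (False, True):
        print(f"bind {anyip_addr} freebind={fb}: {bind_probe(anyip_addr, freebind=fb)}")
```

On a Linux host with the /64 routed via `ip -6 route add ... dev lo` the first probe reports EADDRNOTAVAIL and the second OK; on other kernels the setsockopt itself may be rejected.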

