BIND running setuid with interface changes

---

• From: "Eugene M. Kim" <freebsd.org@xxxxxxxxxxxx>
• Date: Wed, 27 Dec 2006 09:35:18 -0800

---

Greetings,

I am running a VPN gateway, where interfaces come and go frequently. I
set up BIND so that it listens on all interfaces.
It seems that, instead of listening on a wildcard IPv4 address (*:53,
that is), BIND monitors for address changes on all interfaces and
creates a separate listening socket for each address (note that IPv6
uses the wildcard address, but IPv4 does not):

home 09:22:27 namedb # 61 sockstat|grep 'named.*:53'
bind named 38200 20 udp6 *:53 *:*
bind named 38200 21 tcp6 *:53 *:*
bind named 38200 22 udp4 10.0.0.1:53 *:*
bind named 38200 23 tcp4 10.0.0.1:53 *:*
bind named 38200 24 udp4 127.0.0.1:53 *:*
bind named 38200 25 tcp4 127.0.0.1:53 *:*
home 09:25:12 namedb # 62


Then, when a new address comes up (such as on a dynamically created L2TP
tun(4) interface), BIND tries to listen on it, but fails because it is
running setuid as bind:

Dec 27 02:32:00 home named[1121]: listening on IPv4 interface tun0, 10.0.2.129#53
Dec 27 02:32:00 home named[1121]: could not listen on UDP socket: permission denied


The only workarounds that I can think of is either to run BIND as setuid
root, or to restart (not reload) BIND every time a new VPN connection
comes up, both of which I am not comfortable with.

Any better ideas?

Cheers,
Eugene
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"

---

• Follow-Ups:
  • Re: BIND running setuid with interface changes
    • From: Skip Ford
  • Re: BIND running setuid with interface changes
    • From: Doug Barton

• Prev by Date: Re: [fbsd] Re: jail addresses and default bindings
• Next by Date: Re: BIND running setuid with interface changes
• Previous by thread: Diagnose co-location networking problem
• Next by thread: Re: BIND running setuid with interface changes
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Bind Listening on port 32768 ... Bind Listening on port 32768 ... This is kde-init that is running on port 32768 ... This worked perfectly in solving the listening "kdeinit" at port 32768. ... Get email alerts & NEW webcam video instant messaging with Yahoo! ... (Focus-Linux) Re: BIND running setuid with interface changes ... I am running a VPN gateway, where interfaces come and go frequently. ... set up BIND so that it listens on all interfaces. ... It seems that, instead of listening on a wildcard IPv4 address (*:53, ... (freebsd-net) Re: Bind and volatile interfaces ... down, without restarting bind 9? ... you can add this address to a permanent interface such as the loopback interface lo or a dummy address: ... Another method on an IPv6-capable system is to enable listening on IPv6 with the option 'listen-on-v6'. ... By default the IPv6 sockets will also accept IPv4 queries on any local IPv4 address, although this may hang some versions of BIND on some systems. ... (alt.os.linux) Re: Bind Listening on port 32768 ... Are you sure it is bind that is listening? ... Try shutting down bind to see if it is still lisenting on port 32768 ... Get email alerts & NEW webcam video instant messaging with Yahoo! ... (Focus-Linux) Re: Whats blocking port 1443 during boot? ... and proxies requests the back-end Apache2 on listening on ports 10082 ... requested address: make_sock: could not bind to address ... no listening sockets available, shutting down ... perhaps there's a configuration error, and Apache ... (Debian-User)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• Mailing-Lists
• Newsgroups
• About
• Privacy
• Search
• Imprint

unix.derkeiler.com  > Mailing-Lists  > FreeBSD  > net  > 2006-12