Multiple IPs Associated With A Single Name

Tim Daneliuk tundra at tundraware.com
Thu Sep 29 21:48:55 UTC 2016


On 09/29/2016 04:33 PM, Matthew Pounsett wrote:
> 
> 
> On 29 September 2016 at 14:18, Tim Daneliuk <tundra at tundraware.com <mailto:tundra at tundraware.com>> wrote:
> 
> 
>     What I am stuck on is this:  Is there any simple (i.e., non-root) way
>     to write a client or otherwise configure userspace to go to the non-standard
>     port and run my sort of man-in-the-middle server?  Or is this just a stupid
>     idea?
> 
> 
> There's no way to specify a port number in a delegation, so if this is an authoritative DNS server that you expect random clients on the Internet to contact, it must run on port 53... so you'll need root access to start it up.  I'm not aware of stub resolvers that accept port numbers in their configuration either  (e.g. glibc and resolv.conf) ... although I'll admit I haven't gone to double check that... but I think you're out of luck for a recursive server as well.
> 
> Configuration for forwarders and stub zones can include a port number, however.  So in theory you could have a server somewhere that answers on port 53 forwarding queries to your server that answers on an unprivileged port.   

Yeah, kind of what I figured.

> That seems like a lot of complexity to go to in order to avoid running a name server as root, though.  You'd probably be better off convincing your systems people to set up sudo in such a way that you can administer a DNS server running on a privileged port, and nothing else.
> 
> 

This is very, very, very hard to do.

One hope I have is that my team controls all the client-side apps code.
I want to explore the possibility of forcing that code to do lookups
to a server we control at a non-standard port that would only answer
lookups for a very narrow range of internal app servers (none of this
is on a public-facing network) and forward everything else up to a real
DNS server.




-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra at tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
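The arrangement sketched in the reply above, a resolver bound to an unprivileged port that answers only a narrow set of internal names itself and forwards everything else upstream, as an added, self-contained example. This is not code from the thread or from BIND; the internal names, the 10.0.0.x addresses, the 192.0.2.53 upstream and port 5353 are constructed placeholders, and the forwarding step is injected as a callable so the local/forward decision can be exercised without a network.

```python
"""
Minimal split-horizon DNS responder on an unprivileged UDP port.

Hypothetical example: A queries for a small static table of internal
names are answered locally; every other query is relayed unchanged to an
upstream resolver. All names, addresses and ports are constructed.
"""
import socket
import struct

INTERNAL_RECORDS = {            # constructed sample data
    "app1.internal.example.": "10.0.0.11",
    "app2.internal.example.": "10.0.0.12",
}
LISTEN_PORT = 5353              # unprivileged: no root needed to bind it
UPSTREAM = ("192.0.2.53", 53)   # placeholder address of the real resolver


def encode_name(name):
    """Encode 'a.b.c.' as a sequence of DNS labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode an uncompressed name at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers not supported in question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_query(name, txid=0x1234):
    """Build a standard recursive A/IN query with one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_question(packet):
    """Return (txid, qname, qtype, qclass) from a single-question query."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname, qtype, qclass


def build_answer(query, ip, ttl=60):
    """Answer the query with one A record, echoing the question section."""
    txid, qname, qtype, qclass = parse_question(query)
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    # 0x8180: response, recursion desired + available, NOERROR
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = (struct.pack("!H", 0xC00C)              # pointer to the name at offset 12
          + struct.pack("!HHIH", 1, 1, ttl, 4)   # type A, class IN, TTL, rdlength
          + socket.inet_aton(ip))
    return header + question + rr


def handle_query(query, forward_upstream):
    """Policy: internal names answered here, everything else forwarded.

    forward_upstream(query_bytes) -> response_bytes is injected so the
    decision can be tested offline. Returns (response, 'local'|'upstream').
    """
    _txid, qname, qtype, qclass = parse_question(query)
    key = qname.lower()
    if qtype == 1 and qclass == 1 and key in INTERNAL_RECORDS:
        return build_answer(query, INTERNAL_RECORDS[key]), "local"
    return forward_upstream(query), "upstream"


def forward_via_udp(query, upstream=UPSTREAM, timeout=2.0):
    """Real forwarder: relay the raw packet to the upstream resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        data, _ = s.recvfrom(4096)
        return data


def serve(port=LISTEN_PORT, forward_upstream=forward_via_udp):
    """Bind the unprivileged port on loopback and answer queries forever."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", port))
        while True:
            query, client = s.recvfrom(4096)
            try:
                response, _ = handle_query(query, forward_upstream)
            except ValueError:
                continue  # malformed query: drop it rather than guess
            s.sendto(response, client)


if __name__ == "__main__":
    serve()
```

Two things a production version would add: the forwarder should check that the upstream reply carries the same transaction ID and question as the query it sent before relaying it, since a relay that accepts any reply is an easy spoofing target; and because client code pointed at such a resolver no longer follows the host's resolv.conf, that choice is worth documenting and monitoring so operations can see which applications resolve names outside the normal path.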