On 09/29/2016 04:33 PM, Matthew Pounsett wrote:
> On 29 September 2016 at 14:18, Tim Daneliuk <tun...@tundraware.com> wrote:
>
>> What I am stuck on is this: Is there any simple (i.e., non-root) way
>> to write a client or otherwise configure userspace to go to the
>> non-standard port and run my sort of man-in-the-middle server? Or is
>> this just a stupid idea?
>
> There's no way to specify a port number in a delegation, so if this is an
> authoritative DNS server that you expect random clients on the Internet to
> contact, it must run on port 53... so you'll need root access to start it up.
> I'm not aware of stub resolvers that accept port numbers in their
> configuration either (e.g. glibc and resolv.conf) ... although I'll admit I
> haven't gone to double check that... but I think you're out of luck for a
> recursive server as well.
>
> Configuration for forwarders and stub zones can include a port number,
> however. So in theory you could have a server somewhere that answers on port
> 53 forwarding queries to your server that answers on an unprivileged port.
Yeah, kind of what I figured.

> That seems like a lot of complexity to go to in order to avoid running a name
> server as root, though. You'd probably be better off convincing your systems
> people to set up sudo in such a way that you can administer a DNS server
> running on a privileged port, and nothing else.

This is very, very, very hard to do. One hope I have is that my team controls
all the client-side apps code. I want to explore the possibility of forcing
that code to do lookups to a server we control at a non-standard port that
would only answer lookups for a very narrow range of internal app servers
(none of this is on a public facing network) and forward everything else up
to a real DNS server.

-- 
----------------------------------------------------------------------------
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/

bind-users mailing list
bind-users@lists.isc.org
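The two-server arrangement Matthew describes (a port-53 server that forwards one narrow zone to a server on an unprivileged port), written out as an added BIND named.conf example; this is not from the thread or from ISC. The zone name apps.internal, the addresses, the user home directory and port 5353 are assumptions, and the two `options` blocks belong to two separate named.conf files, shown one after the other.

```conf
# --- Server A (file 1): runs as root or via sudo, listens on port 53 ---
# Serves clients normally, but hands queries for the internal app zone to the
# unprivileged server on port 5353 and sends everything else upstream.
options {
    directory "/var/named";
    listen-on port 53 { 10.0.0.1; };        # assumed address
    recursion yes;                          # forward zones need recursion on
    allow-recursion { 10.0.0.0/8; };        # internal clients only
    forwarders { 10.0.0.53; };              # the "real" DNS server (assumed)
};

zone "apps.internal" {
    type forward;
    forward only;
    # A port number is allowed in a forwarders list (unlike in a delegation).
    forwarders { 127.0.0.1 port 5353; };
};

# --- Server B (file 2): runs as an ordinary user, listens on port 5353 ---
# Authoritative only for the app zone, no recursion, and only Server A may
# query it, so a non-root process exposes nothing beyond that one zone.
options {
    directory "/home/dnsuser/named";        # writable by the non-root user
    listen-on port 5353 { 127.0.0.1; };
    recursion no;
    allow-query { 127.0.0.1; };
    allow-transfer { none; };
};

zone "apps.internal" {
    type master;
    file "apps.internal.zone";
};
```

Server B never has to bind port 53, and since a resolv.conf stub resolver cannot be pointed at port 5353, Server A is what the clients keep using.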