> On 09/29/2016 04:33 PM, Matthew Pounsett wrote:
> > On 29 September 2016 at 14:18, Tim Daneliuk <tun...@tundraware.com
> > <mailto:tun...@tundraware.com>> wrote:
> >
> > > What I am stuck on is this: Is there any simple (i.e., non-root) way
> > > to write a client or otherwise configure userspace to go to the
> > > non-standard port and run my sort of man-in-the-middle server? Or is
> > > this just a stupid idea?
> >
> > There's no way to specify a port number in a delegation, so if this is an
> > authoritative DNS server that you expect random clients on the Internet to
> > contact, it must run on port 53... so you'll need root access to start it
> > up. I'm not aware of stub resolvers that accept port numbers in their
> > configuration either (e.g. glibc and resolv.conf) ... although I'll admit
> > I haven't gone to double check that... but I think you're out of luck for a
> > recursive server as well.
> >
> > Configuration for forwarders and stub zones can include a port number,
> > however. So in theory you could have a server somewhere that answers on
> > port 53 forwarding queries to your server that answers on an unprivileged
> > port.
>
> Yeah, kind of what I figured.

Won't port redirection work better then?

> > That seems like a lot of complexity to go to in order to avoid running a
> > name server as root, though. You'd probably be better off convincing your
> > systems people to set up sudo in such a way that you can administer a DNS
> > server running on a privileged port, and nothing else.
>
> This is very, very, very hard to do.
>
> One hope I have is that my team controls all the client-side apps code.
> I want to explore the possibility of forcing that code to do lookups
> to a server we control at a non-standard port that would only answer
> lookups for a very narrow range of internal app servers (none of this
> is on a public facing network) and forward everything else up to a real
> DNS server.
>
> --
> ----------------------------------------------------------------------------
> Tim Daneliuk                                          tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Hrant Dadivanyan (aka Ran d'Adi)                        hrant(at)dadivanyan.net
/* "Feci quod potui, faciant meliora potentes." */           ran(at)psg.com
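The design Tim describes above (an unprivileged-port server that answers only a narrow set of internal names itself and relays everything else to a real resolver), shown as a worked example added here; it is not code from this thread, from BIND or from either poster. It is a minimal UDP forwarder using only Python's standard library. The internal names, the 10.0.0.0/8 addresses, the listen port 5353 and the upstream address 192.0.2.53 are constructed placeholders; `forward_upstream` is the only part that touches the network, and `handle` takes it as an injectable parameter so the split logic can be exercised offline.

```python
"""Split-horizon DNS forwarder on an unprivileged port (added example).

Answers A queries for a fixed set of internal names from a local table and
relays every other query, byte for byte, to a real recursive server.
All names and addresses below are constructed placeholders.
"""
import socket
import struct

# Constructed: the "very narrow range of internal app servers" answered locally.
INTERNAL_A = {
    "app1.internal.example.": "10.0.0.11",
    "app2.internal.example.": "10.0.0.12",
}
LISTEN = ("127.0.0.1", 5353)     # unprivileged port: no root needed to bind it
UPSTREAM = ("192.0.2.53", 53)    # placeholder for the real recursive server
TTL = 60


def parse_question(packet):
    """Return (qname, qtype, qclass, offset just past the question) of question 1."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:            # compression is not valid in a question
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels) + ".", qtype, qclass, pos + 4


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive query (RD set) for name; used for local tests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    body = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split("."))
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)


def build_answer(query, qend, ip):
    """Echo the question, set QR and AA, keep the client's RD bit, add one A record."""
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100
    header = query[0:2] + struct.pack("!HHHHH", 0x8400 | rd, 1, 1, 0, 0)
    question = query[12:qend]
    # Name as a pointer to offset 12, type A, class IN, TTL, RDLENGTH 4, address.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, TTL, 4) + socket.inet_aton(ip)
    return header + question + rr


def forward_upstream(query, upstream=UPSTREAM, timeout=2.0):
    """Relay the raw query to the real resolver and return its raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        return s.recv(4096)


def handle(query, forward=forward_upstream):
    """Answer locally only for IN/A queries on the internal table; else forward."""
    qname, qtype, qclass, qend = parse_question(query)
    key = qname.lower()
    if qclass == 1 and qtype == 1 and key in INTERNAL_A:
        return build_answer(query, qend, INTERNAL_A[key])
    return forward(query)


def serve(listen=LISTEN):
    """UDP loop; clients must be pointed at `listen` explicitly (see note)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(listen)
        while True:
            data, peer = s.recvfrom(4096)
            try:
                s.sendto(handle(data), peer)
            except ValueError:
                pass  # malformed query: drop it rather than crash the loop


if __name__ == "__main__":
    serve()
```

Because, as Matthew notes, stub resolvers do not take a port in resolv.conf, the client applications have to address 127.0.0.1:5353 themselves; alternatively a resolver that does run on port 53 can point at this one with a forwarder clause that carries a port (BIND's `forwarders { 127.0.0.1 port 5353; };`), or a packet-level redirect of port 53 to 5353 can do what Hrant suggests. The example handles UDP only and no EDNS or TCP fallback, and it echoes the upstream reply without checking that its transaction id matches the query, both of which a production forwarder must do.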