Hi Serg.

Can you post the output of "named -V" please? You're looking for "--disable-linux-caps", which you don't want.

I'm not sure how (if) BIND interacts with AnyIP, but it should pick up new interfaces as they are added, *if* it is built with the necessary capabilities enabled. 'named' starts as root, but immediately drops to a lower-privileged user, which can prevent it from discovering new addresses unless it has the necessary linux-caps.

Cheers, Greg

On Mon, 13 Mar 2023 at 09:16, Serg via bind-users <bind-users@lists.isc.org> wrote:

> The problem is I have lots of IPv6 addresses where I need to listen DNS
> requests (IPv6 prefix of /64) and I could not just explicitly add each to
> the interface, thus I use AnyIP feature to be able to use entire prefix by
> locally by such software like nginx, curl, etc.
>
> Regarding the usage of [::] - due to usage of firewall I am able to block
> connections to the 53/udp and 53/tcp which are not coming to specific IP
> addresses or ranges, I do not need such filtering functionality within bind
> itself.
>
> Anyway, the better option is to allow bind to a so known "non-local" IP
> addresses. Currently if I try to bind named to a IP address within AnyIP
> prefix but which is not explicitly added to an interface it just not bind
> socket here. Read this blog post for more details on AnyIP feature:
> https://blog.widodh.nl/2016/04/anyip-bind-a-whole-subnet-to-your-linux-machine/
>
> 2023-03-13T08:55:16Z Michael Richardson <m...@sandelman.ca>:
>
> > Serg via bind-users <bind-users@lists.isc.org> wrote:
> > > As an alternative approach I have tried to run with a configuration
> > > "listen-on-v6 { any; }", but it does behave in a way I need - it binds
> > > separate socket for each discovered IP address rather wildcard address
> > > of [::].
> >
> > Bind needs to bind a new socket for each address so that it can easily know
> > which address is being communicated with. While there are newer ways to do
> > this, they aren't that portable.
> >
> > What is the problem with binding to all the addresses, if you then filter
> > which addresses will actually respond?
> >
> > Many large authoritative resolvers put the anycast address on the lo, and then use
> > BGP to announce connectivity, and AFAIK, they all just listen on all
> > addresses, because sometimes you want to ask a specific server a question.
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
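The check suggested in the reply above, written out as an added example that is not part of the original thread: it looks for "--disable-linux-caps" in `named -V` output and tests whether a capability survived the privilege drop by decoding the CapEff mask from /proc. The function names and sample strings are constructed for illustration, and it assumes the capability to look for is CAP_NET_BIND_SERVICE (bit 10), the one that lets a non-root process bind port 53.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumption: CAP_NET_BIND_SERVICE (bit 10) is the capability to look for.
CAP_NET_BIND_SERVICE=10

# Constructed samples of the "built ... with" line from `named -V`.
SAMPLE_V_NOCAPS="built by make with '--prefix=/usr' '--disable-linux-caps'"
SAMPLE_V_CAPS="built by make with '--prefix=/usr' '--with-openssl'"
# Constructed CapEff masks as printed in /proc/<pid>/status (hex, no 0x).
SAMPLE_CAPEFF_KEPT=0000000001000400   # bits 10 and 24 set
SAMPLE_CAPEFF_NONE=0000000000000000

# True if the `named -V` text in $1 shows a build without capability support.
build_disables_caps() {
    printf '%s\n' "$1" | grep -q -e '--disable-linux-caps'
}

# True if bit $2 is set in hex mask $1.
cap_bit_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Verdict for one server: $1 = `named -V` text, $2 = CapEff of running named.
audit_named() {
    if build_disables_caps "$1"; then
        echo "build: --disable-linux-caps present"; return 1
    fi
    if ! cap_bit_set "$2" "$CAP_NET_BIND_SERVICE"; then
        echo "process: CAP_NET_BIND_SERVICE not effective"; return 1
    fi
    echo "ok"
}

# Same audit against the local server; needs named installed and running.
audit_live() {
    pid=$(pgrep -o -x named) || { echo "named is not running"; return 2; }
    capeff=$(awk '/^CapEff:/ {print $2}' "/proc/$pid/status")
    audit_named "$(named -V)" "$capeff"
}

# Demo on the constructed samples.
audit_named "$SAMPLE_V_NOCAPS" "$SAMPLE_CAPEFF_KEPT" || true
audit_named "$SAMPLE_V_CAPS" "$SAMPLE_CAPEFF_NONE" || true
audit_named "$SAMPLE_V_CAPS" "$SAMPLE_CAPEFF_KEPT"
```

On a real server, call `audit_live` instead of the demo lines; it reads the main thread's CapEff only.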