Hi,

> On 13. 3. 2023, at 10:37, Michael Richardson <m...@sandelman.ca> wrote:
>
> m...@at.encryp.ch wrote:
>> Regarding the usage of [::] - due to usage of firewall I am able to
>> block connections to the 53/udp and 53/tcp which are not coming to
>> specific IP addresses or ranges, I do not need such filtering
>> functionality within bind itself.
>
> Bind doesn't listen to specific sockets because of security.
> It does so because of connectivity and plumbing.
>
> I think you are making your life hard for no benefit.
Basically, what Michael said...

The AnyIP is not compatible with the way BIND 9 discovers where it should listen (via route socket). Also, it's much simpler and faster than calling getsockname(2) (a syscall!) on every incoming UDP packet [1].

You can probably write firewall rules (conntrack) to rewrite the destination addresses from the AnyIP range to a single local address (DNAT), or if you are feeling really fancy, I think this could also be accomplished with an eBPF rule.

Ondrej

1. Or implement extra logic to see whether the bound interface is "wildcard" or not.

--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
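The per-packet cost Ondrej and footnote [1] allude to, shown as an added example that is not part of this thread or of BIND's code: a UDP listener bound to the wildcard address cannot learn from the socket itself which local address a datagram was sent to, so it has to ask the kernel for that information on every packet. On Linux this is the IP_PKTINFO ancillary data (assumed here; IPv4 is used only so the demo works on a loopback-only machine, the IPv6 equivalent is IPV6_RECVPKTINFO). A socket bound to one concrete address needs none of this, which is the difference between the two listening models discussed above.

```python
import socket
import struct
import ipaddress

# Linux value of IP_PKTINFO; not every Python build exposes the constant.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)


def needs_per_packet_lookup(bind_addr: str) -> bool:
    """True when the socket is bound to a wildcard address, i.e. the
    destination of each datagram must be recovered per packet."""
    return ipaddress.ip_address(bind_addr).is_unspecified


def open_wildcard_udp(port: int = 0) -> socket.socket:
    """Bind a UDP socket to 0.0.0.0 and ask the kernel to attach the
    destination address of every datagram as ancillary data."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    s.bind(("0.0.0.0", port))
    return s


def recv_with_dst(s: socket.socket, bufsize: int = 512):
    """Receive one datagram and return (payload, src, dst), where dst is the
    address the packet was actually sent to, taken from IP_PKTINFO."""
    data, ancdata, _flags, src = s.recvmsg(bufsize, socket.CMSG_SPACE(12))
    dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            # struct in_pktinfo: ifindex (int), spec_dst, addr (12 bytes)
            _ifindex, _spec_dst, addr = struct.unpack("I4s4s", cdata[:12])
            dst = socket.inet_ntoa(addr)
    return data, src, dst


def loopback_demo() -> str:
    """Send a constructed datagram to 127.0.0.1 through a wildcard-bound
    listener and return the destination the kernel recorded for it."""
    server = open_wildcard_udp()
    port = server.getsockname()[1]  # getsockname() only yields 0.0.0.0 + port
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(b"constructed query", ("127.0.0.1", port))
        server.settimeout(2)
        _data, _src, dst = recv_with_dst(server)
    finally:
        client.close()
        server.close()
    return dst


if __name__ == "__main__":
    print("wildcard needs lookup:", needs_per_packet_lookup("0.0.0.0"))
    print("datagram was addressed to:", loopback_demo())
```

Note that `getsockname()` on the wildcard socket returns only `0.0.0.0` plus the port, which is why the extra per-packet machinery is needed at all; a resolver that binds each discovered address separately gets the destination for free from the socket it arrived on.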