Bind listener to an IPv6 from AnyIP subnet
Hello, I am trying to bind a named listener to an IPv6 address from a prefix which is assigned to a system via the AnyIP kernel feature. Basically, it is done by the following command:

sudo ip -6 route add local 2001:db8::/32 dev lo

To be able to use an IPv6 address from the AnyIP prefix the following sysctl must be applied:

net.ipv6.ip_nonlocal_bind = 1

Having the above, I am able to use any IP from the AnyIP prefix in all software, but named refuses to create a socket which listens on that kind of IP address.

As an alternative approach I have tried to run with the configuration "listen-on-v6 { any; }", but it does behave in a way I need - it binds a separate socket for each discovered IP address rather than the wildcard address [::].

Has anyone faced the same or a similar issue?

-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list. ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind listener to an IPv6 from AnyIP subnet
I have reloaded the configuration as well as restarted bind9. The simplest workaround I see is to bind the IPv6 address explicitly to the interface using the command "ip address add 2001:db8::1 dev eth0"; then I am able to use 2001:db8::1 for named. But I would like to take advantage of using AnyIP.

On 3/12/23 19:03, Darren Ankney wrote:
> Just a quick question because I ran into this problem before... is it possible that named was started before the ip was added?
Re: Bind listener to an IPv6 from AnyIP subnet
The problem is I have lots of IPv6 addresses on which I need to listen for DNS requests (an IPv6 prefix of /64) and I could not just explicitly add each to the interface, thus I use the AnyIP feature to be able to use the entire prefix locally with software like nginx, curl, etc.

Regarding the usage of [::] - due to the usage of a firewall I am able to block connections to 53/udp and 53/tcp which are not coming to specific IP addresses or ranges, so I do not need such filtering functionality within bind itself.

Anyway, the better option is to allow binding to so-called "non-local" IP addresses. Currently, if I try to bind named to an IP address within the AnyIP prefix which is not explicitly added to an interface, it just does not bind the socket.

Read this blog post for more details on the AnyIP feature: https://blog.widodh.nl/2016/04/anyip-bind-a-whole-subnet-to-your-linux-machine/

2023-03-13T08:55:16Z Michael Richardson :
>
> Serg via bind-users wrote:
> > As an alternative approach I have tried to run with a configuration
> > "listen-on-v6 { any; }", but it does behave in a way I need - it binds
> > separate socket for each discovered IP address rather wildcard address
> > of [::].
>
> Bind needs to bind a new socket for each address so that it can easily know
> which address is being communicated with. While there are newer ways to do
> this, they aren't that portable.
>
> What is the problem with binding to all the addresses, if you then filter
> which addresses will actually respond?
>
> Many large authoritative resolvers put the anycast address on the lo, and
> then use BGP to announce connectivity, and AFAIK, they all just listen on all
> addresses, because sometimes you want to ask a specific server a question.
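The "newer, less portable" alternative Michael mentions, shown as an added example that is not BIND's code or anything posted in the thread: one UDP socket bound to the wildcard [::] with IPV6_RECVPKTINFO set, so the kernel reports which destination address each datagram arrived on, and the listener answers only for addresses inside the AnyIP prefix and replies from that same address. Linux-specific; the prefix 2001:db8::/32 is assumed from the posts.

```python
import ipaddress
import socket
import struct

# Constructed example: the documentation prefix from the thread stands in for
# whatever prefix was given to "ip -6 route add local ... dev lo" (assumption).
ALLOWED_PREFIXES = [ipaddress.ip_network("2001:db8::/32")]
# struct in6_pktinfo { struct in6_addr ipi6_addr; unsigned int ipi6_ifindex; }
IN6_PKTINFO_LEN = 20

def parse_in6_pktinfo(data: bytes):
    """Decode an IPV6_PKTINFO ancillary payload into (dest_addr_str, ifindex)."""
    if len(data) < IN6_PKTINFO_LEN:
        raise ValueError("short in6_pktinfo")
    addr = ipaddress.IPv6Address(data[:16])
    (ifindex,) = struct.unpack("=I", data[16:20])  # native order, as the kernel writes it
    return str(addr), ifindex

def destination_allowed(addr) -> bool:
    """True if the datagram was sent to an address inside one of our prefixes."""
    ip = ipaddress.IPv6Address(addr)
    return any(ip in net for net in ALLOWED_PREFIXES)

def make_listener(port: int = 53) -> socket.socket:
    """One wildcard [::] socket instead of one socket per discovered address."""
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
    # Ask the kernel to attach in6_pktinfo (destination address) to each datagram.
    sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_RECVPKTINFO, 1)
    sock.bind(("::", port))
    return sock

def serve_once(sock: socket.socket, bufsize: int = 4096):
    """Receive one datagram and return (payload, src, dst), or None to drop it."""
    payload, ancdata, _flags, src = sock.recvmsg(bufsize, socket.CMSG_SPACE(IN6_PKTINFO_LEN))
    dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IPV6 and ctype == socket.IPV6_PKTINFO:
            dst, _ifindex = parse_in6_pktinfo(cdata)
    if dst is None or not destination_allowed(dst):
        return None  # not addressed to an address we serve; same effect as the firewall rule
    return payload, src, dst

def reply(sock: socket.socket, payload: bytes, src, dst: str) -> int:
    """Answer from the address the query was sent to, so the client accepts the source."""
    pktinfo = ipaddress.IPv6Address(dst).packed + struct.pack("=I", 0)
    anc = [(socket.IPPROTO_IPV6, socket.IPV6_PKTINFO, pktinfo)]
    return sock.sendmsg([payload], anc, 0, src)
```

Binding to [::] still needs a route covering the prefix (the "ip -6 route add local" from the first post) for the packets to be delivered locally; the nonlocal_bind sysctl is only required when binding a specific non-local address.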
Re: Bind dns amplification attack
Are you an open recursor? If the answer is no, you should not face any amplification attacks. If you are an open recursor, the best solution is to restrict which IP addresses are allowed to access your recursor.