BIND running setuid with interface changes

Eugene M. Kim freebsd.org at ab.ote.we.lv
Wed Dec 27 09:52:29 PST 2006


Greetings,

I am running a VPN gateway, where interfaces come and go frequently.  I
set up BIND so that it listens on all interfaces.
It seems that, instead of listening on a wildcard IPv4 address (*:53,
that is), BIND monitors for address changes on all interfaces and
creates a separate listening socket for each address (note that IPv6
uses the wildcard address, but IPv4 does not):

home 09:22:27 namedb # 61 sockstat|grep 'named.*:53'
bind     named      38200 20 udp6   *:53                  *:*
bind     named      38200 21 tcp6   *:53                  *:*
bind     named      38200 22 udp4   10.0.0.1:53           *:*
bind     named      38200 23 tcp4   10.0.0.1:53           *:*
bind     named      38200 24 udp4   127.0.0.1:53          *:*
bind     named      38200 25 tcp4   127.0.0.1:53          *:*
home 09:25:12 namedb # 62 


Then, when a new address comes up (such as on a dynamically created L2TP
tun(4) interface), BIND tries to listen on it, but fails because it is
running setuid as bind:

Dec 27 02:32:00 home named[1121]: listening on IPv4 interface tun0, 10.0.2.129#53
Dec 27 02:32:00 home named[1121]: could not listen on UDP socket: permission denied


The only workarounds that I can think of are either to run BIND as setuid
root, or to restart (not reload) BIND every time a new VPN connection
comes up, neither of which I am comfortable with.

Any better ideas?

Cheers,
Eugene
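
A defender-side check for the failure mode described in the message above, added here as an example; it is not part of the original post and not BIND's own code. It parses the sockstat output and the two named log lines quoted in the message (embedded as constructed samples, plus one hypothetical successful listen on tun1) to report IPv4 addresses that have no named listener and listen attempts that failed, which is the condition a monitor would want to catch when interfaces come and go.

```python
import re

# Constructed sample: the sockstat output quoted in the post.
SOCKSTAT = """\
bind     named      38200 20 udp6   *:53                  *:*
bind     named      38200 21 tcp6   *:53                  *:*
bind     named      38200 22 udp4   10.0.0.1:53           *:*
bind     named      38200 23 tcp4   10.0.0.1:53           *:*
bind     named      38200 24 udp4   127.0.0.1:53          *:*
bind     named      38200 25 tcp4   127.0.0.1:53          *:*
"""

# Constructed sample: the two syslog lines from the post, followed by a
# hypothetical successful listen (no error line after it) for contrast.
NAMED_LOG = """\
Dec 27 02:32:00 home named[1121]: listening on IPv4 interface tun0, 10.0.2.129#53
Dec 27 02:32:00 home named[1121]: could not listen on UDP socket: permission denied
Dec 27 02:35:10 home named[1121]: listening on IPv4 interface tun1, 10.0.2.130#53
"""

LISTEN_RE = re.compile(r"listening on (IPv[46]) interface (\S+), (\S+)#(\d+)")
FAIL_RE = re.compile(r"could not listen on (UDP|TCP) socket: (.*)")

def dns_listeners(sockstat_text, port=53):
    """Return {proto: set(local addresses)} for named sockets bound to `port`."""
    listeners = {}
    for line in sockstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[1] != "named":
            continue
        proto, local = fields[4], fields[5]
        addr, _, lport = local.rpartition(":")   # "10.0.0.1:53" -> ("10.0.0.1", "53")
        if lport == str(port):
            listeners.setdefault(proto, set()).add(addr)
    return listeners

def unserved_addresses(sockstat_text, ipv4_addrs, port=53):
    """IPv4 addresses with no named UDP listener; a wildcard bind covers all of them."""
    udp4 = dns_listeners(sockstat_text, port).get("udp4", set())
    if "*" in udp4:
        return []
    return sorted(a for a in ipv4_addrs if a not in udp4)

def failed_listens(log_text):
    """Pair each 'could not listen' error with the 'listening on' line before it."""
    failures, pending = [], None
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            pending = {"family": m.group(1), "iface": m.group(2),
                       "addr": m.group(3), "port": int(m.group(4))}
            continue
        m = FAIL_RE.search(line)
        if m and pending:
            failures.append({**pending, "proto": m.group(1), "error": m.group(2)})
            pending = None
    return failures
```

Feeding it live `sockstat -l` output and the host's current IPv4 addresses turns the silent per-address listen failure into an explicit list of addresses the resolver is not serving.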

