[Mildly OT] Userland Control Of gethostbyname()

markham breitbach markham at ssimicro.com
Fri Sep 30 15:04:52 UTC 2016

You could use jails to do this.  It's a lot of work, but possible.  I
did a project where we essentially used jails to create app containers. 
I think we had them down around 40-50MB depending on the application. 
Whatever applications are in that jail have access to their own
nameservices, etc. and you can tune the permissions within the jail to
allow that application's manager to modify resolv.conf, etc. 

We also had a case where we used nullfs mounts to link to a common
"basejail"  (ezjail does this now too).  This is useful in a case where
you have many similar jails, as they can all be quickly updated and you
only need to have one copy of the common files.  Also adds a layer of
security as the base system is all read-only.


On 2016-09-30 8:20 AM, Tim Daneliuk wrote:
> On 09/30/2016 09:15 AM, Matthew Seaman wrote:
>> On 09/30/16 14:47, Tim Daneliuk wrote:
>>> Is it possible to control *which* DNS server (and port) a userland program
>>> queries for DNS resolution when doing gethostbyname() and gethostbyip()
>>> calls?  dig and nslookup seem capable of defining the DNS server to query,
>>> but I don't know if they're doing the call directly or via the gethostby...
>>> calls.
>>> In a perfect world, I'd get a solution to this that was language agnostic -
>>> a way to tell my userland programs - in C, Java, Python, perl, go ... 
>>> always use this server:port when doing name resolution.
>> Server, yes but not port, and only globally -- by editing /etc/resolv.conf
>> However, if you're running with the standard local_unbound enabled, then
>> you can specify a forward-addr including a port in
>> /var/unbound/forward.conf like so:
>>    forward-addr: at 1053
>> Note: this is an all or nothing solution, although it does fulfil your
>> criterion of being language agnostic.  Every application will get
>> directed to your alternative DNS server+port, not just some chosen one.
>> You can override the resolvers per application if you're willing to code
>> that per application.  Of course the API used is language specific, and
>> you can't use gethostbyname(3) and that ilk, (which can do lookups from
>> many sources other than the DNS) but only by doing DNS lookups directly
>> from your code.
>> 	Cheers,
>> 	Matthew
> Thanks Matthew, that's kind of what I figured.  The fundamental requirement
> for my use case is that all the config changes be do-able without root
> or sudo access.  It sounds like this is not possible short of - as you
> point out - writing custom query code.  This breaks the other half of
> my use case - existing code should just run and use the newly selected
> resolver.  Sigh ...
> I suspect more people are going to run into this as the industry moves more
> and more to containerized microservices.  There are any number of scenarios
> where you want to be able to spin up custom compute topologies on-demand
> without having to go through the administrative overhead of getting a DNS
> admin to make your changes every time.
