Multiple IPs Associated With A Single Name


Multiple IPs Associated With A Single Name

Tim Daneliuk
In the dark and dusty reaches of my elderly DNS experience, ISTR a way to
set up A records so that the request to resolve a name returns a *list
of associated IPs*.  This is distinct from DNS RR (I think?) which
simply returns a different *single* IP for each call (I may well be wrong).

Can some kind soul point me to a relevant explanation of how to do the
hostname -> multiple IP mapping?

Thanks,
--
----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Multiple IPs Associated With A Single Name

Matthew Pounsett


On 29 September 2016 at 12:02, Tim Daneliuk <[hidden email]> wrote:
> In the dark and dusty reaches of my elderly DNS experience, ISTR a way to
> set up A records so that the request to resolve a name returns a *list
> of associated IPs*.  This is distinct from DNS RR (I think?) which
> simply returns a different *single* IP for each call (I may well be wrong).
>
> Can some kind soul point me to a relevant explanation of how to do the
> hostname -> multiple IP mapping?

Just include multiple A resource records (RRs).   It's up to the client how it uses those records, and what makes sense there is largely application specific: round robin, try them in series, etc.

Re: Multiple IPs Associated With A Single Name

John Miller
In reply to this post by Tim Daneliuk
Hi Tim,

AFAIK, multiple A records are the only way to return multiple IPs for
a given FQDN.  If there are multiple A records for a given name, BIND
will return all of those records -- it'll return all the IPs.  It's up
to the client in question to decide how to use that information.

John

On Thu, Sep 29, 2016 at 3:02 PM, Tim Daneliuk <[hidden email]> wrote:

> In the dark and dusty reaches of my elderly DNS experience, ISTR a way to
> set up A records so that the request to resolve a name returns a *list
> of associated IPs*.  This is distinct from DNS RR (I think?) which
> simply returns a different *single* IP for each call (I may well be wrong).
>
> Can some kind soul point me to a relevant explanation of how to do the
> hostname -> multiple IP mapping?
>
> Thanks,
> --
> ----------------------------------------------------------------------------
> Tim Daneliuk     [hidden email]
> PGP Key:         http://www.tundraware.com/PGP/



--
John Miller
Systems Engineer
Brandeis University
[hidden email]
(781) 736-4619

Re: Multiple IPs Associated With A Single Name

Tim Daneliuk
On 09/29/2016 02:08 PM, John Miller wrote:
> Hi Tim,
>
> AFAIK, multiple A records are the only way to return multiple IPs for
> a given FQDN.  there are multiple A records for a given name, BIND
> will return all of those records -- it'll return all the IPs.  It's up
> to the client in question to decide how to use that information.
>
> John
>


Thanks all, for responding.

One followup question.  I am currently doing some engineering work for
GreatBigHugeCo, wherein getting things like DNS updates done is very
time and paperwork intensive.  Sometimes I think it would be easier
to do tensor analysis with an abacus, but I digress ...

For reasons too long and complex to explain, I may want to do the following
and need some input on how to implement this or whether it's even practical:

  - Run an instance of bind in user space so I can control all the
    configuration without having root.

  - Forward all lookups not in my database to a "real" DNS server


What I am stuck on is this:  Is there any simple (i.e., non-root) way
to write a client or otherwise configure userspace to go to the non-standard
port and run my sort of man-in-the-middle server?  Or is this just a stupid
idea?


--
----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/


Re: Multiple IPs Associated With A Single Name

Tim Daneliuk
On 09/29/2016 04:18 PM, Tim Daneliuk wrote:

> On 09/29/2016 02:08 PM, John Miller wrote:
>> Hi Tim,
>>
>> AFAIK, multiple A records are the only way to return multiple IPs for
>> a given FQDN.  there are multiple A records for a given name, BIND
>> will return all of those records -- it'll return all the IPs.  It's up
>> to the client in question to decide how to use that information.
>>
>> John
>>
>
>
> Thanks all, for responding.
>
> One followup question.  I am currently doing some engineering work for
> GreatBigHugeCo, wherein getting things like DNS updates done is very
> time and paperwork intensive.  Sometimes I think it would be easier
> to do tensor analysis with an abacus, but I digress ...
>
> For reasons too long and complex to explain, I may want to do the following
> and need some input on how to implement this or whether it's even practical:
>
>   - Run an instance of bind in user space so I can control all the
>     configuration without having root.
>
>   - Forward all lookups not in my database to a "real" DNS server
>
>
> What I am stuck on is this:  Is there any simple (i.e., non-root) way
> to write a client or otherwise configure userspace to go to the non-standard
> port and run my sort of man-in-the-middle server?  Or is this just a stupid
> idea?
>
>


I forgot to mention:  At least one use case for this might be a case where
I can force the client in user space to use the DNS server and port of my
choosing.  In that case, they won't be using the system DNS config and the
above would not apply.   However, I am unclear on whether bind can be run
as an unprivileged user on a non-standard port.

--
----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/


Re: Multiple IPs Associated With A Single Name

Matthew Pounsett
In reply to this post by Tim Daneliuk


On 29 September 2016 at 14:18, Tim Daneliuk <[hidden email]> wrote:
> What I am stuck on is this:  Is there any simple (i.e., non-root) way
> to write a client or otherwise configure userspace to go to the non-standard
> port and run my sort of man-in-the-middle server?  Or is this just a stupid
> idea?


There's no way to specify a port number in a delegation, so if this is an authoritative DNS server that you expect random clients on the Internet to contact, it must run on port 53... so you'll need root access to start it up.  I'm not aware of stub resolvers that accept port numbers in their configuration either  (e.g. glibc and resolv.conf) ... although I'll admit I haven't gone to double check that... but I think you're out of luck for a recursive server as well.

Configuration for forwarders and stub zones can include a port number, however.  So in theory you could have a server somewhere that answers on port 53 forwarding queries to your server that answers on an unprivileged port.   

That seems like a lot of complexity to go to in order to avoid running a name server as root, though.  You'd probably be better off convincing your systems people to set up sudo in such a way that you can administer a DNS server running on a privileged port, and nothing else.




RE: Multiple IPs Associated With A Single Name

Kevin Darcy
In reply to this post by Tim Daneliuk
Yeah, sure, just run it with your own special config file (with -c); in that config file, set the listen-on to an unprivileged port, and make sure all of the pathnames (including implicit pathnames like the pid-file) are to files/directories to which the unprivileged user has read and (where necessary) write access.

As a sanity check, I just fired up an instance on a Red Hat box, as an unprivileged user, listening on port 12345. It's a caching-only config, with our own internal-root hints, and it's resolving (internal) names just fine.

- Kevin



-----Original Message-----
From: bind-users [mailto:[hidden email]] On Behalf Of Tim Daneliuk
Sent: Thursday, September 29, 2016 5:24 PM
To: John Miller
Cc: Bind Users
Subject: Re: Multiple IPs Associated With A Single Name

On 09/29/2016 04:18 PM, Tim Daneliuk wrote:

> On 09/29/2016 02:08 PM, John Miller wrote:
>> Hi Tim,
>>
>> AFAIK, multiple A records are the only way to return multiple IPs for
>> a given FQDN.  there are multiple A records for a given name, BIND
>> will return all of those records -- it'll return all the IPs.  It's
>> up to the client in question to decide how to use that information.
>>
>> John
>>
>
>
> Thanks all, for responding.
>
> One followup question.  I am currently doing some engineering work for
> GreatBigHugeCo, wherein getting things like DNS updates done is very
> time and paperwork intensive.  Sometimes I think it would be easier to
> do tensor analysis with an abacus, but I digress ...
>
> For reasons too long and complex to explain, I may want to do the
> following and need some input on how to implement this or whether it's even practical:
>
>   - Run an instance of bind in user space so I can control all the
>     configuration without having root.
>
>   - Forward all lookups not in my database to a "real" DNS server
>
>
> What I am stuck on is this:  Is there any simple (i.e., non-root) way
> to write a client or otherwise configure userspace to go to the
> non-standard port and run my sort of man-in-the-middle server?  Or is
> this just a stupid idea?
>
>


I forgot to mention:  At least one use case for this might be a case where I can force the client in user space to use the DNS server and port of my choosing.  In that case, they won't be using the system DNS config and the
above would not apply.   However, I am unclear on whether bind can be run
as an unprivileged user on a non-standard port.

--
----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/
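The unprivileged instance Kevin describes, written out as configuration: this is an added example, not Kevin's actual config or anything else from the thread. It assumes a user appdev keeping everything under /home/appdev/dns, a corporate upstream resolver at 10.0.0.53 (constructed), and a private zone app.internal whose api name has three A records, which also illustrates the multiple-A-record answer to the original question.

```conf
// /home/appdev/dns/named.conf   (assumed path; nothing below needs root)
// start:  named -c /home/appdev/dns/named.conf -g
// check:  dig @127.0.0.1 -p 12345 api.app.internal
options {
    directory      "/home/appdev/dns";             // relative file names resolve here
    pid-file       "/home/appdev/dns/named.pid";   // default is under /var/run, not writable
    session-keyfile "/home/appdev/dns/session.key"; // another implicit /var/run path
    managed-keys-directory "/home/appdev/dns";

    listen-on port 12345 { 127.0.0.1; };           // unprivileged port, loopback only
    listen-on-v6 { none; };
    allow-query { 127.0.0.1; };                    // only local clients may ask

    recursion yes;
    forward only;                                  // everything not served below goes upstream
    forwarders { 10.0.0.53; };                     // assumed corporate resolver on port 53;
                                                   // "10.0.0.53 port 5353;" would pick another port
};

controls { };                                      // no rndc channel: reload by restarting named

zone "app.internal" {
    type master;
    file "app.internal.zone";                      // /home/appdev/dns/app.internal.zone
};

// ---- /home/appdev/dns/app.internal.zone (zone-file syntax; ';' starts a comment) ----
$TTL 300
@     IN SOA ns.app.internal. hostmaster.app.internal. ( 2016093001 3600 900 604800 300 )
      IN NS  ns.app.internal.
ns    IN A   127.0.0.1
api   IN A   10.10.1.11    ; three A records for one name: the answer carries all three,
api   IN A   10.10.1.12    ; and the client decides how to use the list
api   IN A   10.10.1.13
```

Clients still have to be told to use 127.0.0.1 port 12345 explicitly (dig -p, or a resolver library), since /etc/resolv.conf cannot carry a port.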


Re: Multiple IPs Associated With A Single Name

Tim Daneliuk
In reply to this post by Matthew Pounsett
On 09/29/2016 04:33 PM, Matthew Pounsett wrote:

>
>
> On 29 September 2016 at 14:18, Tim Daneliuk <[hidden email] <mailto:[hidden email]>> wrote:
>
>
>     What I am stuck on is this:  Is there any simple (i.e., non-root) way
>     to write a client or otherwise configure userspace to go to the non-standard
>     port and run my sort of man-in-the-middle server?  Or is this just a stupid
>     idea?
>
>
> There's no way to specify a port number in a delegation, so if this is an authoritative DNS server that you expect random clients on the Internet to contact, it must run on port 53... so you'll need root access to start it up.  I'm not aware of stub resolvers that accept port numbers in their configuration either  (e.g. glibc and resolv.conf) ... although I'll admit I haven't gone to double check that... but I think you're out of luck for a recursive server as well.
>
> Configuration for forwarders and stub zones can include a port number, however.  So in theory you could have a server somewhere that answers on port 53 forwarding queries to your server that answers on an unprivileged port.  

Yeah, kind of what I figured.

> That seems like a lot of complexity to go to in order to avoid running a name server as root, though.  You'd probably be better off convincing your systems people to set up sudo in such a way that you can administer a DNS server running on a privileged port, and nothing else.
>
>

This is very, very, very hard to do.

One hope I have is that my team controls all the client-side apps code.
I want to explore the possibility of forcing that code to do lookups
to a server we control at a non-standard port that would only answer
lookups for a very narrow range of internal app servers (none of this
is on a public facing network) and forward everything else up to a real
DNS servers.




--
----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/


Re: Multiple IPs Associated With A Single Name

Niall O'Reilly
In reply to this post by Matthew Pounsett
On 29 Sep 2016, at 22:33, Matthew Pounsett wrote:

> That seems like a lot of complexity to go to in order to avoid running
> a name server as root, though.  You'd probably be better off
> convincing your systems people to set up sudo in such a way that you
> can administer a DNS server running on a privileged port, and nothing
> else.

   If this is for testing and you control all the clients, a VM of your own,
   perhaps under VirtualBox on your laptop, may meet your need.

   Niall O'Reilly

Re: Multiple IPs Associated With A Single Name

Tim Daneliuk
On 09/29/2016 04:57 PM, Niall O'Reilly wrote:
> On 29 Sep 2016, at 22:33, Matthew Pounsett wrote:
>
>> That seems like a lot of complexity to go to in order to avoid running a name server as root, though.  You'd probably be better off convincing your systems people to set up sudo in such a way that you can administer a DNS server running on a privileged port, and nothing else.
>
>   If this is for testing and you control all the clients, a VM of your own,
>   perhaps under VirtualBox on your laptop, may meet your need.
>
>   Niall O'Reilly


No, not really.  It's for a private cloud microservices system we're
thinking through.  We already run most/many of the various service
backends in user space so that the app devs and support folks can control
their own universe without having to constantly invoke someone with sudo
or root or firecall permissions.   Because of very strict audit and
regulatory constraints, there is zero chance they'll ever get root/sudo
access to the DNS config, so running our private DNS just for this
subset of private client/cloud users may make sense.

I really appreciate everyone jumping in to help with this.

--
----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/


Re: Multiple IPs Associated With A Single Name

Matthew Pounsett


On 29 September 2016 at 15:07, Tim Daneliuk <[hidden email]> wrote:
> No, not really.  It's for a private cloud microservices system we're
> thinking through.  We already run most/many of the various service
> backends in user space so that the app devs and support folks can control
> their own universe without having to constantly invoke someone with sudo
> or root or firecall permissions.   Because of very strict audit and
> regulatory constraints, there is zero chance they'll ever get root/sudo
> access to the DNS config, so running our private DNS just for this
> subset of private client/cloud users may make sense.

I suppose you could leave yourself an unprivileged config file... have them put you in group 'dns' or something, and make all the configs and zone files writable by that group.   At least that way all you need your sysadmins for is to issue the 'rndc reconfig' command. 



Re: Multiple IPs Associated With A Single Name

Tim Daneliuk
In reply to this post by Kevin Darcy
On 09/29/2016 04:45 PM, Darcy Kevin (FCA) wrote:
> Yeah, sure, just run it with your own special config file (with -c); in that config file, set the listen-on to an unprivileged port, and make sure all of the pathnames (including implicit pathnames like the pid-file) are to files/directories to which the unprivileged user has read and (where necessary) write access.
>
> As a sanity check, I just fired up an instance on a Red Hat box, as an unprivileged user, listening on port 12345. It's a caching-only config, with our own internal-root hints, and it's resolving (internal) names just fine.
>
> - Kevin

How did you get your code to look at that instance:port rather than the
one dictated by /etc/resolv.conf or a local server on port 53?

----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/


Re: Multiple IPs Associated With A Single Name

Reindl Harald

Am 30.09.2016 um 16:22 schrieb Tim Daneliuk:
> On 09/29/2016 04:45 PM, Darcy Kevin (FCA) wrote:
>> Yeah, sure, just run it with your own special config file (with -c); in that config file, set the listen-on to an unprivileged port, and make sure all of the pathnames (including implicit pathnames like the pid-file) are to files/directories to which the unprivileged user has read and (where necessary) write access.
>>
>> As a sanity check, I just fired up an instance on a Red Hat box, as an unprivileged user, listening on port 12345. It's a caching-only config, with our own internal-root hints, and it's resolving (internal) names just fine.
>>
> How did you get your code to look at that instance:port rather than the
> one dictated by /etc/resolv.conf or a local server on port 53?

dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m]
[-p port#] [-q name] [-t type] [-v] [-x addr] [-y [hmac:]name:key] [-4]
[-6] [name] [type] [class] [queryopt...]


[harry@srv-rhsoft:~]$ dig rhsoft.net @127.0.0.1 -p 1024
; <<>> DiG 9.10.4-P3-RedHat-9.10.4-2.P3.fc24 <<>> rhsoft.net @127.0.0.1
-p 1024
;; global options: +cmd
;; connection timed out; no servers could be reached

[harry@srv-rhsoft:~]$ dig rhsoft.net @127.0.0.1 -p 53
; <<>> DiG 9.10.4-P3-RedHat-9.10.4-2.P3.fc24 <<>> rhsoft.net @127.0.0.1
-p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28087
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;rhsoft.net.                    IN      A

;; ANSWER SECTION:
rhsoft.net.             3600    IN      A       91.118.73.4

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fr Sep 30 17:11:43 CEST 2016
;; MSG SIZE  rcvd: 55

Re: Multiple IPs Associated With A Single Name

Tim Daneliuk
On 09/30/2016 10:12 AM, Reindl Harald wrote:

>
> Am 30.09.2016 um 16:22 schrieb Tim Daneliuk:
>> On 09/29/2016 04:45 PM, Darcy Kevin (FCA) wrote:
>>> Yeah, sure, just run it with your own special config file (with -c); in that config file, set the listen-on to an unprivileged port, and make sure all of the pathnames (including implicit pathnames like the pid-file) are to files/directories to which the unprivileged user has read and (where necessary) write access.
>>>
>>> As a sanity check, I just fired up an instance on a Red Hat box, as an unprivileged user, listening on port 12345. It's a caching-only config, with our own internal-root hints, and it's resolving (internal) names just fine.
>>>
>> How did you get your code to look at that instance:port rather than the
>> one dictated by /etc/resolv.conf or a local server on port 53?
>
> dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m] [-p port#] [-q name] [-t type] [-v] [-x addr] [-y [hmac:]name:key] [-4] [-6] [name] [type] [class] [queryopt...]

As I understand it, dig uses its own code to determine which resolver to use, hence this works.

In my particular case, I am trying to figure out a way to redirect gethostbyname() calls
to the resolver of my choice so that existing code will run without change.  The problem is
that I need to do this without root or sudo access to the machines in question, and this is
increasingly looking impossible.

Re: Multiple IPs Associated With A Single Name

Reindl Harald


Am 30.09.2016 um 17:22 schrieb Tim Daneliuk:

> On 09/30/2016 10:12 AM, Reindl Harald wrote:
>>
>> Am 30.09.2016 um 16:22 schrieb Tim Daneliuk:
>>> On 09/29/2016 04:45 PM, Darcy Kevin (FCA) wrote:
>>>> Yeah, sure, just run it with your own special config file (with -c); in that config file, set the listen-on to an unprivileged port, and make sure all of the pathnames (including implicit pathnames like the pid-file) are to files/directories to which the unprivileged user has read and (where necessary) write access.
>>>>
>>>> As a sanity check, I just fired up an instance on a Red Hat box, as an unprivileged user, listening on port 12345. It's a caching-only config, with our own internal-root hints, and it's resolving (internal) names just fine.
>>>>
>>> How did you get your code to look at that instance:port rather than the
>>> one dictated by /etc/resolv.conf or a local server on port 53?
>>
>> dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-m] [-p port#] [-q name] [-t type] [-v] [-x addr] [-y [hmac:]name:key] [-4] [-6] [name] [type] [class] [queryopt...]
>
> As I understand it, dig uses it's own code to determine which resolver to use, hence this works.
>
> In my particular case, I am trying to figure out a way to redirect gethostbyname() calls
> to the resolver of my choice so that existing code will run without change.  The problem is
> that I need to do this without root or sudo access to the machines in question, and this is
> increasingly looking impossible

well, gethostbyname() has a defined behavior and if you use it in your
code you get what you asked for

otherwise use a dns-library as it exists for any programming language
where you can set such properties - the way to redirect gethostbyname()
is, well, edit /etc/resolv.conf but that doesn't give you port options as
far as i know (could be worked around by pointing to 127.0.0.1:53 and
defining there a forwarder with port running unbound or likely even
possible with bind)

so the bad news is: starting with a resolution function without params
was a bad idea, hopefully there are not hundreds of gethostbyname()
calls spread over the code instead of using an abstraction function where
you could switch to a library at a central code point

without changes - no way
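Reindl's point is that the user-space route is a resolver call that takes a server and port, which gethostbyname() does not; the earlier replies add that a name with several A records returns all of them and the client chooses what to do with the list. The following is an added example, not code from the thread: a minimal stub resolver in standard-library Python that queries an explicit server:port, validates the reply, and returns every A record. It assumes an instance on 127.0.0.1 port 12345 serving api.app.internal (constructed values), and the parser is exercised offline on a constructed reply packet.

```python
import os
import socket
import struct

# Constructed sample values (not from the thread): the unprivileged named
# instance and a name it serves with several A records.
SERVER, PORT = "127.0.0.1", 12345
NAME = "api.app.internal"


def build_query(name, txid):
    """Return a wire-format A/IN query for name with the given transaction id."""
    labels = name.rstrip(".").split(".")
    if any(len(l) == 0 or len(l) > 63 for l in labels):
        raise ValueError("bad label in %r" % name)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(pkt, off):
    """Return the offset just past the name at off (labels or a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(pkt, expected_txid):
    """Return every A record in the answer section, in the order the server sent them."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expected_txid:            # not a reply to our query: discard it
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x0200:
        raise ValueError("truncated reply; retry over TCP")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                  # skip the echoed question entries
        off = _skip_name(pkt, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen                     # other types (CNAME etc.) are skipped
    return ips


def resolve_a(name, server=SERVER, port=PORT, timeout=2.0):
    """Query server:port directly, bypassing /etc/resolv.conf and gethostbyname()."""
    txid = int.from_bytes(os.urandom(2), "big")  # unpredictable id, harder to spoof
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, port))
        data, _peer = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def constructed_response(txid=0x1234, ips=("10.10.1.11", "10.10.1.12", "10.10.1.13")):
    """Constructed reply (not a capture): QR/RD/RA set, one A record per ip,
    each owner name a compression pointer (0xC00C) back to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = build_query(NAME, txid)[12:]
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
        for ip in ips)
    return header + question + answers


if __name__ == "__main__":
    print("offline parse:", parse_a_records(constructed_response(), 0x1234))
    try:
        print("live lookup:", resolve_a(NAME))  # needs the named instance running
    except (OSError, ValueError) as exc:
        print("live lookup failed:", exc)
```

The list comes back in server order; whether the application round-robins, tries the addresses in series, or pins one is its own decision, exactly as the earlier replies say.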



Re: Multiple IPs Associated With A Single Name

Hrant Dadivanyan
In reply to this post by Tim Daneliuk
> On 09/29/2016 04:33 PM, Matthew Pounsett wrote:
> >
> >
> > On 29 September 2016 at 14:18, Tim Daneliuk <[hidden email] <mailto:[hidden email]>> wrote:
> >
> >
> >     What I am stuck on is this:  Is there any simple (i.e., non-root) way
> >     to write a client or otherwise configure userspace to go to the non-standard
> >     port and run my sort of man-in-the-middle server?  Or is this just a stupid
> >     idea?
> >
> >
> > There's no way to specify a port number in a delegation, so if this is an authoritative DNS server that you expect random clients on the Internet to contact, it must run on port 53... so you'll need root access to start it up.  I'm not aware of stub resolvers that accept port numbers in their configuration either  (e.g. glibc and resolv.conf) ... although I'll admit I haven't gone to double check that... but I think you're out of luck for a recursive server as well.
> >
> > Configuration for forwarders and stub zones can include a port number, however.  So in theory you could have a server somewhere that answers on port 53 forwarding queries to your server that answers on an unprivileged port.  
>
> Yeah, kind of what I figured.
>

Won't port redirection work better then?

> > That seems like a lot of complexity to go to in order to avoid running a name server as root, though.  You'd probably be better off convincing your systems people to set up sudo in such a way that you can administer a DNS server running on a privileged port, and nothing else.
> >
> >
>
> This is very, very, very hard to do.
>
> One hope I have is that my team controls all the client-side apps code.
> I want to explore the possibility of forcing that code to do lookups
> to a server we control at a non-standard port that would only answer
> lookups for a very narrow range of internal app servers (none of this
> is on a public facing network) and forward everything else up to a real
> DNS servers.
>
>
>
>
> --
> ----------------------------------------------------------------------------
> Tim Daneliuk     [hidden email]
> PGP Key:         http://www.tundraware.com/PGP/

--
Hrant Dadivanyan (aka Ran d'Adi) hrant(at)dadivanyan.net
/* "Feci quod potui, faciant meliora potentes." */       ran(at)psg.com

Re: Multiple IPs Associated With A Single Name

/dev/rob0
In reply to this post by Tim Daneliuk
On Fri, Sep 30, 2016 at 10:22:35AM -0500, Tim Daneliuk wrote:
> In my particular case, I am trying to figure out a way to redirect
> gethostbyname() calls to the resolver of my choice so that existing
> code will run without change.  The problem is that I need to do
> this without root or sudo access to the machines in question, and
> this is increasingly looking impossible.

AFAICS, yes, you must have root.  Even if your libc resolver supports
using a different port, you would have to be root to change
/etc/resolv.conf.

Another root trick to use could be to redirect 127.0.0.1:53 (both TCP
and UDP) to :1035 (or other such non-privileged port as needed.)
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: Multiple IPs Associated With A Single Name

Tim Daneliuk
In reply to this post by Hrant Dadivanyan
On 09/30/2016 11:17 AM, Hrant Dadivanyan wrote:
> Won't port redirection work better then ?


Yes it would, but redirecting a privileged port requires .... root.

Since so many people have kindly responded here, it might be worth
explaining a bit of the backstory.

The client is a large corporate concern with very rigid compliance and
audit requirements.  This means even the simplest changes can take
weeks or months to implement as things go through massive internal
reviews.

Meanwhile, there is an R&D team that is exploring spinning up on-demand
microservices solutions for a variety of data analytics applications
within the firm.  They cannot get a sandbox they control and they cannot
get sudo for even limited access to things on their sandboxes.  So, we're
trying to figure out a way to work around the corporate slowness while
still living entirely in userland - this lowers the audit risk a lot.

Somewhat OT:

I know this probably seems dumb to most people but you have to realize that
after the 2008 economic meltdown, governments all over the world - predictably -
way overreacted (and to the wrong things) and are now choking the life
out of corporations with absurd regulations that do nothing but make
things harder.  The cheaters can probably still find a way if they really
want to - it's just mildly harder.  It's good for me though - it keeps
me fully booking revenue :)

--
----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/


Re: Multiple IPs Associated With A Single Name

John Miller
On Fri, Sep 30, 2016 at 1:15 PM, Tim Daneliuk <[hidden email]> wrote:
> On 09/30/2016 11:17 AM, Hrant Dadivanyan wrote:
>> Won't port redirection work better then ?

> get sudo for even limited access to things on their sandboxes.  So, we're
> trying to figure out a way to work around the corporate slowness while
> still living entirely in userland - this lowers the audit risk a lot.

Hi Tim,

Can you spin up virtual machines on your desktops?  It seems like your
situation just screams for tools like Vagrant and Docker, or your own
AWS/Azure/Google environment.  Yours isn't really a DNS problem, per
se, but instead to have a proper development environment.  These days,
it's relatively easy to stand up an entire network within VMware
Workstation, VirtualBox, etc., or even your own local KVM instances.

John

Re: Multiple IPs Associated With A Single Name

Tim Daneliuk
On 09/30/2016 12:46 PM, John Miller wrote:

> On Fri, Sep 30, 2016 at 1:15 PM, Tim Daneliuk <[hidden email]> wrote:
>> On 09/30/2016 11:17 AM, Hrant Dadivanyan wrote:
>>> Won't port redirection work better then ?
>
>> get sudo for even limited access to things on their sandboxes.  So, we're
>> trying to figure out a way to work around the corporate slowness while
>> still living entirely in userland - this lowers the audit risk a lot.
>
> Hi Tim,
>
> Can you spin up virtual machines on your desktops?  It seems like your
> situation just screams for tools like Vagrant and Docker, or your own
> AWS/Azure/Google environment.  Yours isn't really a DNS problem, per
> se, but instead to have a proper development environment.  These days,
> it's relatively easy to stand up an entire network within VMware
> Workstation, VirtualBox, etc., or even your own local KVM instances.
>
> John
>


For testing purpose we've done this.  However, I was a bit cavalier
about this being just a sandbox.  There is the intent to go live with
a production version of all this stuff within a short time.  I am trying
to get ahead of that freight train ...

Again, many, many thanks to all of you who took the time here to try and
help.  It's very much appreciated.

--
----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/
