
I'm attempting to run bind9 on my system to mess with DNS, with the plan to get this set up the same way on a Raspberry Pi and host it in my network at home. The service starts up just fine according to the logs and can even perform DNS lookups using my configured forwarders when I change the exposed port to 3053. When using higher-numbered ports without any other configuration changes the host port binding happens, but using 53 the binding fails silently.

System Specs:

  • OS: Ubuntu 22.04.2 LTS x86_64

  • Kernel: 5.15.0-60-generic

  • Rancher Desktop Version: 1.7.0-455

  • Main firewall application is ufw; not sure if that matters since iptables is the backing firewall for it.

  • Containerd mode

  • nerdctl rootless mode

  • nerdctl version: 1.2.0

Here is the docker-compose.yml file I'm using to start the service.

version: '3'

services:
  bind9:
    container_name: dns-bind9
    image: 'ubuntu/bind9:edge'
    environment:
      - BIND9_USER=root
      - TZ=America/Toronto
    ports:
      # protocol suffixes are documented in lowercase
      - '53:53/tcp'
      - '53:53/udp'
    volumes:
      - ./config:/etc/bind
      - ./cache:/var/cache/bind
      - ./records:/var/lib/bind
    restart: always

In order to allow nerdctl and containerd to use the ports below 1024 I have this in the configuration. This works for ports like 80 and 443 when using containers that use those ports.

/etc/sysctl.conf

net.ipv4.ip_unprivileged_port_start=23

I know this worked because I can bind to 80 and 443.

❯ ss -tlnp | egrep ":(80|443) "
LISTEN 0      128          0.0.0.0:80         0.0.0.0:*    users:(("ssh",pid=4185443,fd=30))
LISTEN 0      128          0.0.0.0:443        0.0.0.0:*    users:(("ssh",pid=4185443,fd=31))

I've reviewed multiple Stack Overflow and Stack Exchange pages about port binding issues; they generally point to something having already bound to the port in question.

When the host binding is set to port 53, ss turns up nothing for it. The IP address listed below is for a virtual adapter configured for virt-manager and virtual machines.

❯ nerdctl port dns-bind9
53/tcp -> 0.0.0.0:53
53/udp -> 0.0.0.0:53

❯ ss -tlnp | grep 53
LISTEN 0      32     192.168.122.1:53         0.0.0.0:*

When the host port is a higher number I see this, and I'm able to successfully query the service.

❯ nerdctl port dns-bind9
53/tcp -> 0.0.0.0:3053
53/udp -> 0.0.0.0:3053

❯ ss -tlnp | grep 53
LISTEN 0      32     192.168.122.1:53         0.0.0.0:*
LISTEN 0      128          0.0.0.0:3053       0.0.0.0:*    users:(("ssh",pid=4185443,fd=30))

Checking the nat tables I don't really see anything mapping to that port, and I'm not sure where to look to see this binding taking place besides in iptables.

The only interesting thing in there is at the bottom, with the following two lines, which don't actually indicate what port is being masqueraded.

    1    60 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
   22 13481 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535

Full output:

❯ sudo iptables -nvL -t nat

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 370K  130M DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   15  4155 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    3   831 MASQUERADE  all  --  *      !br-e4531532a63c  172.23.0.0/16        0.0.0.0/0           
    3   831 MASQUERADE  all  --  *      !br-c0c4ea91d868  172.22.0.0/16        0.0.0.0/0           
    3   831 MASQUERADE  all  --  *      !br-1f09d5d4dbe1  172.18.0.0/16        0.0.0.0/0           
    3   831 MASQUERADE  all  --  *      !br-16e7f724dade  172.20.0.0/16        0.0.0.0/0           
44536 3251K LIBVIRT_PRT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-e4531532a63c *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-c0c4ea91d868 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-1f09d5d4dbe1 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-16e7f724dade *       0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_PRT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  117  8097 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
    1    60 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
   22 13481 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    

I'm not really looking for a solution, more tips on how I can troubleshoot the issue. Granted, if someone has a solution I'm all ears.

ScriptingDad
  • 33
  • 1
  • 5
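Two checks a practitioner would run before reading iptables, written as an added example that is not part of the question or of any answer. The question's `ss -tlnp` invocation lists TCP listeners only, so a UDP socket on port 53, or an IPv6 wildcard socket such as `[::]:53`, would never appear in it; the helper below parses `ss -tulnp` output instead, so both are included, and compares the requested port against `net.ipv4.ip_unprivileged_port_start`, the sysctl the question already sets. The `SAMPLE_SS` text is constructed here: the first data line is the TCP entry from the question, the UDP and IPv6 lines and the process names `example-proc-a`/`example-proc-b` are made up to show what the grep-based check would have skipped.

```shell
#!/bin/sh
# Added troubleshooting helper (not from the question). Answers two questions:
#   1. May an unprivileged process bind this port at all, given
#      net.ipv4.ip_unprivileged_port_start?
#   2. Which sockets (TCP *and* UDP, IPv4 *and* IPv6) already hold the port?

# listeners_on_port PORT
# Reads `ss -tulnp` output on stdin and prints one line per socket bound to
# PORT: "<netid> <local addr:port> <process>". With -t and -u together, ss puts
# the Netid column first, so the local address is field 5 and the process is 7.
listeners_on_port() {
    awk -v want="$1" '
        $1 == "Netid" { next }                        # header row
        {
            n = split($5, a, ":"); port = a[n]        # handles 0.0.0.0:53, [::]:53 and *:53
            if (port != want) next
            proc = ($7 == "") ? "(owner hidden: run ss as root)" : $7
            print $1, $5, proc
        }'
}

# unprivileged_bind_ok PORT START
# Returns 0 when an unprivileged process may bind PORT while
# net.ipv4.ip_unprivileged_port_start is START, 1 otherwise.
unprivileged_bind_ok() {
    [ "$1" -ge "$2" ]
}

# check_port PORT: run both checks against the live system (needs `ss`).
check_port() {
    start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)
    if unprivileged_bind_ok "$1" "$start"; then
        echo "port $1: unprivileged bind allowed (ip_unprivileged_port_start=$start)"
    else
        echo "port $1: needs CAP_NET_BIND_SERVICE or a lower ip_unprivileged_port_start (currently $start)"
    fi
    echo "sockets already bound to port $1 (tcp+udp, v4+v6):"
    ss -tulnp | listeners_on_port "$1"
}

# Constructed sample output. Line 1 is the TCP entry from the question; the UDP
# and IPv6 entries and the process names are invented for illustration.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      32     192.168.122.1:53  0.0.0.0:*
udp   UNCONN 0      0      192.168.122.1:53  0.0.0.0:*   users:(("example-proc-a",pid=1234,fd=5))
udp   UNCONN 0      0      [::]:53           [::]:*      users:(("example-proc-b",pid=4321,fd=7))
tcp   LISTEN 0      128    0.0.0.0:3053      0.0.0.0:*   users:(("ssh",pid=4185443,fd=30))'

if [ "${1:-}" = "--live" ]; then
    check_port "${2:-53}"          # e.g. ./portcheck.sh --live 53
else
    printf '%s\n' "$SAMPLE_SS" | listeners_on_port 53   # offline demo on the sample
fi
```

Run it with `--live 53` on the host to see every socket on port 53 rather than only TCP ones; without arguments it runs against the embedded sample and prints the three port-53 sockets, the IPv6 one included. Running `ss` as root matters for the last column: unprivileged `ss -p` leaves the process field empty for sockets owned by other users, which is exactly the case the TCP line from the question shows.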

0 Answers