Netgate Discussion Forum
Bind9 - udp socket: permission denied

yuckey2d
last edited by Apr 4, 2017, 7:13 PM

Hi All,

I'm running a somewhat complicated pfSense setup: one LAN, three VPN servers, two VPN clients.

Three OpenVPN servers @ (10.5.5.0, 10.5.6.0, 10.5.7.0), two VPNs out (Private Internet Access, and a VPS server) + the standard WAN, which I mostly block out, so as to route everything over VPNs.

Basically I use bind to set up custom web domains on my local intranets, a la something like projectname.test.dev. This works fine about 90% of the time, until bind9 crashes, but doesn't restart automatically, and I have to kick it.

The error I'm getting is that Bind9 could not listen on udp socket: permission denied (my LAN interface).

I've read this - https://forums.freebsd.org/threads/33090/
That's exactly what I'm seeing… And apparently bind is losing sudo permissions, so cannot take over a port below 1024, every time one of my VPNs gets a new IP address.

Any ideas how I can remedy this - I've tried only listening to the LAN interface, but that doesn't seem to work.

johnpoz LAYER 8 Global Moderator
last edited by Apr 4, 2017, 7:49 PM

What are you doing that actually requires BIND? Pointing projectname.test.dev to an IP would be a simple host override in resolver (unbound)..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11

yuckey2d
last edited by Apr 4, 2017, 9:42 PM

I was familiar with a standard DNS server, so I assumed setting up a bind server locally was the way to go…

Are you suggesting I use resolver to direct for all my internal domains???

I have more than a few sites and domains (custom domains) that are hosted locally. Plus I have registered domains coming in from the WAN, where the external IP address doesn't work on LAN, unless I create an override. Is resolver the way to go for both of these scenarios?

Can you briefly clue me in on the plus or minus with using bind, versus resolver - I don't really get it - thanks!

yuckey2d
last edited by Apr 4, 2017, 9:54 PM

I mean, I probably have 30 domains - the bind interface seems much easier to manage multiple domains for the network.

yuckey2d
last edited by Apr 4, 2017, 9:56 PM

Same issue with DNS resolver

https://forum.pfsense.org/index.php?topic=127763.0

johnpoz LAYER 8 Global Moderator
last edited by Apr 5, 2017, 9:02 AM

So you're hosting 30 domains to the public? Where is the 2nd NS in this scenario?

With that many domains that you need to be authoritative for, bind is the right choice.. Hosting it off your firewall to the public - not so much so..


yuckey2d
last edited by Apr 6, 2017, 7:12 PM

Yeah - not all the domains are external… Lots of development environments - a la *.dev, or *.env

I have a dynamic IP address, so I rely on dynamic DNS, and my VPN clients' IP addresses change a few times a day. It almost always works fine -
except for when my client VPN IP addresses change, and my bind takes a dump.

My registered domains use name servers out of Digital Ocean, so it's rock solid 100% of the time. My main issue has been local intranet stuff (*.env, *.dev) - local environments, and redirecting registered domains (hosted locally) to their LAN IP address (instead of the WAN IP), as I don't host on the pfSense box, but port forward to hosts in my LAN.

It seems DNS Resolver has been doing much better the last 48 hours.... Any tips or more advice on bind versus domain resolver? I would prefer to use bind, as it's easier to manage at scale, and bind9 is recommended frequently in the web development community (???), technical advice here - is this just a particular config issue with pfSense?

johnpoz LAYER 8 Global Moderator
last edited by Apr 7, 2017, 10:33 AM

"My registered domains use name servers out of digital ocean"

So you do not host domains to the public then?? I am here out on the internet.. And I want to resolve some domain of yours.. Not talking some dynamic fqdn that points to your pfSense public IP.. I am talking about a registered domain..

I think you're over-engineering this to be honest..
So how many local devices are you talking about?? Do you run more than one NS locally that you need to share info with, do you do any sort of delegation of subdomains to other NS on your network? Do you use cnames or something that would require bind and true authoritative NS??

Pointing some fqdn to an IP does not require BIND.. Does not matter what domain you use or tld being valid or not.. That's great you have .dev and or .env tlds etc.. How many devices or IPs are actually in these domains? Are these domains delegated to some other NS that others manage?

If your public domains are hosted public, ie on DO.. You have not mentioned an actual need of some functionality of BIND.. You're over-complicating your setup I think.


yuckey2d
last edited by Apr 7, 2017, 4:37 PM

It's a basic web development operation.

Some hosts with A records point to a Digital Ocean VPS, some development sites trickle down the local subnet and get port forwarded to boxes in the LAN. Those LAN boxes need a local DNS record because the external DO DNS record points to the router, not the local IP.

www.domain.com > A record > DO
dev.domain.com > CNAME > home network

plex.home.dev > local A record 10.5.5.2 > home network
*
*
*

So it's a combination… I have lots of local stuff that's not public, and DNS is easier than setting up a hosts file on every machine.

The problem with DNS crashing still happened today with the DNS Resolver. Is there anything I can do to remedy this situation, and still keep my VPN clients active? I would prefer to have DNS and encrypted WAN.

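The listen failure described in the opening post and again in the last reply can be triaged from named's own log lines before anything is changed. The script below is an added example, not code from this thread or from pfSense: it pairs each "listening on" line with a following permission-denied line and reports whether the refused sockets are privileged ports that named tried to open only after an address had changed. The sample log is constructed, and the interface names (em1, ovpnc1) and addresses are assumptions.

```python
"""Triage named (BIND) syslog lines for the privileged-port listen failure.
Added example, not code from this thread or from pfSense. The sample log is
constructed; interface names (em1, ovpnc1) and addresses are assumptions."""
import re

# Constructed sample: the LAN (em1) stays up, the VPN client tunnel (ovpnc1)
# changes address, and named cannot re-open port 53 on the new address.
SAMPLE_LOG = """\
Apr  4 19:01:02 pfsense named[1234]: listening on IPv4 interface em1, 10.5.5.1#53
Apr  4 19:01:02 pfsense named[1234]: listening on IPv4 interface ovpnc1, 10.8.0.6#53
Apr  4 19:10:00 pfsense named[1234]: no longer listening on 10.8.0.6#53
Apr  4 19:10:05 pfsense named[1234]: listening on IPv4 interface ovpnc1, 10.8.0.14#53
Apr  4 19:10:05 pfsense named[1234]: could not listen on UDP socket: permission denied
Apr  4 19:10:05 pfsense named[1234]: creating IPv4 interface ovpnc1 failed; interface ignored
"""

LISTEN_RE = re.compile(r"listening on IPv[46] interface (\S+), (\S+)#(\d+)")
GONE_RE = re.compile(r"no longer listening on (\S+)#(\d+)")
DENIED_RE = re.compile(r"could not listen on (?:UDP|TCP) socket: permission denied")


def listen_failures(log_text):
    """Return [(iface, address, port, after_change)] for each refused listen.
    Assumes named's ordering: the 'listening on ...' line comes first and a
    following permission-denied line refers to that same socket."""
    failures, pending, addr_changed = [], None, False
    for line in log_text.splitlines():
        if GONE_RE.search(line):
            addr_changed = True  # an address disappeared while running
            continue
        m = LISTEN_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2), int(m.group(3)))
            continue
        if DENIED_RE.search(line) and pending:
            failures.append(pending + (addr_changed,))
            pending = None
    return failures


def diagnose(log_text):
    """Which interfaces failed, and whether every failure is a port below 1024
    opened only after an address change (the daemon had already dropped root)."""
    fails = listen_failures(log_text)
    return {
        "failed_interfaces": sorted({f[0] for f in fails}),
        "privileged_port_after_change": bool(fails)
        and all(port < 1024 and changed for _, _, port, changed in fails),
    }
```

Feed the named lines from the box's system log to diagnose() in place of SAMPLE_LOG; a result naming only the tunnel interfaces confirms the failure follows VPN address changes rather than the LAN.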