[Pdns-users] Error binding on UDP port 53 only when slave=yes
Sean Lair
slair at ippathways.com
Sat Jun 6 20:13:30 UTC 2020
Hello!
Our authoritative PDNS servers are currently using native mode with MariaDB. We are attempting to enable slave=yes (in pdns.conf) but when we do so, we get the error below. ***If we do not have slave=yes configured, then PDNS works fine (but not in slave mode of course).***
-----------------------------
Jun 6 19:57:54 ns1 systemd[1]: Starting PowerDNS Authoritative Server...
Jun 6 19:57:54 ns1 pdns_server[8154]: Loading '/usr/lib64/pdns/libgmysqlbackend.so'
Jun 6 19:57:54 ns1 pdns_server[8154]: This is a standalone pdns
Jun 6 19:57:54 ns1 pdns_server[8154]: Listening on controlsocket in '/var/run/pdns/pdns.controlsocket'
Jun 6 19:57:54 ns1 pdns_server[8154]: UDP server bound to 0.0.0.0:53
Jun 6 19:57:54 ns1 pdns_server[8154]: UDP server bound to [::]:53
Jun 6 19:57:54 ns1 pdns_server[8154]: TCP server bound to 0.0.0.0:53
Jun 6 19:57:54 ns1 pdns_server[8154]: TCP server bound to [::]:53
Jun 6 19:57:54 ns1 pdns_server[8154]: PowerDNS Authoritative Server 4.3.0 (C) 2001-2020 PowerDNS.COM BV
Jun 6 19:57:54 ns1 pdns_server[8154]: Using 64-bits mode. Built using gcc 8.3.1 20190507 (Red Hat 8.3.1-4) on Apr 9 2020 19:45:37 by mockbuild at localhost.
Jun 6 19:57:54 ns1 pdns_server[8154]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Jun 6 19:57:54 ns1 pdns_server[8154]: [webserver] Listening for HTTP requests on 0.0.0.0:8081
Jun 6 19:57:54 ns1 pdns_server[8154]: Master/slave communicator launching
Jun 6 19:57:54 ns1 pdns_server[8154]: Creating backend connection for TCP
Jun 6 19:57:54 ns1 pdns_server[8154]: About to create 3 backend threads for UDP
Jun 6 19:57:54 ns1 pdns_server[8154]: Exiting because communicator thread died with error: Resolver binding to local UDP socket on 0.0.0.0: Permission denied
-----------------------------
It seems that when slave=yes is configured that PDNS drops its privilege level before opening its sockets? If I turn off SELinux we have no issues, but with SELinux ON w/o slave=yes we also work without issue... Here is a line from our audit log, confirming that SELinux is blocking listening on port 53 - again this blocking only occurs if slave=yes.
-----------------------------
type=AVC msg=audit(1591472511.372:4842): avc: denied { name_bind } for pid=8081 comm="pdns/comm-main" src=14783 scontext=system_u:system_r:pdns_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
-----------------------------
Let me know if there is anything else I can provide to help. We are on CentOS 8 and PowerDNS Authoritative Server 4.3.0.
Thanks!
Sean
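As an added illustration (not code from this thread or from PowerDNS): a small Python parser for AVC records like the one quoted above. It extracts the source domain, the port type, the port number, the socket class and whether the denial was enforced, and builds the minimal type-enforcement allow rule in the same syntax audit2allow emits. The sample lines are constructed for this example; only the first is the record quoted in the post, the other two are made-up variants for contrast. Read against that record, the parser shows what was actually denied: a bind to src=14783, labelled unreserved_port_t, by the "pdns/comm-main" thread, i.e. the local source port of the communicator's outgoing resolver socket, not port 53 itself.

```python
import re

# Constructed sample lines. The first is the AVC record quoted in the post above;
# the second and third are made up here for contrast and come from no real system.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1591472511.372:4842): avc: denied { name_bind } for pid=8081 '
    'comm="pdns/comm-main" src=14783 scontext=system_u:system_r:pdns_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0',
    # constructed: what a denial on the DNS service port itself would look like
    'type=AVC msg=audit(1591472512.000:4843): avc: denied { name_bind } for pid=8081 '
    'comm="pdns_server" src=53 scontext=system_u:system_r:pdns_t:s0 '
    'tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket permissive=0',
    # constructed: same kind of denial logged in permissive mode (not actually blocked)
    'type=AVC msg=audit(1591472513.000:4844): avc: denied { name_bind } for pid=8081 '
    'comm="pdns/comm-main" src=40123 scontext=system_u:system_r:pdns_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1',
]

# "avc: denied { perm1 perm2 }" followed by key=value pairs (values may be quoted)
_DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record's fields as a dict, or None if the line is not an AVC denial."""
    m = _DENIED_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    # key=value pairs after the closing brace: pid, comm, src, scontext, tcontext, ...
    for key, val in _KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec


def selinux_type(context):
    """Type component of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def classify_bind_denial(rec):
    """Describe a name_bind denial on a socket: who, which port, and what rule would permit it."""
    if rec is None or "name_bind" not in rec["perms"]:
        return None
    tclass = rec.get("tclass", "")
    if not tclass.endswith("_socket") or "src" not in rec:
        return None
    port = int(rec["src"])
    domain = selinux_type(rec["scontext"])
    port_type = selinux_type(rec["tcontext"])
    if port < 1024:
        role = "privileged service port (a listener, e.g. the DNS port itself)"
    else:
        role = "unprivileged port, typically the local source port of an outgoing socket"
    return {
        "domain": domain,
        "comm": rec.get("comm", "?"),
        "proto": tclass.split("_")[0],          # udp / tcp
        "port": port,
        "port_type": port_type,
        "enforced": rec.get("permissive") == "0",
        "role": role,
        # minimal TE allow rule in the form audit2allow prints it (assumed here as the
        # rule a local policy module would need; whether to grant it is a policy decision)
        "te_rule": f"allow {domain} {port_type}:{tclass} name_bind;",
    }


def summarize(lines):
    """Classify every bind denial in the given audit lines; skips non-AVC lines."""
    return [c for c in (classify_bind_denial(parse_avc(l)) for l in lines) if c]


if __name__ == "__main__":
    for c in summarize(SAMPLE_AVC_LINES):
        state = "ENFORCED" if c["enforced"] else "permissive"
        print(f"{c['domain']} ({c['comm']}) denied {c['proto']} bind to port {c['port']} "
              f"[{c['port_type']}] {state}: {c['role']}")
        print(f"  rule that would permit it: {c['te_rule']}")
```

Running it on the three sample lines prints one summary per record; the first line's rule comes out as `allow pdns_t unreserved_port_t:udp_socket name_bind;`. The parser only states precisely what SELinux refused; whether to ship that rule as a local module, or to address the denial some other way, remains an administrative decision.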