Running Bind in a container

Jimbo · June 24, 2021, 2:24pm

I am trying to run Bind9 in a container, but when I try to setup port forwarding it says port is in use, so I edited /etc/systemd/resolved.conf to look like this

[Resolve]
DNS=8.8.8.8 1.1.1.1
DNSStubListener=no
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no-negative
#DNSStubListener=yes
#ReadEtcHosts=yes

I ran sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf to create a symlink and rebooted.

This command shows port 53 is still in use. Just wondering is it possible to run DNS server in an instance and have the port forwarded?

$ sudo lsof -i :53
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq 1568  lxd    8u  IPv4  29119      0t0  UDP 10.177.183.1:domain 
dnsmasq 1568  lxd    9u  IPv4  29120      0t0  TCP 10.177.183.1:domain (LISTEN)
dnsmasq 1568  lxd   10u  IPv6  29121      0t0  UDP [fd42:c826:7807:6d68::1]:domain 
dnsmasq 1568  lxd   11u  IPv6  29122      0t0  TCP [fd42:c826:7807:6d68::1]:domain (LISTEN)
dnsmasq 1598  lxd    6u  IPv4  24396      0t0  UDP 10.0.0.1:domain 
dnsmasq 1598  lxd    7u  IPv4  24397      0t0  TCP 10.0.0.1:domain (LISTEN)

Thanks

stgraber · June 24, 2021, 2:32pm

My preferred approach is to configure bind9 to only listen on the interface that you want it on, so in your case eth0 and its associated address.

This avoids conflicts with dnsmasq, resolved, … which all bind loopback or internal interfaces.

Jimbo · June 24, 2021, 2:52pm

You are correct, I had it set to listen to any, changed that to the private net IP and it allowed me to add the port. Thanks.

Jimbo · June 24, 2021, 3:18pm

From within the instance, i can do nslookup mydomain.ai 10.0.0.20 and it works, if I try to do that remotely to the public IP address of the LXD server. Note. port forwarding is setup for port 53. So i am thinking I am still getting a conflict.

$ nslookup mydomain.ai 123.123.123.123
;; connection timed out; no servers could be reached`

Heres the config

$ cat /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    dnssec-validation auto;

    listen-on { 10.0.0.20; localhost; };
    listen-on-v6 { none; };
};

stgraber · June 24, 2021, 4:49pm

Hmm, I’d probably use tcpdump to see what’s going on, make sure the traffic actually hits the container and if so, with what address, port and protocol.

Jimbo · June 24, 2021, 5:03pm

It does not seem to arrive to the container.

If run this on host nslookup mydomain.ai 10.0.0.20 with private IP, it goes to container.

tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:56:24.320070 IP _gateway.58182 > dns.lxd.domain: 8629+ A? mydomain.com. (34)
16:56:24.320229 IP dns.lxd.domain > _gateway.58182: 8629* 1/0/0 A 65.21.175.111 (50)
16:56:24.320809 IP _gateway.45070 > dns.lxd.domain: 30429+ AAAA? mydomain.com. (34)
16:56:24.320885 IP dns.lxd.domain > _gateway.45070: 30429* 0/1/0 (80)
16:56:24.321216 IP dns.lxd.47380 > _gateway.domain: 37560+ [1au] PTR? 20.0.0.10.in-addr.arpa. (51)
16:56:24.321370 IP _gateway.domain > dns.lxd.47380: 37560* 1/0/1 PTR dns.lxd. (72)
16:56:24.321778 IP dns.lxd.49843 > _gateway.domain: 8092+ [1au] PTR? 1.0.0.10.in-addr.arpa. (50)
16:56:24.329301 IP _gateway.domain > dns.lxd.49843: 8092 NXDomain 0/0/1 (50)
16:56:24.329405 IP dns.lxd.49843 > _gateway.domain: 8092+ PTR? 1.0.0.10.in-addr.arpa. (39)
16:56:24.337940 IP _gateway.domain > dns.lxd.49843: 8092 NXDomain 0/0/0 (39)
16:56:29.487757 ARP, Request who-has _gateway tell dns.lxd, length 28
16:56:29.487758 ARP, Request who-has dns.lxd tell _gateway, length 28
16:56:29.487802 ARP, Reply dns.lxd is-at 00:16:3e:d0:88:de (oui Unknown), length 28
16:56:29.487810 ARP, Reply _gateway is-at 00:16:3e:13:5d:ce (oui Unknown), length 28

If i send the same command but with the public IP from host or any other computer, nothing.

On the host, i undid the configuration what I did at the start so it uses systemd-resolve again. If i run this command to see ports 53, but i am not getting any errors, I added the proxy fine.

sudo lsof -i :53
COMMAND     PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd-r  1250 systemd-resolve   12u  IPv4   1923      0t0  UDP 127.0.0.53:domain 
systemd-r  1250 systemd-resolve   13u  IPv4   1924      0t0  TCP 127.0.0.53:domain (LISTEN)
dnsmasq   38834             lxd    8u  IPv4 302941      0t0  UDP 10.177.183.1:domain 
dnsmasq   38834             lxd    9u  IPv4 302942      0t0  TCP 10.177.183.1:domain (LISTEN)
dnsmasq   38834             lxd   10u  IPv6 302943      0t0  UDP [fe80::216:3eff:fe99:f226]:domain 
dnsmasq   38834             lxd   11u  IPv6 302944      0t0  TCP [fe80::216:3eff:fe99:f226]:domain (LISTEN)
dnsmasq   38834             lxd   12u  IPv6 302945      0t0  UDP [fd42:c826:7807:6d68::1]:domain 
dnsmasq   38834             lxd   13u  IPv6 302946      0t0  TCP [fd42:c826:7807:6d68::1]:domain (LISTEN)
dnsmasq   38856             lxd    6u  IPv4 304830      0t0  UDP 10.0.0.1:domain 
dnsmasq   38856             lxd    7u  IPv4 304831      0t0  TCP 10.0.0.1:domain (LISTEN)
dnsmasq   38856             lxd    8u  IPv6 304832      0t0  UDP [fe80::216:3eff:fe13:5dce]:domain 
dnsmasq   38856             lxd    9u  IPv6 304833      0t0  TCP [fe80::216:3eff:fe13:5dce]:domain (LISTEN)

This is how I setup the proxy

  proxy-5353:
    connect: tcp:0.0.0.0:53
    listen: tcp:123.123.123.123:53
    nat: "true"
    type: proxy

note. The instance is a container using ubuntu focal.

Jimbo · June 24, 2021, 5:18pm

Actually, I removed the static IP address switch proxy to

  proxy-5353:
    connect: tcp:127.0.0.1:53
    listen: tcp:0.0.0.0:53
    type: proxy

Then instance no longer starts|

"Error: Error occurred when starting proxy device: Error: Failed to listen on 0.0.0.0:53: listen tcp 0.0.0.0:53: bind: address already in use
Try lxc info --show-log dns for more info
"

TomvB · June 24, 2021, 5:59pm

I’m running PDNS in containers.

Steps from bash history:
nano /etc/systemd/resolved.conf

[Resolve]
#DNS=1.1.1.1
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no-negative
DNSStubListener=no
#ReadEtcHosts=yes

sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Jimbo · June 24, 2021, 6:06pm

Thanks Tom, that is what i started out with, but because I could not get it working I reverted the settings back, now i learnt how to use TCPdump, maybe its worth another go. Thanks for taking the time out to help.

Jimbo · June 24, 2021, 6:18pm

Retested, same thing. i have to set a static IP address and nat proxy for the container to start.
The systemd-resolve lines have disappeared but still getting a conflict I think.

$ sudo lsof -i :53
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq 1896  lxd    8u  IPv4  25324      0t0  UDP 10.177.183.1:domain 
dnsmasq 1896  lxd    9u  IPv4  25325      0t0  TCP 10.177.183.1:domain (LISTEN)
dnsmasq 1896  lxd   10u  IPv6  25326      0t0  UDP [fd42:c826:7807:6d68::1]:domain 
dnsmasq 1896  lxd   11u  IPv6  25327      0t0  TCP [fd42:c826:7807:6d68::1]:domain (LISTEN)
dnsmasq 1945  lxd    6u  IPv4  28831      0t0  UDP 10.0.0.1:domain 
dnsmasq 1945  lxd    7u  IPv4  28832      0t0  TCP 10.0.0.1:domain (LISTEN)

Again seems to work fine when using the private network address, just the problem when using the public address, which is suppose to forward it to container, but nothing reaches it (i assume because TCP dump showed nothing at all).

TomvB · June 24, 2021, 7:17pm

With macvlan? I’m using macvlan in this case with the PowerDNS service on port 53.
Reboot required after the change. Tested with Ubuntu 20.04.

root@LC:~# lsof -i :53
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
pdns_serv 337 pdns 5u IPv4 96977 0t0 UDP ns1.:domain
pdns_serv 337 pdns 6u IPv4 96978 0t0 TCP ns1.:domain (LISTEN)

Also check /etc/resolv.conf

nameserver 8.8.8.8
search domain.example

Jimbo · June 24, 2021, 7:37pm

Interesting re macvlan, i cant use macvlan just yet as i configured a bridge to use a different subnet of IPv4 addresses, and this time round macvlan doesnt work.

First thing I do is ping google.com to make sure it’s working.

Jimbo · June 25, 2021, 2:31pm

I am going to reformat the server again (#11) and install debian to try and get a routed network setup, it took me days to get bridged working with the extra subnet.

Can somebody just confirm if I can run bind9 with port 53 inside a container or not using the standard lxd bridge, been stuck on this for two days now. thanks. All other stuff proxy ports work out of the box,.

stgraber · June 25, 2021, 4:28pm

I’ve been running production DNS servers inside of LXD containers for years, it’s never been a problem. Recently resolved indeed causes conflicts out of the box so the DNS server fails to start until you bind it to a specific interface/address but it otherwise all works just fine.

Jimbo · June 25, 2021, 4:33pm

Okay, so i must be doing something wrong.

Jimbo · June 25, 2021, 4:38pm

What do you mean exactly "bind it to a specific interface/address " are you refering the BIND server configuration or the port forwarding , which i already tried both.

stgraber · June 25, 2021, 5:04pm

Looking back at your post, I suspect the main issue is that you’re proxying TCP only whereas the bulk of DNS is UDP.

Jimbo · June 25, 2021, 5:09pm

I see, so nslookup worked with the 10.x.x.x. address because that was UDP and the port forward did not work because of the UDP, that makes sense. Thank you very much, I will try again.