Running Bind in a container

I am trying to run Bind9 in a container, but when I try to setup port forwarding it says port is in use, so I edited /etc/systemd/resolved.conf to look like this

[Resolve]
DNS=8.8.8.8 1.1.1.1
DNSStubListener=no
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no-negative
#DNSStubListener=yes
#ReadEtcHosts=yes

I ran sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf to create a symlink and rebooted.

This command shows port 53 is still in use. Just wondering is it possible to run DNS server in an instance and have the port forwarded?

$ sudo lsof -i :53
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq 1568  lxd    8u  IPv4  29119      0t0  UDP 10.177.183.1:domain 
dnsmasq 1568  lxd    9u  IPv4  29120      0t0  TCP 10.177.183.1:domain (LISTEN)
dnsmasq 1568  lxd   10u  IPv6  29121      0t0  UDP [fd42:c826:7807:6d68::1]:domain 
dnsmasq 1568  lxd   11u  IPv6  29122      0t0  TCP [fd42:c826:7807:6d68::1]:domain (LISTEN)
dnsmasq 1598  lxd    6u  IPv4  24396      0t0  UDP 10.0.0.1:domain 
dnsmasq 1598  lxd    7u  IPv4  24397      0t0  TCP 10.0.0.1:domain (LISTEN)

Thanks

My preferred approach is to configure bind9 to only listen on the interface that you want it on, so in your case eth0 and its associated address.

This avoids conflicts with dnsmasq, resolved, … which all bind loopback or internal interfaces.

1 Like

You are correct, I had it set to listen to any, changed that to the private net IP and it allowed me to add the port. Thanks.

From within the instance, i can do nslookup mydomain.ai 10.0.0.20 and it works, if I try to do that remotely to the public IP address of the LXD server. Note. port forwarding is setup for port 53. So i am thinking I am still getting a conflict.

$ nslookup mydomain.ai 123.123.123.123
;; connection timed out; no servers could be reached`

Heres the config

$ cat /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    dnssec-validation auto;

    listen-on { 10.0.0.20; localhost; };
    listen-on-v6 { none; };
};

Hmm, I’d probably use tcpdump to see what’s going on, make sure the traffic actually hits the container and if so, with what address, port and protocol.

It does not seem to arrive to the container.

If run this on host nslookup mydomain.ai 10.0.0.20 with private IP, it goes to container.

tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:56:24.320070 IP _gateway.58182 > dns.lxd.domain: 8629+ A? mydomain.com. (34)
16:56:24.320229 IP dns.lxd.domain > _gateway.58182: 8629* 1/0/0 A 65.21.175.111 (50)
16:56:24.320809 IP _gateway.45070 > dns.lxd.domain: 30429+ AAAA? mydomain.com. (34)
16:56:24.320885 IP dns.lxd.domain > _gateway.45070: 30429* 0/1/0 (80)
16:56:24.321216 IP dns.lxd.47380 > _gateway.domain: 37560+ [1au] PTR? 20.0.0.10.in-addr.arpa. (51)
16:56:24.321370 IP _gateway.domain > dns.lxd.47380: 37560* 1/0/1 PTR dns.lxd. (72)
16:56:24.321778 IP dns.lxd.49843 > _gateway.domain: 8092+ [1au] PTR? 1.0.0.10.in-addr.arpa. (50)
16:56:24.329301 IP _gateway.domain > dns.lxd.49843: 8092 NXDomain 0/0/1 (50)
16:56:24.329405 IP dns.lxd.49843 > _gateway.domain: 8092+ PTR? 1.0.0.10.in-addr.arpa. (39)
16:56:24.337940 IP _gateway.domain > dns.lxd.49843: 8092 NXDomain 0/0/0 (39)
16:56:29.487757 ARP, Request who-has _gateway tell dns.lxd, length 28
16:56:29.487758 ARP, Request who-has dns.lxd tell _gateway, length 28
16:56:29.487802 ARP, Reply dns.lxd is-at 00:16:3e:d0:88:de (oui Unknown), length 28
16:56:29.487810 ARP, Reply _gateway is-at 00:16:3e:13:5d:ce (oui Unknown), length 28

If i send the same command but with the public IP from host or any other computer, nothing.

On the host, i undid the configuration what I did at the start so it uses systemd-resolve again. If i run this command to see ports 53, but i am not getting any errors, I added the proxy fine.

sudo lsof -i :53
COMMAND     PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd-r  1250 systemd-resolve   12u  IPv4   1923      0t0  UDP 127.0.0.53:domain 
systemd-r  1250 systemd-resolve   13u  IPv4   1924      0t0  TCP 127.0.0.53:domain (LISTEN)
dnsmasq   38834             lxd    8u  IPv4 302941      0t0  UDP 10.177.183.1:domain 
dnsmasq   38834             lxd    9u  IPv4 302942      0t0  TCP 10.177.183.1:domain (LISTEN)
dnsmasq   38834             lxd   10u  IPv6 302943      0t0  UDP [fe80::216:3eff:fe99:f226]:domain 
dnsmasq   38834             lxd   11u  IPv6 302944      0t0  TCP [fe80::216:3eff:fe99:f226]:domain (LISTEN)
dnsmasq   38834             lxd   12u  IPv6 302945      0t0  UDP [fd42:c826:7807:6d68::1]:domain 
dnsmasq   38834             lxd   13u  IPv6 302946      0t0  TCP [fd42:c826:7807:6d68::1]:domain (LISTEN)
dnsmasq   38856             lxd    6u  IPv4 304830      0t0  UDP 10.0.0.1:domain 
dnsmasq   38856             lxd    7u  IPv4 304831      0t0  TCP 10.0.0.1:domain (LISTEN)
dnsmasq   38856             lxd    8u  IPv6 304832      0t0  UDP [fe80::216:3eff:fe13:5dce]:domain 
dnsmasq   38856             lxd    9u  IPv6 304833      0t0  TCP [fe80::216:3eff:fe13:5dce]:domain (LISTEN)

This is how I setup the proxy

  proxy-5353:
    connect: tcp:0.0.0.0:53
    listen: tcp:123.123.123.123:53
    nat: "true"
    type: proxy

note. The instance is a container using ubuntu focal.

Actually, I removed the static IP address switch proxy to

  proxy-5353:
    connect: tcp:127.0.0.1:53
    listen: tcp:0.0.0.0:53
    type: proxy

Then instance no longer starts|

"Error: Error occurred when starting proxy device: Error: Failed to listen on 0.0.0.0:53: listen tcp 0.0.0.0:53: bind: address already in use
Try lxc info --show-log dns for more info
"

I’m running PDNS in containers.

Steps from bash history:
nano /etc/systemd/resolved.conf

[Resolve]
#DNS=1.1.1.1
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no-negative
DNSStubListener=no
#ReadEtcHosts=yes

sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Thanks Tom, that is what i started out with, but because I could not get it working I reverted the settings back, now i learnt how to use TCPdump, maybe its worth another go. Thanks for taking the time out to help.

Retested, same thing. i have to set a static IP address and nat proxy for the container to start.
The systemd-resolve lines have disappeared but still getting a conflict I think.

$ sudo lsof -i :53
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq 1896  lxd    8u  IPv4  25324      0t0  UDP 10.177.183.1:domain 
dnsmasq 1896  lxd    9u  IPv4  25325      0t0  TCP 10.177.183.1:domain (LISTEN)
dnsmasq 1896  lxd   10u  IPv6  25326      0t0  UDP [fd42:c826:7807:6d68::1]:domain 
dnsmasq 1896  lxd   11u  IPv6  25327      0t0  TCP [fd42:c826:7807:6d68::1]:domain (LISTEN)
dnsmasq 1945  lxd    6u  IPv4  28831      0t0  UDP 10.0.0.1:domain 
dnsmasq 1945  lxd    7u  IPv4  28832      0t0  TCP 10.0.0.1:domain (LISTEN)

Again seems to work fine when using the private network address, just the problem when using the public address, which is suppose to forward it to container, but nothing reaches it (i assume because TCP dump showed nothing at all).

With macvlan? I’m using macvlan in this case with the PowerDNS service on port 53.
Reboot required after the change. Tested with Ubuntu 20.04.

root@LC:~# lsof -i :53
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
pdns_serv 337 pdns 5u IPv4 96977 0t0 UDP ns1.:domain
pdns_serv 337 pdns 6u IPv4 96978 0t0 TCP ns1.:domain (LISTEN)

Also check /etc/resolv.conf

nameserver 8.8.8.8
search domain.example

Interesting re macvlan, i cant use macvlan just yet as i configured a bridge to use a different subnet of IPv4 addresses, and this time round macvlan doesnt work.

First thing I do is ping google.com to make sure it’s working.

I am going to reformat the server again (#11) and install debian to try and get a routed network setup, it took me days to get bridged working with the extra subnet.

Can somebody just confirm if I can run bind9 with port 53 inside a container or not using the standard lxd bridge, been stuck on this for two days now. thanks. All other stuff proxy ports work out of the box,.

I’ve been running production DNS servers inside of LXD containers for years, it’s never been a problem. Recently resolved indeed causes conflicts out of the box so the DNS server fails to start until you bind it to a specific interface/address but it otherwise all works just fine.

Okay, so i must be doing something wrong.

What do you mean exactly "bind it to a specific interface/address " are you refering the BIND server configuration or the port forwarding , which i already tried both.

Looking back at your post, I suspect the main issue is that you’re proxying TCP only whereas the bulk of DNS is UDP.

I see, so nslookup worked with the 10.x.x.x. address because that was UDP and the port forward did not work because of the UDP, that makes sense. Thank you very much, I will try again.