named: could not listen on UDP socket: permission denied

I have a VPN tunnel set up as tun0 and I'm running all my server traffic through that tunnel, including DNS traffic. In running named, I'm starting to see the following error in my /var/log/messages file about once every hour. DNS seems to be working just fine, but I have no idea what is causing this error to be reported in the log file.

Any clues and/or fixes?

Thanks,

Code:
Jun 29 23:52:56 godzilla named[1207]: could not listen on UDP socket: permission denied
Jun 29 23:52:56 godzilla named[1207]: creating IPv4 interface tun0 failed; interface ignored
Jun 30 00:52:56 godzilla named[1207]: could not listen on UDP socket: permission denied
Jun 30 00:52:56 godzilla named[1207]: creating IPv4 interface tun0 failed; interface ignored
Jun 30 01:52:56 godzilla named[1207]: could not listen on UDP socket: permission denied
Jun 30 01:52:56 godzilla named[1207]: creating IPv4 interface tun0 failed; interface ignored
Jun 30 02:52:56 godzilla named[1207]: could not listen on UDP socket: permission denied
Jun 30 02:52:56 godzilla named[1207]: creating IPv4 interface tun0 failed; interface ignored
Jun 30 03:52:56 godzilla named[1207]: could not listen on UDP socket: permission denied
Jun 30 03:52:56 godzilla named[1207]: creating IPv4 interface tun0 failed; interface ignored
Jun 30 04:52:56 godzilla named[1207]: could not listen on UDP socket: permission denied
Jun 30 04:52:56 godzilla named[1207]: creating IPv4 interface tun0 failed; interface ignored
Jun 30 05:52:56 godzilla named[1207]: could not listen on UDP socket: permission denied
Jun 30 05:52:56 godzilla named[1207]: creating IPv4 interface tun0 failed; interface ignored
Jun 30 06:52:56 godzilla named[1207]: could not listen on UDP socket: permission denied
Jun 30 06:52:56 godzilla named[1207]: creating IPv4 interface tun0 failed; interface ignored
Jun 30 07:52:56 godzilla named[1207]: could not listen on UDP socket: permission denied
Jun 30 07:52:56 godzilla named[1207]: creating IPv4 interface tun0 failed; interface ignored
Jun 30 08:52:56 godzilla named[1207]: could not listen on UDP socket: permission denied
Jun 30 08:52:56 godzilla named[1207]: creating IPv4 interface tun0 failed; interface ignored
 
fullauto said:
Any chance you have another instance of named running?

Positive.

Code:
godzilla# ps -auwwx | grep named
bind        1207   0.0  3.2  51236  24484  ??  Is   Thu06AM    0:05.62 /usr/sbin/named -t /var/named -u bind
 
I did some research and it seems like there might be some issue with named running as (bind) vs. (root). But I'm not 100% sure since the following remarks don't seem to focus directly on my issue. At least the good thing is that nothing is failing; named is running just fine. It's just that my /var/log/messages file is being filled with this error every hour.

Source: http://forums.freebsd.org/showthread.php?t=11196

 
Just in case someone finds this thread via Google (like me) ...

The problem is as follows: If named runs as the "named" user (i.e. not as root), it cannot bind to port numbers below 1024. Therefore, when named is started as root, it first binds to port 53 (that's the standard DNS port number) on all interfaces, then it releases its root privileges and changes to user "named".

However, if you have a dynamic interface (like tun0 in this case), named needs to re-bind to it every time the IP on that interface changes. But it cannot do that once it has released its root privileges (it retries once per hour). That's what is causing the error messages.

If everything is fine for you and you just want to get rid of the error messages, then change the "listen-on" directive in your named.conf file. It should only include the IP addresses that you need for providing DNS.

If you need to provide DNS on the dynamic interface, the quick solution is to run named as root all the time. But this is not recommended for security reasons. A better solution is to either use a script (such as "linkup" for the ppp daemon) that restarts named each time the IP address changes, or use the "portacl" MAC module and set up a portacl rule that specifically allows the "named" user to bind to port 53.
 
olli@ said:
Just in case someone finds this thread via Google (like me) ...

The problem is as follows: If named runs as the "named" user (i.e. not as root), it cannot bind to port numbers below 1024. Therefore, when named is started as root, it first binds to port 53 (that's the standard DNS port number) on all interfaces, then it releases its root privileges and changes to user "named".

However, if you have a dynamic interface (like tun0 in this case), named needs to re-bind to it every time the IP on that interface changes. But it cannot do that once it has released its root privileges (it retries once per hour). That's what is causing the error messages.

If everything is fine for you and you just want to get rid of the error messages, then change the "listen-on" directive in your named.conf file. It should only include the IP addresses that you need for providing DNS.

If you need to provide DNS on the dynamic interface, the quick solution is to run named as root all the time. But this is not recommended for security reasons. A better solution is to either use a script (such as "linkup" for the ppp daemon) that restarts named each time the IP address changes, or use the "portacl" MAC module and set up a portacl rule that specifically allows the "named" user to bind to port 53.
I'd like to get rid of the message. My named.conf file says the following for listen-on:


Code:
// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
#listen-on      { 127.0.0.1; };

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".
#listen-on-v6   { ::1; };
Should I just comment this out? And will doing so not impact my DNS operations locally
nor globally with incoming DNS queries or zone transfers from my HE.NET secondary servers?
Thanks,
 
The hash sign (#) is also a comment sign in BIND configuration files, so your server is now accepting connections on all interfaces. You should only list statically configured interfaces with their addresses, including localhost.

Code:
// replace public-ipv4 / public-ipv6 with the static addresses of your interfaces;
// each statement must end with a semicolon
listen-on { public-ipv4; 127.0.0.1; };
listen-on-v6 { public-ipv6; ::1; };

Whether these changes have an effect on your DNS depends on which addresses are queried and from where; there's no way to answer that without more information.
 
AlbyVA said:
I'd like to get rid of the message. My named.conf file says the following for listen-on:
Code:
// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
#listen-on      { 127.0.0.1; };

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".
#listen-on-v6   { ::1; };
Should I just comment this out?
It already is commented out, because "#" means the same as "//" in BIND configuration files. In this case, the default means to bind to all interfaces. This is exactly what's causing the error messages: It also binds to the tun0 interface, which is a dynamic one (I guess a PPP uplink or similar), i.e. its IP address may change, but the named process cannot re-bind to the new IP address.

I suggest you type "ifconfig" and look at the lines starting with the word "inet". Those are your current IP addresses. Then create a "listen-on" directive in your named.conf file that includes only those addresses that you need to provide DNS service on, for example:
Code:
listen-on {
    127.0.0.1;
    10.20.30.40;
};
Note that localhost (127.0.0.1) should always be included. Don't forget the terminating semicolons. If you also use IPv6, you have to do the same with your inet6 addresses and a "listen-on-v6" directive.

And will doing so not impact my DNS operations locally nor globally with incoming DNS queries or zone transfers from my HE.NET secondary servers?
I can't tell because I don't know your particular setup. It depends on which interface and IP address the DNS queries arrive at your server.

By the way, you can also add "interface-interval 0;" to your named.conf file. This will disable the interface scanning that normally occurs every 60 minutes by default. Since named doesn't run as root by default, it cannot re-bind port 53 (unless you use the "portacl" MAC module), so interface scanning is useless anyway and can be safely disabled.
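As an added example (not code from the thread or from BIND), the following script does what olli@ describes in both of his posts: it parses ifconfig output, keeps only statically configured interfaces, always includes localhost, and emits the listen-on / listen-on-v6 statements plus "interface-interval 0;" for named.conf. The sample ifconfig output, its addresses and the DYNAMIC_PREFIXES tuple are constructed assumptions; run it against real `ifconfig` output to generate your own block.

```python
import re

# Constructed sample of FreeBSD ifconfig output (placeholder addresses, not from the thread)
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.20.30.40 netmask 0xffffff00 broadcast 10.20.30.255
        inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
        inet6 2001:db8::40 prefixlen 64
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffffff
"""

# Assumption: interfaces with these name prefixes get their address dynamically
# (VPN/PPP links), so named cannot re-bind to them after dropping root.
DYNAMIC_PREFIXES = ("tun", "ppp", "gif")


def parse_ifconfig(text):
    """Return {ifname: {"inet": [...], "inet6": [...]}} from ifconfig output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:
            current = head.group(1)
            ifaces[current] = {"inet": [], "inet6": []}
            continue
        addr = re.match(r"^\s+(inet6?)\s+(\S+)", line)
        if addr and current:
            fam, ip = addr.groups()
            ip = ip.split("%")[0]          # strip the "%em0" scope id
            if fam == "inet6" and ip.startswith("fe80:"):
                continue                   # link-local is not a listen address
            ifaces[current][fam].append(ip)
    return ifaces


def static_listen_addrs(ifaces, dynamic_prefixes=DYNAMIC_PREFIXES):
    """Collect addresses of non-dynamic interfaces; localhost is always included."""
    v4, v6 = [], []
    for name, addrs in ifaces.items():
        if name.startswith(dynamic_prefixes):
            continue                       # skip tun0 and friends
        v4.extend(addrs["inet"])
        v6.extend(addrs["inet6"])
    if "127.0.0.1" not in v4:
        v4.insert(0, "127.0.0.1")
    if "::1" not in v6:
        v6.insert(0, "::1")
    return v4, v6


def render_listen_on(v4, v6):
    """Render the named.conf fragment: every address and each block ends with ';'."""
    lines = ["listen-on {"] + [f"    {a};" for a in v4] + ["};"]
    lines += ["listen-on-v6 {"] + [f"    {a};" for a in v6] + ["};"]
    lines.append("interface-interval 0;")  # no hourly rescan of tun0
    return "\n".join(lines)
```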
 
Jackpot. Adding my interface IPs (both v4 and v6) into the named.conf file under
the listen-on field resolved my issues. But now I have to wonder, maybe adding
interface-interval XX; makes more sense.

This can be marked resolved.

Thanks,
 