BIND 9.19.24 not listening to rndc port 953 on localhost
Summary
On FreeBSD 13.3-STABLE, with BIND 9.19.24 installed from package, starting named results in named not listening to localhost port 953 (with corresponding error messages in syslog), resulting in rndc not working.
BIND version affected
BIND 9.19.24 (Development Release)
running on FreeBSD amd64 13.3-STABLE FreeBSD 13.3-STABLE stable/13-n257580-6bf21b4c0c61 DNS_VIMAGE
built by make with '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-libxml2' '--with-openssl=/usr' '--enable-dnsrps' '--with-readline=libedit' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-querytrace' '--enable-tcp-fastopen' '--prefix=/usr/local' '--mandir=/usr/local/share/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd13.2' 'build_alias=amd64-portbld-freebsd13.2' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf' 'PKG_CONFIG_LIBDIR=/wrkdirs/usr/ports/dns/bind9-devel/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig' 'PYTHON=/usr/local/bin/python3.11' 'READLINE_CFLAGS=-L/usr/local/lib'
compiled by CLANG FreeBSD Clang 14.0.5 (https://github.com/llvm/llvm-project.git llvmorg-14.0.5-0-gc12386ae247c)
compiled with OpenSSL version: OpenSSL 1.1.1t-freebsd 7 Feb 2023
linked to OpenSSL version: OpenSSL 1.1.1w-freebsd 11 Sep 2023
compiled with libuv version: 1.48.0
linked to libuv version: 1.48.0
compiled with liburcu version: 0.14.0
compiled with system jemalloc version: 2020110501
compiled with libnghttp2 version: 1.62.1
linked to libnghttp2 version: 1.59.0
compiled with libxml2 version: 2.11.8
linked to libxml2 version: 21106
compiled with json-c version: 0.17
linked to json-c version: 0.17
compiled with zlib version: 1.2.13
linked to zlib version: 1.3.1
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): no
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
Steps to reproduce
- Install 9.19.24 package: pkg install bind9-devel-9.19.24_1
- Add to /etc/rc.conf: named_enable="YES"
- No modifications to named.conf (i.e. default from FreeBSD pkg), which means named runs as user bind, not root
- Start named with: service named start
- Try to use rndc: rndc status
- Observe error message from rndc:
# rndc status
rndc: connect failed: 127.0.0.1#953: connection refused
- Observe startup error messages in syslog:
# egrep 127.0.0.1#953 /var/log/daemon.log | tail -1
Jul 2 11:00:12 nlab1 named[38461]: /usr/local/etc/namedb/named.conf:17: couldn't add command channel 127.0.0.1#953: permission denied
- Start named manually as root (drop "-u bind" from command line), resulting in working rndc and no error message in syslog.
- Run named under truss, and observe that it tries to bind to port 953 after setting uid to bind (53):
# truss -df /usr/local/sbin/named -t /var/named -u bind -c /usr/local/etc/namedb/named.conf
# egrep 'setuid|setresuid|127.0.0.1:953' truss.log
38461: 0.063859531 setresuid(0xffffffff,0x35,0xffffffff) = 0 (0x0)
38461: 0.064231316 setresuid(0xffffffff,0x0,0xffffffff) = 0 (0x0)
38461: 0.064999183 setresuid(0xffffffff,0x35,0xffffffff) = 0 (0x0)
38461: 0.065332218 setresuid(0xffffffff,0x0,0xffffffff) = 0 (0x0)
38461: 0.083518302 setuid(0x35) = 0 (0x0)
38461: 0.093282161 bind(59,{ AF_INET 127.0.0.1:953 },16) ERR#13 'Permission denied'
So we set uid 53 (bind) at 0.083518302, and then try to bind to port 953 at 0.093282161.
What is the current bug behavior?
named tries to bind to privileged port 953 after setting uid to a non-root user.
What is the expected correct behavior?
named should bind to privileged port 953 before setting uid to a non-root user.
BIND 9.18.27, also installed from FreeBSD package, works fine.
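The ordering described above, as an added illustration in a minimal C daemon skeleton (not BIND's own code): opening the 127.0.0.1 listener first and then dropping root works, while dropping root first yields the same EACCES (errno 13) seen in the truss output. Port 953, uid/gid 53 and the function names are assumptions for this example.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Bind and listen on 127.0.0.1:port; returns the fd, or -errno (non-root on a port < 1024 gives -EACCES). */
int listen_loopback(unsigned short port)
{
    int err, fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sin;
    if (fd < 0) return -errno;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 8) < 0) { err = errno; close(fd); return -err; }
    return fd;
}

/* Permanently drop root to uid/gid; a no-op when the process is not root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0) return 0;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -errno;
    return 0;
}

/* Open the control channel and drop privileges in the requested order: bind_first=1 is correct, 0 reproduces the bug. */
int start_control_channel(unsigned short port, uid_t uid, gid_t gid, int bind_first)
{
    int fd, rc;
    if (!bind_first) {
        if ((rc = drop_privileges(uid, gid)) < 0) return rc;
        return listen_loopback(port);   /* -EACCES here is the reported failure */
    }
    if ((fd = listen_loopback(port)) < 0) return fd;
    if ((rc = drop_privileges(uid, gid)) < 0) { close(fd); return rc; }
    return fd;
}

int main(void)
{
    int fd = start_control_channel(953, 53, 53, 1); /* uid 53 = user bind, as in setuid(0x35) in the truss log */
    printf("%s\n", fd >= 0 ? "listening on 127.0.0.1:953" : strerror(-fd));
    return 0;
}
```

Run as root, it prints that it is listening on 127.0.0.1:953 and the process ends up as uid 53; with bind_first=0 the listener is opened after the uid change and bind() fails with EACCES.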
Edited by Ondřej Surý