
Use Case: Listen Port Collision

James Swineson edited this page Nov 2, 2017 · 7 revisions

I'm going to run two DNS servers on the same Linux machine:

  • m13253/dns-over-https (the doh-client) is used to resolve queries through an upstream DNS-over-HTTPS server, which bypasses any ISP-level DNS pollution/proxying.
  • Knot Resolver is used to cache the results and provide DNS for my LAN.

They both need to listen on port 53, so they cannot be started at the same time. So I have to put the dns-over-https client into its own netns. Here are the steps:

After installing dns-over-https, create the drop-in file /etc/systemd/system/doh-client.service.d/netns.conf:

[Unit]
# Join the network namespace created by netns@doh.service. The three directive
# names below are an assumption, reconstructed from the netns project's
# documented drop-in pattern (Requires/After/JoinsNamespaceOf).
Requires=netns@doh.service
After=netns@doh.service
JoinsNamespaceOf=netns@doh.service

[Service]
PrivateNetwork=yes

Since I may need to query dns-over-https directly, bypassing Knot, I need to bridge that netns to my LAN. Create /etc/default/netns-bridge-doh. (I don't like to configure a static IP on every device, so I made a static lease on my DHCP server and configure a static MAC address here.)

BRIDGE=br0
DHCPV4=1
MACADDR=00:11:22:33:44:55

(Don't forget to create the bridge br0 beforehand! See wiki/Bridging if you don't know how.)

Then configure knot-resolver to listen on [::] (the IPv6 equivalent of 0.0.0.0; it also accepts IPv4 connections) as well. This is done by overriding kresd.socket with a drop-in: create /etc/systemd/system/kresd.socket.d/listen.conf and fill in the following (the empty ListenStream= and ListenDatagram= lines first clear the addresses set in the stock kresd.socket, so only [::]:53 remains):

[Socket]
ListenStream=
ListenDatagram=
ListenStream=[::]:53
ListenDatagram=[::]:53

Configure knot-resolver to use the dns-over-https client as its upstream by appending the following line to /etc/knot-resolver/kresd.conf:

policy.add(policy.all(policy.FORWARD({'192.168.x.y'})))

where 192.168.x.y is the IP address of the doh netns (the one handed out by the static DHCP lease configured above).

Now start everything:

systemctl daemon-reload
systemctl restart kresd.socket
systemctl start netns-bridge@doh
systemctl start doh-client

And enable them to start automatically on boot:

systemctl enable netns-bridge@doh
systemctl reenable doh-client

Now verify that everything is working. In the host namespace, port 53 shows up under PID 1 (init) because kresd is socket-activated: systemd holds the kresd.socket listener and hands it to kresd on the first query. Inside the doh netns, port 53 is held by doh-client, so the two listeners no longer collide.

pi@raspberrypi:~$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      957/sshd
tcp6       0      0 :::53                   :::*                    LISTEN      1/init
tcp6       0      0 :::853                  :::*                    LISTEN      1/init
tcp6       0      0 :::22                   :::*                    LISTEN      957/sshd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           366/avahi-daemon: r
udp        0      0 0.0.0.0:52708           0.0.0.0:*                           366/avahi-daemon: r
udp        0      0 0.0.0.0:68              0.0.0.0:*                           690/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           859/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           399/dhcpcd
udp6       0      0 :::5353                 :::*                                366/avahi-daemon: r
udp6       0      0 :::53269                :::*                                366/avahi-daemon: r
udp6       0      0 :::546                  :::*                                399/dhcpcd
udp6    4224      0 :::53                   :::*                                1/init
pi@raspberrypi:~$ sudo chnetns doh netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::53                   :::*                    LISTEN      975/doh-client
udp6       0      0 :::53                   :::*                                975/doh-client
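As an added check (this script is not part of the wiki page or the netns project), the following POSIX shell snippet parses netstat -tulpn listings like the two captured above and confirms that port 53 has exactly one owner in each namespace and that the owners differ. The HOST_NS and DOH_NS listings embedded in it are trimmed from the output above; SPLIT_NS is a constructed listing showing what a half-finished setup would look like. On a live box you would feed it the output of `netstat -tulpn` and `chnetns doh netstat -tulpn` instead, run as root so that the PID/Program column is populated.

```shell
#!/bin/sh
# Added example, not from the wiki page or the netns project: verify that the
# listen-port collision is resolved by checking who owns :53 in each namespace.

# port_owner PORT: read a `netstat -tulpn` listing on stdin and print the unique
# "PID/Program" values listening on PORT (TCP or UDP, IPv4 or IPv6).
port_owner() {
    awk -v p="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")             # port follows the last ":" of Local Address
            if (a[n] != p) next
            for (i = 5; i <= NF; i++)         # first field shaped like PID/name
                if ($i ~ /^[0-9]+\//) { print $i; break }
        }' | sort -u
}

# Listings trimmed from the page's captured output (host namespace, doh netns).
HOST_NS='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      957/sshd
tcp6       0      0 :::53                   :::*                    LISTEN      1/init
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           366/avahi-daemon: r
udp6    4224      0 :::53                   :::*                                1/init'

DOH_NS='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::53                   :::*                    LISTEN      975/doh-client
udp6       0      0 :::53                   :::*                                975/doh-client'

# Constructed listing: two different programs sharing :53 (TCP vs UDP) in one
# namespace, which collision_check must reject.
SPLIT_NS='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::53                   :::*                    LISTEN      1/init
udp6       0      0 :::53                   :::*                                975/doh-client'

# collision_check HOST_LISTING DOH_LISTING: return 0 only if each listing has
# exactly one owner of :53 and the two owners differ; print a verdict either way.
collision_check() {
    host_owner=$(printf '%s\n' "$1" | port_owner 53)
    doh_owner=$(printf '%s\n' "$2" | port_owner 53)
    host_n=$(printf '%s\n' "$1" | port_owner 53 | wc -l | tr -d ' ')
    doh_n=$(printf '%s\n' "$2" | port_owner 53 | wc -l | tr -d ' ')
    if [ "$host_n" -ne 1 ] || [ "$doh_n" -ne 1 ]; then
        echo "FAIL: expected exactly one owner of :53 per namespace (host=$host_n, doh=$doh_n);" \
             "run netstat as root if the PID/Program column shows '-'"
        return 1
    fi
    if [ "$host_owner" = "$doh_owner" ]; then
        echo "FAIL: the same process ($host_owner) holds :53 in both listings"
        return 1
    fi
    echo "OK: host :53 -> $host_owner, doh netns :53 -> $doh_owner"
}

collision_check "$HOST_NS" "$DOH_NS"
```

The check deliberately refuses a namespace with zero owners as well as one with two: zero usually means netstat was run without root (the owner column reads `-`), and two means the TCP and UDP listeners ended up in different programs, which is exactly the situation the netns split is meant to rule out.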