dnsdist: Fatal error: binding socket to 0.0.0.0:53: Permission denied

[Ziris85]

Hello! On first blush I thought this might be a bug in the container or something, but I thought I'd start here since it's certainly possible it's just something funky in my setup. I'm running a microk8s cluster, and my attempts at deploying dnsdist were failing due to the aforementioned error. Of course this lead me to the needed capabilities, which I tried with a simple pod definition:

# cat dnsdist.yaml
apiVersion: v1
kind: Pod
metadata:
  name: dnsdist
spec:
  containers:
    - image: powerdns/dnsdist-20:latest
      imagePullPolicy: IfNotPresent
      name: dnsdist
      resources: {}
      securityContext:
        capabilities:
          add:
            - NET_BIND_SERVICE
          drop:
            - ALL
  restartPolicy: Always
status: {}

This still fails to bind to port 53:

# kubectl logs dnsdist
dnsdist 2.0.0 comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2
Fatal error: binding socket to 0.0.0.0:53: Permission denied

Even if I blast the permissions wide open with privileged: true it doesn't work. If someone has a moment and a second set of eyes, I would greatly appreciate it! Thank you!

[Ziris85]

Explored the notion that it might just be grouchy that it's trying to bind to all interfaces, so I narrowed it down - still the same issue:

# cat dnsdist.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: dnsdist
spec:
  containers:
    - image: powerdns/dnsdist-20:latest
      imagePullPolicy: IfNotPresent
      name: dnsdist
      resources: {}
      env:
      - name: podip
        valueFrom:
          fieldRef:
            fieldPath: status.podIP
      command: ["dnsdist"]
      args: ['-l', '$(podip)']
      securityContext:
        capabilities:
          add:
            - NET_BIND_SERVICE
          drop:
            - ALL
  restartPolicy: Always
status: {}

[Ziris85]

OK, I was originally avoiding the sysctl approach because I thinking "oh no sysctl mods hacky/bad for security" when I realized that the "NET_BIND_SERVICE" is basically doing the same thing. So a minor tweak here and this works:

apiVersion: v1
kind: Pod
metadata:
  name: dnsdist
spec:
  securityContext:
    sysctls:
      - name: net.ipv4.ip_unprivileged_port_start
        value: "0"
  containers:
    - image: powerdns/dnsdist-20:latest
      imagePullPolicy: IfNotPresent
      name: dnsdist
      resources: {}
  restartPolicy: Always
status: {}

I'll leave this discussion open since I'm still kind of curious why the NET_BIND_SERVICE approach wasn't working, if anyone has any ideas (and if for no other reason than academic curiosity), but I'm otherwise all set here 👍

[AxelBomp]

Hi,

With docker you'll need to add the parameter net.ipv4.ip_unprivileged_port_start directly to your sysctl.conf on the machine running your container to allow the use of ports below 1024 by a user other than root.

For example:

root@machine:~# cat /etc/sysctl.conf
net.ipv4.ip_unprivileged_port_start=53 (unprivileged ports start at 53)

Then

root@machine:~# sysctl -p

I tried all the other methods, and this is the only one that worked for me, or alternatively by explicitly specifying the root user to run your container (I would not recommend that at all).