How to bind to port 53 when using 'named -u bind' with FreeBSD
- Updated on 10 Oct 2018
- 1 minute to read
Normally, binding to a reserved port on FreeBSD requires the process to be running as root. For most uses this is not a problem, as named binds to port 53 before changing user id; however, if you are running in an environment where interface addresses change, this can be an issue. FreeBSD has a kernel module, mac-portacl, that allows a non-privileged user to bind to specified ports.
Assuming that the user bind has user id 53, adding the following configuration elements and rebooting will allow named, running as bind, to bind to the reserved port 53.
/boot/loader.conf:
mac_portacl_load="YES"

/etc/sysctl.conf:
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
security.mac.portacl.port_high=1023
security.mac.portacl.suser_exempt=1
security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53
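Once net.inet.ip.portrange.reservedhigh is 0, the kernel's own reserved-port check no longer applies and the mac_portacl rules (bounded by security.mac.portacl.port_high) are what restricts binds to low ports, so a partially applied edit either leaves named unable to bind or leaves the privileged range wider open than intended. The following script, added here as an example and not part of the original article, parses a sysctl.conf-style file offline and reports which of the settings above are missing or wrong for a given uid; it assumes the bind user has uid 53 as the article does, and the sample files it writes are constructed to show one correct configuration and one that forgot to lower reservedhigh and omitted the UDP rule.

```shell
#!/bin/sh
# Added example: offline checker for the mac_portacl sysctl settings that let a
# non-root uid bind port 53. Not FreeBSD-specific to run; it only reads files.

# conf_get FILE KEY: print the value of KEY from a key=value file, ignoring
# comments and blank lines; prints nothing if KEY is absent.
conf_get() {
    key=$(printf '%s\n' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n -e 's/[[:space:]]*#.*$//' -e "s/^[[:space:]]*${key}=//p" "$1" | tail -n 1
}

# rule_grants RULES UID PROTO PORT: return 0 if the comma-separated rule list
# (idtype:id:protocol:port entries) contains a uid rule for PROTO:PORT.
rule_grants() {
    rules=$1; want_uid=$2; want_proto=$3; want_port=$4
    old_ifs=$IFS; IFS=','
    for rule in $rules; do
        IFS=':'
        set -- $rule            # $1=idtype $2=id $3=protocol $4=port
        IFS=$old_ifs
        if [ "$1" = "uid" ] && [ "$2" = "$want_uid" ] &&
           [ "$3" = "$want_proto" ] && [ "$4" = "$want_port" ]; then
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_portacl_conf FILE UID: return 0 if FILE holds every setting needed for
# UID to bind TCP and UDP port 53 under mac_portacl; otherwise print each
# problem and return 1.
check_portacl_conf() {
    f=$1; u=$2; ok=0
    [ "$(conf_get "$f" net.inet.ip.portrange.reservedlow)" = "0" ] ||
        { echo "net.inet.ip.portrange.reservedlow must be 0"; ok=1; }
    [ "$(conf_get "$f" net.inet.ip.portrange.reservedhigh)" = "0" ] ||
        { echo "net.inet.ip.portrange.reservedhigh must be 0"; ok=1; }
    high=$(conf_get "$f" security.mac.portacl.port_high)
    [ -n "$high" ] && [ "$high" -ge 1023 ] 2>/dev/null ||
        { echo "security.mac.portacl.port_high must cover ports 1-1023"; ok=1; }
    [ "$(conf_get "$f" security.mac.portacl.suser_exempt)" = "1" ] ||
        { echo "security.mac.portacl.suser_exempt should be 1 so root keeps its binds"; ok=1; }
    rules=$(conf_get "$f" security.mac.portacl.rules)
    for proto in tcp udp; do
        rule_grants "$rules" "$u" "$proto" 53 ||
            { echo "no security.mac.portacl.rules entry for uid $u $proto 53"; ok=1; }
    done
    return $ok
}

# Constructed sample inputs: the article's configuration, and a variant with
# reservedhigh left at 1023 and the UDP rule missing.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat >"$GOOD_CONF" <<'EOF'
# constructed copy of /etc/sysctl.conf as the article prescribes
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
security.mac.portacl.port_high=1023
security.mac.portacl.suser_exempt=1
security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53
EOF
cat >"$BAD_CONF" <<'EOF'
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=1023
security.mac.portacl.port_high=1023
security.mac.portacl.suser_exempt=1
security.mac.portacl.rules=uid:53:tcp:53
EOF

main() {
    check_portacl_conf "$GOOD_CONF" 53 && echo "good conf: ok"
    check_portacl_conf "$BAD_CONF" 53 || echo "bad conf: rejected"
}
main
```

On a real host, point check_portacl_conf at /etc/sysctl.conf and the uid from `id -u bind`; it only validates the file, so confirming that the module is actually loaded (kldstat) and that the running sysctl values match is still a separate step.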
More information about mac-portacl can be found here: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac-policies.html