Date:      Fri, 30 Sep 2016 08:48:21 -0600
From:      markham breitbach <markham@ssimicro.com>
To:        Tim Daneliuk <tundra@tundraware.com>, Matthew Seaman <matthew@FreeBSD.org>, freebsd-questions@freebsd.org
Subject:   Re: [Mildly OT] Userland Control Of getbostbyname()
Message-ID:  <2500486a-6434-4b41-5cb4-bb729904399c@ssimicro.com>
In-Reply-To: <089e1154-317f-6462-095b-35403ba944b0@tundraware.com>
References:  <a0681443-0282-48ac-5884-6d1f3868787a@tundraware.com> <12a5cae8-8aa1-68a1-5130-a6813c07c972@freebsd.org> <089e1154-317f-6462-095b-35403ba944b0@tundraware.com>

You could use jails to do this.  It's a lot of work, but possible.  I
did a project where we essentially used jails to create app containers.
I think we had them down around 40-50MB depending on the application.
Whatever applications are in that jail have access to their own
nameservices, etc. and you can tune the permissions within the jail to
allow that application's manager to modify resolv.conf, etc.

We also had a case where we used nullfs mounts to link to a common
"basejail" (ezjail does this now too).  This is useful in a case where
you have many similar jails, as they can all be quickly updated and you
only need to have one copy of the common files.  Also adds a layer of
security as the base system is all read-only.

-Markham


On 2016-09-30 8:20 AM, Tim Daneliuk wrote:
> On 09/30/2016 09:15 AM, Matthew Seaman wrote:
>> On 09/30/16 14:47, Tim Daneliuk wrote:
>>> Is it possible to control *which* DNS server (and port) a userland program
>>> queries for DNS resolution when doing gethostbyname() and gethostbyip()
>>> calls?  dig and nslookup seem capable of defining the DNS server to query,
>>> but I don't know if they're doing the call directly or via the gethostby...
>>> calls.
>>>
>>> In a perfect world, I'd get a solution to this that was language agnostic -
>>> a way to tell my userland programs - in C, Java, Python, perl, go ...
>>> always use this server:port when doing name resolution.
>> Server, yes but not port, and only globally -- by editing /etc/resolv.conf
>>
>> However, if you're running with the standard local_unbound enabled, then
>> you can specify a forward-addr including a port in
>> /var/unbound/forward.conf like so:
>>
>>    forward-addr: 192.0.2.1@1053
>>
>> Note: this is an all or nothing solution, although it does fulfil your
>> criterion of being language agnostic.  Every application will get
>> directed to your alternative DNS server+port, not just some chosen one.
>>
>> You can override the resolvers per application if you're willing to code
>> that per application.  Of course the API used is language specific, and
>> you can't use gethostbyname(3) and that ilk, (which can do lookups from
>> many sources other than the DNS) but only by doing DNS lookups directly
>> from your code.
>>
>> 	Cheers,
>>
>> 	Matthew
>>
>>
>>
> Thanks Matthew, that's kind of what I figured.  The fundamental requirement
> for my use case is that all the config changes be do-able without root
> or sudo access.  It sounds like this is not possible short of - as you
> point out - writing custom query code.  This breaks the other half of
> my use case - existing code should just run and use the newly selected
> resolver.  Sigh ...
>
> I suspect more people are going to run into this as the industry moves more
> and more to containerized microservices.  There are any number of scenarios
> where you want to be able to spin up custom compute topologies on-demand
> without having to go through the administrative overhead of getting a DNS
> admin to make your changes every time.
>
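
[Editor's added example; this is not code from the thread, from any of
its participants, or from FreeBSD.]  The one per-application route that
needs no root is the one Matthew names last: skip gethostbyname(3) and
the system resolver entirely and put the DNS query on the wire yourself,
addressed to whatever server:port the application wants.  The script
below does that for A records using only the Python standard library.
It reuses the 192.0.2.1 port 1053 address from the forward-addr line in
the thread; the host name and the wire bytes in the accompanying checks
are constructed for illustration.  It also shows the two checks a
hand-rolled resolver must not skip: the transaction ID is random and the
reply's ID and question section are compared against the query before
any answer is trusted.

```python
# Added example, not code from the original thread or from FreeBSD: a
# minimal A-record resolver that sends its query straight to a chosen
# server:port, i.e. the "DNS lookups directly from your code" route
# described in the thread, bypassing gethostbyname(3) and /etc/resolv.conf.
# Standard library only.  192.0.2.1:1053 is the forward-addr from the
# thread; host names and wire bytes used with this code are constructed.
import os
import socket
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def encode_name(name):
    # 'www.example.com' -> b'\x03www\x07example\x03com\x00'
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    """Standard recursive (RD=1) A/IN query for `name` with id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)


def read_name(msg, offset):
    """Decode a possibly compressed name (RFC 1035 s4.1.4) at `offset`.
    Returns (name, offset just past the name in the enclosing record)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:  # a hostile server could send a pointer loop
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg, expected_txid, expected_name):
    """Return the IPv4 strings in the answer section.  Replies whose id or
    question do not match the query we sent are rejected, so a blindly
    spoofed datagram is not accepted as an answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0x000F))
    if qd != 1:
        raise ValueError("unexpected question count")
    qname, offset = read_name(msg, 12)
    if qname.lower() != expected_name.rstrip(".").lower():
        raise ValueError("question does not match query")
    offset += 4  # skip qtype and qclass
    addrs = []
    for _ in range(an):
        _owner, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == DNS_TYPE_A and rclass == DNS_CLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def resolve_a(name, server, port=53, timeout=3.0):
    """Ask `server`:`port` over UDP for the A records of `name`."""
    txid = struct.unpack("!H", os.urandom(2))[0]  # random id, never a counter
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, port))  # only accept datagrams from that peer
        s.send(query)
        reply = s.recv(4096)
    return parse_response(reply, txid, name)


if __name__ == "__main__":
    # same server and port as the forward-addr line in the thread
    print(resolve_a("www.example.com", "192.0.2.1", 1053))
```

Two caveats a practitioner would want stated.  First, this only helps
code you control: an existing binary that calls gethostbyname() still
goes through /etc/resolv.conf (or local_unbound), which is exactly the
half of the use case the thread says cannot be met without root.
Second, plain UDP DNS is unauthenticated; the random ID, the connected
socket and the question check above only make blind spoofing harder,
they do not verify who answered, so the chosen server has to be one the
application already trusts.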
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2500486a-6434-4b41-5cb4-bb729904399c>