❗Ubuntu port 53 and systemd‐resolved

Romano edited this page Dec 29, 2023 · 1 revision

❗ SPECIAL INSTRUCTIONS FOR UBUNTU USERS ❗

All Ubuntu releases starting with 16.10 (first released in October 2016) ship with systemd-resolved, which prevents the seeder's built-in DNS server from working correctly. Both applications need to bind port 53, and systemd-resolved claims it first by default. There are a few ways to resolve this issue:

1 ⚠️ Disable binding of systemd-resolved to port 53 by editing the /etc/systemd/resolved.conf file and adding this line to the bottom of the file:

DNSStubListener=no

Save and reboot, and now systemd-resolved will no longer interfere with the seeder's DNS server.

NOTE: This method is only supported by systemd 232 and newer. You can check your version of systemd with the command: systemctl --version

2 ⚠️ Completely disable the systemd-resolved service with the following commands (not recommended, as it may cause undesired side-effects if you use the same server for anything other than running the seeder app):

sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
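The checks the two options above rely on (is systemd new enough for DNSStubListener, has the stub listener actually been disabled, and which process still holds UDP port 53) can be scripted. This is an added pre-flight example, not part of the dnsseed project; the function names are mine, while systemctl, ss and /etc/systemd/resolved.conf are the real tools and path. Each check takes command output as text, so it runs against constructed samples as well as a live system.

```shell
# Pre-flight checks before starting dnsseed on Ubuntu (added example).

# Print the systemd version number from `systemctl --version` output.
# First line looks like: "systemd 249 (249.11-0ubuntu3)"
systemd_version() {
    printf '%s\n' "$1" | awk 'NR==1 && $1=="systemd" {print $2; exit}'
}

# Succeed if DNSStubListener= is supported (systemd 232 or newer).
stub_listener_supported() {
    v=$(systemd_version "$1")
    [ -n "$v" ] && [ "$v" -ge 232 ]
}

# Succeed if resolved.conf text disables the stub listener.
# Comments are skipped; the last assignment wins, as in systemd.
stub_listener_disabled() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*#/ { next }
        { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
        $1 == "DNSStubListener" { last = tolower($2) }
        END { exit (last == "no") ? 0 : 1 }'
}

# Succeed (and print the matching rows) if `ss -lnup` output shows a UDP
# socket bound to port 53. Column 4 is Local Address:Port.
port53_in_use() {
    printf '%s\n' "$1" | awk '$1 == "UNCONN" && $4 ~ /:53$/ { found = 1; print }
                             END { exit found ? 0 : 1 }'
}

# Run all three checks against the live system and report.
preflight() {
    if stub_listener_supported "$(systemctl --version 2>/dev/null)"; then
        echo "systemd supports DNSStubListener=no (option 1 is available)"
    else
        echo "systemd older than 232 or not found: use option 2 instead"
    fi
    if stub_listener_disabled "$(cat /etc/systemd/resolved.conf 2>/dev/null)"; then
        echo "resolved.conf: stub listener disabled"
    else
        echo "resolved.conf: stub listener still enabled"
    fi
    if port53_in_use "$(ss -lnup 2>/dev/null)"; then
        echo "UDP port 53 is taken by the process above; dnsseed cannot bind it"
    else
        echo "UDP port 53 is free"
    fi
}
```

Call `preflight` after rebooting to confirm the change took effect before starting the seeder.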

You can now run the seeder app on the vps.example.com system using the following terminal command (it must be run with root permissions, or the DNS server will not be able to listen for and respond to requests properly):

sudo ./dnsseed -h dnsseed.example.com -n vps.example.com

If you want the DNS server to report SOA records, you must provide an email address using the -m argument:

./dnsseed -h dnsseed.example.com -n vps.example.com -m email@example.com

Non-Root Workarounds

Because non-root users cannot bind ports below 1024, an extra step is required to run the DNS server (which must always use port 53) without root privileges. There are two known options for running the seeder app under a non-root user account:

1. The first non-root method is to use the setcap command to change the capabilities of the dnsseed binary file so that the app is specifically allowed to bind to a port below 1024 (this one-time command requires root privileges):

sudo setcap 'cap_net_bind_service=+ep' /path/to/dnsseed

Once the setcap command is complete, you can start the seeder app as normal, without the need for sudo:

./dnsseed -h dnsseed.example.com -n vps.example.com -m email@example.com

2. The second non-root method is to add a redirect entry for port 53 in the iptables firewall before running the seeder app as a non-root user (this one-time command requires root privileges):

sudo iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 15353

After adding the new iptables rule, the seeder app can be started without sudo, but you must always specify the redirected port using the -p argument:

./dnsseed -h dnsseed.example.com -n vps.example.com -m email@example.com -p 15353