LC76 n00b
Joined: 18 Feb 2021 Posts: 5
Posted: Thu Feb 18, 2021 10:35 am Post subject: BIND server failure
Hi all, I've got a curious one here. I've been running BIND 9 on a server for years and now all of a sudden, whenever it's asked to answer a query for my locally-hosted web sites, it comes back with a server failure. All the local machines on the network have no trouble querying it for DNS transactions for sites in the outside world, it's just failing on queries to my own domains. I haven't changed the configuration at all, it's chrooted,
Code:
/etc/bind on /chroot/dns/etc/bind type none (rw,bind)
/var/bind on /chroot/dns/var/bind type none (rw,bind)
/var/log/named on /chroot/dns/var/log/named type none (rw,bind)
there are no log files or messages generated for named anywhere, named-checkconf and named-checkzone report no errors, and if I run the host command, it looks like it can't find any of the zone files:
Code:
host fred.net
Host fred.net not found: 2(SERVFAIL)
Yet all the symlinks follow through when you step through them manually.
Can anyone shed some light on what's going on?
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 806
Posted: Thu Feb 18, 2021 4:20 pm
Would you mind to share your bind config with us?
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
LC76 n00b
Joined: 18 Feb 2021 Posts: 5
Posted: Fri Feb 19, 2021 10:36 pm
pa4wdh wrote: | Would you mind to share your bind config with us? |
Sure.
Code:
/*
* Refer to the named.conf(5) and named(8) man pages, and the documentation
* in /usr/share/doc/bind-9 for more details.
* Online versions of the documentation can be found here:
* http://www.isc.org/software/bind/documentation
*
* If you are going to set up an authoritative server, make sure you
* understand the hairy details of how DNS works. Even with simple mistakes,
* you can break connectivity for affected parties, or cause huge amounts of
* useless Internet traffic.
*/
acl "xfer" {
/* Deny transfers by default except for the listed hosts.
* If we have other name servers, place them here.
*/
none;
};
/*
* You might put in here some ips which are allowed to use the cache or
* recursive queries
*/
acl "trusted" {
127.0.0.0/8;
192.168.1.0/24;
192.168.2.0/24;
192.168.3.0/24;
192.168.4.0/24;
::1/128;
};
options {
directory "/var/bind";
pid-file "/var/run/named/named.pid";
/* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
//bindkeys-file "/etc/bind/bind.keys";
listen-on-v6 { ::1; };
listen-on { 127.0.0.1; 192.168.1.2; };
allow-query {
/*
* Accept queries from our "trusted" ACL. We will
* allow anyone to query our master zones below.
* This prevents us from becoming a free DNS server
* to the masses.
*/
trusted;
};
allow-query-cache {
/* Use the cache for the "trusted" ACL. */
trusted;
};
allow-recursion {
/* Only trusted addresses are allowed to use recursion. */
trusted;
};
allow-transfer {
/* Zone transfers are denied by default. */
none;
};
allow-update {
/* Don't allow updates, e.g. via nsupdate. */
none;
};
/*
* If you've got a DNS server around at your upstream provider, enter its
* IP address here, and enable the line below. This will make you benefit
* from its cache, thus reduce overall DNS traffic in the Internet.
*
* Uncomment the following lines to turn on DNS forwarding, and change
* and/or update the forwarding ip address(es):
*/
/*
// forward first;
// forwarders {
// 123.123.123.123; // Your ISP NS
// 124.124.124.124; // Your ISP NS
// 4.2.2.1; // Level3 Public DNS
// 4.2.2.2; // Level3 Public DNS
// 8.8.8.8; // Google Open DNS
// 8.8.4.4; // Google Open DNS
// };
*/
//dnssec-enable yes;
//dnssec-validation yes;
/*
* As of bind 9.8.0:
* "If the root key provided has expired,
* named will log the expiration and validation will not work."
*/
//dnssec-validation auto;
/* if you have problems and are behind a firewall: */
//query-source address * port 53;
};
/*
logging {
channel default_log {
file "/var/log/named/named.log" versions 5 size 50M;
print-time yes;
print-severity yes;
print-category yes;
};
category default { default_log; };
category general { default_log; };
};
*/
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};
view "internal" {
match-clients { 127.0.0.1; 192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24; 192.168.4.0/24; };
recursion yes;
zone "." IN {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};
zone "fred.net" {
type master;
notify no;
file "pri/external/fred.net.zone";
};
}
view "external" {
allow-query { any; };
allow-recursion { localhost; };
// match-clients { any; };
// recursion no;
zone "." IN {
type hint;
file "named.root";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};
zone "fred.net" {
type master;
notify yes;
// allow transfers to slave DNS
allow-transfer { 208.79.240.3; 208.79.241.3; };
file "pri/external/fred.net.zone";
};
};
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 806
Posted: Sat Feb 20, 2021 7:12 am
That looks good.
I'm trying to figure out why you don't get any logs, BIND logs are usually quite informative. Is syslog running? You've commented out your logging configuration, which means it falls back to its default, which is syslog.
My guess would be that there's some reason why BIND isn't loading your fred.net zone file, would you mind sharing its contents?
LC76 n00b
Joined: 18 Feb 2021 Posts: 5
Posted: Sat Feb 20, 2021 7:27 am
Sure. This is a typical zone file. As I said, all of this has been working flawlessly for years, and then it just... ceased to proceed, as they say. No updates have ever been done on this particular server.
Code:
; Zone file for mydomain.net
;
$ttl 38400
mydomain.net. IN SOA ns1.mydomain.net. webmaster.mydomain.net. (
2019060902
8H
2H
4W
1D )
; Internet Addresses
mydomain.net. IN A 123.100.025.240
www.mydomain.net. IN CNAME mydomain.net.
groupware.mydomain.net. IN CNAME mydomain.net.
; Machine Addresses
ns1.mydomain.net. IN A 123.100.025.240
IN HINFO Compaq_DL380 Gentoo
ns1.rollernet.us. IN A 208.79.240.3
ns2.rollernet.us. IN A 208.79.241.3
mailbot.mydomain.net. IN A 123.100.025.240
IN HINFO Compaq_DL380 Gentoo
mail2.rollernet.us. IN A 208.79.241.2
; Name Servers
mydomain.net. IN NS ns1.mydomain.net.
IN NS ns1.rollernet.us.
IN NS ns2.rollernet.us.
; Mail Servers
mydomain.net. IN MX 10 mailbot.mydomain.net.
IN MX 20 mail2.rollernet.us.
; SPF Record for domain
mydomain.net. IN TXT "v=spf1 mx ~all"
; SPF Record for mail host
mailbot.mydomain.net. IN TXT "v=spf1 a ~all"
; Reverse DNS entry
240.025.100.123.in-addr.arpa. IN PTR mailbot.mydomain.net.
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 806
Posted: Sat Feb 20, 2021 1:46 pm
While the syntax is correct, this doesn't seem like a valid zone file for fred.net: it doesn't contain any record for the fred.net domain. Are you sure you sent the correct file?
Given this file, I understand why it doesn't work; I'm actually surprised it has worked. There are records for mydomain.net and rollernet.us and even a reverse record, none of which match the fred.net domain. What would you expect to be resolvable within the fred.net domain?
LC76 n00b
Joined: 18 Feb 2021 Posts: 5
Posted: Sat Feb 20, 2021 10:05 pm
Well, for "mydomain", replace that with "fred". I've just replaced the names to remove anything confidential.
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 806
Posted: Sun Feb 21, 2021 11:22 am
I've installed BIND (version 9.16.8 was available from portage), and tried to load your files, replacing "mydomain" with "fred".
I had to make some changes to make it work:
Your bind configuration is missing a ; after the closing bracket for the internal view. Maybe it's a copy/paste error when you copied it to the forums, because bind didn't start at all.
In your zone data, the IP addresses are written as 123.100.025.240 and bind didn't like the 0 in 025. It logged:
Code:
21-Feb-2021 11:02:46.469 dns_rdata_fromtext: /etc/bind/fred.net:11: near '123.100.025.240': bad dotted quad
When I changed the IP address to 123.100.25.240 bind did load the zone file and the "fred.net" domain started working.
It still didn't like the out-of-zone data:
Code:
21-Feb-2021 12:15:30.490 /etc/bind/fred.net:18: ignoring out-of-zone data (ns1.rollernet.us)
21-Feb-2021 12:15:30.490 /etc/bind/fred.net:19: ignoring out-of-zone data (ns2.rollernet.us)
21-Feb-2021 12:15:30.490 /etc/bind/fred.net:22: ignoring out-of-zone data (mail2.rollernet.us)
21-Feb-2021 12:15:30.490 /etc/bind/fred.net:40: ignoring out-of-zone data (240.025.100.123.in-addr.arpa)
If these records are valuable for you I suggest moving them to their appropriate zones.
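The two defects pa4wdh's BIND 9.16.8 found (octets written with a leading zero, which newer BIND rejects as a "bad dotted quad", and records whose owner name lies outside the zone, which BIND ignores as "out-of-zone data") are easy to catch before a restart with a small pre-flight check. The script below is an added example, not code from the thread or from ISC; the zone text it lints is a constructed sample with fictional names modelled on the file posted above, and the message wording deliberately mirrors the log lines quoted in the post.

```python
"""Pre-flight lint for a BIND zone file.

Flags two things a newer BIND will complain about that an older one may have
silently accepted: IPv4 octets with a leading zero (rejected as a "bad dotted
quad") and records whose owner name is outside the zone (ignored as
"out-of-zone data"). Added example; SAMPLE_ZONE is a constructed file."""

import sys

# Constructed sample: fred.net with the same kinds of records the poster's file had.
SAMPLE_ZONE = """\
; Zone file for fred.net (constructed sample)
$ttl 38400
fred.net. IN SOA ns1.fred.net. webmaster.fred.net. (
    2019060902
    8H
    2H
    4W
    1D )
fred.net. IN A 123.100.025.240
www.fred.net. IN CNAME fred.net.
ns1.fred.net. IN A 123.100.025.240
    IN HINFO Compaq_DL380 Gentoo
ns1.rollernet.us. IN A 208.79.240.3
fred.net. IN NS ns1.fred.net.
    IN NS ns1.rollernet.us.
240.025.100.123.in-addr.arpa. IN PTR mailbot.fred.net.
"""

CLASSES = {"IN", "CH", "HS"}


def check_dotted_quad(rdata):
    """Return a reason if rdata is not an IPv4 address BIND 9.16 accepts, else None.
    A leading zero is refused because '025' is ambiguous (octal or decimal)."""
    parts = rdata.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return "not four numeric octets"
    if any(len(p) > 1 and p[0] == "0" for p in parts):
        return "octet with leading zero"
    if any(int(p) > 255 for p in parts):
        return "octet above 255"
    return None


def in_zone(owner, origin):
    """True if an owner name belongs to the zone: '@' and relative names (no trailing
    dot) are always inside it; an absolute name must end in the origin."""
    if owner == "@" or not owner.endswith("."):
        return True
    o = owner.lower()
    return o == origin + "." or o.endswith("." + origin + ".")


def lint_zone(text, origin):
    """Return [(line_no, message)] for every record BIND would reject or ignore."""
    origin = origin.rstrip(".").lower()
    findings = []
    owner = None   # last explicit owner; indented lines inherit it
    depth = 0      # parenthesis nesting, so a multi-line SOA is skipped as one record
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if depth:
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip() or line.startswith("$"):
            continue                            # blank, comment-only, or $TTL/$ORIGIN
        tokens = line.split()
        if not line[0].isspace():
            owner = tokens.pop(0)
        # An optional TTL and class may precede the record type.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        if not tokens:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if owner is not None and not in_zone(owner, origin):
            findings.append((lineno, "ignoring out-of-zone data (%s)" % owner.rstrip(".")))
        if rtype == "A" and rdata:
            reason = check_dotted_quad(rdata[0])
            if reason:
                findings.append((lineno, "near '%s': bad dotted quad (%s)" % (rdata[0], reason)))
        depth += line.count("(") - line.count(")")
    return findings


if __name__ == "__main__":
    # Usage: python zonelint.py <zonefile> <origin>; with no arguments it lints the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            text, origin = fh.read(), sys.argv[2]
    else:
        text, origin = SAMPLE_ZONE, "fred.net"
    for lineno, msg in lint_zone(text, origin):
        print("%s:%d: %s" % (origin, lineno, msg))
```

On the sample this reports the two A records with 025, the rollernet.us glue and the in-addr.arpa PTR, the same four kinds of complaint as the log lines above. It complements rather than replaces named-checkzone: run that with the same BIND version that will actually serve the zone, since, as this thread shows, a file the old binary accepted can be refused by the one started after an upgrade.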
LC76 n00b
Joined: 18 Feb 2021 Posts: 5
Posted: Tue Mar 16, 2021 12:40 pm
pa4wdh wrote: | I've installed BIND (version 9.16.8 was available from portage), and tried to load your files, replacing "mydomain" with "fred". |
I need to mention that the domain names and addresses are fictional in order to protect the innocent. However, it remains that everything was working for years, and then suddenly stopped, without any upgrades or modifications, and that's what stumped me.
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 806
Posted: Tue Mar 16, 2021 7:34 pm
I do know that from version to version BIND can become more picky about the files you're feeding it. It's usually a good thing, since it ensures the files are syntactically correct, which gives a more reliable result.
A wild guess at what might have happened:
1) A bind version that accepted your files was running
2) With an update, the BIND program on disk changed to a version that doesn't accept the files, and it was not restarted (so the running version was still working and you didn't notice the change)
3) For some reason, much later in time, the BIND process was restarted, now starting the one that didn't accept your files
Does that seem plausible?
To be honest, I'm more worried about the fact that you didn't get log info. As you can see from my post it gave good hints to point out what was wrong; if you had the logs I'm sure you could have found and fixed the problems too.