Gentoo Forums
BIND server failure
Forum: Networking & Security

LC76 (n00b; Joined: 18 Feb 2021; Posts: 5)
Posted: Thu Feb 18, 2021 10:35 am    Post subject: BIND server failure

Hi all, I've got a curious one here. I've been running BIND 9 on a server for years and now all of a sudden, whenever it's asked to answer a query for my locally-hosted web sites, it comes back with a server failure. All the local machines on the network have no trouble querying it for DNS transactions for sites in the outside world, it's just failing on queries to my own domains. I haven't changed the configuration at all, it's chrooted,

Code:
/etc/bind on /chroot/dns/etc/bind type none (rw,bind)
/var/bind on /chroot/dns/var/bind type none (rw,bind)
/var/log/named on /chroot/dns/var/log/named type none (rw,bind)


there are no log files or messages generated for named anywhere, named-checkconf and named-checkzone report no errors, and if I run the host command, it looks like it can't find any of the zone files:
Code:
 host fred.net
Host fred.net not found: 2(SERVFAIL)


Yet all the symlinks follow through when you step through them manually.

Can anyone shed some light on what's going on?
pa4wdh (l33t; Joined: 16 Dec 2005; Posts: 806)
Posted: Thu Feb 18, 2021 4:20 pm

Would you mind to share your bind config with us?
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
LC76 (n00b; Joined: 18 Feb 2021; Posts: 5)
Posted: Fri Feb 19, 2021 10:36 pm

pa4wdh wrote:
Would you mind to share your bind config with us?


Sure.

Code:
/*
 * Refer to the named.conf(5) and named(8) man pages, and the documentation
 * in /usr/share/doc/bind-9 for more details.
 * Online versions of the documentation can be found here:
 * http://www.isc.org/software/bind/documentation
 *
 * If you are going to set up an authoritative server, make sure you
 * understand the hairy details of how DNS works. Even with simple mistakes,
 * you can break connectivity for affected parties, or cause huge amounts of
 * useless Internet traffic.
 */

acl "xfer" {
   /* Deny transfers by default except for the listed hosts.
    * If we have other name servers, place them here.
    */
   none;
};

/*
 * You might put in here some ips which are allowed to use the cache or
 * recursive queries
 */
acl "trusted" {
   127.0.0.0/8;
   192.168.1.0/24;
   192.168.2.0/24;
   192.168.3.0/24;
   192.168.4.0/24;
   ::1/128;
};

options {
   directory "/var/bind";
   pid-file "/var/run/named/named.pid";

   /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
   //bindkeys-file "/etc/bind/bind.keys";

   listen-on-v6 { ::1; };
   listen-on { 127.0.0.1; 192.168.1.2; };

   allow-query {
      /*
       * Accept queries from our "trusted" ACL.  We will
       * allow anyone to query our master zones below.
       * This prevents us from becoming a free DNS server
       * to the masses.
       */
      trusted;
   };

   allow-query-cache {
      /* Use the cache for the "trusted" ACL. */
      trusted;
   };

   allow-recursion {
      /* Only trusted addresses are allowed to use recursion. */
      trusted;
   };

   allow-transfer {
      /* Zone tranfers are denied by default. */
      none;
   };

   allow-update {
      /* Don't allow updates, e.g. via nsupdate. */
      none;
   };

   /*
   * If you've got a DNS server around at your upstream provider, enter its
   * IP address here, and enable the line below. This will make you benefit
   * from its cache, thus reduce overall DNS traffic in the Internet.
   *
   * Uncomment the following lines to turn on DNS forwarding, and change
   *  and/or update the forwarding ip address(es):
   */
/*
//   forward first;
//   forwarders {
   //   123.123.123.123;   // Your ISP NS
   //   124.124.124.124;   // Your ISP NS
   //   4.2.2.1;      // Level3 Public DNS
   //   4.2.2.2;      // Level3 Public DNS
//      8.8.8.8;      // Google Open DNS
//      8.8.4.4;      // Google Open DNS
//   };

*/

   //dnssec-enable yes;
   //dnssec-validation yes;

   /*
    * As of bind 9.8.0:
    * "If the root key provided has expired,
    * named will log the expiration and validation will not work."
    */
   //dnssec-validation auto;

   /* if you have problems and are behind a firewall: */
   //query-source address * port 53;
};

/*
logging {
   channel default_log {
      file "/var/log/named/named.log" versions 5 size 50M;
      print-time yes;
      print-severity yes;
      print-category yes;
   };

   category default { default_log; };
   category general { default_log; };
};
*/

include "/etc/bind/rndc.key";
controls {
   inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};





view "internal" {
   match-clients { 127.0.0.1; 192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24; 192.168.4.0/24; };
   recursion yes;

      zone "." IN {
         type hint;
         file "named.root";
      };

      zone "localhost" IN {
         type master;
         file "pri/localhost.zone";
         allow-update { none; };
         notify no;
      };

      zone "127.in-addr.arpa" IN {
         type master;
         file "pri/127.zone";
         allow-update { none; };
         notify no;
      };


      zone "fred.net" {

         type master;
         notify no;

         file "pri/external/fred.net.zone";
      };
}
     


view "external" {
   allow-query { any; };
   allow-recursion { localhost; };
//   match-clients { any; };
//   recursion no;

      zone "." IN {
         type hint;
         file "named.root";
      };

      zone "localhost" IN {
         type master;
         file "pri/localhost.zone";
         allow-update { none; };
         notify no;
      };

      zone "127.in-addr.arpa" IN {
         type master;
         file "pri/127.zone";
         allow-update { none; };
         notify no;
      };


      zone "fred.net" {

      type master;
         notify yes;

         // allow transfers to slave DNS
         allow-transfer { 208.79.240.3; 208.79.241.3; };

         file "pri/external/fred.net.zone";
      };

};
pa4wdh (l33t; Joined: 16 Dec 2005; Posts: 806)
Posted: Sat Feb 20, 2021 7:12 am

That looks good.
I'm trying to figure out why you don't get any logs; BIND logs are usually quite informative. Is syslog running? You've commented out your logging configuration, which means it falls back to its default, which is syslog.
My guess would be that there's some reason why BIND isn't loading your fred.net zone file. Would you mind sharing its contents?
LC76 (n00b; Joined: 18 Feb 2021; Posts: 5)
Posted: Sat Feb 20, 2021 7:27 am

Sure. This is a typical zone file. As I said, all of this has been working flawlessly for years, and then it just... ceased to proceed, as they say. No updates have ever been done on this particular server.

Code:
; Zone file for mydomain.net
;
$ttl 38400
mydomain.net.   IN   SOA   ns1.mydomain.net. webmaster.mydomain.net. (
         2019060902
         8H
         2H
         4W
         1D )
; Internet Addresses
mydomain.net.            IN    A        123.100.025.240
www.mydomain.net.          IN    CNAME    mydomain.net.
groupware.mydomain.net.       IN    CNAME    mydomain.net.

; Machine Addresses
ns1.mydomain.net.         IN    A        123.100.025.240
                            IN    HINFO      Compaq_DL380 Gentoo
ns1.rollernet.us.         IN    A         208.79.240.3
ns2.rollernet.us.         IN    A         208.79.241.3
mailbot.mydomain.net.       IN    A           123.100.025.240
                            IN    HINFO      Compaq_DL380 Gentoo
mail2.rollernet.us.         IN    A         208.79.241.2   

; Name Servers
mydomain.net.              IN    NS       ns1.mydomain.net.
                     IN    NS      ns1.rollernet.us.            
                     IN    NS      ns2.rollernet.us.            

; Mail Servers               
mydomain.net.              IN    MX    10   mailbot.mydomain.net.
                     IN    MX    20   mail2.rollernet.us.

; SPF Record for domain
mydomain.net.            IN    TXT    "v=spf1 mx ~all"

; SPF Record for mail host
mailbot.mydomain.net.       IN    TXT     "v=spf1 a ~all"

; Reverse DNS entry
240.025.100.123.in-addr.arpa.      IN    PTR   mailbot.mydomain.net.
pa4wdh (l33t; Joined: 16 Dec 2005; Posts: 806)
Posted: Sat Feb 20, 2021 1:46 pm

While the syntax is correct, this doesn't seem like a valid zone file for fred.net: It doesn't contain any record for the fred.net domain. Are you sure you sent the correct file?

Given this file, I understand why it doesn't work; I'm actually surprised it has worked. There are records for mydomain.net and rollernet.us and even a reverse record, none of which match the fred.net domain. What would you expect to be resolvable within the fred.net domain?
LC76 (n00b; Joined: 18 Feb 2021; Posts: 5)
Posted: Sat Feb 20, 2021 10:05 pm

Well, for "mydomain", replace that with "fred". I've just replaced the names to remove anything confidential.
pa4wdh (l33t; Joined: 16 Dec 2005; Posts: 806)
Posted: Sun Feb 21, 2021 11:22 am

I've installed BIND (version 9.16.8 was available from portage), and tried to load your files, replacing "mydomain" with "fred".

I had to make some changes to make it work:
Your bind configuration is missing a ; after the closing bracket for the internal view. Maybe it's a copy/paste error when you copied it to the forums, because bind didn't start at all.

In your zone data, the IP addresses are written as 123.100.025.240 and bind didn't like the 0 in 025. It logged:
21-Feb-2021 11:02:46.469 dns_rdata_fromtext: /etc/bind/fred.net:11: near '123.100.025.240': bad dotted quad
When I changed the IP address to 123.100.25.240 bind did load the zone file and the "fred.net" domain started working.

It still didn't like the out-of-zone data:
21-Feb-2021 12:15:30.490 /etc/bind/fred.net:18: ignoring out-of-zone data (ns1.rollernet.us)
21-Feb-2021 12:15:30.490 /etc/bind/fred.net:19: ignoring out-of-zone data (ns2.rollernet.us)
21-Feb-2021 12:15:30.490 /etc/bind/fred.net:22: ignoring out-of-zone data (mail2.rollernet.us)
21-Feb-2021 12:15:30.490 /etc/bind/fred.net:40: ignoring out-of-zone data (240.025.100.123.in-addr.arpa)
If these records are valuable to you, I suggest moving them to their appropriate zones.
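The two findings in the post above (an A record with a leading-zero octet that makes named refuse the zone, and records whose owner names sit outside the zone origin) can be caught before a reload. The following Python lint is an added example, not code from this thread or from BIND; it reproduces just those two checks over a constructed copy of the posted zone file with "mydomain" replaced by "fred", as the poster said to read it. The parser, the check names and the message wording are this example's own assumptions, modelled on the log lines quoted above, and the script is a complement to named-checkzone rather than a replacement for it.

```python
import re

# Constructed sample: the shape of the zone file posted above with "mydomain"
# replaced by "fred", keeping the "025" octet so the lint has something to flag.
SAMPLE_ZONE = """\
; Zone file for fred.net
$ttl 38400
fred.net.   IN   SOA   ns1.fred.net. webmaster.fred.net. (
         2019060902
         8H
         2H
         4W
         1D )
fred.net.            IN    A        123.100.025.240
www.fred.net.        IN    CNAME    fred.net.
ns1.fred.net.        IN    A        123.100.025.240
                     IN    HINFO    Compaq_DL380 Gentoo
ns1.rollernet.us.    IN    A        208.79.240.3
ns2.rollernet.us.    IN    A        208.79.241.3
fred.net.            IN    NS       ns1.fred.net.
                     IN    NS       ns1.rollernet.us.
240.025.100.123.in-addr.arpa.  IN  PTR  mailbot.fred.net.
"""

DOTTED_QUAD = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$')


def strip_comment(line):
    """Drop a ';' comment, but not a ';' inside double quotes (TXT rdata)."""
    out, in_quotes = [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ';' and not in_quotes:
            break
        out.append(ch)
    return ''.join(out)


def parse_zone(text, origin):
    """Yield (lineno, owner, rtype, rdata) for each record in master-file text.

    Handles the RFC 1035 conventions the posted file relies on: a line that
    starts with whitespace inherits the previous owner, '@' means the origin,
    relative names get the origin appended, and a parenthesised SOA spans lines.
    """
    origin = origin.rstrip('.') + '.'
    owner = origin
    in_parens = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = strip_comment(raw)
        if in_parens:                       # inside a "( ... )" continuation
            in_parens = ')' not in line
            continue
        if not line.strip() or line.lstrip().startswith('$'):
            continue                        # blank, comment-only or $directive
        tokens = line.split()
        if not raw[0].isspace():            # explicit owner name on this line
            owner = tokens.pop(0)
            if owner == '@':
                owner = origin
            elif not owner.endswith('.'):
                owner = owner + '.' + origin
        # optional [TTL] and [class] in either order, then the record type
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ('IN', 'CH', 'HS')):
            tokens.pop(0)
        if not tokens:
            continue
        rtype = tokens.pop(0).upper()
        in_parens = '(' in line and ')' not in line
        yield lineno, owner, rtype, tokens


def check_dotted_quad(text):
    """Return None if the address is acceptable, else the reason it is not.

    Leading zeros ('025') are rejected, matching the 'bad dotted quad' error
    quoted in the thread; so are octets above 255 and malformed shapes.
    """
    m = DOTTED_QUAD.match(text)
    if not m:
        return 'not four dot-separated decimal octets'
    for octet in m.groups():
        if len(octet) > 1 and octet.startswith('0'):
            return "leading zero in octet '%s'" % octet
        if int(octet) > 255:
            return "octet '%s' exceeds 255" % octet
    return None


def lint_zone(text, origin):
    """Return [(lineno, message)] for A records named would refuse to load
    and for records whose owner lies outside the zone origin (silently dropped)."""
    origin = origin.rstrip('.') + '.'
    findings = []
    for lineno, owner, rtype, rdata in parse_zone(text, origin):
        if owner != origin and not owner.endswith('.' + origin):
            findings.append((lineno, 'ignoring out-of-zone data (%s)' % owner.rstrip('.')))
        if rtype == 'A':
            addr = rdata[0] if rdata else ''
            reason = check_dotted_quad(addr)
            if reason:
                findings.append((lineno, "near '%s': bad dotted quad (%s)" % (addr, reason)))
    return findings


if __name__ == '__main__':
    for lineno, msg in lint_zone(SAMPLE_ZONE, 'fred.net'):
        print('fred.net:%d: %s' % (lineno, msg))
```

Run against the sample it reports the two A records on lines 9 and 11 and the three out-of-zone owners (the rollernet.us hosts and the in-addr.arpa PTR); fixing the octet leaves only the out-of-zone findings, which is the state the post above describes after its edit.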
LC76 (n00b; Joined: 18 Feb 2021; Posts: 5)
Posted: Tue Mar 16, 2021 12:40 pm

pa4wdh wrote:
I've installed BIND (version 9.16.8 was available from portage), and tried to load your files, replacing "mydomain" with "fred".

I need to mention that the domain names and addresses are fictional in order to protect the innocent. However it remains that everything was working for years, and then suddenly stopped, without any upgrades or modifications, and that's what stumped me.
pa4wdh (l33t; Joined: 16 Dec 2005; Posts: 806)
Posted: Tue Mar 16, 2021 7:34 pm

I do know that from version to version BIND can become more picky on the files you're feeding it. It's usually a good thing, since it ensures the files are syntactically correct which gives a more reliable result.

A wild guess at what might have happened:
1) A bind version that accepted your files was running
2) With an update, the BIND program on disk changed to a version that doesn't accept the files, and it was not restarted (so the running version was still working and you didn't notice the change)
3) For some reason, much later in time, the BIND process was restarted, now starting the one that didn't accept your files
Does that seem plausible?

To be honest, I'm more worried about the fact that you didn't get log info. As you can see from my post, it gave good hints to point out what was wrong; if you had the logs I'm sure you could have found and fixed the problems too.
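Step 2 of the guess above (a package upgrade replaced the named binary on disk while the old process kept running) leaves a trace that can be checked at any time: on Linux, /proc/<pid>/exe for a process whose executable has since been unlinked or overwritten by rename reads with a " (deleted)" suffix. The following Python check is an added example, not code from this thread or from BIND or Gentoo; the process name "named", the install path /usr/sbin/named and the status labels are this example's own assumptions.

```python
import os


def exe_link_status(exe_link, on_disk_path):
    """Classify what a /proc/<pid>/exe link says about a running daemon.

    Linux appends ' (deleted)' to the link target when the file the process
    was executed from has since been unlinked or replaced, which is what a
    package upgrade does when it installs a new binary without a restart.
    """
    if exe_link.endswith(' (deleted)'):
        return 'replaced'        # still running the old image; needs a restart
    if exe_link != on_disk_path:
        return 'other-path'      # started from somewhere other than expected
    return 'current'


def find_stale_daemons(name='named', proc='/proc', expected_path='/usr/sbin/named'):
    """Return [(pid, exe_link, status)] for every process whose comm is `name`
    and whose executable is not the one expected on disk.

    Returns [] when /proc is unavailable (non-Linux, container without procfs)
    or when no such process is found. Assumed path: /usr/sbin/named.
    """
    found = []
    if not os.path.isdir(proc):
        return found
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, 'comm')) as fh:
                if fh.read().strip() != name:
                    continue
            exe_link = os.readlink(os.path.join(proc, pid, 'exe'))
        except OSError:
            continue                 # process exited, or not ours to inspect
        status = exe_link_status(exe_link, expected_path)
        if status != 'current':
            found.append((int(pid), exe_link, status))
    return found


if __name__ == '__main__':
    stale = find_stale_daemons()
    if not stale:
        print('no named process is running a replaced or unexpected binary')
    for pid, link, status in stale:
        print('pid %d: %s -> %s (restart the service)' % (pid, link, status))
```

Running this (as root, since /proc/<pid>/exe of another user's process is not readable) right after an emerge of net-dns/bind would show whether the daemon in memory still corresponds to the files on disk, which is the situation the guess above describes going unnoticed until the next restart.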