Recent Problem with BIND 9 under Windows XP
Vinny Abello
vinny at tellurian.com
Thu Jun 28 15:53:16 UTC 2007
Grab a utility like filemon to see what named.exe is trying to do when you start the service. That may give you a big hint.
http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx
Vincent Poy wrote:
> On 6/28/07, Danny Mayer <mayer at ntp.isc.org> wrote:
>> Vincent Poy wrote:
>>> Greetings everyone:
>>>
>>> I'm having a problem with starting the ISC BIND service under Windows
>>> XP SP2 with all the latest MS patches. I had been running BIND 9 for
>>> quite some time and every version of BIND 9, including betas, release
>>> candidates and release versions including 9.4.1, has run fine until
>>> recently, though I am not sure exactly when, since I don't usually
>>> check whether BIND started except after each installation and reboot.
>>> The config file has not been modified. BIND is owned by the named
>>> account and is installed in C:\Windows\System32\dns, with that directory
>>> and all directories under it giving the named account full permission
>>> to read/write. My system acts as a secondary DNS with named.conf
>>> located in C:\WINDOWS\SYSTEM32\dns\etc. When the system tries to
>>> start the ISC BIND service, it shows two Error events in the event
>>> manager under System:
>>>
>>> Timeout (30000 milliseconds) waiting for the ISC BIND service to connect.
>>>
>>> followed by:
>>>
>>> The ISC BIND service failed to start due to the following error:
>>> The service did not respond to the start or control request in a
>>> timely fashion.
>>>
>> This indicates that named did not register itself when the service
>> started. It needs to do that within the timeout period. I have only seen
>> this happen when there are commandline arguments that keep it in the
>> foreground yet it's still being run as a service. The only options are
>> -f and -g that would cause it to do that and those shouldn't normally be
>> used when running it as a service. Did you start the service manually
>> via the MSC? What does the following key look like?
>
> In the MSC, it's started as c:\windows\system32\dns\bin\named.exe with
> no options. I tried adding the -f and -g options but the results were
> the same. And like I mentioned previously, the service fails even
> when manually started, since it gives that pop-up window, but the
> service starts fine when it's run as Local System instead of the named
> user. named.exe runs fine as the named user from the command line and
> from the vince user, who is an administrator account.
>
>> KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\named\ImagePath
>
> C:\WINDOWS\system32\dns\bin\named.exe
>
>> What permissions does the named account have to access the named.conf
>> file and the associated files? Make sure that you don't have a pid file
>> in the directory. In fact you don't need a pid file so set the option to
>> none:
>>
>> pid-file none;
>
> The named account has full access to c:\windows\system32\dns except I
> noticed that all directories from c:\windows\system32\dns and under,
> when you click on Properties, show read-only, while the files do not
> have that. Here are the permissions of c:\windows\system32\dns and all
> directories under it, which are etc and bin:
>
> C:\Documents and Settings\vince>cacls c:\windows\system32\dns
> c:\windows\system32\dns SOLAR\named:(OI)(CI)F
> NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
> READ_CONTROL
> SYNCHRONIZE
> FILE_GENERIC_READ
> FILE_GENERIC_WRITE
> FILE_READ_DATA
> FILE_WRITE_DATA
> FILE_APPEND_DATA
> FILE_READ_EA
> FILE_WRITE_EA
> FILE_READ_ATTRIBUTES
> FILE_WRITE_ATTRIBUTES
>
> Everyone:(OI)(CI)F
> NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
> DELETE
> FILE_DELETE_CHILD
>
>
>
> C:\Documents and Settings\vince>cacls c:\windows\system32\dns\bin
> c:\windows\system32\dns\bin SOLAR\named:(OI)(CI)F
> NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
> READ_CONTROL
> SYNCHRONIZE
> FILE_GENERIC_READ
> FILE_GENERIC_WRITE
> FILE_READ_DATA
> FILE_WRITE_DATA
> FILE_APPEND_DATA
> FILE_READ_EA
> FILE_WRITE_EA
> FILE_READ_ATTRIBUTES
> FILE_WRITE_ATTRIBUTES
>
> Everyone:(OI)(CI)F
> NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
> DELETE
> FILE_DELETE_CHILD
>
>
>
> C:\Documents and Settings\vince>cacls c:\windows\system32\dns\etc
> c:\windows\system32\dns\etc SOLAR\named:(OI)(CI)F
> NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
> READ_CONTROL
> SYNCHRONIZE
> FILE_GENERIC_READ
> FILE_GENERIC_WRITE
> FILE_READ_DATA
> FILE_WRITE_DATA
> FILE_APPEND_DATA
> FILE_READ_EA
> FILE_WRITE_EA
> FILE_READ_ATTRIBUTES
> FILE_WRITE_ATTRIBUTES
>
> Everyone:(OI)(CI)F
> NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
> DELETE
> FILE_DELETE_CHILD
>
> As for the pid-file, I always had that option, even when I installed
> BIND back in 2004 on this system, and it never seemed to have caused any
> problems.
>
> Cheers,
> Vince
>
>>> If I try to start the ISC BIND service manually, I will get a pop-up
>>> window after 5-10 seconds that says the following, and the same two
>>> events are in the event manager under System as an Error:
>>>
>>> Could not start ISC BIND service on Local Computer.
>>>
>>> Error 1053: The service did not respond to the start or control
>>> request in a timely fashion
>>>
>>> If I start named with the -g option in the Command Prompt, this is what happens:
>>>
>>> C:\Documents and Settings\vince>c:\windows\system32\dns\bin\named -g
>>> 27-Jun-2007 9:51:32.755 starting BIND 9.4.1 -g
>>> 27-Jun-2007 9:51:32.755 found 2 CPUs, using 2 worker threads
>>> 27-Jun-2007 9:51:32.770 loading configuration from 'C:\WINDOWS\system32\dns\etc\named.conf'
>>> 27-Jun-2007 9:51:32.770 listening on IPv4 interface TCP/IP Interface 1, 192.168.0.120#53
>>> 27-Jun-2007 9:51:32.786 listening on IPv4 interface Loopback Interface 2, 127.0.0.1#53
>>> 27-Jun-2007 9:51:32.786 listening on IPv4 interface TCP/IP Interface 3, 192.168.106.1#53
>>> 27-Jun-2007 9:51:32.786 listening on IPv4 interface TCP/IP Interface 4, 192.168.220.1#53
>>> 27-Jun-2007 9:51:32.801 listening on IPv4 interface TCP/IP Interface 5, 208.201.244.225#53
>>> 27-Jun-2007 9:51:32.801 listening on IPv4 interface TCP/IP Interface 6, 192.168.1.120#53
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 127.IN-ADDR.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 254.169.IN-ADDR.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 2.0.192.IN-ADDR.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: D.F.IP6.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 8.E.F.IP6.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 9.E.F.IP6.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: A.E.F.IP6.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: B.E.F.IP6.ARPA
>>> 27-Jun-2007 9:51:32.833 command channel listening on 127.0.0.1#953
>>> 27-Jun-2007 9:51:32.833 ignoring config file logging statement due to -g option
>>> 27-Jun-2007 9:51:32.848 zone 0.0.127.in-addr.arpa/IN: loaded serial 20041019
>>> 27-Jun-2007 9:51:32.848 zone 0.168.192.in-addr.arpa/IN: loaded serial 2003101801
>>> 27-Jun-2007 9:51:32.848 zone 1.168.192.in-addr.arpa/IN: loaded serial 2004102701
>>> 27-Jun-2007 9:51:32.848 zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT/IN: loaded serial 20041019
>>> 27-Jun-2007 9:51:32.848 zone DNALOGIC.NET/IN: loaded serial 2003101805
>>> 27-Jun-2007 9:51:32.864 zone 0.168.192.in-addr.arpa/IN: sending notifies (serial 2003101801)
>>> 27-Jun-2007 9:51:32.864 running
>>> 27-Jun-2007 9:51:32.864 zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 2004102701)
>>> 27-Jun-2007 9:51:32.864 zone DNALOGIC.NET/IN: sending notifies (serial 2003101805)
>>> 27-Jun-2007 10:13:45.848 zone 1.168.192.in-addr.arpa/IN: refresh: could not set file modification time of 'slave/db.192.168.1': permission denied
>>>
>>> So it appears to run correctly from the command prompt.
>>>
>>> My named.conf consists of the following as I am using the standard
>>> named.conf format from my primary FreeBSD server and just modifying it
>>> for the Windows port.
>>>
>>> // $FreeBSD: src/etc/namedb/named.conf,v 1.20 2004/11/04 05:24:29 gshapiro Exp $
>>> //
>>> // Refer to the named.conf(5) and named(8) man pages, and the documentation
>>> // in /usr/share/doc/bind9 for more details.
>>> //
>>> // If you are going to set up an authoritative server, make sure you
>>> // understand the hairy details of how DNS works. Even with
>>> // simple mistakes, you can break connectivity for affected parties,
>>> // or cause huge amounts of useless Internet traffic.
>>>
>>> options {
>>> directory "c:\windows\system32\dns\etc";
>>> pid-file "c:\windows\system32\dns\etc\named.pid";
>>> dump-file "c:\windows\system32\dns\etc\named_dump.db";
>>> statistics-file "c:\windows\system32\dns\etc\named.stats";
>>>
>>> // If named is being used only as a local resolver, this is a safe default.
>>> // For named to be accessible to the network, comment this option, specify
>>> // the proper IP address, or delete this option.
>>> // listen-on { 127.0.0.1; };
>>>
>>> // If you have IPv6 enabled on this system, uncomment this option for
>>> // use as a local resolver. To give access to the network, specify
>>> // an IPv6 address, or the keyword "any".
>>> // listen-on-v6 { ::1; };
>>>
>>> // In addition to the "forwarders" clause, you can force your name
>>> // server to never initiate queries of its own, but always ask its
>>> // forwarders only, by enabling the following line:
>>> //
>>> // forward only;
>>>
>>> // If you've got a DNS server around at your upstream provider, enter
>>> // its IP address here, and enable the line below. This will make you
>>> // benefit from its cache, thus reduce overall DNS traffic in the Internet.
>>> /*
>>> forwarders {
>>> 127.0.0.1;
>>> };
>>> */
>>> forwarders {
>>> 208.201.224.11;
>>> 208.204.224.33;
>>> };
>>> /*
>>> * If there is a firewall between you and nameservers you want
>>> * to talk to, you might need to uncomment the query-source
>>> * directive below. Previous versions of BIND always asked
>>> * questions using port 53, but BIND versions 8 and later
>>> * use a pseudo-random unprivileged UDP port by default.
>>> */
>>> // query-source address * port 53;
>>> };
>>>
>>> // If you enable a local name server, don't forget to enter 127.0.0.1
>>> // first in your /etc/resolv.conf so this server will be queried.
>>> // Also, make sure to enable it in /etc/rc.conf.
>>>
>>> zone "." {
>>> type hint;
>>> file "named.root";
>>> };
>>> /*
>>> zone "0.0.127.IN-ADDR.ARPA" {
>>> type master;
>>> file "master/localhost.rev";
>>> };
>>>
>>> // RFC 3152
>>> zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"
>>> {
>>> type master;
>>> file "master/localhost-v6.rev";
>>> };
>>>
>>> // RFC 1886 -- deprecated
>>> zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
>>> type master;
>>> file "master/localhost-v6.rev";
>>> };
>>> */
>>> // NB: Do not use the IP addresses below, they are faked, and only
>>> // serve demonstration/documentation purposes!
>>> //
>>> // Example slave zone config entries. It can be convenient to become
>>> // a slave at least for the zone your own domain is in. Ask
>>> // your network administrator for the IP address of the responsible
>>> // primary.
>>> //
>>> // Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
>>> // (This is named after the first bytes of the IP address, in reverse
>>> // order, with ".IN-ADDR.ARPA" appended.)
>>> //
>>> // Before starting to set up a primary zone, make sure you fully
>>> // understand how DNS and BIND works. There are sometimes
>>> // non-obvious pitfalls. Setting up a slave zone is simpler.
>>> //
>>> // NB: Don't blindly enable the examples below. :-) Use actual names
>>> // and addresses instead.
>>>
>>> /*
>>> zone "example.com" {
>>> type slave;
>>> file "slave/example.com";
>>> masters {
>>> 192.168.1.1;
>>> };
>>> };
>>>
>>> // An example dynamic zone
>>> key "exampleorgkey" {
>>> algorithm hmac-md5;
>>> secret "sf87HJqjkqh8ac87a02lla==";
>>> };
>>>
>>> zone "example.org" {
>>> type master;
>>> allow-update {
>>> key "exampleorgkey";
>>> };
>>> file "dynamic/example.org";
>>> };
>>>
>>> zone "0.168.192.in-addr.arpa" {
>>> type slave;
>>> file "slave/0.168.192.in-addr.arpa";
>>> masters {
>>> 192.168.1.1;
>>> };
>>> };
>>> */
>>>
>>> zone "0.0.127.in-addr.arpa" {
>>> type master;
>>> file "master/db.127.0.0";
>>> };
>>>
>>> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
>>> type master;
>>> file "master/db.127.0.0-v6";
>>> };
>>>
>>> zone "0.168.192.in-addr.arpa" {
>>> type slave;
>>> file "slave/db.192.168.0";
>>> masters {
>>> 208.201.244.224;
>>> };
>>> };
>>>
>>> zone "1.168.192.in-addr.arpa" {
>>> type slave;
>>> file "slave/db.192.168.1";
>>> masters {
>>> 208.201.244.224;
>>> };
>>> };
>>>
>>> zone "DNALOGIC.NET" {
>>> type slave;
>>> file "slave/db.DNALOGIC.NET";
>>> masters {
>>> 208.201.244.224;
>>> };
>>> };
>>>
>>> /*
>>> zone "ULTIMATESOUND.NET" {
>>> type slave;
>>> file "slave/db.ULTIMATESOUND.NET";
>>> masters {
>>> 66.193.144.6;
>>> };
>>> };
>>> */
>>>
>>> /*
>>> zone "NOLS.COM" {
>>> type slave;
>>> file "slave/db.NOLS.COM";
>>> masters {
>>> 208.179.75.219;
>>> };
>>> };
>>> */
>>>
>>> Does anyone know how I can find out what is causing ISC BIND service
>>> not to start when it worked correctly in the past? I have uninstalled
>>> and reinstalled 9.4.1 and the results are the same. I don't have
>>> another machine to test as this is a home network.
>>>
>>> Thank you for any help in advance!
>>>
>>> Cheers,
>>> Vince
>>>
--
Vinny Abello
Network Engineer
vinny at tellurian.com
(973)940-6100
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN
"Courage is resistance to fear, mastery of fear - not absence of fear" -- Mark Twain
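The thread's replies ask for three things to be checked by hand: the account and ImagePath the Service Control Manager uses for the service, the Read-only attribute Vince noticed on the directories, and whether the named account's ACEs actually reach the slave file that the "could not set file modification time ... permission denied" refresh error names. The following PowerShell script, an added example and not code from the thread or from ISC, gathers all of them in one run alongside the Filemon suggestion above. It assumes the service name "named" (from the registry key quoted in the thread), the install directory C:\WINDOWS\system32\dns and the zone file etc\slave\db.192.168.1; adjust those for another installation.

```powershell
# Added example (not from the thread). Collects the facts the replies asked
# about for the ISC BIND service on Windows. Assumptions: service name
# "named", install root C:\WINDOWS\system32\dns, slave zone file
# etc\slave\db.192.168.1 (all taken from the thread; change as needed).

$svcName  = 'named'
$dnsRoot  = 'C:\WINDOWS\system32\dns'
$zoneFile = Join-Path $dnsRoot 'etc\slave\db.192.168.1'

# 1. Service account and command line as the Service Control Manager sees them.
$svc = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
if ($svc -eq $null) { throw "Service '$svcName' is not installed" }
"Service account   : $($svc.StartName)"
"Service PathName  : $($svc.PathName)"
"Service state     : $($svc.State)"

# 2. The registry value Danny asked about. It should match PathName and carry
#    neither -f nor -g: both keep named in the foreground, so it never reports
#    back to the SCM and the SCM logs error 1053 after its 30000 ms timeout.
$imagePath = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName").ImagePath
"Registry ImagePath: $imagePath"
if ($imagePath -match '(^|\s)-[fg](\s|$)') { "WARNING: ImagePath contains -f or -g" }

# Account name without the host/domain prefix (".\named" or "SOLAR\named" -> "named").
$account   = $svc.StartName.Split('\')[-1]
$writeAttr = [System.Security.AccessControl.FileSystemRights]::WriteAttributes
$writeData = [System.Security.AccessControl.FileSystemRights]::WriteData

# 3. Walk from the install root down to the zone file itself. The (OI)(CI)
#    entries cacls prints on a directory are inheritable ACEs; cacls without
#    /T edits only that directory, so a file created earlier may not carry
#    them. The file's own DACL is therefore checked as well. Updating a slave
#    file's modification time (SetFileTime) needs FILE_WRITE_ATTRIBUTES, which
#    is the right behind the "could not set file modification time" error;
#    writing a refreshed zone needs FILE_WRITE_DATA. Full control (F) covers both.
foreach ($path in @($dnsRoot, "$dnsRoot\etc", "$dnsRoot\etc\slave", $zoneFile)) {
    if (-not (Test-Path $path)) { "MISSING  : $path"; continue }
    $item = Get-Item $path
    $kind = if ($item.PSIsContainer) { 'Directory' } else { 'File' }

    # Explorer shows "Read-only" on a folder whenever the attribute bit is set,
    # but Windows uses that bit on directories only for folder customisation
    # and does not enforce it on writes; on a file it does block writes.
    $ro = ($item.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0

    $aces = (Get-Acl $path).Access | Where-Object { $_.IdentityReference.Value -like "*\$account" }
    $allowed = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $writeAttr) -ne 0) -and
        (($_.FileSystemRights -band $writeData) -ne 0)
    }
    $denied = $aces | Where-Object { $_.AccessControlType -eq 'Deny' }

    $verdict = if ($denied) { 'DENY ACE present for account' }
               elseif ($allowed) { 'write-attributes and write-data granted' }
               else { 'no ACE granting write-attributes + write-data' }
    "{0,-9}: {1}  [read-only={2}] -> {3}" -f $kind, $path, $ro, $verdict
}
```

Run it from an elevated prompt on the host running the service. A "MISSING" line for the slave file, a Deny ACE, or a file whose own DACL lacks the two write rights while its parent directory shows F for the account each explain the refresh error without any change to named.conf; an ImagePath warning explains the 1053 timeout.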