issues with BIND since a change of server
Thomas Manson
dev.mansonthomas at gmail.com
Thu Oct 4 16:57:39 UTC 2012
Hi John,
Thanks... checking the syslog shows me a permission issue on the
rndc.key...
it was bind:bind, I changed it to root:bind and it works successfully now,
and I don't have the port 53 issue...
Many thanks John for making me check the obvious lol ;))
Regards,
Thomas.
On Thu, Oct 4, 2012 at 6:00 PM, John Miller <johnmill at brandeis.edu> wrote:
> Hi Thomas,
>
> Since this is Ubuntu, what does /var/log/syslog have to say about the
> matter? Do you have any specific configuration for rndc controls, or are
> you primarily using the stock Ubuntu named.conf.local and
> named.conf.options?
>
> John
>
>
> On 10/04/2012 11:27 AM, Thomas Manson wrote:
>
>> Hi,
>>
>> I had to change server because the previous one was getting old, and I
>> had to do it very fast because of a mis-communication of my host...
>>
>> I'm on Ubuntu 12.04 server, x86_64.
>>
>> root at ns0:/etc/bind# aptitude show bind9
>> Package: bind9
>> New: yes
>> State: installed
>> Automatically installed: no
>> Version: 1:9.8.1.dfsg.P1-4ubuntu0.3
>>
>>
>> since then I've had some trouble:
>>
>> * I've an RNDC error when stopping the service:
>>
>> root at ns0:/etc/bind# service bind9 start
>> * Starting domain name service... bind9
>> ...done.
>> root at ns0:/etc/bind# service bind9 status
>> * bind9 is running
>> root at ns0:/etc/bind# service bind9 stop
>> * Stopping domain name service... bind9
>> rndc: connect failed: 127.0.0.1#953: connection refused
>> waiting for pid 28560 to die
>> ...done.
>>
>> and it appears that nothing listens on port 953:
>>
>> root at ns0:/etc/bind# netstat -a | grep 953
>> unix 2 [ ACC ] STREAM LISTENING 9853953 private/anvil
>> root at ns0:/etc/bind#
>>
>>
>> When I perform a zonecheck on one of my domains, I get an error saying
>> that the server does not listen:
>>
>>
>> The server does not listen or answer on TCP port 53: (translated from
>> French)
>>
>> * Réf: IETF RFC1035 (p.32 4.2. Transport)
>> <ftp://ftp.ietf.org/rfc/rfc1035.txt>
>>
>>
>> The DNS assumes that messages will be transmitted as datagrams or in
>> a byte stream carried by a virtual circuit. While virtual circuits
>> can be used for any DNS activity, datagrams are preferred for
>> queries due to their lower overhead and better performance.
>>
>>
>> while the port is open, as checked from another machine:
>>
>> thomas at home:/home/special/www$ sudo nmap 88.190.17.222 -sS -p 53
>>
>> Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-04 14:55 CEST
>> Nmap scan report for ns0.ordiworld.fr (88.190.17.222)
>> Host is up (0.023s latency).
>> PORT STATE SERVICE
>> 53/tcp open domain
>>
>> Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
>> thomas at home:/home/special/www$ telnet ns0.ordiworld.fr 53
>> Trying 88.190.17.222...
>> Connected to ns0.ordiworld.fr.
>> Escape character is '^]'.
>>
>>
>> coucou
>> Connection closed by foreign host.
>>
>>
>> One time, after adding a log category, the zonecheck was performed with
>> success, without the port 53 errors, but after a restart, the error
>> appears again!
>>
>> I've 474 domain names... Bind is running with the root account.
>>
>> I've increased the max open files (soft and hard limit) to 65535 (by
>> editing /etc/security/limits.conf, running ulimit -n 65535 from a root
>> prompt and restarting bind)
>>
>> I would appreciate any help, I'm really lost here...
>>
>>
>>
>> I've set some logging options but don't see errors in the produced files:
>>
>> ############################################################
>> //include "/etc/bind/zones.rfc1918";
>> logging {
>>     channel security_file {
>>         file "/var/log/named/security.log" versions 3 size 30m;
>>         severity dynamic;
>>         print-time yes;
>>     };
>>     category security { security_file; };
>>
>>     channel query.log {
>>         file "/var/log/named/query.log";
>>         severity debug 3;
>>     };
>>     category queries { query.log; };
>>
>>     channel config.log {
>>         file "/var/log/named/config.log";
>>         severity debug 3;
>>     };
>>     category config { config.log; };
>>
>>     channel general.log {
>>         file "/var/log/named/general.log";
>>         severity debug 3;
>>     };
>>     category general { general.log; };
>>
>>     channel default.log {
>>         file "/var/log/named/default.log";
>>         severity debug 3;
>>     };
>>     category default { default.log; };
>>
>>     channel resolver.log {
>>         file "/var/log/named/resolver.log";
>>         severity debug 3;
>>     };
>>     category resolver { resolver.log; };
>>
>>     channel network.log {
>>         file "/var/log/named/network.log";
>>         severity debug 3;
>>     };
>>     category network { network.log; };
>> };
>> ############################################################
>>
>>
>>
>>
>>
>> /etc/resolv.conf:
>> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
>> resolvconf(8)
>> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
>> nameserver 127.0.0.1
>> nameserver 88.191.254.60
>> nameserver 88.191.254.70
>>
>>
>> my /etc/hosts file (for the netstat error):
>>
>> root at ns0:/etc/bind# cat /etc/hosts
>> 127.0.0.1 localhost localhost.localdomain
>>
>> 88.190.17.222 ns0.ordiworld.fr ns0 sd-28447.dedibox.fr sd-28447
>>
>> 2a01:e0b:1000:17:be30:5bff:fed0:2bd ns0.ordiworld.fr ns0 sd-28447.dedibox.fr sd-28447
>>
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1 localhost ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff00::0 ip6-mcastprefix
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>> ff02::3 ip6-allhosts
>>
>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
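Two small checks for the symptoms in this thread, written as an added example (not code from the thread, from ISC or from Ubuntu's bind9 package): the first audits an rndc key file for the expected owner/group and for world-readable bits, the second reads netstat-style output and reports a control-channel listener only when a TCP socket in LISTEN state actually has that local port. The second check matters because `netstat -a | grep 953` above matched an unrelated unix socket whose inode number happened to contain 953. The key path /etc/bind/rndc.key, the owner root:bind and the sample netstat lines are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread. Two checks:
#  - check_key_file: is the rndc key file owned as expected, unreadable by
#    "other", and does it hold a complete key statement?
#  - control_channel_listening: does netstat-style output show a real TCP
#    listener on the control port, rather than any line containing "953"?
# Paths, expected owner/group and the sample output are assumptions.

# check_key_file FILE OWNER GROUP
# Returns 0 when FILE is owned by OWNER:GROUP, grants nothing to "other",
# and contains a key statement with an algorithm and a secret.
check_key_file() {
    f=$1
    want_owner=$2
    want_group=$3
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    # ls -ld prints: -rw-r----- 1 root bind 77 Oct  4 2012 /etc/bind/rndc.key
    set -- $(ls -ld "$f")
    perms=${1%[.+]}          # drop a trailing '.' or '+' (SELinux/ACL marker)
    owner=$3
    group=$4
    case "$perms" in
        ???????---) ;;       # world bits are ---
        *) echo "$f: accessible by others ($perms)"; return 1 ;;
    esac
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "$f: owned by $owner:$group, expected $want_owner:$want_group"
        return 1
    fi
    if ! grep -q '^[[:space:]]*key[[:space:]]' "$f" \
        || ! grep -q 'algorithm' "$f" || ! grep -q 'secret' "$f"; then
        echo "$f: no complete key statement found"
        return 1
    fi
    return 0
}

# control_channel_listening PORT   (reads `netstat -ant`-style output on stdin)
# Returns 0 only when a tcp/tcp6 socket in LISTEN state has local port PORT.
control_channel_listening() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")     # local address is field 4; port after last ':'
            if (a[n] == p) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Stand-alone demo on constructed netstat output (assumed sample, no network).
demo() {
    sample='unix  2      [ ACC ]     STREAM     LISTENING     9853953  private/anvil
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN'
    if printf '%s\n' "$sample" | control_channel_listening 953; then
        echo "control channel: tcp listener on port 953 found"
    else
        echo "control channel: nothing listening on tcp/953"
    fi
    # Assumed path and ownership; only checked when the file exists.
    if [ -f /etc/bind/rndc.key ]; then
        check_key_file /etc/bind/rndc.key root bind && echo "rndc.key: ok"
    fi
}

demo
```

Usage: `netstat -ant | control_channel_listening 953` (or the same with `ss -lnt`-style output, as long as the local address is in field 4 and the state in the last field) tells you whether named's control channel is actually up, and `check_key_file /etc/bind/rndc.key root bind` fails loudly when the key is readable by everyone or owned by the wrong account, which is the kind of mismatch the syslog entries in this thread pointed at.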