DNS dying

Kevin Darcy kcd at daimlerchrysler.com
Wed Oct 4 22:45:54 UTC 2000


Guillermo Villasana Cardoza wrote:

> Jim Reid wrote:
> >
> > >>>>> "Guillermo" == Guillermo Villasana Cardoza <terius at villasana.com.mx> writes:
> >
> >     Guillermo> I know the -- MARK -- is from syslog... but after the
> >     Guillermo> last query made... the dns died. The times it has died
> >     Guillermo> the last query points to a CNAME or a Lame server
> >     Guillermo> error...
> >
> > The logs you provided do not really give any proof of what you said is
> > happening. They tell us that your server found a mangled MX record at
> > 07:03:31 on Oct 3rd, but they do not show when or even if the name
> > server died. And there's no indication from the logs you showed that
> > your name server got a query or reply that caused it to fall
> > over. Or in fact any problem that caused a catastrophic failure.
> >
> > The name server is unlikely to die because of a lame delegation or a
> > CNAME target of an MX record. These are *very* common errors and if
> > they caused name servers to die, the Internet would be a very
> > different place because huge numbers of name servers would be
> > continually falling over. OTOH if these configuration errors did make
> > name servers die, maybe they wouldn't occur so often?
> >
>
> I suspected as much...
>
> >     Guillermo> How can I see what is making it really die?
> >
> > The name server should print a message in the system logs if it
> > encounters a fatal error: like running out of memory or being unable
> > to set up sockets on port 53. Check all your system log files. What
> > version of BIND are you running and what OS is it running on? Maybe
> > you're running a version that's got a security hole and someone is
> > exploiting that hole? If you think that your server is being attacked,
> > you could turn on query logging and see for sure what the last query
> > was before the server died. As a last resort, you could also run the
> > name server with debugging turned up high and wade through the
> > megabytes of trace/debug messages.
>
> I searched all my logs and I got no error in them.
> >
> > You also said that the name server was working fine until a few days
> > ago. What has changed since the server ran normally? Could you have
> > applied a patch that changed or zapped a shared system library? The
> > most recent change(s) to your system will be the most likely
> > explanation for the problem.
>
> Well, no upgrade was made in these last few days... I'm also thinking it is
> some sort of attack, but the logs don't show that either... No strange
> activity in cron, nor unusual telnets or ftps.
>
> I will turn up the debugging on the DNS.
> I am running a Linux Mandrake 7.0 with Bind 8.2.1

8.2.1 has a root-level exploit. Assume you've been cracked until you can verify
otherwise. A brief glance at the logs may not be enough to detect the cracking, if the
perpetrator is any good, since superuser can falsify the logs.


- Kevin
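Jim's suggestion above (find the last thing named logged before it went quiet, and look for a fatal-error message) is easy to get wrong by hand because the `-- MARK --` lines Guillermo mentioned are syslog's own heartbeat, not output from named. The script below is an added example, not code from the thread or from BIND; it runs over a constructed syslog excerpt embedded in the file (the hostname, PIDs, addresses and message texts are all made up) and reports the last named message, the number of syslog marks that followed it, how long the log stayed silent about named, and any message matching a hypothetical list of fatal-error patterns that you would extend from your own BIND version's messages.

```python
import re
from datetime import datetime

# Constructed syslog excerpt for demonstration; it is not the log from the
# thread. The "-- MARK --" lines are syslog's own heartbeat, not named output.
SAMPLE_LOG = """\
Oct  3 06:40:12 ns1 named[412]: starting.  named 8.2.1 (constructed sample)
Oct  3 07:03:31 ns1 named[412]: Lame server on 'example.test' (in 'example.test'?): [192.0.2.10].53 'ns.example.test'
Oct  3 07:03:31 ns1 named[412]: mx 'mail.example.test' is a CNAME (illegal)
Oct  3 07:20:00 ns1 -- MARK --
Oct  3 07:40:00 ns1 -- MARK --
Oct  3 08:01:00 ns1 CRON[520]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic BSD syslog line: "Mon dd HH:MM:SS host [proc[pid]: ]message"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?:(?P<proc>[^\s\[:]+)\[(?P<pid>\d+)\]: )?(?P<msg>.*)$')

# Hypothetical fatal-error patterns; BIND 8 message texts vary by version,
# so extend this list from the messages your own named actually emits.
FATAL_RE = re.compile(
    r'exiting|fatal|out of memory|bind\(\) failed|Permission denied', re.I)


def parse_line(line):
    """Return a dict (ts, host, proc, pid, msg) or None for non-syslog text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # No year in BSD syslog timestamps; strptime defaults to 1900, which is
    # fine because we only ever subtract timestamps from one another.
    d['ts'] = datetime.strptime(d['ts'], '%b %d %H:%M:%S')
    d['pid'] = int(d['pid']) if d['pid'] else None
    return d


def analyze(log_text, proc='named'):
    """Summarise what the log says about the name server process."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    named_idx = [i for i, e in enumerate(entries) if e['proc'] == proc]
    if not named_idx:
        return {'named_seen': False}
    last_i = named_idx[-1]
    last = entries[last_i]
    after = entries[last_i + 1:]
    return {
        'named_seen': True,
        # More than one PID means named was restarted during this excerpt.
        'pids': sorted({entries[i]['pid'] for i in named_idx}),
        'last_named_msg': last['msg'],
        'fatal': [entries[i]['msg'] for i in named_idx
                  if FATAL_RE.search(entries[i]['msg'])],
        # Syslog heartbeats after named's last line: the log kept going,
        # named did not. Lame-server and CNAME warnings are not fatal.
        'marks_after_last_named': sum(1 for e in after if e['msg'] == '-- MARK --'),
        'seconds_silent': int((entries[-1]['ts'] - last['ts']).total_seconds()),
    }


if __name__ == '__main__':
    for key, value in analyze(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

On the sample the last named line is the CNAME warning, no fatal message follows, and two syslog marks pass in the 3449 seconds of silence; that is exactly the pattern Jim describes, where the warning is merely the last thing logged, not proof it caused the death. Kevin's point still stands: if root has been compromised, the local log is not trustworthy evidence, so run this against a copy that was shipped to another host rather than the file on the suspect machine.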
