Recent Problem with BIND 9 under Windows XP

Vincent Poy vincepoy at gmail.com
Thu Jun 28 18:27:41 UTC 2007


On 6/28/07, Vinny Abello <vinny at tellurian.com> wrote:
> Grab a utility like filemon to see what named.exe is trying to do when you start
> the service. That may give you a big hint.
>
> http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx

I've loaded Process Monitor and this is the log but I couldn't see
where named went wrong.

http://d.turboupload.com/d/1904539/Logfile.PML.html

Cheers,
Vince

> Vincent Poy wrote:
> > On 6/28/07, Danny Mayer <mayer at ntp.isc.org> wrote:
> >> Vincent Poy wrote:
> >>> Greetings everyone:
> >>>
> >>> I'm having a problem with starting the ISC BIND service under Windows
> >>> XP SP2 with all the latest MS patches.  I had been running BIND 9 for
> >>> quite some time and every version of BIND9 including betas, release
> >>> candidates and release versions including 9.4.1 have run fine until
> >>> recently which I am not sure when since I don't usually monitor if
> >>> BIND was started except after each installation and reboot.  And the
> >>> config file has not been modified.  BIND is owned by the named account
> >>> and is installed in C:\Windows\System32\dns with that directory and
> >>> all directories under it having the named account with full permission
> >>> to read/write.  My system acts as a secondary DNS with named.conf
> >>> located in C:\WINDOWS\SYSTEM32\dns\etc.  When the system tries to
> >>> start ISC BIND service, it shows in the event manager under System as
> >>> a Error 2 events:
> >>>
> >>> Timeout (30000 milliseconds) waiting for the ISC BIND service to connect.
> >>>
> >>> followed by:
> >>>
> >>> The ISC BIND service failed to start due to the following error:
> >>> The service did not respond to the start or control request in a
> >>> timely fashion.
> >>>
> >> This indicates that named did not register itself when the service
> >> started. It needs to do that within the timeout period. I have only seen
> >> this happen when there are commandline arguments that keep it in the
> >> foreground yet it's still being run as a service. The only options are
> >> -f and -g that would cause it to do that and those shouldn't normally be
> >> used when running it as a service. Did you start the service manually
> >> via the MSC? What does the following key look like?
> >
> > In the MSC, it's started as c:\windows\system32\dns\bin\named.exe with
> > no options.  I tried adding the -f and -g options but the results were
> > the same.  And like I mentioned previously, the service fails even
> > when manually started since it gives that pop-up window but the
> > service starts fine when it's run as Local System instead of the named
> > user.  named.exe runs fine as the named user from the command line and
> > from the vince user who is an administrator account.
> >
> >> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\named\ImagePath
> >
> > C:\WINDOWS\system32\dns\bin\named.exe
> >
> >> What permissions does the named account have to access the named.conf
> >> file and the associated files? Make sure that you don't have a pid file
> >> in the directory. In fact you don't need a pid file so set the option to
> >> none:
> >> The named account has full access to c:\windows\system32\dns except I
> >> noticed that all directories from c:\windows\system32\dns and under when you
> >> click on properties has read-only while the files do not have that.
> >>
> >> pid-file none;
> >
> > The named account has full access to c:\windows\system32\dns except I
> > noticed that all directories from c:\windows\system32\dns and under
> > when you click on property has read-only while the files do not have
> > that.  Here are the permissions of the c:\windows\system32\dns and all
> > directories under it which are etc and bin:
> >
> > C:\Documents and Settings\vince>cacls c:\windows\system32\dns
> > c:\windows\system32\dns SOLAR\named:(OI)(CI)F
> >                         NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
> >                                                     READ_CONTROL
> >                                                     SYNCHRONIZE
> >                                                     FILE_GENERIC_READ
> >                                                     FILE_GENERIC_WRITE
> >                                                     FILE_READ_DATA
> >                                                     FILE_WRITE_DATA
> >                                                     FILE_APPEND_DATA
> >                                                     FILE_READ_EA
> >                                                     FILE_WRITE_EA
> >                                                     FILE_READ_ATTRIBUTES
> >                                                     FILE_WRITE_ATTRIBUTES
> >
> >                         Everyone:(OI)(CI)F
> >                         NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
> >                                                     DELETE
> >                                                     FILE_DELETE_CHILD
> >
> >
> >
> > C:\Documents and Settings\vince>cacls c:\windows\system32\dns\bin
> > c:\windows\system32\dns\bin SOLAR\named:(OI)(CI)F
> >                             NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
> >                                                         READ_CONTROL
> >                                                         SYNCHRONIZE
> >                                                         FILE_GENERIC_READ
> >                                                         FILE_GENERIC_WRITE
> >                                                         FILE_READ_DATA
> >                                                         FILE_WRITE_DATA
> >                                                         FILE_APPEND_DATA
> >                                                         FILE_READ_EA
> >                                                         FILE_WRITE_EA
> >                                                         FILE_READ_ATTRIBUTES
> >                                                         FILE_WRITE_ATTRIBUTES
> >
> >                             Everyone:(OI)(CI)F
> >                             NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
> >                                                         DELETE
> >                                                         FILE_DELETE_CHILD
> >
> >
> >
> > C:\Documents and Settings\vince>cacls c:\windows\system32\dns\etc
> > c:\windows\system32\dns\etc SOLAR\named:(OI)(CI)F
> >                             NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
> >                                                         READ_CONTROL
> >                                                         SYNCHRONIZE
> >                                                         FILE_GENERIC_READ
> >                                                         FILE_GENERIC_WRITE
> >                                                         FILE_READ_DATA
> >                                                         FILE_WRITE_DATA
> >                                                         FILE_APPEND_DATA
> >                                                         FILE_READ_EA
> >                                                         FILE_WRITE_EA
> >                                                         FILE_READ_ATTRIBUTES
> >                                                         FILE_WRITE_ATTRIBUTES
> >
> >                             Everyone:(OI)(CI)F
> >                             NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
> >                                                         DELETE
> >                                                         FILE_DELETE_CHILD
> >
> > As for the pid-file, I always had that option even when I installed
> > BIND back in 2004 on this system and it never seemed to have caused any
> > problems.
> >
> > Cheers,
> > Vince
> >
> >>> If I try to start the ISC BIND service manually, I will get a pop-up
> >>> window after 5-10 seconds that says and the same two events are in the
> >>> event manager under System as a Error:
> >>>
> >>> Could not start ISC BIND service on Local Computer.
> >>>
> >>> Error 1053: The service did not respond to the start or control
> >>> request in a timely fashion
> >>>
> >>> If I start named with the -g option in the Command Prompt, this is what happens:
> >>>
> >>> C:\Documents and Settings\vince>c:\windows\system32\dns\bin\named -g
> >>> 27-Jun-2007 9:51:32.755 starting BIND 9.4.1 -g
> >>> 27-Jun-2007 9:51:32.755 found 2 CPUs, using 2 worker threads
> >>> 27-Jun-2007 9:51:32.770 loading configuration from 'C:\WINDOWS\system32\dns\etc\
> >>> named.conf'
> >>> 27-Jun-2007 9:51:32.770 listening on IPv4 interface TCP/IP Interface 1, 192.168.
> >>> 0.120#53
> >>> 27-Jun-2007 9:51:32.786 listening on IPv4 interface Loopback Interface 2, 127.0.
> >>> 0.1#53
> >>> 27-Jun-2007 9:51:32.786 listening on IPv4 interface TCP/IP Interface 3, 192.168.
> >>> 106.1#53
> >>> 27-Jun-2007 9:51:32.786 listening on IPv4 interface TCP/IP Interface 4, 192.168.
> >>> 220.1#53
> >>> 27-Jun-2007 9:51:32.801 listening on IPv4 interface TCP/IP Interface 5, 208.201.
> >>> 244.225#53
> >>> 27-Jun-2007 9:51:32.801 listening on IPv4 interface TCP/IP Interface 6, 192.168.
> >>> 1.120#53
> >>> 27-Jun-2007 9:51:32.817 automatic empty zone: 127.IN-ADDR.ARPA
> >>> 27-Jun-2007 9:51:32.817 automatic empty zone: 254.169.IN-ADDR.ARPA
> >>> 27-Jun-2007 9:51:32.817 automatic empty zone: 2.0.192.IN-ADDR.ARPA
> >>> 27-Jun-2007 9:51:32.817 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
> >>> 27-Jun-2007 9:51:32.817 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
> >>> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> >>> 27-Jun-2007 9:51:32.817 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
> >>> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> >>> 27-Jun-2007 9:51:32.817 automatic empty zone: D.F.IP6.ARPA
> >>> 27-Jun-2007 9:51:32.817 automatic empty zone: 8.E.F.IP6.ARPA
> >>> 27-Jun-2007 9:51:32.817 automatic empty zone: 9.E.F.IP6.ARPA
> >>> 27-Jun-2007 9:51:32.817 automatic empty zone: A.E.F.IP6.ARPA
> >>> 27-Jun-2007 9:51:32.817 automatic empty zone: B.E.F.IP6.ARPA
> >>> 27-Jun-2007 9:51:32.833 command channel listening on 127.0.0.1#953
> >>> 27-Jun-2007 9:51:32.833 ignoring config file logging statement due to -g option
> >>> 27-Jun-2007 9:51:32.848 zone 0.0.127.in-addr.arpa/IN: loaded serial 20041019
> >>> 27-Jun-2007 9:51:32.848 zone 0.168.192.in-addr.arpa/IN: loaded serial 2003101801
> >>>
> >>> 27-Jun-2007 9:51:32.848 zone 1.168.192.in-addr.arpa/IN: loaded serial 2004102701
> >>>
> >>> 27-Jun-2007 9:51:32.848 zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
> >>> .0.0.0.0.0.IP6.INT/IN: loaded serial 20041019
> >>> 27-Jun-2007 9:51:32.848 zone DNALOGIC.NET/IN: loaded serial 2003101805
> >>> 27-Jun-2007 9:51:32.864 zone 0.168.192.in-addr.arpa/IN: sending notifies (serial
> >>>  2003101801)
> >>> 27-Jun-2007 9:51:32.864 running
> >>> 27-Jun-2007 9:51:32.864 zone 1.168.192.in-addr.arpa/IN: sending notifies (serial
> >>>  2004102701)
> >>> 27-Jun-2007 9:51:32.864 zone DNALOGIC.NET/IN: sending notifies (serial 200310180
> >>> 5)
> >>> 27-Jun-2007 10:13:45.848 zone 1.168.192.in-addr.arpa/IN: refresh: could not set
> >>> file modification time of 'slave/db.192.168.1': permission denied
> >>>
> >>> So it appears to run correctly from the command prompt.
> >>>
> >>> My named.conf consists of the following as I am using the standard
> >>> named.conf format from my primary FreeBSD server and just modifying it
> >>> for the Windows port.
> >>>
> >>> // $FreeBSD: src/etc/namedb/named.conf,v 1.20 2004/11/04 05:24:29 gshapiro Exp $
> >>> //
> >>> // Refer to the named.conf(5) and named(8) man pages, and the documentation
> >>> // in /usr/share/doc/bind9 for more details.
> >>> //
> >>> // If you are going to set up an authoritative server, make sure you
> >>> // understand the hairy details of how DNS works.  Even with
> >>> // simple mistakes, you can break connectivity for affected parties,
> >>> // or cause huge amounts of useless Internet traffic.
> >>>
> >>> options {
> >>>        directory       "c:\windows\system32\dns\etc";
> >>>        pid-file        "c:\windows\system32\dns\etc\named.pid";
> >>>        dump-file       "c:\windows\system32\dns\etc\named_dump.db";
> >>>        statistics-file "c:\windows\system32\dns\etc\named.stats";
> >>>
> >>> // If named is being used only as a local resolver, this is a safe default.
> >>> // For named to be accessible to the network, comment this option, specify
> >>> // the proper IP address, or delete this option.
> >>> //      listen-on       { 127.0.0.1; };
> >>>
> >>> // If you have IPv6 enabled on this system, uncomment this option for
> >>> // use as a local resolver.  To give access to the network, specify
> >>> // an IPv6 address, or the keyword "any".
> >>> //      listen-on-v6    { ::1; };
> >>>
> >>> // In addition to the "forwarders" clause, you can force your name
> >>> // server to never initiate queries of its own, but always ask its
> >>> // forwarders only, by enabling the following line:
> >>> //
> >>> //      forward only;
> >>>
> >>> // If you've got a DNS server around at your upstream provider, enter
> >>> // its IP address here, and enable the line below.  This will make you
> >>> // benefit from its cache, thus reduce overall DNS traffic in the Internet.
> >>> /*
> >>>        forwarders {
> >>>                127.0.0.1;
> >>>        };
> >>> */
> >>>        forwarders {
> >>>                208.201.224.11;
> >>>                208.204.224.33;
> >>>        };
> >>>        /*
> >>>         * If there is a firewall between you and nameservers you want
> >>>         * to talk to, you might need to uncomment the query-source
> >>>         * directive below.  Previous versions of BIND always asked
> >>>         * questions using port 53, but BIND versions 8 and later
> >>>         * use a pseudo-random unprivileged UDP port by default.
> >>>         */
> >>>        // query-source address * port 53;
> >>> };
> >>>
> >>> // If you enable a local name server, don't forget to enter 127.0.0.1
> >>> // first in your /etc/resolv.conf so this server will be queried.
> >>> // Also, make sure to enable it in /etc/rc.conf.
> >>>
> >>> zone "." {
> >>>        type hint;
> >>>        file "named.root";
> >>> };
> >>> /*
> >>> zone "0.0.127.IN-ADDR.ARPA" {
> >>>        type master;
> >>>        file "master/localhost.rev";
> >>> };
> >>>
> >>> // RFC 3152
> >>> zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"
> >>> {
> >>>        type master;
> >>>        file "master/localhost-v6.rev";
> >>> };
> >>>
> >>> // RFC 1886 -- deprecated
> >>> zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
> >>>        type master;
> >>>        file "master/localhost-v6.rev";
> >>> };
> >>> */
> >>> // NB: Do not use the IP addresses below, they are faked, and only
> >>> // serve demonstration/documentation purposes!
> >>> //
> >>> // Example slave zone config entries.  It can be convenient to become
> >>> // a slave at least for the zone your own domain is in.  Ask
> >>> // your network administrator for the IP address of the responsible
> >>> // primary.
> >>> //
> >>> // Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
> >>> // (This is named after the first bytes of the IP address, in reverse
> >>> // order, with ".IN-ADDR.ARPA" appended.)
> >>> //
> >>> // Before starting to set up a primary zone, make sure you fully
> >>> // understand how DNS and BIND works.  There are sometimes
> >>> // non-obvious pitfalls.  Setting up a slave zone is simpler.
> >>> //
> >>> // NB: Don't blindly enable the examples below. :-)  Use actual names
> >>> // and addresses instead.
> >>>
> >>> /*
> >>> zone "example.com" {
> >>>        type slave;
> >>>        file "slave/example.com";
> >>>        masters {
> >>>                192.168.1.1;
> >>>        };
> >>> };
> >>>
> >>> // An example dynamic zone
> >>> key "exampleorgkey" {
> >>>        algorithm hmac-md5;
> >>>        secret "sf87HJqjkqh8ac87a02lla==";
> >>> };
> >>>
> >>> zone "example.org" {
> >>>        type master;
> >>>        allow-update {
> >>>                key "exampleorgkey";
> >>>        };
> >>>        file "dynamic/example.org";
> >>> };
> >>>
> >>> zone "0.168.192.in-addr.arpa" {
> >>>        type slave;
> >>>        file "slave/0.168.192.in-addr.arpa";
> >>>        masters {
> >>>                192.168.1.1;
> >>>        };
> >>> };
> >>> */
> >>>
> >>> zone "0.0.127.in-addr.arpa" {
> >>>        type master;
> >>>        file "master/db.127.0.0";
> >>> };
> >>>
> >>> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
> >>>        type master;
> >>>        file "master/db.127.0.0-v6";
> >>> };
> >>>
> >>> zone "0.168.192.in-addr.arpa" {
> >>>        type slave;
> >>>        file "slave/db.192.168.0";
> >>>        masters {
> >>>                208.201.244.224;
> >>>        };
> >>> };
> >>>
> >>> zone "1.168.192.in-addr.arpa" {
> >>>        type slave;
> >>>        file "slave/db.192.168.1";
> >>>        masters {
> >>>                208.201.244.224;
> >>>        };
> >>> };
> >>>
> >>> zone "DNALOGIC.NET" {
> >>>        type slave;
> >>>        file "slave/db.DNALOGIC.NET";
> >>>        masters {
> >>>                208.201.244.224;
> >>>        };
> >>> };
> >>>
> >>> /*
> >>> zone "ULTIMATESOUND.NET" {
> >>>        type slave;
> >>>        file "slave/db.ULTIMATESOUND.NET";
> >>>        masters {
> >>>                66.193.144.6;
> >>>        };
> >>> };
> >>> */
> >>>
> >>> /*
> >>> zone "NOLS.COM" {
> >>>        type slave;
> >>>        file "slave/db.NOLS.COM";
> >>>        masters {
> >>>                208.179.75.219;
> >>>        };
> >>> };
> >>> */
> >>>
> >>> Does anyone know how I can find out what is causing ISC BIND service
> >>> not to start when it worked correctly in the past?  I have uninstalled
> >>> and reinstalled 9.4.1 and the results are the same.  I don't have
> >>> another machine to test as this is a home network.
> >>>
> >>> Thank you for any help in advance!
> >>>
> >>> Cheers,
> >>> Vince
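
The cacls listings quoted in this thread can be read mechanically instead of by eye. The following is an added example, not part of the original message and not BIND code: it parses cacls text output and reports principals, other than the ones you expect, that hold write-capable rights on the service directory. The sample is constructed from the bin listing above (special-access list shortened); the function names and the choice of expected principals are assumptions.

```python
import re

# Constructed sample: the cacls listing for the bin directory quoted in the
# thread, with the SYSTEM special-access list shortened.
PATH = r"c:\windows\system32\dns\bin"
SAMPLE = r"""c:\windows\system32\dns\bin SOLAR\named:(OI)(CI)F
                            NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
                                                        READ_CONTROL
                                                        FILE_GENERIC_READ
                                                        FILE_GENERIC_WRITE

                            Everyone:(OI)(CI)F
                            NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
                                                        DELETE
                                                        FILE_DELETE_CHILD
"""

# principal : optional two-letter inheritance flags : N/R/W/C/F or a special-access header
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<inherit>(?:\([A-Z]{2}\))*)"
                    r"(?P<right>[NRWCF]|\(special access:\))$")

# Rights that let the holder modify or replace files in the directory.
WRITE_RIGHTS = {"F", "C", "W", "FILE_GENERIC_WRITE", "FILE_WRITE_DATA",
                "FILE_APPEND_DATA", "FILE_DELETE_CHILD", "DELETE"}


def parse_cacls(output, path):
    """Return one dict per ACE: who, inheritance flags, list of rights."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line carries the path
        if not line:
            continue
        m = ACE_RE.match(line)
        if m:
            rights = [] if m["right"].startswith("(") else [m["right"]]
            aces.append({"who": m["who"], "rights": rights,
                         "inherit": re.findall(r"\((\w+)\)", m["inherit"])})
        elif aces:
            aces[-1]["rights"].append(line)   # continuation of special access
    return aces


def unexpected_writers(aces, expected):
    """Principals outside `expected` holding any write-capable right."""
    allowed = {name.lower() for name in expected}
    found = {a["who"] for a in aces if WRITE_RIGHTS.intersection(a["rights"])}
    return sorted(w for w in found if w.lower() not in allowed)


if __name__ == "__main__":
    aces = parse_cacls(SAMPLE, PATH)
    print(unexpected_writers(aces, [r"SOLAR\named", r"NT AUTHORITY\SYSTEM"]))
```

On this listing the only unexpected writer is Everyone, which holds full control (F) on the directory that contains named.exe.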


