issues with BIND since a change of server

Thomas Manson dev.mansonthomas at gmail.com
Thu Oct 4 16:57:39 UTC 2012


Hi John,

  Thanks... checking the syslog shows me a permission issue on the
rndc.key...

 it was bind:bind, I changed it to root:bind and it works successfully now,
and I don't have the port 53 issue...

Many thanks John for making me check the obvious lol ;))

Regards,
Thomas.

On Thu, Oct 4, 2012 at 6:00 PM, John Miller <johnmill at brandeis.edu> wrote:

> Hi Thomas,
>
> Since this is Ubuntu, what does /var/log/syslog have to say about the
> matter?  Do you have any specific configuration for rndc controls, or are
> you primarily using the stock Ubuntu named.conf.local and
> named.conf.options?
>
> John
>
>
> On 10/04/2012 11:27 AM, Thomas Manson wrote:
>
>> Hi,
>>
>>    I had to change server because the previous one was getting old, and I
>> had to do it very fast because of a miscommunication from my host...
>>
>>    I'm on Ubuntu 12.04 server, x86_64.
>>
>> root@ns0:/etc/bind# aptitude show bind9
>> Package: bind9
>> New: yes
>> State: installed
>> Automatically installed: no
>> Version: 1:9.8.1.dfsg.P1-4ubuntu0.3
>>
>>
>>    since then I've had some trouble:
>>
>> * I get an RNDC error when stopping the service:
>>
>> root@ns0:/etc/bind# service bind9 start
>>   * Starting domain name service... bind9
>>     ...done.
>> root@ns0:/etc/bind# service bind9 status
>>   * bind9 is running
>> root@ns0:/etc/bind# service bind9 stop
>>   * Stopping domain name service... bind9
>> rndc: connect failed: 127.0.0.1#953: connection refused
>> waiting for pid 28560 to die
>>     ...done.
>>
>> and it appears that nothing listens on port 953:
>>
>> root@ns0:/etc/bind# netstat -a | grep 953
>> unix  2      [ ACC ]     STREAM     LISTENING     9853953  private/anvil
>> root@ns0:/etc/bind#
>>
>>
>> When I perform a zonecheck on one of my domains, I get an error saying
>> that the server does not listen:
>>
>>
>> The server does not listen or answer on TCP port 53: (translated from
>> French)
>>
>>   * Ref: IETF RFC1035 (p.32 4.2. Transport)
>>     <ftp://ftp.ietf.org/rfc/rfc1035.txt>
>>
>>
>>     The DNS assumes that messages will be transmitted as datagrams or in
>>     a byte stream carried by a virtual circuit. While virtual circuits
>>     can be used for any DNS activity, datagrams are preferred for
>>     queries due to their lower overhead and better performance.
>>
>>
>> while the port is open when checked from another machine:
>>
>> thomas@home:/home/special/www$ sudo nmap 88.190.17.222 -sS -p 53
>>
>> Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-04 14:55 CEST
>> Nmap scan report for ns0.ordiworld.fr (88.190.17.222)
>> Host is up (0.023s latency).
>> PORT   STATE SERVICE
>> 53/tcp open  domain
>>
>> Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
>> thomas@home:/home/special/www$
>> thomas@home:/home/special/www$
>> thomas@home:/home/special/www$
>> thomas@home:/home/special/www$ telnet ns0.ordiworld.fr 53
>> Trying 88.190.17.222...
>> Connected to ns0.ordiworld.fr.
>>
>> Escape character is '^]'.
>>
>>
>> coucou
>> Connection closed by foreign host.
>>
>>
>> One time, after adding a log category, the zonecheck was performed
>> successfully, without the port 53 errors, but after a restart the error
>> appears again!
>>
>> I've 474 domain names... Bind is running with the root account.
>>
>> I've increased the max open files (soft and hard limits) to 65535 (by
>> editing /etc/security/limits.conf, running ulimit -n 65535 from a root
>> prompt and restarting bind)
>>
>> I would appreciate any help, I'm really lost here...
>>
>>
>>
>> I've set some logging options but don't see errors in the produced files:
>>
>> ############################################################
>> //include "/etc/bind/zones.rfc1918";
>> logging {
>>   channel security_file {
>>     file "/var/log/named/security.log" versions 3 size 30m;
>>     severity dynamic;
>>     print-time yes;
>>   };
>>   category security { security_file; };
>>
>>   channel query.log {
>>     file "/var/log/named/query.log";
>>     severity debug 3;
>>   };
>>   category queries { query.log; };
>>
>>   channel config.log {
>>     file "/var/log/named/config.log";
>>     severity debug 3;
>>   };
>>   category config { config.log; };
>>
>>   channel general.log {
>>     file "/var/log/named/general.log";
>>     severity debug 3;
>>   };
>>   category general { general.log; };
>>
>>   channel default.log {
>>     file "/var/log/named/default.log";
>>     severity debug 3;
>>   };
>>   category default { default.log; };
>>
>>   channel resolver.log {
>>     file "/var/log/named/resolver.log";
>>     severity debug 3;
>>   };
>>   category resolver { resolver.log; };
>>
>>   channel network.log {
>>     file "/var/log/named/network.log";
>>     severity debug 3;
>>   };
>>   category network { network.log; };
>> };
>> ############################################################
>>
>>
>>
>>
>>
>> /etc/resolv.conf :
>> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
>> resolvconf(8)
>> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
>> nameserver 127.0.0.1
>> nameserver 88.191.254.60
>> nameserver 88.191.254.70
>>
>>
>> my /etc/hosts file (for the netstat error):
>>
>> root@ns0:/etc/bind# cat /etc/hosts
>> 127.0.0.1 localhost localhost.localdomain
>>
>> 88.190.17.222 ns0.ordiworld.fr ns0 sd-28447.dedibox.fr sd-28447
>>
>> 2a01:e0b:1000:17:be30:5bff:fed0:2bd ns0.ordiworld.fr ns0 sd-28447.dedibox.fr sd-28447
>>
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1     localhost ip6-localhost ip6-loopback
>> fe00::0 ip6-localnet
>> ff00::0 ip6-mcastprefix
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>> ff02::3 ip6-allhosts
>>
>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
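An added example, not code from the thread, from Ubuntu or from ISC: a POSIX shell pre-flight check for the two symptoms the thread ends on, a key file that named cannot read and a control port that nothing is listening on. It assumes the Ubuntu defaults of /etc/bind/rndc.key, user and group bind and TCP port 953 (all overridable through environment variables) and that GNU stat and iproute2 ss are installed; the names key_perms_ok, check_key_file, control_port_listening and run_checks are this example's own, not BIND's.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISC/BIND: a pre-flight
# check for the rndc control channel, run before restarting named.
# Assumed (not taken from the thread): Ubuntu/Debian defaults for the key
# path, the user/group named runs as, and the control port; GNU stat and
# iproute2 ss are available. Override any of these via the environment.
RNDC_KEY="${RNDC_KEY:-/etc/bind/rndc.key}"
NAMED_USER="${NAMED_USER:-bind}"
NAMED_GROUP="${NAMED_GROUP:-bind}"
CONTROL_PORT="${CONTROL_PORT:-953}"

# key_perms_ok OWNER GROUP MODE USER GROUP
# Pure policy check on a key file's owner, group and octal mode (as printed
# by stat %a, with or without leading zeros). Exit 0 only if USER can read
# the key by the class that applies to it (owner bits if USER owns the file,
# otherwise group bits if GROUP matches) AND the file is not readable by
# "other": the rndc secret is full control of the server, so no other local
# user may read it. Supplementary groups and root's DAC bypass are not
# modelled; pass the unprivileged user named runs as.
key_perms_ok() {
    owner=$1; group=$2; mode=$3; user=$4; grp=$5
    # keep the last three octal digits, padding short modes such as "40"
    mode=000$mode
    mode=${mode#"${mode%???}"}
    u=${mode%??}            # user digit
    g=${mode#?}; g=${g%?}   # group digit
    o=${mode#??}            # other digit
    if [ $((o & 4)) -ne 0 ]; then
        echo "FAIL: mode $mode is world-readable; every local user can read the rndc secret"
        return 1
    fi
    if [ "$owner" = "$user" ]; then
        readable=$((u & 4)); via="as owner"
    elif [ "$group" = "$grp" ]; then
        readable=$((g & 4)); via="via group $grp"
    else
        readable=0; via="neither owner nor group"
    fi
    if [ "$readable" -ne 0 ]; then
        echo "OK: $owner:$group $mode, readable by $user $via"
        return 0
    fi
    echo "FAIL: $owner:$group $mode is not readable by $user ($via); named cannot read the key, so the control channel stays closed and rndc reports 'connection refused'"
    return 1
}

# check_key_file PATH USER GROUP: apply the policy to a real file via GNU stat.
check_key_file() {
    keyfile=$1; user=$2; grp=$3
    if [ ! -f "$keyfile" ]; then
        echo "FAIL: $keyfile does not exist"
        return 1
    fi
    perms=$(stat -c '%U %G %a' "$keyfile") || return 1
    # word-split the three stat fields on purpose
    set -- $perms
    key_perms_ok "$1" "$2" "$3" "$user" "$grp"
}

# control_port_listening PORT: exit 0 if a TCP listener is bound to PORT on
# any local address and print that socket line. This is what the thread's
# "netstat -a | grep 953" was trying to establish.
control_port_listening() {
    ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ (p "$") { found = 1; print } END { exit !found }'
}

# run_checks: run both checks and exit non-zero if either fails.
run_checks() {
    rc=0
    check_key_file "$RNDC_KEY" "$NAMED_USER" "$NAMED_GROUP" || rc=1
    if control_port_listening "$CONTROL_PORT"; then
        echo "OK: control channel listening on TCP port $CONTROL_PORT"
    else
        echo "FAIL: nothing listening on TCP port $CONTROL_PORT; rndc will get 'connection refused'"
        rc=1
    fi
    return $rc
}

# Only run the live checks when asked: sh rndc_check.sh run
case "${1:-}" in
    run) run_checks ;;
esac
```

Run it as root on the name server with `sh rndc_check.sh run`; without the argument it only defines the functions. The permission rule is deliberately two-sided: the thread's failure was named being unable to read the key, but the reverse mistake, making the key world-readable to get past the error, hands every local account the ability to reload zones, flush caches and stop the server.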