Solved bind9.10 drops port 53 IPv4 after a few minutes

tunage

Member

Reaction score: 1
Messages: 41

I am trying to configure DNSSEC as a master/slave. Following signing the zone and uploading the DS record to my provider, I am able to see what appears to be the proper output from dnssec-verify:
Code:
dnssec-verify -o ex-mailer.com ex-mailer.com.external.signed
Loading zone 'ex-mailer.com' from file 'ex-mailer.com.external.signed'
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
but 3rd party tools such as http://dnsviz.net/d/ex-mailer.com/dnssec/ and/or http://dnssec-debugger.verisignlabs.com/ex-mailer.com say that my configuration is very incorrect and that UDP is not responding
Before:
Code:
netstat -an|grep 53
tcp4 0 0 127.0.0.1.953 *.* LISTEN
tcp4 0 0 127.0.0.1.53 *.* LISTEN
tcp6 0 0 ::1.53 *.* LISTEN
tcp4 0 0 107.191.60.48.53 *.* LISTEN
tcp6 0 0 2001:19f0:7000:8.53 *.* LISTEN
udp4 0 0 127.0.0.1.53 *.*
udp6 0 0 ::1.53 *.*
udp4 0 0 107.191.60.48.53 *.*
udp6 0 0 2001:19f0:7000:8.53 *.*
After:
Code:
netstat -an|grep 53
tcp4       0      0 *.953                  *.*                    LISTEN
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
tcp6       0      0 ::1.53                 *.*                    LISTEN
tcp6       0      0 2001:19f0:7000:8.53    *.*                    LISTEN
udp4       0      0 127.0.0.1.53           *.*
udp6       0      0 ::1.53                 *.*
udp6       0      0 2001:19f0:7000:8.53    *.*
But, after 10 min or so, UDP on my IPv4 address begins to fail and the port will close on just IPv4. I get these errors following:
Code:
# tail -f /var/log/named/named.log
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: could not listen on UDP socket: permission denied
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
04-Mar-2015 18:39:58.288 network: error: creating IPv4 interface vtnet0 failed; interface ignored
Code:
# updatedb
>>> WARNING
>>> Executing updatedb as root. This WILL reveal all filenames
>>> on your machine to all login users, which is a security risk.
# locate named.pid
/var/run/named/named.pid
named never dies, just IPv4 port 53 UDP.

Yet dig appears to query just fine following restart of named: before restart, but following UDP freeze:
Code:
gentoo-mini ~ # dig ex-mailer.com ANY @107.191.60.48

; <<>> DiG 9.9.5 <<>> ex-mailer.com ANY @107.191.60.48
;; global options: +cmd
;; connection timed out; no servers could be reached
But after restart of named:
Code:
gentoo-mini ~ # dig ex-mailer.com ANY @107.191.60.48

; <<>> DiG 9.9.5 <<>> ex-mailer.com ANY @107.191.60.48
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56608
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ex-mailer.com. IN ANY

;; Query time: 199 msec
;; SERVER: 107.191.60.48#53(107.191.60.48)
;; WHEN: Wed Mar 04 06:15:32 EST 2015
;; MSG SIZE rcvd: 42
Note the "servfail"

Master config:
Code:
acl "trusted" {
108.61.190.64;
107.191.60.48;
2001:19f0:7000:8945::64;
2001:19f0:6c00:8141::64;
108.61.10.10;
127.0.0.1/32;
::1/128;
};

acl "outside" {
any;
};

options {
directory "/usr/local/etc/namedb/working/";
pid-file "/var/run/named/named.pid";
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
transfer-source 108.61.10.10;
listen-on-v6 { ::1; 2001:19f0:6c00:8141::64;};
listen-on { 127.0.0.1; 108.61.190.64;};
max-cache-ttl 1600;
version none;
allow-query {
any;
/* trusted; */
};

allow-query-cache {
trusted;
};

allow-transfer {
trusted;
};

allow-update {
trusted;
};

//forward first;
forwarders {
108.61.10.10;
108.61.190.64;
107.191.60.48;
};
};


logging {
category default { default_log; };
category queries { resolver_file; };
channel default_log {
file "/var/log/named/named.log" versions 5 size 50M;
print-time yes;
print-severity yes;
print-category yes;
severity warning;
};
channel resolver_file {
file "/var/log/named/resolver.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel xfer-in_file {
file "/var/log/named/xfer-in.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
category default { default_log; };
category general { default_log; };
};

/*
include "/usr/local/etc/namedb/rndc.key";
*/
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys {"rndc-key"; };
};
key "rndc-key" {
algorithm hmac-md5;
secret "KcnxhOeXddg8dRNrn9Qfew==";
};


view "external" {
match-clients { outside; };
match-destinations { outside; };
recursion yes;
allow-query { outside; };
zone "." IN {
type hint;
file "/usr/local/etc/namedb/named.root";
};
zone "ex-mailer.com" {
type master;
allow-transfer {107.191.60.48;};
also-notify {107.191.60.48;};
key-directory "/usr/local/etc/namedb/";
file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
};

zone "190.61.108.in-addr.arpa"{
type master;
file "/usr/local/etc/namedb/reverse.external";
};
zone "127.in-addr.arpa" {
type master;
file "/usr/local/etc/namedb/127.0.0.1";
};

};
Slave config:
Code:
acl "trusted" {
108.61.190.64;
107.191.60.48;
2001:19f0:7000:8945::64;
2001:19f0:6c00:8141::64;
108.61.10.10;
127.0.0.1/32;
::1/128;
};

acl "outside" {
any;
};

options {
directory "/usr/local/etc/namedb/working/";
pid-file "/var/run/named/named.pid";
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
auth-nxdomain no;
transfer-source 108.61.10.10;
listen-on-v6 { ::1; 2001:19f0:7000:8945::64;};
listen-on { 127.0.0.1; 107.191.60.48;};
max-cache-ttl 1600;
version none;
allow-new-zones yes;
allow-query {
any;
/* trusted; */
};

allow-query-cache {
trusted;
};

allow-transfer {
trusted;
};

allow-update {
trusted;
};

//forward first;
forwarders {
108.61.10.10;
108.61.190.64;
107.191.60.48;
};
};


logging {
category default { default_log; };
category queries { resolver_file; };
channel default_log {
file "/var/log/named/named.log" versions 5 size 50M;
print-time yes;
print-severity yes;
print-category yes;
severity warning;
};
channel resolver_file {
file "/var/log/named/resolver.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel xfer-in_file {
file "/var/log/named/xfer-in.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
category default { default_log; };
category general { default_log; };
};


#include "/usr/local/etc/namedb/rndc.key";

controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys {"rndc-key"; };
};

key "rndc-key" {
algorithm hmac-md5;
secret "N/SB9HZwr5yRIBwtRjcA6A==";
};

view "external" {
match-clients { outside; };
match-destinations { outside; };
recursion yes;
allow-query { outside; };
zone "." IN {
type hint;
file "/usr/local/etc/namedb/named.root";
};


include "/usr/local/etc/namedb/tmp/zonelist.db";

zone "ex-mailer.com" {
type slave;
masters {108.61.190.64;};
allow-notify{108.61.190.64;};
allow-transfer {none;};
key-directory "/usr/local/etc/namedb/";
file "/usr/local/etc/namedb/ex-mailer.com.external.signed";
};
zone "190.61.108.in-addr.arpa"{
type master;
file "/usr/local/etc/namedb/reverse.external";
};
zone "127.in-addr.arpa" {
type master;
file "/usr/local/etc/namedb/127.0.0.1";
};

};
 
Last edited by a moderator:

gregober

New Member


Messages: 17

There is no directive :

Code:
allow-recursion-on;
The right way to configure this is to :

Code:
allow-recursion-on {
              trusted;
};

Where "trusted" is your defined ACL.
 
Top