Hello,
To clean up our local nameserver infrastructure from multiple mixed master/slave servers to a single master, I just configured multiple new nameservers within jails on different hosts. All hosts are running FreeBSD 11.0-RELEASE-p10 and bind911-9.11.1 from packages.
While on the master-ns rndc is working:
Code:
# rndc status
version: BIND 9.11.1 <id:e3dc2e7> ([hidden])
running on ns0: FreeBSD amd64 11.0-RELEASE-p10 FreeBSD 11.0-RELEASE-p10 #5 r309898M: Fri May 5 12:14:20 CEST 2017 root@stor1:/usr/obj/usr/src/sys/NETGRAPH_VIMAGE
boot time: Wed, 24 May 2017 11:42:05 GMT
last configured: Wed, 24 May 2017 11:42:05 GMT
configuration file: /usr/local/etc/namedb/named.conf
CPUs found: 8
worker threads: 8
UDP listeners per interface: 7
number of zones: 918 (882 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/900/1000
tcp clients: 0/150
server is up and running
Code:
# netstat -na4 | grep 953
tcp4 0 0 10.60.50.2.953 *.* LISTEN
# nc -v 10.60.50.2 953
Connection to 10.60.50.2 953 port [tcp/rndc] succeeded!
^C
# rndc status
rndc: recv failed: host unreachable
# rndc -s 127.0.0.1 status
rndc: recv failed: host unreachable
# rndc -s 10.60.50.2 status
rndc: recv failed: host unreachable
tcpdump reveals there is a proper connection in both directions:
Code:
# tcpdump -nti lo0 port 953
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
IP 10.60.50.2.15234 > 10.60.50.2.953: Flags [S], seq 4272549536, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 685264170 ecr 0], length 0
IP 10.60.50.2.953 > 10.60.50.2.15234: Flags [S.], seq 3987622948, ack 4272549537, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 685264170 ecr 685264170], length 0
IP 10.60.50.2.15234 > 10.60.50.2.953: Flags [.], ack 1, win 1276, options [nop,nop,TS val 685264170 ecr 685264170], length 0
IP 10.60.50.2.15234 > 10.60.50.2.953: Flags [P.], seq 1:148, ack 1, win 1276, options [nop,nop,TS val 685264170 ecr 685264170], length 147
IP 10.60.50.2.15234 > 10.60.50.2.953: Flags [F.], seq 148, ack 1, win 1276, options [nop,nop,TS val 685264170 ecr 685264170], length 0
IP 10.60.50.2.953 > 10.60.50.2.15234: Flags [.], ack 149, win 1274, options [nop,nop,TS val 685264170 ecr 685264170], length 0
IP 10.60.50.2.953 > 10.60.50.2.15234: Flags [F.], seq 1, ack 149, win 1276, options [nop,nop,TS val 685264170 ecr 685264170], length 0
IP 10.60.50.2.953 > 10.60.50.2.15234: Flags [F.], seq 1, ack 149, win 1276, options [nop,nop,TS val 685264401 ecr 685264170], length 0
IP 10.60.50.2.953 > 10.60.50.2.15234: Flags [F.], seq 1, ack 149, win 1276, options [nop,nop,TS val 685264664 ecr 685264170], length 0
[...]
So the host definitely *is* reachable, but either rndc isn't responding or the responses are being dropped.
The master-ns is running on a host within our mgmt-VLAN which has no PF configured. The other hosts are acting as gateways and have pf configured.
All jails have similar settings regarding raw sockets, sysvipc etc. I even checked the differences of
iocage get all <jail>
from all hosts with diff and apart from host-specific options (UUIDs, names...) they are identically configured.
All hosts share the same jail- and networking-related settings in /boot/loader.conf and /etc/sysctl.conf.
rndc on all hosts is configured via rndc.conf (no separate rndc.key file); in named.conf the keys are included and 'controls' are set accordingly (currently
allow { any; } keys { rndc-key; };
for troubleshooting).
Using localhost (127.0.0.1) or any external IP for rndc (in both named.conf and rndc.conf) doesn't make any difference.
The only difference between the host where rndc is working and the others is PF, so to ensure it won't (shouldn't?) block rndc/dns traffic I temporarily added this rule on all hosts:
Code:
pass quick proto { tcp, udp } from any to any port { domain, rndc }
pflog0 doesn't report any blocked packets on port 953 when trying to connect to/via rndc, either within the jail or from another host.
I'm really out of ideas here. While every sysctl knob and jail/networking related configuration I've checked (and know/remember I've ever set or changed) is identical, I still don't want to rule out that I've missed something.
OTOH, the only thing that is different between the working host configuration and the others (and consistent between them) is PF. Although I've set a (very open) rule and it isn't reporting any blocked packets, my bet would be on PF as the culprit here...
I'd really appreciate any idea or hint on this as I'm really out of ideas...
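The tcpdump trace in the post shows a handshake, a single 147-byte push from rndc to port 953, and then only ACK and FIN segments coming back. The following shell helper is an added example, not code from the original post or from the BIND project: it tabulates payload bytes per direction from such a capture so that "did named ever answer on the wire" is read off the trace rather than judged by eye. The function name rndc_trace_summary and both sample traces are constructed for this example; the first mirrors the shape of the post's trace, the second is a made-up healthy exchange (including its 88-byte reply) added for contrast.

```sh
#!/bin/sh
# Added example, not part of the original post: tabulate an rndc session
# captured with "tcpdump -nt ... port 953" by direction. The function name
# and the sample traces below are constructed for this example.

RNDC_PORT=953

# Constructed sample trace with the same shape as the trace in the post:
# the client sends a 147-byte request, named closes without sending payload,
# and named's FIN is retransmitted because it is never acknowledged.
SAMPLE_NO_RESPONSE='IP 10.60.50.2.15234 > 10.60.50.2.953: Flags [S], seq 4272549536, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 685264170 ecr 0], length 0
IP 10.60.50.2.953 > 10.60.50.2.15234: Flags [S.], seq 3987622948, ack 4272549537, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 685264170 ecr 685264170], length 0
IP 10.60.50.2.15234 > 10.60.50.2.953: Flags [.], ack 1, win 1276, options [nop,nop,TS val 685264170 ecr 685264170], length 0
IP 10.60.50.2.15234 > 10.60.50.2.953: Flags [P.], seq 1:148, ack 1, win 1276, options [nop,nop,TS val 685264170 ecr 685264170], length 147
IP 10.60.50.2.15234 > 10.60.50.2.953: Flags [F.], seq 148, ack 1, win 1276, options [nop,nop,TS val 685264170 ecr 685264170], length 0
IP 10.60.50.2.953 > 10.60.50.2.15234: Flags [.], ack 149, win 1274, options [nop,nop,TS val 685264170 ecr 685264170], length 0
IP 10.60.50.2.953 > 10.60.50.2.15234: Flags [F.], seq 1, ack 149, win 1276, options [nop,nop,TS val 685264170 ecr 685264170], length 0
IP 10.60.50.2.953 > 10.60.50.2.15234: Flags [F.], seq 1, ack 149, win 1276, options [nop,nop,TS val 685264401 ecr 685264170], length 0'

# Constructed contrast trace: a healthy exchange where named answers with
# an 88-byte response (the size is made up) before both sides close.
SAMPLE_RESPONDED='IP 10.60.50.2.15300 > 10.60.50.2.953: Flags [S], seq 100, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 1 ecr 0], length 0
IP 10.60.50.2.953 > 10.60.50.2.15300: Flags [S.], seq 200, ack 101, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 1 ecr 1], length 0
IP 10.60.50.2.15300 > 10.60.50.2.953: Flags [P.], seq 1:148, ack 1, win 1276, options [nop,nop,TS val 1 ecr 1], length 147
IP 10.60.50.2.953 > 10.60.50.2.15300: Flags [P.], seq 1:89, ack 148, win 1276, options [nop,nop,TS val 1 ecr 1], length 88
IP 10.60.50.2.15300 > 10.60.50.2.953: Flags [F.], seq 148, ack 89, win 1276, options [nop,nop,TS val 1 ecr 1], length 0
IP 10.60.50.2.953 > 10.60.50.2.15300: Flags [F.], seq 89, ack 149, win 1276, options [nop,nop,TS val 1 ecr 1], length 0'

# rndc_trace_summary: read "tcpdump -nt" lines on stdin and print one line:
#   <payload bytes to named> <payload bytes from named> <FINs sent by named> <verdict>
# verdict is "responded" (named sent payload), "no-response" (a request
# reached port 953 but nothing came back) or "no-request" (no payload to 953).
rndc_trace_summary() {
    awk -v port="$RNDC_PORT" '
    # With -n and -t the fields are: IP <src.port> > <dst.port>: Flags [...] ... length <n>
    {
        src = $2
        dst = $4
        sub(/:$/, "", dst)
        n = split(src, s, "."); sport = s[n]
        n = split(dst, d, "."); dport = d[n]
        len = $NF + 0                        # payload length is the last field
        if (dport == port) to_srv += len
        if (sport == port) {
            from_srv += len
            if ($0 ~ /Flags \[F/) srv_fin++  # count (re)transmitted FINs from named
        }
    }
    END {
        if (from_srv > 0) verdict = "responded"
        else if (to_srv > 0) verdict = "no-response"
        else verdict = "no-request"
        printf "%d %d %d %s\n", to_srv, from_srv, srv_fin, verdict
    }'
}

# Stand-alone usage: summarise both constructed traces. On a real system,
# feed it a saved capture instead:  tcpdump -nt -r rndc.pcap port 953 | rndc_trace_summary
printf '%s\n' "$SAMPLE_NO_RESPONSE" | rndc_trace_summary
printf '%s\n' "$SAMPLE_RESPONDED"   | rndc_trace_summary
```

Run against the shape of the post's own trace it reports 147 bytes in, 0 bytes out and two FINs from port 953: named accepted the connection and received the request, then closed it without sending any payload, and its FIN was retransmitted because the rndc client had already given up. Counting bytes per direction separates "the request never arrived" from "the reply never appeared on lo0", which is the split between a filter problem and a named-side problem that the post is trying to make; it does not by itself say which component removed or never produced the reply.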