socket.c:5597: unexpected error: bind: Operation not permanente

hello guys,

My bind-911 server stops working after a few hours and sends errors like the ones below.
Code:
Feb  4 13:52:06 dns named[87962]: ----------------------------------------------------
Feb  4 13:52:06 dns named[87962]: BIND 9 is maintained by Internet Systems Consortium,
Feb  4 13:52:06 dns named[87962]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Feb  4 13:52:06 dns named[87962]: corporation.  Support and training for BIND 9 are
Feb  4 13:52:06 dns named[87962]: available at https://www.isc.org/support
Feb  4 13:52:06 dns named[87962]: ----------------------------------------------------
Feb  4 13:52:06 dns named[87962]: command channel listening on 127.0.0.1#953
Feb  4 13:52:06 dns named[87962]: all zones loaded
Feb  4 13:52:06 dns named[87962]: running
Feb  4 20:34:04 dns named[87962]: not listening on any interfaces
Feb  4 20:34:14 dns named[87962]: socket.c:5597: unexpected error:
Feb  4 20:34:14 dns named[87962]: bind: Operation not permanente
Feb  4 20:34:14 dns named[87962]: could not listen on UDP socket: unexpected error
Feb  4 20:34:14 dns named[87962]: creating IPv4 interface em0 failed; interface ignored
Feb  4 20:34:14 dns named[87962]: not listening on any interfaces
Feb  4 20:50:04 dns named[87962]: not listening on any interfaces
Feb  4 20:50:04 dns named[87962]: socket.c:5597: unexpected error:
Feb  4 20:50:04 dns named[87962]: bind: Operation not permitted
Feb  4 20:50:04 dns named[87962]: could not listen on UDP socket: unexpected error
Feb  4 20:50:04 dns named[87962]: creating IPv4 interface em0 failed; interface ignored
Feb  4 20:50:04 dns named[87962]: not listening on any interfaces

I have a totally basic configuration: listen on one IP, and one domain added. Bind is in a jail, and the jail is created from the same sources the host is built from. Can someone tell me where the problem could be?
 
It looks like you're trying to bind it to em0 and that interface isn't available. Did you configure it to listen on the host's IP address perhaps?
 
Code:
// $FreeBSD$
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/local/share/doc/bind for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
        listen-on       { 79.137.56.144;};

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".
//      listen-on-v6    { ::1; };

(...)

When it's running ....
Code:
root@dns:/ # sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      79540 21 tcp4   79.137.56.144:53      *:*
bind     named      79540 22 tcp4   79.137.56.144:953     *:*
bind     named      79540 512 udp4  79.137.56.144:53      *:*
bind     named      79540 513 udp4  79.137.56.144:53      *:*
bind     named      79540 514 udp4  79.137.56.144:53      *:*
bind     named      79540 515 udp4  79.137.56.144:53      *:*
bind     named      79540 516 udp4  79.137.56.144:53      *:*
bind     named      79540 517 udp4  79.137.56.144:53      *:*
bind     named      79540 518 udp4  79.137.56.144:53      *:*
root     syslogd    70126 6  udp4   79.137.56.144:514     *:*
When it doesn't work:
Code:
root@dns:/ # sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      79540 21 tcp4   79.137.56.144:53      *:*
bind     named      79540 22 tcp4   79.137.56.144:953     *:*
And the process is still active. It stops working after a few hours. I'm wondering why.
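The two sockstat listings above show the failure mode: named keeps its TCP listeners but the udp4 :53 sockets disappear while the process stays alive, so a process check alone will not notice. As an added example (not code posted in the thread), here is a small POSIX sh watchdog that parses sockstat -4 output and reports whether named still holds a UDP port-53 listener; the two embedded listings are constructed from the healthy and broken states shown in the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example: detect a BIND instance that has lost its UDP listener.
# Parses `sockstat -4` output (FreeBSD). The two samples below are
# constructed from the thread's healthy and broken listings.

HEALTHY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      79540 21 tcp4   79.137.56.144:53      *:*
bind     named      79540 22 tcp4   79.137.56.144:953     *:*
bind     named      79540 512 udp4  79.137.56.144:53      *:*
bind     named      79540 513 udp4  79.137.56.144:53      *:*
root     syslogd    70126 6  udp4   79.137.56.144:514     *:*'

BROKEN='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      79540 21 tcp4   79.137.56.144:53      *:*
bind     named      79540 22 tcp4   79.137.56.144:953     *:*'

# named_listeners <sockstat-output> <proto> <port>
# Prints how many sockets owned by the named process are bound to <proto>
# with local port <port>. Column 2 is COMMAND, 5 is PROTO, 6 is LOCAL ADDRESS.
named_listeners() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == "named" && $5 == proto {
            n = split($6, a, ":")      # "79.137.56.144:53" -> port is last field
            if (a[n] == port) c++
        }
        END { print c + 0 }'
}

# check_named <sockstat-output>
# Returns 0 when named has both a TCP and a UDP port-53 listener,
# 1 otherwise (prints a one-line diagnosis to stderr).
check_named() {
    tcp=$(named_listeners "$1" tcp4 53)
    udp=$(named_listeners "$1" udp4 53)
    if [ "$tcp" -gt 0 ] && [ "$udp" -gt 0 ]; then
        return 0
    fi
    echo "named: tcp4/53 listeners=$tcp udp4/53 listeners=$udp (UDP missing?)" >&2
    return 1
}

# Live use inside the jail (hypothetical cron job, not from the thread):
#   check_named "$(sockstat -4)" || logger -t named-watchdog "named lost its UDP listener"
```

Run it from cron inside the jail; a non-zero exit is the signal to capture `sockstat -4` and the named log around that time before restarting, which is the evidence needed to find why the UDP socket went away.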
 
I don't run BIND in a jail (it's already chroot(8)'ed so there's no benefit). But I can imagine it needs allow.raw_sockets.

More importantly, is that IP address bound to the jail?
 
I don't run BIND in a jail (it's already chroot(8)'ed so there's no benefit). But I can imagine it needs allow.raw_sockets.

More importantly, is that IP address bound to the jail?

Yes, sure.
jls output:
Code:
root@HardenedBSD:/home/bryn1u # jls
   JID  IP Address      Hostname                      Path
    2  79.137.56.144   dns.proton.edu.pl             /jails/DNS
jail.conf
Code:
DNS {
        path = /jails/DNS;
        enforce_statfs=2;
        exec.clean;
        exec.consolelog = "/var/log/jail_DNS_console.log";
        devfs_ruleset = 10;
        mount += "dev /jails/DNS/dev devfs rw,ruleset=10";
        mount += "fdesc /jails/DNS/dev/fd fdescfs rw";
        mount += "proc /jails/DNS/proc procfs rw";
        host.hostname = dns.proton.edu.pl;
        ip4.addr = 79.137.56.144;
        interface = em0;
        securelevel = 3;
        allow.raw_sockets;
        exec.start = "/bin/sh /etc/rc";
        exec.stop = "/bin/sh /etc/rc.shutdown";
}
The funny thing is that after a server reboot the jail starts, but there is some problem with bind, because the output of sockstat -4 shows:
Code:
root@dns:/ # sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      79901 22 tcp4   79.137.56.144:953     *:*
root     syslogd    95400 6  udp4   79.137.56.144:514     *:*
root@dns:/ #
I have no idea what's going on. Can I debug it somehow?
It starts working when I enter service named restart.
You said that bind is already chrooted. Do you mean that the basic installation includes a chroot for bind911 by default?
 
Do you mean that the basic installation includes a chroot for bind911 by default?
Yes, just not enabled by default.

Code:
named_enable="YES"
named_chrootdir="/var/named"
named_chroot_autoupdate="YES"
 