LinuxQuestions.org
Old 03-16-2010, 11:13 AM   #1
caksin
Member
 
Registered: Jul 2008
Location: Ankara, Türkiye
Distribution: Ubuntu, Pardus
Posts: 47

Rep: Reputation: 16
Dns problem with bind9


I've a server for all;
web server, dns server, sql server, mail server and for a couple of domains.
For about the last 1 month or so there have been complaints that people can't reach the sites hosted on the server and it's getting more and more frequent.
Also they say they couldn't send or receive e-mails from time to time. I can never replicate/catch this error because whenever they say "I can't reach the site", I can.
I had them try with the IP when they couldn't reach it with the address and voila, they can access the site.
In daemon.log there are 3 types of errors (and I wonder if one of these could be causing my headaches):
  1. Quote:
    date time www named[4551]: FORMERR resolving 'hormail.com/MX/IN': some.ip#53
    I searched and read about this error, that it should be because someone is trying to resolve an IPv6 address. But it's mostly like "hotmai" or "hormail".
    Is this all there is to it?
  2. Quote:
    date time www named[4551]: unexpected RCODE (REFUSED) resolving 'ns3.some.domain/A/IN': some.ip#53
    Searched this too and found out it was not about my server, and that some other server refused to resolve the given address.
  3. Quote:
    date time www named[4551]: lame server resolving 'some.sub.domain' (in 'same.sub.domain'?): some.ip#53
    With a "last message repeated x times" note, "x" is mostly 3 if not always.
    I figured out that the "some.ip" is supposed to be authoritative for "some.sub.domain" but is not - and this is logged on my server because my server queried this "lame server", which is in fact not authoritative for that domain.
    Is this supposed to happen when recursive queries are allowed? Now I set recursion to no through webmin and I guess it reloads bind itself without requiring me to reload it separately since I clicked save.

I also read somewhere that postfix and blacklisted IPs could be causing this problem. I didn't get what he meant so I checked my syslog and found billions! of lines like this:
Quote:
www dovecot: pop3-login: Disconnected: user=<Aaaaaa>, method=PLAIN, rip=213.80.73.45, lip=server.ip
www dovecot: pop3-login: Disconnected: user=<Abcdef>, method=PLAIN, rip=213.80.73.45, lip=server.ip
www dovecot: pop3-login: Disconnected: user=<Action>, method=PLAIN, rip=213.80.73.45, lip=server.ip
So was someone trying to send mail through my server using something like a brute force attack?
Thanks all in advance.
 
Old 03-16-2010, 01:07 PM   #2
spampig
Member
 
Registered: Feb 2010
Location: /Earth/UK/England/Hampshire
Distribution: Debian, Ubuntu, CentOS, Slackware
Posts: 262
Blog Entries: 2

Rep: Reputation: 56
Quote:
Originally Posted by caksin View Post
I've a server for all;....
....so checked my syslog and found out billions! of lines like this;


So someone was trying to send mail through my server using something like a brute force attack?
....
www dovecot: pop3-login: Disconnected: user=<Aaaaaa>, method=PLAIN, rip=213.80.73.45, lip=server.ip
www dovecot: pop3-login: Disconnected: user=<Abcdef>, method=PLAIN, rip=213.80.73.45, lip=server.ip
www dovecot: pop3-login: Disconnected: user=<Action>, method=PLAIN, rip=213.80.73.45, lip=server.ip
....
Thnx all in advance.
It looks like a BF but __not__ to send mail (well, not directly anyway) - Dovecot is a POP/IMAP server that stores mail, so someone is trying to read other people's mail by the look of it. That said, if Postfix is using the Dovecot SASL library, getting a username and password would be useful to log in to your server and send authenticated mail.

Ideally there needs to be a limit on connection attempts to Dovecot as it looks like a weak link here. There is some talk of adding a feature:

http://www.mail-archive.com/dovecot@.../msg26615.html


Your BIND errors you've pretty much explained for yourself. Users often do dumb stuff and then blame the host (hootmail or hotmall instead of hotmail - just like you've seen). With regards to the lame server, this says it best:

http://www.linuxquestions.org/questi...6/#post1491408

HTH
 
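The detection side of what spampig describes, as an added example that is not code from the thread or from Dovecot: it parses the pop3-login/imap-login lines quoted above, groups incomplete logins per remote IP, and flags sources that walk usernames in alphabetical order, which is the wordlist pattern (Aaaaaa, Abcdef, Action) visible in the original post. The sample log, the threshold and the lip value are constructed; the rip and the first three usernames are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Matches the Dovecot login-process lines quoted in the thread. The optional
# parenthesised reason also covers newer Dovecot releases, which log
# "Disconnected (auth failed, 1 attempts)" instead of a bare "Disconnected".
LOGIN_RE = re.compile(
    r"dovecot: (?P<proto>pop3|imap)-login: "
    r"(?P<event>Login|Disconnected)(?: \([^)]*\))?: "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>\w+), rip=(?P<rip>[0-9.]+)"
)

# Constructed sample syslog excerpt (timestamps, the alice lines and the lip
# value are made up; the rip and the first three usernames come from the thread).
SAMPLE_LOG = """\
Mar 16 10:01:02 www dovecot: pop3-login: Disconnected: user=<Aaaaaa>, method=PLAIN, rip=213.80.73.45, lip=192.0.2.10
Mar 16 10:01:03 www dovecot: pop3-login: Disconnected: user=<Abcdef>, method=PLAIN, rip=213.80.73.45, lip=192.0.2.10
Mar 16 10:01:03 www dovecot: pop3-login: Disconnected: user=<Action>, method=PLAIN, rip=213.80.73.45, lip=192.0.2.10
Mar 16 10:01:04 www dovecot: pop3-login: Disconnected: user=<Admin>, method=PLAIN, rip=213.80.73.45, lip=192.0.2.10
Mar 16 10:02:10 www dovecot: pop3-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Mar 16 10:03:11 www dovecot: imap-login: Disconnected: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
"""


def failed_logins_by_source(lines):
    """Map remote IP -> usernames (in arrival order) whose login never completed."""
    failures = defaultdict(list)
    for line in lines:
        m = LOGIN_RE.search(line)
        if m and m.group("event") == "Disconnected":
            failures[m.group("rip")].append(m.group("user"))
    return failures


def looks_like_dictionary_walk(users):
    """True when the usernames arrive in alphabetical order, as a wordlist does."""
    lowered = [u.lower() for u in users]
    return len(lowered) >= 3 and lowered == sorted(lowered)


def find_bruteforcers(lines, threshold=3):
    """Return (rip, attempts, distinct_users, dictionary_walk) per offending IP,
    busiest first. The threshold of 3 is a constructed value; tune it to your traffic."""
    report = []
    for rip, users in failed_logins_by_source(lines).items():
        if len(users) >= threshold:
            report.append((rip, len(users), len(set(users)),
                           looks_like_dictionary_walk(users)))
    return sorted(report, key=lambda r: -r[1])
```

The offender list is what a firewall rule or a fail2ban-style jail would consume, which is the connection limit the post says Dovecot lacked at the time.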
Old 03-18-2010, 08:59 AM   #3
caksin
Ok, I get the Dovecot part; apparently there are no built-in solutions/options in Dovecot for this problem.
One of the guys on that mailing list wrote a script to limit it. That's for sure a problem, but for the time being the major problem I have is constantly growing: people can't send or receive emails and they cannot reach the sites hosted on the server more and more often. I just thought the login attempts could be slowing down the server due to frequent queries, but I guess it's not so likely.
So it should be about the DNS problem. How is it possible that I can reach the sites or send/receive emails when people in our other office cannot? Does anyone have any idea how this could be possible? 'Tis driving me crazy.
 
Old 03-18-2010, 09:09 AM   #4
spampig
Can I ask, what makes you so sure it's a DNS issue rather than a plain connectivity issue? Where is the server - is it a hosting company offering or do you have it in your office/building? To really nail it you would need a user to say 'at 13:05 today I was unable to connect to the website x.y.z hosted on the server' and then look in the apache access logs to see if the request even made it that far. Ditto with POP/IMAP. With regards to Postfix blocking IP addresses, this would only happen if they were on some kind of blocklist and it had been configured to use it. It would normally show a message in the mail log to indicate that it had done it.
 
Old 03-18-2010, 09:44 AM   #5
caksin
Yes, it's a hosting company, a co-location service. Ok, I will check the access logs and report back. I thought it was a DNS problem because of the thing I mentioned in the first post;
Quote:
I had them try with the ip when they couldn't reach with address and voila, they can access the site.
I might be mistaken of course, I'm not sure about the problem.
 
Old 03-18-2010, 09:55 AM   #6
spampig
I understand that Caksin but you've pointed out you have some users who can't spell things like 'hotmail' :-) From my own experience with 'discount' hosting/VPS hosting I've seen issues with BIND running out of allocated memory. The named process uses quite a bit of meat. If this is a full power independent dedicated server it should be fine and dandy. If it's a VPS offering I would bear in mind that they can be flaky.
 
Old 03-18-2010, 10:29 AM   #7
caksin
Hm, thanks for the heads up spampig, but the company is a very good one and we have our machine located in their building. It's also quite a good system (Xeon 1.60 8 core) but as I mentioned all the stuff is on it, all the servers. Maybe it really is overloaded. The traceroute is problematic by the way, it cannot reach the server. It gets stuck at the 11th stop using dnsstuff's traceroute check. Could this be it?
 
Old 03-18-2010, 10:46 AM   #8
spampig
Assuming you have all of that to yourself (rather than a slice or share of it) then I would be really surprised for a Xeon 1.60 8 core machine to fail to answer DNS requests. I'm also slightly baffled that you don't have any issues reaching it yourself. I guess that you are running more than one name server and they are authoritative for domains you have hosted? Something else is not occasionally answering with NXDOMAIN for the affected customers?
 
Old 03-18-2010, 10:56 AM   #9
caksin
Yes, the system is totally ours. If I understood you correctly; there is a bind9 installation with only 4 virtual domains. And the same system is authoritative for those domains, you're right. You mean there could be something else - other than bind - trying to respond to queries? I've got absolutely no idea what's not happening correctly.
 
Old 03-18-2010, 11:14 AM   #10
spampig
So I'm not confused here, are you using BIND to give authoritative answers for your domains to the rest of the world, or resolving queries to other domains for your clients (or both)???

It would be normal to provide more than one authoritative DNS server for a domain for redundancy. I guess you have a second one set up some place to resolve your domains in case of load/failure?

So I'm totally clear your clients try to access 'yourdomain.com'. Their software runs off to resolve 'yourdomain.com' by using their ISP's name servers. If they don't already have this in cache they will recurse the request until they find either a cached version from another server that still has 'time to live (TTL)' or directly from your AUTHORITATIVE bind server if nothing else knows along the way. During the process something fails and on occasions clients don't get an IP for the name. Is this the scenario you are facing or are you trying to force them to query your server directly?

What I would do is just run a quick check to see what the rest of the world thinks should be answering for your domain(s):
"nslookup -querytype=ns yourdomain.com 8.8.8.8" (this will check what the google name servers think your domain name servers should be)
"nslookup -querytype=ns yourdomain.com" this will use your defaults. Any differences?
 
Old 03-18-2010, 11:42 AM   #11
caksin
Yes just our domains, we don't do anything for anyone else - well that sounds so selfish but that's not true, valid only for this particular question - We don't have any slave dns servers, I know the risks but well, what can you do.
That's the correct scenario you wrote, that's the one killing me
Ok here are the results of what you asked;
- without the google ip:
Quote:
DNS request timed out.
timeout was 2 seconds.
Sunucu: UnKnown
Address: 192.168.2.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
- with the google ip
Quote:
Sunucu: google-public-dns-a.google.com
Address: 8.8.8.8

mydomain.com nameserver = ns2.mydomain.com
mydomain.com nameserver = ns1.mydomain.com
But the 192.168 makes me think I couldn't successfully query since it's a local IP. Is that so, do you think?

Last edited by caksin; 03-18-2010 at 11:44 AM.
 
Old 03-18-2010, 11:55 AM   #12
spampig
What the top result tells me is the system you ran it on could not find an authoritative server for your domain(s) - but the google server did. Two things spring from this - first, where did you run that first query? On your own PC? It's a concern that it can't find an auth name server for your domain in the global DNS system. Second, the results from google show two name servers, but you tell me you have one {did I read somewhere you had aliased a second to point to the first?}. The next question is does:

nslookup -querytype=A ns1.mydomain.com 8.8.8.8
nslookup -querytype=A ns2.mydomain.com 8.8.8.8

return the same single IP for your name server (both queries)?

If you are only hosting a few domains, and not resolving any odd internal IP addresses on your name server, can you not make use of the name servers of the domain registrar? In the UK if you register a domain with one of the normal reputable companies you can usually use their name servers and build your simple zones on their infrastructure via a simple web config page. Is that different from what happens where you are? I appreciate the situation in different parts of the world may not be the same. What I'm trying to get at is, is there any need for you to run a name server at all?
 
Old 03-18-2010, 12:18 PM   #13
caksin
They both return a non-existent domain error, what the heck?
But they should in fact point to the same ip.
Things are the same here too, that was just a choice, if I can not resolve this problem soon, that might be what we'll have to do. :S

Last edited by caksin; 03-18-2010 at 12:19 PM.
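The two nslookup checks from post #12, and the NXDOMAIN outcome of post #13, written up as an added Python check that is not from the thread or from any of the tools it mentions. `check_delegation` takes a `resolve(name, rtype)` callable so it runs offline against a constructed answer table; `public_resolver` is an optional real backend that assumes the dnspython package. The domain `mydomain.com`, the IP `192.0.2.10` and the answer table are constructed to mirror the thread's situation.

```python
def check_delegation(domain, resolve):
    """Run the nslookup checks from the thread against one resolver.

    `resolve(name, rtype)` returns a list of answer strings (empty on NXDOMAIN
    or no answer). Returns a list of human-readable findings; empty means the
    delegation looks usable from that resolver's point of view."""
    findings = []
    ns_names = [n.lower().rstrip(".") for n in resolve(domain, "NS")]
    if not ns_names:
        return ["%s: no NS records visible; the domain cannot be delegated" % domain]
    if len(ns_names) < 2:
        findings.append("%s: only one NS record, no redundancy" % domain)
    ns_addrs = {}
    for ns in ns_names:
        addrs = set(resolve(ns, "A"))
        if not addrs:
            # This is the NXDOMAIN the thread hit: the name is in the NS set
            # but nothing can turn it into an address, so resolvers give up.
            findings.append("%s: no A record, clients cannot reach this name server" % ns)
        ns_addrs[ns] = addrs
    reachable = [a for addrs in ns_addrs.values() for a in addrs]
    if len(ns_names) > 1 and len(reachable) > 1 and len(set(reachable)) == 1:
        findings.append("all NS names point at %s: a single point of failure" % reachable[0])
    return findings


# Constructed answer table reproducing what the public resolver returned in the
# thread: the NS records are published, but the NS hostnames have no A record.
CONSTRUCTED_ANSWERS = {
    ("mydomain.com", "NS"): ["ns1.mydomain.com", "ns2.mydomain.com"],
    ("www.mydomain.com", "A"): ["192.0.2.10"],
}


def stub_resolver(name, rtype):
    return CONSTRUCTED_ANSWERS.get((name.lower().rstrip("."), rtype), [])


def public_resolver(name, rtype, server="8.8.8.8"):
    """Real lookup through a public resolver; assumes the dnspython package
    (imported lazily so the offline checks above run without it)."""
    import dns.resolver
    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [server]
    try:
        answer = res.resolve(name, rtype)
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return [str(rr.target) if rtype == "NS" else rr.address for rr in answer]
```

Running `check_delegation("mydomain.com", public_resolver)` and the same call with a resolver pointed at your ISP's server shows the "any differences?" comparison from post #10 as a diff of two finding lists.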
 
Old 03-18-2010, 12:33 PM   #14
spampig
It's probable that you are going to need to visit that domain control panel anyway, to tell it where your NS is. It may be worth letting their infrastructure carry the brunt and set it up to resolve your A, AAAA, MX etc. The only thing you would need to take care of is the reverse DNS mapping, and that is likely to be dealt with by the hosting company that gave you the IP. Don't overlook this as incorrect/mismatched reverse DNS (PTR) will result in non-delivered email in great quantity :-)

Glad you're getting closer to the pot of gold :-)
 
Old 03-18-2010, 05:54 PM   #15
caksin
Thanks, but you know what, today at work I told the guys from the hosting company to enter a reverse DNS record for our IP to resolve to mail.mydomain.com and guess what, we cannot send mail to hotmail any longer. They used to get treated as spam but now hotmail directly refuses them, of course from all our domains because they all use the same mail server. I checked the blacklists and couldn't find anything, the only thing that used to look wrong before was the reverse DNS and now it is also ok but everything seems to be worse :S
Sucks when you cannot understand things.
Btw I want to thank you for your attention and all the time you took to respond, there; I have

Last edited by caksin; 03-18-2010 at 05:55 PM.
 