LinuxQuestions.org

Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
Thread: https://www.linuxquestions.org/questions/linux-networking-3/evertyhing-indicates-that-bind-sec-dns-is-working-but-it-is-not-831218/

laurens 09-09-2010 12:10 PM

Everything indicates that bind sec. dns is working but it is not!
 
Hi all,

I had this strange and quite stressful situation today. I changed something in the config of NS1 (the primary nameserver) and because of that BIND9 went down. It seemed that, unfortunately, the secondary NS, NS2, did not take over.

When I first did /etc/init.d/bind9 reload I got this error:
Code:

Stopping named: rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.
[FAILED]

I was able to fix this, I guess, because now the error has gone. I found the solution on some blog (I remember it had something to do with 'pkill lwresd' and restarting bind a couple of times).

Anyway, to test NS1, on my local computer I set up NS1 as the primary and only nameserver. This works fine for testing NSs.
This way I can surf the internet and ping the domains that are on the nameserver.

Now when I do the same with my NS2 I can't do anything. I cannot ping anything, and surfing of course does not work either.
But from the server itself, NS2, I can ping everything. Every nslookup is done via an external nameserver, which is logical.

Furthermore, everything looks normal on NS2. No errors; I can change, add, delete, apply, restart, reload without any problem.

I was thinking it had something to do with the rndc key (signing) maybe...

Thanks in advance!

bathory 09-09-2010 01:17 PM

Quote:

Now when I do the same with my NS2 I can't do anything. I cannot ping anything, and surfing of course does not work either.
But from the server itself, NS2, I can ping everything.
I guess you mean that NS2 itself can resolve everything.
Are you sure that your box can access NS2? Or is NS2 perhaps configured to deny recursion? Without the config files we can only speculate.
Quote:

Every nslookup is done via an external nameserver, which is logical.
What do you mean by that? Again, we need the config file(s) in order to help further.

Regards

laurens 09-09-2010 02:50 PM

3 Attachment(s)
Quote:

Originally Posted by bathory (Post 4092717)
I guess you mean that NS2 itself can resolve everything.
Are you sure that your box can access NS2? Or is NS2 perhaps configured to deny recursion? Without the config files we can only speculate.
What do you mean by that? Again, we need the config file(s) in order to help further.

Regards

Thanks for your reply.

Quote:

But from the server itself, NS2, I can ping everything; every nslookup is done via an external nameserver, which is logical.
I meant that when I log onto the server (NS2) via ssh and, for example, do "ping google.com", this works. When in Windows I set the primary nameserver to NS2, "ping google.com" gives me a time-out.

In the attachment I added named.conf, named.conf.local and another file. If you need anything else, let me know!

Thanks

bathory 09-09-2010 05:01 PM

Quote:

I meant that when I log onto the server (NS2) via ssh and, for example, do "ping google.com", this works. When in Windows I set the primary nameserver to NS2, "ping google.com" gives me a time-out.
Can NS2 resolve any of the domains it's supposed to be slave DNS for? Because I'm getting a SERVFAIL for a couple of domains I've tested.
Anyway the only suspicious thing I've found is
Quote:

listen-on-v6 { any; };
in named.conf.options. Either comment it out, or add:
Code:

listen-on { any; };
so it also listens on the IPv4 address.

Re: the rndc command, there is no rndc-key in any of the files you've attached, nor an include statement for a file containing the rndc-key.
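
An added diagnostic for the situation being discussed here; it is written for this page and is not code from the thread or from BIND. It separates "nothing is listening on that address" from "named answers but refuses or fails", which is the distinction the SERVFAIL observation and the listen-on question are probing. The server address, zone name and external name passed to check_ns are placeholders, and the dig output the classifier is checked against is constructed.

```shell
#!/bin/sh
# classify_dig: read the output of `dig` on stdin and print one word:
#   TIMEOUT   - nothing answered on that address/port (not listening, firewalled, wrong IP)
#   REFUSED   - named answered, but allow-query / allow-recursion rejected this client
#   SERVFAIL  - named has no usable data: a secondary zone that never transferred or
#               failed to load, or recursion that cannot reach the root servers
#   NXDOMAIN  - authoritative "no such name"
#   AUTH      - NOERROR with the aa flag: this server is authoritative for the name
#   RECURSIVE - NOERROR without aa but with ra: answered from cache or by recursing
#   NOAUTH    - NOERROR with neither aa nor ra: a referral rather than an answer
classify_dig() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*) echo TIMEOUT; return 0 ;;
    esac
    # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n1)
    # ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0"
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n1)
    case "$status" in
        REFUSED|SERVFAIL|NXDOMAIN) echo "$status" ;;
        NOERROR)
            if has_flag "$flags" aa; then echo AUTH
            elif has_flag "$flags" ra; then echo RECURSIVE
            else echo NOAUTH
            fi ;;
        *) echo UNKNOWN ;;
    esac
}

# has_flag "<flags words>" <flag>: true if the flag word is present
has_flag() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# check_ns <server-ip> <hosted-zone> <external-name>: the two questions from the thread.
# The SOA of a hosted zone must come back AUTH on a working secondary; the external name
# only needs to be RECURSIVE if the server is meant to resolve the wider internet.
check_ns() {
    srv=$1; zone=$2; ext=$3
    printf 'SOA %s @%s: ' "$zone" "$srv"
    dig +time=2 +tries=1 @"$srv" "$zone" SOA | classify_dig
    printf 'A %s @%s: ' "$ext" "$srv"
    dig +time=2 +tries=1 @"$srv" "$ext" A | classify_dig
}

# show_listeners: the addresses named actually bound on port 53 (IPv4 and IPv6),
# rather than what listen-on / listen-on-v6 in named.conf.options appear to say.
show_listeners() {
    if command -v ss >/dev/null 2>&1; then ss -lnup | grep ':53 '
    else netstat -lnup | grep ':53 '; fi
}

if [ "$#" -eq 3 ]; then check_ns "$@"; fi
```

Run `check_ns <NS2 address> <a hosted zone> www.google.com` from the client side (any machine with dig) and `show_listeners` on NS2 itself. SERVFAIL on the hosted zone means the secondary never transferred or loaded it, REFUSED means an ACL, TIMEOUT means no listener on that address or a firewall in between. One caveat on the listen-on suggestion: in BIND 9 an absent listen-on already means all IPv4 interfaces, so let show_listeners tell you what named bound before editing the config on that assumption.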

laurens 09-09-2010 06:12 PM

Quote:

Originally Posted by bathory (Post 4092888)
Can NS2 resolve any of the domains it's supposed to be slave DNS for? Because I'm getting a SERVFAIL for a couple of domains I've tested.
Anyway the only suspicious thing I've found is
in named.conf.options. Either comment it out, or add:
Code:

listen-on { any; };
so it listens also on the IPv4 address.

Re: the rndc command, there is no rndc-key in any of the files you've attached, nor an include statement to a file containing the rndc-key

No, from outside it can't resolve anything. From 'inside' on the server (ssh) it can resolve everything.
I will change that.

There is an rndc.key file; should I mention the location somewhere?
Thanks

bathory 09-10-2010 12:06 AM

Hi,

Take a look at this to see how to configure rndc.

laurens 09-10-2010 10:37 AM

Quote:

Originally Posted by bathory (Post 4093098)
Hi,

Take a look at this to see how to configure rndc.

Hi, I believe I did everything I could: generated a new rndc key, triple-checked all the settings, etc.
Next I initiated a sync between NS1 and NS2, and the updates were fetched from NS1. So the communication between those is okay.
Unfortunately, when I do a reload I get this error again:
Code:

Andrea58:/etc# rndc reload
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.

Same with the restart:
Code:

Andrea58:/etc# /etc/init.d/bind9 restart
Stopping domain name service...: bind9rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.
.
Starting domain name service...: bind9.
Andrea58:/etc#

Eventually the purpose is to have a working NS2 to rely on.
For the moment the problem remains that when I choose NS2 as my nameserver in Windows it cannot resolve anything, not even the domains hosted on the server.

I saw that the time is not the same on both servers. Could that be a reason?
Of course I cannot just manually adjust the time on both servers at the very same moment. How should it be done?
Code:

10-Sep-2010 15:19:36.871 zone mitsubishiservice.be/IN: refresh: could not set file modification time of '/etc/bind/mitsubishiservice.be.hosts': permission denied
Thanks in advance

bathory 09-10-2010 12:21 PM

Quote:

I saw that the time is not the same on both servers. Could that be a reason?
Of course I cannot just manually adjust the time on both servers at the very same moment. How should it be done?
Yes, the clocks must be synchronized. You can use ntpdate to synchronize them using a time server in your country:
Code:

/usr/sbin/ntpdate -s be.pool.ntp.org
Regarding rndc, post /etc/rndc.conf and the part of /etc/named.conf where you define rndc.

The good news is that now I can resolve your domains using NS2, so I guess you somehow fixed it. I guess it was the IPv6-only protocol.

Regards
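
Added helpers for the two rndc causes that surfaced in this thread; they are written for this page and are not the thread's or BIND's own code. The first is a key that differs between the rndc side and the named side: rndc signs every command with the shared secret, and named drops the connection when the HMAC does not verify, which is the "connection to remote host closed" symptom quoted above. The second is clock skew: rndc messages carry a timestamp and named rejects ones outside a window of a few minutes, so a correct key still fails on an unsynchronised server. ssh access to the other server and the file names passed in are assumptions; the key generated in the test is constructed on the spot.

```shell
#!/bin/sh
# extract_secret <file>: the base64 secret of the first key {} block in a named/rndc config
extract_secret() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n1
}

# keys_match <named.conf or the file it includes> <rndc.key or rndc.conf>:
# true when both sides carry the same secret, the first thing to verify after
# "connection to remote host closed".
keys_match() {
    a=$(extract_secret "$1"); b=$(extract_secret "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# clock_skew <remote-host>: absolute seconds between this host's clock and the
# remote one, read over ssh. Anything beyond a few seconds after ntpdate means
# ntpd is not keeping the clocks in step.
clock_skew() {
    remote=$(ssh "$1" date +%s) || return 1
    here=$(date +%s)
    d=$((remote - here))
    [ "$d" -lt 0 ] && d=$((0 - d))
    echo "$d"
}

# new_rndc_key <outfile> <keyname>: a fresh 256-bit secret for an HMAC-SHA256 rndc key,
# written with mode 0600. The same file is included from named.conf (and named in its
# controls {} block) and used as /etc/rndc.key; it must never be world-readable, since
# whoever reads it can reload, flush or stop the server.
new_rndc_key() {
    secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    ( umask 077; cat > "$1" <<EOF
key "$2" {
    algorithm hmac-sha256;
    secret "$secret";
};
EOF
    )
}
```

`keys_match /etc/bind/rndc.key /etc/rndc.key` on NS2 is the check to run first (Debian installs the key under /etc/bind and includes it from there; other distributions keep it in named.conf directly), then `clock_skew <NS1 hostname>` from NS2. new_rndc_key does what `rndc-confgen -a` does, but with SHA-256; older BIND releases (roughly before 9.10) accept only hmac-md5 for rndc, so match the algorithm to the version you run. After replacing a key, restart named with the init script or a signal rather than with rndc, since rndc is the thing that is broken until the new key is loaded on both sides.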

laurens 09-11-2010 10:31 AM

Thanks for your help! Indeed, I can now resolve domains that are on the server (but only domains on the server, no others). This one is solved, in other words. Thanks again

bathory 09-11-2010 12:58 PM

Quote:

Indeed, I can now resolve domains that are on the server (but only domains on the server, no others).
For NS2 to be able to resolve any domain, make sure the hint zone "." file (/etc/bind/db.cache) exists and can be read by named.
And since your main problem is answered, you can mark the thread "Solved"

Regards
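
An added configuration audit, written for this page rather than taken from the thread, for the two remaining points: a secondary that should also resolve other domains needs a readable hint zone for ".", and the "could not set file modification time ... permission denied" line in the log pasted earlier means named cannot write its copy of the slaved zone (it touches that file on every refresh). It also adds the check that belongs with turning recursion on for an internet-facing authoritative server: BIND recurses by default, and without an allow-recursion ACL the server is an open resolver that anyone can use for reflection traffic. The script expects the one-statement-per-line layout that `named-checkconf -p` prints; the configs it is tested against are constructed, with 192.0.2.0/24 standing in for the trusted network.

```shell
#!/bin/sh
TAB=$(printf '\t')

# list_zones <flattened named.conf>: one line per zone, "name<TAB>type<TAB>file".
# Nested blocks are handled by counting braces; paths containing spaces are not.
list_zones() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ && depth == 0 {
            inzone = 1; type = ""; file = ""
            match($0, /"[^"]*"/); name = substr($0, RSTART + 1, RLENGTH - 2)
        }
        { depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}") }
        inzone && /^[[:space:]]*type[[:space:]]/ { type = $2; sub(/;.*/, "", type) }
        inzone && /^[[:space:]]*file[[:space:]]/ { file = $2; gsub(/[";]/, "", file) }
        inzone && depth == 0 { print name "\t" type "\t" file; inzone = 0 }
    ' "$1"
}

# audit_named_conf <flattened named.conf>: print one FLAG line per problem found.
audit_named_conf() {
    conf=$1
    if ! grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;' "$conf"; then
        # Recursion is on (the default). Without a restrictive allow-recursion this
        # authoritative server also answers recursive queries for the whole internet.
        if ! grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*\{' "$conf" \
           || grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*\{[[:space:]]*any[[:space:]]*;' "$conf"; then
            echo "FLAG: recursion is on for any client (open resolver); add allow-recursion { localhost; <trusted nets>; }; or recursion no;"
        fi
        # A recursive server finds everything else starting from the root hints.
        list_zones "$conf" | grep -q "^\.${TAB}hint${TAB}" \
            || echo "FLAG: recursion is on but no hint zone for \".\" is defined"
    fi
    list_zones "$conf" | while IFS="$TAB" read -r name type file; do
        case "$type" in
            hint)
                [ -r "$file" ] || echo "FLAG: hint file '$file' for zone $name is missing or unreadable" ;;
            slave|secondary)
                # named must be able to write the transferred copy; on Debian /etc/bind
                # is root-owned and slave zone files belong under /var/cache/bind.
                case "$file" in
                    /etc/*) echo "FLAG: secondary zone $name keeps its copy at $file, which named cannot write; move it under /var/cache/bind" ;;
                esac ;;
        esac
    done
}

if [ "$#" -eq 1 ]; then audit_named_conf "$1"; fi
```

Typical use: `named-checkconf -p /etc/bind/named.conf > /tmp/named.flat && sh audit.sh /tmp/named.flat`. Each FLAG line is one change to make; the hint-file check runs as the invoking user, so run it as the same user named runs as (bind on Debian) to get the same answer named would.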

