LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 05-09-2016, 04:49 PM   #1
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Kubuntu 20.04 on workstation, CentOS 6.x on servers
Posts: 1,181

Rep: Reputation: 47
Random DNS outages


I have a fairly newly setup local DNS server running CentOS 6.7 and whatever is the latest named available for that distro.

It acts as a local DNS server and also a cache/forwarder for rest of my internet.

Every now and then, it just stops working. All name resolutions fail. I need to restart it then everything starts working again. This is quite unacceptable, I should not have to restart a service all the time like that.

Is there a way to figure out why it's doing this, and to stop it? Does it create a log anywhere?
 
Old 05-09-2016, 08:02 PM   #2
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 6,317

Rep: Reputation: Disabled
Does it crash and leave behind a stale pid file?
 
Old 05-10-2016, 01:59 AM   #3
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Kubuntu 20.04 on workstation, CentOS 6.x on servers
Posts: 1,181

Original Poster
Rep: Reputation: 47
Not that I'm aware of, just doing named restart fixes the issue, I don't get any unusual errors, like failing to stop the service. I looked for a log but can't seem to find where it puts it or what it names it, if there is any.
 
Old 05-10-2016, 02:34 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,733

Rep: Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835
@OP

Looks like you hit this bug.
Since there is no solution mentioned there, try to use a different bind version. Upgrade if possible or downgrade (according to the guy that opened the bug report downgrading bind solves the problem).
BTW as you can see at the bug report, the named logs are written in /var/named/data/named.run

Regards
 
Old 05-10-2016, 11:51 AM   #5
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Kubuntu 20.04 on workstation, CentOS 6.x on servers
Posts: 1,181

Original Poster
Rep: Reputation: 47
Hmmm wonder if my version is affected, it's only a few numbers off:

BIND 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7

I did a yum update but it's as high as it goes. I'm not sure how to downgrade and even if I did the next time I do a system update it will just update back anyway. I found the named.run file, but it's empty. There's a couple dated ones but they're all empty as well.
 
Old 05-10-2016, 02:05 PM   #6
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,244
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
You should be able to downgrade and then use the '--exclude=' option to exclude bind from being updated.
 
Old 05-10-2016, 04:07 PM   #7
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,733

Rep: Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835
Quote:
it will just update back anyway. I found the named.run file, but it's empty. There's a couple dated ones but they're all empty as well.
Run:
Code:
rndc trace 3
to start logging at debug level 3. Or use 99 as in the bug report suggestion, for more detailed logging
 
Old 05-10-2016, 04:21 PM   #8
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Kubuntu 20.04 on workstation, CentOS 6.x on servers
Posts: 1,181

Original Poster
Rep: Reputation: 47
Quote:
Originally Posted by lazydog View Post
You should be able to downgrade and then use the '--exclude=' option to exclude bind from being updated.
Is there a way to make that permanent somewhere? I just go on all my servers and run "yum update" every now and then, I'll surely forget to put that flag. :P

But first I'll try to confirm if that really is the bug I have. I just tried that rndc command so next time it happens I'll go check that log.
 
Old 05-10-2016, 08:47 PM   #9
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,244
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Quote:
Originally Posted by Red Squirrel View Post
Is there a way to make that permanent somewhere? I just go on all my servers and run "yum update" every now and then, I'll surely forget to put that flag. :P
You could always make a alias for it, for example:

Code:
alias yud='yum update --exclude=bind'
Then when the alias is no longer needed you can simple delete it.
 
Old 05-15-2016, 07:30 PM   #10
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Kubuntu 20.04 on workstation, CentOS 6.x on servers
Posts: 1,181

Original Poster
Rep: Reputation: 47
Did it again with logging on. Where do I find the log file? And is there a way to change it so it's in /var/log, that's where all the other logs are.

Edit: NM noticed it was already posted. Found it. That log is HUGE. I will sift through that and try to see if there's anything relevant to post. There are no time stamps so really it's kind of useless.

Last edited by Red Squirrel; 05-15-2016 at 07:37 PM.
 
Old 05-15-2016, 08:31 PM   #11
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Kubuntu 20.04 on workstation, CentOS 6.x on servers
Posts: 1,181

Original Poster
Rep: Reputation: 47
Log is just filling up with errors, there's definitely something wrong.


Code:
error (no valid RRSIG) resolving 'rambler.ru.dlv.isc.org/DS/IN': 208.67.222.123#53
error (insecurity proof failed) resolving 'rambler.ru.dlv.isc.org/DLV/IN': 208.67.222.123#53
validating @0x7faa4853c8b0: . NS: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './NS/IN': 208.67.220.123#53
  validating @0x7faa280048e0: net SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'sourceforge.net/DS/IN': 208.67.220.123#53
validating @0x7faa44034730: . NS: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './NS/IN': 208.67.222.123#53
validating @0x7faa30013bf0: . NS: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './NS/IN': 208.67.220.123#53
  validating @0x7faa30022840: net SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'minecraft.net/DS/IN': 208.67.220.123#53
validating @0x7faa34050620: . NS: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './NS/IN': 208.67.220.123#53
validating @0x7faa380151c0: . NS: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './NS/IN': 208.67.220.123#53
validating @0x7faa380151c0: . NS: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './NS/IN': 208.67.220.123#53
error (unexpected RCODE REFUSED) resolving '57.27.55.47.list.dsbl.org/TXT/IN': 8.8.8.8#53
error (unexpected RCODE REFUSED) resolving '57.27.55.47.list.dnswl.org/A/IN': 8.8.8.8#53
validating @0x7faa38027d00: . NS: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './NS/IN': 208.67.220.123#53
  validating @0x7faa48527f90: org SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'open-whois.org/DS/IN': 208.67.220.123#53
validating @0x7faa34056c00: . NS: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving './NS/IN': 208.67.222.123#53
  validating @0x7faa28036c70: org SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'ahbl.org/DS/IN': 208.67.220.123#53
validating @0x7faa48527300: org DNSKEY: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving 'org/DNSKEY/IN': 208.67.220.123#53
error (unexpected RCODE REFUSED) resolving '57.27.55.47.list.dsbl.org/TXT/IN': 8.8.4.4#53
  validating @0x7faa3c0312e0: org SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'spamhaus.org/DS/IN': 208.67.220.123#53
validating @0x7faa28013c50: org DNSKEY: got insecure response; parent indicates it should be secure
error (insecurity proof failed) resolving 'org/DNSKEY/IN': 208.67.222.123#53
  validating @0x7faa380299a0: org SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'ahbl.org/DS/IN': 208.67.222.123#53
  validating @0x7faa30024160: org SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'dnswl.org/DS/IN': 208.67.220.123#53
  validating @0x7faa44037cf0: org SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'bondedsender.org/DS/IN': 208.67.220.123#53
  validating @0x7faa30025170: org SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'w3.org/DS/IN': 208.67.220.123#53
  validating @0x7faa280048e0: com SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'habeas.com/DS/IN': 208.67.220.123#53
  validating @0x7faa34057890: com SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'isipp.com/DS/IN': 208.67.220.123#53
  validating @0x7faa3c02ed30: org SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'dnswl.org/DS/IN': 208.67.222.123#53
  validating @0x7faa28032330: org SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'open-whois.org/DS/IN': 208.67.222.123#53
  validating @0x7faa44037060: net SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'spamcop.net/DS/IN': 208.67.220.123#53
  validating @0x7faa44034730: org SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'w3.org/DS/IN': 208.67.222.123#53
  validating @0x7faa48536f60: org SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'spamhaus.org/DS/IN': 208.67.222.123#53
  validating @0x7faa4003d700: net SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'sorbs.net/DS/IN': 208.67.222.123#53
  validating @0x7faa3c02fd40: com SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'isipp.com/DS/IN': 208.67.222.123#53
  validating @0x7faa44034730: com SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'habeas.com/DS/IN': 208.67.222.123#53
  validating @0x7faa4003aa50: net SOA: got insecure response; parent indicates it should be secure
error (no valid RRSIG) resolving 'spamcop.net/DS/IN': 208.67.222.123#53
error (network unreachable) resolving 'dns1.njabl.org/AAAA/IN': 2001:500:e::1#53
error (network unreachable) resolving 'dns2.njabl.org/AAAA/IN': 2001:500:e::1#53

Is this due to that bug, or something else?
 
Old 05-16-2016, 07:25 AM   #12
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 12,733

Rep: Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835Reputation: 1835
Quote:
Is this due to that bug, or something else?
This is a dnssec validation error.
Perhaps due to this error the cache gets full, resulting in named failure.
This is also mentioned in this bug report, with the workaround to disable dnssec, so you can try it to see if it solves your problem:
Code:
dnssec-enable no;
dnssec-validation no
 
Old 05-16-2016, 12:41 PM   #13
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Kubuntu 20.04 on workstation, CentOS 6.x on servers
Posts: 1,181

Original Poster
Rep: Reputation: 47
Yeah just tried to disable dnssec as per the suggestion to see if it helps. This is just a local dns server so don't think it really matters, it's not exposed to the internet.
 
Old 05-17-2016, 12:34 AM   #14
v4r3l0v
Member
 
Registered: Dec 2013
Posts: 136

Rep: Reputation: Disabled
It is very important to discern who is actually writing to resolv.conf on your machine. Is it maybe the home router taking over with its own DHCP, and with it- its own suggestions for using DNS servers instead of what you prescribed?
 
Old 05-21-2016, 12:01 PM   #15
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Kubuntu 20.04 on workstation, CentOS 6.x on servers
Posts: 1,181

Original Poster
Rep: Reputation: 47
Quote:
Originally Posted by v4r3l0v View Post
It is very important to discern who is actually writing to resolv.conf on your machine. Is it maybe the home router taking over with its own DHCP, and with it- its own suggestions for using DNS servers instead of what you prescribed?
Not sure what you're tryng to say? There's only really one person with access to the server and resolv.conf is set to correct IP and having it set to a different IP would cause it to fail consistently not just randomly...unless I've been compromised which I can't see how given it's not public facing and all my public facing stuff is on a separate vlan, though that vlan does have access to the DNS server... is there any known exploits for named where there is remote code execution? It would still require that one of the public facing servers is compromised though.

So far so good with DNSSEC off though.... but is that a real solution? Turning something security related off does not sound like a good long term plan, or does it not really matter for a local server? I'll admit I never really read up much on it so not sure of the exact details on how it works.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Raspberry PI, SlackwareARM, fs integrity and power outages andrixnet Slackware - ARM 19 03-18-2016 04:03 AM
Dealing with power outages. jens General 3 12-20-2014 01:10 PM
Iptables rules for master DNS server to allow zone transfer through a random port Toomas Linux - Networking 2 10-27-2010 12:47 AM
[SOLVED] Slack64 -current, KDE4, and intermittent DNS outages Crashbox Slackware 9 08-21-2009 07:53 PM
DNS server meet random ports problem? wegadnie Linux - General 7 11-29-2008 01:42 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 08:33 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration