
Thursday, October 15, 2020

BIND : DNS Issue #4

1. Issue - resolving a local domain name to an IP address fails with:
> 192.168.1.3
Server:         127.0.0.1
Address:        127.0.0.1#53

3.1.168.192.in-addr.arpa      name = server.domain.site.
>  server.domain.site
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find server.domain.site.: SERVFAIL

2. Check Server log
In /var/log/messages the following errors can be observed:

Oct 28 15:41:13 kl1 named[17558]: zone localhost/IN: loaded serial 42
Oct 28 15:41:13 kl1 named[17558]: zone domain.site/IN: journal rollforward failed: journal out of sync with zone
Oct 28 15:41:13 kl1 named[17558]: zone domain.site/IN: not loaded due to errors.
Oct 28 15:41:13 kl1 named[17558]: running

3. Resolution
This issue can occur if the binary zone journal becomes corrupted. To resolve it, locate and delete the *.jnl files for the corresponding zone files in /var/lib/named or its subdirectories.
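The check and cleanup described above can be scripted. This is an added example, not part of the original post: it finds zones that logged both the journal error and the load failure, then locates their journal files. It assumes journals are named after the zone file, and it renames them rather than deleting them; the function names are hypothetical.

```python
import re
from pathlib import Path

# Constructed sample in the same format as the /var/log/messages excerpt above.
SAMPLE_LOG = """\
Oct 28 15:41:13 kl1 named[17558]: zone localhost/IN: loaded serial 42
Oct 28 15:41:13 kl1 named[17558]: zone domain.site/IN: journal rollforward failed: journal out of sync with zone
Oct 28 15:41:13 kl1 named[17558]: zone domain.site/IN: not loaded due to errors.
Oct 28 15:41:13 kl1 named[17558]: running
"""

ZONE_MSG = re.compile(r"named\[\d+\]: zone (?P<zone>\S+)/(?P<cls>\w+): (?P<msg>.*)$")


def zones_with_journal_errors(log_text):
    """Return zones that logged a journal rollforward failure AND were not loaded."""
    journal_failed, not_loaded = set(), set()
    for line in log_text.splitlines():
        m = ZONE_MSG.search(line)
        if not m:
            continue
        if m["msg"].startswith("journal rollforward failed"):
            journal_failed.add(m["zone"])
        elif m["msg"].startswith("not loaded due to errors"):
            not_loaded.add(m["zone"])
    return sorted(journal_failed & not_loaded)


def find_journals(zone, zone_dir):
    """List *.jnl files under zone_dir (recursively) whose name contains the zone."""
    # Assumption: journals are named after the zone file, e.g. domain.site.zone.jnl.
    return sorted(p for p in Path(zone_dir).rglob("*.jnl") if zone in p.name and p.is_file())


def quarantine(journals, suffix=".corrupt"):
    """Rename journals instead of deleting them, so they can be inspected later."""
    moved = []
    for path in journals:
        target = path.with_name(path.name + suffix)
        path.rename(target)
        moved.append(target)
    return moved


if __name__ == "__main__":
    for zone in zones_with_journal_errors(SAMPLE_LOG):
        print(zone, [str(p) for p in find_journals(zone, "/var/lib/named")])
```

Removing a journal discards any dynamic updates that were not yet written to the zone file, which is why the example renames the file instead of deleting it.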

Source:

Tuesday, June 25, 2019

BIND : WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)

Solutions:

1. Make sure that the key in /etc/bind/rndc.key is the same as the key in /etc/bind/rndc.conf
2. Copy the key from rndc.conf to rndc.key
3. Move /etc/bind/rndc.conf to any other location, for example /temp
4. Reload the rndc utility: #rndc reload

Source :
https://support.plesk.com/hc/en-us/articles/115000153813-Warnings-appear-in-syslog-key-file-exists-but-using-default-configuration-file

Tuesday, October 16, 2018

Tuesday, March 28, 2017

BIND : DNS Issue

Issue 1 :
isc_stdio_open '/var/log/named/named_security.log' failed: permission denied

Solutions  :

chown -R bind:root /var/log/named
chmod -R 775 /var/log/named


--------------------------------------------------------------------------------------------------------------
Issue 2 :
"open: permission denied" upon zone transfer

Solutions :
Edit #/etc/apparmor.d/usr.sbin.named
Add / Edit this line : /etc/bind/slave/* rw,

---------------------------------------------------------------------------------------------------------------

Tuesday, May 19, 2015

Monday, April 14, 2014

BIND : Enable statistics

Error : WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)

Solution:

1. Add this statement statistics-file "/var/cache/bind/named.stats"; to /etc/bind/named.conf

2. Remove or rename rndc.conf in /etc/bind

3. Add the following to /etc/bind/named.conf
include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

4. Restart bind.

Source : http://www.rainingpackets.com/bind-rndc-error-debian-ubuntu/

Monday, January 14, 2013

Monday, January 7, 2013

BIND : DNS Issue #1

Q:

Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar: ran out of space"?

A:
This is often caused by TXT records with missing close quotes. Check that all TXT records containing quoted strings have both open and close quotes.

Source : http://www.bind9.net/BIND-FAQ
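A quick way to find the offending record before reloading the zone, as an added example that is not part of the original post or the BIND FAQ: the scanner below flags TXT records whose quoted string never closes. It checks each line independently, ignores quotes inside ; comments and backslash-escaped quotes, and uses constructed sample data and hypothetical function names.

```python
# Constructed sample zone data; the record on line 4 is missing its closing quote.
SAMPLE_ZONE = '''\
$TTL 3600
@      IN SOA ns1.example.test. admin.example.test. ( 1 3600 600 86400 3600 )
@      IN TXT "v=spf1 mx -all"
mail   IN TXT "site-verification=abc123
note   IN TXT "semi;colon inside quotes" ; trailing comment with a " mark
esc    IN TXT "escaped \\" quote is fine"
'''


def scan_line(line):
    """Return (has_unclosed_quote, text_without_comment) for one zone-file line."""
    in_quote, escaped, out = False, False, []
    for ch in line:
        if escaped:
            escaped = False          # this character was escaped by a backslash
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            break                    # comment starts here; later quotes do not count
        out.append(ch)
    return in_quote, "".join(out)


def unbalanced_txt_records(zone_text):
    """Return (line_number, line) for TXT records whose quoted string never closes."""
    findings = []
    for number, line in enumerate(zone_text.splitlines(), start=1):
        unclosed, body = scan_line(line)
        # Only look at the fields before the first quote to identify the record type.
        fields = body.split('"', 1)[0].upper().split()
        if unclosed and "TXT" in fields:
            findings.append((number, line))
    return findings


if __name__ == "__main__":
    for number, line in unbalanced_txt_records(SAMPLE_ZONE):
        print(f"line {number}: unclosed quote in TXT record: {line}")
```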

Tuesday, October 30, 2012

Thursday, June 21, 2012

BIND : DNSSEC

Tutorial Enable DNSSEC

http://mattiasgeniar.be/2010/07/12/implementing-maintaining-dnssec-on-bind9-nameservers/

DNSSEC validation

http://dnsviz.net/
http://dnscheck.iis.se/#dnscheck
http://www.dnssecmonitor.org/index.php

Saturday, May 28, 2011

DNS Server Problems

Problems:

When checking the domain name and the DNS status at http://pingability.com, the following results are reported:

Error: Got an error when connecting to ns.x.x.x / x.x.x.x with a request for ns.x.x.x/CNAME: IOException: I/O Error on name server x.x.x.x for ns.x.x.x
Heads-up: Could not perform the CNAME check. IOException: I/O Error on name server x.x.x.x for ns.x.x.x
Information: No glue records found at parent name servers for ns2.unisel.edu.my
Error: Got an error when connecting to ns.x.x.x / x.x.x.x with a request for unisel.edu.my/SOA: IOException: I/O Error on name server x.x.x.x for abc.def.com
Error: The name server did not return any SOA records. This could indicate a 'lame' nameserver - one that is listed as authoratative, but does not return any information for the zone.
Information: The name server replied to an AXFR request. It returned a list of 113 DNS records it holds.
Error: Got an error when connecting to ns.x.x.x / x.x.x.x with a request for abc.def.com/NS: IOException: I/O Error on name server x.x.x.x for unisel.edu.my.


Resolve:

  • The firewall must allow the DNS server port: TCP and UDP 53

Tuesday, May 24, 2011

Thursday, April 14, 2011

Thursday, October 1, 2009

Wednesday, April 11, 2007

Internal and External DNS server

Two-in-one DNS server with BIND9

  • This tutorial shows you how to configure a BIND9 DNS server to serve an internal network and an external network at the same time, with a different set of information for each.


1. The problem
It is a typical problem in growing organizations that they have to resolve two problems at once:

  • To have a DNS server for the internal network of the company, because long ago there were already too many computers to remember their IPs and even too many computers to maintain a set of host files.

  • To have a DNS server for the external servers, for external clients, etc.

  • Solving these problems becomes a bigger problem when the growing organization can't supply more resources than one DNS server. It is a bigger problem because if you just configure your server with all your names, public and private, you'll end up polluting the Internet with private addresses, which is very bad, and also showing the world part of the topology of your internal network, something you don't want a possible attacker/cracker to have.

  • The other part of the problem is that, for efficiency, you may want to resolve to internal IPs when you are inside and external IPs when you are outside. Here I am talking about computers which have both public and private connections.


Resolving DNS

Theory Behind Caching-Nameserver and BIND 9:

  • A caching-nameserver is a type of nameserver that resolves web addresses (domain names) from its next or master DNS and keeps those entries in its cache. After the first resolution, it answers DNS queries locally until the TTL (Time To Live) expires.

  • BIND 9 is used to answer domain resolution queries from its own database, as it is the SOA (Start Of Authority).

  • So now it is clear that in our setup the caching-nameserver will be used to resolve domain names externally (Internet), while BIND 9 will be used to resolve domain names from our local network (internally).

  • Now that we have the caching-nameserver and BIND 9 hammer in our hands, let's start fixing it. :)