
Wednesday, November 29, 2023

Prometheus and Grafana : Monitor BIND DNS server

1. Pre-requisites
- BIND needs to have been built with libxml2 support (the statistics channel depends on it); check with:
# named -V | grep libxml2

2. Install the BIND Prometheus Exporter
- Download the latest release of the bind_exporter binary:

# curl -s https://api.github.com/repos/prometheus-community/bind_exporter/releases/latest | grep browser_download_url | grep linux-amd64 |  cut -d '"' -f 4 | wget -qi -
# tar xvf bind_exporter*.tar.gz
# sudo mv bind_exporter-*/bind_exporter /usr/local/bin
# bind_exporter --version

3. Configure BIND to open a statistics channel
- Edit the file /etc/named.conf to add

statistics-channels {
  inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};

4. Create the BIND Exporter systemd service
- Add Prometheus system user account:
#sudo groupadd --system prometheus
#sudo useradd -s /sbin/nologin --system -g prometheus prometheus

- Create a systemd service unit file:
sudo tee /etc/systemd/system/bind_exporter.service<<EOF
[Unit]
Description=Prometheus
Documentation=https://github.com/digitalocean/bind_exporter
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=prometheus
Group=prometheus
ExecReload=/bin/kill -HUP \$MAINPID
ExecStart=/usr/local/bin/bind_exporter \
  --bind.pid-file=/var/run/named/named.pid \
  --bind.timeout=20s \
  --web.listen-address=0.0.0.0:9153 \
  --web.telemetry-path=/metrics \
  --bind.stats-url=http://localhost:8053/ \
  --bind.stats-groups=server,view,tasks

SyslogIdentifier=prometheus
Restart=always

[Install]
WantedBy=multi-user.target
EOF

- Reload systemd and start the bind_exporter service:
#sudo systemctl daemon-reload
#sudo systemctl restart bind_exporter.service

- Enable the service to start on boot:
#sudo systemctl enable bind_exporter.service

- Open the port on the firewall
#sudo firewall-cmd --add-port=9153/tcp --permanent
#sudo firewall-cmd --reload

5. Configure the Prometheus Server
- Edit the file prometheus.yml:
#sudo vi /etc/prometheus/prometheus.yml

- Add the job definitions:

  - job_name: dns-master
    static_configs:
      - targets: ['10.1.5.3:9153']
        labels:
          alias: dns-master

  - job_name: dns-slave1
    static_configs:
      - targets: ['10.1.5.4:9153']
        labels:
          alias: dns-slave

#sudo systemctl restart prometheus

6. Add the Grafana Dashboard
- Use the existing Grafana dashboard, ID 1666
- Import the BIND Grafana dashboard by navigating to Dashboard > Import
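To confirm that the statistics channel opened in step 3 is actually serving data (it is what bind_exporter scrapes), here is an added Python example that is not part of the original post: it parses the server counters from the BIND 9 statistics-channel v3 XML and flags an elevated SERVFAIL share. The XML sample is constructed, and the /xml/v3/server path on port 8053 is an assumption that follows the configuration above.

```python
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample modelled on BIND 9's statistics-channel v3 XML;
# a live server returns many more counter groups than shown here.
SAMPLE_STATS_XML = """<statistics version="3.11">
  <server>
    <boot-time>2023-11-29T08:00:00.000Z</boot-time>
    <counters type="opcode">
      <counter name="QUERY">1000</counter>
    </counters>
    <counters type="rcode">
      <counter name="NOERROR">850</counter>
      <counter name="SERVFAIL">120</counter>
      <counter name="NXDOMAIN">30</counter>
    </counters>
  </server>
</statistics>"""


def parse_counters(xml_text, counter_type):
    """Return {name: value} for the <server> counters of one type (e.g. "rcode")."""
    root = ET.fromstring(xml_text)
    values = {}
    for group in root.iterfind("./server/counters"):
        if group.get("type") != counter_type:
            continue
        for counter in group.iterfind("counter"):
            values[counter.get("name")] = int(counter.text)
    return values

def servfail_ratio(xml_text):
    """Share of responses that were SERVFAIL (0.0 when no responses yet)."""
    rcodes = parse_counters(xml_text, "rcode")
    total = sum(rcodes.values())
    return rcodes.get("SERVFAIL", 0) / total if total else 0.0

def servfail_alert(xml_text, threshold=0.05):
    """True when the SERVFAIL share exceeds the threshold (an alert condition)."""
    return servfail_ratio(xml_text) > threshold

def fetch_stats(url="http://127.0.0.1:8053/xml/v3/server"):
    """Read the live channel from step 3 (assumed path; the sample above does not use it)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    print(f"SERVFAIL share: {servfail_ratio(SAMPLE_STATS_XML):.1%}")
```

Point the exporter's --bind.stats-url at the same channel; if fetch_stats() fails from the exporter's host, bind_exporter will report bind_up 0 for the same reason.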

source : https://computingforgeeks.com/monitor-bind-dns-server-with-prometheus-grafana/?expand_article=1

Tuesday, October 27, 2020

BIND : DNS Issue #5

Issue:

dnssec: info: validating 83.0.11.10.in-addr.arpa/PTR: bad cache hit (10.in-addr.arpa/DS)
lame-servers: info: broken trust chain resolving '83.0.11.10.in-addr.arpa/PTR/IN': 8.8.8.8#53
dnssec: info: validating 65.0.11.10.in-addr.arpa/PTR: bad cache hit (10.in-addr.arpa/DS)
lame-servers: info: broken trust chain resolving '65.0.11.10.in-addr.arpa/PTR/IN': 8.8.8.8#53
dnssec: info: validating 114.0.11.10.in-addr.arpa/PTR: bad cache hit (10.in-addr.arpa/DS)
lame-servers: info: broken trust chain resolving '114.0.11.10.in-addr.arpa/PTR/IN': 8.8.8.8#53
dnssec: info: validating 129.0.11.10.in-addr.arpa/PTR: bad cache hit (10.in-addr.arpa/DS)
lame-servers: info: broken trust chain resolving '129.0.11.10.in-addr.arpa/PTR/IN': 8.8.8.8#53
dnssec: info: validating 34.0.11.10.in-addr.arpa/PTR: bad cache hit (10.in-addr.arpa/DS)

Solutions:

1. Edit /etc/bind/named.conf.options
2. Add the following lines after the line directory "/var/cache/bind"; in the options block

.......
dnssec-enable no;
dnssec-validation no;

3. Save the file
4. Restart bind
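An added Python example (not from the original post) that groups the log lines quoted above by the zone whose DS lookup is failing, so the scope of the broken trust chain (here the private 10.in-addr.arpa reverse zone, via the forwarder 8.8.8.8) is visible before the resolver's validation settings are changed. The sample log is constructed from the lines above.

```python
import re
from collections import defaultdict

# Constructed sample: the named log lines quoted above (category: severity: message).
SAMPLE_LOG = """\
dnssec: info: validating 83.0.11.10.in-addr.arpa/PTR: bad cache hit (10.in-addr.arpa/DS)
lame-servers: info: broken trust chain resolving '83.0.11.10.in-addr.arpa/PTR/IN': 8.8.8.8#53
dnssec: info: validating 65.0.11.10.in-addr.arpa/PTR: bad cache hit (10.in-addr.arpa/DS)
lame-servers: info: broken trust chain resolving '65.0.11.10.in-addr.arpa/PTR/IN': 8.8.8.8#53
dnssec: info: validating 34.0.11.10.in-addr.arpa/PTR: bad cache hit (10.in-addr.arpa/DS)
"""

BAD_CACHE_RE = re.compile(
    r"dnssec: \w+: validating (?P<name>\S+)/(?P<rtype>\w+): bad cache hit \((?P<zone>\S+)/DS\)"
)
BROKEN_CHAIN_RE = re.compile(
    r"lame-servers: \w+: broken trust chain resolving '(?P<name>\S+)/(?P<rtype>\w+)/IN': (?P<server>\S+)"
)

def summarize_dnssec_failures(log_text):
    """Group validation failures by the zone whose DS lookup failed.

    Returns {zone: {"names": sorted list, "forwarders": sorted list}}. The server
    named in a broken-trust-chain line is attached to the zone of the bad-cache-hit
    line for the same name.
    """
    zone_of_name = {}
    zones = defaultdict(lambda: {"names": set(), "forwarders": set()})
    for line in log_text.splitlines():
        m = BAD_CACHE_RE.search(line)
        if m:
            zone_of_name[m["name"]] = m["zone"]
            zones[m["zone"]]["names"].add(m["name"])
            continue
        m = BROKEN_CHAIN_RE.search(line)
        if m and m["name"] in zone_of_name:
            zones[zone_of_name[m["name"]]]["forwarders"].add(m["server"])
    return {z: {k: sorted(v) for k, v in d.items()} for z, d in zones.items()}

if __name__ == "__main__":
    for zone, info in summarize_dnssec_failures(SAMPLE_LOG).items():
        print(f"{zone}: {len(info['names'])} names failing via {', '.join(info['forwarders'])}")
```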

Thursday, October 15, 2020

BIND : DNS Issue #4

1. Issue - resolving a local domain name to an IP address fails with:
> 192.168.1.3
Server:         127.0.0.1
Address:        127.0.0.1#53

3.1.168.192.in-addr.arpa      name = server.domain.site.
>  server.domain.site
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find server.domain.site.: SERVFAIL

2. Check Server log
In /var/log/messages the following errors can be observed:

Oct 28 15:41:13 kl1 named[17558]: zone localhost/IN: loaded serial 42
Oct 28 15:41:13 kl1 named[17558]: zone domain.site/IN: journal rollforward failed: journal out of sync with zone
Oct 28 15:41:13 kl1 named[17558]: zone domain.site/IN: not loaded due to errors.
Oct 28 15:41:13 kl1 named[17558]: running

3. Resolution
This happens when the binary zone journal is corrupted or out of sync with the zone file. To resolve it, locate and delete the *.jnl files for the affected zone files in /var/lib/named or its subdirectories.

Source:

Tuesday, June 25, 2019

BIND : WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)

Solutions:

1. Make sure that the key in /etc/bind/rndc.key is the same as in /etc/bind/rndc.conf
2. Copy rndc.conf key to rndc.key
3. Move /etc/bind/rndc.conf to another location, for example /temp
4. Reload BIND with the rndc utility: #rndc reload

Source :
https://support.plesk.com/hc/en-us/articles/115000153813-Warnings-appear-in-syslog-key-file-exists-but-using-default-configuration-file

Tuesday, October 16, 2018

Tuesday, March 28, 2017

BIND : DNS Issue

Issue 1 :
isc_stdio_open '/var/log/named/named_security.log' failed: permission denied

Solutions :

chown -R bind:root /var/log/named
chmod -R 775 /var/log/named


--------------------------------------------------------------------------------------------------------------
Issue 2 :
"open: permission denied" upon zone transfer

Solutions :
Edit /etc/apparmor.d/usr.sbin.named
Add / edit this line : /etc/bind/slave/* rw,

---------------------------------------------------------------------------------------------------------------

Monday, April 14, 2014

BIND : Enable statistics

Error : WARNING: key file (/etc/bind/rndc.key) exists, but using default configuration file (/etc/bind/rndc.conf)

Solution:

1. Add this statement statistics-file "/var/cache/bind/named.stats"; to /etc/bind/named.conf

2. Remove or rename rndc.conf in /etc/bind

3. Add the following to /etc/bind/named.conf
include "/etc/bind/rndc.key";
controls {
  inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};

4. Restart BIND.

Source : http://www.rainingpackets.com/bind-rndc-error-debian-ubuntu/

Monday, January 7, 2013

BIND : DNS Issue #1

Q:

Why do I get errors like "dns_zone_load: zone foo/IN: loading master file bar: ran out of space"?

A:
This is often caused by TXT records with missing close quotes. Check that all TXT records containing quoted strings have both open and close quotes.
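An added Python example (not from the FAQ) that finds the condition described in the answer before named does: it scans a zone file for TXT records whose quoted strings are never closed, honouring backslash escapes and ';' comments outside strings. The zone fragment is constructed.

```python
import re

# Constructed sample zone fragment: the _dmarc TXT record is missing its closing
# quote; the escaped quotes in the k1 record are legitimate.
SAMPLE_ZONE = """\
$ORIGIN foo.
@       IN  SOA  ns1.foo. hostmaster.foo. ( 2023112901 3600 900 604800 300 )
@       IN  TXT  "v=spf1 mx -all"
_dmarc  IN  TXT  "v=DMARC1; p=reject
k1      IN  TXT  "say \\"hi\\""
www     IN  A    192.0.2.10
"""

# owner (optional), TTL (optional), class (optional), TXT, rdata
TXT_RE = re.compile(r"^\S*\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(?P<rdata>.*)$", re.IGNORECASE)

def has_unclosed_quote(rdata):
    """Scan rdata: a quote toggles a string, a backslash escapes the next character,
    and ';' outside a string starts a comment. True if a string is still open."""
    in_string, escaped = False, False
    for ch in rdata:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_string = not in_string
        elif ch == ";" and not in_string:
            break
    return in_string

def find_unbalanced_txt(zone_text):
    """Return (line number, line) for each TXT record whose quotes are not closed."""
    problems = []
    for lineno, line in enumerate(zone_text.splitlines(), start=1):
        m = TXT_RE.match(line)
        if m and has_unclosed_quote(m["rdata"]):
            problems.append((lineno, line))
    return problems

if __name__ == "__main__":
    for lineno, line in find_unbalanced_txt(SAMPLE_ZONE):
        print(f"line {lineno}: unbalanced quotes in TXT record: {line}")
```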

Source : http://www.bind9.net/BIND-FAQ