No response from localhost with "allow-query { any; };"

No response from localhost with "allow-query { any; };"

Axel Rau
Hi!

This is a new server, which answers external queries, sends notifies and pushes AXFRs.
It does not answer any query from localhost, nor does it show any notifies from the master in the logs.

From local:
root@ns5:/ # nc -v localhost 53
Connection to localhost 53 port [tcp/domain] succeeded!
^C
root@ns5:/ # nc -vu localhost 53
Connection to localhost 53 port [udp/domain] succeeded!

From master server:
[hermes:local/etc/namedb] root# nc -v ns5.lrau.net 53
Connection to ns5.lrau.net 53 port [tcp/domain] succeeded!
^C
[hermes:local/etc/namedb] root# nc -vu ns5.lrau.net 53
Connection to ns5.lrau.net 53 port [udp/domain] succeeded!


Any help greatly appreciated,
Axel

PS:

part of named.conf:
        allow-notify {
                hermes-ns5;
        };
        allow-transfer {
                full-trusted;
                ns5-ping;
                ns4-he;
                management-hosts;
        };
        allow-query { any; };
        allow-query-cache { recursive-users; };
        allow-recursion { recursive-users; };


root@ns5:/usr/local/etc/namedb/working/slave # named -V
BIND 9.16.5 (Stable Release) <id:c00b458>
running on FreeBSD amd64 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--disable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--with-tuning=default' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1 (tags/RELEASE_801/final 366581)
compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.14
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

default paths:
 named configuration:  /usr/local/etc/namedb/named.conf
 rndc configuration:   /usr/local/etc/namedb/rndc.conf
 DNSSEC root key:      /usr/local/etc/namedb/bind.keys
 nsupdate session key: /var/run/named/session.key
 named PID file:       /var/run/named/pid
 named lock file:      /var/run/named/named.lock

---
PGP-Key: CDE74120  ☀  computing @ chaos claudius


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: No response from localhost with "allow-query { any; };"

Ondřej Surý
Hi Axel,

the `nc` commands you used for testing prove neither that
it's that specific `named` listening on that port nor that
it is a DNS daemon at all.  FWIW it could be a dummy UDP/TCP
server and you would not know.

First you need to use a tool from your operating system
to check what is listening on those ports, and then use
`dig` (or other DNS debugging tool) to send actual DNS
queries.

Ondrej
--
Ondřej Surý (He/Him)
[hidden email]

> On 1. 9. 2020, at 16:11, Axel Rau <[hidden email]> wrote:
> […]

Re: No response from localhost with "allow-query { any; };"

Warren Kumari
In reply to this post by Axel Rau
What is 'localhost'? 

The output you included doesn't really show very much, other than that nc connected to port 53.

I'd suggest:
dig ns5.lrau.net @localhost
dig ns5.lrau.net @::1

Also, have a look in /etc/hosts and make sure that you have something like:
127.0.0.1 localhost


(nc may be connecting over v4 and <whatever else you used to test> may be doing v6, etc...)

W

On Tue, Sep 1, 2020 at 10:12 AM Axel Rau <[hidden email]> wrote:
[…]


--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf

Re: No response from localhost with "allow-query { any; };"

Axel Rau
Thanks for your answer!

On 01.09.2020 at 16:18, Warren Kumari <[hidden email]> wrote:

> The output you included doesn't really show very much, other than that nc connected to port 53.
>
> I'd suggest:
> dig ns5.lrau.net @localhost
> dig ns5.lrau.net @::1
>
> Also, have a look in /etc/hosts and make sure that you have something like:
> 127.0.0.1 localhost
>
> (nc may be connecting over v4 and <whatever else you used to test> may be doing v6, etc...)

; <<>> DiG 9.16.5 <<>> NS lrau.net @127.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # dig NS lrau.net @::1

; <<>> DiG 9.16.5 <<>> NS lrau.net @::1
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # dig NS lrau.net @91.216.35.21

; <<>> DiG 9.16.5 <<>> NS lrau.net @91.216.35.21
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # dig NS lrau.net @localhost

; <<>> DiG 9.16.5 <<>> NS lrau.net @localhost
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # grep localhost /etc/hosts
127.0.0.1 localhost
::1 localhost

---
PGP-Key: CDE74120  ☀  computing @ chaos claudius


Re: No response from localhost with "allow-query { any; };"

Axel Rau
In reply to this post by Ondřej Surý
Thanks for answering:

root@ns5:/ # dig NS lrau.net @91.216.35.21

; <<>> DiG 9.16.5 <<>> NS lrau.net @91.216.35.21
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # dig NS lrau.net @localhost

; <<>> DiG 9.16.5 <<>> NS lrau.net @localhost
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # sockstat -p 53
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     cron       59891 5  dgram  -> /var/run/log
root     sendmail   59197 3  dgram  -> /var/run/log
bind     named      47812 3  dgram  -> /var/run/log
bind     named      47812 137 udp4  91.216.35.21:53       *:*
bind     named      47812 138 udp4  91.216.35.21:53       *:*
bind     named      47812 139 udp4  91.216.35.21:53       *:*
bind     named      47812 140 udp4  91.216.35.21:53       *:*
bind     named      47812 141 udp4  91.216.35.21:53       *:*
bind     named      47812 142 udp4  91.216.35.21:53       *:*
bind     named      47812 143 udp4  91.216.35.21:53       *:*
bind     named      47812 144 udp4  91.216.35.21:53       *:*
bind     named      47812 145 udp4  91.216.35.21:53       *:*
bind     named      47812 146 udp4  91.216.35.21:53       *:*
bind     named      47812 147 udp4  91.216.35.21:53       *:*
bind     named      47812 148 udp4  91.216.35.21:53       *:*
bind     named      47812 149 udp4  91.216.35.21:53       *:*
bind     named      47812 150 udp4  91.216.35.21:53       *:*
bind     named      47812 151 udp4  91.216.35.21:53       *:*
bind     named      47812 152 udp4  91.216.35.21:53       *:*
bind     named      47812 154 tcp4  91.216.35.21:53       *:*
bind     named      47812 155 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 156 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 157 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 158 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 159 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 160 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 161 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 162 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 163 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 164 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 165 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 166 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 167 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 168 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 169 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 170 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 172 tcp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 512 udp4  91.216.35.21:53       *:*
bind     named      47812 513 udp6  2a05:bec0:26:5::71:53 *:*
root     rsyslogd   45747 0  dgram  /var/run/log
root     rsyslogd   45747 1  dgram  -> /var/run/log
root@ns5:/ # 


On 01.09.2020 at 16:14, Ondřej Surý <[hidden email]> wrote:

> […]

---
PGP-Key: CDE74120  ☀  computing @ chaos claudius


Re: No response from localhost with "allow-query { any; };"

Petr Mensik
Please include any listen-on { ... } and listen-on-v6 { ... } clauses.

It seems none of 127.0.0.1; ::1; or localhost; is listed in them.
Because it is not listening on the localhost socket, it would not answer any
queries.

If the server should listen on all interfaces, just use:
  listen-on { any; };

If it has addresses on which it should not listen, just add localhost;
to current listen-on.

It might be able to respond to:

dig @91.216.35.21 -b 127.0.0.1 localhost

Which would be technically from localhost, but I guess you are looking
for listen-on change.

Cheers,
Petr

On 9/1/20 4:41 PM, Axel Rau wrote:

> […]
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: [hidden email]
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB


Re: No response from localhost with "allow-query { any; };"

Axel Rau


On 01.09.2020 at 16:57, Petr Menšík <[hidden email]> wrote:

> Please include any listen-on { ... } and listen-on-v6 { ... } clauses.
>
> It seems none of 127.0.0.1; ::1; or localhost; is listed in them.
> Because it is not listening on the localhost socket, it would not answer any
> queries.


Voilà:

    
    Listen-on {
        91.216.35.21;
        127.0.0.1;
    };
    Listen-on-v6 {
        2a05:bec0:26:5::71;
        ::1;
    };

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius


Re: No response from localhost with "allow-query { any; };"

Axel Rau
TCP queries are being answered, but UDP queries receive no response.
This is independent of client location (local, remote).

A ktrace shows 8 bytes are written on fd 89, then the same 8 bytes are read on fd 88.
The next read gets an errno 35 (see below).

clueless,
Axel


root@ns5:/var/log # uname -a
FreeBSD ns5 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC  amd64

root@ns5:/var/log # named -V
BIND 9.16.6 (Stable Release) <id:25846cf>
running on FreeBSD amd64 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' '--enable-tcp-fastopen' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1 (tags/RELEASE_801/final 366581)
compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
compiled with libuv version: 1.38.1
linked to libuv version: 1.38.1
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.2
linked to protobuf-c version: 1.3.2
threads support is enabled

 23480 isc-socket-0 STRU  struct kevent[] = { { ident=512, filter=EVFILT_READ, flags=0, fflags=0, data=0x35, udata=0x0 } }
 23480 isc-socket-0 RET   kevent 0x1
 23480 isc-socket-0 CALL  recvmsg(0x200,0x7fffdbddbb70,0)
 23480 isc-socket-0 GIO   fd 512 read 53 bytes
       0x0000 552a 0120 0001 0000 0000 0001 0377 7777  |U*. .........www|
       0x0010 0568 6569 7365 0264 6500 0001 0001 0000  |.heise.de.......|
       0x0020 2910 0000 0000 0000 0c00 0a00 0810 a161  |)..............a|
       0x0030 cea7 9c05 fa                             |.....|

 23480 isc-socket-0 STRU  struct sockaddr { AF_INET, 193.105.105.1:56885 }
 23480 isc-socket-0 RET   recvmsg 0x35
 23480 isc-socket-0 CALL  _umtx_op(0x802f38bb8,0x15,0x1,0,0)
 23480 isc-socket-0 RET   _umtx_op 0
 23480 isc-socket-0 CALL  kevent(0x5a,0x7fffdbddbec0,0x1,0,0,0)
 23480 isc-socket-0 STRU  struct kevent[] = { { ident=512, filter=EVFILT_READ, flags=0x2<EV_DELETE>, fflags=0, data=0, udata=0x0 } }
 23480 isc-socket-0 STRU  struct kevent[] = {  }
 23480 isc-socket-0 RET   kevent 0
 23480 isc-socket-0 CALL  kevent(0x5a,0,0,0x802fa7200,0x800,0)
 23480 isc-socket-0 STRU  struct kevent[] = {  }
 23480 isc-worker0000 RET   _umtx_op 0
 23480 isc-worker0000 CALL  recvmsg(0x200,0x7fffddfec9c0,0)
 23480 isc-worker0000 RET   recvmsg -1 errno 35
 23480 isc-worker0000 CALL  write(0x59,0x7fffddfecbc0,0x8)
 23480 isc-worker0000 GIO   fd 89 wrote 8 bytes
       0x0000 0002 0000 fdff ffff                      |........|

 23480 isc-worker0000 RET   write 0x8
 23480 isc-worker0000 CALL  _umtx_op(0x80178f188,0xf,0,0,0)
 23480 isc-socket-0 STRU  struct kevent[] = { { ident=88, filter=EVFILT_READ, flags=0, fflags=0, data=0x8, udata=0x0 } }
 23480 isc-socket-0 RET   kevent 0x1
 23480 isc-socket-0 CALL  read(0x58,0x7fffdbddbe40,0x8)
 23480 isc-socket-0 GIO   fd 88 read 8 bytes
       0x0000 0002 0000 fdff ffff                      |........|

 23480 isc-socket-0 RET   read 0x8
 23480 isc-socket-0 CALL  kevent(0x5a,0x7fffdbddbec0,0x1,0,0,0)
 23480 isc-socket-0 STRU  struct kevent[] = { { ident=512, filter=EVFILT_READ, flags=0x1<EV_ADD>, fflags=0, data=0, udata=0x0 } }
 23480 isc-socket-0 STRU  struct kevent[] = {  }
 23480 isc-socket-0 RET   kevent 0
 23480 isc-socket-0 CALL  read(0x58,0x7fffdbddbe40,0x8)
 23480 isc-socket-0 RET   read -1 errno 35
 23480 isc-socket-0 CALL  kevent(0x5a,0,0,0x802fa7200,0x800,0)
 23480 isc-socket-0 STRU  struct kevent[] = {  }
 23480 isc-socket-0 STRU  struct kevent[] = { { ident=512, filter=EVFILT_READ, flags=0, fflags=0, data=0x35, udata=0x0 } }
 23480 isc-socket-0 RET   kevent 0x1
 23480 isc-socket-0 CALL  recvmsg(0x200,0x7fffdbddbb70,0)
 23480 isc-socket-0 GIO   fd 512 read 53 bytes
       0x0000 552a 0120 0001 0000 0000 0001 0377 7777  |U*. .........www|
       0x0010 0568 6569 7365 0264 6500 0001 0001 0000  |.heise.de.......|
       0x0020 2910 0000 0000 0000 0c00 0a00 0810 a161  |)..............a|
       0x0030 cea7 9c05 fa                             |.....|
. . .
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius
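
The datagram that named reads twice on fd 512 in the trace above can be decoded to see exactly what the server was being asked. The following Python is an added example, not ISC code and not part of the thread: it parses the DNS wire format (RFC 1035 header and question, RFC 6891 OPT pseudo-RR, RFC 7873 COOKIE option) far enough to show a plain recursive query for www.heise.de/A carrying an EDNS client cookie. The hex dump is copied verbatim from the ktrace output; the option-name table is the only thing assumed beyond the page.

```python
"""Decode the 53-byte UDP datagram from the ktrace above.

Added example, not from the original thread and not ISC code.  It parses the
DNS wire format far enough (RFC 1035 header/question, RFC 6891 OPT pseudo-RR,
RFC 7873 COOKIE option) to show what named received on fd 512: a normal
recursive query for www.heise.de/A carrying an EDNS client cookie.  The hex
dump is copied verbatim from the trace; nothing else is assumed.
"""
import struct

# GIO lines exactly as kdump printed them in the thread.
KTRACE_GIO = """
0x0000 552a 0120 0001 0000 0000 0001 0377 7777  |U*. .........www|
0x0010 0568 6569 7365 0264 6500 0001 0001 0000  |.heise.de.......|
0x0020 2910 0000 0000 0000 0c00 0a00 0810 a161  |)..............a|
0x0030 cea7 9c05 fa                             |.....|
"""

# Assumed (small) table of EDNS option codes from the IANA registry.
EDNS_OPTION_NAMES = {8: "CLIENT-SUBNET", 10: "COOKIE", 12: "PADDING"}


def ktrace_dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw datagram from kdump GIO lines (offset, hex words, |ascii|)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        words = line.split("|", 1)[0].split()[1:]      # drop offset and ASCII column
        out += bytes.fromhex("".join(words))
    return bytes(out)


def read_name(msg: bytes, off: int):
    """Read a (possibly compressed) name; return (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                           # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_message(msg: bytes) -> dict:
    """Parse header, question section and the OPT record (if any) of a DNS message."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": qid, "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
           "rd": bool(flags & 0x0100), "ad": bool(flags & 0x0020),
           "cd": bool(flags & 0x0010), "rcode": flags & 0xF,
           "questions": [], "edns": None}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, qtype, qclass))
    for _ in range(an + ns):                             # skip RRs we do not decode
        _, off = read_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    for _ in range(ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 41 and name == "":                  # OPT: class = UDP size, TTL = ext flags
            options, p = {}, 0
            while p + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                options[EDNS_OPTION_NAMES.get(code, code)] = rdata[p + 4:p + 4 + olen].hex()
                p += 4 + olen
            out["edns"] = {"udp_size": rclass, "ext_rcode": ttl >> 24,
                           "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000),
                           "options": options}
    out["consumed"] = off
    return out


if __name__ == "__main__":
    datagram = ktrace_dump_to_bytes(KTRACE_GIO)
    print(len(datagram), "bytes:", parse_message(datagram))
```

The parse consumes all 53 bytes and yields ID 0x552a with RD and AD set, one question (www.heise.de, A, IN) and an OPT record advertising a 4096-byte UDP payload with an 8-byte client cookie and no DO bit. Nothing about the query is unusual, which is consistent with the later finding that the fault was on the sending side of the server, not in what it received.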


[RESOLVED] Re: No response from localhost with "allow-query { any; };"

Axel Rau


On 01.09.2020 at 22:28, Axel Rau <[hidden email]> wrote:

> TCP queries are being answered, but UDP queries receive no response.
> This is independent of client location (local, remote).
>
> A ktrace shows 8 bytes are written on fd 89, then the same 8 bytes are read on fd 88.
> The next read gets an errno 35 (see below).

Commenting these out, seems to resolve the issue:

query-source address  91.216.35.21;
notify-source   91.216.35.21 port 53;
transfer-source   91.216.35.21 port 53;

query-source-v6 address    2a05:bec0:26:5::71;
notify-source-v6 2a05:bec0:26:5::71 port 53;
transfer-source-v6 2a05:bec0:26:5::71 port 53;

Queries to localhost show that the response does not come from localhost:

root@ns5:/var/log # dig localhost @localhost
;; reply from unexpected source: 91.216.35.21#53, expected 127.0.0.1#53

;; reply from unexpected source: 91.216.35.21#53, expected 127.0.0.1#53

;; reply from unexpected source: 91.216.35.21#53, expected 127.0.0.1#53


; <<>> DiG 9.16.6 <<>> localhost @localhost
;; global options: +cmd
;; connection timed out; no servers could be reached

No issue with remote queries.

Questions:

What has query-source address to do with a query response?
Why does the issue not happen on another server (same config, same OS & BIND version)?

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius
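
The dig output in the message above shows the mechanism behind the "no response": named did answer, but from 91.216.35.21#53 instead of the 127.0.0.1#53 the query went to, and dig discards any reply whose source (address, port) is not the destination it sent to. The following Python is an added example, not code from dig, BIND or the thread: it reproduces that client-side acceptance check on loopback, with a server that answers either from the socket the query arrived on or from a second socket. Because a second loopback address is not portable, the "wrong" socket here differs in port rather than address; the check is on the whole (address, port) tuple, so both cases are rejected the same way. It also applies the transaction-ID check a resolver makes, which is the other half of the anti-spoofing protection that fixed source ports weaken.

```python
"""Reproduce the check behind dig's "reply from unexpected source" message.

Added example, not from the original thread and not dig/BIND code.  A stub
resolver accepts a UDP reply only if
  1. it arrives from the exact (address, port) the query was sent to, and
  2. its transaction ID matches the query's ID (and QR is set).
A server answering from a different socket, as named did in the thread when
notify/transfer-source were pinned to the public address:53, fails check 1, so
the client behaves as if no answer ever came.
All traffic stays on 127.0.0.1 (assumed available); the 'wrong' socket differs
in port because a second loopback address is not portable.
"""
import socket
import struct

LOOPBACK = "127.0.0.1"


def build_query(qid: int, name: str) -> bytes:
    """Minimal DNS query: header with RD set, one A/IN question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def build_reply(query: bytes, qid: int) -> bytes:
    """Echo the question back with QR/RD/RA set (an empty NOERROR answer)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", qid, 0x8180, qd, an, ns, ar) + query[12:]


def check_reply(reply: bytes, sender, expected_peer, expected_id: int) -> dict:
    """The stub-resolver side: same checks dig applies before trusting a reply."""
    if sender != expected_peer:
        return {"accepted": False, "reason": "reply from unexpected source: %s#%d, expected %s#%d"
                % (sender[0], sender[1], expected_peer[0], expected_peer[1])}
    got_id = struct.unpack("!H", reply[:2])[0]
    if got_id != expected_id:
        return {"accepted": False, "reason": "ID mismatch: expected %d, got %d" % (expected_id, got_id)}
    if not reply[2] & 0x80:
        return {"accepted": False, "reason": "QR bit not set"}
    return {"accepted": True, "reason": "ok"}


def exchange(mode: str = "correct") -> dict:
    """Run one query/reply on loopback.  mode is one of:
       'correct'      server replies from the socket the query arrived on
       'wrong_socket' server replies from a second socket (the thread's symptom)
       'wrong_id'     right socket, but the reply carries a different ID
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # the listen-on socket
    other = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)      # a separate *-source socket
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for s in (listener, other, client):
            s.bind((LOOPBACK, 0))
            s.settimeout(2.0)
        server_addr = listener.getsockname()
        qid = 0x552A                         # same ID as the query in the ktrace
        client.sendto(build_query(qid, "www.heise.de"), server_addr)
        data, client_addr = listener.recvfrom(512)
        reply_id = qid if mode != "wrong_id" else qid ^ 0xFFFF
        sender_sock = other if mode == "wrong_socket" else listener
        sender_sock.sendto(build_reply(data, reply_id), client_addr)
        try:
            rdata, sender = client.recvfrom(512)
        except socket.timeout:
            return {"accepted": False, "reason": "connection timed out"}
        return check_reply(rdata, sender, server_addr, qid)
    finally:
        for s in (listener, other, client):
            s.close()


if __name__ == "__main__":
    for mode in ("correct", "wrong_socket", "wrong_id"):
        print(mode, exchange(mode))
```

The `wrong_socket` run prints the same shape of message dig showed in the thread; the reply is real and correct, but it is indistinguishable, from the client's point of view, from a spoofed packet, so it must be dropped.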


Re: [RESOLVED] Re: No response from localhost with "allow-query { any; };"

Crist Clark
From release notes:

Notes for BIND 9.16.1

Known Issues
UDP network ports used for listening can no longer simultaneously be used for sending traffic. An example configuration which triggers this issue would be one which uses the same address:port pair for listen-on(-v6) statements as for notify-source(-v6) or transfer-source(-v6). While this issue affects all operating systems, it only triggers log messages (e.g. “unable to create dispatch for reserved port”) on some of them. There are currently no plans to make such a combination of settings work again.

Also, using fixed source ports is at worst considered harmful, at best considered a quaint reminder of the ol' days of stateless firewalls. Generally, if you need to do that, you are doing something wrong.


On Fri, Sep 4, 2020 at 2:25 AM Axel Rau <[hidden email]> wrote:

> What has query-source address to do with a query response?
> Why does the issue not happen on another server (same config, same OS & BIND version)?
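
The release note quoted above describes a configuration pattern rather than a bug in one server, so it is worth checking for mechanically before upgrading to 9.16. The following Python is an added example, not ISC code and not from the thread: a deliberately small reader for the handful of named.conf statements involved (listen-on, listen-on-v6 and the six *-source statements; no include handling, views or ACL names) that flags a *-source pinned to an address:port that is also a listen-on address:port, and separately flags any fixed source port, since on query-source that also gives up source-port randomisation (RFC 5452). The sample configuration is reconstructed from the fragments Axel posted; the exact layout of his named.conf is not on the page.

```python
"""Audit named.conf for the BIND 9.16.1 known issue quoted in the thread.

Added example, not ISC code and not from the original thread.  Only the
statements involved are parsed, with a small regex-based reader: this is not a
full named.conf parser (no include, no per-view options, no ACL names).

Findings:
  collision          a *-source pins an address:port that is also a listen-on
                     address:port; since 9.16.1 the listening UDP socket cannot
                     double as the sending socket, which broke UDP in the thread.
  randomisation_lost a query-source with a fixed port: outgoing queries lose
                     source-port randomisation, a cache-poisoning mitigation.
"""
import ipaddress
import re

# Reconstructed from the fragments posted in the thread (layout assumed).
SAMPLE_CONF = """
options {
    listen-on    { 91.216.35.21; 127.0.0.1; };
    listen-on-v6 { 2a05:bec0:26:5::71; ::1; };

    query-source address 91.216.35.21;
    notify-source   91.216.35.21 port 53;
    transfer-source 91.216.35.21 port 53;

    query-source-v6 address 2a05:bec0:26:5::71;
    notify-source-v6   2a05:bec0:26:5::71 port 53;
    transfer-source-v6 2a05:bec0:26:5::71 port 53;
};
"""

_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_LISTEN_RE = re.compile(
    r"\b(listen-on(?:-v6)?)\s*(?:port\s+(\d+))?\s*\{([^}]*)\}\s*;", re.I)
_SOURCE_RE = re.compile(
    r"\b((?:query|notify|transfer)-source(?:-v6)?)\s+"
    r"(?:address\s+)?(\*|[0-9a-f:.]+)?\s*(?:port\s+(\*|\d+))?\s*;", re.I)


def _norm(addr: str) -> str:
    """Canonical text for IP literals; other tokens (any, none, *, ACL names) lower-cased."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return addr.lower()


def parse_listen(conf: str) -> set:
    """Return the set of (address, port) pairs named listens on (default port 53)."""
    pairs = set()
    for _stmt, port, body in _LISTEN_RE.findall(_COMMENT_RE.sub("", conf)):
        for tok in body.split(";"):
            tok = tok.strip()
            if tok and tok.lower() != "none":
                pairs.add((_norm(tok), int(port) if port else 53))
    return pairs


def parse_sources(conf: str) -> list:
    """Return (statement, address or None, port or None) for every *-source statement."""
    return [(stmt.lower(), _norm(addr) if addr else None, port or None)
            for stmt, addr, port in _SOURCE_RE.findall(_COMMENT_RE.sub("", conf))]


def _collides(addr, port: int, listen: set) -> bool:
    # An unspecified or '*' source address with a fixed port binds the wildcard
    # address, so it conflicts with any listener on that port.
    return any(lport == port and (addr in (None, "*") or laddr == "any" or laddr == addr)
               for laddr, lport in listen)


def audit(conf: str) -> list:
    """One finding per *-source statement that pins a port."""
    listen = parse_listen(conf)
    findings = []
    for stmt, addr, port in parse_sources(conf):
        if port in (None, "*"):
            continue                              # ephemeral, randomised port: fine
        findings.append({"statement": stmt, "address": addr, "port": int(port),
                         "collision": _collides(addr, int(port), listen),
                         "randomisation_lost": stmt.startswith("query-source")})
    return findings


def fix(conf: str) -> str:
    """Drop the explicit port from every *-source statement, keeping the address pin."""
    def _rewrite(m):
        stmt, addr, port = m.group(1), m.group(2), m.group(3)
        if port is None or port == "*":
            return m.group(0)
        keyword = "address " if stmt.lower().startswith("query-source") else ""
        return stmt + (" " + keyword + addr if addr else "") + ";"
    return _SOURCE_RE.sub(_rewrite, conf)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f)
    print(fix(SAMPLE_CONF))
```

On the sample this reports the four notify/transfer-source statements as collisions with the listen-on addresses on port 53 (the two query-source lines pin only the address, so they are left alone), and after `fix()` the audit is empty while outbound traffic still leaves from the intended addresses. Pinning the address is harmless and often wanted on a multi-homed host; pinning the port is what conflicts with the listener and, for query-source, with source-port randomisation.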