BIND SERVFAIL after upgrade to Debian Jessie

I haven't touched my BIND configuration at all, but it looks like the Debian Jessie upgrade has broken it. Maybe some new option was introduced, or something old now behaves differently, but I can't find what's wrong.

I keep getting SERVFAIL in /var/log/bind/bind.log.

I have checked my zones with named-checkzone and they are all "OK". I have disabled IPv6 system-wide. I re-created the rndc key and even created /etc/rndc.conf. Nothing works.

Here is some of the configuration:

/etc/bind/named.conf

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.log";
    include "/etc/bind/named.conf.local";
    //include "/etc/bind/named.conf.default-zones";

    acl localhost_acl { 127.0.0.0/8; };
    acl internal_10_acl { 192.168.10.0/24; };
    acl internal_150_acl { 192.168.150.0/24; };
    acl vpn_acl { 192.168.200.2; 192.168.200.5; };

    key "rndc-key" {
        algorithm hmac-md5;
        secret "somesecretkey==";
    };

    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    };

/etc/bind/named.conf.options

    options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
        listen-on { 127.0.0.1; 192.168.10.1; 192.168.150.1; 192.168.200.1; };
        allow-transfer { none; };
        max-recursion-queries 200;
    };

/etc/bind/named.conf.log

    logging {
        channel update_debug {
            file "/var/log/bind/update_debug.log" versions 3 size 100k;
            severity debug;
            print-severity yes;
            print-time yes;
        };
        channel security_info {
            file "/var/log/bind/security_info.log" versions 1 size 100k;
            severity debug;
            print-severity yes;
            print-time yes;
        };
        channel bind_log {
            file "/var/log/bind/bind.log" versions 3 size 1m;
            severity debug;
            print-category yes;
            print-severity yes;
            print-time yes;
        };

        category default { bind_log; };
        category lame-servers { security_info; };
        category update { update_debug; };
        category update-security { update_debug; };
        category security { security_info; };
    };

/etc/bind/named.conf.local (this one is long):

    // 1
    view "internal_10_view" {
        allow-query-on { 127.0.0.1; 192.168.10.1; };
        allow-query { localhost_acl; internal_10_acl; };
        match-clients { localhost_acl; internal_10_acl; };

        zone "myhost.tld" { type master; file "/etc/bind/db.myhost.tld_10"; };
        zone "168.192.in-addr.arpa" { type master; notify no; file "/etc/bind/db.192.168.10"; };

        // formerly named.conf.default-zones
        zone "." { type hint; file "/etc/bind/db.root"; };
        zone "localhost" { type master; file "/etc/bind/db.local"; };
        zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
        zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
        zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };

        // formerly zones.rfc1918
        zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
    };

    // 2
    view "internal_150_view" {
        allow-query-on { 192.168.150.1; };
        allow-query { internal_150_acl; };
        match-clients { internal_150_acl; };

        zone "myhost.tld" { type master; file "/etc/bind/db.myhost.tld_150"; };
        zone "168.192.in-addr.arpa" { type master; notify no; file "/etc/bind/db.192.168.150"; };

        // formerly named.conf.default-zones
        zone "." { type hint; file "/etc/bind/db.root"; };
        zone "localhost" { type master; file "/etc/bind/db.local"; };
        zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
        zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
        zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };

        // formerly zones.rfc1918
        zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
    };

    // 3
    view "vpn_view" {
        allow-query-on { 192.168.200.1; };
        allow-query { vpn_acl; };
        match-clients { vpn_acl; };

        zone "myhost.tld" { type master; file "/etc/bind/db.myhost.tld_vpn"; };

        // formerly named.conf.default-zones
        zone "." { type hint; file "/etc/bind/db.root"; };
        zone "localhost" { type master; file "/etc/bind/db.local"; };
        zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
        zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
        zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };

        // formerly zones.rfc1918
        zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
        // 172.16/12 ends at 172.31; the posted file had "32.172" here, which is a typo
        zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

        // somedomain.tld
        zone "somedomain.tld" {
            type forward;
            forward first;
            forwarders { 192.168.34.110; 192.168.34.100; };
        };
    };

/etc/rndc.conf

    key "rndc-key" {
        algorithm hmac-md5;
        secret "somesecretkey==";
    };

    options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
    };

me@jessie:~$ sudo netstat -lnptu | grep "named\W*$"

    tcp        0      0 192.168.10.1:53         0.0.0.0:*               LISTEN      1871/named
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1871/named
    tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1871/named
    udp        0      0 192.168.200.1:53        0.0.0.0:*                           1871/named
    udp        0      0 192.168.10.1:53         0.0.0.0:*                           1871/named
    udp        0      0 127.0.0.1:53            0.0.0.0:*                           1871/named

me@jessie:~$ ps aux | grep named

 bind 5843 0.0 1.0 297780 84412 ? Ssl 00:52 0:16 /usr/sbin/named -f -u bind -4 

me@jessie:/etc/bind$ named -V

    BIND 9.9.5-9-Debian (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
    compiled by GCC 4.9.2
    using OpenSSL version: OpenSSL 1.0.1k 8 Jan 2015
    using libxml2 version: 2.9.2

me@jessie's_client:~$ dig @192.168.10.1 launchpad.net

    ; <<>> DiG 9.9.5-9-Debian <<>> @192.168.10.1 launchpad.net
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19673
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;launchpad.net.                 IN      A

    ;; Query time: 0 msec
    ;; SERVER: 192.168.10.1#53(192.168.10.1)
    ;; WHEN: Thu May 07 23:29:38 MSK 2015
    ;; MSG SIZE  rcvd: 42

And finally some log lines from /var/log/bind/bind.log:

    07-May-2015 22:52:49.287 resolver: debug 1: createfetch: _xmpp-server._tcp.pandion.im SRV
    07-May-2015 22:52:49.287 resolver: debug 1: createfetch: . NS
    07-May-2015 22:52:49.954 resolver: debug 1: createfetch: _xmpp-server._tcp.pandion.im SRV
    07-May-2015 22:52:50.353 resolver: debug 1: createfetch: launchpad.net A
    07-May-2015 22:52:51.288 resolver: debug 1: createfetch: _xmpp-server._tcp.pandion.im SRV
    07-May-2015 22:52:51.575 query-errors: debug 1: client 127.0.0.1#47208 (pandion.im): view internal_10_view: query failed (SERVFAIL) for pandion.im/IN/AAAA at query.c:7004
    07-May-2015 22:52:53.138 query-errors: debug 1: client 127.0.0.1#55548 (_jabber._tcp.none.su): view internal_10_view: query failed (SERVFAIL) for _jabber._tcp.none.su/IN/SRV at query.c:7004
    07-May-2015 22:52:53.955 resolver: debug 1: createfetch: _jabber._tcp.pandion.im SRV
    07-May-2015 22:52:54.622 resolver: debug 1: createfetch: _jabber._tcp.pandion.im SRV
    07-May-2015 22:52:55.353 query-errors: debug 1: client 192.168.10.2#37375 (launchpad.net): view internal_10_view: query failed (SERVFAIL) for launchpad.net/IN/A at query.c:7004
    07-May-2015 22:52:55.354 resolver: debug 1: createfetch: launchpad.net A
    07-May-2015 22:52:55.956 resolver: debug 1: createfetch: _jabber._tcp.pandion.im SRV

/var/log/bind/security_info.log

    07-May-2015 00:45:26.055 warning: using built-in root key for view vpn_view
    07-May-2015 12:31:37.603 warning: using built-in root key for view internal_10_view
    07-May-2015 12:31:37.769 warning: using built-in root key for view internal_150_view
    07-May-2015 12:31:37.773 warning: using built-in root key for view vpn_view
    07-May-2015 12:31:44.859 warning: using built-in root key for view internal_10_view
    07-May-2015 12:31:44.865 warning: using built-in root key for view internal_150_view
    07-May-2015 12:31:44.871 warning: using built-in root key for view vpn_view
    07-May-2015 12:31:46.005 warning: using built-in root key for view internal_10_view
    07-May-2015 12:31:46.011 warning: using built-in root key for view internal_150_view
    07-May-2015 12:31:46.016 warning: using built-in root key for view vpn_view
    07-May-2015 12:31:47.108 warning: using built-in root key for view internal_10_view
    07-May-2015 12:31:47.114 warning: using built-in root key for view internal_150_view
    07-May-2015 12:31:47.121 warning: using built-in root key for view vpn_view
    07-May-2015 12:31:48.946 warning: using built-in root key for view internal_10_view
    07-May-2015 12:31:48.951 warning: using built-in root key for view internal_150_view
    07-May-2015 12:31:48.957 warning: using built-in root key for view vpn_view
    07-May-2015 14:07:39.729 warning: using built-in root key for view internal_10_view
    07-May-2015 14:07:39.737 warning: using built-in root key for view internal_150_view
    07-May-2015 14:07:39.743 warning: using built-in root key for view vpn_view
    07-May-2015 14:12:05.871 warning: using built-in root key for view internal_10_view
    07-May-2015 14:12:05.880 warning: using built-in root key for view internal_150_view
    07-May-2015 14:12:05.890 warning: using built-in root key for view vpn_view
    07-May-2015 14:27:07.630 warning: using built-in root key for view internal_10_view
    07-May-2015 14:27:07.638 warning: using built-in root key for view internal_150_view
    07-May-2015 14:27:07.644 warning: using built-in root key for view vpn_view

Any suggestions as to what might be wrong?

If you're not familiar with the new max-recursion-queries option, or why it was added, this problem is really hard to troubleshoot.

CVE-2014-8500 was identified in late 2014 as affecting multiple nameserver products, including BIND. Exploiting this vulnerability allows a malicious nameserver to craft an endless chain of referrals, eventually leading to resource exhaustion. ISC's fix for the problem was to add a ceiling on the number of levels of recursion the server is willing to perform on behalf of a single query. That ceiling is controlled by the new max-recursion-queries option, which defaults to 75.

It turns out that 75 levels of recursion is not very friendly to an empty nameserver cache, which is what you will always have after a full process restart. Many domains will fail to resolve with this default, because of how many levels of referral end up being traversed between the requested record and . (the root). The pandion.im. domain happens to be one of them, which probably has to do with the glueless delegation from the TLD. Here is dig +trace +additional pandion.im:

    im.                     172800  IN      NS      ns4.ja.net.
    im.                     172800  IN      NS      hoppy.iom.com.
    im.                     172800  IN      NS      barney.advsys.co.uk.
    im.                     172800  IN      NS      pebbles.iom.com.
    ns4.ja.net.             172800  IN      A       193.62.157.66
    hoppy.iom.com.          172800  IN      A       217.23.163.140
    barney.advsys.co.uk.    172800  IN      A       217.23.160.50
    pebbles.iom.com.        172800  IN      A       80.168.83.242
    ns4.ja.net.             172800  IN      AAAA    2001:630:0:47::42
    ;; Received 226 bytes from 199.7.83.42#53(199.7.83.42) in 29 ms

    pandion.im.             259200  IN      NS      ed.ns.cloudflare.com.
    pandion.im.             259200  IN      NS      jill.ns.cloudflare.com.
    ;; Received 81 bytes from 80.168.83.242#53(80.168.83.242) in 98 ms

The nameservers for im. are delegating pandion.im. to Cloudflare's nameservers without providing glue IP addresses. On an empty cache this means the server has to start a separate referral traversal to obtain the IP addresses of those nameservers, and all of those referrals count against the maximum recursion count for the original query. At this point the query only succeeds if the server already knows the nameservers' IP addresses from other queries:

    # service named restart && sleep 1 && dig @localhost pandion.im | grep status
    Checking named config:
    Stopping named:                                            [  OK  ]
    Starting named:                                            [  OK  ]
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63173

Try again, this time looking up those nameservers before pandion.im.:

    # service named restart && sleep 1 && dig @localhost ed.ns.cloudflare.com jill.ns.cloudflare.com pandion.im | grep status
    Checking named config:
    Stopping named:                                            [  OK  ]
    Starting named:                                            [  OK  ]
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26428
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30491
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22162

Long story short, this problem is very unintuitive to identify, especially since it appears to "go away" over time if the process stays running. One of our partners recommended a value of 200 based on real-world usage. Start at 200 and tune it down if you feel that is too high.
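As an added example (my own code, not from the answer above or from ISC), the following Python script parses `dig +trace +additional` output and reports referral steps that carry no glue, which is the situation the answer describes: on a cold cache, each glueless nameserver name becomes a separate lookup that counts against max-recursion-queries for the original query. The TRACE text is a constructed sample modelled on the im. output above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `dig +trace +additional` output,
# modelled on the im. -> pandion.im. delegation shown in the answer:
# the Cloudflare NS names arrive without any A/AAAA glue.
TRACE = """\
im.                 172800  IN  NS    ns4.ja.net.
im.                 172800  IN  NS    hoppy.iom.com.
ns4.ja.net.         172800  IN  A     193.62.157.66
hoppy.iom.com.      172800  IN  A     217.23.163.140
ns4.ja.net.         172800  IN  AAAA  2001:630:0:47::42
;; Received 226 bytes from 199.7.83.42#53(199.7.83.42) in 29 ms
pandion.im.         259200  IN  NS    ed.ns.cloudflare.com.
pandion.im.         259200  IN  NS    jill.ns.cloudflare.com.
;; Received 81 bytes from 80.168.83.242#53(80.168.83.242) in 98 ms
"""

# owner  ttl  IN  type  rdata  (only the record types a referral carries)
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")

def parse_referrals(trace):
    """Split a trace into referral steps: [(zone, {ns_name: [glue addrs]})].
    A step ends at the ';; Received ... from' line dig prints per server."""
    steps, ns_hosts, glue = [], defaultdict(list), defaultdict(list)
    for line in trace.splitlines():
        if line.startswith(";; Received"):
            for zone, hosts in ns_hosts.items():
                steps.append((zone, {h: glue.get(h, []) for h in hosts}))
            ns_hosts, glue = defaultdict(list), defaultdict(list)
            continue
        m = RR.match(line.strip())
        if not m:
            continue                      # comments, SOA, RRSIG, blank lines
        owner, rtype, rdata = m.groups()
        if rtype == "NS":
            ns_hosts[owner].append(rdata)
        else:
            glue[owner].append(rdata)     # A/AAAA for a nameserver name
    return steps

def glueless_delegations(trace):
    """Zones whose referral carried no glue for any nameserver. The root
    step is skipped: its addresses come from the hint zone, not from glue."""
    return [zone for zone, servers in parse_referrals(trace)
            if zone != "." and not any(servers.values())]

def extra_lookups(trace):
    """Nameserver names a cold-cache resolver must chase as separate queries,
    each of which counts against max-recursion-queries for the original."""
    return sorted(h for zone, servers in parse_referrals(trace)
                  if zone != "." for h, addrs in servers.items() if not addrs)
```

Feed it the saved output of `dig +trace +additional <name>` for any name that SERVFAILs right after a restart; every entry in `extra_lookups` is a referral chain that has to complete before the original query can.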

Check your log directory permissions.

I found this in my logs:

    Jun  5 18:46:38 xsystem named[1116]: isc_stdio_open '/var/log/named.debug.log' failed: permission denied
    Jun  5 18:46:38 xsystem named[1116]: configuring logging: permission denied
    Jun  5 18:46:38 xsystem named[1116]: loading configuration: permission denied
    Jun  5 18:46:38 xsystem named[1116]: exiting (due to fatal error)

On investigation, it looks like my /var/log had been changed to group read-only. Before the upgrade it was set to adm read-write. Since I have bind logging to /var/log via the adm group, it failed.

Fix: sudo chmod g+w /var/log and restart bind (named).

PS: I have bind logging to /var/log, not /var/log/named/.