
No response from localhost with "allow-query { any; };"


Axel Rau
Sep 1, 2020, 10:11:55 AM
to bind-...@lists.isc.org
Hi!

This is a new server which answers external queries, sends notifies and pushes AXFRs.
It does not answer any query from localhost, nor does it show any notifies from the master in the logs.

From local:
root@ns5:/ # nc -v localhost 53
Connection to localhost 53 port [tcp/domain] succeeded!
^C
root@ns5:/ # nc -vu localhost 53
Connection to localhost 53 port [udp/domain] succeeded!

From master server:
[hermes:local/etc/namedb] root# nc -v ns5.lrau.net 53
Connection to ns5.lrau.net 53 port [tcp/domain] succeeded!
^C
[hermes:local/etc/namedb] root# nc -vu ns5.lrau.net 53
Connection to ns5.lrau.net 53 port [udp/domain] succeeded!


Any help greatly appreciated,
Axel

PS:

part of named.conf:
allow-notify {
hermes-ns5;
};
allow-transfer {
full-trusted;
ns5-ping;
ns4-he;
management-hosts;
};
allow-query { any; };
allow-query-cache { recursive-users; };
allow-recursion { recursive-users; };


root@ns5:/usr/local/etc/namedb/working/slave # named -V
BIND 9.16.5 (Stable Release) <id:c00b458>
running on FreeBSD amd64 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--disable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--with-tuning=default' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1 (tags/RELEASE_801/final 366581)
compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d-freebsd 10 Sep 2019
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.14
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock

---
PGP-Key: CDE74120 ☀ computing @ chaos claudius


Ondřej Surý
Sep 1, 2020, 10:14:34 AM
to Axel Rau, bind-...@lists.isc.org
Hi Axel,

the `nc` commands you used for testing prove neither that
it's that specific `named` listening on that port nor that
it is a DNS daemon at all. FWIW it could be a dummy UDP/TCP
server and you would not know.

First you need to use a tool from your operating system
to check what is listening on those ports, and then use
`dig` (or other DNS debugging tool) to send actual DNS
queries.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-...@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Warren Kumari
Sep 1, 2020, 10:19:13 AM
to Axel Rau, bind-users
What is 'localhost'? 

The output you included doesn't really show very much, other than that nc connects to port 53.

I'd suggest:
dig ns5.lrau.net @localhost
dig ns5.lrau.net @::1

Also, have a look in /etc/hosts and make sure that you have something like:
127.0.0.1 localhost


(nc may be connecting over v4 and <whatever else you used to test> may be doing v6, etc...)

W
--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf

Axel Rau
Sep 1, 2020, 10:31:06 AM
to Warren Kumari, bind-...@lists.isc.org
Thanks for your answer!


On 01.09.2020 at 16:18, Warren Kumari <war...@kumari.net> wrote:

> The output you included doesn't really show very much, other than that nc connects to port 53.
>
> I'd suggest:
> dig ns5.lrau.net @localhost
> dig ns5.lrau.net @::1
>
> Also, have a look in /etc/hosts and make sure that you have something like:
> 127.0.0.1 localhost
>
> (nc may be connecting over v4 and <whatever else you used to test> may be doing v6, etc...)

; <<>> DiG 9.16.5 <<>> NS lrau.net @127.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # dig NS lrau.net @::1

; <<>> DiG 9.16.5 <<>> NS lrau.net @::1
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # dig NS lrau.net @91.216.35.21

; <<>> DiG 9.16.5 <<>> NS lrau.net @91.216.35.21
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # dig NS lrau.net @localhost

; <<>> DiG 9.16.5 <<>> NS lrau.net @localhost
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # grep localhost /etc/hosts
127.0.0.1 localhost
::1 localhost


Axel Rau
Sep 1, 2020, 10:42:29 AM
to Ondřej Surý, bind-...@lists.isc.org
Thanks for answering:

root@ns5:/ # dig NS lrau.net @91.216.35.21

; <<>> DiG 9.16.5 <<>> NS lrau.net @91.216.35.21
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # dig NS lrau.net @localhost

; <<>> DiG 9.16.5 <<>> NS lrau.net @localhost
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # sockstat -p 53
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     cron       59891 5  dgram  -> /var/run/log
root     sendmail   59197 3  dgram  -> /var/run/log
bind     named      47812 3  dgram  -> /var/run/log
bind     named      47812 137 udp4  91.216.35.21:53       *:*
bind     named      47812 138 udp4  91.216.35.21:53       *:*
bind     named      47812 139 udp4  91.216.35.21:53       *:*
bind     named      47812 140 udp4  91.216.35.21:53       *:*
bind     named      47812 141 udp4  91.216.35.21:53       *:*
bind     named      47812 142 udp4  91.216.35.21:53       *:*
bind     named      47812 143 udp4  91.216.35.21:53       *:*
bind     named      47812 144 udp4  91.216.35.21:53       *:*
bind     named      47812 145 udp4  91.216.35.21:53       *:*
bind     named      47812 146 udp4  91.216.35.21:53       *:*
bind     named      47812 147 udp4  91.216.35.21:53       *:*
bind     named      47812 148 udp4  91.216.35.21:53       *:*
bind     named      47812 149 udp4  91.216.35.21:53       *:*
bind     named      47812 150 udp4  91.216.35.21:53       *:*
bind     named      47812 151 udp4  91.216.35.21:53       *:*
bind     named      47812 152 udp4  91.216.35.21:53       *:*
bind     named      47812 154 tcp4  91.216.35.21:53       *:*
bind     named      47812 155 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 156 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 157 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 158 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 159 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 160 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 161 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 162 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 163 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 164 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 165 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 166 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 167 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 168 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 169 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 170 udp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 172 tcp6  2a05:bec0:26:5::71:53 *:*
bind     named      47812 512 udp4  91.216.35.21:53       *:*
bind     named      47812 513 udp6  2a05:bec0:26:5::71:53 *:*
root     rsyslogd   45747 0  dgram  /var/run/log
root     rsyslogd   45747 1  dgram  -> /var/run/log
root@ns5:/ # 


On 01.09.2020 at 16:14, Ondřej Surý <ond...@isc.org> wrote:

> Hi Axel,
>
> the `nc` commands you used for testing prove neither that
> it's that specific `named` listening on that port nor that
> it is a DNS daemon at all. FWIW it could be a dummy UDP/TCP
> server and you would not know.
>
> First you need to use a tool from your operating system
> to check what is listening on those ports, and then use
> `dig` (or other DNS debugging tool) to send actual DNS
> queries.
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org

---
PGP-Key: CDE74120  ☀  computing @ chaos claudius


Petr Menšík
Sep 1, 2020, 10:58:31 AM
to bind-...@lists.isc.org
Please include any listen-on { ... } and listen-on-v6 { ... } clauses.

It seems none of 127.0.0.1; ::1; or localhost; is listed in them.
Because it is not listening on localhost socket, it would not answer any
queries.

If the server should listen on all interfaces, just use:
listen-on { any; };

If it has addresses on which it should not listen, just add localhost;
to current listen-on.

It might be able to respond to:

dig @91.216.35.21 -b 127.0.0.1 localhost

Which would be technically from localhost, but I guess you are looking
for listen-on change.

Cheers,
Petr
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: peme...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB


Axel Rau
Sep 1, 2020, 11:06:45 AM
to Petr Menšík, bind-...@lists.isc.org


On 01.09.2020 at 16:57, Petr Menšík <peme...@redhat.com> wrote:

> Please include any listen-on { ... } and listen-on-v6 { ... } clauses.
>
> It seems none of 127.0.0.1; ::1; or localhost; is listed in them.
> Because it is not listening on localhost socket, it would not answer any
> queries.


Voilà:

    
    Listen-on {
        91.216.35.21;
        127.0.0.1;
    };
    Listen-on-v6 {
        2a05:bec0:26:5::71;
        ::1;
    };

Axel

Axel Rau
Sep 1, 2020, 4:29:27 PM
to bind-...@lists.isc.org
TCP queries are being answered, but UDP queries receive no response.
This is independent of client location (local, remote).

A ktrace shows 8 bytes being written on fd 89 and the same 8 bytes being read on fd 88.
The next read gets an errno 35 (see below).

clueless,
Axel


root@ns5:/var/log # uname -a
FreeBSD ns5 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC  amd64

root@ns5:/var/log # named -V
BIND 9.16.6 (Stable Release) <id:25846cf>
running on FreeBSD amd64 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' '--enable-tcp-fastopen' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1 (tags/RELEASE_801/final 366581)
compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
compiled with libuv version: 1.38.1
linked to libuv version: 1.38.1
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.2
linked to protobuf-c version: 1.3.2
threads support is enabled

23480 isc-socket-0 STRU  struct kevent[] = { { ident=512, filter=EVFILT_READ, flags=0, fflags=0, data=0x35, udata=0x0 } }
 23480 isc-socket-0 RET   kevent 0x1
 23480 isc-socket-0 CALL  recvmsg(0x200,0x7fffdbddbb70,0)
 23480 isc-socket-0 GIO   fd 512 read 53 bytes
       0x0000 552a 0120 0001 0000 0000 0001 0377 7777  |U*. .........www|
       0x0010 0568 6569 7365 0264 6500 0001 0001 0000  |.heise.de.......|
       0x0020 2910 0000 0000 0000 0c00 0a00 0810 a161  |)..............a|
       0x0030 cea7 9c05 fa                             |.....|

 23480 isc-socket-0 STRU  struct sockaddr { AF_INET, 193.105.105.1:56885 }
 23480 isc-socket-0 RET   recvmsg 0x35
 23480 isc-socket-0 CALL  _umtx_op(0x802f38bb8,0x15,0x1,0,0)
 23480 isc-socket-0 RET   _umtx_op 0
 23480 isc-socket-0 CALL  kevent(0x5a,0x7fffdbddbec0,0x1,0,0,0)
 23480 isc-socket-0 STRU  struct kevent[] = { { ident=512, filter=EVFILT_READ, flags=0x2<EV_DELETE>, fflags=0, data=0, udata=0x0 } }
 23480 isc-socket-0 STRU  struct kevent[] = {  }
 23480 isc-socket-0 RET   kevent 0
 23480 isc-socket-0 CALL  kevent(0x5a,0,0,0x802fa7200,0x800,0)
 23480 isc-socket-0 STRU  struct kevent[] = {  }
 23480 isc-worker0000 RET   _umtx_op 0
 23480 isc-worker0000 CALL  recvmsg(0x200,0x7fffddfec9c0,0)
 23480 isc-worker0000 RET   recvmsg -1 errno 35
 23480 isc-worker0000 CALL  write(0x59,0x7fffddfecbc0,0x8)
 23480 isc-worker0000 GIO   fd 89 wrote 8 bytes
       0x0000 0002 0000 fdff ffff                      |........|

 23480 isc-worker0000 RET   write 0x8
 23480 isc-worker0000 CALL  _umtx_op(0x80178f188,0xf,0,0,0)
 23480 isc-socket-0 STRU  struct kevent[] = { { ident=88, filter=EVFILT_READ, flags=0, fflags=0, data=0x8, udata=0x0 } }
 23480 isc-socket-0 RET   kevent 0x1
 23480 isc-socket-0 CALL  read(0x58,0x7fffdbddbe40,0x8)
 23480 isc-socket-0 GIO   fd 88 read 8 bytes
       0x0000 0002 0000 fdff ffff                      |........|

 23480 isc-socket-0 RET   read 0x8
 23480 isc-socket-0 CALL  kevent(0x5a,0x7fffdbddbec0,0x1,0,0,0)
 23480 isc-socket-0 STRU  struct kevent[] = { { ident=512, filter=EVFILT_READ, flags=0x1<EV_ADD>, fflags=0, data=0, udata=0x0 } }
 23480 isc-socket-0 STRU  struct kevent[] = {  }
 23480 isc-socket-0 RET   kevent 0
 23480 isc-socket-0 CALL  read(0x58,0x7fffdbddbe40,0x8)
 23480 isc-socket-0 RET   read -1 errno 35
 23480 isc-socket-0 CALL  kevent(0x5a,0,0,0x802fa7200,0x800,0)
 23480 isc-socket-0 STRU  struct kevent[] = {  }
 23480 isc-socket-0 STRU  struct kevent[] = { { ident=512, filter=EVFILT_READ, flags=0, fflags=0, data=0x35, udata=0x0 } }
 23480 isc-socket-0 RET   kevent 0x1
 23480 isc-socket-0 CALL  recvmsg(0x200,0x7fffdbddbb70,0)
 23480 isc-socket-0 GIO   fd 512 read 53 bytes
       0x0000 552a 0120 0001 0000 0000 0001 0377 7777  |U*. .........www|
       0x0010 0568 6569 7365 0264 6500 0001 0001 0000  |.heise.de.......|
       0x0020 2910 0000 0000 0000 0c00 0a00 0810 a161  |)..............a|
       0x0030 cea7 9c05 fa                             |.....|
. . .
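Ondřej's point earlier in the thread (a successful `nc` connect says nothing about whether a DNS server is answering) and the finding in this last message (TCP answered, UDP silent) can both be checked with one real DNS query per transport. The following is an added example, not code from the thread or from ISC; it assumes only the Python 3 standard library, the 53-byte packet is re-typed from the ktrace above, and the `build_query`, `parse_question`, `is_answer_to` and `probe` names are the example's own.

```python
import os, socket, struct

# Sample input re-typed from the ktrace above: the 53-byte UDP query named
# received (ID 0x552a, www.heise.de/A, plus an EDNS(0) OPT record with a cookie).
CAPTURED_QUERY = bytes.fromhex(
    "552a0120000100000000000103777777" "05686569736502646500000100010000"
    "29100000000000000c000a000810a161" "cea79c05fa")

def build_query(qname, qtype=1, txid=None):
    # Minimal RD=1 query, no EDNS: 12-byte header + QNAME labels + QTYPE/QCLASS IN.
    txid = txid if txid is not None else int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    # Return (txid, flags, qname, qtype) from a wire-format DNS message.
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1: raise ValueError("no question section")
    off, labels = 12, []
    while msg[off]:                      # walk labels until the root (0) byte
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return txid, flags, ".".join(labels) + ".", struct.unpack("!H", msg[off + 1:off + 3])[0]

def is_answer_to(query, resp):
    # A real DNS reply echoes the ID, sets QR (top bit of byte 2) and repeats the question.
    if len(resp) < 12 or resp[:2] != query[:2] or not resp[2] & 0x80:
        return False
    return parse_question(resp)[2:] == parse_question(query)[2:]

def probe(server, qname, timeout=3.0):
    # Send the same query over UDP and TCP to server:53 and report each transport.
    q, out = build_query(qname), {}
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    try:
        with socket.socket(fam, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            out["udp"] = is_answer_to(q, s.recv(4096))
    except OSError:                      # timeout, ICMP unreachable, no route
        out["udp"] = False
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s, \
             s.makefile("rb") as f:
            s.sendall(struct.pack("!H", len(q)) + q)   # RFC 1035 TCP length prefix
            n = struct.unpack("!H", f.read(2))[0]
            out["tcp"] = is_answer_to(q, f.read(n))
    except (OSError, struct.error):
        out["tcp"] = False
    return out
```

Running `probe("127.0.0.1", "lrau.net")` and `probe("::1", "lrau.net")` on the server separates "not listening on that address" (both transports fail) from the UDP-only failure reported above, which `nc -vu` alone cannot show.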