Discussion:
No response from localhost with "allow-query { any; };"
Axel Rau
2020-09-01 14:11:28 UTC
Hi!

This is a new server, which answers external queries, sends notifies and pushes axfrs.
It does not answer any query from localhost, nor does it show any notifies from master in the logs.

From local:
***@ns5:/ # nc -v localhost 53
Connection to localhost 53 port [tcp/domain] succeeded!
^C
***@ns5:/ # nc -vu localhost 53
Connection to localhost 53 port [udp/domain] succeeded!

From master server:
[hermes:local/etc/namedb] root# nc -v ns5.lrau.net 53
Connection to ns5.lrau.net 53 port [tcp/domain] succeeded!
^C
[hermes:local/etc/namedb] root# nc -vu ns5.lrau.net 53
Connection to ns5.lrau.net 53 port [udp/domain] succeeded!


Any help greatly appreciated,
Axel

PS:

part of named.conf:
allow-notify {
hermes-ns5;
};
allow-transfer {
full-trusted;
ns5-ping;
ns4-he;
management-hosts;
};
allow-query { any; };
allow-query-cache { recursive-users; };
allow-recursion { recursive-users; };


***@ns5:/usr/local/etc/namedb/working/slave # named -V
BIND 9.16.5 (Stable Release) <id:c00b458>
running on FreeBSD amd64 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--disable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' '--with-tuning=default' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1 (tags/RELEASE_801/final 366581)
compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d-freebsd 10 Sep 2019
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.14
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock

---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
Ondřej Surý
2020-09-01 14:14:27 UTC
Hi Axel,

the `nc` commands you used for testing prove neither that
it’s that specific `named` listening on that port nor that it is a DNS
daemon at all. FWIW it could be a dummy UDP/TCP server
and you would not know.

First you need to use a tool from your operating system
to check what is listening on those ports, and then use
`dig` (or other DNS debugging tool) to send actual DNS
queries.

Ondrej
--
Ondřej Surý (He/Him)
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users
Warren Kumari
2020-09-01 14:18:15 UTC
What is 'localhost'?

The output you included doesn't really show very much, other than that nc
connects to port 53.

I'd suggest:
dig ns5.lrau.net @localhost
dig ns5.lrau.net @127.0.0.1
dig ns5.lrau.net @::1

Also, have a look in /etc/hosts and make sure that you have something like:
127.0.0.1 localhost


(nc may be connecting over v4 and <whatever else you used to test> may be
doing v6, etc...)

W
--
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
---maf
Axel Rau
2020-09-01 14:30:44 UTC
Thanks for your answer!
The output you included doesn't really show very much, other than that nc connects to port 53.
127.0.0.1 localhost
(nc may be connecting over v4 and <whatever else you used to test> may be doing v6, etc...)
; <<>> DiG 9.16.5 <<>> NS lrau.net @127.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached

***@ns5:/ # dig NS lrau.net @::1

; <<>> DiG 9.16.5 <<>> NS lrau.net @::1
;; global options: +cmd
;; connection timed out; no servers could be reached

***@ns5:/ # dig NS lrau.net @91.216.35.21

; <<>> DiG 9.16.5 <<>> NS lrau.net @91.216.35.21
;; global options: +cmd
;; connection timed out; no servers could be reached

***@ns5:/ # dig NS lrau.net @localhost

; <<>> DiG 9.16.5 <<>> NS lrau.net @localhost
;; global options: +cmd
;; connection timed out; no servers could be reached

***@ns5:/ # grep localhost /etc/hosts
127.0.0.1 localhost
::1 localhost

---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
Axel Rau
2020-09-01 14:41:55 UTC
Thanks for answering:

***@ns5:/ # dig NS lrau.net @91.216.35.21

; <<>> DiG 9.16.5 <<>> NS lrau.net @91.216.35.21
;; global options: +cmd
;; connection timed out; no servers could be reached

***@ns5:/ # dig NS lrau.net @localhost

; <<>> DiG 9.16.5 <<>> NS lrau.net @localhost
;; global options: +cmd
;; connection timed out; no servers could be reached

***@ns5:/ # sockstat -p 53
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root cron 59891 5 dgram -> /var/run/log
root sendmail 59197 3 dgram -> /var/run/log
bind named 47812 3 dgram -> /var/run/log
bind named 47812 137 udp4 91.216.35.21:53 *:*
bind named 47812 138 udp4 91.216.35.21:53 *:*
bind named 47812 139 udp4 91.216.35.21:53 *:*
bind named 47812 140 udp4 91.216.35.21:53 *:*
bind named 47812 141 udp4 91.216.35.21:53 *:*
bind named 47812 142 udp4 91.216.35.21:53 *:*
bind named 47812 143 udp4 91.216.35.21:53 *:*
bind named 47812 144 udp4 91.216.35.21:53 *:*
bind named 47812 145 udp4 91.216.35.21:53 *:*
bind named 47812 146 udp4 91.216.35.21:53 *:*
bind named 47812 147 udp4 91.216.35.21:53 *:*
bind named 47812 148 udp4 91.216.35.21:53 *:*
bind named 47812 149 udp4 91.216.35.21:53 *:*
bind named 47812 150 udp4 91.216.35.21:53 *:*
bind named 47812 151 udp4 91.216.35.21:53 *:*
bind named 47812 152 udp4 91.216.35.21:53 *:*
bind named 47812 154 tcp4 91.216.35.21:53 *:*
bind named 47812 155 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 156 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 157 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 158 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 159 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 160 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 161 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 162 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 163 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 164 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 165 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 166 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 167 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 168 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 169 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 170 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 172 tcp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 512 udp4 91.216.35.21:53 *:*
bind named 47812 513 udp6 2a05:bec0:26:5::71:53 *:*
root rsyslogd 45747 0 dgram /var/run/log
root rsyslogd 45747 1 dgram -> /var/run/log
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
Petr Menšík
2020-09-01 14:57:39 UTC
Please include any listen-on { ... } and listen-on-v6 { ... } clauses.

It seems that none of 127.0.0.1; ::1; or localhost; is listed in them.
Because it is not listening on localhost socket, it would not answer any
queries.

If the server should listen on all interfaces, just use:
listen-on { any; };

If it has addresses on which it should not listen, just add localhost;
to current listen-on.

It might be able to respond to:

dig @91.216.35.21 -b 127.0.0.1 localhost

Which would be technically from localhost, but I guess you are looking
for listen-on change.

Cheers,
Petr
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: ***@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
Axel Rau
2020-09-01 15:06:25 UTC
Post by Petr Menšík
Please include any listen-on { ... } and listen-on-v6 { ... } clauses.
It seems that none of 127.0.0.1; ::1; or localhost; is listed in them.
Because it is not listening on localhost socket, it would not answer any
queries.
Voilà:


Listen-on {
91.216.35.21;
127.0.0.1;
};
Listen-on-v6 {
2a05:bec0:26:5::71;
::1;
};

Axel
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
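
The listen-on lists in this post can be checked against the sockets `named` actually holds, which is the comparison the earlier replies ask for. The following Python sketch is an added example, not part of the original thread: it parses `sockstat -p 53` output (abridged here from the output posted earlier, one line per socket type) and reports configured addresses that have no bound UDP or TCP socket. The function names are hypothetical.

```python
import ipaddress

# Abridged from the `sockstat -p 53` output posted earlier in the thread.
SOCKSTAT = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root cron 59891 5 dgram -> /var/run/log
bind named 47812 3 dgram -> /var/run/log
bind named 47812 137 udp4 91.216.35.21:53 *:*
bind named 47812 154 tcp4 91.216.35.21:53 *:*
bind named 47812 155 udp6 2a05:bec0:26:5::71:53 *:*
bind named 47812 172 tcp6 2a05:bec0:26:5::71:53 *:*
"""

# Addresses from the listen-on / listen-on-v6 blocks posted above.
CONFIGURED = ["91.216.35.21", "127.0.0.1", "2a05:bec0:26:5::71", "::1"]


def bound_sockets(sockstat_text, command="named", port=53):
    """Return a set of (transport, address) pairs bound by `command` on `port`.

    A wildcard bind such as `*:53` is recorded as "*4" or "*6" per family.
    """
    bound = set()
    for line in sockstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[1] != command:
            continue
        proto = fields[4]                      # udp4, tcp4, udp6, tcp6, tcp46
        if proto[:3] not in ("udp", "tcp"):
            continue                           # skips the unix dgram log sockets
        # The port follows the LAST colon, which also works for IPv6 literals.
        host, _, local_port = fields[5].rpartition(":")
        if local_port != str(port):
            continue
        transport, families = proto[:3], proto[3:]
        if host == "*":
            bound.update((transport, "*" + fam) for fam in families)
        else:
            # Drop an IPv6 zone id (fe80::1%em0) before parsing.
            bound.add((transport, ipaddress.ip_address(host.split("%")[0])))
    return bound


def missing_listeners(configured, bound):
    """List (transport, address) pairs that are configured but not bound."""
    missing = []
    for text in configured:
        addr = ipaddress.ip_address(text)
        for transport in ("udp", "tcp"):
            wildcard = (transport, "*%d" % addr.version)
            if (transport, addr) in bound or wildcard in bound:
                continue
            missing.append((transport, text))
    return missing


if __name__ == "__main__":
    for transport, addr in missing_listeners(CONFIGURED, bound_sockets(SOCKSTAT)):
        print("no %s socket bound on %s port 53" % (transport, addr))
```
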
Axel Rau
2020-09-01 20:28:57 UTC
tcp queries are being answered, but udp queries receive no response.
This is independent of client location (local, remote).

A ktrace shows 8 bytes are written on fd 89, then the 8 bytes are read on fd 88.
The next read gets an errno 35 (see below).

clueless,
Axel


***@ns5:/var/log # uname -a
FreeBSD ns5 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC amd64

***@ns5:/var/log # named -V
BIND 9.16.6 (Stable Release) <id:25846cf>
running on FreeBSD amd64 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' '--enable-tcp-fastopen' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1 (tags/RELEASE_801/final 366581)
compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d-freebsd 10 Sep 2019
compiled with libuv version: 1.38.1
linked to libuv version: 1.38.1
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.2
linked to protobuf-c version: 1.3.2
threads support is enabled

23480 isc-socket-0 STRU struct kevent[] = { { ident=512, filter=EVFILT_READ, flags=0, fflags=0, data=0x35, udata=0x0 } }
23480 isc-socket-0 RET kevent 0x1
23480 isc-socket-0 CALL recvmsg(0x200,0x7fffdbddbb70,0)
23480 isc-socket-0 GIO fd 512 read 53 bytes
0x0000 552a 0120 0001 0000 0000 0001 0377 7777 |U*. .........www|
0x0010 0568 6569 7365 0264 6500 0001 0001 0000 |.heise.de.......|
0x0020 2910 0000 0000 0000 0c00 0a00 0810 a161 |)..............a|
0x0030 cea7 9c05 fa |.....|

23480 isc-socket-0 STRU struct sockaddr { AF_INET, 193.105.105.1:56885 }
23480 isc-socket-0 RET recvmsg 0x35
23480 isc-socket-0 CALL _umtx_op(0x802f38bb8,0x15,0x1,0,0)
23480 isc-socket-0 RET _umtx_op 0
23480 isc-socket-0 CALL kevent(0x5a,0x7fffdbddbec0,0x1,0,0,0)
23480 isc-socket-0 STRU struct kevent[] = { { ident=512, filter=EVFILT_READ, flags=0x2<EV_DELETE>, fflags=0, data=0, udata=0x0 } }
23480 isc-socket-0 STRU struct kevent[] = { }
23480 isc-socket-0 RET kevent 0
23480 isc-socket-0 CALL kevent(0x5a,0,0,0x802fa7200,0x800,0)
23480 isc-socket-0 STRU struct kevent[] = { }
23480 isc-worker0000 RET _umtx_op 0
23480 isc-worker0000 CALL recvmsg(0x200,0x7fffddfec9c0,0)
23480 isc-worker0000 RET recvmsg -1 errno 35
23480 isc-worker0000 CALL write(0x59,0x7fffddfecbc0,0x8)
23480 isc-worker0000 GIO fd 89 wrote 8 bytes
0x0000 0002 0000 fdff ffff |........|

23480 isc-worker0000 RET write 0x8
23480 isc-worker0000 CALL _umtx_op(0x80178f188,0xf,0,0,0)
23480 isc-socket-0 STRU struct kevent[] = { { ident=88, filter=EVFILT_READ, flags=0, fflags=0, data=0x8, udata=0x0 } }
23480 isc-socket-0 RET kevent 0x1
23480 isc-socket-0 CALL read(0x58,0x7fffdbddbe40,0x8)
23480 isc-socket-0 GIO fd 88 read 8 bytes
0x0000 0002 0000 fdff ffff |........|

23480 isc-socket-0 RET read 0x8
23480 isc-socket-0 CALL kevent(0x5a,0x7fffdbddbec0,0x1,0,0,0)
23480 isc-socket-0 STRU struct kevent[] = { { ident=512, filter=EVFILT_READ, flags=0x1<EV_ADD>, fflags=0, data=0, udata=0x0 } }
23480 isc-socket-0 STRU struct kevent[] = { }
23480 isc-socket-0 RET kevent 0
23480 isc-socket-0 CALL read(0x58,0x7fffdbddbe40,0x8)
23480 isc-socket-0 RET read -1 errno 35
23480 isc-socket-0 CALL kevent(0x5a,0,0,0x802fa7200,0x800,0)
23480 isc-socket-0 STRU struct kevent[] = { }
23480 isc-socket-0 STRU struct kevent[] = { { ident=512, filter=EVFILT_READ, flags=0, fflags=0, data=0x35, udata=0x0 } }
23480 isc-socket-0 RET kevent 0x1
23480 isc-socket-0 CALL recvmsg(0x200,0x7fffdbddbb70,0)
23480 isc-socket-0 GIO fd 512 read 53 bytes
0x0000 552a 0120 0001 0000 0000 0001 0377 7777 |U*. .........www|
0x0010 0568 6569 7365 0264 6500 0001 0001 0000 |.heise.de.......|
0x0020 2910 0000 0000 0000 0c00 0a00 0810 a161 |)..............a|
0x0030 cea7 9c05 fa |.....|
. . .
---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
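
The 53-byte datagram that the ktrace shows being read on fd 512 can be decoded to confirm what reached the `named` process. The following Python sketch is an added example, not part of the original thread: it turns the GIO hex dump copied from the post above back into bytes and parses the DNS header, question and EDNS OPT record. The function names are hypothetical.

```python
import struct

# GIO dump of the datagram read on fd 512, copied from the ktrace in the post above.
KTRACE_DUMP = """\
0x0000 552a 0120 0001 0000 0000 0001 0377 7777 |U*. .........www|
0x0010 0568 6569 7365 0264 6500 0001 0001 0000 |.heise.de.......|
0x0020 2910 0000 0000 0000 0c00 0a00 0810 a161 |)..............a|
0x0030 cea7 9c05 fa |.....|
"""


def hexdump_to_bytes(dump):
    """Rebuild the raw bytes from ktrace GIO lines (offset, hex words, |ascii|)."""
    data = bytearray()
    for line in dump.splitlines():
        fields = line.split("|", 1)[0].split()   # drop the ASCII column
        if not fields or not fields[0].startswith("0x"):
            continue
        data += bytes.fromhex("".join(fields[1:]))
    return bytes(data)


def read_name(msg, off):
    """Decode a domain name at `off`; returns (name, offset after the name)."""
    labels, jumps, resume = [], 0, None
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if resume is None:
                resume = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumps += 1
            if jumps > 16:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", (resume if resume is not None else off)


def parse_message(msg):
    """Parse header, questions and any EDNS OPT record of a DNS message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    info = {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rd": bool(flags & 0x0100), "ad": bool(flags & 0x0020),
            "rcode": flags & 0xF, "questions": [], "edns": None}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        info["questions"].append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        off += rdlen
        if rtype == 41:                          # OPT: class carries the UDP size
            options, pos = {}, 0
            while pos + 4 <= rdlen:
                code, olen = struct.unpack_from("!HH", rdata, pos)
                options[code] = rdata[pos + 4:pos + 4 + olen]
                pos += 4 + olen
            info["edns"] = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF,
                            "options": options}
    info["trailing"] = len(msg) - off
    return info


if __name__ == "__main__":
    print(parse_message(hexdump_to_bytes(KTRACE_DUMP)))
```

The decoded message is a standard query (QR=0, RD set) for `www.heise.de.` type A, class IN, with an EDNS OPT record carrying option code 10 (COOKIE). The `errno 35` in the trace is FreeBSD's EAGAIN.
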
