SOLVED:
Yesterday, without any notice, the data centre configured "Security Profile AV, IPS, DNS" on the Fortigate,
and the Fortigate was blocking our DNS queries. They disabled those rules after I reported it.
Great, 10 hours of nerves and debugging... down the drain.
Sorry for bothering you, and thank you for the time you spent on this.
Code:
host -tA wp.pl
wp.pl has address 212.77.98.9
-------
I set up a caching BIND on the server (mainly for the mail server, which runs on the same machine as BIND).
Everything worked fine for a few days. Then it suddenly stopped resolving practically any domain.
Code:
ping onet.pl
ping: onet.pl: Temporary failure in name resolution
Code:
host -tA wp.pl
Host wp.pl not found: 2(SERVFAIL)
Code:
Nov 16 22:25:05 atena named[2824]: client @0x7f4f040104c8 127.0.0.1#36200 (ntp.ubuntu.com): query: ntp.ubuntu.com IN A + (127.0.0.1)
Nov 16 22:25:05 atena named[2824]: client @0x7f4f04017228 127.0.0.1#36200 (ntp.ubuntu.com): query: ntp.ubuntu.com IN AAAA + (127.0.0.1)
Nov 16 22:25:05 atena named[2824]: SERVFAIL unexpected RCODE resolving '_.com/A/IN': 199.9.14.201#53
Nov 16 22:25:05 atena named[2824]: SERVFAIL unexpected RCODE resolving '_.com/A/IN': 198.97.190.53#53
[..]
Nov 16 22:25:05 atena named[2824]: SERVFAIL unexpected RCODE resolving 'ntp.ubuntu.com/A/IN': 199.9.14.201#53
Nov 16 22:25:05 atena named[2824]: SERVFAIL unexpected RCODE resolving 'ntp.ubuntu.com/AAAA/IN': 199.9.14.201#53
[..]
The server runs on a virtual machine in a data centre (before I start hammering them about it, maybe you can help me find a solution).
Ubuntu 21.10 (I needed PHP 8.0, hence this choice rather than LTS)
Code:
BIND 9.16.15-Ubuntu (Stable Release) <id:4469e3e>
running on Linux x86_64 5.13.0-21-generic #21-Ubuntu SMP Tue Oct 19 08:59:28 UTC 2021
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/bind9-Q8tYQJ/bind9-9.16.15=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 11.2.0
compiled with OpenSSL version: OpenSSL 1.1.1l 24 Aug 2021
linked to OpenSSL version: OpenSSL 1.1.1l 24 Aug 2021
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libxml2 version: 2.9.12
linked to libxml2 version: 20912
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
/etc/bind/named.conf.options
Code:
dnssec-validation auto;
listen-on-v6 { any; };
// hide version number from clients for security reasons.
version "not currently available";
// optional - BIND default behavior is recursion
recursion yes;
// provide recursion service to trusted clients only
allow-recursion { 127.0.0.1; };
// enable the query log
querylog yes;
max-cache-size 5%;
Out of curiosity I killed BIND; this is what was in the logs:
Nov 16 22:24:35 atena systemd-resolved[2639]: Using degraded feature set UDP instead of TCP for DNS server 127.0.0.1.
Nov 16 22:24:35 atena systemd-resolved[2639]: Using degraded feature set TCP instead of UDP for DNS server 127.0.0.1.
When BIND starts:
Code:
Nov 16 22:24:43 atena named[2824]: BIND 9 is maintained by Internet Systems Consortium,
Nov 16 22:24:43 atena named[2824]: Inc. (ISC), a non-profit 501(c)(3) public-benefit.
Nov 16 22:24:43 atena named[2824]: corporation. Support and training for BIND 9 are.
Nov 16 22:24:43 atena named[2824]: available at https://www.isc.org/support
Nov 16 22:24:43 atena named[2824]: ----------------------------------------------------
Nov 16 22:24:43 atena named[2824]: adjusted limit on open files from 524288 to 1048576
Nov 16 22:24:43 atena named[2824]: found 4 CPUs, using 4 worker threads
Nov 16 22:24:43 atena named[2824]: using 4 UDP listeners per interface
Nov 16 22:24:43 atena named[2824]: using up to 21000 sockets
Nov 16 22:24:43 atena named[2824]: loading configuration from '/etc/bind/named.conf'
Nov 16 22:24:43 atena named[2824]: reading built-in trust anchors from file '/etc/bind/bind.keys'
Nov 16 22:24:43 atena named[2824]: looking for GeoIP2 databases in '/usr/share/GeoIP'
Nov 16 22:24:43 atena named[2824]: using default UDP/IPv4 port range: [32768, 60999]
Nov 16 22:24:43 atena named[2824]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 16 22:24:43 atena named[2824]: listening on IPv4 interface ens160, 10.7.50.100#53
Nov 16 22:24:43 atena named[2824]: generating session key for dynamic DNS
Nov 16 22:24:43 atena named[2824]: sizing zone task pool based on 5 zones
Nov 16 22:24:43 atena named[2824]: /etc/bind/named.conf.options:39: 'max-cache-size 5%' - setting to 800MB (out of 16003MB)
Nov 16 22:24:43 atena named[2824]: obtaining root key for view _default from '/etc/bind/bind.keys'
Nov 16 22:24:43 atena named[2824]: set up managed keys zone for view _default, file 'managed-keys.bind'
Nov 16 22:24:43 atena named[2824]: automatic empty zone: 10.IN-ADDR.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: 16.172.IN-ADDR.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: 17.172.IN-ADDR.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: 18.172.IN-ADDR.ARPA
[..]
Nov 16 22:24:43 atena named[2824]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: D.F.IP6.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: 8.E.F.IP6.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: 9.E.F.IP6.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: A.E.F.IP6.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: B.E.F.IP6.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: EMPTY.AS112.ARPA
Nov 16 22:24:43 atena named[2824]: automatic empty zone: HOME.ARPA
Nov 16 22:24:43 atena named[2824]: /etc/bind/named.conf.options:39: 'max-cache-size 5%' - setting to 800MB (out of 16003MB)
Nov 16 22:24:43 atena named[2824]: configuring command channel from '/etc/bind/rndc.key'
Nov 16 22:24:43 atena named[2824]: command channel listening on 127.0.0.1#953
Nov 16 22:24:43 atena named[2824]: managed-keys-zone: loaded serial 30
Nov 16 22:24:43 atena named[2824]: zone 0.in-addr.arpa/IN: loaded serial 1
Nov 16 22:24:43 atena named[2824]: zone 127.in-addr.arpa/IN: loaded serial 1
Nov 16 22:24:43 atena named[2824]: zone 255.in-addr.arpa/IN: loaded serial 1
Nov 16 22:24:43 atena named[2824]: zone localhost/IN: loaded serial 2
Nov 16 22:24:43 atena named[2824]: all zones loaded
Nov 16 22:24:43 atena named[2824]: running
Nov 16 22:24:43 atena systemd[1]: Started BIND Domain Name Server.
Nov 16 22:24:43 atena systemd[1]: Starting local BIND 9 via resolvconf...
Is there any way to diagnose more precisely what is going on?
It is possible to connect to port 53 on b.root-servers.net [TCP]
Code:
telnet 199.9.14.201 53
Trying 199.9.14.201...
Connected to 199.9.14.201.
Escape character is '^]'.
^]
Code:
dig google.com @199.9.14.201
; <<>> DiG 9.16.15-Ubuntu <<>> google.com @199.9.14.201
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56579
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 37cd31ec47762f02 (echoed)
;; QUESTION SECTION:
;google.com. IN A
;; Query time: 0 msec
;; SERVER: 199.9.14.201#53(199.9.14.201)
;; WHEN: Tue Nov 16 22:48:01 CET 2021
;; MSG SIZE rcvd: 51
I disabled BIND and restored the resolver
/etc/systemd/resolved.conf
Code:
DNS=8.8.8.8 8.8.4.4
DNSSEC=no
Code:
dig wp.pl
; <<>> DiG 9.16.15-Ubuntu <<>> wp.pl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24521
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;wp.pl. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Nov 16 23:29:35 CET 2021
;; MSG SIZE rcvd: 34
Code:
dig +trace wp.pl
; <<>> DiG 9.16.15-Ubuntu <<>> +trace wp.pl
;; global options: +cmd
. 30500 IN NS m.root-servers.net.
. 30500 IN NS b.root-servers.net.
. 30500 IN NS c.root-servers.net.
. 30500 IN NS d.root-servers.net.
. 30500 IN NS e.root-servers.net.
. 30500 IN NS f.root-servers.net.
. 30500 IN NS g.root-servers.net.
. 30500 IN NS h.root-servers.net.
. 30500 IN NS a.root-servers.net.
. 30500 IN NS i.root-servers.net.
. 30500 IN NS j.root-servers.net.
. 30500 IN NS k.root-servers.net.
. 30500 IN NS l.root-servers.net.
couldn't get address for 'm.root-servers.net': failure
couldn't get address for 'b.root-servers.net': failure
couldn't get address for 'c.root-servers.net': failure
couldn't get address for 'd.root-servers.net': failure
couldn't get address for 'e.root-servers.net': failure
couldn't get address for 'f.root-servers.net': failure
couldn't get address for 'g.root-servers.net': failure
couldn't get address for 'h.root-servers.net': failure
couldn't get address for 'a.root-servers.net': failure
couldn't get address for 'i.root-servers.net': failure
couldn't get address for 'j.root-servers.net': failure
couldn't get address for 'k.root-servers.net': failure
couldn't get address for 'l.root-servers.net': failure
dig: couldn't get address for 'm.root-servers.net': no more
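An added diagnostic, not part of the post above and not something the poster ran: the question "is there any way to diagnose more precisely what is going on?" can be answered with a probe that separates the transport from the answer. A root server such as b.root-servers.net is authoritative-only: for a non-recursive query it returns NOERROR with a referral in the authority section and never sets RA. A SERVFAIL from that address (the exact header the dig output above shows: "qr rd ad", SERVFAIL, no answer) therefore means some device in the path answered instead, which is what the Fortigate profile turned out to be. The script below builds a raw query, sends it over UDP and over TCP separately (a successful telnet to port 53 only proves the TCP handshake, not that a DNS reply gets through), decodes only the reply header and labels the result. Addresses (199.9.14.201, 8.8.8.8) and the name google.com are taken from the post; the classification rules are standard DNS behaviour and everything else is my own construction.

```python
# Added diagnostic probe (not from the post). Sends the same question over UDP
# and TCP to a server and decodes only the reply header, so transport-specific
# interference and "wrong kind of answer" cases can be told apart.
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
ROOT_B = "199.9.14.201"   # b.root-servers.net, the address tested in the post
FORWARDER = "8.8.8.8"     # the forwarder configured in resolved.conf in the post


def build_query(name, qtype=1, rd=False):
    """Return (txid, wire) for a minimal RFC 1035 query; rd=False asks like an iterative resolver."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def parse_header(data, expected_txid=None):
    """Decode the 12-byte DNS header: flags, rcode and section counts."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return {
        "id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020),
        "rcode": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(hdr, expects_referral):
    """Judge a reply header. expects_referral=True for a root server, False for a recursive forwarder."""
    if not hdr["qr"]:
        return "anomalous: QR bit clear, this is a query not a response"
    if expects_referral and hdr["ra"]:
        return "anomalous: root servers are authoritative-only, yet RA is set; something else answered"
    if hdr["rcode"] == "NOERROR":
        if expects_referral and hdr["nscount"] > 0:
            return "ok: referral (NS records in the authority section)"
        if not expects_referral and hdr["ancount"] > 0:
            return "ok: answer"
        return "ok: NOERROR but no usable records"
    if hdr["rcode"] == "SERVFAIL" and expects_referral:
        return "anomalous: a root server does not SERVFAIL a plain referral; suspect in-path filtering"
    if hdr["rcode"] == "REFUSED":
        return "refused: server policy or ACL declined the query"
    return "failure: " + hdr["rcode"]


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return buf


def probe(server, name, proto, rd=False, timeout=3.0):
    """Send one query over 'udp' or 'tcp'; return the parsed header, or an error string."""
    txid, wire = build_query(name, rd=rd)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(wire, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(wire)) + wire)  # TCP framing: 2-byte length prefix
                data = recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0])
        return parse_header(data, expected_txid=txid)
    except (OSError, ValueError) as exc:
        return "error: %s" % exc


if __name__ == "__main__":
    for server, referral in ((ROOT_B, True), (FORWARDER, False)):
        for proto in ("udp", "tcp"):
            r = probe(server, "google.com", proto, rd=not referral)
            print("%-14s %-3s %s" % (server, proto, r if isinstance(r, str) else
                                      "%s -> %s" % (r["rcode"], classify(r, referral))))
```

Run it from the affected host and compare the four lines: a timeout on one transport points at a port or protocol block, a SERVFAIL or an RA-bearing reply from the root address points at something answering on the server's behalf, and "ok: referral" plus "ok: answer" on both transports means the path is clean and the problem is local to the resolver configuration.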