Recent Problem with BIND 9 under Windows XP

Vinny Abello vinny at tellurian.com
Thu Jun 28 03:13:53 UTC 2007


Vincent Poy wrote:

<<snip>>

>> Remember when you're testing it and it appears to work from the command line,
>> you are running from a different user account. You could possibly try to run it
>> from the command line using the runas utility and specify the credentials that the
>> service runs under, but I've never tried it and don't know what result you might
>> get. It should work in theory though. I would give that a try if logging to file turns
>> up nothing.
> 
> You're right about the lack of syslog in Windows so it will only log an
> event rather than detailed like syslog on a Unix box would.  Is there
> a way to log to a specific logfile using named.conf in Windows?

See at the end of this message.

> Thanks for the reminder about testing named from the command line, it
> runs from a different user account.  I tried running it on the command
> line as the named user and it appears to run correctly:
> 

<<snip>> 

> When I tested it originally, it was running from the vince account on
> the command line and the vince account is set up as an Administrator.

That's what I suspected.

> One thing that puzzles me is that for the ISC BIND service, if I
> change it to run as Local System Account, it will run fine but if I
> tried it with named or vince, it will have the problem after 3 seconds
> (I timed it this time) that I mentioned when I wrote the original
> message about this problem.  So I don't know why it won't start the
> service running as the named user when it worked in the past.

I think your NTFS permissions may not be set up to allow the account you have set up for the BIND service to write out data. Maybe the permissions were reset from a higher directory and propagated down that is restricting writing temporary files, or maybe permissions on just specific files are not being inherited properly...

Do something like the following in the named.conf. Note that this is very customized and is designed to sort different log events into different files. You may not need this for your simple troubleshooting, but it's nice to have. Be sure the service account can write files out to the place you define for the logs to be created. You'll probably see something in the logs where it cannot create a file or modify a file.

logging {
	channel named_log {
		file "c:\bind\log\named.log" versions 3 size 1m;
		severity dynamic;
		print-category yes;
		print-time yes;
	};
	channel security_log {
		file "c:\bind\log\security.log" versions 3 size 1m;
		severity dynamic;
		print-category yes;
		print-time yes;	
	};
	channel update_log {
		file "c:\bind\log\update.log" versions 3 size 1m;
		severity dynamic;
		print-category yes;
		print-time yes;
	};
	channel xfer_log {
		file "c:\bind\log\xfer.log" versions 3 size 1m;
		severity dynamic;
		print-category yes;
		print-time yes;
	};
	category default { named_log; };
	category lame-servers { null; };
	category security { security_log; };
	category update { update_log; };
	category update-security { update_log; };
	category xfer-in { xfer_log; };
	category xfer-out { xfer_log; };
};


-- 

Vinny Abello
Network Engineer
vinny at tellurian.com
(973)940-6100
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

"Courage is resistance to fear, mastery of fear - not absence of fear" -- Mark Twain
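
An added example, not part of the original message: the script below reads the file destinations from a named.conf logging stanza like the one above and tries to create, rename and delete a scratch file in each log directory, reporting the OS error if the account it runs under cannot. It is meant to be run as the BIND service account (for instance through runas, as suggested earlier in the thread); the function names and the "named-probe-" file prefix are assumptions of this example.

```python
import os
import re
import sys
import tempfile

# Quoted strings are matched first so comment markers inside them survive.
_COMMENT = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_CHANNEL = re.compile(r'\bchannel\s+([\w-]+)\s*\{(.*?)\}\s*;', re.S)
_FILE = re.compile(r'\bfile\s+"([^"]+)"')


def channel_files(conf_text):
    """Map each logging channel that has a file destination to its path."""
    text = _COMMENT.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", conf_text)
    found = {}
    for name, body in _CHANNEL.findall(text):
        m = _FILE.search(body)
        if m:
            found[name] = m.group(1)
    return found


def probe(log_path):
    """Create, rename and delete a scratch file beside log_path.

    Rolling with "versions N" renames old logs, so create alone is not enough.
    Returns None on success, or the OS error text for the current account.
    """
    directory = os.path.dirname(log_path) or "."
    try:
        fd, tmp = tempfile.mkstemp(prefix="named-probe-", dir=directory)
        os.close(fd)
        os.replace(tmp, tmp + ".0")
        os.remove(tmp + ".0")
        return None
    except OSError as exc:
        return str(exc)


def check(conf_text):
    """Return {channel: None or error text} for every file channel."""
    return {name: probe(path) for name, path in channel_files(conf_text).items()}


if __name__ == "__main__":
    with open(sys.argv[1]) as fh:  # path to named.conf
        results = check(fh.read())
    for name, err in sorted(results.items()):
        print(f"{name}: {'ok' if err is None else 'FAILED - ' + err}")
    sys.exit(1 if any(results.values()) else 0)
```

The exit status is non-zero when any channel's directory fails the probe, so the script can be used in a scheduled check after permissions are changed.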


