Recent Problem with BIND 9 under Windows XP

Vinny Abello vinny at tellurian.com
Thu Jun 28 15:53:16 UTC 2007


Grab a utility like filemon to see what named.exe is trying to do when you start the service. That may give you a big hint.

http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx

Vincent Poy wrote:
> On 6/28/07, Danny Mayer <mayer at ntp.isc.org> wrote:
>> Vincent Poy wrote:
>>> Greetings everyone:
>>>
>>> I'm having a problem with starting the ISC BIND service under Windows
>>> XP SP2 with all the latest MS patches.  I had been running BIND 9 for
>>> quite some time, and every version of BIND 9 including betas, release
>>> candidates and release versions including 9.4.1 had run fine until
>>> recently; I am not sure exactly when it broke, since I don't usually
>>> check whether BIND started except after each installation and reboot.
>>> The config file has not been modified.  BIND is owned by the named
>>> account and is installed in C:\Windows\System32\dns, with that
>>> directory and all directories under it giving the named account full
>>> permission to read/write.  My system acts as a secondary DNS with
>>> named.conf located in C:\WINDOWS\SYSTEM32\dns\etc.  When the system
>>> tries to start the ISC BIND service, it logs two Error events in the
>>> event manager under System:
>>>
>>> Timeout (30000 milliseconds) waiting for the ISC BIND service to connect.
>>>
>>> followed by:
>>>
>>> The ISC BIND service failed to start due to the following error:
>>> The service did not respond to the start or control request in a
>>> timely fashion.
>>>
>> This indicates that named did not register itself when the service
>> started. It needs to do that within the timeout period. I have only seen
>> this happen when there are command-line arguments that keep it in the
>> foreground even though it is being run as a service. The only options
>> that would cause it to do that are -f and -g, and those shouldn't normally
>> be used when running it as a service. Did you start the service manually
>> via the MSC? What does the following key look like?
> 
> In the MSC, it's started as c:\windows\system32\dns\bin\named.exe with
> no options.  I tried adding the -f and -g options but the results were
> the same.  And as I mentioned previously, the service fails even
> when manually started, since it gives that pop-up window, but the
> service starts fine when it's run as Local System instead of the named
> user.  named.exe runs fine as the named user from the command line and
> from the vince user, which is an administrator account.
> 
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\named\ImagePath
> 
> C:\WINDOWS\system32\dns\bin\named.exe
> 
>> What permissions does the named account have to access the named.conf
>> file and the associated files? Make sure that you don't have a pid file
>> in the directory. In fact you don't need a pid file so set the option to
>> none:
>>
>> pid-file none;
> 
> The named account has full access to c:\windows\system32\dns, except I
> noticed that all directories from c:\windows\system32\dns down have
> the read-only attribute set when you open their Properties, while the
> files do not.  Here are the permissions of c:\windows\system32\dns and
> all directories under it, which are etc and bin:
> 
> C:\Documents and Settings\vince>cacls c:\windows\system32\dns
> c:\windows\system32\dns SOLAR\named:(OI)(CI)F
>                         NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
>                                                     READ_CONTROL
>                                                     SYNCHRONIZE
>                                                     FILE_GENERIC_READ
>                                                     FILE_GENERIC_WRITE
>                                                     FILE_READ_DATA
>                                                     FILE_WRITE_DATA
>                                                     FILE_APPEND_DATA
>                                                     FILE_READ_EA
>                                                     FILE_WRITE_EA
>                                                     FILE_READ_ATTRIBUTES
>                                                     FILE_WRITE_ATTRIBUTES
> 
>                         Everyone:(OI)(CI)F
>                         NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
>                                                     DELETE
>                                                     FILE_DELETE_CHILD
> 
> 
> 
> C:\Documents and Settings\vince>cacls c:\windows\system32\dns\bin
> c:\windows\system32\dns\bin SOLAR\named:(OI)(CI)F
>                             NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
>                                                         READ_CONTROL
>                                                         SYNCHRONIZE
>                                                         FILE_GENERIC_READ
>                                                         FILE_GENERIC_WRITE
>                                                         FILE_READ_DATA
>                                                         FILE_WRITE_DATA
>                                                         FILE_APPEND_DATA
>                                                         FILE_READ_EA
>                                                         FILE_WRITE_EA
>                                                         FILE_READ_ATTRIBUTES
>                                                         FILE_WRITE_ATTRIBUTES
> 
>                             Everyone:(OI)(CI)F
>                             NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
>                                                         DELETE
>                                                         FILE_DELETE_CHILD
> 
> 
> 
> C:\Documents and Settings\vince>cacls c:\windows\system32\dns\etc
> c:\windows\system32\dns\etc SOLAR\named:(OI)(CI)F
>                             NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
>                                                         READ_CONTROL
>                                                         SYNCHRONIZE
>                                                         FILE_GENERIC_READ
>                                                         FILE_GENERIC_WRITE
>                                                         FILE_READ_DATA
>                                                         FILE_WRITE_DATA
>                                                         FILE_APPEND_DATA
>                                                         FILE_READ_EA
>                                                         FILE_WRITE_EA
>                                                         FILE_READ_ATTRIBUTES
>                                                         FILE_WRITE_ATTRIBUTES
> 
>                             Everyone:(OI)(CI)F
>                             NT AUTHORITY\SYSTEM:(OI)(CI)(special access:)
>                                                         DELETE
>                                                         FILE_DELETE_CHILD
> 
> As for the pid-file, I have always had that option, even when I installed
> BIND back in 2004 on this system, and it never seemed to cause any
> problems.
> 
> Cheers,
> Vince
> 
>>> If I try to start the ISC BIND service manually, I get a pop-up
>>> window after 5-10 seconds with the text below, and the same two events
>>> appear in the event manager under System as Errors:
>>>
>>> Could not start ISC BIND service on Local Computer.
>>>
>>> Error 1053: The service did not respond to the start or control
>>> request in a timely fashion
>>>
>>> If I start named with the -g option in the Command Prompt, this is what happens:
>>>
>>> C:\Documents and Settings\vince>c:\windows\system32\dns\bin\named -g
>>> 27-Jun-2007 9:51:32.755 starting BIND 9.4.1 -g
>>> 27-Jun-2007 9:51:32.755 found 2 CPUs, using 2 worker threads
>>> 27-Jun-2007 9:51:32.770 loading configuration from 'C:\WINDOWS\system32\dns\etc\
>>> named.conf'
>>> 27-Jun-2007 9:51:32.770 listening on IPv4 interface TCP/IP Interface 1, 192.168.
>>> 0.120#53
>>> 27-Jun-2007 9:51:32.786 listening on IPv4 interface Loopback Interface 2, 127.0.
>>> 0.1#53
>>> 27-Jun-2007 9:51:32.786 listening on IPv4 interface TCP/IP Interface 3, 192.168.
>>> 106.1#53
>>> 27-Jun-2007 9:51:32.786 listening on IPv4 interface TCP/IP Interface 4, 192.168.
>>> 220.1#53
>>> 27-Jun-2007 9:51:32.801 listening on IPv4 interface TCP/IP Interface 5, 208.201.
>>> 244.225#53
>>> 27-Jun-2007 9:51:32.801 listening on IPv4 interface TCP/IP Interface 6, 192.168.
>>> 1.120#53
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 127.IN-ADDR.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 254.169.IN-ADDR.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 2.0.192.IN-ADDR.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
>>> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
>>> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: D.F.IP6.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 8.E.F.IP6.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: 9.E.F.IP6.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: A.E.F.IP6.ARPA
>>> 27-Jun-2007 9:51:32.817 automatic empty zone: B.E.F.IP6.ARPA
>>> 27-Jun-2007 9:51:32.833 command channel listening on 127.0.0.1#953
>>> 27-Jun-2007 9:51:32.833 ignoring config file logging statement due to -g option
>>> 27-Jun-2007 9:51:32.848 zone 0.0.127.in-addr.arpa/IN: loaded serial 20041019
>>> 27-Jun-2007 9:51:32.848 zone 0.168.192.in-addr.arpa/IN: loaded serial 2003101801
>>>
>>> 27-Jun-2007 9:51:32.848 zone 1.168.192.in-addr.arpa/IN: loaded serial 2004102701
>>>
>>> 27-Jun-2007 9:51:32.848 zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
>>> .0.0.0.0.0.IP6.INT/IN: loaded serial 20041019
>>> 27-Jun-2007 9:51:32.848 zone DNALOGIC.NET/IN: loaded serial 2003101805
>>> 27-Jun-2007 9:51:32.864 zone 0.168.192.in-addr.arpa/IN: sending notifies (serial
>>>  2003101801)
>>> 27-Jun-2007 9:51:32.864 running
>>> 27-Jun-2007 9:51:32.864 zone 1.168.192.in-addr.arpa/IN: sending notifies (serial
>>>  2004102701)
>>> 27-Jun-2007 9:51:32.864 zone DNALOGIC.NET/IN: sending notifies (serial 200310180
>>> 5)
>>> 27-Jun-2007 10:13:45.848 zone 1.168.192.in-addr.arpa/IN: refresh: could not set
>>> file modification time of 'slave/db.192.168.1': permission denied
>>>
>>> So it appears to run correctly from the command prompt.
>>>
>>> My named.conf consists of the following as I am using the standard
>>> named.conf format from my primary FreeBSD server and just modifying it
>>> for the Windows port.
>>>
>>> // $FreeBSD: src/etc/namedb/named.conf,v 1.20 2004/11/04 05:24:29 gshapiro Exp $
>>> //
>>> // Refer to the named.conf(5) and named(8) man pages, and the documentation
>>> // in /usr/share/doc/bind9 for more details.
>>> //
>>> // If you are going to set up an authoritative server, make sure you
>>> // understand the hairy details of how DNS works.  Even with
>>> // simple mistakes, you can break connectivity for affected parties,
>>> // or cause huge amounts of useless Internet traffic.
>>>
>>> options {
>>>        directory       "c:\windows\system32\dns\etc";
>>>        pid-file        "c:\windows\system32\dns\etc\named.pid";
>>>        dump-file       "c:\windows\system32\dns\etc\named_dump.db";
>>>        statistics-file "c:\windows\system32\dns\etc\named.stats";
>>>
>>> // If named is being used only as a local resolver, this is a safe default.
>>> // For named to be accessible to the network, comment this option, specify
>>> // the proper IP address, or delete this option.
>>> //      listen-on       { 127.0.0.1; };
>>>
>>> // If you have IPv6 enabled on this system, uncomment this option for
>>> // use as a local resolver.  To give access to the network, specify
>>> // an IPv6 address, or the keyword "any".
>>> //      listen-on-v6    { ::1; };
>>>
>>> // In addition to the "forwarders" clause, you can force your name
>>> // server to never initiate queries of its own, but always ask its
>>> // forwarders only, by enabling the following line:
>>> //
>>> //      forward only;
>>>
>>> // If you've got a DNS server around at your upstream provider, enter
>>> // its IP address here, and enable the line below.  This will make you
>>> // benefit from its cache, thus reduce overall DNS traffic in the Internet.
>>> /*
>>>        forwarders {
>>>                127.0.0.1;
>>>        };
>>> */
>>>        forwarders {
>>>                208.201.224.11;
>>>                208.204.224.33;
>>>        };
>>>        /*
>>>         * If there is a firewall between you and nameservers you want
>>>         * to talk to, you might need to uncomment the query-source
>>>         * directive below.  Previous versions of BIND always asked
>>>         * questions using port 53, but BIND versions 8 and later
>>>         * use a pseudo-random unprivileged UDP port by default.
>>>         */
>>>        // query-source address * port 53;
>>> };
>>>
>>> // If you enable a local name server, don't forget to enter 127.0.0.1
>>> // first in your /etc/resolv.conf so this server will be queried.
>>> // Also, make sure to enable it in /etc/rc.conf.
>>>
>>> zone "." {
>>>        type hint;
>>>        file "named.root";
>>> };
>>> /*
>>> zone "0.0.127.IN-ADDR.ARPA" {
>>>        type master;
>>>        file "master/localhost.rev";
>>> };
>>>
>>> // RFC 3152
>>> zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"
>>> {
>>>        type master;
>>>        file "master/localhost-v6.rev";
>>> };
>>>
>>> // RFC 1886 -- deprecated
>>> zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
>>>        type master;
>>>        file "master/localhost-v6.rev";
>>> };
>>> */
>>> // NB: Do not use the IP addresses below, they are faked, and only
>>> // serve demonstration/documentation purposes!
>>> //
>>> // Example slave zone config entries.  It can be convenient to become
>>> // a slave at least for the zone your own domain is in.  Ask
>>> // your network administrator for the IP address of the responsible
>>> // primary.
>>> //
>>> // Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
>>> // (This is named after the first bytes of the IP address, in reverse
>>> // order, with ".IN-ADDR.ARPA" appended.)
>>> //
>>> // Before starting to set up a primary zone, make sure you fully
>>> // understand how DNS and BIND works.  There are sometimes
>>> // non-obvious pitfalls.  Setting up a slave zone is simpler.
>>> //
>>> // NB: Don't blindly enable the examples below. :-)  Use actual names
>>> // and addresses instead.
>>>
>>> /*
>>> zone "example.com" {
>>>        type slave;
>>>        file "slave/example.com";
>>>        masters {
>>>                192.168.1.1;
>>>        };
>>> };
>>>
>>> // An example dynamic zone
>>> key "exampleorgkey" {
>>>        algorithm hmac-md5;
>>>        secret "sf87HJqjkqh8ac87a02lla==";
>>> };
>>>
>>> zone "example.org" {
>>>        type master;
>>>        allow-update {
>>>                key "exampleorgkey";
>>>        };
>>>        file "dynamic/example.org";
>>> };
>>>
>>> zone "0.168.192.in-addr.arpa" {
>>>        type slave;
>>>        file "slave/0.168.192.in-addr.arpa";
>>>        masters {
>>>                192.168.1.1;
>>>        };
>>> };
>>> */
>>>
>>> zone "0.0.127.in-addr.arpa" {
>>>        type master;
>>>        file "master/db.127.0.0";
>>> };
>>>
>>> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
>>>        type master;
>>>        file "master/db.127.0.0-v6";
>>> };
>>>
>>> zone "0.168.192.in-addr.arpa" {
>>>        type slave;
>>>        file "slave/db.192.168.0";
>>>        masters {
>>>                208.201.244.224;
>>>        };
>>> };
>>>
>>> zone "1.168.192.in-addr.arpa" {
>>>        type slave;
>>>        file "slave/db.192.168.1";
>>>        masters {
>>>                208.201.244.224;
>>>        };
>>> };
>>>
>>> zone "DNALOGIC.NET" {
>>>        type slave;
>>>        file "slave/db.DNALOGIC.NET";
>>>        masters {
>>>                208.201.244.224;
>>>        };
>>> };
>>>
>>> /*
>>> zone "ULTIMATESOUND.NET" {
>>>        type slave;
>>>        file "slave/db.ULTIMATESOUND.NET";
>>>        masters {
>>>                66.193.144.6;
>>>        };
>>> };
>>> */
>>>
>>> /*
>>> zone "NOLS.COM" {
>>>        type slave;
>>>        file "slave/db.NOLS.COM";
>>>        masters {
>>>                208.179.75.219;
>>>        };
>>> };
>>> */
>>>
>>> Does anyone know how I can find out what is causing ISC BIND service
>>> not to start when it worked correctly in the past?  I have uninstalled
>>> and reinstalled 9.4.1 and the results are the same.  I don't have
>>> another machine to test as this is a home network.
>>>
>>> Thank you for any help in advance!
>>>
>>> Cheers,
>>> Vince

-- 

Vinny Abello
Network Engineer
vinny at tellurian.com
(973)940-6100
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

"Courage is resistance to fear, mastery of fear - not absence of fear" -- Mark Twain
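The checks raised in the thread (an ImagePath carrying -f or -g, which account the service runs as, the named account's ACEs on the BIND directories and the slave zone directory, and a stale pid file) gathered into one diagnostic script. This is an added example, not code from the thread or from ISC; it assumes the C:\WINDOWS\system32\dns layout, the service name "named" and the SOLAR\named account shown in the cacls output above, and the etc\slave directory implied by the named.conf "directory" and "file" settings.

```powershell
# Added diagnostic script (not from the thread). Assumed values, taken from
# the thread's cacls output and named.conf; adjust them for your host.
$ServiceName = 'named'
$Account     = 'SOLAR\named'
$Root        = 'C:\WINDOWS\system32\dns'

# 1. How the Service Control Manager launches named.exe. -f and -g keep named
#    in the foreground, so it never reports "running" to the SCM and the SCM
#    gives up after its 30000 ms timeout with error 1053.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$image  = (Get-ItemProperty -Path $svcKey).ImagePath
Write-Host "ImagePath : $image"
if ($image -match '(^|\s)-(f|g)(\s|$)') {
    Write-Warning 'ImagePath contains -f or -g; remove them for service use.'
}

# 2. Which account the service runs as. In the thread it starts as Local
#    System but fails as the named user, which points at file permissions
#    rather than at named.conf itself.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
Write-Host "Runs as   : $($svc.StartName)"

# 3. ACEs granted to the named account on what named must read (named.conf)
#    and write (slave zone files, pid file). The -g run in the thread failed
#    with "permission denied" when touching slave/db.192.168.1, so the slave
#    directory is checked explicitly.
$paths = @($Root, "$Root\bin", "$Root\etc", "$Root\etc\named.conf",
           "$Root\etc\slave")
foreach ($p in $paths) {
    if (-not (Test-Path $p)) { Write-Warning "missing: $p"; continue }
    $aces = (Get-Acl -Path $p).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account }
    if (-not $aces) { Write-Warning "no ACE for $Account on $p"; continue }
    foreach ($a in $aces) {
        Write-Host ("{0,-45} {1,-5} {2}" -f $p, $a.AccessControlType,
                    $a.FileSystemRights)
    }
}

# 4. A pid file left behind by an earlier run can block the next start.
#    Danny's suggestion in the thread is "pid-file none;", which removes the
#    file from the picture entirely.
$pidFile = "$Root\etc\named.pid"
if (Test-Path $pidFile) { Write-Warning "stale pid file present: $pidFile" }
```

Run it from an elevated prompt as the administrator account; a Deny entry or a missing Write/Modify right on etc\slave in the output is the first thing to fix before reaching for Filemon.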