both recursive-only BIND9 went deaf until rebooted
Jeremy C. Reed
jreed at isc.org
Wed Aug 13 20:49:52 UTC 2014
On Wed, 13 Aug 2014, lconrad at go2france.com wrote:
> fbsd 8.2 VM with BIND 9.9.5
> fbsd 10.0-RELEASE VM with BIND 9.10.0-P2
> the older machine had uptime of 400+ days, the new machine only a couple weeks
> 24 hour query logging shows several million queries/day
> At about the same time last night, both stopped answering queries until
> before reboot,
> load of about 1 (we see elevated load alerts with ssh brute force attacks)
> memory not swapping, plenty of free MBs.
> nothing in syslog,
> no sign of ssh brute force, ssh worked
> rndc status showed ok
> sockstat -4 showed bind listening on :53
This part doesn't sound right. sockstat should show the local IP (or
host) and the :53 port for the local bound end of the socket for all
the interfaces as allowed by listen-on. The sockstat output shouldn't be
just :53 nor *:53 for example.
So maybe it wasn't listening to the interfaces that you expected since
below you suggest that the loopback one did work.
Maybe something temporarily happened during the interface-interval scan
and it detected that some interface went away? Do your logs have
anything like "no longer listening on 192.168.99.99#53"? I wonder if
"rndc scan" would have helped in that case to re-detect it before next
> all DNS queries from outside the machines timed out
> ssh shell command:
> "dig @127.0.0.1 domain.tld any" answered normally
> What other forensics could have been checked?
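A small check script, added here as an example and not part of the thread, that applies the two suggestions above: it compares sockstat -4 -l style output against the addresses named is expected to be bound on, and counts the interface-scan messages ("no longer listening on" / "listening on IPv4 interface") in the named log. The listener addresses, the interface name and both sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Addresses below are
# constructed placeholders; replace with the listen-on addresses in named.conf.
EXPECTED_LISTENERS="192.0.2.10:53 127.0.0.1:53"

# Read `sockstat -4 -l` output on stdin and print every expected UDP/53
# listener that named is NOT bound on. Columns are:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
missing_listeners() {
    bound=$(awk '$2 == "named" && $5 ~ /^udp/ { print $6 }' | tr '\n' ' ')
    for want in $EXPECTED_LISTENERS; do
        case " $bound" in
            *" $want "*) ;;          # bound as expected
            *) echo "$want" ;;       # missing: named is not listening here
        esac
    done
}

# Read a named log on stdin and count interface-interval scan events, i.e.
# named noticing an address disappear or reappear.
interface_changes() {
    grep -cE 'no longer listening on|listening on IPv[46] interface' || true
}

# Constructed sample sockstat output: named listens only on loopback.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      1234  20 udp4   127.0.0.1:53          *:*
bind     named      1234  21 tcp4   127.0.0.1:53          *:*
bind     named      1234  22 tcp4   127.0.0.1:953         *:*'

# Constructed sample log lines in the format named uses for interface scans.
SAMPLE_LOG='13-Aug-2014 03:12:01.114 general: info: no longer listening on 192.0.2.10#53
13-Aug-2014 03:13:01.115 general: info: listening on IPv4 interface em0, 192.0.2.10#53'

printf '%s\n' "$SAMPLE_SOCKSTAT" | missing_listeners | sed 's/^/missing listener: /'
printf 'interface scan events: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | interface_changes)"
```

On a live box, pipe `sockstat -4 -l` into missing_listeners and the named log into interface_changes instead of the constructed samples.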