both recursive-only BIND9 went deaf until rebooted
Jeremy C. Reed
jreed at isc.org
Wed Aug 13 20:49:52 UTC 2014
On Wed, 13 Aug 2014, lconrad at go2france.com wrote:
> fbsd 8.2 VM with BIND 9.9.5
>
> fbsd 10.0-RELEASE VM with BIND 9.10.0-P2
>
> the older machine had uptime of 400+ days, the new machine only a couple weeks
>
> 24 hour query logging shows several million queries/day
>
> At about the same time last night, both stopped answering queries until
> rebooted.
>
> before reboot,
>
> load of about 1 (we see elevated load alerts with ssh brute force attacks)
>
> memory not swapping, plenty of free MBs.
>
> nothing in syslog,
>
> no sign of ssh brute force, ssh worked
>
> rndc status showed ok
>
> sockstat -4 showed bind listening on :53
This part doesn't sound right. sockstat should show the local IP (or
host) and the :53 port for the local bound end of the socket for all
the interfaces as allowed by listen-on. The sockstat output shouldn't be
just :53 nor *:53 for example.
So maybe it wasn't listening to the interfaces that you expected since
below you suggest that the loopback one did work.
Maybe something temporarily happened during the interface-interval scan
and it detected that some interface went away? Do your logs have
anything like "no longer listening on 192.168.99.99#53"? I wonder if
"rndc scan" would have helped in that case to re-detect it before next
interface-interval.
> all DNS queries from outside the machines timed out
>
> ssh shell command:
>
> "dig @127.0.0.1 domain.tld any" answered normally
>
> What other forensics could have been checked?
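As an added illustration of the checks suggested in the reply above (not code from the original thread or from ISC): a small POSIX shell script that compares the addresses named is actually bound to on :53, as reported by `sockstat -4 -l`, against the addresses you expect from listen-on, and pulls any "no longer listening on X#53" lines out of the named log. The sockstat output and log lines embedded below are constructed samples with hypothetical addresses; on a live FreeBSD host you would pass "$(sockstat -4 -l)" and the real log file contents instead.

```shell
#!/bin/sh
# Added example: verify that named still has a UDP :53 socket on every
# expected address, and list interfaces named reported dropping.
# All sample data below is constructed for the example.

# Constructed sample of `sockstat -4 -l` output (hypothetical addresses).
# Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      1234  20 udp4   127.0.0.1:53          *:*
bind     named      1234  21 tcp4   127.0.0.1:53          *:*
bind     named      1234  22 tcp4   127.0.0.1:953         *:*
root     sshd       800   3  tcp4   *:22                  *:*'

# Constructed sample of named log lines (hypothetical host and addresses).
SAMPLE_LOG='Aug 13 02:10:01 ns1 named[1234]: no longer listening on 192.0.2.10#53
Aug 13 02:10:01 ns1 named[1234]: listening on IPv4 interface lo0, 127.0.0.1#53'

# listening_addrs SOCKSTAT_OUTPUT
# Print the local addresses on which named holds a udp4 :53 socket.
listening_addrs() {
    printf '%s\n' "$1" | awk '
        $2 == "named" && $5 == "udp4" && $6 ~ /:53$/ {
            sub(/:53$/, "", $6); print $6
        }'
}

# missing_listeners "ADDR ADDR ..." SOCKSTAT_OUTPUT
# Print each expected address that has no udp4 :53 socket. A wildcard
# bind (*:53) is treated as covering every address.
missing_listeners() {
    expected=$1
    have=$(listening_addrs "$2")
    for a in $expected; do
        found=0
        for h in $have; do
            if [ "$h" = "$a" ] || [ "$h" = "*" ]; then
                found=1
            fi
        done
        [ "$found" -eq 1 ] || echo "$a"
    done
}

# dropped_interfaces LOG_TEXT
# Print the addresses from any "no longer listening on ADDR#53" lines,
# i.e. interfaces named dropped during an interface-interval scan.
dropped_interfaces() {
    printf '%s\n' "$1" | sed -n 's/.*no longer listening on \([^ ]*\)#53.*/\1/p'
}

# Stand-alone demonstration on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    echo "Expected 127.0.0.1 and 192.0.2.10; missing :53 listeners:"
    missing_listeners '127.0.0.1 192.0.2.10' "$SAMPLE_SOCKSTAT"
    echo "Interfaces named reported dropping:"
    dropped_interfaces "$SAMPLE_LOG"
fi
```

Run it with `--demo` to see it flag 192.0.2.10 as both unbound in sockstat and dropped in the log, which is the pattern the reply describes: loopback still answers, the public interface does not. If a live host shows the same pattern, `rndc scan` asks named to re-scan interfaces immediately instead of waiting for the next interface-interval.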