both recursive-only BIND9 went deaf until rebooted

Jeremy C. Reed jreed at isc.org
Wed Aug 13 20:49:52 UTC 2014


On Wed, 13 Aug 2014, lconrad at go2france.com wrote:

> fbsd 8.2 VM with BIND 9.9.5
> 
> fbsd 10.0-RELEASE VM with BIND 9.10.0-P2
> 
> the older machine had uptime of 400+ days, the new machine only a couple weeks
> 
> 24 hour query logging shows several million queries/day
> 
> At about the same time last night, both stopped answering queries until
> rebooted.
> 
> before reboot,
> 
> load of about 1 (we see elevated load alerts with ssh brute force attacks)
> 
> memory not swapping, plenty of free MBs.
> 
> nothing in syslog,
> 
> no sign of ssh brute force, ssh worked
> 
> rndc status showed ok
> 
> sockstat -4 showed  bind listening on :53

This part doesn't sound right.  sockstat should show the local IP (or 
host) and the :53 port for the local bound end of the socket for all 
the interfaces as allowed by listen-on. The sockstat output shouldn't be 
just :53 nor *:53 for example.

So maybe it wasn't listening to the interfaces that you expected since 
below you suggest that the loopback one did work.

Maybe something temporarily happened during the interface-interval scan 
and it detected that some interface went away? Do your logs have 
anything like "no longer listening on 192.168.99.99#53"? I wonder if 
"rndc scan" would have helped in that case to re-detect it before next 
interface-interval.

> all DNS queries from outside the machines timed out
> 
> ssh shell command:
> 
> "dig @127.0.0.1 domain.tld any"  answered normally
> 
> What other forensics could have been checked?
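A small diagnostic for the two checks Jeremy raises, added here as an example rather than anything from the thread or from BIND itself: it parses `sockstat -4` output against the addresses you expect from `listen-on`, reporting any address/protocol pair that has no socket, and scans named's log for the "no longer listening on" message that an interface-interval rescan would leave. The sockstat rows and log lines below are constructed samples; 192.168.99.99 is the placeholder address used in the reply above.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `sockstat -4` output (not captured from the poster's hosts):
# named is bound only on loopback, which matches "dig @127.0.0.1 works, outside times out".
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      1234  20 udp4   127.0.0.1:53          *:*
bind     named      1234  21 tcp4   127.0.0.1:53          *:*
root     sshd       900   4  tcp4   *:22                  *:*
"""

# Constructed sample of named's syslog output showing an interface being dropped.
SAMPLE_NAMED_LOG = """\
Aug 13 02:11:07 ns1 named[1234]: no longer listening on 192.168.99.99#53
Aug 13 02:11:07 ns1 named[1234]: listening on IPv4 interface lo0, 127.0.0.1#53
"""


def parse_sockstat(text: str, command: str = "named", port: int = 53) -> Dict[str, Set[str]]:
    """Map each local address `command` has bound on `port` to the protocols bound there."""
    bound: Dict[str, Set[str]] = {}
    for line in text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 6 or fields[1] != command:
            continue
        proto, local = fields[4], fields[5]
        addr, _, lport = local.rpartition(":")  # "192.168.99.99:53" -> ("192.168.99.99", "53")
        if lport == str(port):
            bound.setdefault(addr, set()).add(proto)
    return bound


def missing_listeners(bound: Dict[str, Set[str]], expected_addrs: List[str],
                      protos: Tuple[str, ...] = ("udp4", "tcp4")) -> List[Tuple[str, str]]:
    """(address, proto) pairs from listen-on with no socket; a '*' wildcard bind covers all."""
    wildcard = bound.get("*", set())
    return [(a, p) for a in expected_addrs for p in protos
            if p not in bound.get(a, set()) and p not in wildcard]


LOST_IFACE = re.compile(r"no longer listening on (\S+)#(\d+)")


def lost_interfaces(log_text: str) -> List[str]:
    """Addresses named reported dropping, e.g. after an interface-interval rescan."""
    return [m.group(1) for m in (LOST_IFACE.search(l) for l in log_text.splitlines()) if m]
```

Run `missing_listeners(parse_sockstat(open(...).read()), ["192.168.99.99", "127.0.0.1"])` against real output; a non-empty result is the condition the reply describes, and `rndc scan` is the suggested way to have named re-detect the interface.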