both recursive-only BIND9 went deaf until rebooted

Jeremy C. Reed jreed at
Wed Aug 13 20:49:52 UTC 2014

On Wed, 13 Aug 2014, lconrad at wrote:

> fbsd 8.2 VM with BIND 9.9.5
> fbsd 10.0-RELEASE VM with BIND 9.10.0-P2
> the older machine had uptime of 400+ days, the new machine only a couple weeks
> 24 hour query logging shows several million queries/day
> At about the same time last night, both stopped answering queries until
> rebooted.
> before reboot,
> load of about 1 (we see elevated load alerts with ssh brute force attacks)
> memory not swapping, plenty of free MBs.
> nothing in syslog,
> no sign of ssh brute force, ssh worked
> rndc status showed ok
> sockstat -4 showed  bind listening on :53

This part doesn't sound right.  sockstat should show the local IP (or 
host) and the :53 port for the local bound end of the socket for all 
the interfaces as allowed by listen-on. The sockstat output shouldn't be 
just :53 nor *:53 for example.

So maybe it wasn't listening to the interfaces that you expected since 
below you suggest that the loopback one did work.

Maybe something temporarily happened during the interface-interval scan 
and it detected that some interface went away? Do your logs have 
anything like "no longer listening on"? I wonder if 
"rndc scan" would have helped in that case to re-detect it before next 

> all DNS queries from outside the machines timed out
> ssh shell command:
> "dig @ domain.tld any"  answered normally
> What other forensics could have been checked?
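
A defender-side check along the lines Jeremy describes, added here as an example that is not part of the thread or of BIND's own tooling: it parses sockstat-style output to list which local addresses named has bound on port 53, reports any expected listen-on address that is not bound, and counts interface-scan messages ("listening on" / "no longer listening on") in a named log. The sockstat lines, IP addresses and log lines below are constructed samples; on a real host you would pipe `sockstat -4l` and the actual named log in instead.

```shell
#!/bin/sh
# Constructed sockstat -4l style sample (FreeBSD column layout:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS). Addresses are placeholders.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      1234  20 udp4   127.0.0.1:53          *:*
bind     named      1234  21 tcp4   127.0.0.1:53          *:*
bind     named      1234  22 udp4   203.0.113.10:53       *:*
bind     named      1234  23 tcp4   203.0.113.10:53       *:*
bind     named      1234  24 tcp4   127.0.0.1:953         *:*
root     sshd       555   4  tcp4   *:22                  *:*'

# Constructed named log excerpt showing an interface-scan event; timestamps are placeholders.
SAMPLE_LOG='13-Aug-2014 02:10:01.123 general: info: no longer listening on 203.0.113.10#53
13-Aug-2014 02:10:01.124 general: info: listening on IPv4 interface em0, 203.0.113.10#53
13-Aug-2014 02:11:00.000 general: info: client 198.51.100.7#5353: query: example.com IN A'

# Read sockstat output on stdin; print each distinct local address that the
# named process has bound on port 53 (one per line, sorted).
named_listeners() {
    awk '$2 == "named" && $6 ~ /:53$/ { sub(/:53$/, "", $6); print $6 }' | sort -u
}

# Read sockstat output on stdin; for each expected listen-on address given as an
# argument, print it if named has NOT bound :53 on it. Prints nothing when all are bound.
missing_listeners() {
    bound=$(named_listeners)
    for addr in "$@"; do
        printf '%s\n' "$bound" | grep -qx "$addr" || echo "$addr"
    done
}

# Read a named log on stdin; print the number of interface-scan lines, i.e. lines
# where named started or stopped listening on an interface.
interface_events() {
    grep -cE '(no longer listening on|listening on IPv[46] interface)'
}

# Stand-alone demonstration on the constructed samples.
echo "named :53 listeners:"
printf '%s\n' "$SAMPLE_SOCKSTAT" | named_listeners
echo "expected listeners not bound:"
printf '%s\n' "$SAMPLE_SOCKSTAT" | missing_listeners 127.0.0.1 203.0.113.10 198.51.100.1
echo "interface-scan events in log:"
printf '%s\n' "$SAMPLE_LOG" | interface_events
# Real use (FreeBSD), with your own listen-on addresses and log path:
#   sockstat -4l | missing_listeners 127.0.0.1 203.0.113.10
#   interface_events < /var/log/named.log
```

The point of the missing-listeners check is the one Jeremy makes: a bare `:53` in sockstat tells you nothing, so compare the bound addresses against what `listen-on` should have produced. A non-zero count from `interface_events` around the outage window is the log evidence that an interface-interval scan dropped a listener.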

