<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">This really sounds like the zone file is *in* the container itself, and that the container is restarting. </div><div class="gmail_default" style="font-family:verdana,sans-serif">You said that this is running under LXC -- is this actually a Docker container? How are you starting the container? </div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">W</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 7, 2017 at 11:35 AM, Raul Dias <span dir="ltr">&lt;<a href="mailto:raul@dias.com.br" target="_blank">raul@dias.com.br</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p><font size="+1"><tt>I know.</tt></font></p>
<p><font size="+1"><tt>So far, the only files changed are the ones I
changed myself, like bind config files and vimrc.</tt></font></p>
<p><font size="+1"><tt>No hidden toolkit found either.</tt></font></p>
<p><font size="+1"><tt>I still think that it is easier to be a
misconfiguration done by myself.</tt></font></p>
<p><font size="+1"><tt>Still looking for better indications that
this could be the case.</tt></font><br>
</p><div><div class="h5">
<br>
<div class="m_-8204832513296923634moz-cite-prefix">On 07/02/2017 12:42, Alberto Colosi
wrote:<br>
</div>
<blockquote type="cite">
<div id="m_-8204832513296923634divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<p>IP ports not being open does not mean it is not hacked.</p>
<p>A vulnerability can be used to make a change or gain access.</p>
<p><br>
</p>
<p>Try to change and audit file access and permissions. Firewall
log analysis can give a plus to find a solution (check all IP
traffic out from TCP/UDP 53).</p>
<p><br>
</p>
<p>If you have RNDC, change the key or disable it.</p>
<p><br>
</p>
<p><br>
</p>
<br>
<div style="color:rgb(0,0,0)">
<hr style="display:inline-block;width:98%">
<div id="m_-8204832513296923634divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" color="#000000" face="Calibri, sans-serif"><b>From:</b>
Raul Dias <a class="m_-8204832513296923634moz-txt-link-rfc2396E" href="mailto:raul@dias.com.br" target="_blank">&lt;raul@dias.com.br&gt;</a><br>
<b>Sent:</b> Tuesday, February 7, 2017 3:34 PM<br>
<b>To:</b> Alberto Colosi; <a class="m_-8204832513296923634moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<b>Subject:</b> Re: bind 9 goes rogue and revert zone
information</font>
<div> </div>
</div>
<div>
<p dir="ltr">Sorry, <br>
Static files. <br>
It is the master server. <br>
No dynamic updates. <br>
Host under lxc with only bind ports open. </p>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, Feb 7, 2017, 12:27 Alberto Colosi
&lt;<a href="mailto:alcol@hotmail.com" target="_blank">alcol@hotmail.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr" class="m_-8204832513296923634gmail_msg">
<div id="m_-8204832513296923634m_-6378113803947496027divtagdefaultwrapper" dir="ltr" class="m_-8204832513296923634gmail_msg" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif">
<p class="m_-8204832513296923634gmail_msg">Hi, the named structure is unclear:
whether it is a slave or a master, whether dynamic updates are
enabled, and whether the Unix box has been hacked.
<br class="m_-8204832513296923634gmail_msg">
</p>
<p class="m_-8204832513296923634gmail_msg">Lastly, are the zones static
files on the fs?<br class="m_-8204832513296923634gmail_msg">
</p>
<br class="m_-8204832513296923634gmail_msg">
<br class="m_-8204832513296923634gmail_msg">
<div class="m_-8204832513296923634gmail_msg" style="color:rgb(0,0,0)">
<div class="m_-8204832513296923634gmail_msg">
<hr class="m_-8204832513296923634gmail_msg" style="display:inline-block;width:98%">
<div id="m_-8204832513296923634m_-6378113803947496027x_divRplyFwdMsg" dir="ltr" class="m_-8204832513296923634gmail_msg"><font class="m_-8204832513296923634gmail_msg" style="font-size:11pt" color="#000000" face="Calibri, sans-serif"><b class="m_-8204832513296923634gmail_msg">From:</b> bind-users
&lt;<a href="mailto:bind-users-bounces@lists.isc.org" class="m_-8204832513296923634gmail_msg" target="_blank">bind-users-bounces@lists.isc.<wbr>org</a>&gt;
on behalf of Raul Dias &lt;<a class="m_-8204832513296923634moz-txt-link-abbreviated" href="mailto:raul@dias.com.br" target="_blank">raul@dias.com.br</a>&gt;<br class="m_-8204832513296923634gmail_msg">
<b class="m_-8204832513296923634gmail_msg">Sent:</b> Tuesday,
February 7, 2017 3:03 PM<br class="m_-8204832513296923634gmail_msg">
<b class="m_-8204832513296923634gmail_msg">To:</b> <a class="m_-8204832513296923634moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br class="m_-8204832513296923634gmail_msg">
<b class="m_-8204832513296923634gmail_msg">Subject:</b> bind 9
goes rogue and revert zone information</font>
<div class="m_-8204832513296923634gmail_msg"> </div>
</div>
</div>
<font class="m_-8204832513296923634gmail_msg" size="2"><span class="m_-8204832513296923634gmail_msg" style="font-size:10pt">
</span></font></div>
</div>
</div>
<div dir="ltr" class="m_-8204832513296923634gmail_msg">
<div id="m_-8204832513296923634m_-6378113803947496027divtagdefaultwrapper" dir="ltr" class="m_-8204832513296923634gmail_msg" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif">
<div class="m_-8204832513296923634gmail_msg" style="color:rgb(0,0,0)"><font class="m_-8204832513296923634gmail_msg" size="2"><span class="m_-8204832513296923634gmail_msg" style="font-size:10pt">
<div class="m_-8204832513296923634m_-6378113803947496027PlainText m_-8204832513296923634gmail_msg">Hello,<br class="m_-8204832513296923634gmail_msg">
<br class="m_-8204832513296923634gmail_msg">
I have a very strange behavior that I am
failing to understand.<br class="m_-8204832513296923634gmail_msg">
<br class="m_-8204832513296923634gmail_msg">
2 to 5 times a week, a named server reverts
back to a previous version of <br class="m_-8204832513296923634gmail_msg">
a master zone.<br class="m_-8204832513296923634gmail_msg">
This happens during the night, usually
around 20h EST.<br class="m_-8204832513296923634gmail_msg">
<br class="m_-8204832513296923634gmail_msg">
This zone has a serial of 3017020401 (yes, I
typoed the 3 somewhere in the <br class="m_-8204832513296923634gmail_msg">
past).<br class="m_-8204832513296923634gmail_msg">
When it reverts its zone information, it
goes back to 3016060101.<br class="m_-8204832513296923634gmail_msg">
<br class="m_-8204832513296923634gmail_msg">
I have updated, restarted the host, cleaned
all cache and journal files, <br class="m_-8204832513296923634gmail_msg">
grepped all files in the host for 3016060101
(just shows up in the logs).<br class="m_-8204832513296923634gmail_msg">
<br class="m_-8204832513296923634gmail_msg">
So, I have no clue why, or how it is
happening. Where does it get the <br class="m_-8204832513296923634gmail_msg">
old information?<br class="m_-8204832513296923634gmail_msg">
<br class="m_-8204832513296923634gmail_msg">
I thought first about the serial, but it
would have happened in the past <br class="m_-8204832513296923634gmail_msg">
too, right? As it should be a 32-bit
unsigned integer, it shouldn't be a <br class="m_-8204832513296923634gmail_msg">
problem, IMHO.<br class="m_-8204832513296923634gmail_msg">
<br class="m_-8204832513296923634gmail_msg">
Yet, when "dig domain -t SOA @server", it is
there again.<br class="m_-8204832513296923634gmail_msg">
<br class="m_-8204832513296923634gmail_msg">
The host is a Debian Jessie and bind is
9.9.5, 1:9.9.5.dfsg-9+deb8u8 <br class="m_-8204832513296923634gmail_msg">
more specifically.<br class="m_-8204832513296923634gmail_msg">
<br class="m_-8204832513296923634gmail_msg">
<br class="m_-8204832513296923634gmail_msg">
Thanks for any direction.<br class="m_-8204832513296923634gmail_msg">
-rsd<br class="m_-8204832513296923634gmail_msg">
</div>
</span></font></div>
</div>
</div>
<div dir="ltr" class="m_-8204832513296923634gmail_msg">
<div id="m_-8204832513296923634m_-6378113803947496027divtagdefaultwrapper" dir="ltr" class="m_-8204832513296923634gmail_msg" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif">
<div class="m_-8204832513296923634gmail_msg" style="color:rgb(0,0,0)"><font class="m_-8204832513296923634gmail_msg" size="2"><span class="m_-8204832513296923634gmail_msg" style="font-size:10pt">
<div class="m_-8204832513296923634m_-6378113803947496027PlainText m_-8204832513296923634gmail_msg">______________________________<wbr>_________________<br class="m_-8204832513296923634gmail_msg">
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" id="m_-8204832513296923634m_-6378113803947496027LPlnk466544" class="m_-8204832513296923634gmail_msg" target="_blank">
https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a> to unsubscribe
from this list
<br class="m_-8204832513296923634gmail_msg">
<br class="m_-8204832513296923634gmail_msg">
bind-users mailing list<br class="m_-8204832513296923634gmail_msg">
<a href="mailto:bind-users@lists.isc.org" class="m_-8204832513296923634gmail_msg" target="_blank">bind-users@lists.isc.org</a><br class="m_-8204832513296923634gmail_msg">
<a href="https://lists.isc.org/mailman/listinfo/bind-users" id="m_-8204832513296923634m_-6378113803947496027LPlnk936340" class="m_-8204832513296923634gmail_msg" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a>
<br class="m_-8204832513296923634gmail_msg">
</div>
</span></font></div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div></div><span class="HOEnZb"><font color="#888888"><pre class="m_-8204832513296923634moz-signature" cols="72">--
Att. Raul Dias</pre>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">I don't think the execution is relevant when it was obviously a bad idea in the first place.<br>This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.<br>   ---maf</div>
</div></div>