
22nd December 2008, 15:31 | Junior Member | Join Date: Dec 2008 | Posts: 8
As I indicated in the previous post, /etc/bind is symlinked to /var/lib/named/bind/, so...
Code:
root@wonder:/var/lib/named/etc/bind# ls -la
total 56
drwxr-sr-x 2 root root 4096 2008-12-21 13:51 .
drwx------ 3 root root 4096 2008-12-20 16:23 ..
-rw-r--r-- 1 bind bind 237 2008-04-09 15:44 db.0
-rw-r--r-- 1 bind bind 271 2008-04-09 15:44 db.127
-rw-r--r-- 1 bind bind 237 2008-04-09 15:44 db.255
-rw-r--r-- 1 bind bind 353 2008-04-09 15:44 db.empty
-rw-r--r-- 1 bind bind 270 2008-04-09 15:44 db.local
-rw-r--r-- 1 bind bind 2878 2008-04-09 15:44 db.root
-rw-r--r-- 1 bind bind 907 2008-04-09 15:44 named.conf
-rw-r--r-- 1 bind bind 165 2008-04-09 15:44 named.conf.local
-rw-r--r-- 1 bind bind 3041 2008-12-21 13:51 named.conf.options
-rw------- 1 root root 695 2008-12-21 13:51 named.conf.options~
-rw-r----- 1 bind bind 77 2008-05-26 17:26 rndc.key
-rw-r--r-- 1 bind bind 1317 2008-04-09 15:44 zones.rfc1918
named.conf is virgin:
Code:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";
I have not yet modified named.conf.local, but I have made mods to named.conf.options (using the bind ACLs/options from the current RH webserver, which will be retired when I get this box up). However, bind9 was failing on this chrooted setup before I did anything to the options; nevertheless:
Code:
// acls added TB 12.21.2008
acl "xfer" {
127.0.0.1; //localhost
localhost;
192.168.5.11; //temp new wonder IP
69.54.194.91; //wonder.what-if.com
69.54.194.92; //imagine.what-if.com
};
acl "trusted" {
127.0.0.1; //localhost
localhost;
192.168.5.11; //temp new wonder IP
66.255.223.103; //local IFI netw
69.54.194.91; //wonder.what-if.com
69.54.194.92; //imagine.what-if.com
};
acl "bogon" {
// Filter out the bogon networks. These are networks
// listed by IANA as test, RFC1918, Multicast, experi-
// mental, etc. If you see DNS queries or updates with
// a source address within these networks, this is likely
// of malicious origin. CAUTION: If you are using RFC1918
// netblocks on your network, remove those netblocks from
// this list of blackhole ACLs!
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
...
197.0.0.0/8;
223.0.0.0/8;
224.0.0.0/3;
};
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// query-source address * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
// additional options TB 12.21.2008
check-names master ignore;
check-names response ignore;
check-names slave warn;
version "<Phhhhhbbt!>";
notify yes;
allow-recursion {
trusted;
};
allow-transfer {
xfer;
};
allow-query {
trusted;
};
blackhole {
bogon;
};
};

23rd December 2008, 14:45 | Super Moderator | Join Date: Apr 2005 | Location: Lüneburg, Germany | Posts: 41,665
Try this:
Code:
chmod 755 /var/lib/named/etc

23rd December 2008, 15:09 | Junior Member | Join Date: Dec 2008 | Posts: 8
still no go
Thanks, but no difference... bind still fails.
Code:
root@wonder:/var/lib/named# ls -la
total 20
drwx------ 5 root root 4096 2008-12-20 16:23 .
drwxr-xr-x 33 root root 4096 2008-12-21 12:50 ..
drwx------ 2 root root 4096 2008-12-21 13:05 dev
drwxr-xr-x 3 root root 4096 2008-12-20 16:23 etc
drwx------ 4 root root 4096 2008-12-20 16:23 var
syslog:
Code:
Dec 23 09:04:27 wonder named[10310]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 09:04:27 wonder named[10310]: found 1 CPU, using 1 worker thread
Dec 23 09:04:27 wonder named[10310]: loading configuration from '/etc/bind/named.conf'
Dec 23 09:04:27 wonder named[10310]: none:0: open: /etc/bind/named.conf: permission denied
Dec 23 09:04:27 wonder named[10310]: loading configuration: permission denied
Dec 23 09:04:27 wonder named[10310]: exiting (due to fatal error)
more ideas for me to check?

23rd December 2008, 15:32 | Junior Member | Join Date: Dec 2008 | Posts: 8
more info
Just for grins, I also tried chmod 755 /var/lib/named. Bind still failed, but now with new errors:
Code:
Dec 23 09:11:24 wonder named[10340]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 09:11:24 wonder named[10340]: found 1 CPU, using 1 worker thread
Dec 23 09:11:24 wonder named[10340]: loading configuration from '/etc/bind/named.conf'
Dec 23 09:11:24 wonder named[10340]: /etc/bind/named.conf.options:93: change directory to '/var/cache/bind' failed: permission denied
Dec 23 09:11:24 wonder named[10340]: /etc/bind/named.conf.options:93: parsing failed
Dec 23 09:11:24 wonder named[10340]: loading configuration: permission denied
Dec 23 09:11:24 wonder named[10340]: exiting (due to fatal error)
var is 755 root:root, /var/cache is 755 root:root, and /var/cache/bind is 755 bind:bind (I also tried 755 root:bind for the last directory, but bind still failed).
/etc/apparmor.d/usr.sbin.named shows:
Code:
# Dynamic updates needs zone and journal files rw. We just allow rw for all
# in /etc/bind, and let DAC handle the rest > moved to /var/lib/named/etc/bind
/var/lib/named/etc/bind/* rw,
# if local zones are in a subdirectory
/var/lib/named/etc/bind/zones/* rw,
/var/lib/named/etc/bind/zones/external/* rw,
/var/lib/named/etc/bind/zones/internal/* rw,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** rw,
/var/cache/bind/ rw,
# some people like to put logs in /var/log/named/
/var/log/named/** rw,
# dnscvsutil package
/var/lib/dnscvsutil/compiled/** rw,
/proc/net/if_inet6 r,
/usr/sbin/named mr,
/var/lib/named/var/run/bind/run/named.pid w,
#/var/run/bind/run/named.pid w,
# support for resolvconf
/var/lib/named/var/run/bind/named.options r,
#/var/run/bind/named.options r,
# add also following lines thanks to Spezi2u
/var/lib/named/dev/null rw,
/var/lib/named/dev/random rw,

23rd December 2008, 16:53 | Junior Member | Join Date: Dec 2008 | Posts: 8
ok... a bit more info
I tried commenting out the original default directory string in named.conf.options. Bind still fails, but with this error now...
Code:
Dec 23 10:37:19 wonder named[10423]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 10:37:19 wonder named[10423]: found 1 CPU, using 1 worker thread
Dec 23 10:37:19 wonder named[10423]: loading configuration from '/etc/bind/named.conf'
Dec 23 10:37:19 wonder named[10423]: listening on IPv6 interfaces, port 53
Dec 23 10:37:19 wonder named[10423]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 23 10:37:19 wonder named[10423]: listening on IPv4 interface eth0, 192.168.5.11#53
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: D.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: A.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: B.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: command channel listening on 127.0.0.1#953
Dec 23 10:37:19 wonder named[10423]: command channel listening on ::1#953
Dec 23 10:37:19 wonder named[10423]: could not open entropy source /dev/random: permission denied
Dec 23 10:37:19 wonder named[10423]: using pre-chroot entropy source /dev/random
Dec 23 10:37:19 wonder named[10423]: couldn't open pid file '/var/run/bind/run/named.pid': Permission denied
Dec 23 10:37:19 wonder named[10423]: exiting (due to early fatal error)
Permissions for /var/run/bind/run are:
Code:
drwxrwxr-x 2 root bind 40 2008-12-20 17:19 run
and permissions for /dev/random are:
Code:
crw-rw-rw- 1 root root 1, 8 2008-12-20 17:18 random
and per the perfect server tutorial, I had made both the null and random devices in /var/lib/named/dev/. Permissions here are:
Code:
srw-rw-rw- 1 root root 0 2008-12-21 13:05 log
crw-rw-rw- 1 root root 1, 3 2008-12-20 16:24 null
crw-rw-rw- 1 root root 1, 8 2008-12-20 16:24 random

23rd December 2008, 18:03 | Junior Member | Join Date: Dec 2008 | Posts: 8
I think it's fixed...
OK... by commenting out the original directory string in named.conf.options (directory "/var/cache/bind"), I eliminated that error, but I was no longer specifying where the zone files are...
So chmod 755 on /var/lib/named/var/cache/bind and /var/lib/named/cache fixed the error, but I was still getting errors regarding the /dev/random entropy source and named.pid...
Code:
Dec 23 10:37:19 wonder named[10423]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 10:37:19 wonder named[10423]: found 1 CPU, using 1 worker thread
Dec 23 10:37:19 wonder named[10423]: loading configuration from '/etc/bind/named.conf'
Dec 23 10:37:19 wonder named[10423]: listening on IPv6 interfaces, port 53
Dec 23 10:37:19 wonder named[10423]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 23 10:37:19 wonder named[10423]: listening on IPv4 interface eth0, 192.168.5.11#53
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: D.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: A.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: automatic empty zone: B.E.F.IP6.ARPA
Dec 23 10:37:19 wonder named[10423]: command channel listening on 127.0.0.1#953
Dec 23 10:37:19 wonder named[10423]: command channel listening on ::1#953
Dec 23 10:37:19 wonder named[10423]: could not open entropy source /dev/random: permission denied
Dec 23 10:37:19 wonder named[10423]: using pre-chroot entropy source /dev/random
Dec 23 10:37:19 wonder named[10423]: couldn't open pid file '/var/run/bind/run/named.pid': Permission denied
Dec 23 10:37:19 wonder named[10423]: exiting (due to early fatal error)
chmod 755 on /var/lib/named/dev/ seems to fix the 'entropy source' error... (/dev/random is actually /var/lib/named/dev/random due to the chroot)
Code:
Dec 23 11:07:29 wonder named[10480]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 11:07:29 wonder named[10480]: found 1 CPU, using 1 worker thread
Dec 23 11:07:29 wonder named[10480]: loading configuration from '/etc/bind/named.conf'
Dec 23 11:07:29 wonder named[10480]: listening on IPv6 interfaces, port 53
Dec 23 11:07:29 wonder named[10480]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 23 11:07:29 wonder named[10480]: listening on IPv4 interface eth0, 192.168.5.11#53
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: D.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: A.E.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: automatic empty zone: B.E.F.IP6.ARPA
Dec 23 11:07:29 wonder named[10480]: command channel listening on 127.0.0.1#953
Dec 23 11:07:29 wonder named[10480]: command channel listening on ::1#953
Dec 23 11:07:29 wonder named[10480]: couldn't open pid file '/var/run/bind/run/named.pid': Permission denied
Dec 23 11:07:29 wonder named[10480]: exiting (due to early fatal error)
chmod 755 on /var/lib/named/var/run/bind/, /var/lib/named/var/run/, and finally /var/lib/named/var/ eliminated the 'permission denied' error for named.pid (again, /var/run/bind/run/named.pid is actually /var/lib/named/var/run/bind/run/named.pid due to the chroot)
Code:
Dec 23 11:14:37 wonder named[10604]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 23 11:14:37 wonder named[10604]: found 1 CPU, using 1 worker thread
Dec 23 11:14:37 wonder named[10604]: loading configuration from '/etc/bind/named.conf'
Dec 23 11:14:37 wonder named[10604]: listening on IPv6 interfaces, port 53
Dec 23 11:14:37 wonder named[10604]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 23 11:14:37 wonder named[10604]: listening on IPv4 interface eth0, 192.168.5.11#53
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: D.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: A.E.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: automatic empty zone: B.E.F.IP6.ARPA
Dec 23 11:14:37 wonder named[10604]: command channel listening on 127.0.0.1#953
Dec 23 11:14:37 wonder named[10604]: command channel listening on ::1#953
Dec 23 11:14:37 wonder named[10604]: zone 0.in-addr.arpa/IN: loaded serial 1
Dec 23 11:14:37 wonder named[10604]: zone 127.in-addr.arpa/IN: loaded serial 1
Dec 23 11:14:37 wonder named[10604]: zone 255.in-addr.arpa/IN: loaded serial 1
Dec 23 11:14:37 wonder named[10604]: zone localhost/IN: loaded serial 2
Dec 23 11:14:37 wonder named[10604]: running
So is this unique to my install... did I miss a permissions step somewhere in the tutorial... should this be added to the 'perfect server' tutorial?

24th December 2008, 16:56 | Super Moderator | Join Date: Apr 2005 | Location: Lüneburg, Germany | Posts: 41,665
I strongly recommend disabling AppArmor; that might have been the reason for your problems.

24th December 2008, 17:39 | Junior Member | Join Date: Dec 2008 | Posts: 8
but...
While I appreciate your views/opinion on AppArmor, the problem started with chrooting bind. I did, indeed, follow the steps exactly by stopping and purging AppArmor from the system.
With AppArmor purged, AND later with it re-installed (with the appropriate lines added to the AppArmor named profile), at NO point did I get any error suggesting it was related to AppArmor, i.e.:
Code:
... kernel: [ 9136.933011] audit(1206428817.898:3): operation="inode_permission" request_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=11825 profile="/usr/sbin/named" namespace="default"
However, under both scenarios, I only obtained syslog errors directly related to, and fixed by, assigning 755 permissions to the chrooted directories created in step #13, page #4 of the tutorial (specifically those in /var/lib/named/...). In ferreting through the various threads, it seems an equal number trying the tutorial run into either the AppArmor errors OR the same Bind9 permission errors, i.e.:
Code:
... named[11824]: starting BIND 9.4.2 -u bind -t /var/lib/named
... named[11824]: found 1 CPU, using 1 worker thread
... named[11824]: loading configuration from '/etc/bind/named.conf'
... named[11824]: none:0: open: /etc/bind/named.conf: permission denied
... named[11824]: loading configuration: permission denied
... named[11824]: exiting (due to fatal error)
Which is why I posted the permission issues I found on a virgin install.
Bind9 failed in the same way when the server was gutted, AppArmor stopped/purged, and rebooted as when AppArmor was re-installed and correctly configured, so I'm not thinking it is/was an AppArmor issue.
AppArmor may well get purged before I'm done setting up the server completely, but I don't think the issues with chrooting bind can all be dismissed with AppArmor as the sole culprit.
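The disagreement above is settled by the logs, because the two failure modes leave different traces: an AppArmor denial is a kernel audit line carrying profile="/usr/sbin/named" and a denied_mask, and it names the host path (/var/lib/named/etc/bind/named.conf), while a DAC denial from the mode bits is logged by named itself as "permission denied" and names the path as seen inside the chroot (/etc/bind/named.conf). The filter below is an added example, not code from the thread: it classifies each denial line on stdin and maps named's in-chroot paths to the host paths one would actually chmod. The chroot base is taken from the first argument (default /var/lib/named); the sample lines are constructed from the two formats shown in this thread, not a captured log.

```shell
#!/bin/sh
# Added example, not from the thread. Separates AppArmor (MAC) denials from
# named's own DAC "permission denied" lines and rewrites the latter's
# in-chroot paths to host paths. Assumption: chroot base is $1, default
# /var/lib/named. SAMPLE_LOG is constructed from the formats quoted above.

# classify_denials [CHROOT]   (log lines on stdin)
# Prints "apparmor HOSTPATH" or "dac CHROOTPATH -> HOSTPATH" per denial.
classify_denials() {
  base=${1:-/var/lib/named}
  while IFS= read -r line; do
    case $line in
      # audit/AppArmor line: profile and denied_mask in either order
      *'profile="/usr/sbin/named"'*denied_mask=*|*denied_mask=*'profile="/usr/sbin/named"'*)
        hp=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
        printf 'apparmor %s\n' "$hp" ;;
      # named's own log line: take the last absolute path before the error
      *" named["*"]: "*[Pp]"ermission denied"*)
        cp=$(printf '%s\n' "$line" | sed -n "s/.*[ ']\(\/[^ ':]*\).*/\1/p")
        printf 'dac %s -> %s%s\n' "$cp" "$base" "$cp" ;;
    esac
  done
}

# Constructed sample: named lines in the format of the syslog excerpts above
# and one audit line in the format the poster quoted. Not a captured log.
SAMPLE_LOG=$(cat <<'EOF'
Dec 23 09:04:27 wonder named[10310]: loading configuration from '/etc/bind/named.conf'
Dec 23 09:04:27 wonder named[10310]: none:0: open: /etc/bind/named.conf: permission denied
Dec 23 10:37:19 wonder named[10423]: couldn't open pid file '/var/run/bind/run/named.pid': Permission denied
Dec 23 10:37:19 wonder named[10423]: could not open entropy source /dev/random: permission denied
Dec 23 10:40:02 wonder kernel: [ 9136.933011] audit(1206428817.898:3): operation="inode_permission" request_mask="r::" denied_mask="r::" name="/var/lib/named/etc/bind/named.conf" pid=11825 profile="/usr/sbin/named" namespace="default"
EOF
)

# Stand-alone run on the sample; on a real box: classify_denials /var/lib/named < /var/log/syslog
printf '%s\n' "$SAMPLE_LOG" | classify_denials /var/lib/named
```

If every line comes back as dac, the fix is mode bits on the host paths printed after the arrow, and AppArmor is not involved; if apparmor lines appear, the profile needs the listed host path even after the directories are 755. Both can occur on the same box, which is why checking the log class before changing either is worthwhile.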

28th December 2008, 18:38 | Member | Join Date: Sep 2007 | Posts: 47
Hi there, I was away for a while (Christmas & stuff).
Did you get to fix it?
I mostly dumped the ubuntu-server crap in favor of plain Debian, and on the one server that still has it I purged (apt-get purge package) AppArmor...
(but I still do use Ubuntu as a desktop)
Anyway, if you still need assistance...
Happy Christmas & NY to all...
__________________
Windows, the only virus you pay for

12th January 2009, 23:00 | HowtoForge Supporter | Join Date: Apr 2007 | Location: Helsinki | Posts: 374
Truly weird.
Has anyone solved this?
My talents seem to have expired.