both recursive-only BIND9 went deaf until rebooted

2014-08-13 Thread lconrad


fbsd 8.2 VM with BIND 9.9.5

fbsd 10.0-RELEASE VM with BIND 9.10.0-P2

the older machine had uptime of 400+ days, the new machine only a 
couple weeks


24 hour query logging shows several million queries/day

At about the same time last night, both stopped answering queries 
until rebooted.


before reboot,

load of about 1 (we see elevated load alerts with ssh brute force 
attacks)


memory not swapping, plenty of free MBs.

nothing in syslog,

no sign of ssh brute force, ssh worked

rndc status showed ok

sockstat -4 showed  bind listening on :53

all DNS queries from outside the machines timed out

ssh shell command:

dig @127.0.0.1 domain.tld any  answered normally

What other forensics could have been checked?

thanks
Len


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: both recursive-only BIND9 went deaf until rebooted

2014-08-13 Thread Jeremy C. Reed
On Wed, 13 Aug 2014, lcon...@go2france.com wrote:

> fbsd 8.2 VM with BIND 9.9.5
> 
> fbsd 10.0-RELEASE VM with BIND 9.10.0-P2
> 
> the older machine had uptime of 400+ days, the new machine only a couple weeks
> 
> 24 hour query logging shows several million queries/day
> 
> At about the same time last night, both stopped answering queries until
> rebooted.
> 
> before reboot,
> 
> load of about 1 (we see elevated load alerts with ssh brute force attacks)
> 
> memory not swapping, plenty of free MBs.
> 
> nothing in syslog,
> 
> no sign of ssh brute force, ssh worked
> 
> rndc status showed ok
> 
> sockstat -4 showed bind listening on :53

This part doesn't sound right.  sockstat should show the local IP (or 
host) and the :53 port for the local bound end of the socket for all 
the interfaces as allowed by listen-on. The sockstat output shouldn't be 
just :53 nor *:53 for example.

So maybe it wasn't listening to the interfaces that you expected since 
below you suggest that the loopback one did work.

Maybe something temporarily happened during the interface-interval scan 
and it detected that some interface went away? Do your logs have 
anything like no longer listening on 192.168.99.99#53? I wonder if 
rndc scan would have helped in that case to re-detect it before next 
interface-interval.

> all DNS queries from outside the machines timed out
> 
> ssh shell command:
> 
> dig @127.0.0.1 domain.tld any  answered normally
> 
> What other forensics could have been checked?
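The poster asked what else could have been checked, and the reply points at two things: the local-address column of sockstat versus the listen-on addresses, and "no longer listening on" lines in the named log. The POSIX shell script below is an added example, not code from the thread, that applies both checks to constructed sockstat and named-log samples; the addresses, PIDs, interface names and timestamps in it are made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: scripted checks for the "answers on
# loopback, deaf on the interface addresses" symptom the reply points at. Both
# samples below are CONSTRUCTED; they are not output from the poster's hosts.

# Constructed `sockstat -4` output: named is bound on loopback only.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      1234  20 udp4   127.0.0.1:53          *:*
bind     named      1234  21 tcp4   127.0.0.1:53          *:*
bind     named      1234  22 tcp4   127.0.0.1:953         *:*'

# Constructed named log excerpt of the kind the reply suggests searching for.
LOG_SAMPLE='13-Aug-2014 02:14:07.113 general: info: no longer listening on 192.168.99.99#53
13-Aug-2014 02:14:07.114 general: info: listening on IPv4 interface lo0, 127.0.0.1#53'

# Print, one per line, the local addresses named has bound on port 53.
# Field 6 of a sockstat data row is "LOCAL ADDRESS" in addr:port form.
bound_dns_addrs() {
    printf '%s\n' "$1" | awk '$2 == "named" && $6 ~ /:53$/ { sub(/:53$/, "", $6); print $6 }' | sort -u
}

# Return 0 when every address given after the sockstat text is bound on :53;
# otherwise list the missing ones on stderr and return 1. A bound wildcard
# ("*") satisfies any expected address.
check_listen_on() {
    text=$1; shift
    bound=$(bound_dns_addrs "$text")
    missing=""
    for addr in "$@"; do
        printf '%s\n' "$bound" | grep -qx -e "$addr" -e '\*' || missing="$missing $addr"
    done
    [ -z "$missing" ] && return 0
    echo "listen-on address(es) not bound on :53:$missing" >&2
    return 1
}

# Count interface-scan events where named dropped an address; a non-zero
# count is the trail to follow before blaming the network or rebooting.
count_dropped_listeners() {
    printf '%s\n' "$1" | grep -c 'no longer listening on'
}

bound_dns_addrs "$SOCKSTAT_SAMPLE"
check_listen_on "$SOCKSTAT_SAMPLE" 127.0.0.1 192.168.99.99 || echo "next step: rndc scan, then recheck"
echo "dropped listeners logged: $(count_dropped_listeners "$LOG_SAMPLE")"
```

On a live host the two sample variables would be replaced with `$(sockstat -4)` and the named log file, keeping the checks unchanged.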