Re: [RESOLVED] Re: No response from localhost with "allow-query { any; };"

2020-09-04 Thread Crist Clark
From release notes:

Notes for BIND 9.16.1

Known Issues
UDP network ports used for listening can no longer simultaneously be used
for sending traffic. An example configuration which triggers this issue
would be one which uses the same address:port pair for listen-on(-v6)
statements as for notify-source(-v6) or transfer-source(-v6). While this
issue affects all operating systems, it only triggers log messages (e.g.
“unable to create dispatch for reserved port”) on some of them. There are
currently no plans to make such a combination of settings work again.

Also, using fixed source ports is at worst considered harmful, at best
considered a quaint reminder of the ol' days of stateless firewalls.
Generally, if you need to do that, you are doing something wrong.


On Fri, Sep 4, 2020 at 2:25 AM Axel Rau  wrote:

>
>
> On 01.09.2020 at 22:28, Axel Rau wrote:
>
> tcp queries are being answered, but udp queries receive no response.
> This is independent of client location (local, remote).
>
> A ktrace shows 8 bytes are written on fd 89, the 8 bytes read on fd 88.
> The next read gets an errno 35 (see below).
>
>
> Commenting these out seems to resolve the issue:
>
> query-source address  91.216.35.21;
> notify-source   91.216.35.21 port 53;
> transfer-source   91.216.35.21 port 53;
>
> query-source-v6 address 2a05:bec0:26:5::71;
> notify-source-v6 2a05:bec0:26:5::71 port 53;
> transfer-source-v6 2a05:bec0:26:5::71 port 53;
>
> Queries to localhost show that the response does not come from localhost:
>
> root@ns5:/var/log # dig localhost @localhost
> ;; reply from unexpected source: 91.216.35.21#53, expected 127.0.0.1#53
>
> ;; reply from unexpected source: 91.216.35.21#53, expected 127.0.0.1#53
>
> ;; reply from unexpected source: 91.216.35.21#53, expected 127.0.0.1#53
>
>
> ; <<>> DiG 9.16.6 <<>> localhost @localhost
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> No issue with remote queries.
>
> Questions:
>
> What has query-source address to do with a query response?
> Why does the issue not happen on another server (same config, same OS
> version)?
>
> Axel
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
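A small check for the release-note condition Crist quotes, written as an added example (not ISC's code and not a full named.conf parser): it reads the listen-on blocks and the *-source options Axel posted and flags every *-source option whose fixed address:port is also a listening socket. The sample options are reconstructed from this thread; a source without `port` uses an ephemeral port and is not reported.

```python
"""Flag the BIND 9.16 'known issue' combination quoted in this thread: an
address:port that appears in listen-on(-v6) and is also forced as the fixed
address:port of notify-source(-v6), transfer-source(-v6) or query-source(-v6).

Added example, not ISC's code and not a full named.conf parser: it only
understands the option shapes that appear in this thread.
"""
import re
from typing import List, Set, Tuple

Endpoint = Tuple[str, int]

# Constructed sample: Axel's listen-on blocks plus the *-source lines he commented out.
SAMPLE_OPTIONS = """
listen-on {
    91.216.35.21;
    127.0.0.1;
};
listen-on-v6 {
    2a05:bec0:26:5::71;
    ::1;
};
query-source address 91.216.35.21;
notify-source 91.216.35.21 port 53;
transfer-source 91.216.35.21 port 53;
query-source-v6 address 2a05:bec0:26:5::71;
notify-source-v6 2a05:bec0:26:5::71 port 53;
transfer-source-v6 2a05:bec0:26:5::71 port 53;
"""

# listen-on[-v6] [port N] { addr; addr; ... };
LISTEN_RE = re.compile(
    r"\blisten-on(?:-v6)?\s*(?:port\s+(\d+)\s*)?\{([^}]*)\}", re.I | re.S)
# <query|notify|transfer>-source[-v6] [address] ADDR [port N];
SOURCE_RE = re.compile(
    r"\b((?:query|notify|transfer)-source(?:-v6)?)\s+(?:address\s+)?"
    r"([0-9a-fA-F:.]+|\*)(?:\s+port\s+(\d+|\*))?\s*;", re.I)


def listen_endpoints(conf: str) -> Set[Endpoint]:
    """Expand every listen-on(-v6) block into (address, port) pairs.

    The port defaults to 53; the keyword 'any' is kept as the literal
    address "any" so that callers can treat it as a wildcard.
    """
    found: Set[Endpoint] = set()
    for m in LISTEN_RE.finditer(conf):
        port = int(m.group(1) or 53)
        for item in m.group(2).split(";"):
            addr = item.strip().lower()
            if addr and addr != "none":
                found.add((addr, port))
    return found


def fixed_sources(conf: str) -> List[Tuple[str, Endpoint]]:
    """Return (option, (address, port)) for each *-source option that pins a port.

    Options without 'port', or with 'port *', use an ephemeral port and
    cannot collide with a listening socket, so they are skipped.
    """
    pinned = []
    for m in SOURCE_RE.finditer(conf):
        option, addr, port = m.group(1).lower(), m.group(2).lower(), m.group(3)
        if port is None or port == "*":
            continue
        pinned.append((option, (addr, int(port))))
    return pinned


def collides(addr: str, port: int, listens: Set[Endpoint]) -> bool:
    """True when (addr, port) is a listening socket, directly or via a wildcard."""
    if (addr, port) in listens or ("any", port) in listens:
        return True
    # A wildcard source address '*' shares every listening socket on that port.
    return addr == "*" and any(p == port for _, p in listens)


def find_collisions(conf: str) -> List[str]:
    """One message per *-source option that reuses a listen-on address:port."""
    listens = listen_endpoints(conf)
    return [
        f"{option} {addr} port {port} reuses a listen-on socket"
        for option, (addr, port) in fixed_sources(conf)
        if collides(addr, port, listens)
    ]


if __name__ == "__main__":
    for problem in find_collisions(SAMPLE_OPTIONS) or ["no listen/source port collisions"]:
        print(problem)
```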


[RESOLVED] Re: No response from localhost with "allow-query { any; };"

2020-09-04 Thread Axel Rau


> On 01.09.2020 at 22:28, Axel Rau wrote:
> 
> tcp queries are being answered, but udp queries receive no response.
> This is independent of client location (local, remote).
> 
> A ktrace shows 8 bytes are written on fd 89, the 8 bytes read on fd 88.
> The next read gets an errno 35 (see below).


Commenting these out seems to resolve the issue:

query-source address  91.216.35.21;
notify-source   91.216.35.21 port 53;
transfer-source   91.216.35.21 port 53;

query-source-v6 address 2a05:bec0:26:5::71;
notify-source-v6 2a05:bec0:26:5::71 port 53;
transfer-source-v6 2a05:bec0:26:5::71 port 53;

Queries to localhost show that the response does not come from localhost:

root@ns5:/var/log # dig localhost @localhost
;; reply from unexpected source: 91.216.35.21#53, expected 127.0.0.1#53

;; reply from unexpected source: 91.216.35.21#53, expected 127.0.0.1#53

;; reply from unexpected source: 91.216.35.21#53, expected 127.0.0.1#53


; <<>> DiG 9.16.6 <<>> localhost @localhost
;; global options: +cmd
;; connection timed out; no servers could be reached

No issue with remote queries.

Questions:

What has query-source address to do with a query response?
Why does the issue not happen on another server (same config, same OS
version)?

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Re: No response from localhost with "allow-query { any; };"

2020-09-01 Thread Axel Rau
tcp queries are being answered, but udp queries receive no response.
This is independent of client location (local, remote).

A ktrace shows 8 bytes are written on fd 89, the 8 bytes read on fd 88.
The next read gets an errno 35 (see below).

clueless,
Axel


root@ns5:/var/log # uname -a
FreeBSD ns5 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC  amd64

root@ns5:/var/log # named -V
BIND 9.16.6 (Stable Release) 
running on FreeBSD amd64 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC
built by make with '--disable-linux-caps' '--localstatedir=/var' 
'--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' 
'--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' 
'--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-fixed-rrset' 
'--disable-geoip' '--without-maxminddb' '--without-gssapi' 
'--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' 
'--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' 
'--disable-querytrace' '--enable-tcp-fastopen' '--disable-symtable' 
'--prefix=/usr/local' '--mandir=/usr/local/man' 
'--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 
'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe 
-DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include 
-fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c 
-fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG 
-isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1 (tags/RELEASE_801/final 
366581)
compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
compiled with libuv version: 1.38.1
linked to libuv version: 1.38.1
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.3.2
linked to protobuf-c version: 1.3.2
threads support is enabled

23480 isc-socket-0 STRU  struct kevent[] = { { ident=512, filter=EVFILT_READ, 
flags=0, fflags=0, data=0x35, udata=0x0 } }
 23480 isc-socket-0 RET   kevent 0x1
 23480 isc-socket-0 CALL  recvmsg(0x200,0x7fffdbddbb70,0)
 23480 isc-socket-0 GIO   fd 512 read 53 bytes
   0x 552a 0120 0001   0001 0377   |U*. .www|
   0x0010 0568 6569 7365 0264 6500 0001 0001   |.heise.de...|
   0x0020 2910    0c00 0a00 0810 a161  |)..a|
   0x0030 cea7 9c05 fa |.|

 23480 isc-socket-0 STRU  struct sockaddr { AF_INET, 193.105.105.1:56885 }
 23480 isc-socket-0 RET   recvmsg 0x35
 23480 isc-socket-0 CALL  _umtx_op(0x802f38bb8,0x15,0x1,0,0)
 23480 isc-socket-0 RET   _umtx_op 0
 23480 isc-socket-0 CALL  kevent(0x5a,0x7fffdbddbec0,0x1,0,0,0)
 23480 isc-socket-0 STRU  struct kevent[] = { { ident=512, filter=EVFILT_READ, 
flags=0x2, fflags=0, data=0, udata=0x0 } }
 23480 isc-socket-0 STRU  struct kevent[] = {  }
 23480 isc-socket-0 RET   kevent 0
 23480 isc-socket-0 CALL  kevent(0x5a,0,0,0x802fa7200,0x800,0)
 23480 isc-socket-0 STRU  struct kevent[] = {  }
 23480 isc-worker RET   _umtx_op 0
 23480 isc-worker CALL  recvmsg(0x200,0x7fffddfec9c0,0)
 23480 isc-worker RET   recvmsg -1 errno 35
 23480 isc-worker CALL  write(0x59,0x7fffddfecbc0,0x8)
 23480 isc-worker GIO   fd 89 wrote 8 bytes
   0x 0002  fdff   ||

 23480 isc-worker RET   write 0x8
 23480 isc-worker CALL  _umtx_op(0x80178f188,0xf,0,0,0)
 23480 isc-socket-0 STRU  struct kevent[] = { { ident=88, filter=EVFILT_READ, 
flags=0, fflags=0, data=0x8, udata=0x0 } }
 23480 isc-socket-0 RET   kevent 0x1
 23480 isc-socket-0 CALL  read(0x58,0x7fffdbddbe40,0x8)
 23480 isc-socket-0 GIO   fd 88 read 8 bytes
   0x 0002  fdff   ||

 23480 isc-socket-0 RET   read 0x8
 23480 isc-socket-0 CALL  kevent(0x5a,0x7fffdbddbec0,0x1,0,0,0)
 23480 isc-socket-0 STRU  struct kevent[] = { { ident=512, filter=EVFILT_READ, 
flags=0x1, fflags=0, data=0, udata=0x0 } }
 23480 isc-socket-0 STRU  struct kevent[] = {  }
 23480 isc-socket-0 RET   kevent 0
 23480 isc-socket-0 CALL  read(0x58,0x7fffdbddbe40,0x8)
 23480 isc-socket-0 RET   read -1 errno 35
 23480 isc-socket-0 CALL  kevent(0x5a,0,0,0x802fa7200,0x800,0)
 23480 isc-socket-0 STRU  struct kevent[] = {  }
 23480 isc-socket-0 STRU  struct kevent[] = { { ident=512, filter=EVFILT_READ, 
flags=0, fflags=0, data=0x35, udata=0x0 } }
 23480 isc-socket-0 RET   kevent 0x1
 23480 isc-socket-0 CALL  recvmsg(0x200,0x7fffdbddbb70,0)
 23480 isc-socket-0 GIO   fd 512 read 53 bytes
   0x 552a 0120 0001   0001 0377   |U*. .www|
   0x0010 0568 6569 7365 0264 6500 0001 0001   |.heise.de...|
   0x0020 2910    0c00 0a00 0810 a161  |)..a|
   0x0030 cea7 

Re: No response from localhost with "allow-query { any; };"

2020-09-01 Thread Axel Rau


> On 01.09.2020 at 16:57, Petr Menšík wrote:
> 
> Please include any listen-on { ... } and listen-on-v6 { ... } clauses.
> 
> It seems none of 127.0.0.1; ::1; or localhost; is listed in them.
> Because it is not listening on localhost socket, it would not answer any
> queries.
> 


Voilà:


Listen-on {
91.216.35.21;
127.0.0.1;
};
Listen-on-v6 {
2a05:bec0:26:5::71;
::1;
};

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Re: No response from localhost with "allow-query { any; };"

2020-09-01 Thread Petr Menšík
Please include any listen-on { ... } and listen-on-v6 { ... } clauses.

It seems none of 127.0.0.1; ::1; or localhost; is listed in them.
Because it is not listening on localhost socket, it would not answer any
queries.

If the server should listen on all interfaces, just use:
  listen-on { any; };

If it has addresses on which it should not listen, just add localhost;
to current listen-on.

It might be able to respond to:

dig @91.216.35.21 -b 127.0.0.1 localhost

Which would be technically from localhost, but I guess you are looking
for listen-on change.

Cheers,
Petr

On 9/1/20 4:41 PM, Axel Rau wrote:
> Thanks for answering:
> 
> root@ns5:/ # dig NS lrau.net @91.216.35.21
> 
> ; <<>> DiG 9.16.5 <<>> NS lrau.net @91.216.35.21
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> root@ns5:/ # dig NS lrau.net @localhost
> 
> ; <<>> DiG 9.16.5 <<>> NS lrau.net @localhost
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> root@ns5:/ # sockstat -p 53
> USER COMMANDPID   FD PROTO  LOCAL ADDRESS FOREIGN ADDRESS
> root cron   59891 5  dgram  -> /var/run/log
> root sendmail   59197 3  dgram  -> /var/run/log
> bind named  47812 3  dgram  -> /var/run/log
> bind named  47812 137 udp4  91.216.35.21:53   *:*
> bind named  47812 138 udp4  91.216.35.21:53   *:*
> bind named  47812 139 udp4  91.216.35.21:53   *:*
> bind named  47812 140 udp4  91.216.35.21:53   *:*
> bind named  47812 141 udp4  91.216.35.21:53   *:*
> bind named  47812 142 udp4  91.216.35.21:53   *:*
> bind named  47812 143 udp4  91.216.35.21:53   *:*
> bind named  47812 144 udp4  91.216.35.21:53   *:*
> bind named  47812 145 udp4  91.216.35.21:53   *:*
> bind named  47812 146 udp4  91.216.35.21:53   *:*
> bind named  47812 147 udp4  91.216.35.21:53   *:*
> bind named  47812 148 udp4  91.216.35.21:53   *:*
> bind named  47812 149 udp4  91.216.35.21:53   *:*
> bind named  47812 150 udp4  91.216.35.21:53   *:*
> bind named  47812 151 udp4  91.216.35.21:53   *:*
> bind named  47812 152 udp4  91.216.35.21:53   *:*
> bind named  47812 154 tcp4  91.216.35.21:53   *:*
> bind named  47812 155 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 156 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 157 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 158 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 159 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 160 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 161 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 162 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 163 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 164 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 165 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 166 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 167 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 168 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 169 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 170 udp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 172 tcp6  2a05:bec0:26:5::71:53 *:*
> bind named  47812 512 udp4  91.216.35.21:53   *:*
> bind named  47812 513 udp6  2a05:bec0:26:5::71:53 *:*
> root rsyslogd   45747 0  dgram  /var/run/log
> root rsyslogd   45747 1  dgram  -> /var/run/log
> root@ns5:/ #
> 
> 
>> On 01.09.2020 at 16:14, Ondřej Surý wrote:
>>
>> Hi Axel,
>>
>> the `nc` commands you used for testing neither prove that
>> it’s that specific `named` listening on that port nor DNS
>> daemon at all.  FWIW it could be a dummy UDP/TCP server
>> and you would not know.
>>
>> First you need to use a tool from your operating system
>> to check what is listening on those ports, and then use
>> `dig` (or other DNS debugging tool) to send actual DNS
>> queries.
>>
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ond...@isc.org
>>
>>> On 1. 9. 2020, at 16:11, Axel Rau  wrote:
>>>
>>> Hi!
>>>
>>> this is a new server, which answers external queries, sends notifies and 
>>> pushes axfrs.
>>> It does not answer any query from localhost nor show any notifies from 
>>> master in the logs.
>>>
>>> From local:
>>> root@ns5:/ # nc -v localhost 53
>>> Connection to localhost 53 port [tcp/domain] succeeded!
>>> ^C
>>> root@ns5:/ # nc -vu localhost 53
>>> Connection to localhost 53 port [udp/domain] succeeded!
>>>
>>> From master server:
>>> [hermes:local/etc/namedb] root# nc -v ns5.lrau.net 53
>>> Connection to ns5.lrau.net 53 port [tcp/domain] succeeded!
>>> ^C
>>> [hermes:local/etc/namedb] root# nc -vu ns5.lrau.net 53
>>> Connection to ns5.lrau.net 53 port [udp/domain] succeeded!
>>>
>>>

Re: No response from localhost with "allow-query { any; };"

2020-09-01 Thread Axel Rau
Thanks for answering:

root@ns5:/ # dig NS lrau.net @91.216.35.21

; <<>> DiG 9.16.5 <<>> NS lrau.net @91.216.35.21
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # dig NS lrau.net @localhost

; <<>> DiG 9.16.5 <<>> NS lrau.net @localhost
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # sockstat -p 53
USER COMMANDPID   FD PROTO  LOCAL ADDRESS FOREIGN ADDRESS
root cron   59891 5  dgram  -> /var/run/log
root sendmail   59197 3  dgram  -> /var/run/log
bind named  47812 3  dgram  -> /var/run/log
bind named  47812 137 udp4  91.216.35.21:53   *:*
bind named  47812 138 udp4  91.216.35.21:53   *:*
bind named  47812 139 udp4  91.216.35.21:53   *:*
bind named  47812 140 udp4  91.216.35.21:53   *:*
bind named  47812 141 udp4  91.216.35.21:53   *:*
bind named  47812 142 udp4  91.216.35.21:53   *:*
bind named  47812 143 udp4  91.216.35.21:53   *:*
bind named  47812 144 udp4  91.216.35.21:53   *:*
bind named  47812 145 udp4  91.216.35.21:53   *:*
bind named  47812 146 udp4  91.216.35.21:53   *:*
bind named  47812 147 udp4  91.216.35.21:53   *:*
bind named  47812 148 udp4  91.216.35.21:53   *:*
bind named  47812 149 udp4  91.216.35.21:53   *:*
bind named  47812 150 udp4  91.216.35.21:53   *:*
bind named  47812 151 udp4  91.216.35.21:53   *:*
bind named  47812 152 udp4  91.216.35.21:53   *:*
bind named  47812 154 tcp4  91.216.35.21:53   *:*
bind named  47812 155 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 156 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 157 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 158 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 159 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 160 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 161 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 162 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 163 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 164 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 165 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 166 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 167 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 168 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 169 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 170 udp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 172 tcp6  2a05:bec0:26:5::71:53 *:*
bind named  47812 512 udp4  91.216.35.21:53   *:*
bind named  47812 513 udp6  2a05:bec0:26:5::71:53 *:*
root rsyslogd   45747 0  dgram  /var/run/log
root rsyslogd   45747 1  dgram  -> /var/run/log
root@ns5:/ #


> On 01.09.2020 at 16:14, Ondřej Surý wrote:
> 
> Hi Axel,
> 
> the `nc` commands you used for testing neither prove that
> it’s that specific `named` listening on that port nor DNS
> daemon at all.  FWIW it could be a dummy UDP/TCP server
> and you would not know.
> 
> First you need to use a tool from your operating system
> to check what is listening on those ports, and then use
> `dig` (or other DNS debugging tool) to send actual DNS
> queries.
> 
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
> 
>> On 1. 9. 2020, at 16:11, Axel Rau  wrote:
>> 
>> Hi!
>> 
>> this is a new server, which answers external queries, sends notifies and 
>> pushes axfrs.
>> It does not answer any query from localhost nor show any notifies from 
>> master in the logs.
>> 
>> From local:
>> root@ns5:/ # nc -v localhost 53
>> Connection to localhost 53 port [tcp/domain] succeeded!
>> ^C
>> root@ns5:/ # nc -vu localhost 53
>> Connection to localhost 53 port [udp/domain] succeeded!
>> 
>> From master server:
>> [hermes:local/etc/namedb] root# nc -v ns5.lrau.net 53
>> Connection to ns5.lrau.net 53 port [tcp/domain] succeeded!
>> ^C
>> [hermes:local/etc/namedb] root#  nc -vu ns5.lrau.net 53
>> Connection to ns5.lrau.net 53 port [udp/domain] succeeded!
>> 
>> 
>> Any help greatly appreciated,
>> Axel
>> 
>> PS:
>> 
>> part of named.conf:
>>  allow-notify {
>>  hermes-ns5;
>>  };
>>  allow-transfer {
>>  full-trusted;
>>  ns5-ping;
>>  ns4-he;
>>  management-hosts;
>>  };
>>  allow-query { any; };
>>  allow-query-cache { recursive-users; };
>>  allow-recursion { recursive-users; };
>> 
>> 
>> root@ns5:/usr/local/etc/namedb/working/slave # named -V
>> BIND 9.16.5 (Stable Release) 
>> running on FreeBSD amd64 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC
>> built by make with '--disable-linux-caps' '--localstatedir=/var' 
>> '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' 
>> '--with-openssl=/usr' 

Re: No response from localhost with "allow-query { any; };"

2020-09-01 Thread Axel Rau
Thanks for your answer!

> On 01.09.2020 at 16:18, Warren Kumari wrote:
> 
> The output you included doesn't really show very much, other than that nc 
> connects to port 53.
> 
> I'd suggest:
> dig ns5.lrau.net  @localhost
> dig ns5.lrau.net  @127.0.0.1 
> dig ns5.lrau.net  @::1
> 
> Also, have a look in /etc/hosts and make sure that you have something like:
> 127.0.0.1 localhost
> 
> 
> (nc may be connecting over v4 and  may be 
> doing v6, etc...)
> 

; <<>> DiG 9.16.5 <<>> NS lrau.net @127.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # dig NS lrau.net @::1

; <<>> DiG 9.16.5 <<>> NS lrau.net @::1
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # dig NS lrau.net @91.216.35.21

; <<>> DiG 9.16.5 <<>> NS lrau.net @91.216.35.21
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # dig NS lrau.net @localhost

; <<>> DiG 9.16.5 <<>> NS lrau.net @localhost
;; global options: +cmd
;; connection timed out; no servers could be reached

root@ns5:/ # grep localhost /etc/hosts
127.0.0.1   localhost
::1 localhost

---
PGP-Key: CDE74120  ☀  computing @ chaos claudius





Re: No response from localhost with "allow-query { any; };"

2020-09-01 Thread Warren Kumari
What is 'localhost'?

The output you included doesn't really show very much, other than that nc
connects to port 53.

I'd suggest:
dig ns5.lrau.net @localhost
dig ns5.lrau.net @127.0.0.1
dig ns5.lrau.net @::1

Also, have a look in /etc/hosts and make sure that you have something like:
127.0.0.1 localhost


(nc may be connecting over v4 and  may be
doing v6, etc...)

W

On Tue, Sep 1, 2020 at 10:12 AM Axel Rau  wrote:

> Hi!
>
> this is a new server, which answers external queries, sends notifies and
> pushes axfrs.
> It does not answer any query from localhost nor show any notifies from
> master in the logs.
>
> From local:
> root@ns5:/ # nc -v localhost 53
> Connection to localhost 53 port [tcp/domain] succeeded!
> ^C
> root@ns5:/ # nc -vu localhost 53
> Connection to localhost 53 port [udp/domain] succeeded!
>
> From master server:
> [hermes:local/etc/namedb] root# nc -v ns5.lrau.net 53
> Connection to ns5.lrau.net 53 port [tcp/domain] succeeded!
> ^C
> [hermes:local/etc/namedb] root# nc -vu ns5.lrau.net 53
> Connection to ns5.lrau.net 53 port [udp/domain] succeeded!
>
>
> Any help greatly appreciated,
> Axel
>
> PS:
>
> part of named.conf:
> allow-notify {
> hermes-ns5;
> };
> allow-transfer {
> full-trusted;
> ns5-ping;
> ns4-he;
> management-hosts;
> };
> allow-query { any; };
> allow-query-cache { recursive-users; };
> allow-recursion { recursive-users; };
>
>
> root@ns5:/usr/local/etc/namedb/working/slave # named -V
> BIND 9.16.5 (Stable Release) 
> running on FreeBSD amd64 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC
> built by make with '--disable-linux-caps' '--localstatedir=/var'
> '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2'
> '--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit'
> '--with-dlz-filesystem=yes' '--disable-dnstap' '--disable-fixed-rrset'
> '--disable-geoip' '--without-maxminddb' '--without-gssapi'
> '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile'
> '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python'
> '--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1'
> '--enable-tcp-fastopen' '--with-tuning=default' '--disable-symtable'
> '--prefix=/usr/local' '--mandir=/usr/local/man'
> '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1'
> 'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe
> -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include
> -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c
> -fstack-protector-strong ' 'LIBS=-L/usr/local/lib'
> 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp'
> 'PKG_CONFIG=pkgconf'
> compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1
> (tags/RELEASE_801/final 366581)
> compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
> linked to OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
> compiled with libxml2 version: 2.9.10
> linked to libxml2 version: 20910
> compiled with json-c version: 0.14
> linked to json-c version: 0.15
> compiled with zlib version: 1.2.11
> linked to zlib version: 1.2.11
> threads support is enabled
>
> default paths:
>  named configuration:  /usr/local/etc/namedb/named.conf
>  rndc configuration:   /usr/local/etc/namedb/rndc.conf
>  DNSSEC root key:  /usr/local/etc/namedb/bind.keys
>  nsupdate session key: /var/run/named/session.key
>  named PID file:   /var/run/named/pid
>  named lock file:  /var/run/named/named.lock
>
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf


Re: No response from localhost with "allow-query { any; };"

2020-09-01 Thread Ondřej Surý
Hi Axel,

the `nc` commands you used for testing neither prove that
it’s that specific `named` listening on that port nor DNS
daemon at all.  FWIW it could be a dummy UDP/TCP server
and you would not know.

First you need to use a tool from your operating system
to check what is listening on those ports, and then use
`dig` (or other DNS debugging tool) to send actual DNS
queries.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

> On 1. 9. 2020, at 16:11, Axel Rau  wrote:
> 
> Hi!
> 
> this is a new server, which answers external queries, sends notifies and 
> pushes axfrs.
> It does not answer any query from localhost nor show any notifies from 
> master in the logs.
> 
> From local:
> root@ns5:/ # nc -v localhost 53
> Connection to localhost 53 port [tcp/domain] succeeded!
> ^C
> root@ns5:/ # nc -vu localhost 53
> Connection to localhost 53 port [udp/domain] succeeded!
> 
> From master server:
> [hermes:local/etc/namedb] root# nc -v ns5.lrau.net 53
> Connection to ns5.lrau.net 53 port [tcp/domain] succeeded!
> ^C
> [hermes:local/etc/namedb] root#   nc -vu ns5.lrau.net 53
> Connection to ns5.lrau.net 53 port [udp/domain] succeeded!
> 
> 
> Any help greatly appreciated,
> Axel
> 
> PS:
> 
> part of named.conf:
>   allow-notify {
>   hermes-ns5;
>   };
>   allow-transfer {
>   full-trusted;
>   ns5-ping;
>   ns4-he;
>   management-hosts;
>   };
>   allow-query { any; };
>   allow-query-cache { recursive-users; };
>   allow-recursion { recursive-users; };
> 
> 
> root@ns5:/usr/local/etc/namedb/working/slave # named -V
> BIND 9.16.5 (Stable Release) 
> running on FreeBSD amd64 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC
> built by make with '--disable-linux-caps' '--localstatedir=/var' 
> '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' 
> '--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' 
> '--with-dlz-filesystem=yes' '--disable-dnstap' '--disable-fixed-rrset' 
> '--disable-geoip' '--without-maxminddb' '--without-gssapi' 
> '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' 
> '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' 
> '--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1' 
> '--enable-tcp-fastopen' '--with-tuning=default' '--disable-symtable' 
> '--prefix=/usr/local' '--mandir=/usr/local/man' 
> '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 
> 'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe 
> -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include 
> -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c 
> -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG 
> -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
> compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1 
> (tags/RELEASE_801/final 366581)
> compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
> linked to OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
> compiled with libxml2 version: 2.9.10
> linked to libxml2 version: 20910
> compiled with json-c version: 0.14
> linked to json-c version: 0.15
> compiled with zlib version: 1.2.11
> linked to zlib version: 1.2.11
> threads support is enabled
> 
> default paths:
> named configuration:  /usr/local/etc/namedb/named.conf
> rndc configuration:   /usr/local/etc/namedb/rndc.conf
> DNSSEC root key:  /usr/local/etc/namedb/bind.keys
> nsupdate session key: /var/run/named/session.key
> named PID file:   /var/run/named/pid
> named lock file:  /var/run/named/named.lock
> 
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius
> 
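Ondřej's point is that an `nc` connect proves nothing about what answers on port 53, and Axel's RESOLVED message shows what a real query check catches: dig discarded replies because they came from 91.216.35.21#53 instead of the 127.0.0.1#53 it had sent to. The following is an added example (not from the thread or from ISC's dig source) that builds a real UDP query and applies the same acceptance checks dig applies to a reply: matching source address:port, matching transaction ID, QR bit set, question echoed. `make_reply()` fabricates a reply purely so the checks can be exercised offline; `probe()` does the live version.

```python
"""Send an actual DNS query instead of an `nc` connect test, and apply the
acceptance checks dig applies to a UDP reply: it must arrive from the
address:port the query went to, carry the query's transaction ID, have the
QR bit set and echo the question. A mismatch on the first check is exactly
what produced "reply from unexpected source" in this thread.

Added example, not code from the thread or from ISC's dig; the reply bytes
built by make_reply() are constructed for the offline demonstration.
"""
import random
import socket
import struct
from typing import Optional, Tuple

Addr = Tuple[str, int]


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> Tuple[int, bytes]:
    """12-byte header (RD=1, like dig's default) followed by one question."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)  # unpredictable ID, one of the anti-spoofing checks
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def make_reply(query: bytes, rcode: int = 0, rdata: bytes = b"\x7f\x00\x00\x01") -> bytes:
    """Constructed answer for the demo: same ID, QR|RD|RA set, question echoed, one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, 1, 0, 0)
    # Compression pointer 0xC00C refers back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + query[12:] + answer


def check_reply(query: bytes, txid: int, expected_src: Addr,
                reply: bytes, actual_src: Addr) -> str:
    """Return 'ok', or the reason dig would give for discarding this datagram."""
    if actual_src != expected_src:
        return (f"reply from unexpected source: {actual_src[0]}#{actual_src[1]}, "
                f"expected {expected_src[0]}#{expected_src[1]}")
    if len(reply) < 12:
        return "short reply"
    rid, flags, qdcount = struct.unpack("!HHH", reply[:6])
    if rid != txid:
        return "ID mismatch"
    if not flags & 0x8000:
        return "QR bit not set"
    if qdcount != 1 or reply[12:len(query)] != query[12:]:
        return "question section does not match"
    return "ok"


def probe(server: str, name: str, port: int = 53, timeout: float = 2.0) -> str:
    """Resolve the server name first (so 'localhost' becomes 127.0.0.1 or ::1),
    send one UDP query and judge the reply with check_reply()."""
    family, _, _, _, sockaddr = socket.getaddrinfo(server, port, 0, socket.SOCK_DGRAM)[0]
    txid, query = build_query(name)
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, sockaddr)
        try:
            reply, src = sock.recvfrom(4096)
        except socket.timeout:
            return "connection timed out; no servers could be reached"
    # IPv6 sockaddrs carry flowinfo/scope id; compare host and port only.
    return check_reply(query, txid, sockaddr[:2], reply, src[:2])


if __name__ == "__main__":
    # Offline walk-through; 0x552a is the transaction ID visible in the ktrace dump in this thread.
    txid, query = build_query("localhost", txid=0x552A)
    reply = make_reply(query)
    print(check_reply(query, txid, ("127.0.0.1", 53), reply, ("127.0.0.1", 53)))
    print(check_reply(query, txid, ("127.0.0.1", 53), reply, ("91.216.35.21", 53)))
```

Run `probe("localhost", "localhost")` on the affected host to see the same discard reason dig printed; with the fixed source ports removed it returns `ok`.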


No response from localhost with "allow-query { any; };"

2020-09-01 Thread Axel Rau
Hi!

this is a new server, which answers external queries, sends notifies and pushes 
axfrs.
It does not answer any query from localhost nor show any notifies from master 
in the logs.

From local:
root@ns5:/ # nc -v localhost 53
Connection to localhost 53 port [tcp/domain] succeeded!
^C
root@ns5:/ # nc -vu localhost 53
Connection to localhost 53 port [udp/domain] succeeded!

From master server:
[hermes:local/etc/namedb] root# nc -v ns5.lrau.net 53
Connection to ns5.lrau.net 53 port [tcp/domain] succeeded!
^C
[hermes:local/etc/namedb] root# nc -vu ns5.lrau.net 53
Connection to ns5.lrau.net 53 port [udp/domain] succeeded!


Any help greatly appreciated,
Axel

PS:

part of named.conf:
allow-notify {
hermes-ns5;
};
allow-transfer {
full-trusted;
ns5-ping;
ns4-he;
management-hosts;
};
allow-query { any; };
allow-query-cache { recursive-users; };
allow-recursion { recursive-users; };


root@ns5:/usr/local/etc/namedb/working/slave # named -V
BIND 9.16.5 (Stable Release) 
running on FreeBSD amd64 12.1-RELEASE-p8 FreeBSD 12.1-RELEASE-p8 GENERIC
built by make with '--disable-linux-caps' '--localstatedir=/var' 
'--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' 
'--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' 
'--with-dlz-filesystem=yes' '--disable-dnstap' '--disable-fixed-rrset' 
'--disable-geoip' '--without-maxminddb' '--without-gssapi' 
'--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' 
'--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' 
'--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-tcp-fastopen' 
'--with-tuning=default' '--disable-symtable' '--prefix=/usr/local' 
'--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' 
'--build=amd64-portbld-freebsd12.1' 'build_alias=amd64-portbld-freebsd12.1' 
'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem 
/usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c 
-fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG 
-isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1 (tags/RELEASE_801/final 
366581)
compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d-freebsd  10 Sep 2019
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.14
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

default paths:
 named configuration:  /usr/local/etc/namedb/named.conf
 rndc configuration:   /usr/local/etc/namedb/rndc.conf
 DNSSEC root key:  /usr/local/etc/namedb/bind.keys
 nsupdate session key: /var/run/named/session.key
 named PID file:   /var/run/named/pid
 named lock file:  /var/run/named/named.lock

---
PGP-Key: CDE74120  ☀  computing @ chaos claudius


