Re: bind 9 goes rogue and revert zone information
I don't think I have this info:

# rndc status
version: 9.9.5-9+deb8u8-Debian (DNS server)
CPUs found: 24
worker threads: 24
UDP listeners per interface: 24
number of zones: 111
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

Note that I did restart the named daemon. That's how I get the zone information up again.

-rsd

On 07/02/2017 22:42, Carl Byington wrote:
> On Tue, 2017-02-07 at 22:15 -0200, Raul Dias wrote:
> > I am pretty sure it is not restarting.
>
> What does 'rndc status' show for boot time and last configured time after the zone has reverted to previous contents?

--
Att. Raul Dias

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: bind 9 goes rogue and revert zone information
On Tue, 2017-02-07 at 22:15 -0200, Raul Dias wrote:
> I am pretty sure it is not restarting.

What does 'rndc status' show for boot time and last configured time after the zone has reverted to previous contents?
Re: bind 9 goes rogue and revert zone information
On 07/02/2017 20:37, Reindl Harald wrote:
> try "chattr +i" on your zonefile so that it can't be touched, and with some luck the stuff trying to replace it will error out in cronmails or syslog

Good idea. Done!
Re: bind 9 goes rogue and revert zone information
plain lxc:

lxc-start -n dns -d

I am pretty sure it is not restarting. e.g. an open shell session would be destroyed on a restart (lxc-attach)

The filesystem is not versionable to have access to the previous old zone file.

-rsd

On 07/02/2017 19:43, Warren Kumari wrote:
> This really sounds like the zone file is *in* the container itself, and that the container is restarting.
>
> You said that this is running under LXC -- is this actually a Docker container? How are you starting the container?
>
> W
>
> On Tue, Feb 7, 2017 at 11:35 AM, Raul Dias wrote:
> > I know.
> >
> > So far, the only files changed are the ones I changed myself, like bind config files and vimrc.
> >
> > No hidden toolkit found too.
> >
> > I still think that it is easier to be a misconfiguration done by myself.
> >
> > Still looking for better indications that this could be the case.
> >
> > On 07/02/2017 12:42, Alberto Colosi wrote:
> > > IP ports not being open does not mean it is not hacked.
> > >
> > > a vulnerability can be used to make a change or an access
> > >
> > > try to change and audit file access and permissions; firewall log analysis can give a plus to find a solution (check all IP traffic out from TCP/UDP 53)
> > >
> > > If you have RNDC, change the KEY or disable it

--
Att. Raul Dias
Re: bind 9 goes rogue and revert zone information
On 07.02.2017 at 23:52, Alberto Colosi wrote:
> The truth is to solve it, not to ask what a hacker (maybe a child who ran a tool found on the internet, such as virus toolkits) did.

the truth is to *find out* what happens, and since it's more likely that some forgotten piece of cronscript lives somewhere than that a hacker did it, a triggered cronmail would call that script if it spits out something on stderr

that "chattr +i" for now stops anything, including root, from touching that file until "chattr -i" is issued is just a side-effect

> To quote me is not a solution to the issue. Good your last line only on your last mail

not sure to whom you are talking because the quoting of your last mail was completely weird

> > yeah, but why should they be so dumb and set your DNS zone to the values from 24 hours before, so that you notice the issue? And the much better question: where do they have the exact data of your own zone from 24 hours before?
> >
> > try "chattr +i" on your zonefile so that it can't be touched, and with some luck the stuff trying to replace it will error out in cronmails or syslog
Re: bind 9 goes rogue and revert zone information
The truth is to solve it, not to ask what a hacker (maybe a child who ran a tool found on the internet, such as virus toolkits) did.

To quote me is not a solution to the issue.

Good your last line only on your last mail.

- Reply message -
From: "Reindl Harald"
To: "bind-users@lists.isc.org"
Subject: bind 9 goes rogue and revert zone information
Date: Tue, Feb 7, 2017 23:38

On 07.02.2017 at 23:31, Alberto Colosi wrote:
> lucky you say
>
> zombie hosts and hijacked resources, poisoned DNS are not a hack
>
> In years as Security Desk Seat I had at least one attack from zombie hosts from a US University. The admins didn't even know it was hacked.
>
> Target of hackers is not only credit cards or other so valuable things. Even only a zombie host is a valuable item for them.

yeah, but why should they be so dumb and set your DNS zone to the values from 24 hours before, so that you notice the issue? And the much better question: where do they have the exact data of your own zone from 24 hours before?

try "chattr +i" on your zonefile so that it can't be touched, and with some luck the stuff trying to replace it will error out in cronmails or syslog

> From: bind-users on behalf of Alan Clegg
> Sent: Tuesday, February 7, 2017 10:48 PM
> To: bind-users@lists.isc.org
> Subject: Re: bind 9 goes rogue and revert zone information
>
> On 2/7/17 8:42 AM, Alberto Colosi wrote:
> > IP ports not being open does not mean it is not hacked.
> >
> > a vulnerability can be used to make a change or an access
>
> Occam's razor... if you were a hacker and broke into someone's DNS server, would the thing that you focus on be resetting the data every 24 hours?
>
> This isn't a hack, this is a screwed up backup/restore or virtualization configuration.
>
> Don't waste time chasing ghosts.
Re: bind 9 goes rogue and revert zone information
On 2/7/17 4:31 PM, Alberto Colosi wrote:
> lucky you say
>
> zombie hosts and hijacked resources, poisoned DNS are not a hack
>
> In years as Security Desk Seat I had at least one attack from zombie hosts from a US University. The admins didn't even know it was hacked.
>
> Target of hackers is not only credit cards or other so valuable things. Even only a zombie host is a valuable item for them.

I didn't say that there weren't people around messing with DNS. What I said was this e-mail does not have anything to do with such an event.

Don't chase ghosts.
Re: bind 9 goes rogue and revert zone information
lucky you say

zombie hosts and hijacked resources, poisoned DNS are not a hack

In years as Security Desk Seat I had at least one attack from zombie hosts from a US University. The admins didn't even know it was hacked.

Target of hackers is not only credit cards or other so valuable things. Even only a zombie host is a valuable item for them.

From: bind-users on behalf of Alan Clegg
Sent: Tuesday, February 7, 2017 10:48 PM
To: bind-users@lists.isc.org
Subject: Re: bind 9 goes rogue and revert zone information

On 2/7/17 8:42 AM, Alberto Colosi wrote:
> IP ports not being open does not mean it is not hacked.
>
> a vulnerability can be used to make a change or an access

Occam's razor... if you were a hacker and broke into someone's DNS server, would the thing that you focus on be resetting the data every 24 hours?

This isn't a hack, this is a screwed up backup/restore or virtualization configuration.

Don't waste time chasing ghosts.
Re: bind 9 goes rogue and revert zone information
On 07.02.2017 at 23:31, Alberto Colosi wrote:
> lucky you say
>
> zombie hosts and hijacked resources, poisoned DNS are not a hack
>
> In years as Security Desk Seat I had at least one attack from zombie hosts from a US University. The admins didn't even know it was hacked.
>
> Target of hackers is not only credit cards or other so valuable things. Even only a zombie host is a valuable item for them.

yeah, but why should they be so dumb and set your DNS zone to the values from 24 hours before, so that you notice the issue? And the much better question: where do they have the exact data of your own zone from 24 hours before?

try "chattr +i" on your zonefile so that it can't be touched, and with some luck the stuff trying to replace it will error out in cronmails or syslog

> From: bind-users on behalf of Alan Clegg
> Sent: Tuesday, February 7, 2017 10:48 PM
> To: bind-users@lists.isc.org
> Subject: Re: bind 9 goes rogue and revert zone information
>
> On 2/7/17 8:42 AM, Alberto Colosi wrote:
> > IP ports not being open does not mean it is not hacked.
> >
> > a vulnerability can be used to make a change or an access
>
> Occam's razor... if you were a hacker and broke into someone's DNS server, would the thing that you focus on be resetting the data every 24 hours?
>
> This isn't a hack, this is a screwed up backup/restore or virtualization configuration.
>
> Don't waste time chasing ghosts
Re: bind 9 goes rogue and revert zone information
On 2/7/17 8:42 AM, Alberto Colosi wrote:
> IP ports not being open does not mean it is not hacked.
>
> a vulnerability can be used to make a change or an access

Occam's razor... if you were a hacker and broke into someone's DNS server, would the thing that you focus on be resetting the data every 24 hours?

This isn't a hack, this is a screwed up backup/restore or virtualization configuration.

Don't waste time chasing ghosts.
Re: bind 9 goes rogue and revert zone information
This really sounds like the zone file is *in* the container itself, and that the container is restarting.

You said that this is running under LXC -- is this actually a Docker container? How are you starting the container?

W

On Tue, Feb 7, 2017 at 11:35 AM, Raul Dias wrote:
> I know.
>
> So far, the only files changed are the ones I changed myself, like bind config files and vimrc.
>
> No hidden toolkit found too.
>
> I still think that it is easier to be a misconfiguration done by myself.
>
> Still looking for better indications that this could be the case.
>
> On 07/02/2017 12:42, Alberto Colosi wrote:
> > IP ports not being open does not mean it is not hacked.
> >
> > a vulnerability can be used to make a change or an access
> >
> > try to change and audit file access and permissions; firewall log analysis can give a plus to find a solution (check all IP traffic out from TCP/UDP 53)
> >
> > If you have RNDC, change the KEY or disable it
> >
> > From: Raul Dias
> > Sent: Tuesday, February 7, 2017 3:34 PM
> > To: Alberto Colosi; bind-users@lists.isc.org
> > Subject: Re: bind 9 goes rogue and revert zone information
> >
> > Sorry,
> > Static files.
> > It is the master server.
> > No dynamic updates.
> > Host under lxc with only bind ports open.

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
Re: bind 9 goes rogue and revert zone information
In article , Raul Dias wrote:
> I have a very strange behavior that I am failing to understand.
>
> 2 to 5 times a week, a named server reverts back to a previous version of a master zone.
> This happens during the night, usually around 20h EST.
>
> This zone has a serial of 3017020401 (yes, I typo'd the 3 somewhere in the past).
> When it reverts its zone information, it goes back to 3016060101.

It sounds to me like there's a cron job restoring the zone from a backup.

--
Barry Margolin
Arlington, MA
Re: bind 9 goes rogue and revert zone information
I know.

So far, the only files changed are the ones I changed myself, like bind config files and vimrc.

No hidden toolkit found too.

I still think that it is easier to be a misconfiguration done by myself.

Still looking for better indications that this could be the case.

On 07/02/2017 12:42, Alberto Colosi wrote:
> IP ports not being open does not mean it is not hacked.
>
> a vulnerability can be used to make a change or an access
>
> try to change and audit file access and permissions; firewall log analysis can give a plus to find a solution (check all IP traffic out from TCP/UDP 53)
>
> If you have RNDC, change the KEY or disable it
>
> From: Raul Dias
> Sent: Tuesday, February 7, 2017 3:34 PM
> To: Alberto Colosi; bind-users@lists.isc.org
> Subject: Re: bind 9 goes rogue and revert zone information
>
> Sorry,
> Static files.
> It is the master server.
> No dynamic updates.
> Host under lxc with only bind ports open.
>
> On Tue, Feb 7, 2017, 12:27 Alberto Colosi wrote:
> > hi, the named structure is unclear: is it a slave or a master, are dynamic updates enabled, and has the unix box been hacked?
> >
> > as last, are the zones static files on the fs?

--
Att. Raul Dias
Re: bind 9 goes rogue and revert zone information
Hi Mukund,

On 07/02/2017 12:42, Mukund Sivaraman wrote:
> Hi Raul
>
> When you say "When it reverts its zone information", how are you observing it? Are you reading the master file from disk to check what's in it, or are you doing a dig for the SOA record to check the serial? By this, I'm asking if your master file is in sync with the journal if you're reading it directly (rndc sync).

with dig. the zone files are kept in the 30170401 format.
the slave dns servers do not update to the 3016060101 as it is older than the latter.

I was not aware of rndc sync. Which is fine right now. But I will see what happens next time it drifts.

This is a newbie question. Why is there a journal file for a static master zone?

> After the zone has a serial of 3017020401, is it updated in any way? Do you run any rndc commands against the nameserver during this time?

Nope.

> Is the serial value 3016060101 of any significance? You say it "reverts back to a previous version". Was 3016060101 a previously observed serial? What happens to the contents of the zone? Are the contents the same, or do they appear to have older data?

3016* was the last zone update until this year. So, the content stayed the same for at least 6 months.
The major changes were a few A and CNAME records, which get reverted to the previous values (301606*) when the problem occurs. Older ns data gets propagated to the Internet.

> When you clean journal files, have they been sync'd into the master file?

I don't think so. As I said earlier, I am not aware of the usefulness of it in this scenario.
What I did was to stop the server, remove them and start the daemon back. Everything was fine after this for a few days.

> You mention again "get the old information".. does it mean that you noticed that the zone contains old data? How are you checking the contents? Directly by reading the master file or via query?

Query. The files are always right (3017* data).

> Can you send the output of named-checkconf -px for your named config?
>
> If you want details to be private, you can create a bug ticket by mailing it to .
>
> Mukund

Thanks. Sent over to bind9-bugs.

-rsd
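The check Mukund is asking for above (is the serial named serves the one in the master file, or is the journal or something else ahead/behind it?), worked through offline as an added example. This is not code from the thread or from ISC; it uses RFC 1982 serial arithmetic, which is what a secondary applies when deciding whether to transfer, and it also shows why the poster's typo'd 3017... serial cannot simply be edited back to 2017... (a generalisation beyond what the thread discusses). The zone text, the `dig +short` line and the poll log are constructed inputs; example.net and the hostnames in them are placeholders, not the poster's zone.

```python
"""Added example, not code from the thread or from ISC: compare the SOA
serial named is serving with the serial in the primary's zone file using
RFC 1982 serial arithmetic, flag a reversion like the one described above,
and show why a typo'd serial cannot simply be edited back down.

ZONE_FILE, DIG_SHORT and POLLS are constructed inputs; example.net and the
hostnames in them are placeholders, not the poster's real zone.
"""

SERIAL_MOD = 1 << 32   # SOA serials are 32-bit unsigned
HALF = 1 << 31         # RFC 1982 comparison window


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is 'newer than' b under RFC 1982 arithmetic:
    a > b iff 0 < (a - b) mod 2^32 < 2^31. Two serials exactly 2^31 apart
    have no defined order, so this returns False in both directions."""
    d = (a - b) % SERIAL_MOD
    return 0 < d < HALF


def soa_serial_from_zonefile(text: str) -> int:
    """Serial from master-file text; handles the multi-line parenthesised
    SOA form and ';' comments. Token order after SOA is MNAME RNAME SERIAL."""
    stripped = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = stripped.replace("(", " ").replace(")", " ").split()
    return int(tokens[tokens.index("SOA") + 3])


def soa_serial_from_dig_short(text: str) -> int:
    """Serial from `dig +short SOA <zone> @server` output, whose fields are
    'mname rname serial refresh retry expire minimum'."""
    return int(text.split()[2])


def diagnose(file_serial: int, served_serial: int) -> str:
    """Classify a query-vs-file serial mismatch on a primary."""
    if file_serial == served_serial:
        return "in_sync"
    if serial_gt(file_serial, served_serial):
        # named answers from data older than the on-disk file: it loaded
        # something other than the current file (a restored copy, a different
        # path, a restarted image) and has not reloaded since.
        return "served_behind_file"
    if serial_gt(served_serial, file_serial):
        # journal not yet written back; `rndc sync` before trusting the file
        return "served_ahead_of_file"
    return "undefined"  # exactly 2^31 apart


def secondary_will_transfer(primary_serial: int, secondary_serial: int) -> bool:
    """A secondary only pulls a new copy when the primary's serial is newer,
    which is why secondaries holding 3017... ignore a primary back at 3016...."""
    return serial_gt(primary_serial, secondary_serial)


def find_regressions(polls):
    """Given [(when, serial), ...] from periodic SOA polls, return the polls
    where the serial went backwards, as (when, previous, current)."""
    out = []
    for (_, prev), (when, cur) in zip(polls, polls[1:]):
        if cur != prev and not serial_gt(cur, prev):
            out.append((when, prev, cur))
    return out


def serial_rollback_steps(current: int, target: int):
    """Serials to publish, in order, to move a primary to a 'smaller' target
    (e.g. undo a 3017... typo back to 2017...) so that every step is seen as
    newer by secondaries: add 2^31-1 at most twice, then set the target.
    Assumes each step is loaded and transferred before the next."""
    steps, cur = [], current
    while cur != target and not serial_gt(target, cur):
        cur = (cur + HALF - 1) % SERIAL_MOD
        steps.append(cur)
    steps.append(target)
    return steps


# Constructed inputs mirroring the thread's serials (zone/hosts are placeholders).
ZONE_FILE = """\
$TTL 3600
@    IN  SOA ns1.example.net. hostmaster.example.net. (
         3017020401  ; serial (note the typo'd leading 3)
         3600        ; refresh
         900         ; retry
         604800      ; expire
         86400 )     ; minimum
     IN  NS  ns1.example.net.
www  IN  A   192.0.2.10
"""
DIG_SHORT = "ns1.example.net. hostmaster.example.net. 3016060101 3600 900 604800 86400"
POLLS = [("02-06 19:00", 3017020401), ("02-06 20:05", 3016060101),
         ("02-07 09:00", 3017020401)]


def report() -> dict:
    """Run the checks above on the constructed inputs."""
    f, s = soa_serial_from_zonefile(ZONE_FILE), soa_serial_from_dig_short(DIG_SHORT)
    return {
        "file": f,
        "served": s,
        "state": diagnose(f, s),
        "secondaries_pull_reverted_zone": secondary_will_transfer(s, f),
        "regressions": find_regressions(POLLS),
        "undo_typo": serial_rollback_steps(f, 2017020401),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

On a live primary the two inputs come from reading the master file after `rndc sync` and from `dig +short SOA <zone> @127.0.0.1`; polling the served serial every few minutes and feeding the results to find_regressions pins down the time of the reversion, which is the detail the thread needs to match against cron, backup or container restart schedules.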
Re: bind 9 goes rogue and revert zone information
Hi Raul

On Tue, Feb 07, 2017 at 12:03:40PM -0200, Raul Dias wrote:
> Hello,
>
> I have a very strange behavior that I am failing to understand.
>
> 2 to 5 times a week, a named server reverts back to a previous version of a master zone.
> This happens during the night, usually around 20h EST.
>
> This zone has a serial of 3017020401 (yes, I typo'd the 3 somewhere in the past).
> When it reverts its zone information, it goes back to 3016060101.
>
> I have updated, restarted the host, cleaned all cache and journal files, grepped all files in the host for 3016060101 (it just shows up in the logs).
>
> So, I have no clue why, or how it is happening. Where does it get the old information?
>
> I thought first about the serial, but it would have happened in the past too, right? As it should be a 32bit unsigned integer, it shouldn't be a problem, IMHO.
>
> Yet, when "dig domain -t SOA @server", it is there again.
>
> The host is a debian Jessie and bind is 9.9.5, 1:9.9.5.dfsg-9+deb8u8 more specifically.

When you say "When it reverts its zone information", how are you observing it? Are you reading the master file from disk to check what's in it, or are you doing a dig for the SOA record to check the serial? By this, I'm asking if your master file is in sync with the journal if you're reading it directly (rndc sync).

After the zone has a serial of 3017020401, is it updated in any way? Do you run any rndc commands against the nameserver during this time?

Is the serial value 3016060101 of any significance? You say it "reverts back to a previous version". Was 3016060101 a previously observed serial? What happens to the contents of the zone? Are the contents the same, or do they appear to have older data?

When you clean journal files, have they been sync'd into the master file?

You mention again "get the old information".. does it mean that you noticed that the zone contains old data? How are you checking the contents? Directly by reading the master file or via query?

Can you send the output of named-checkconf -px for your named config?

If you want details to be private, you can create a bug ticket by mailing it to .

Mukund
Re: bind 9 goes rogue and revert zone information
On Tue, Feb 7, 2017 at 9:34 AM, Raul Dias wrote:
> Sorry,
> Static files.
> It is the master server.
> No dynamic updates.
> Host under lxc with only bind ports open.

If it is the master, and there are no automatic updates, I strongly suspect:

1: there is a cron job (or similar) which rewrites the old zone file -- some busticated automation

or, more likely

2: you said that this is a "host under lxc" -- this sounds VERY much like it is in a container, and the container is restarting every N (sometime around 20h Eastern!) -- the zonefile in the container, and not in an external volume / persistent disk...

W

> On Tue, Feb 7, 2017, 12:27 Alberto Colosi wrote:
> > hi, the named structure is unclear: is it a slave or a master, are dynamic updates enabled, and has the unix box been hacked?
> >
> > as last, are the zones static files on the fs?

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
Re: bind 9 goes rogue and revert zone information
IP ports not being open does not mean it is not hacked.

a vulnerability can be used to make a change or an access

try to change and audit file access and permissions; firewall log analysis can give a plus to find a solution (check all IP traffic out from TCP/UDP 53)

If you have RNDC, change the KEY or disable it

From: Raul Dias
Sent: Tuesday, February 7, 2017 3:34 PM
To: Alberto Colosi; bind-users@lists.isc.org
Subject: Re: bind 9 goes rogue and revert zone information

Sorry,
Static files.
It is the master server.
No dynamic updates.
Host under lxc with only bind ports open.

On Tue, Feb 7, 2017, 12:27 Alberto Colosi wrote:
> hi, the named structure is unclear: is it a slave or a master, are dynamic updates enabled, and has the unix box been hacked?
>
> as last, are the zones static files on the fs?
Re: bind 9 goes rogue and revert zone information
Sorry, static files. It is the master server. No dynamic updates. Host under lxc with only bind ports open.

On Tue, Feb 7, 2017, 12:27 Alberto Colosi wrote:

> hi, is unclear named structure: if is a slave, a master, if dynamic updates are enabled and if the unix box has been hacked.
>
> As last, zones are static files on fs?
>
> From: bind-users on behalf of Raul Dias
> Sent: Tuesday, February 7, 2017 3:03 PM
> To: bind-users@lists.isc.org
> Subject: bind 9 goes rogue and revert zone information
>
> > Hello,
> >
> > I have a very strange behavior that I am failing to understand.
> >
> > 2 to 5 times a week, a named server reverts back to a previous version of a master zone. This happens during the night, usually around 20h EST.
> >
> > This zone has a serial of 3017020401 (yes, I typoed the 3 somewhere in the past). When it reverts its zone information, it goes back to 3016060101.
> >
> > I have updated, restarted the host, cleaned all cache and journal files, grepped all files in the host for 3016060101 (it just shows up in the logs).
> >
> > So, I have no clue why, or how it is happening. Where does it get the old information?
> >
> > I thought first about the serial, but it would have happened in the past too, right? As it should be a 32bit unsigned integer, it shouldn't be a problem, IMHO.
> >
> > Yet, when "dig domain -t SOA @server", it is there again.
> >
> > The host is a debian Jessie and bind is 9.9.5, 1:9.9.5.dfsg-9+deb8u8 more specifically.
> >
> > Thanks for any direction.
> > -rsd
Re: bind 9 goes rogue and revert zone information
hi, is unclear named structure: if is a slave, a master, if dynamic updates are enabled and if the unix box has been hacked.

As last, zones are static files on fs?

From: bind-users on behalf of Raul Dias
Sent: Tuesday, February 7, 2017 3:03 PM
To: bind-users@lists.isc.org
Subject: bind 9 goes rogue and revert zone information

> Hello,
>
> I have a very strange behavior that I am failing to understand.
>
> 2 to 5 times a week, a named server reverts back to a previous version of a master zone. This happens during the night, usually around 20h EST.
>
> This zone has a serial of 3017020401 (yes, I typoed the 3 somewhere in the past). When it reverts its zone information, it goes back to 3016060101.
>
> I have updated, restarted the host, cleaned all cache and journal files, grepped all files in the host for 3016060101 (it just shows up in the logs).
>
> So, I have no clue why, or how it is happening. Where does it get the old information?
>
> I thought first about the serial, but it would have happened in the past too, right? As it should be a 32bit unsigned integer, it shouldn't be a problem, IMHO.
>
> Yet, when "dig domain -t SOA @server", it is there again.
>
> The host is a debian Jessie and bind is 9.9.5, 1:9.9.5.dfsg-9+deb8u8 more specifically.
>
> Thanks for any direction.
> -rsd
bind 9 goes rogue and revert zone information
Hello,

I have a very strange behavior that I am failing to understand.

2 to 5 times a week, a named server reverts back to a previous version of a master zone. This happens during the night, usually around 20h EST.

This zone has a serial of 3017020401 (yes, I typoed the 3 somewhere in the past). When it reverts its zone information, it goes back to 3016060101.

I have updated, restarted the host, cleaned all cache and journal files, grepped all files in the host for 3016060101 (it just shows up in the logs).

So, I have no clue why, or how it is happening. Where does it get the old information?

I thought first about the serial, but it would have happened in the past too, right? As it should be a 32bit unsigned integer, it shouldn't be a problem, IMHO.

Yet, when "dig domain -t SOA @server", it is there again.

The host is a debian Jessie and bind is 9.9.5, 1:9.9.5.dfsg-9+deb8u8 more specifically.

Thanks for any direction.
-rsd
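As an added check that is not part of the thread: the RFC 1982 serial arithmetic the poster reasons about (both 3017020401 and 3016060101 fit in an unsigned 32-bit serial, and the first compares as newer), plus a small detector that flags a serial going backwards in periodically logged `dig +short SOA` answers, which is how a revert like the one described would be caught. The zone hostnames, timestamps and log lines are constructed for illustration.

```python
"""Added example: RFC 1982 SOA serial comparison and a serial-regression check.
The SAMPLE_LOG entries are constructed; they model the serials named in the thread."""

MOD = 2 ** 32   # SOA serials are unsigned 32-bit
HALF = 2 ** 31  # RFC 1982: a is newer than b if it is less than 2^31 "ahead" (mod 2^32)


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b under RFC 1982 serial arithmetic.
    Handles wraparound: serial_gt(5, 4294967295) is True."""
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def parse_soa_serial(short_answer: str) -> int:
    """Serial field of a 'dig +short <zone> SOA' answer line, e.g.
    'ns1.example. hostmaster.example. 3017020401 3600 900 604800 86400'."""
    fields = short_answer.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected SOA answer: {short_answer!r}")
    return int(fields[2])


def find_regressions(observations):
    """observations: iterable of (timestamp, soa_answer) in time order.
    Returns [(timestamp, previous_serial, regressed_serial)] for each step
    where the served serial went backwards, i.e. the zone reverted."""
    regressions = []
    prev = None
    for ts, answer in observations:
        serial = parse_soa_serial(answer)
        if prev is not None and serial_gt(prev, serial):
            regressions.append((ts, prev, serial))
        prev = serial
    return regressions


# Constructed sample: hourly SOA polls around the evening revert the poster describes.
SAMPLE_LOG = [
    ("2017-02-06T19:00", "ns1.example. hostmaster.example. 3017020401 3600 900 604800 86400"),
    ("2017-02-06T20:00", "ns1.example. hostmaster.example. 3017020401 3600 900 604800 86400"),
    ("2017-02-06T21:00", "ns1.example. hostmaster.example. 3016060101 3600 900 604800 86400"),
    ("2017-02-07T09:00", "ns1.example. hostmaster.example. 3017020401 3600 900 604800 86400"),
]

if __name__ == "__main__":
    for ts, old, new in find_regressions(SAMPLE_LOG):
        print(f"{ts}: SOA serial went backwards {old} -> {new}")  # flags the 21:00 poll
```

A regression flagged this way on the master also explains why secondaries would not pick up the reverted copy: they only transfer when the master's serial compares as newer.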