BIND does not resolve external domains

Discussion in 'Server Operation' started by Kneeczar, Dec 18, 2014.

  1. Kneeczar

    Kneeczar New Member

    Hello,

    I have a very strange problem. The server just doesn't want to resolve any external domain at all. BIND is working, it doesn't show any significant errors. I have a CentOS 5.11 64-bit (gradual updates & upgrades from 5.6 since 2011) with ISPConfig 2 installed. The server functions as a webhoster, so it has email, FTP & MySQL. No connectivity issues, websites and emails are all working (emails can be received but cannot be sent because names cannot be resolved). The only problem at the moment is BIND, since a few hours ago.

    So at the moment nothing I try seems to take effect. Below are results of the standard things that I should do. I added forwarders, which didn't help.

    Below are some outputs.
    badib.biz is a local domain, and dig & nslookup works, but gives error for external domains.

    [root@ns2 named]# dig @localhost badib.biz

    ; <<>> DiG 9.8.5-P2 <<>> @localhost badib.biz
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23517
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;badib.biz. IN A

    ;; ANSWER SECTION:
    badib.biz. 38400 IN A 103.11.134.58

    ;; AUTHORITY SECTION:
    badib.biz. 38400 IN NS ns1.swin.co.id.
    badib.biz. 38400 IN NS ns2.swin.co.id.
    badib.biz. 38400 IN NS ns2.badib.biz.

    ;; ADDITIONAL SECTION:
    ns2.badib.biz. 38400 IN A 103.11.134.58

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Thu Dec 18 12:18:53 WIB 2014
    ;; MSG SIZE rcvd: 123

    [root@ns2 named]# dig @103.11.134.58 badib.biz

    ; <<>> DiG 9.8.5-P2 <<>> @103.11.134.58 badib.biz
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19576
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;badib.biz. IN A

    ;; ANSWER SECTION:
    badib.biz. 38400 IN A 103.11.134.58

    ;; AUTHORITY SECTION:
    badib.biz. 38400 IN NS ns1.swin.co.id.
    badib.biz. 38400 IN NS ns2.badib.biz.
    badib.biz. 38400 IN NS ns2.swin.co.id.

    ;; ADDITIONAL SECTION:
    ns2.badib.biz. 38400 IN A 103.11.134.58

    ;; Query time: 0 msec
    ;; SERVER: 103.11.134.58#53(103.11.134.58)
    ;; WHEN: Thu Dec 18 12:19:42 WIB 2014
    ;; MSG SIZE rcvd: 123

    [root@ns2 named]# dig @103.11.134.58 whitehouse.gov

    ; <<>> DiG 9.8.5-P2 <<>> @103.11.134.58 whitehouse.gov
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43005
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;whitehouse.gov. IN A

    ;; Query time: 5000 msec
    ;; SERVER: 103.11.134.58#53(103.11.134.58)
    ;; WHEN: Thu Dec 18 12:20:55 WIB 2014
    ;; MSG SIZE rcvd: 32

    [root@ns2 named]# nslookup google.com
    ;; Got SERVFAIL reply from 127.0.0.1, trying next server
    ;; connection timed out; no servers could be reached


    Below are the netstat queries:

    [root@ns2 named]# netstat -tap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 *:imaps *:* LISTEN 2685/dovecot
    tcp 0 0 *:pop3s *:* LISTEN 2685/dovecot
    tcp 0 0 *:ldp *:* LISTEN 2160/rpc.statd
    tcp 0 0 *:pop3 *:* LISTEN 2685/dovecot
    tcp 0 0 *:imap *:* LISTEN 2685/dovecot
    tcp 0 0 *:sunrpc *:* LISTEN 2117/portmap
    tcp 0 0 *:ndmp *:* LISTEN 10381/perl
    tcp 0 0 *:http *:* LISTEN 2748/httpd
    tcp 0 0 *:hosts2-ns *:* LISTEN 9770/ispconfig_http
    tcp 0 0 ns2.badib.biz:domain *:* LISTEN 27718/named
    tcp 0 0 localhost.localdomai:domain *:* LISTEN 27718/named
    tcp 0 0 *:ftp *:* LISTEN 2699/proftpd
    tcp 0 0 *:ssh *:* LISTEN 2634/sshd
    tcp 0 0 localhost.localdomain:rndc *:* LISTEN 27718/named
    tcp 0 0 *:https *:* LISTEN 2748/httpd

    [root@ns2 named]# netstat -uap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    udp 0 0 *:entrust-sps *:* 2160/rpc.statd
    udp 0 0 *:sanity *:* 2160/rpc.statd
    udp 0 0 ns2.badib.biz:6276 *:* 2517/dccd
    udp 0 0 localhost.localdomain:6276 *:* 2517/dccd
    udp 0 0 *:ndmp *:* 10381/perl
    udp 0 0 ns2.badib.biz:56465 103.11.135.2:domain ESTABLISHED 27718/named
    udp 0 0 ns2.badib.biz:13596 103.11.135.2:domain ESTABLISHED 27718/named
    udp 0 0 ns2.badib.biz:startron 103.11.134.2:domain ESTABLISHED -
    udp 376 0 ns2.badib.biz:59302 ns2.badib.biz:domain ESTABLISHED -
    udp 0 0 ns2.badib.biz:58281 103.11.135.2:domain ESTABLISHED -
    udp 0 0 ns2.badib.biz:50477 103.11.134.2:domain ESTABLISHED -
    udp 0 0 ns2.badib.biz:58804 103.11.135.2:domain ESTABLISHED -
    udp 0 0 ns2.badib.biz:domain *:* 27718/named
    udp 0 0 localhost.localdomain:domain *:* 27718/named
    udp 0 0 ns2.badib.biz:10332 103.11.134.2:domain ESTABLISHED -


    This is the named.conf (I excluded the local domains below).

    /var/named/chroot/etc/named.conf

    /*logging {
    * channel default_debug {
    * file "data/named.logs";
    * severity dynamic;
    * };
    };*/


    options {
    empty-zones-enable no;
    pid-file "/var/named/chroot/var/run/named/named.pid";
    directory "/var/named/chroot/var/named";
    auth-nxdomain yes;
    recursion yes;
    allow-query { any; };
    version "KneecZar";
    /*
    * If there is a firewall between you and nameservers you want
    * to talk to, you might need to uncomment the query-source
    * directive below. Previous versions of BIND always asked
    * questions using port 53, but BIND 8.1 uses an unprivileged
    * port by default.
    */
    listen-on port 53 { any; };
    forward first;
    forwarders {
    103.11.135.2;
    103.11.134.2;
    8.8.8.8;
    8.8.4.4;
    };


    dnssec-enable no;
    dnssec-validation no;
    };

    //
    // a caching only nameserver config
    //
    zone "." {
    type hint;
    file "named.root";
    };

    zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
    };

    Below are the log entries. There would be occasional out-of-zone errors but all was working.

    Dec 18 11:50:42 ns2 snmpd[2615]: Received TERM or STOP signal... shutting down...
    Dec 18 11:58:39 ns2 named[7180]: received control channel command 'stop'
    Dec 18 11:58:39 ns2 named[7180]: shutting down: flushing changes
    Dec 18 11:58:39 ns2 named[7180]: stopping command channel on 127.0.0.1#953
    Dec 18 11:58:39 ns2 named[7180]: no longer listening on 127.0.0.1#53
    Dec 18 11:58:39 ns2 named[7180]: no longer listening on 103.11.134.58#53
    Dec 18 11:58:39 ns2 named[7180]: exiting
    Dec 18 11:58:41 ns2 named[27718]: starting BIND 9.8.5-P2 -u named -4 -t /var/named/chroot
    Dec 18 11:58:41 ns2 named[27718]: built with '--bindir=/usr/bin' '--sbindir=/usr/sbin' '-sysconfdir=/var/named/chroot/etc' '--disable-openssl-version-check'
    Dec 18 11:58:41 ns2 named[27718]: ----------------------------------------------------
    Dec 18 11:58:41 ns2 named[27718]: BIND 9 is maintained by Internet Systems Consortium,
    Dec 18 11:58:41 ns2 named[27718]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
    Dec 18 11:58:41 ns2 named[27718]: corporation. Support and training for BIND 9 are
    Dec 18 11:58:41 ns2 named[27718]: available at https://www.isc.org/support
    Dec 18 11:58:41 ns2 named[27718]: ----------------------------------------------------
    Dec 18 11:58:41 ns2 named[27718]: using up to 4096 sockets
    Dec 18 11:58:41 ns2 named[27718]: loading configuration from '/var/named/chroot/etc/named.conf'
    Dec 18 11:58:41 ns2 named[27718]: reading built-in trusted keys from file '/var/named/chroot/etc/bind.keys'
    Dec 18 11:58:41 ns2 named[27718]: using default UDP/IPv4 port range: [1024, 65535]
    Dec 18 11:58:41 ns2 named[27718]: using default UDP/IPv6 port range: [1024, 65535]
    Dec 18 11:58:41 ns2 named[27718]: no IPv6 interfaces found
    Dec 18 11:58:41 ns2 named[27718]: listening on IPv4 interface lo, 127.0.0.1#53
    Dec 18 11:58:41 ns2 named[27718]: listening on IPv4 interface eth0, 103.11.134.58#53
    Dec 18 11:58:41 ns2 named[27718]: generating session key for dynamic DNS
    Dec 18 11:58:41 ns2 named[27718]: sizing zone task pool based on 15 zones
    Dec 18 11:58:41 ns2 named[27718]: set up managed keys zone for view _default, file 'managed-keys.bind'
    Dec 18 11:58:41 ns2 named[27718]: command channel listening on 127.0.0.1#953
    Dec 18 11:58:41 ns2 named[27718]: the working directory is not writable
    Dec 18 11:58:41 ns2 named[27718]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
    Dec 18 11:58:41 ns2 named[27718]: pri.badib.biz:33: ignoring out-of-zone data (ns2.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: pri.badib.biz:34: ignoring out-of-zone data (ns1.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: zone badib.biz/IN: 'badib.biz' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    Dec 18 11:58:41 ns2 named[27718]: zone badib.biz/IN: loaded serial 2013051200
    Dec 18 11:58:41 ns2 named[27718]: pri.kopnet.biz:27: ignoring out-of-zone data (ns2.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: pri.kopnet.biz:30: ignoring out-of-zone data (ns2.badib.biz)
    Dec 18 11:58:41 ns2 named[27718]: zone kopnet.biz/IN: 'kopnet.biz' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    Dec 18 11:58:41 ns2 named[27718]: zone kopnet.biz/IN: loaded serial 2014042300
    Dec 18 11:58:41 ns2 named[27718]: pri.badibs.com:25: ignoring out-of-zone data (ns2.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: zone badibs.com/IN: 'badibs.com' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    Dec 18 11:58:41 ns2 named[27718]: zone badibs.com/IN: loaded serial 2012070301
    Dec 18 11:58:41 ns2 named[27718]: pri.bhaita.com:25: ignoring out-of-zone data (ns2.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: pri.bhaita.com:28: ignoring out-of-zone data (ns2.badib.biz)
    Dec 18 11:58:41 ns2 named[27718]: zone bhaita.com/IN: 'bhaita.com' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    Dec 18 11:58:41 ns2 named[27718]: zone bhaita.com/IN: loaded serial 2014062100
    Dec 18 11:58:41 ns2 named[27718]: pri.hakushiki.com:26: ignoring out-of-zone data (ns2.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: pri.hakushiki.com:29: ignoring out-of-zone data (ns2.badib.biz)
    Dec 18 11:58:41 ns2 named[27718]: zone hakushiki.com/IN: 'hakushiki.com' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    Dec 18 11:58:41 ns2 named[27718]: zone hakushiki.com/IN: loaded serial 2012021603
    Dec 18 11:58:41 ns2 named[27718]: pri.intisamudra.com:25: ignoring out-of-zone data (ns2.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: pri.intisamudra.com:28: ignoring out-of-zone data (ns2.badib.biz)
    Dec 18 11:58:41 ns2 named[27718]: zone intisamudra.com/IN: 'intisamudra.com' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    Dec 18 11:58:41 ns2 named[27718]: zone intisamudra.com/IN: loaded serial 2012011906
    Dec 18 11:58:41 ns2 named[27718]: pri.polofelix.com:25: ignoring out-of-zone data (ns2.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: pri.polofelix.com:28: ignoring out-of-zone data (ns2.badib.biz)
    Dec 18 11:58:41 ns2 named[27718]: zone polofelix.com/IN: 'polofelix.com' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    Dec 18 11:58:41 ns2 named[27718]: zone polofelix.com/IN: loaded serial 2012090700
    Dec 18 11:58:41 ns2 named[27718]: pri.kepulauanarukab.go.id:34: ignoring out-of-zone data (ns2.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: pri.kepulauanarukab.go.id:37: ignoring out-of-zone data (ns2.badib.biz)
    Dec 18 11:58:41 ns2 named[27718]: zone kepulauanarukab.go.id/IN: 'kepulauanarukab.go.id' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    Dec 18 11:58:41 ns2 named[27718]: zone kepulauanarukab.go.id/IN: loaded serial 2014072001
    Dec 18 11:58:41 ns2 named[27718]: pri.nab.web.id:26: ignoring out-of-zone data (ns2.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: pri.nab.web.id:29: ignoring out-of-zone data (ns2.badib.biz)
    Dec 18 11:58:41 ns2 named[27718]: zone nab.web.id/IN: 'nab.web.id' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    Dec 18 11:58:41 ns2 named[27718]: zone nab.web.id/IN: loaded serial 2012011913
    Dec 18 11:58:41 ns2 named[27718]: pri.badib.info:25: ignoring out-of-zone data (ns2.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: pri.badib.info:28: ignoring out-of-zone data (ns2.badib.biz)
    Dec 18 11:58:41 ns2 named[27718]: zone badib.info/IN: 'badib.info' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    Dec 18 11:58:41 ns2 named[27718]: zone badib.info/IN: loaded serial 2014061101
    Dec 18 11:58:41 ns2 named[27718]: pri.badib.net:28: ignoring out-of-zone data (ns2.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: pri.badib.net:31: ignoring out-of-zone data (ns2.badib.biz)
    Dec 18 11:58:41 ns2 named[27718]: zone badib.net/IN: 'badib.net' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    Dec 18 11:58:41 ns2 named[27718]: zone badib.net/IN: loaded serial 2014042300
    Dec 18 11:58:41 ns2 named[27718]: pri.badibs.net:25: ignoring out-of-zone data (ns2.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: pri.badibs.net:28: ignoring out-of-zone data (ns2.badib.biz)
    Dec 18 11:58:41 ns2 named[27718]: zone badibs.net/IN: 'badibs.net' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    Dec 18 11:58:41 ns2 named[27718]: zone badibs.net/IN: loaded serial 2012070302
    Dec 18 11:58:41 ns2 named[27718]: pri.badib.org:25: ignoring out-of-zone data (ns2.swin.co.id)
    Dec 18 11:58:41 ns2 named[27718]: pri.badib.org:28: ignoring out-of-zone data (ns2.badib.biz)
    Dec 18 11:58:41 ns2 named[27718]: pri.badib.org:29: ignoring out-of-zone data (ns1.badib.biz)
    Dec 18 11:58:41 ns2 named[27718]: zone badib.org/IN: 'badib.org' found SPF/TXT record but no SPF/SPF record found, add matching type SPF record
    Dec 18 11:58:41 ns2 named[27718]: zone badib.org/IN: loaded serial 2012070301
    Dec 18 11:58:41 ns2 named[27718]: managed-keys-zone ./IN: loaded serial 0
    Dec 18 11:58:41 ns2 named[27718]: running
    Dec 18 11:58:41 ns2 named[27718]: zone nab.web.id/IN: sending notifies (serial 2012011913)
    Dec 18 11:58:41 ns2 named[27718]: zone intisamudra.com/IN: sending notifies (serial 2012011906)
    Dec 18 11:58:41 ns2 named[27718]: zone badib.org/IN: sending notifies (serial 2012070301)
    Dec 18 11:58:41 ns2 named[27718]: zone badibs.net/IN: sending notifies (serial 2012070302)
    Dec 18 11:58:41 ns2 named[27718]: zone badib.net/IN: sending notifies (serial 2014042300)
    Dec 18 11:58:41 ns2 named[27718]: zone hakushiki.com/IN: sending notifies (serial 2012021603)
    Dec 18 11:58:41 ns2 named[27718]: zone badibs.com/IN: sending notifies (serial 2012070301)
    Dec 18 11:58:41 ns2 named[27718]: zone polofelix.com/IN: sending notifies (serial 2012090700)
    Dec 18 11:58:41 ns2 named[27718]: zone kepulauanarukab.go.id/IN: sending notifies (serial 2014072001)
    Dec 18 11:58:41 ns2 named[27718]: zone bhaita.com/IN: sending notifies (serial 2014062100)
    Dec 18 11:58:41 ns2 named[27718]: zone kopnet.biz/IN: sending notifies (serial 2014042300)
    Dec 18 11:58:41 ns2 named[27718]: zone badib.biz/IN: sending notifies (serial 2013051200)
    Dec 18 11:58:41 ns2 named[27718]: zone badib.info/IN: sending notifies (serial 2014061101)
    Dec 18 12:05:08 ns2 kernel: device eth0 left promiscuous mode
    Dec 18 12:05:11 ns2 smartd[9858]: Device: /dev/sda [SAT], 2 Currently unreadable (pending) sectors
    Dec 18 12:05:11 ns2 smartd[9858]: Device: /dev/sda [SAT], 2 Offline uncorrectable sectors
    Dec 18 12:07:47 ns2 named[27718]: client 103.11.135.2#29260: transfer of 'intisamudra.com/IN': IXFR ended
    Dec 18 12:08:29 ns2 named[27718]: client 103.11.135.2#25463: transfer of 'badib.biz/IN': IXFR ended
    Dec 18 12:18:51 ns2 named[27718]: client 103.11.135.2#36326: transfer of 'polofelix.com/IN': IXFR ended
    Dec 18 12:19:38 ns2 named[27718]: client 103.11.135.2#13056: transfer of 'badibs.com/IN': IXFR ended


    Disabling the firewall doesn't make a difference. SELinux is disabled. I have had this server running since 2012 without any problems until now.

    From an external Linux box:
    [root@ns2 named]# nc -vzu ns2.badib.biz 53
    Connection to ns2.badib.biz 53 port [udp/domain] succeeded!

    [root@ns2 named]# dig @103.11.134.58 google.com
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> @103.11.134.58 google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached


    So, any ideas? Thank you beforehand.

    Nizar A. Badib
     
  2. Kneeczar

    Kneeczar New Member

    Title misleading ... DNS issue

    My apologies for the misleading title.

    Stopping BIND and editing /etc/resolv.conf:

    [root@ns2 ~]# cat /etc/resolv.conf
    nameserver 37.235.1.174
    nameserver 103.11.134.2
    nameserver 103.11.135.2
    nameserver 103.11.134.58

    Still cannot resolve any domains, including the local ones.

    [root@ns2 ~]# dig @8.8.8.8 badib.biz

    ; <<>> DiG 9.8.5-P2 <<>> @8.8.8.8 badib.biz
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    I can ping any IP, so it's not a connectivity issue.

    [root@ns2 ~]# ping 202.171.1.2
    PING 202.171.1.2 (202.171.1.2) 56(84) bytes of data.
    64 bytes from 202.171.1.2: icmp_seq=1 ttl=61 time=0.873 ms
    64 bytes from 202.171.1.2: icmp_seq=2 ttl=61 time=1.11 ms

    --- 202.171.1.2 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1000ms
    rtt min/avg/max/mdev = 0.873/0.994/1.115/0.121 ms

    Anything else I should check?

    Thanks.
    Nizar A. Badib
     
  3. Ghostdare

    Ghostdare Member

  4. Kneeczar

    Kneeczar New Member

    Ghostdare, the rw issue I've had for a while but it wasn't urgent at the time because BIND still worked. I will read the post you suggest.

    And it seems my problem has been resolved. My upstream provider filtered UDP port 53 for an entire IP block due to DNS queries by bots spamming some other servers. Only the affected servers are still filtered; my server no longer is.

    A good time to try to solve the other issues though.

    Thank you Ghostdare for your reply.
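As an added example (not code from the thread, from ISPConfig or from BIND): a small Python audit of the options block posted in the first message, read in light of the UDP/53 filtering reported in the last reply. It strips the comments, parses the top-level options, and reports the three things a defender would want to be explicit about: an allow-recursion ACL, DNSSEC validation, and the forward-first dependency on outbound UDP/53. The config excerpt is constructed from the posted one and the option names are standard BIND 9 options.

```python
import re
# Constructed excerpt of the options block posted in this thread (one comment is
# kept so comment stripping is exercised); not read from any live server.
SAMPLE_NAMED_CONF = """
options {
    recursion yes;
    allow-query { any; };
    /* query-source advice, commented out as in the post */
    listen-on port 53 { any; };
    forward first;
    forwarders { 103.11.135.2; 103.11.134.2; 8.8.8.8; 8.8.4.4; };
    dnssec-validation no;
};
"""

def options_block(text):
    """Return the body of options { ... } with /* */, // and # comments removed."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    i, depth = text.index("{", text.index("options")), 0
    for j in range(i, len(text)):
        depth += {"{": 1, "}": -1}.get(text[j], 0)
        if depth == 0:
            return text[i + 1:j]
    raise ValueError("unbalanced braces in options block")

def parse_options(text):
    """Map each option to a string, or to a list for brace-enclosed values."""
    opts, stmt, depth = {}, "", 0
    for ch in options_block(text):
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch != ";" or depth:            # still inside a statement
            stmt += ch
            continue
        parts, stmt = stmt.split(None, 1), ""
        if parts:
            name, rest = parts[0], parts[1] if len(parts) > 1 else ""
            if "{" in rest:
                inner = rest[rest.index("{") + 1:rest.rindex("}")]
                opts[name] = [v.strip() for v in inner.split(";") if v.strip()]
            else:
                opts[name] = rest.strip().strip('"')
    return opts

def audit(opts):
    """Findings a defender would raise against the posted options block."""
    findings = []
    if (opts.get("recursion", "yes") == "yes" and "any" in opts.get("allow-query", [])
            and "allow-recursion" not in opts):
        findings.append("set allow-recursion { localhost; localnets; }; explicitly")
    if opts.get("dnssec-validation") == "no":
        findings.append("dnssec-validation no: recursive answers are not validated")
    if opts.get("forward") == "first" and opts.get("forwarders"):
        findings.append("forward first: forwarders then root hints, both need outbound UDP/53")
    return findings
```

BIND 9.4 and later already default allow-recursion to localnets/localhost when it is not set, so the first finding is about making the intent explicit rather than about a confirmed open resolver; the authoritative zones stay answerable through allow-query { any; }.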
     
