BIND9 stopped working.

Discussion in 'ISPConfig 3 Priority Support' started by S0ft, Dec 19, 2015.

  1. S0ft

    S0ft Member HowtoForge Supporter

    It is configured with this guide. https://www.howtoforge.com/perfect-server-debian-wheezy-nginx-bind-dovecot-ispconfig-3-p3

    Bind9 stopped working, but it is still active.


    On one of my servers, bind9 stopped working.
    5 days ago I installed the CSF firewall because a stranger has been doing a DDOS of 880K to my servers for 3 weeks now.
    The rest is still working well.

    I found these important points:
    vi /var/log/syslog
    Code:
    SV1 Dec 18 14:16:14 named [2309]: no longer listening on :: # 53
    SV1 Dec 18 14:16:14 named [2309]: no longer listening on 127.0.0.1 # 53
    SV1 Dec 18 14:16:14 named [2309]: no longer listening on 127.0.0.2 # 53
    SV1 Dec 18 14:16:14 named [2309]: no longer listening on 23.XX.1X.136 # 53
    
    ...
    
    Dec 18 14:17:29 sv1 postfix/qmgr[4786]: C1E3D162FDB: from=<[email protected]>, size=651, nrcpt=1 (queue active)
    Dec 18 14:17:38 sv1 kernel: [10101669.517236] Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=107.178.160.194 DST=23.XX.1X.136 LEN=40 TOS
    
    Dec 19 02:43:20 sv1 postfix/error[5288]: AB5BB160773: to=<[email protected]>, relay=none, delay=3002, delays=2994/8.1/0/0, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=msv1.domain.com type=MX: Host not found, try again)
    
    
    (I have always used msv1.domain.com without problems. If I use sv1.domain.com the emails do not arrive.)
    
    Nameserver config: primary, secondary, and together.
    vi /etc/bind/named.conf.local
    Code:
    zone "sv1.domain.com" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.sv1.domain.com";
    };
    zone "sv2.domain.com" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.sv2.domain.com";
    };
    zone "domain.com" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.domain.com";
    };
    This configuration has been in place for 5 months.
    vi /etc/bind/pri.domain.com
    Code:
    $TTL        3600
    @       IN      SOA     sv1.domain.com. admin.domain.com. (
                            2015031703       ; serial, todays date + todays serial #
                            7200              ; refresh, seconds
                            540              ; retry, seconds
                            604800              ; expire, seconds
                            86400 )            ; minimum, seconds
    ;
    
    domain.com. 3600 A        23.XX.1X.136
    mail 3600 A        23.XX.1X.136
    sv1 86400 A        23.XX.1X.136
    sv2 86400 A        23.XX.1X.136
    www 3600 A        23.XX.1x.136
    domain.com. 3600      MX    10   mail.domain.com.
    domain.com. 3600      NS        sv1.domain.com.
    domain.com. 3600      NS        sv2.domain.com.
    
     
    Last edited: Dec 19, 2015
  2. florian030

    florian030 Well-Known Member HowtoForge Supporter

    Try to stop bind: service bind9 stop, and check that bind is no longer running: ps -ef|grep bind
     
  3. S0ft

    S0ft Member HowtoForge Supporter

    Code:
    root@sv1:~# service bind9 stop
    [....] Stopping domain name service...: bind9waiting for pid 7947 to die
    . ok
    root@sv1:~# ps -ef|grep bind
    root     21577 21500  0 10:22 pts/0    00:00:00 grep bind
    
    
     
  4. florian030

    florian030 Well-Known Member HowtoForge Supporter

    Can you post the error-log when you try to start bind?
     
  5. S0ft

    S0ft Member HowtoForge Supporter

    I think that the problem is in iptables; as I've configured the CSF firewall, I think that I've blocked something related to the DNS.

    root@sv1:~# iptables -L -n -v
    Code:
    Chain LOGDROPIN (1 references)
    pkts bytes target prot opt in out source destination
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:68
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:113
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:135:139
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:500
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:513
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:513
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:520
    0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:520
    0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
    3 87 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
    0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
    3 87 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
    
    Chain LOGDROPOUT (7 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
    0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
    0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
    
    Chain PORTFLOOD (1 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *Port Flood* "
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
    


    23.XX.1x.136 is my real IP.

    root@sv1:~# cat /var/log/messages
    Code:
    Dec 21 09:31:40 sv1 kernel: imklog 5.8.11, log source = /proc/kmsg started.
    Dec 21 09:31:40 sv1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.11" x-pid="2315" x-info="http://www.rsyslog.com"] start
    Dec 21 09:32:10 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 4805 due to rate-limiting
    Dec 21 09:32:16 sv1 rsyslogd-2177: imuxsock lost 137 messages from pid 4805 due to rate-limiting
    Dec 21 09:33:41 sv1 kernel: [10343626.654939] Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=123.128.43.87 DST=23.XX.1X.136 LEN=29 TOS=0x00 PREC=0x00 TTL=51 ID=59256 DF PROTO=UDP SPT=32297 DPT=53413 LEN=9
    Dec 21 09:33:43 sv1 kernel: [10343628.878315] Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=123.128.43.87 DST=23.XX.1X.136 LEN=29 TOS=0x00 PREC=0x00 TTL=51 ID=59257 DF PROTO=UDP SPT=32297 DPT=53413 LEN=9
    Dec 21 09:33:46 sv1 kernel: [10343631.860006] Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=123.128.43.87 DST=23.XX.1X.136 LEN=29 TOS=0x00 PREC=0x00 TTL=51 ID=59258 DF PROTO=UDP SPT=32297 DPT=53413 LEN=9
    Dec 21 09:35:01 sv1 pure-ftpd: (?@::1) [INFO] New connection from ::1
    Dec 21 09:35:01 sv1 pure-ftpd: (?@::1) [INFO] Logout.
    Dec 21 09:37:10 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 4805 due to rate-limiting
    Dec 21 09:38:05 sv1 kernel: [10343890.819829] Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=182.68.8.141 DST=23.XX.1X.136 LEN=88 TOS=0x00 PREC=0x00 TTL=240 ID=41494 DF PROTO=UDP SPT=10003 DPT=14660 LEN=68
    Dec 21 09:38:11 sv1 rsyslogd-2177: imuxsock lost 323 messages from pid 4805 due to rate-limiting
    Dec 21 09:38:31 sv1 kernel: [10343916.602086] Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=101.23.65.92 DST=23.XX.1X.136 LEN=29 TOS=0x00 PREC=0x00 TTL=50 ID=55562 DF PROTO=UDP SPT=31583 DPT=53413 LEN=9
    Dec 21 09:38:34 sv1 kernel: [10343919.838697] Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=101.23.65.92 DST=23.XX.1X.136 LEN=29 TOS=0x00 PREC=0x00 TTL=50 ID=55563 DF PROTO=UDP SPT=31583 DPT=53413 LEN=9
    Dec 21 09:40:01 sv1 pure-ftpd: (?@::1) [INFO] New connection from ::1
    Dec 21 09:40:01 sv1 pure-ftpd: (?@::1) [INFO] Logout.
    Dec 21 09:42:10 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 4805 due to rate-limiting
    Dec 21 09:43:11 sv1 rsyslogd-2177: imuxsock lost 246 messages from pid 4805 due to rate-limiting
    Dec 21 09:45:02 sv1 pure-ftpd: (?@::1) [INFO] New connection from ::1
    Dec 21 09:45:02 sv1 pure-ftpd: (?@::1) [INFO] Logout.
    Dec 21 09:47:10 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 4805 due to rate-limiting
    Dec 21 09:49:11 sv1 rsyslogd-2177: imuxsock lost 659 messages from pid 4805 due to rate-limiting
    Dec 21 09:50:01 sv1 pure-ftpd: (?@::1) [INFO] New connection from ::1
    Dec 21 09:50:01 sv1 pure-ftpd: (?@::1) [INFO] Logout.
    Dec 21 09:52:05 sv1 kernel: [10344730.122499] Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=51.254.151.5 DST=23.XX.1X.136 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=22904 PROTO=TCP SPT=49120 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
    Dec 21 09:52:10 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 4805 due to rate-limiting
    
    

    This is my entire iptables:
    Can you see something that blocks the DNS?
    https://mega.nz/#!xs8DTRAL!x3HNbBl2XMNO0HNY6Js4IwfYYX2zGeIniuRkAXMbA0I
     
    Last edited: Dec 21, 2015
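Since this post asks whether the firewall is what blocks DNS, here is an added Python check (not from the thread, and not CSF's own code) that reads CSF's port lists and reports the directions in which port 53 is missing. It assumes CSF's standard csf.conf keys TCP_IN, TCP_OUT, UDP_IN and UDP_OUT, whose values are quoted, comma-separated ports or low:high ranges; the configuration text inside the block is a constructed sample, not the poster's file.

```python
"""Check whether a CSF (ConfigServer Firewall) port list lets DNS through.

Added example, not from the thread or from CSF itself. It assumes CSF's
standard csf.conf keys TCP_IN, TCP_OUT, UDP_IN and UDP_OUT, whose values are
comma-separated ports or low:high ranges. SAMPLE_CSF_CONF is constructed for
this example; on a real host read /etc/csf/csf.conf instead.
"""
import re

DNS_PORT = 53
# A name server needs 53 open in every direction: queries arrive on 53 and
# the server itself resolves outwards via 53, over both UDP and TCP.
DNS_KEYS = ("TCP_IN", "UDP_IN", "TCP_OUT", "UDP_OUT")

# Constructed sample (not the poster's configuration): UDP_IN lost port 53
# and UDP_OUT has only a traceroute range that does not cover it.
SAMPLE_CSF_CONF = '''
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,8080"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
# Allow incoming UDP ports
UDP_IN = "20,21"
# Allow outgoing UDP ports
UDP_OUT = "20,21,113,123,33434:33523"
'''

_ASSIGN = re.compile(r'^\s*([A-Z_0-9]+)\s*=\s*"([^"]*)"')


def parse_port_lists(text):
    """Return {KEY: raw_value} for every KEY = "..." assignment in csf.conf text."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _ASSIGN.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def port_allowed(port_list, port):
    """True if `port` appears in a comma-separated list of ports and low:high ranges."""
    for item in port_list.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            lo, hi = item.split(":", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(item) == port:
            return True
    return False


def dns_blocked_by(text, port=DNS_PORT):
    """Return the csf.conf keys (directions) that do not allow `port`.

    A key absent from the file is reported too: an absent list cannot be
    the one allowing the port.
    """
    lists = parse_port_lists(text)
    return [k for k in DNS_KEYS if not port_allowed(lists.get(k, ""), port)]


if __name__ == "__main__":
    missing = dns_blocked_by(SAMPLE_CSF_CONF)
    if missing:
        print("DNS (port 53) is not allowed in:", ", ".join(missing))
    else:
        print("DNS (port 53) is allowed in every direction")
```

To run it on a live host, read /etc/csf/csf.conf into the text argument in place of SAMPLE_CSF_CONF. If any direction comes back missing, add 53 to that list and reload the rules with `csf -r`; if all four directions already allow 53, the csf.conf port lists are not what is dropping the DNS traffic and the cause lies elsewhere (the thread's later posts look at the logs for that).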
  6. S0ft

    S0ft Member HowtoForge Supporter

    I have been researching deeply, and it is a DDOS attack.
    It destroys the DNS.

    Code:
    Dec 21 05:00:11 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 05:00:13 sv1 rsyslogd-2177: imuxsock lost 113 messages from pid 3485 due to rate-limiting
    Dec 21 05:00:17 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 05:01:07 sv1 rsyslogd-2177: imuxsock lost 29 messages from pid 3485 due to rate-limiting
    Dec 21 06:00:12 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 06:00:14 sv1 rsyslogd-2177: imuxsock lost 88 messages from pid 3485 due to rate-limiting
    Dec 21 06:00:17 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 06:01:08 sv1 rsyslogd-2177: imuxsock lost 109 messages from pid 3485 due to rate-limiting
    Dec 21 07:00:14 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 07:00:15 sv1 rsyslogd-2177: imuxsock lost 23 messages from pid 3485 due to rate-limiting
    Dec 21 07:00:20 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 07:00:21 sv1 rsyslogd-2177: imuxsock lost 14 messages from pid 3485 due to rate-limiting
    Dec 21 07:00:24 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 07:01:09 sv1 rsyslogd-2177: imuxsock lost 31 messages from pid 3485 due to rate-limiting
    Dec 21 08:00:14 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 08:00:15 sv1 rsyslogd-2177: imuxsock lost 31 messages from pid 3485 due to rate-limiting
    Dec 21 08:00:18 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 08:00:21 sv1 rsyslogd-2177: imuxsock lost 69 messages from pid 3485 due to rate-limiting
    Dec 21 09:00:26 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 09:00:29 sv1 rsyslogd-2177: imuxsock lost 136 messages from pid 3485 due to rate-limiting
    Dec 21 09:32:26 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 09:32:28 sv1 rsyslogd-2177: imuxsock lost 66 messages from pid 3485 due to rate-limiting
    Dec 21 10:32:33 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 10:32:34 sv1 rsyslogd-2177: imuxsock lost 33 messages from pid 3485 due to rate-limiting
    Dec 21 10:48:16 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 10:49:12 sv1 rsyslogd-2177: imuxsock lost 12 messages from pid 3485 due to rate-limiting
    Dec 21 11:32:18 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 11:32:19 sv1 rsyslogd-2177: imuxsock lost 5 messages from pid 3485 due to rate-limiting
    Dec 21 12:32:19 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 12:32:20 sv1 rsyslogd-2177: imuxsock lost 1 messages from pid 3485 due to rate-limiting
    Dec 21 12:32:24 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 12:32:26 sv1 rsyslogd-2177: imuxsock lost 106 messages from pid 3485 due to rate-limiting
    Dec 21 13:32:20 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 13:32:21 sv1 rsyslogd-2177: imuxsock lost 34 messages from pid 3485 due to rate-limiting
    Dec 21 13:32:25 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
    Dec 21 13:32:27 sv1 rsyslogd-2177: imuxsock lost 23 messages from pid 3485 due to rate-limiting
    Dec 21 16:15:51 sv1 kernel: imklog 5.8.11, log source = /proc/kmsg started.
    Dec 21 16:15:51 sv1 rsyslogd: [origin software = "rsyslogd" swVersion = "5.8.11" x-pid ="1887" x-info = "http://www.rsyslog.com"] start
    Dec 21 16:25:50 sv1 kernel: imklog 5.8.11, log source = /proc/kmsg started.
    Dec 21 16:25:50 sv1 rsyslogd: [origin software = "rsyslogd" swVersion = "5.8.11" x-pid ="1889" x-info = "http://www.rsyslog.com"] start
    Dec 21 16:32:27 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 1854 due to rate-limiting
    Dec 21 16:32:28 sv1 rsyslogd-2177: imuxsock lost 1 messages from pid 1854 due to rate-limiting
    Dec 21 17:02:25 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 1854 due to rate-limiting
    Dec 21 17:02:26 sv1 rsyslogd-2177: imuxsock lost 12 messages from pid 1854 due to rate-limiting
    Dec 21 18:16:54 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 1854 due to rate-limiting
    Dec 21 18:16:55 sv1 rsyslogd-2177: imuxsock lost 36 messages from pid 1854 due to rate-limiting
    Dec 21 19:17:30 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 1854 due to rate-limiting
    Dec 21 19:18:02 sv1 rsyslogd-2177: imuxsock lost 54 messages from pid 1854 due to rate-limiting
    
     
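As an added example (not from the thread and not from any of the tools it mentions), the following Python script triages the kinds of log lines quoted in posts 1, 5 and 6: named announcing it no longer listens on an address, postfix deferring mail on a name-service error, CSF kernel lines for blocked inbound packets, and rsyslog's imuxsock rate-limiting notices. The lines embedded in it are constructed copies modelled on the excerpts above, with the named lines in their normal spacing and a placeholder recipient address. It reports whether the firewall dropped anything aimed at port 53, which sources were dropped most often, and which pid is flooding syslog, which is the evidence you want before concluding that the outage comes from the attack rather than from a local rule.

```python
"""Triage syslog/kernel lines of the kinds quoted in this thread.

Added example, not from the thread or from named, postfix, CSF or rsyslog.
SAMPLE_LOG is a constructed set of lines modelled on the posted excerpts.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Dec 18 14:16:14 sv1 named[2309]: no longer listening on ::#53
Dec 18 14:16:14 sv1 named[2309]: no longer listening on 127.0.0.1#53
Dec 18 14:16:14 sv1 named[2309]: no longer listening on 23.XX.1X.136#53
Dec 19 02:43:20 sv1 postfix/error[5288]: AB5BB160773: to=<user@example.com>, relay=none, delay=3002, delays=2994/8.1/0/0, dsn=4.4.3, status=deferred (delivery temporarily suspended: Host or domain name not found. Name service error for name=msv1.domain.com type=MX: Host not found, try again)
Dec 21 09:33:41 sv1 kernel: [10343626.654939] Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=123.128.43.87 DST=23.XX.1X.136 LEN=29 TOS=0x00 PREC=0x00 TTL=51 ID=59256 DF PROTO=UDP SPT=32297 DPT=53413 LEN=9
Dec 21 09:33:43 sv1 kernel: [10343628.878315] Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=123.128.43.87 DST=23.XX.1X.136 LEN=29 TOS=0x00 PREC=0x00 TTL=51 ID=59257 DF PROTO=UDP SPT=32297 DPT=53413 LEN=9
Dec 21 09:38:31 sv1 kernel: [10343916.602086] Firewall: *UDP_IN Blocked* IN=venet0 OUT= MAC= SRC=101.23.65.92 DST=23.XX.1X.136 LEN=29 TOS=0x00 PREC=0x00 TTL=50 ID=55562 DF PROTO=UDP SPT=31583 DPT=53413 LEN=9
Dec 21 09:52:05 sv1 kernel: [10344730.122499] Firewall: *TCP_IN Blocked* IN=venet0 OUT= MAC= SRC=51.254.151.5 DST=23.XX.1X.136 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=22904 PROTO=TCP SPT=49120 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Dec 21 05:00:11 sv1 rsyslogd-2177: imuxsock begins to drop messages from pid 3485 due to rate-limiting
Dec 21 05:00:13 sv1 rsyslogd-2177: imuxsock lost 113 messages from pid 3485 due to rate-limiting
Dec 21 05:01:07 sv1 rsyslogd-2177: imuxsock lost 29 messages from pid 3485 due to rate-limiting
Dec 21 16:32:28 sv1 rsyslogd-2177: imuxsock lost 1 messages from pid 1854 due to rate-limiting
"""

# named logs one line per socket it closes; such lines with no later
# "listening on" suggest a process that is up but answering nothing.
NAMED_STOPPED = re.compile(r"named\s*\[(\d+)\]: no longer listening on (.+?)\s*$")
# postfix defers mail when the local resolver cannot answer an MX lookup.
NAME_SERVICE_ERR = re.compile(
    r"postfix/\w+\[\d+\]: (\w+): .*Name service error for name=(\S+) type=(\w+)")
# CSF's LOGDROPIN/LOGDROPOUT chains tag each logged drop with its direction.
FW_BLOCKED = re.compile(
    r"Firewall: \*(\w+) Blocked\* .*SRC=(\S+) .*PROTO=(\w+) SPT=(\d+) DPT=(\d+)")
# rsyslog reports how many messages it discarded from a chatty process.
RATE_LIMIT_LOST = re.compile(r"imuxsock lost (\d+) messages from pid (\d+)")


def triage(log_text):
    """Summarise the security-relevant events in `log_text`."""
    summary = {
        "listeners_lost": [],              # (pid, address#port) closed by named
        "mail_deferred": [],               # (queue_id, name, rrtype) from postfix
        "blocked": Counter(),              # (direction, proto, src, dport) -> hits
        "lost_per_pid": defaultdict(int),  # messages rsyslog dropped, per pid
    }
    for line in log_text.splitlines():
        m = NAMED_STOPPED.search(line)
        if m:
            summary["listeners_lost"].append((int(m.group(1)), m.group(2)))
            continue
        m = NAME_SERVICE_ERR.search(line)
        if m:
            summary["mail_deferred"].append(m.groups())
            continue
        m = FW_BLOCKED.search(line)
        if m:
            direction, src, proto, _spt, dpt = m.groups()
            summary["blocked"][(direction, proto, src, int(dpt))] += 1
            continue
        m = RATE_LIMIT_LOST.search(line)
        if m:
            summary["lost_per_pid"][int(m.group(2))] += int(m.group(1))
    summary["lost_per_pid"] = dict(summary["lost_per_pid"])
    return summary


def hits_on_port(summary, dport):
    """Blocked packets aimed at `dport`; a non-zero value for 53 means the
    firewall itself is dropping DNS traffic."""
    return sum(h for (_d, _p, _s, p), h in summary["blocked"].items() if p == dport)


def top_blocked_sources(summary, n=3):
    """Most frequent blocked source addresses across all ports and protocols."""
    per_src = Counter()
    for (_d, _p, src, _port), hits in summary["blocked"].items():
        per_src[src] += hits
    return per_src.most_common(n)


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print("named closed %d listener(s)" % len(s["listeners_lost"]))
    print("mail deferred on name-service errors:", s["mail_deferred"])
    print("blocked packets to port 53:", hits_on_port(s, 53))
    print("top blocked sources:", top_blocked_sources(s))
    print("syslog messages lost to rate-limiting, per pid:", s["lost_per_pid"])
```

Feed it the real /var/log/syslog and /var/log/messages concatenated in place of SAMPLE_LOG. Two readings matter for this thread: a zero from hits_on_port for 53 says the firewall is not the thing dropping DNS, and the pid under lost_per_pid is the process to inspect (compare it with the pid in named's own lines), because rsyslog's rate-limiting also hides whatever that process was trying to report when the listeners went away.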
