Issues running bind 9 on Ubuntu 9.10 server

Posted on 2010-04-10
Last Modified: 2013-11-15
I am migrating a primary DNS server from Solaris 10 running bind 9.3.4-P1 to Ubuntu 9.10 running bind 9.6.1-P2 and I am running into issues even running the named process.

I have copied the current files from the running primary and secondary DNS servers (both on Solaris 10) and put them in /var/dns (the same location as previously used). I updated the /etc/bind/named.conf file, and when I attempt to start bind with "/etc/init.d/bind9 start" it fails.

The various log files show that it is having permission problems accessing the /var/dns/named.root. Even changing the file and the /var/dns directory to mode 777 I get the same error message.

Attached is from the syslog generated when attempting to start named

All help is appreciated

syslog-tail
Question by:jvossler

Author Comment

by:jvossler
ID: 30332292
Here are the output files from checkconf (stderr and stdout). It is also complaining about the reverse localhost zone for some reason.

checkconf.err.txt

Author Comment

by:jvossler
ID: 30332321
Here is the stdout from checkconf
checkconf.out.txt

Expert Comment

by:linuxgfx
ID: 30397311
Could you please paste the bind configuration files here? It seems an RNDC problem to me; also it could be a path error, because Debian uses bind in a chroot, different from Solaris, which uses a normal dir.

Author Comment

by:jvossler
ID: 30404670
Right now I am not using chroot afaik. I did not configure it for that.

Here are the configuration files from /etc/bind

 *** rndc.conf

# Start of rndc.conf
key "rndc-key" {
      algorithm hmac-md5;
      secret "dzkOoDCGH9w3Bp1imCUqbA==";
};

options {
      default-key "rndc-key";
      default-server 127.0.0.1;
      default-port 953;
};
# End of rndc.conf



 *** named.conf

// MASTER & CACHING NAME SERVER for IT Infrastructures, INC.
// maintained by: just me
// CHANGELOG:
// 1. Fri 05 Sep 2008 - Created
// 2. Mon 01 Mar 2010 - migrated to Linux (Ubuntu 9.10 server)
// 3.
//
//
//include "/etc/bind/rndc.key";
//
key "rndc-key" {
      algorithm hmac-md5;
      secret "fRRny51stZtCg/ArATeiBA==";
};
//
controls {
  inet 127.0.0.1
  port 953
  allow {
    127.0.0.1;
  }
  keys {
    rndc-key;
  };
};
options {
  directory "/var/dns";
  dump-file "/var/log/named/named.dump";
  statistics-file "/var/log/named/named.stats";
  //###zone-statistics yes;
  // version statement - inhibited for security
  // (avoids hacking any known weaknesses)      
  version "get lost";
  // Set the cache size above the 32M default
  //###max-cache-size 512M;
  // Set location of PID file
  pid-file "rndc.pid";
  forwarders {
    207.69.188.185;
    207.69.188.186;
    207.69.188.187;
  };
  // optional - disables all transfers
  // slaves allowed in zone clauses
  allow-transfer {
    192.168.5.103;
    192.168.5.104;
    192.168.5.105;
    192.168.5.106;
    192.168.1.1;
    192.168.2.1;
    192.168.3.1;
    192.168.4.1;
    192.168.5.1;
    192.168.6.1;
    192.168.7.1;
    192.168.8.1;
    192.168.9.1;
    72.19.183.2;
  };
  // Closed DNS - permits only local IPs to issue recursive queries
  // remove if an Open DNS required to support all users
  // or add additional ranges
  allow-recursion {
    192.168.1.0/24;
    192.168.2.0/24;
    192.168.3.0/24;
    192.168.4.0/24;
    192.168.5.0/24;
    192.168.6.0/24;
    192.168.7.0/24;
    192.168.8.0/24;
    192.168.9.0/24;
  };
};
//
// log to /var/log/dns/example.log all events from
// info UP in severity (no debug)
// defaults to use 3 files in rotation
// BIND 8.x logging MUST COME FIRST in this file
// BIND 9.x parses the whole file before using the log
// failure messages up to this point are in (syslog)
// typically /var/log/messages
//
logging{
  channel example_log{
   file "/var/log/named/example.log" versions 3 size 2m;
   severity info;
   print-severity yes;
   print-time yes;
   print-category yes;
 };
 category default{
  example_log;
 };
};
//
// required zone for recursive queries
//
zone "." {
  type hint;
  file "named.root";
};
//
//
// Set up all zones for the data center
//
//
zone "itinfrastructures.net" in{
  type master;
  file "master.itinfrastructures.net";
};
zone "vrcontracting.com" in{
  type master;
  file "master.vrcontracting.com";
};
zone "vosslerangus.com" in{
  type master;
  file "master.vosslerangus.com";
};
zone "vosslerranch.com" in{
  type master;
  file "master.vosslerranch.com";
};
//
// required local host domain
//
zone "localhost" in{
  type master;
  file "master.localhost";
  allow-update{none;};
};
//
// localhost reverse map
//
zone "0.0.127.in-addr.arpa" in{
  type master;
  file "localhost.rev";
  allow-update{none;};
};
//
//
// The publically addressable IP space reverse records
//
//
zone "183.19.72.IN-ADDR.ARPA" in{
  type master;
  file "72.19.183.rev";
};
//
//
// All reverse maps for all 9 VLANs
//
//
// reverse map for class C 192.168.1.0
zone "1.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.1.rev";
};
// reverse map for class C 192.168.2.0
zone "2.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.2.rev";
};
// reverse map for class C 192.168.3.0
zone "3.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.3.rev";
};
// reverse map for class C 192.168.4.0
zone "4.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.4.rev";
};
// reverse map for class C 192.168.5.0
zone "5.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.5.rev";
};
// reverse map for class C 192.168.6.0
zone "6.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.6.rev";
};
// reverse map for class C 192.168.7.0
zone "7.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.7.rev";
};
// reverse map for class C 192.168.8.0
zone "8.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.8.rev";
};
// reverse map for class C 192.168.9.0
zone "9.168.192.IN-ADDR.ARPA" in{
  type master;
  file "192.168.9.rev";
};

Expert Comment

by:Jan Springer
ID: 30416814
The text files you uploaded show two pieces of data: the localhost inverse file is incorrect, and several zones loaded.

Can you verify that bind is not running "ps awx|grep named"?

Fix "localhost.rev"

I would expect it to look something like this:

$TTL    86400
@       IN      SOA     localhost. root.localhost.  (
                                      2010041001 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      localhost.
1       IN      PTR     localhost.


'cat /etc/init.d/bind9'

Are you running bind as root or as a non-priv account like 'named'?

Author Comment

by:jvossler
ID: 30429633
Here is the localhost.rev file I have been using

$TTL    24h
;
; reverse localhost definition
;
localhost.       IN      SOA     localhost. root.localhost.  (
            2008090810  ; serial number
            4h          ; refresh slaves
            1h          ; retry interval
            10w         ; slave life time
            30m         ; negative cache TTL
      )

        IN      NS      localhost.
1       IN      PTR     localhost.


There is no named process running and the rndc.pid file is zero length.

Right now I am attempting to start the process as root.


Expert Comment

by:Jan Springer
ID: 30513778
I'd like you to try to start named (get the date/time first).  After the attempt:

  grep named /var/log/named/example.log | grep "MMM DD hh:mm"

The log file data at the time of starting named, should give us more information.

Author Comment

by:jvossler
ID: 30523663
the file /var/log/named/example.log is an empty file. Attempting to start bind9 via "/etc/init.d/bind9 start" does not add any lines to this file.


Expert Comment

by:Jan Springer
ID: 30528764
Under this section:

logging{
  channel example_log{


Add this:
      syslog daemon;

Then we'll see if we can capture data in the specified log file or the messages file.

Author Comment

by:jvossler
ID: 30623087
I am getting output in the messages file, as I posted earlier.

Apr  8 20:30:36 fw1 named[4036]: starting BIND 9.6.1-P2 -u bind
Apr  8 20:30:36 fw1 named[4036]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2' 'FFLAGS=-g -O2'
Apr  8 20:30:36 fw1 named[4036]: adjusted limit on open files from 1024 to 1048576
Apr  8 20:30:36 fw1 named[4036]: found 8 CPUs, using 8 worker threads
Apr  8 20:30:36 fw1 named[4036]: using up to 4096 sockets
Apr  8 20:30:36 fw1 named[4036]: loading configuration from '/etc/bind/named.conf'
Apr  8 20:30:36 fw1 named[4036]: using default UDP/IPv4 port range: [1024, 65535]
Apr  8 20:30:36 fw1 named[4036]: using default UDP/IPv6 port range: [1024, 65535]
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface lo, 127.0.0.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth0, 72.19.183.2#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth1, 192.168.1.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth2, 192.168.2.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth3, 192.168.3.10#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth4, 192.168.4.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth5, 192.168.5.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth6, 192.168.6.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth7, 192.168.7.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth8, 192.168.8.1#53
Apr  8 20:30:36 fw1 named[4036]: listening on IPv4 interface eth9, 192.168.9.1#53
Apr  8 20:30:36 fw1 named[4036]: could not configure root hints from 'named.root': permission denied
Apr  8 20:30:36 fw1 named[4036]: loading configuration: permission denied
Apr  8 20:30:36 fw1 named[4036]: exiting (due to fatal error)
Apr  8 20:30:36 fw1 kernel: [206981.178545] type=1503 audit(1268105436.188:25): operation="open" pid=4045 parent=4035 profile="/usr/sbin/named" requested_mask="::r" denied_mask="::r" fsuid=103 ouid=0 name="/var/dns/named.root"



I also have similar output in the kern.log and the syslog


Expert Comment

by:Jan Springer
ID: 30623384
ps -Af | grep named

ls -ld /var/dns
ls -l /var/dns

Author Comment

by:jvossler
ID: 30625437
Here is the output you requested.

I have tried various permissions from the current 644 to 777 on named.root but the error does not change.

fw1:/var/dns> ps -Af | grep named
root     14618 14612  0 08:15 pts/0    00:00:00 grep named

fw1:/var/dns> ls -ld /var/dns
drwxrwxrwx 2 root root 4096 2010-03-08 21:18 /var/dns

fw1:/var/dns> ls -l /var/dns
total 124
drwxrwxrwx  2 root root 4096 2010-03-08 21:18 .
drwxr-xr-x 15 root root 4096 2004-10-12 16:42 ..
-rw-r--r--  1 root root  319 2010-03-08 21:18 127.0.0.rev
-rw-r--r--  1 root root  670 2010-03-01 20:35 192.168.1.rev
-rw-r--r--  1 root root  720 2010-03-01 20:35 192.168.2.rev
-rw-r--r--  1 root root  797 2010-03-01 20:35 192.168.3.rev
-rw-r--r--  1 root root  721 2010-03-01 20:35 192.168.4.rev
-rw-r--r--  1 root root  875 2010-03-01 20:35 192.168.5.rev
-rw-r--r--  1 root root  971 2010-03-01 20:35 192.168.6.rev
-rw-r--r--  1 root root  664 2010-03-01 20:35 192.168.7.rev
-rw-r--r--  1 root root  686 2010-03-01 20:35 192.168.8.rev
-rw-r--r--  1 root root 1010 2010-03-01 20:35 192.168.9.rev
-rw-r--r--  1 root root  857 2010-03-01 20:35 72.19.183.rev
-rwxr-xr-x  1 root root 1248 2010-03-01 20:35 arp-file
-rwxr-xr-x  1 root root  406 2010-03-04 05:47 get.named.root
-rw-r--r--  1 root root  319 2010-03-01 20:35 localhost.rev
-rw-r--r--  1 root root 7002 2010-03-01 20:35 master.itinfrastructures.net
-rw-r--r--  1 root root  306 2010-03-01 20:35 master.localhost
-rw-r--r--  1 root root  620 2010-03-01 20:35 master.vosslerangus.com
-rw-r--r--  1 root root  620 2010-03-01 20:35 master.vosslerranch.com
-rw-r--r--  1 root root  601 2010-03-01 20:35 master.vrcontracting.com
-rw-r--r--  1 root root 2938 2010-03-08 20:37 named.root
-rw-r--r--  1 root root 2938 2010-03-01 20:35 named.root.0202201004:07
-rw-r--r--  1 root root 2938 2010-03-01 20:35 named.root.0208200904:07
-rw-r--r--  1 root root 2938 2010-03-01 20:35 named.root.0702200911:44
-rw-r--r--  1 root root 2876 2010-03-01 20:35 named.root.20080809
-rw-r--r--  1 root root 2938 2010-03-01 20:35 named.root.new
-rw-r--r--  1 root root 2938 2010-03-01 20:35 named.root.orig
-rw-r--r--  1 root root  159 2010-03-01 20:35 named.stats
-rwxrwxrwx  1 root root    0 2010-03-08 21:01 rndc.pid
-rwxr-xr-x  1 root root   49 2010-03-01 20:35 update
fw1:/var/dns>

Expert Comment

by:Jan Springer
ID: 30626979
Which named.conf are you using?  The one in /etc/bind/?

Author Comment

by:jvossler
ID: 30627785
Yes,

I am using the named.conf that is in /etc/bind.  The named.conf that is in the /var/dns directory was just a copy from the Solaris system I am migrating from. If you think it is causing an issue it can be deleted.


Author Comment

by:jvossler
ID: 30627989
Looks like I already deleted the named.conf that was in /var/dns.

A search on the system for all named.conf files found only the single file in /etc/bind.

Expert Comment

by:Jan Springer
ID: 30631335
You're running selinux, yes?

Expert Comment

by:Jan Springer
ID: 30633703
ls -Z /var/dns

ls -Z /etc/bind/named.conf

cat /var/dns/named.root

Author Comment

by:jvossler
ID: 30633740
I am running ubuntu 9.10 server and I have NOT installed selinux

Author Comment

by:jvossler
ID: 30634626
I have a cron job that downloads the named.root periodically.

Here is the output you requested.

fw1:/var/dns> ls -Z /var/dns
? .             ? 192.168.9.rev             ? named.root.0202201004:07
? ..             ? 72.19.183.rev             ? named.root.0208200904:07
? 127.0.0.rev       ? arp-file                   ? named.root.0702200911:44
? 192.168.1.rev  ? get.named.root             ? named.root.20080809
? 192.168.2.rev  ? localhost.rev             ? named.root.new
? 192.168.3.rev  ? master.itinfrastructures.net  ? named.root.orig
? 192.168.4.rev  ? master.localhost             ? named.stats
? 192.168.5.rev  ? master.vosslerangus.com       ? rndc.pid
? 192.168.6.rev  ? master.vosslerranch.com       ? update
? 192.168.7.rev  ? master.vrcontracting.com
? 192.168.8.rev  ? named.root

fw1:/var/dns> ls -Z /etc/bind/named.conf
? /etc/bind/named.conf


fw1:/var/dns> cat /var/dns/named.root
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/db.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    Dec 12, 2008
;       related version of root zone:   2008121200
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
; End of File
fw1:/var/dns>

Expert Comment

by:Jan Springer
ID: 30640222
Let's start with this -- as root (bind presumed to be the group name for user bind):

chown -R root:bind /var/dns

chmod 750 /var/dns

chown root:bind <configuration, hints and zone db/rev files>

chmod 640 /var/dns/named.root

Author Comment

by:jvossler
ID: 30652427
From /etc/group

bind:x:108:


From /etc/passwd

bind:x:103:108::/var/cache/bind:/bin/false


I performed the commands you suggested but got the same results and log messages when I attempted to start bind9



Expert Comment

by:Jan Springer
ID: 30652901
change the login directory for user 'bind' to /var/dns

cp /etc/bind/named.conf /var/dns/
mv /etc/bind/named.conf /etc/bind/named.conf.prod
ln -s /etc/bind/named.conf /var/dns/named.conf

Author Comment

by:jvossler
ID: 30654375
I changed the home directory for bind to /var/dns

I copied and then moved the named.conf and set up the symbolic link via "ln -s /var/dns/named.conf /etc/bind/named.conf "

When attempting to start bind9 I get a permissions problem opening /etc/bind/named.conf. I tried it with /var/dns/named.conf owned by root:root and later by root:bind.




Expert Comment

by:Jan Springer
ID: 30660131
chown root:bind /etc/bind/named.conf

chown root:bind /var/dns/named.conf

Your link statement is incorrect.  You want named.conf in /var/dns and a link in /etc/bind/:

ls -l /etc/bind/named.conf should look something like this:

lrwxrwxrwx 1 root bind XX Apr 13 hh:mm /etc/bind/named.conf -> /var/dns/named.conf

Author Comment

by:jvossler
ID: 30717502
I did move the file to /var/dns and the link existed in /etc/bind

In the ln statement you put the target first and then the link name. From the man page:

 ln [OPTION]... [-T] TARGET LINK_NAME   (1st form)
In the 1st form, create a link to TARGET with the name LINK_NAME.

I am getting permission denied for accessing the /etc/bind/named.conf file


fw1:/etc/bind> ls -l /etc/bind
total 28
drwxr-sr-x   2 root bind 4096 2010-04-13 14:22 .
drwxr-xr-x 103 root root 4096 2010-04-14 05:51 ..
-rw-r--r--   1 root bind 4321 2010-03-08 21:19 named.bak
lrwxrwxrwx   1 root bind   19 2010-04-13 14:22 named.conf -> /var/dns/named.conf
-rw-r--r--   1 root bind 4148 2010-01-08 14:17 named.conf.orig
-rw-r--r--   1 root bind  202 2010-03-08 21:00 rndc.conf
fw1:/etc/bind> ls -l /var/dns
total 132
drwxr-x---  2 root bind 4096 2010-04-13 14:20 .
drwxr-xr-x 15 root root 4096 2004-10-12 16:42 ..
-rw-r--r--  1 root bind  319 2010-03-08 21:18 127.0.0.rev
-rw-r--r--  1 root bind  670 2010-03-01 20:35 192.168.1.rev
-rw-r--r--  1 root bind  720 2010-03-01 20:35 192.168.2.rev
-rw-r--r--  1 root bind  797 2010-03-01 20:35 192.168.3.rev
-rw-r--r--  1 root bind  721 2010-03-01 20:35 192.168.4.rev
-rw-r--r--  1 root bind  875 2010-03-01 20:35 192.168.5.rev
-rw-r--r--  1 root bind  971 2010-03-01 20:35 192.168.6.rev
-rw-r--r--  1 root bind  664 2010-03-01 20:35 192.168.7.rev
-rw-r--r--  1 root bind  686 2010-03-01 20:35 192.168.8.rev
-rw-r--r--  1 root bind 1010 2010-03-01 20:35 192.168.9.rev
-rw-r--r--  1 root bind  857 2010-03-01 20:35 72.19.183.rev
-rwxr-xr-x  1 root bind 1248 2010-03-01 20:35 arp-file
-rwxr-xr-x  1 root bind  406 2010-03-04 05:47 get.named.root
-rw-r--r--  1 root bind  319 2010-03-01 20:35 localhost.rev
-rw-r--r--  1 root bind 7002 2010-03-01 20:35 master.itinfrastructures.net
-rw-r--r--  1 root bind  306 2010-03-01 20:35 master.localhost
-rw-r--r--  1 root bind  620 2010-03-01 20:35 master.vosslerangus.com
-rw-r--r--  1 root bind  620 2010-03-01 20:35 master.vosslerranch.com
-rw-r--r--  1 root bind  601 2010-03-01 20:35 master.vrcontracting.com
-rw-r--r--  1 root bind 4321 2010-04-13 14:20 named.conf
-rw-r-----  1 root bind 2938 2010-03-08 20:37 named.root
-rw-r--r--  1 root bind 2938 2010-03-01 20:35 named.root.0202201004:07
-rw-r--r--  1 root bind 2938 2010-03-01 20:35 named.root.0208200904:07
-rw-r--r--  1 root bind 2938 2010-03-01 20:35 named.root.0702200911:44
-rw-r--r--  1 root bind 2876 2010-03-01 20:35 named.root.20080809
-rw-r--r--  1 root bind 2938 2010-03-01 20:35 named.root.new
-rw-r--r--  1 root bind 2938 2010-03-01 20:35 named.root.orig
-rw-r--r--  1 root bind  159 2010-03-01 20:35 named.stats
-rwxrwxrwx  1 root bind    0 2010-03-08 21:01 rndc.pid
-rwxr-xr-x  1 root bind   49 2010-03-01 20:35 update
fw1:/etc/bind>

Expert Comment

by:Jan Springer
ID: 30721017
ls -ld /etc/bind
ls -ld /var/dns
ls -l /usr/sbin/named
  should be -> chmod 755 /usr/sbin/named

With named running as user 'bind', no selinux, no chroot and directories, files owned by group bind and user bind allowed to run /usr/sbin/named, you should not have permissions errors.

Verify the above ownership and then run as and let me know what the logs say:

/usr/sbin/named -c /var/dns/named.conf  -u bind

Author Comment

by:jvossler
ID: 30727343
Here is the output you requested, along with the log file output from the named command

fw1:/etc/bind> ls -ld /etc/bind
drwxr-sr-x 2 root bind 4096 2010-04-13 14:22 /etc/bind

fw1:/etc/bind> ls -ld /var/dns
drwxr-x--- 2 root bind 4096 2010-04-13 14:20 /var/dns

fw1:/etc/bind> ls -l /usr/sbin/named
-rwxr-xr-x 1 root root 479768 2009-12-04 08:34 /usr/sbin/named

fw1:/etc/bind> /usr/sbin/named -c /var/dns/named.conf -u bind
fw1:/etc/bind>


syslog tail

Apr 14 07:43:03 fw1 named[15251]: starting BIND 9.6.1-P2 -c /var/dns/named.conf -u bind
Apr 14 07:43:03 fw1 named[15251]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2' 'FFLAGS=-g -O2'
Apr 14 07:43:03 fw1 named[15251]: adjusted limit on open files from 1024 to 1048576
Apr 14 07:43:03 fw1 named[15251]: found 8 CPUs, using 8 worker threads
Apr 14 07:43:03 fw1 named[15251]: using up to 4096 sockets
Apr 14 07:43:03 fw1 named[15251]: loading configuration from '/var/dns/named.conf'
Apr 14 07:43:03 fw1 kernel: [3354128.463996] type=1503 audit(1271252583.472:49): operation="open" pid=15260 parent=15250 profile="/usr/sbin/named" requested_mask="::r" denied_mask="::r" fsuid=103 ouid=0 name="/var/dns/named.conf"
Apr 14 07:43:03 fw1 named[15251]: none:0: open: /var/dns/named.conf: permission denied
Apr 14 07:43:03 fw1 named[15251]: loading configuration: permission denied
Apr 14 07:43:03 fw1 named[15251]: exiting (due to fatal error)



daemon.log tail output

Apr 14 07:43:03 fw1 named[15251]: starting BIND 9.6.1-P2 -c /var/dns/named.conf -u bind
Apr 14 07:43:03 fw1 named[15251]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2' 'FFLAGS=-g -O2'
Apr 14 07:43:03 fw1 named[15251]: adjusted limit on open files from 1024 to 1048576
Apr 14 07:43:03 fw1 named[15251]: found 8 CPUs, using 8 worker threads
Apr 14 07:43:03 fw1 named[15251]: using up to 4096 sockets
Apr 14 07:43:03 fw1 named[15251]: loading configuration from '/var/dns/named.conf'
Apr 14 07:43:03 fw1 named[15251]: none:0: open: /var/dns/named.conf: permission denied
Apr 14 07:43:03 fw1 named[15251]: loading configuration: permission denied
Apr 14 07:43:03 fw1 named[15251]: exiting (due to fatal error)


Expert Comment

by:Jan Springer
ID: 30728641
Are you running apparmor?

Author Comment

by:jvossler
ID: 30731695
Yes. Apparmor is installed by default with Ubuntu since 8.10 (Intrepid). I am running 9.10 (Karmic)


Do I need to either disable apparmor or change the configuration?


Accepted Solution

by:Jan Springer (earned 2000 total points)
ID: 30732037
yes.  modify the configuration to allow bind user to run that app.

Author Comment

by:jvossler
ID: 30733856
I added a line in the usr.bin.named file under /etc/apparmor.d to include read-write access to /var/dns. I had to make it writable since the rndc.pid file is located there.

I also had to make the /var/dns directory group writable for group bind.


Would it be prudent to relocate the named.conf back to /etc/bind? And should I define the rndc.pid file to /etc/bind and remove the write permissions to /var/dns?


All my previous Ubuntu work has been on 8.04 LTS, this has apparmor installed but not configured. So I am reading up on this subset of selinux.
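The check this thread circled for several rounds, as an added example by the editor (not code from the thread, from BIND or from Ubuntu): the `ls -l` output above shows that classic Unix permissions would let user bind read /var/dns/named.root, yet the open fails, and the kernel line `type=1503 ... profile="/usr/sbin/named" ... denied_mask="::r"` in the earlier syslog tail is an AppArmor audit record, not a file-permission error. The script below puts both halves of that diagnosis into functions: `dac_can_read` evaluates one line of `ls -l` output for a given user and group list, `apparmor_denials` pulls profile, path and denied mask out of syslog/kern.log lines, and `suggest_rules` merges the masks per path into the file rules the profile needs. The function names are the editor's, named is assumed to run as bind:bind as in the thread, and the last log line in the sample is constructed (a write denial on rndc.pid, which the thread describes but never quotes).

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or from BIND/Ubuntu):
# tell a classic Unix (DAC) "permission denied" apart from an AppArmor (MAC)
# denial, and turn the kernel audit records into the profile rules needed.
# Assumptions: named runs as user bind, group bind; log lines are in the
# syslog/kern.log format shown in the thread (type=1503 on Ubuntu 9.10,
# apparmor="DENIED" on later kernels).

# dac_can_read USER GROUPS "<one line of ls -l output>"
# Prints "yes" if the mode/owner/group fields let USER read the file, else "no".
# GROUPS is the space-separated list of groups USER belongs to.
# Directory search (x) bits and POSIX ACLs are not checked.
dac_can_read() {
    user=$1; grps=$2; line=$3
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    if [ "$user" = "$owner" ]; then
        bit=$(printf '%s\n' "$mode" | cut -c2)      # owner read bit
    elif printf ' %s ' "$grps" | grep -q " $group "; then
        bit=$(printf '%s\n' "$mode" | cut -c5)      # group read bit
    else
        bit=$(printf '%s\n' "$mode" | cut -c8)      # other read bit
    fi
    if [ "$bit" = "r" ]; then echo yes; else echo no; fi
}

# apparmor_denials < logfile
# Prints "profile path mask" for every AppArmor denial record on stdin.
# named's own "permission denied" lines carry no profile= field, so only
# the kernel audit lines match. Paths containing spaces are not handled.
apparmor_denials() {
    awk '
        (/type=1503/ || /apparmor="DENIED"/) && /profile="/ && /denied_mask="/ {
            prof = $0; sub(/.*profile="/, "", prof);     sub(/".*/, "", prof)
            path = $0; sub(/.*name="/, "", path);        sub(/".*/, "", path)
            mask = $0; sub(/.*denied_mask="/, "", mask); sub(/".*/, "", mask)
            print prof, path, mask
        }'
}

# suggest_rules < "profile path mask" lines
# Merges all denied masks per path (old "::r" style or plain "r") and prints
# one AppArmor file rule each, so read-only files stay read-only and only
# the pid file gets "w".
suggest_rules() {
    awk '
        function canon(s,  r) {
            r = ""
            if (s ~ /r/) r = r "r"
            if (s ~ /w/) r = r "w"
            if (s ~ /k/) r = r "k"
            return r
        }
        { m[$2] = m[$2] $3 }
        END { for (p in m) printf "  %s %s,\n", p, canon(m[p]) }' | sort
}

# Sample input: the two kernel audit lines quoted in the thread, plus one
# CONSTRUCTED line for a write to the pid file (not from the original logs).
SAMPLE_LOG='Apr  8 20:30:36 fw1 named[4036]: loading configuration: permission denied
Apr  8 20:30:36 fw1 kernel: [206981.178545] type=1503 audit(1268105436.188:25): operation="open" pid=4045 parent=4035 profile="/usr/sbin/named" requested_mask="::r" denied_mask="::r" fsuid=103 ouid=0 name="/var/dns/named.root"
Apr 14 07:43:03 fw1 kernel: [3354128.463996] type=1503 audit(1271252583.472:49): operation="open" pid=15260 parent=15250 profile="/usr/sbin/named" requested_mask="::r" denied_mask="::r" fsuid=103 ouid=0 name="/var/dns/named.conf"
Apr 14 07:50:00 fw1 kernel: [3354545.000000] type=1503 audit(1271253000.000:50): operation="open" pid=15300 parent=15299 profile="/usr/sbin/named" requested_mask="::w" denied_mask="::w" fsuid=103 ouid=0 name="/var/dns/rndc.pid"'

# rules_for_log "<log text>": the whole pipeline, returned as text.
rules_for_log() {
    printf '%s\n' "$1" | apparmor_denials | suggest_rules
}

# Demo: DAC says the mode from the thread is readable by bind, yet the open
# was denied; the audit records explain why, and these are the rules.
dac_can_read bind bind '-rw-r----- 1 root bind 2938 2010-03-08 20:37 named.root'
rules_for_log "$SAMPLE_LOG"
```

The rules belong in the profile the audit record names, which is /etc/apparmor.d/usr.sbin.named on Ubuntu 9.10 (the post above writes usr.bin.named; the `profile=` field is the authoritative path), reloaded with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named`. Keep the zone and hints files at `r`; only the pid file needs `w`, so a rule for that one file is tighter than a blanket `/var/dns/** rw,` and avoids making the directory group- or world-writable as the thread ended up doing. Moving `pid-file` back to the package default under /var/run/named/ is the other option, provided the stock profile already allows writes there (check the profile before relying on it).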

Expert Comment

by:Jan Springer
ID: 30734915
I run bind in a chroot and so, have links from the non-chroot files pointing to the chrooted files.  My pid is in the chrooted directory structure, as well.

So, your pid file in the standard pid location or within the /var/dns structure makes sense.

A link from /etc/bind/named.conf to /var/dns/named.conf also makes sense.

I prefer to follow standards for the installation and to be consistent across like platforms (i.e., Ubuntu installs).  I don't use Ubuntu and so cannot advise as to the best location for those files.

Author Comment

by:jvossler
ID: 30735275
Thank you for all your help. It's been a real education.

Author Closing Comment

by:jvossler
ID: 31761086
This expert stuck with me through a great deal of tedious trouble shooting. Quickly responded to every post and solved the problem.