asked on
How do I make BIND clean up after itself when a zone is removed from it via RNDC from a master server?
Hello.
I have a Master/Slave DNS setup using Bind9 and RNDC on Centos7. It is working properly and zones are being replicated from the master server to the slave server when created. When a zone is deleted from the master, the RNDC command deletes the zone from the .nzf file correctly, however the actual zone file containing the records is left on the slave servers forever. Is there a way to make BIND clean up after itself for all discovered zone files which arent defined in slave .nzf file? I should clarify that I don't have the option to edit the rndc commands which are fired from the master server as it is not in my control. So maybe a script that would crawl the conf file daily and remove any zone files in /var/named/ which are not referenced in the .nzf file?
Thanks
I have a Master/Slave DNS setup using Bind9 and RNDC on Centos7. It is working properly and zones are being replicated from the master server to the slave server when created. When a zone is deleted from the master, the RNDC command deletes the zone from the .nzf file correctly, however the actual zone file containing the records is left on the slave servers forever. Is there a way to make BIND clean up after itself for all discovered zone files which arent defined in slave .nzf file? I should clarify that I don't have the option to edit the rndc commands which are fired from the master server as it is not in my control. So maybe a script that would crawl the conf file daily and remove any zone files in /var/named/ which are not referenced in the .nzf file?
Thanks
Linux* CentOSDNS
Last Comment
Chad Killion
ASKER
Arnold, from what I understand the "rndc delzone -clean" does exactly what I am looking for, but the problem is that the master server isn't under my control, so I don't have the ability to change the way rndc delzone is called. So what you are explaining above would be exactly what I am looking for. Some sort of daily cron job which would craw my /var/named/3bf305731dd2630
The deletion is daily straight forward
/usr/bin/find /var/named/pendingdelete -mtime -182 -exec rm {} \;
Another option you could periodically, check the age of the Nzf files.
What is the setup on the master to add zones?
Check the named log or messages log files if any to see if your side records a delzone request at which point you can trigger the move file event.
Which she'll scripting are you familiar comfortable with?
I'd as you seem to be inclined would implement this on the master as it should be.
I suspect those who implemented the setup excluded the clean option likely out of experience when an errand processing error issued too many deletes.
Another option is to list /var/named zone Files older then 30
-mtime -30
Then use dig to query the master
dig @maser axfr zonename
The above will either return zone info or confirm zone is not available.
A second check IMHO that should be run is whether root servers reflect the slave server as part if no records...
Only then move the zone file to pendingdelete
/usr/bin/find /var/named/pendingdelete -mtime -182 -exec rm {} \;
Another option you could periodically, check the age of the Nzf files.
What is the setup on the master to add zones?
Check the named log or messages log files if any to see if your side records a delzone request at which point you can trigger the move file event.
Which she'll scripting are you familiar comfortable with?
I'd as you seem to be inclined would implement this on the master as it should be.
I suspect those who implemented the setup excluded the clean option likely out of experience when an errand processing error issued too many deletes.
Another option is to list /var/named zone Files older then 30
-mtime -30
Then use dig to query the master
dig @maser axfr zonename
The above will either return zone info or confirm zone is not available.
A second check IMHO that should be run is whether root servers reflect the slave server as part if no records...
Only then move the zone file to pendingdelete
ASKER
The master server is running Plesk (a web hosting platform which also includes DNS.) Their implementation typically calls for the plesk server to also be the master server for the DNS zone files, but in my case I would rather use standalone DNS servers and only use the Plesk interface to allow our customers to edit their zones in a web interface. Their system is fairly locked down and doesn't allow me to do much other than make it work the way I currently have. I do see the "delzone" commands come into my /var/log/messages log on my DNS servers, so a trigger from that would be a good way to move the zones to /var/named/pendingdelete. I am a Windows guy, so vbscript is what I know. However I have done some python scripting and simple bash scripts in linux in the past, but this is beyond my scope of knowledge. If there was a responsible way to look at the /var/log/messages log file on my DNS servers and trigger a "move to pending delete" each time a zone is deleted, that would be perfect. If not, I would think just scanning the /var/named directory for all zone files and making some sort of an array object and then compare that to each line of the 3bf305731dd26307.nzf file which holds the definition, and move each file which doesn't exist in 3bf305731dd26307.nzf anymore to /var/named/pendingdelete?
If fail2ban is present, you can let THAT follow the logfile.
Then add a rule to the config to Fire a "block" script when a delzone request is reported.
The block script can then localy delete the zone.
Fail2ban parser line will also pickup the data you want if needed.
(This might need some tweaking as the regular Regular Expressions are for picking up IP addresses.)
Then add a rule to the config to Fire a "block" script when a delzone request is reported.
The block script can then localy delete the zone.
Fail2ban parser line will also pickup the data you want if needed.
(This might need some tweaking as the regular Regular Expressions are for picking up IP addresses.)
Check whether you are running syslog or rsyslog to handle the events.
Rsyslog can match patterns and trigger on even.
Another option if you have syslog, is to have the processing as part of the logrotation process, though that is susseptible to performing a delete after an error.
I.e. Sonething caused zebra.com to get a delete notice. A say later, the error is corrected, the zone is added back.
At the end of the week when the log has rotated, the processing script sees the delete notice, moving the zone file.
Try the following, check the age of existing zones.
Then try issue
Rndc reload zone
Does the date on the file gets updated.
You could use that to refresh zones, moving zones older than 45 days to pending delete.
The location of the pending delete inside the path would require the use of grep to exclude zone from pending delete..
It may require the use of sed or similar to strip out domain name from the filename..
Cd /var/named
find /var/named -mtime -30 -mtime +90 |grep -v 'pendindelete' | while read a; do
echo "working on zone $a"
rndc reload $a
done
Rsyslog can match patterns and trigger on even.
Another option if you have syslog, is to have the processing as part of the logrotation process, though that is susseptible to performing a delete after an error.
I.e. Sonething caused zebra.com to get a delete notice. A say later, the error is corrected, the zone is added back.
At the end of the week when the log has rotated, the processing script sees the delete notice, moving the zone file.
Try the following, check the age of existing zones.
Then try issue
Rndc reload zone
Does the date on the file gets updated.
You could use that to refresh zones, moving zones older than 45 days to pending delete.
The location of the pending delete inside the path would require the use of grep to exclude zone from pending delete..
It may require the use of sed or similar to strip out domain name from the filename..
Cd /var/named
find /var/named -mtime -30 -mtime +90 |grep -v 'pendindelete' | while read a; do
echo "working on zone $a"
rndc reload $a
done
ASKER
if I run "service rsyslog status" I get a return that it is active, so I would say that is running. I will need more help with a working script if possible as this is beyond what i can pull off in bash. If i were in vbscript I would simply:
- Read each filename into a variable in the /var/named path excluding those files and directories i don't care about
- Open /var/named/3bf305731dd2630
- start loop through array of file names from step 1
- Search /var/named/3bf305731dd2630
- If exists, move on
- Else move that file to /deletepending
- End of loop
Then at some interval I will delete old files in /deletepending. Can this be easily done in bash?
- Read each filename into a variable in the /var/named path excluding those files and directories i don't care about
- Open /var/named/3bf305731dd2630
- start loop through array of file names from step 1
- Search /var/named/3bf305731dd2630
- If exists, move on
- Else move that file to /deletepending
- End of loop
Then at some interval I will delete old files in /deletepending. Can this be easily done in bash?
The script is after the fact,
Using a rsyslog config to handle events
Named is the program message Delzone pass the message to a script that will parse extracting the zone.
https://askubuntu.com/questions/186592/how-do-i-configure-rsyslog-to-send-logs-from-a-specific-program-to-a-remote-sysl
Have not used bind in a while, when a XP e is added, does it show up in named.conf or in included configs.
Pkease post a snippet of data in the nzf file.
Nzf supposed to contain the list of domains and their status, subordinate?
Using a rsyslog config to handle events
Named is the program message Delzone pass the message to a script that will parse extracting the zone.
https://askubuntu.com/questions/186592/how-do-i-configure-rsyslog-to-send-logs-from-a-specific-program-to-a-remote-sysl
Have not used bind in a while, when a XP e is added, does it show up in named.conf or in included configs.
Pkease post a snippet of data in the nzf file.
Nzf supposed to contain the list of domains and their status, subordinate?
ASKER
I think maybe you are thinking I want to fire off the removal of the stale zone with the delzone pass from RNDC. That would be OK, but I don't care if I only run this script like once a day or once a week. I am just trying to prevent the directory from filling up with data files for zones which have long been gone. My last DNS server was used for 11 years and there are literally thousands of zones which we are no longer authoratative for. Just trying to prevent that. Doesn't have to be complicated, just crawl the /var/named/3bf305731dd2630
Then if I do an "ls" from /var/named I get the following:
So in this case if we ran the script, I would exclude the following: zones.reverse, 3bf305731dd26307.nzf , and the 3 directories and consider everything else a valid dns zone. Then running the script would move the following zones to /var/named/deletepending:
Those 2 files should be moved because they don't appear in the 3bf305731dd26307.nzf. How can I accomplish this with a bash script? I don't need any monitoring of the /var/log/messages file to do this as far as I can tell because I don't care that it happens in relation to a delzone command, just once per day. Thanks!
zone "domain.com" { type slave; file "domain.com"; masters { 192.168.88.66; }; };
zone "domain-2.us" { type slave; file "domain-2.us"; masters { 192.168.88.67; }; };
zone "domain-3.com" { type slave; file "domain-3.com"; masters { 192.168.88.68; }; };
zone "plesktest123.tld" { type slave; file "plesktest123.tld"; masters { 192.168.88.69; }; };
zone "domain-4.com" { type slave; file "domain-4.com"; masters { 192.168.88.69; }; };
zone "domain-5.coop" { type slave; file "domain-5.coop"; masters { 192.168.88.69; }; };
Then if I do an "ls" from /var/named I get the following:
[ data ]
[ dynamic ]
[ slaves ]
3bf305731dd26307.nzf
domain.com
domain-2.us
qwe.qwe
domain-3.com
testing12345.com
domain-4.com
plesktest123.tld
domain-5.coop
zones.reverse
So in this case if we ran the script, I would exclude the following: zones.reverse, 3bf305731dd26307.nzf , and the 3 directories and consider everything else a valid dns zone. Then running the script would move the following zones to /var/named/deletepending:
qwe.qwe
testing12345.com
Those 2 files should be moved because they don't appear in the 3bf305731dd26307.nzf. How can I accomplish this with a bash script? I don't need any monitoring of the /var/log/messages file to do this as far as I can tell because I don't care that it happens in relation to a delzone command, just once per day. Thanks!
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Forgot the top 2 lines of the script...sorry:
namedir="/var/named"
scriptdir="/var/named/script"
glad that you found a solution.
Hm. That script only moves them to ./deletepending,, it does not remove them from the system.
ASKER
Noci- right. This was deemed safer than just deleting the files. I can go by once a quarter or whatever and clear this directory of any files older than X days.
You could use a cron job that will go through the named.con and the zone based confi depending on your settings. And move files that are no longer in the config to a pending delete area.
The pending delete area will have either the same or a bother cron that will go through and delete zones that are older than six months....
Commonly in a master, slave setup, there is a pushes the new configuration of zones. If memory serves, rndc only issues reconfigure, reload to trigger the rereading of the local config.