# BIND server failure

## LC76

Hi all, I've got a curious one here. I've been running BIND 9 on a server for years and now all of a sudden, whenever it's asked to answer a query for my locally-hosted web sites, it comes back with a server failure. All the local machines on the network have no trouble querying it for DNS transactions for sites in the outside world, it's just failing on queries to my own domains. I haven't changed the configuration at all, it's chrooted,

```
/etc/bind on /chroot/dns/etc/bind type none (rw,bind)
/var/bind on /chroot/dns/var/bind type none (rw,bind)
/var/log/named on /chroot/dns/var/log/named type none (rw,bind)
```

there are no log files or messages generated for named anywhere, named-checkconf and named-checkzone report no errors, and if I run the host command, it looks like it can't find any of the zone files:

```
host fred.net
Host fred.net not found: 2(SERVFAIL)
```

Yet all the symlinks follow through when you step through them manually.

Can anyone shed some light on what's going on?

----------

## pa4wdh

Would you mind sharing your bind config with us?

----------

## LC76

*pa4wdh wrote:*

> Would you mind sharing your bind config with us?

Sure.

```
/*
 * Refer to the named.conf(5) and named(8) man pages, and the documentation
 * in /usr/share/doc/bind-9 for more details.
 * Online versions of the documentation can be found here:
 * http://www.isc.org/software/bind/documentation
 *
 * If you are going to set up an authoritative server, make sure you
 * understand the hairy details of how DNS works. Even with simple mistakes,
 * you can break connectivity for affected parties, or cause huge amounts of
 * useless Internet traffic.
 */

acl "xfer" {
   /* Deny transfers by default except for the listed hosts.
    * If we have other name servers, place them here.
    */
   none;
};

/*
 * You might put in here some ips which are allowed to use the cache or
 * recursive queries
 */
acl "trusted" {
   127.0.0.0/8;
   192.168.1.0/24;
   192.168.2.0/24;
   192.168.3.0/24;
   192.168.4.0/24;
   ::1/128;
};

options {
   directory "/var/bind";
   pid-file "/var/run/named/named.pid";

   /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
   //bindkeys-file "/etc/bind/bind.keys";

   listen-on-v6 { ::1; };
   listen-on { 127.0.0.1; 192.168.1.2; };

   allow-query {
      /*
       * Accept queries from our "trusted" ACL.  We will
       * allow anyone to query our master zones below.
       * This prevents us from becoming a free DNS server
       * to the masses.
       */
      trusted;
   };

   allow-query-cache {
      /* Use the cache for the "trusted" ACL. */
      trusted;
   };

   allow-recursion {
      /* Only trusted addresses are allowed to use recursion. */
      trusted;
   };

   allow-transfer {
      /* Zone transfers are denied by default. */
      none;
   };

   allow-update {
      /* Don't allow updates, e.g. via nsupdate. */
      none;
   };

   /*
   * If you've got a DNS server around at your upstream provider, enter its
   * IP address here, and enable the line below. This will make you benefit
   * from its cache, thus reduce overall DNS traffic in the Internet.
   *
   * Uncomment the following lines to turn on DNS forwarding, and change
   *  and/or update the forwarding ip address(es):
   */
/*
//   forward first;
//   forwarders {
   //   123.123.123.123;   // Your ISP NS
   //   124.124.124.124;   // Your ISP NS
   //   4.2.2.1;      // Level3 Public DNS
   //   4.2.2.2;      // Level3 Public DNS
//      8.8.8.8;      // Google Open DNS
//      8.8.4.4;      // Google Open DNS
//   };
*/

   //dnssec-enable yes;
   //dnssec-validation yes;

   /*
    * As of bind 9.8.0:
    * "If the root key provided has expired,
    * named will log the expiration and validation will not work."
    */
   //dnssec-validation auto;

   /* if you have problems and are behind a firewall: */
   //query-source address * port 53;
};

/*
logging {
   channel default_log {
      file "/var/log/named/named.log" versions 5 size 50M;
      print-time yes;
      print-severity yes;
      print-category yes;
   };

   category default { default_log; };
   category general { default_log; };
};
*/

include "/etc/bind/rndc.key";

controls {
   inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

view "internal" {
   match-clients { 127.0.0.1; 192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24; 192.168.4.0/24; };
   recursion yes;

      zone "." IN {
         type hint;
         file "named.root";
      };

      zone "localhost" IN {
         type master;
         file "pri/localhost.zone";
         allow-update { none; };
         notify no;
      };

      zone "127.in-addr.arpa" IN {
         type master;
         file "pri/127.zone";
         allow-update { none; };
         notify no;
      };

      zone "fred.net" {
         type master;
         notify no;
         file "pri/external/fred.net.zone";
      };
}

view "external" {
   allow-query { any; };
   allow-recursion { localhost; };
//   match-clients { any; };
//   recursion no;

      zone "." IN {
         type hint;
         file "named.root";
      };

      zone "localhost" IN {
         type master;
         file "pri/localhost.zone";
         allow-update { none; };
         notify no;
      };

      zone "127.in-addr.arpa" IN {
         type master;
         file "pri/127.zone";
         allow-update { none; };
         notify no;
      };

      zone "fred.net" {
         type master;
         notify yes;
         // allow transfers to slave DNS
         allow-transfer { 208.79.240.3; 208.79.241.3; };
         file "pri/external/fred.net.zone";
      };
};
```

----------

## pa4wdh

That looks good.

I'm trying to figure out why you don't get any logs; BIND logs are usually quite informative. Is syslog running? You've commented out your logging configuration, which means it falls back to its default, which is syslog.

My guess would be that there's some reason why BIND isn't loading your fred.net zone file. Would you mind sharing its contents?

----------

## LC76

Sure. This is a typical zone file. As I said, all of this has been working flawlessly for years, and then it just... ceased to proceed, as they say. No updates have ever been done on this particular server.

```
; Zone file for mydomain.net
;
$ttl 38400
mydomain.net.   IN   SOA   ns1.mydomain.net. webmaster.mydomain.net. (
         2019060902
         8H
         2H
         4W
         1D )

; Internet Addresses
mydomain.net.               IN    A        123.100.025.240
www.mydomain.net.           IN    CNAME    mydomain.net.
groupware.mydomain.net.     IN    CNAME    mydomain.net.

; Machine Addresses
ns1.mydomain.net.           IN    A        123.100.025.240
                            IN    HINFO    Compaq_DL380 Gentoo
ns1.rollernet.us.           IN    A        208.79.240.3
ns2.rollernet.us.           IN    A        208.79.241.3
mailbot.mydomain.net.       IN    A        123.100.025.240
                            IN    HINFO    Compaq_DL380 Gentoo
mail2.rollernet.us.         IN    A        208.79.241.2

; Name Servers
mydomain.net.               IN    NS       ns1.mydomain.net.
                            IN    NS       ns1.rollernet.us.
                            IN    NS       ns2.rollernet.us.

; Mail Servers
mydomain.net.               IN    MX    10   mailbot.mydomain.net.
                            IN    MX    20   mail2.rollernet.us.

; SPF Record for domain
mydomain.net.               IN    TXT    "v=spf1 mx ~all"

; SPF Record for mail host
mailbot.mydomain.net.       IN    TXT    "v=spf1 a ~all"

; Reverse DNS entry
240.025.100.123.in-addr.arpa.      IN    PTR   mailbot.mydomain.net.
```

----------

## pa4wdh

While the syntax is correct, this doesn't seem like a valid zone file for fred.net: it doesn't contain any record for the fred.net domain. Are you sure you sent the correct file?

Given this file, I understand why it doesn't work; I'm actually surprised it has worked. There are records for mydomain.net and rollernet.us and even a reverse record, none of which match the fred.net domain. What would you expect to be resolvable within the fred.net domain?

----------

## LC76

Well, for "mydomain", replace that with "fred". I've just replaced the names to remove anything confidential.

----------

## pa4wdh

I've installed BIND (version 9.16.8 was available from portage), and tried to load your files, replacing "mydomain" with "fred".

I had to make some changes to make it work:

Your bind configuration is missing a ; after the closing bracket for the internal view. Maybe it's a copy/paste error from when you copied it to the forums, because bind didn't start at all.

In your zone data, the IP addresses are written as 123.100.025.240 and bind didn't like the 0 in 025. It logged:

```
21-Feb-2021 11:02:46.469 dns_rdata_fromtext: /etc/bind/fred.net:11: near '123.100.025.240': bad dotted quad
```

When I changed the IP address to 123.100.25.240 bind did load the zone file and the "fred.net" domain started working.

It still didn't like the out-of-zone data:

```
21-Feb-2021 12:15:30.490 /etc/bind/fred.net:18: ignoring out-of-zone data (ns1.rollernet.us)
21-Feb-2021 12:15:30.490 /etc/bind/fred.net:19: ignoring out-of-zone data (ns2.rollernet.us)
21-Feb-2021 12:15:30.490 /etc/bind/fred.net:22: ignoring out-of-zone data (mail2.rollernet.us)
21-Feb-2021 12:15:30.490 /etc/bind/fred.net:40: ignoring out-of-zone data (240.025.100.123.in-addr.arpa)
```

If these records are valuable to you, I suggest moving them to their appropriate zones.
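As an added example (not from this thread and not ISC's BIND code), the small Python checker below flags the two classes of zone-file problem that pa4wdh's log lines show: an A record whose dotted quad has a leading zero in an octet ("bad dotted quad"), and records whose owner name is outside the zone origin ("ignoring out-of-zone data"). The sample zone is constructed from the thread's file with "mydomain" replaced by "fred"; the function names and the output format are this example's own. It is a pre-check to run before `named-checkzone` from the version of BIND you actually run, not a replacement for it.

```python
import re

# Constructed sample modelled on the zone file posted in the thread, keeping the
# leading-zero octets and out-of-zone owner names that BIND 9.16 complained about.
SAMPLE_ZONE = """\
$ttl 38400
fred.net.   IN   SOA   ns1.fred.net. webmaster.fred.net. (
         2019060902
         8H
         2H
         4W
         1D )
fred.net.            IN    A        123.100.025.240
www.fred.net.        IN    CNAME    fred.net.
ns1.fred.net.        IN    A        123.100.025.240
                     IN    HINFO    Compaq_DL380 Gentoo
ns1.rollernet.us.    IN    A        208.79.240.3
mailbot.fred.net.    IN    A        123.100.25.240
240.025.100.123.in-addr.arpa.   IN    PTR   mailbot.fred.net.
"""

DOTTED_QUAD = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def in_zone(owner, origin):
    """True if owner is the origin itself or a name below it (label-aware,
    so 'fred.network' is NOT inside 'fred.net')."""
    owner = owner.rstrip(".").lower()
    origin = origin.rstrip(".").lower()
    return owner == origin or owner.endswith("." + origin)


def has_leading_zero_octet(addr):
    """Octets like '025' are rejected by newer BIND as 'bad dotted quad'."""
    if not DOTTED_QUAD.match(addr):
        return False
    return any(len(octet) > 1 and octet[0] == "0" for octet in addr.split("."))


def lint_zone(text, origin):
    """Return a list of (line_number, message) findings for a master-file text.
    Handles comments, $-directives, owner-name inheritance for lines that start
    with whitespace, and the multi-line parenthesised SOA."""
    findings = []
    owner = None
    in_paren = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()   # drop ';' comments
        if not line:
            continue
        if in_paren:                           # inside SOA ( ... )
            if ")" in line:
                in_paren = False
            continue
        if line.startswith("$"):               # $TTL / $ORIGIN directives
            continue
        tokens = line.split()
        if not raw[0].isspace():               # explicit owner name on this line
            owner = tokens[0]
            tokens = tokens[1:]
        if owner is None:
            findings.append((lineno, "record without an owner name"))
            continue
        if "(" in line and ")" not in line:
            in_paren = True
        if tokens and tokens[0].isdigit():     # optional TTL
            tokens = tokens[1:]
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):   # optional class
            tokens = tokens[1:]
        if not tokens:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if not in_zone(owner, origin):
            findings.append((lineno, f"out-of-zone data ({owner.rstrip('.')})"))
            continue
        if rtype == "A" and rdata and has_leading_zero_octet(rdata[0]):
            findings.append((lineno, f"bad dotted quad {rdata[0]!r} (leading zero in octet)"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_zone(SAMPLE_ZONE, "fred.net"):
        print(f"fred.net:{lineno}: {msg}")
```

Run against the constructed sample it reports lines 8 and 10 (leading zeros) and lines 12 and 14 (out-of-zone owners), which is the same set of problems the 9.16.8 logs pointed at. The `in_zone` check appends a dot before comparing so a sibling domain that merely shares a prefix is not mistaken for a subdomain.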

----------

## LC76

*pa4wdh wrote:*

> I've installed BIND (version 9.16.8 was available from portage), and tried to load your files, replacing "mydomain" with "fred".

I need to mention that the domain names and addresses are fictional in order to protect the innocent. However it remains that everything was working for years, and then suddenly stopped, without any upgrades or modifications, and that's what stumped me.

----------

## pa4wdh

I do know that from version to version BIND can become more picky on the files you're feeding it. It's usually a good thing, since it ensures the files are syntactically correct which gives a more reliable result.

A wild guess at what might have happened:

1) A bind version that accepted your files was running.

2) With an update, the BIND program on disk changed to a version that doesn't accept the files, and it was not restarted (so the running version was still working and you didn't notice the change).

3) For some reason, much later, the BIND process was restarted, now starting the one that didn't accept your files.

Does that seem plausible?

To be honest, I'm more worried about the fact that you didn't get log info. As you can see from my post, it gave good hints to point out what was wrong; if you had the logs I'm sure you could have found and fixed the problems too.

----------

