OpenWrt Forum Archive

Topic: bind not accessible from wan interface

The content of this topic has been archived on 6 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

This is a Ubiquiti Router Station with 15.05.1.

Installed and configured bind packages as per wiki instructions. dnsmasq has the dns part disabled by port= 0.

PCs plugged into the LAN ports are assigned the bind server dns and work as expected. I confirm that it is bind that is resolving the requests and not dnsmasq.

The problem arises when I try to use bind from the WAN side as it appears that the dns traffic is blocked to/from the WAN port. I have added an entry in the firewall port forwards to forward TCP/UDP port 53 but this seems to have no effect.

Have I missed something?

Thanks in advance,

Perazim

If the DNS server is running in the router, you do not need to forward the port but to open it; in case of doubt, post your "firewall" config here.

Here are the traffic rules after I dropped the port forward and opened port 53 for bind on the router. Still no access. Something else blocking this?

Thanks,

Perazim

Firewall - Traffic Rules
Traffic rules define policies for packets traveling between different zones, for example to reject traffic between certain hosts or to open WAN ports on the router.

Traffic Rules (Name / Match / Action)

Allow-DHCP-Renew
  IPv4-UDP, from any host in wan, to any router IP at port 68 on this device
  Accept input

============================================
Allow DNS Queries to BIND
  IPv4-TCP, UDP, from any host in wan, to any router IP at port 53 on this device
  Accept input
============================================

Allow-Ping
  IPv4-ICMP with type echo-request, from any host in wan, to any router IP on this device
  Accept input

Allow-IGMP
  IPv4-IGMP, from any host in wan, to any router IP on this device
  Accept input

Allow-DHCPv6
  IPv6-UDP, from IP range fe80::/10 in wan with source port 547, to IP range fe80::/10 at port 546 on this device
  Accept input

Allow-MLD
  IPv6-ICMP with types 130/0, 131/0, 132/0, 143/0, from IP range fe80::/10 in wan, to any router IP on this device
  Accept input

Allow-ICMPv6-Input
  IPv6-ICMP with types echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, bad-header, unknown-header-type, router-solicitation, neighbour-solicitation, router-advertisement, neighbour-advertisement, from any host in wan, to any router IP on this device
  Accept input and limit to 1000 pkts. per second

Allow-ICMPv6-Forward
  IPv6-ICMP with types echo-request, echo-reply, destination-unreachable, packet-too-big, time-exceeded, bad-header, unknown-header-type, from any host in wan, to any host in any zone
  Accept forward and limit to 1000 pkts. per second

- (unnamed)
  Any IPSEC-ESP, from any host in wan, to any host in lan
  Accept forward

- (unnamed)
  Any UDP, from any host in wan, to any host, port 500 in lan
  Accept forward

So far, that seems good to me. You can enable logging, both on the firewall and the DNS server, and see where the packets are being dropped. And use one of those online "port check" utilities to confirm that the port is indeed open. On the other hand, some ISPs block traffic to some ports (25 and 53 are quite popular) on residential connections.

First, some more info: This is a Ubiquiti Routerstation with Openwrt 15.05.1 built with Image Maker using the default packages plus the bind packages and nano. It is located at an ISP itself behind a NAT firewall provided by a Zyxel router. The BIND is configured without any zones just to handle all the dns traffic on a wireless network with approx 125 customers.

The dns functions work fine from the LAN side with the dns queries upstream going out and returning over the WAN side.

Second, from the WAN side, I ran nmap -v -sT -sU 192.168.1.21 (WAN ip). It showed ALL ports closed.

I tried adding config for bind logging but got nowhere.

Here is the current /etc/config/firewall:


config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Allow DNS Queries to BIND'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fe80::/10'
    option src_port '547'
    option dest_ip 'fe80::/10'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config include
    option path '/etc/firewall.user'

I didn't find any way to understand how to turn on firewall logging.

So, if the firewall is configured correctly, the only things I can think of are possibly a new system wide feature to block all inbound WAN traffic that I don't know about, or the bind server is not answering requests from the WAN, which I would find hard to understand as both the LAN and WAN ip address for BIND are 192.168.2.1.

This now leads me to ask the question: If the DHCP(ZYXEL) assigned IP for the WAN is 192.168.1.21 and the static LAN IP for the router is 192.168.2.1, how does this open port rule listed above connect these two? Wouldn't the ACCEPT rule simply allow the traffic in but not remap it to the 192.168.2.1 IP address?

Thanks for the help,

Perazim
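A way to check what a posted /etc/config/firewall actually allows for router input from wan, as an added example in Python (not code from the thread or from OpenWrt's fw3; the evaluation order of rules before zone and default policies, the DROP default target for rules, and the sample config are assumptions modelled on the thread's config):

```python
"""Evaluate an OpenWrt /etc/config/firewall for router-input reachability.

Added example, not code from the thread or from OpenWrt's fw3. It parses the
UCI syntax shown in the thread and answers, for a packet arriving in zone
wan addressed to the router itself, which `config rule` accepts it or which
input policy (zone first, then global defaults) decides. It also lists any
zone whose effective input policy is ACCEPT, since that exposes every
service the router listens on rather than one port.
"""

def parse_uci(text):
    """Parse UCI text into (section_type, options) pairs; `option` keys are
    scalars, `list` keys accumulate into Python lists."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith('#'):
            continue
        if parts[0] == 'config':
            sections.append((parts[1], {}))
        elif parts[0] in ('option', 'list') and sections:
            val = parts[2].strip().strip("'\"") if len(parts) > 2 else ''
            opts = sections[-1][1]
            if parts[0] == 'list':
                opts.setdefault(parts[1], []).append(val)
            else:
                opts[parts[1]] = val
    return sections

def rule_matches(opts, zone, proto, port, family):
    """True if a `config rule` matches traffic from `zone` to the router on
    proto/port. Rules with a `dest` zone are forward rules (the thread's IPsec
    rules) and never decide router input."""
    if opts.get('src') != zone or 'dest' in opts:
        return False
    if opts.get('family', 'any') not in (family, 'any'):
        return False
    protos = opts.get('proto', 'tcp udp').replace('tcpudp', 'tcp udp').split()
    if proto not in protos and 'all' not in protos:
        return False
    dport = opts.get('dest_port')
    return dport is None or str(port) in dport.split()

def input_verdict(sections, zone, proto, port, family='ipv4'):
    """Return (target, reason) for router input from `zone` on proto/port,
    checking explicit rules, then the zone policy, then global defaults
    (assumed order, modelled on fw3; rule target defaults to DROP)."""
    for stype, opts in sections:
        if stype == 'rule' and rule_matches(opts, zone, proto, port, family):
            return opts.get('target', 'DROP'), 'rule ' + opts.get('name', '(unnamed)')
    for stype, opts in sections:
        if stype == 'zone' and opts.get('name') == zone and 'input' in opts:
            return opts['input'], 'zone %s input policy' % zone
    for stype, opts in sections:
        if stype == 'defaults' and 'input' in opts:
            return opts['input'], 'global defaults input policy'
    return 'DROP', 'no input policy found'

def audit_open_zones(sections):
    """Names of zones whose effective input policy is ACCEPT."""
    default_input = 'DROP'
    for stype, opts in sections:
        if stype == 'defaults':
            default_input = opts.get('input', default_input)
    return [opts.get('name') for stype, opts in sections
            if stype == 'zone' and opts.get('input', default_input) == 'ACCEPT']

# Constructed sample, modelled on the config posted in the thread.
SAMPLE = """
config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'Allow DNS Queries to BIND'
    option family 'ipv4'

config defaults
    option input 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
"""
```

With the sample, `input_verdict(parse_uci(SAMPLE), 'wan', 'udp', 53)` is accepted by the DNS rule while port 22 falls through to the wan zone's REJECT, so an input ACCEPT rule for port 53 is enough on paper and opening the whole zone is not needed for that port.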

perazim wrote:

[...]both the LAN and WAN ip address for BIND is 192.168.2.1[...]

perazim wrote:

[...]If the DHCP(ZYXEL) assigned IP for the WAN is 192.168.1.21 and the static LAN IP for the router is 192.168.2.1, how does this open port rule listed about connect these two?[...]

What does that exactly mean? Have you configured BIND to listen only to the LAN interface? Why not both?

Over the weekend, I discovered at least part of the problem.

Firewall/General Settings/Input was set to Reject. This is factory default. Set it to Accept and the SSH access works after I entered a port forward for port 22.

DNS access initially worked with a port forward for port 53. It was a port forward that was needed, not a port open. After I moved to a different location this morning, it stopped working, so I am still troubleshooting today.

Disregard the earlier ramblings as I started down a rabbit hole.

The Bind server answers on all router network interfaces as I have not changed the defaults.

Thanks,

Perazim

Update: I have isolated the remaining troubles to named and that they are intermittent. I restarted named and found the following in syslog:

(more comments after log)

Tue May  9 08:04:55 2017 daemon.notice named[1397]: available at https://www.isc.org/support
Tue May  9 08:04:55 2017 daemon.notice named[1397]: ----------------------------------------------------
Tue May  9 08:04:55 2017 daemon.info named[1397]: using 1 UDP listener per interface
Tue May  9 08:04:55 2017 daemon.info named[1397]: using up to 4096 sockets
Tue May  9 08:04:55 2017 daemon.notice named[1313]: exiting
Tue May  9 08:04:55 2017 daemon.info named[1397]: loading configuration from '/etc/bind/named.conf'
Tue May  9 08:04:56 2017 daemon.info named[1397]: using default UDP/IPv4 port range: [32768, 61000]
Tue May  9 08:04:56 2017 daemon.info named[1397]: using default UDP/IPv6 port range: [32768, 61000]
Tue May  9 08:04:56 2017 daemon.info named[1397]: listening on IPv4 interface lo, 127.0.0.1#53
Tue May  9 08:04:56 2017 daemon.info named[1397]: listening on IPv4 interface eth0, 192.168.1.18#53
Tue May  9 08:04:56 2017 daemon.info named[1397]: listening on IPv4 interface br-lan, 192.168.2.1#53
Tue May  9 08:04:56 2017 daemon.info named[1397]: generating session key for dynamic DNS
Tue May  9 08:04:56 2017 daemon.info named[1397]: sizing zone task pool based on 5 zones
Tue May  9 08:04:56 2017 daemon.info named[1397]: set up managed keys zone for view _default, file 'managed-keys.bind'
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 10.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 16.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 17.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 18.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 19.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 20.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 21.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 22.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 23.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 24.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 25.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 26.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 27.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 28.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 29.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 30.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 31.172.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 168.192.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 64.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 65.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 66.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 75.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 76.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 77.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 78.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 79.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 80.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 81.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 82.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 83.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 84.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 85.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 86.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 87.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 88.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 89.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 90.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 91.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 92.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 93.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 94.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 95.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 96.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 97.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 98.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 99.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 100.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 101.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 102.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 103.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 104.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 105.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 106.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 107.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 108.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 109.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 110.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 111.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 112.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 113.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 114.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 115.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 116.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 117.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 118.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 119.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 120.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 121.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 122.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 123.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 124.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 125.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 126.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 127.100.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 254.169.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: D.F.IP6.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 8.E.F.IP6.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 9.E.F.IP6.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: A.E.F.IP6.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: B.E.F.IP6.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: automatic empty zone: EMPTY.AS112.ARPA
Tue May  9 08:04:56 2017 daemon.info named[1397]: configuring command channel from '/etc/rndc.key'
Tue May  9 08:04:56 2017 daemon.notice named[1397]: couldn't add command channel 127.0.0.1#953: file not found
Tue May  9 08:04:56 2017 daemon.info named[1397]: configuring command channel from '/etc/rndc.key'
Tue May  9 08:04:56 2017 daemon.notice named[1397]: couldn't add command channel ::1#953: file not found
Tue May  9 08:04:56 2017 daemon.info named[1397]: managed-keys-zone: loaded serial 0
Tue May  9 08:04:56 2017 daemon.info named[1397]: zone 0.in-addr.arpa/IN: loaded serial 1
Tue May  9 08:04:56 2017 daemon.info named[1397]: zone 127.in-addr.arpa/IN: loaded serial 1
Tue May  9 08:04:56 2017 daemon.info named[1397]: zone localhost/IN: loaded serial 1
Tue May  9 08:04:56 2017 daemon.info named[1397]: zone 255.in-addr.arpa/IN: loaded serial 1
Tue May  9 08:04:56 2017 daemon.notice named[1397]: all zones loaded
Tue May  9 08:04:56 2017 daemon.notice named[1397]: running
Tue May  9 08:05:03 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1-240.akam.net/A/IN': 2001:503:a83e::2:30#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-1414.awsdns-48.org/A/IN': 2001:500:84::b#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-1414.awsdns-48.org/AAAA/IN': 2001:500:84::b#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-1306.awsdns-35.org/AAAA/IN': 2001:500:48::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-1306.awsdns-35.org/AAAA/IN': 2001:500:e::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-418.awsdns-52.com/AAAA/IN': 2600:9000:5300:3500::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-418.awsdns-52.com/AAAA/IN': 2600:9000:5302:7400::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-418.awsdns-52.com/AAAA/IN': 2600:9000:5304:b400::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-1306.awsdns-35.org/AAAA/IN': 2600:9000:5300:a300::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'm.gtld-servers.net/AAAA/IN': 2001:500:126::30#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'm.gtld-servers.net/AAAA/IN': 2001:500:127::30#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-795.awsdns-35.net/A/IN': 2600:9000:5303:2500::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-795.awsdns-35.net/A/IN': 2600:9000:5307:a300::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-235.awsdns-29.com/A/IN': 2600:9000:5302:5d00::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-235.awsdns-29.com/AAAA/IN': 2600:9000:5302:5d00::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-235.awsdns-29.com/A/IN': 2600:9000:5304:9d00::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-235.awsdns-29.com/AAAA/IN': 2600:9000:5304:9d00::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-235.awsdns-29.com/A/IN': 2600:9000:5300:1e00::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-235.awsdns-29.com/AAAA/IN': 2600:9000:5300:1e00::1#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.first-ns.de/A/IN': 2001:500:1::53#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.first-ns.de/AAAA/IN': 2001:500:1::53#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'robotns2.second-ns.de/A/IN': 2001:dc3::35#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'robotns2.second-ns.de/AAAA/IN': 2001:dc3::35#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.first-ns.de/A/IN': 2001:dc3::35#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.first-ns.de/AAAA/IN': 2001:dc3::35#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'robotns2.second-ns.de/A/IN': 2001:7fe::53#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'robotns2.second-ns.de/AAAA/IN': 2001:7fe::53#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.first-ns.de/A/IN': 2001:7fe::53#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.first-ns.de/AAAA/IN': 2001:7fe::53#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.first-ns.de/A/IN': 2001:500:a8::e#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'robotns2.second-ns.de/A/IN': 2001:500:a8::e#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'robotns2.second-ns.de/AAAA/IN': 2001:500:a8::e#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.first-ns.de/AAAA/IN': 2001:500:a8::e#53
Tue May  9 08:05:06 2017 daemon.info named[1397]: error (permission denied) resolving 'luci.subsignal.org/AAAA/IN': 2001:67c:192c::add:a3#53
Tue May  9 08:05:06 2017 daemon.info named[1397]: error (permission denied) resolving 'luci.subsignal.org/A/IN': 2001:67c:192c::add:a3#53
Tue May  9 08:05:06 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.your-server.de/A/IN': 2001:500:2f::f#53
Tue May  9 08:05:06 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.your-server.de/A/IN': 2001:503:c27::2:30#53
Tue May  9 08:05:06 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.your-server.de/A/IN': 2001:668:1f:11::105#53
Tue May  9 08:05:06 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.your-server.de/A/IN': 2001:67c:192c::add:b3#53
Tue May  9 08:05:06 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.your-server.de/A/IN': 2a01:4f8:0:a101::b:1#53
Tue May  9 08:05:06 2017 daemon.info named[1397]: error (permission denied) resolving 'z.nic.de/AAAA/IN': 2a02:568:121:6:2::2#53
Tue May  9 08:05:08 2017 daemon.info named[1397]: error (permission denied) resolving 'robotns2.second-ns.de/A/IN': 2001:503:ba3e::2:30#53
Tue May  9 08:05:08 2017 daemon.info named[1397]: error (permission denied) resolving 'robotns2.second-ns.de/AAAA/IN': 2001:503:ba3e::2:30#53
Tue May  9 08:05:12 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.first-ns.de/A/IN': 2001:67c:1011:1::53#53
Tue May  9 08:05:12 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.first-ns.de/A/IN': 2001:678:2::53#53
Tue May  9 08:05:12 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1.first-ns.de/A/IN': 2a01:4f8:d0a:2006::2#53
Tue May  9 08:05:36 2017 daemon.info named[1397]: error (permission denied) resolving 'www.stevequayle.com.cdn.cloudflare.net/AAAA/IN': 2400:cb00:2049:1::c629:de83#53
Tue May  9 08:05:37 2017 daemon.notice named[1397]: DNS format error from 38.108.81.8#53 resolving www.kitconet.com/AAAA for client 192.168.2.164#40830: Name kitconet.com (SOA) not subdomain of zone www.kitconet.com -- invalid response
Tue May  9 08:05:37 2017 daemon.info named[1397]: error (FORMERR) resolving 'www.kitconet.com/AAAA/IN': 38.108.81.8#53
Tue May  9 08:05:37 2017 daemon.notice named[1397]: DNS format error from 8.21.40.8#53 resolving www.kitconet.com/AAAA for client 192.168.2.164#40830: Name kitconet.com (SOA) not subdomain of zone www.kitconet.com -- invalid response
Tue May  9 08:05:37 2017 daemon.info named[1397]: error (FORMERR) resolving 'www.kitconet.com/AAAA/IN': 8.21.40.8#53
Tue May  9 08:05:39 2017 daemon.info named[1397]: error (permission denied) resolving 'support.mozilla.org/A/IN': 2001:500:f::1#53
Tue May  9 08:05:39 2017 daemon.info named[1397]: error (permission denied) resolving 'support.mozilla.org/AAAA/IN': 2001:500:f::1#53
Tue May  9 08:05:39 2017 daemon.info named[1397]: error (permission denied) resolving 'sumo.external.zlb.scl3.mozilla.com/A/IN': 2001:503:231d::2:30#53
Seems as though there is a permissions problem with named. These dns requests producing the errors are coming from a machine connected to the LAN using openwrt named as a dns server.

Thanks,

Perazim
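To sort through a named log like the one above before changing any configuration, as an added example in Python (not code from the thread or from ISC; the line format is taken from the excerpt itself and the sample lines are copied from it):

```python
"""Triage BIND resolver errors from syslog lines like those in the thread.

Added example, not code from the thread or from ISC. It parses the
`error (<reason>) resolving '<name>/<type>/<class>': <server>#<port>` lines
that named writes and groups them by reason and by the address family of
the upstream server, so a pattern such as every failure of one kind pointing
at one address family stands out.
"""
import ipaddress
import re
from collections import Counter

RESOLVE_ERR = re.compile(
    r"named\[(?P<pid>\d+)\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)\s*$"
)

def parse_resolve_errors(lines):
    """Return one dict per matching line; non-matching lines (startup
    notices, 'DNS format error from ...' notices) are skipped."""
    errors = []
    for line in lines:
        m = RESOLVE_ERR.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec['family'] = 'IPv%d' % ipaddress.ip_address(rec['server']).version
        errors.append(rec)
    return errors

def summarize(errors):
    """Count (reason, upstream address family) pairs."""
    return Counter((e['reason'], e['family']) for e in errors)

def failing_upstreams(errors, reason):
    """Distinct upstream servers behind a given error reason."""
    return sorted({e['server'] for e in errors if e['reason'] == reason})

# Sample lines copied from the syslog excerpt posted in the thread.
SAMPLE_LOG = """\
Tue May  9 08:04:56 2017 daemon.notice named[1397]: running
Tue May  9 08:05:03 2017 daemon.info named[1397]: error (permission denied) resolving 'ns1-240.akam.net/A/IN': 2001:503:a83e::2:30#53
Tue May  9 08:05:05 2017 daemon.info named[1397]: error (permission denied) resolving 'ns-1414.awsdns-48.org/AAAA/IN': 2001:500:84::b#53
Tue May  9 08:05:37 2017 daemon.notice named[1397]: DNS format error from 38.108.81.8#53 resolving www.kitconet.com/AAAA for client 192.168.2.164#40830: Name kitconet.com (SOA) not subdomain of zone www.kitconet.com -- invalid response
Tue May  9 08:05:37 2017 daemon.info named[1397]: error (FORMERR) resolving 'www.kitconet.com/AAAA/IN': 38.108.81.8#53
Tue May  9 08:05:39 2017 daemon.info named[1397]: error (permission denied) resolving 'support.mozilla.org/A/IN': 2001:500:f::1#53
"""

if __name__ == '__main__':
    errs = parse_resolve_errors(SAMPLE_LOG.splitlines())
    for (reason, family), n in sorted(summarize(errs).items()):
        print('%-18s %-5s %d' % (reason, family, n))
```

Run over the full excerpt, the same grouping separates the "permission denied" lines, which all name IPv6 upstreams, from the two FORMERR lines, which come from IPv4 servers returning a malformed response.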

The named configuration sets the temp files to /tmp. I changed this to /tmp/bind, created the directory and restarted bind. The errors remain.

Perazim

I have filed a package bug report #4345 on this issue.

As per suggestion from the developer, I have built from trunk. This produces the same results as with chaos-calmer, which is bind producing file permission errors in syslog.

Perazim
