Re: [DUP] Problemas com bind9 [era para ser: o bind ficou louco!]

Tobias Sette Wed, 13 Nov 2013 10:17:00 -0800

Creio que nao, P.J. Quais são?
Att,

Tobias
http://gnu.eti.br


-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM/G/H/IT/L/SS d?(--) s++:+ a-- C+++>++++ UL++>++++ P+ L+++>+++++ !E@ W+++
!N o? K- w !O !M@ !V@ PS PE-- !Y@ PGP t+ 5? X? R+ !tv b+ DI>+ !D@ G e- h+ r-- y?
------END GEEK CODE BLOCK------



Em 13 de novembro de 2013 14:23, P. J. <pjotam...@gmail.com> escreveu:
> Oi,
>
> Não estou me aprofundando no seu problema, mas tem uns comandos que vc
> pode debugar os arquivos de configurações do bind. Vc já tentou isso?
>
>
> Abs
>
> Em 13 de novembro de 2013 11:33, Tobias Sette <tobiase...@gmail.com> escreveu:
>> Olá. Obrigado pelo retorno.
>>
>> As requisições estão mesmo chegando incorretas no servidor (creio que
>> isso é o que está relacionado no link que mandei no primeiro post),
>> como isso pode acontecer?
>>
>> Voltei para a configuração inicial, onde o bind resolve uma zona e faz
>> cache. Aqui um log mais completo: http://paste.debian.net/65618/
>>
>> Um exemplo do que é retornado, mais ou menos, quando tento fazer um
>> ping pudim.com.br atraves de uma outra maquina que utiliza o servidor
>> dns:
>>
>> Nov 13 12:11:59 condado named[10680]: DNS format error from
>> 199.7.91.13#53 resolving ./NS: non-improving referral
>> Nov 13 12:11:59 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 199.7.91.13#53
>> Nov 13 12:11:59 condado named[10680]: DNS format error from
>> 192.228.79.201#53 resolving ./NS: non-improving referral
>> Nov 13 12:11:59 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 192.228.79.201#53
>> Nov 13 12:11:59 condado named[10680]: DNS format error from
>> 202.12.27.33#53 resolving ./NS: non-improving referral
>> Nov 13 12:11:59 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 202.12.27.33#53
>> Nov 13 12:11:59 condado named[10680]: DNS format error from
>> 128.63.2.53#53 resolving ./NS: non-improving referral
>> Nov 13 12:11:59 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 128.63.2.53#53
>> Nov 13 12:11:59 condado named[10680]: DNS format error from
>> 192.33.4.12#53 resolving ./NS: non-improving referral
>> Nov 13 12:11:59 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 192.33.4.12#53
>> Nov 13 12:12:01 condado named[10680]: DNS format error from
>> 192.5.5.241#53 resolving ./NS: non-improving referral
>> Nov 13 12:12:01 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 192.5.5.241#53
>> Nov 13 12:12:01 condado named[10680]: DNS format error from
>> 128.63.2.53#53 resolving ./NS: non-improving referral
>> Nov 13 12:12:01 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 128.63.2.53#53
>> Nov 13 12:12:01 condado named[10680]: DNS format error from
>> 192.112.36.4#53 resolving ./NS: non-improving referral
>> Nov 13 12:12:01 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 192.112.36.4#53
>> Nov 13 12:12:01 condado named[10680]: error (no valid RRSIG) resolving
>> '199.121.in-addr.arpa/DS/IN': 192.112.36.4#53
>> Nov 13 12:12:01 condado named[10680]: DNS format error from
>> 199.7.91.13#53 resolving ./NS: non-improving referral
>> Nov 13 12:12:01 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 199.7.91.13#53
>> Nov 13 12:12:01 condado named[10680]: validating @0xb4343fc0:
>> pudim.com.br A: bad cache hit (pudim.com.br/DS)
>> Nov 13 12:12:01 condado named[10680]: error (broken trust chain)
>> resolving 'pudim.com.br/A/IN': 199.7.91.13#53
>> Nov 13 12:12:01 condado named[10680]: DNS format error from
>> 192.33.4.12#53 resolving ./NS: non-improving referral
>> Nov 13 12:12:01 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 192.33.4.12#53
>> Nov 13 12:12:01 condado named[10680]: error (insecurity proof failed)
>> resolving '121.in-addr.arpa/DNSKEY/IN': 192.33.4.12#53
>> Nov 13 12:12:02 condado named[10680]: DNS format error from
>> 192.228.79.201#53 resolving ./NS: non-improving referral
>> Nov 13 12:12:02 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 192.228.79.201#53
>> Nov 13 12:12:02 condado named[10680]: error (insecurity proof failed)
>> resolving '121.in-addr.arpa/DNSKEY/IN': 192.228.79.201#53
>> Nov 13 12:12:02 condado named[10680]: DNS format error from
>> 192.203.230.10#53 resolving ./NS: non-improving referral
>> Nov 13 12:12:02 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 192.203.230.10#53
>> Nov 13 12:12:02 condado named[10680]: DNS format error from
>> 202.12.27.33#53 resolving ./NS: non-improving referral
>> Nov 13 12:12:02 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 202.12.27.33#53
>> Nov 13 12:12:02 condado named[10680]: DNS format error from
>> 192.58.128.30#53 resolving ./NS: non-improving referral
>> Nov 13 12:12:02 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 192.58.128.30#53
>> Nov 13 12:12:02 condado named[10680]: DNS format error from
>> 193.0.14.129#53 resolving ./NS: non-improving referral
>> Nov 13 12:12:02 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 193.0.14.129#53
>> Nov 13 12:12:02 condado named[10680]: DNS format error from
>> 198.41.0.4#53 resolving ./NS: non-improving referral
>> Nov 13 12:12:02 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 198.41.0.4#53
>> Nov 13 12:12:03 condado named[10680]: DNS format error from
>> 192.36.148.17#53 resolving ./NS: non-improving referral
>> Nov 13 12:12:03 condado named[10680]: error (FORMERR) resolving
>> './NS/IN': 192.36.148.17#53
>>
>> No final, fiz um teste utilizando outra conexão a internet. Funcionou
>> perfeitamente e os erros não apareceram no log:
>>
>> Nov 13 12:13:40 condado named[10680]: reloading configuration succeeded
>> Nov 13 12:13:40 condado named[10680]: any newly configured zones are now 
>> loaded
>> Nov 13 12:13:47 condado named[10680]: success resolving
>> '124.6.168.192.in-addr.arpa/PTR' (in '168.192.in-addr.arpa'?) after
>> reducing the advertised EDNS UDP packet size to 512 octets
>> Nov 13 12:13:47 condado named[10680]: client 192.168.5.2#20082: RFC
>> 1918 response from Internet for 124.6.168.192.in-addr.arpa
>> Nov 13 12:13:47 condado named[10680]: client 127.0.0.1#55232: RFC 1918
>> response from Internet for 124.6.168.192.in-addr.arpa
>> Nov 13 12:13:53 condado named[10680]: client 192.168.5.2#62313: RFC
>> 1918 response from Internet for 125.6.168.192.in-addr.arpa
>> Nov 13 12:13:53 condado named[10680]: client 127.0.0.1#42566: RFC 1918
>> response from Internet for 125.6.168.192.in-addr.arpa
>> Nov 13 12:13:58 condado named[10680]: client 192.168.5.2#56199: RFC
>> 1918 response from Internet for 126.6.168.192.in-addr.arpa
>> Nov 13 12:13:58 condado named[10680]: client 127.0.0.1#46159: RFC 1918
>> response from Internet for 126.6.168.192.in-addr.arpa
>> Nov 13 12:14:03 condado named[10680]: client 192.168.5.2#58960: RFC
>> 1918 response from Internet for 127.6.168.192.in-addr.arpa
>> Nov 13 12:14:03 condado named[10680]: client 127.0.0.1#60665: RFC 1918
>> response from Internet for 127.6.168.192.in-addr.arpa
>> Nov 13 12:14:08 condado named[10680]: client 192.168.5.2#23673: RFC
>> 1918 response from Internet for 128.6.168.192.in-addr.arpa
>> Nov 13 12:14:08 condado named[10680]: client 127.0.0.1#55972: RFC 1918
>> response from Internet for 128.6.168.192.in-addr.arpa
>> Nov 13 12:14:13 condado named[10680]: client 192.168.5.2#26559: RFC
>> 1918 response from Internet for 129.6.168.192.in-addr.arpa
>> Nov 13 12:14:13 condado named[10680]: client 127.0.0.1#50735: RFC 1918
>> response from Internet for 129.6.168.192.in-addr.arpa
>> Nov 13 12:14:18 condado named[10680]: client 192.168.5.2#62168: RFC
>> 1918 response from Internet for 130.6.168.192.in-addr.arpa
>> Nov 13 12:14:18 condado named[10680]: client 127.0.0.1#38353: RFC 1918
>> response from Internet for 130.6.168.192.in-addr.arpa
>>
>>
>> Att,
>>
>> Tobias
>> http://gnu.eti.br
>>
>> -----BEGIN GEEK CODE BLOCK-----
>> Version: 3.12
>> GCS/CM/G/H/IT/L/SS d?(--) s++:+ a-- C+++>++++ UL++>++++ P+ L+++>+++++ !E@ 
>> W+++
>> !N o? K- w !O !M@ !V@ PS PE-- !Y@ PGP t+ 5? X? R+ !tv b+ DI>+ !D@ G e- h+ 
>> r-- y?
>> ------END GEEK CODE BLOCK------
>>
>>
>>
>> Em 11 de novembro de 2013 14:11, Helio Loureiro
>> <he...@loureiro.eng.br> escreveu:
>>> Oi Tobias,
>>>
>>> Aparentemente vc tá mandando o reverso da sua rede 192.168.6.0/24 pro Google
>>> resolver (8.8.8.8) e, claro, isso não tá funcionando.
>>>
>>> O problema acima é resolver um IP como dns.  Parece que alguém mandou uma
>>> requisição errada.
>>>
>>> Já sobre o problema de cache, não tenho idéia, mas acho que esses logs podem
>>> não estar relacionados.  Então tente refazer o cache: service bind9
>>> force-reload.
>>>
>>> Abs,
>>> Helio Loureiro
>>> http://helio.loureiro.eng.br
>>> http://br.linkedin.com/in/helioloureiro
>>> http://twitter.com/helioloureiro
>>> http://gplus.to/helioloureiro
>>>
>>>
>>> Em 10 de novembro de 2013 22:33, Tobias Sette <tobiase...@gmail.com>
>>> escreveu:
>>>>
>>>> Olá. Tenho um servidor rodando debian wheezy e, dentre os serviços,
>>>> está o bind. De uns dias pra cá ele começou a apresentar problemas na
>>>> resolução de nomes, até parar tudo. A função dele é cache dns e
>>>> resolver uma zona interna.
>>>>
>>>> O principal erro, obtido em /var/log/daemon.log, é algo do tipo:
>>>>
>>>> Nov  8 19:37:23 condado named[282]: error (formerr) resolving
>>>> './NS/IN': 199.7.83.42#53
>>>>
>>>> Atualmente o bind está atuando apenas como redirecionador dns, e
>>>> ocorre esse erro (que tambem ocorria quando ele ainda estava
>>>> configurado como servidor dns):
>>>>
>>>> Nov  8 19:37:23 condado named[28290]: validating @0xb80859c0:
>>>> 117.6.168.192.in-addr.arpa PTR: bad cache hit
>>>> (168.192.in-addr.arpa/DS)
>>>> Nov  8 19:37:23 condado named[28290]: error (broken trust chain)
>>>> resolving '117.6.168.192.in-addr.arpa/
>>>> PTR/IN': 8.8.8.8#53
>>>>
>>>> Eu já tentei desabilitar o DNSSEC, atualizar a data/hora (que sempre
>>>> esteve certa, pois ha um daemon do ntp rodando), deletar os arquivos
>>>> /var/cache/bind/managed-keys.bind*, atualizar o arquivo
>>>> /etc/bind/bind.keys, tentar resolução dns usando dig +tcp, até que por
>>>> fim eu reinstalei o bind e... deu o mesmo erro. Até um segundo
>>>> servidor bind, na mesma rede, apresenta o erro, e ele esteve desligado
>>>> por uns dias.
>>>>
>>>> Por fim, o que me parece mais provável é ter um outro servidor DNS
>>>> transparente[0] em algum ponto da rede, mas não compreendi bem o que é
>>>> e como identificá-lo. Mesmo desligando tudo que eu pude o erro
>>>> persiste. Considerei a hipotese do erro estar relacionado ao provedor
>>>> de internet (já tive um bocado de problemas com ele), mas o
>>>> responsável técnico de lá nao identificou nada (geralmente leva um
>>>> tempo para descobrirem o problema).
>>>>
>>>> Enfim, agradeço qualquer ajuda.
>>>>
>>>> [0]
>>>> https://groups.google.com/forum/#!topic/comp.protocols.dns.bind/obLDHzNvhJY
>>>>
>>>>
>>>> Att,
>>>>
>>>> Tobias
>>>> http://gnu.eti.br
>>>>
>>>> -----BEGIN GEEK CODE BLOCK-----
>>>> Version: 3.12
>>>> GCS/CM/G/H/IT/L/SS d?(--) s++:+ a-- C+++>++++ UL++>++++ P+ L+++>+++++ !E@
>>>> W+++
>>>> !N o? K- w !O !M@ !V@ PS PE-- !Y@ PGP t+ 5? X? R+ !tv b+ DI>+ !D@ G e- h+
>>>> r-- y?
>>>> ------END GEEK CODE BLOCK------
>>>>
>>>>
>>>> --
>>>> To UNSUBSCRIBE, email to debian-user-portuguese-requ...@lists.debian.org
>>>> with a subject of "unsubscribe". Trouble? Contact
>>>> listmas...@lists.debian.org
>>>> Archive:
>>>> http://lists.debian.org/capqzhw77un0tzsokitnjfgy3l-f_znah7wtm4joetnsp5u9...@mail.gmail.com
>>>>
>>>
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-user-portuguese-requ...@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
>> Archive: 
>> http://lists.debian.org/capqzhw5zxtbeys8pntsq5vwxoftotwc_kpkcrhxqq4+unj...@mail.gmail.com
>>
>
>
>
> --
> |  .''`.   A fé não dá respostas. Só impede perguntas.
> | : :'  :
> | `. `'`
> |   `-   Je vois tout
>
>
> --
> To UNSUBSCRIBE, email to debian-user-portuguese-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: 
> http://lists.debian.org/cacnf0phj+zgmr+gphkunfznohxnhb+sf3qnnbhtwzwppkuj...@mail.gmail.com
>


--
To UNSUBSCRIBE, email to debian-user-portuguese-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/capqzhw6vopewmo7hrzohqcakghzhtdpedh5bg-mqqrzsfsm...@mail.gmail.com

Re: [DUP] Problemas com bind9 [era para ser: o bind ficou louco!]

Responder a