I have a problem in DNS (bind9)

Asked by Gulab Pasha

I have recently configured the DNS service on my server; whenever I try to start it, it gives an error.

#/etc/init.d/bind9 restart
 * Stopping domain name service... bind9
rndc: connect failed: 127.0.0.1#953: connection refused
   ...done.
 * Starting domain name service... bind9
   ...fail!

Syslog error:

May 4 12:47:49 sfdlabs named[23866]: starting BIND 9.6.1-P2 -u bind -t /var/lib/named
May 4 12:47:49 sfdlabs named[23866]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2' 'FFLAGS=-g -O2'
May 4 12:47:49 sfdlabs named[23866]: adjusted limit on open files from 1024 to 1048576
May 4 12:47:49 sfdlabs named[23866]: found 4 CPUs, using 4 worker threads
May 4 12:47:49 sfdlabs named[23866]: using up to 4096 sockets
May 4 12:47:49 sfdlabs named[23866]: loading configuration from '/etc/bind/named.conf'
May 4 12:47:49 sfdlabs named[23866]: none:0: open: /etc/bind/named.conf: permission denied
May 4 12:47:49 sfdlabs named[23866]: loading configuration: permission denied
May 4 12:47:49 sfdlabs named[23866]: exiting (due to fatal error)
May 4 12:47:49 sfdlabs kernel: [1542760.915286] type=1503 audit(1272957469.765:38): operation="open" pid=23869 parent=23865 profile="/usr/sbin/named" requested_mask="r::" denied_mask="r::" fsuid=107 ouid=107 name="/var/lib/named/etc/bind/named.conf"

Looking forward to your support

Question information
Status: Answered
For: Ubuntu bind9

Philip Muškovac (yofel) said:
#1

If I'm not entirely mistaken, this sounds like an apparmor rejection message for /var/lib/named/etc/bind/named.conf (which doesn't exist here). Did you create that file or tell bind9 to look for such a file? If yes, you need to edit /etc/apparmor.d/usr.sbin.named appropriately, or apparmor will believe the application was hacked (or whatever).
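
The audit line quoted in the question carries everything needed to tell which layer refused the open: the confining profile, the path as AppArmor saw it (inside the -t /var/lib/named chroot), the denied mask and the uids involved. The script below is an added example, not code from this thread or from Ubuntu's bind9 packaging; it parses that line (and the second one the poster provides later, after the chown), summarises each denial and proposes a read-only rule for /etc/apparmor.d/usr.sbin.named. The rule it emits assumes that reading the configuration under the chroot is intended, which is exactly the decision the answer above leaves to the poster; the helper names (`parse_denial`, `triage`, `suggest_rule`, `analyse`) are the example's own.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two AppArmor denials quoted from syslog in this
# thread (before and after the chown to root:bind), plus one unrelated kernel
# line to show that non-audit messages are skipped.
SAMPLE_LINES = [
    'May 4 12:47:49 sfdlabs kernel: [1542760.915286] type=1503 audit(1272957469.765:38): '
    'operation="open" pid=23869 parent=23865 profile="/usr/sbin/named" '
    'requested_mask="r::" denied_mask="r::" fsuid=107 ouid=107 '
    'name="/var/lib/named/etc/bind/named.conf"',
    'May 6 09:51:43 sfdlabs kernel: [1704994.457772] type=1503 audit(1273119703.309:47): '
    'operation="open" pid=5447 parent=5442 profile="/usr/sbin/named" '
    'requested_mask="::r" denied_mask="::r" fsuid=107 ouid=0 '
    'name="/var/lib/named/etc/bind/named.conf"',
    'May 6 09:51:43 sfdlabs kernel: [1704994.457000] eth0: link is up (constructed line)',
]

# key=value or key="quoted value" pairs, as written by the AppArmor kernel logger
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Denial:
    timestamp: str
    profile: str
    operation: str
    path: str
    requested_mask: str
    denied_mask: str
    fsuid: int
    ouid: int


def parse_denial(line: str) -> Optional[Denial]:
    """Return a Denial for an AppArmor audit line, or None for any other line."""
    if "audit(" not in line or "denied_mask=" not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return Denial(
        timestamp=" ".join(line.split()[:3]),  # e.g. "May 4 12:47:49"
        profile=fields["profile"],
        operation=fields["operation"],
        path=fields["name"],
        requested_mask=fields["requested_mask"],
        denied_mask=fields["denied_mask"],
        fsuid=int(fields["fsuid"]),
        ouid=int(fields["ouid"]),
    )


def triage(d: Denial) -> str:
    """One-line defender summary. An AppArmor audit record means the profile
    itself refused the access, whatever the Unix ownership of the file is."""
    if d.fsuid == d.ouid:
        owner = "file owned by the accessing uid"
    else:
        owner = f"file owned by uid {d.ouid}, accessed as uid {d.fsuid}"
    return (f"{d.timestamp}: profile {d.profile} denied {d.denied_mask!r} "
            f"({d.operation}) on {d.path} [{owner}]")


def suggest_rule(d: Denial, chroot: str) -> Optional[str]:
    """Propose a read-only rule for a config-read denial under the directory
    named is chrooted into with 'named -t <chroot>'. Anything that is not a
    pure read, or lies outside the chroot, gets None: that needs a human look,
    not an automatic allow."""
    if d.denied_mask.replace(":", "") != "r":
        return None
    if not d.path.startswith(chroot.rstrip("/") + "/"):
        return None
    return f"{os.path.dirname(d.path)}/** r,"


def analyse(lines: List[str], chroot: str) -> List[dict]:
    """Parse every AppArmor denial in the given log lines and attach a summary
    and (where safe) a candidate profile rule."""
    results = []
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        results.append({"summary": triage(d), "rule": suggest_rule(d, chroot)})
    return results


if __name__ == "__main__":
    # The chroot comes from the "-t /var/lib/named" in the quoted startup line.
    for r in analyse(SAMPLE_LINES, "/var/lib/named"):
        print(r["summary"])
        if r["rule"]:
            print("  candidate rule for /etc/apparmor.d/usr.sbin.named:", r["rule"])
```

Both quoted lines name the same profile and the same chrooted path; the only change between them is ouid (107, then 0 after the chown), which is why the chown/chmod in the next answer cannot make the denial go away on its own.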

Stephen Day (sd) said:
#2

It might be, as the log says, a simple permission error.

/etc/bind/named.conf should be owned by root, have group bind, and permissions 644.

Try:
sudo chown root:bind /etc/bind/named.conf /var/lib/named/etc/bind/named.conf
sudo chmod 644 /etc/bind/named.conf /var/lib/named/etc/bind/named.conf

Ignore any 'No such file or directory' errors.

Try starting bind again.
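
The ownership and mode check from this answer, done programmatically over both locations (the normal /etc/bind/named.conf and the copy under the -t /var/lib/named chroot that the audit log points at). This is an added example, not the answerer's own code or part of the bind9 package; in line with the "ignore No such file" advice it reports a missing chroot copy separately from a wrong owner or mode, and `self_check` exists only so the example can run without root. If both files pass and the AppArmor denial still appears in syslog, the Unix permissions are not what is blocking named.

```python
import grp
import os
import pwd
import stat
import tempfile
from typing import Dict, List, Optional


def _uid_name(uid: int) -> str:
    """Owner name for a uid, falling back to the number if there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _gid_name(gid: int) -> str:
    """Group name for a gid, falling back to the number if there is no group entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def check_config_perms(path: str, owner: str = "root", group: str = "bind",
                       mode: int = 0o644) -> Optional[List[str]]:
    """Compare a file's owner, group and permission bits with what the answer
    expects for named.conf (root:bind, 644). Returns None when the file does
    not exist, an empty list when everything matches, otherwise a list of
    human-readable problems."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    actual_owner = _uid_name(st.st_uid)
    if actual_owner != owner:
        problems.append(f"owner {actual_owner}, expected {owner}")
    actual_group = _gid_name(st.st_gid)
    if actual_group != group:
        problems.append(f"group {actual_group}, expected {group}")
    actual_mode = stat.S_IMODE(st.st_mode)
    if actual_mode != mode:
        problems.append(f"mode {actual_mode:04o}, expected {mode:04o}")
    return problems


def check_named_conf(chroot: Optional[str] = "/var/lib/named") -> Dict[str, Optional[List[str]]]:
    """Check /etc/bind/named.conf and, when named runs with -t <chroot>, the
    copy inside the chroot that the AppArmor log names."""
    paths = ["/etc/bind/named.conf"]
    if chroot:
        paths.append(os.path.join(chroot, "etc/bind/named.conf"))
    return {p: check_config_perms(p) for p in paths}


def self_check(mode: int) -> List[str]:
    """Exercise the check against a throwaway file so the example runs without
    root: the file's own owner and group are passed as the expectation, so
    only the mode bits can produce a finding."""
    fd, tmp_path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(tmp_path, mode)
        st = os.stat(tmp_path)
        return check_config_perms(tmp_path,
                                  owner=_uid_name(st.st_uid),
                                  group=_gid_name(st.st_gid),
                                  mode=0o644)
    finally:
        os.unlink(tmp_path)


if __name__ == "__main__":
    for path, result in check_named_conf().items():
        if result is None:
            print(f"{path}: not present (fine unless named is told to read it)")
        elif not result:
            print(f"{path}: owner, group and mode as expected")
        else:
            print(f"{path}: " + "; ".join(result))
```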

Gulab Pasha (gulabpasha) said:
#3

Hi,

Thanks for your reply. After applying

sudo chown root:bind /etc/bind/named.conf /var/lib/named/etc/bind/named.conf
sudo chmod 644 /etc/bind/named.conf /var/lib/named/etc/bind/named.conf

I still have the same issue. Please find the error log and file permission output below.

Syslog error output:

May 6 09:51:43 sfdlabs named[5443]: starting BIND 9.6.1-P2 -u bind -t /var/lib/named
May 6 09:51:43 sfdlabs named[5443]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2' 'FFLAGS=-g -O2'
May 6 09:51:43 sfdlabs named[5443]: adjusted limit on open files from 1024 to 1048576
May 6 09:51:43 sfdlabs named[5443]: found 4 CPUs, using 4 worker threads
May 6 09:51:43 sfdlabs named[5443]: using up to 4096 sockets
May 6 09:51:43 sfdlabs named[5443]: loading configuration from '/etc/bind/named.conf'
May 6 09:51:43 sfdlabs named[5443]: none:0: open: /etc/bind/named.conf: permission denied
May 6 09:51:43 sfdlabs named[5443]: loading configuration: permission denied
May 6 09:51:43 sfdlabs named[5443]: exiting (due to fatal error)
May 6 09:51:43 sfdlabs kernel: [1704994.457772] type=1503 audit(1273119703.309:47): operation="open" pid=5447 parent=5442 profile="/usr/sbin/named" requested_mask="::r" denied_mask="::r" fsuid=107 ouid=0 name="/var/lib/named/etc/bind/named.conf"

root@sfdlabs:~# /etc/init.d/bind9 restart
 * Stopping domain name service... bind9
rndc: connect failed: 127.0.0.1#953: connection refused
   ...done.
 * Starting domain name service... bind9
   ...fail!
root@sfdlabs:~# cd /etc/bind/
root@sfdlabs:/etc/bind# ls -l
total 52
-rw-r--r-- 1 bind bind 237 2009-08-20 03:30 db.0
-rw-r--r-- 1 bind bind 271 2009-08-20 03:30 db.127
-rw-r--r-- 1 bind bind 237 2009-08-20 03:30 db.255
-rw-r--r-- 1 bind bind 353 2009-08-20 03:30 db.empty
-rw-r--r-- 1 bind bind 270 2009-08-20 03:30 db.local
-rw-r--r-- 1 bind bind 2940 2009-08-20 03:30 db.root
-rw-r--r-- 1 root bind 583 2010-05-04 13:39 named.conf
-rw-r--r-- 1 bind bind 490 2009-08-20 03:30 named.conf.default-zones
-rw-r--r-- 1 bind bind 581 2010-05-04 13:39 named.conf.local
-rw-r--r-- 1 bind bind 570 2010-05-04 13:39 named.conf.options
-rw-r----- 1 bind bind 77 2010-05-04 10:29 rndc.key
drwxr-sr-x 2 root bind 4096 2010-05-04 13:40 zones
-rw-r--r-- 1 bind bind 1317 2009-08-20 03:30 zones.rfc1918
root@sfdlabs:/etc/bind#

Philip Muškovac (yofel) said:
#4

Did you check if it's an apparmor issue? To test it, run
sudo ln -s /etc/apparmor.d/usr.sbin.named /etc/apparmor.d/disable/
and try to start it again.

If that helps, run
sudo rm /etc/apparmor.d/disable/usr.sbin.named
as completely disabling the profile might be a security issue,
and please edit the /etc/apparmor.d/usr.sbin.named file to fit your needs.

Gulab Pasha (gulabpasha) said:
#5

Hi Philip,

Unfortunately I'm still receiving the same error after following the steps provided by you.

Looking forward to more of your support.

Thanks,
Gulab Pasha

Philip Muškovac (yofel) said:
#6

Hm, something I forgot that might be needed:
after disabling the named profile you might need to restart apparmor, or in this case it might be better to just test it with apparmor stopped completely. Try
sudo service apparmor stop
and then try to start named again.

Gulab Pasha (gulabpasha) said:
#7

Hi Philip,

Unfortunately after following all steps I'm still facing the same issue.

root@sfdlabs:~# sudo service apparmor restart
 * Reloading AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox-3.5
   ...done.
root@sfdlabs:~# service apparmor stop
 * Unloading AppArmor profiles
   ...done.
root@sfdlabs:~# service apparmor start
 * Starting AppArmor profiles
Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox-3.5
   ...done.
root@sfdlabs:~# /etc/init.d/bind9 start
 * Starting domain name service... bind9
   ...fail!
root@sfdlabs:~# /etc/init.d/bind9 restart
 * Stopping domain name service... bind9
rndc: connect failed: 127.0.0.1#953: connection refused
   ...done.
 * Starting domain name service... bind9
   ...fail!

Looking forward to your support
Thanks,

Philip Muškovac (yofel) said:
#8

What I meant was: start bind9 while apparmor is stopped:
sudo service apparmor stop && sudo service bind9 start
