named and its hourly reports

Ian Smith smithi at nimnet.asn.au
Tue Jul 15 12:39:12 UTC 2008


On Tue, 15 Jul 2008, jonathan michaels wrote:
 > On Tue, Jul 15, 2008 at 08:27:33PM +1000, Ian Smith wrote:
 > > On Tue, 15 Jul 2008 12:22:06 +1000 jonathan michaels <jlm at caamora.com.au> wrote:
 > > 
 > >  > named now reports hourly
 > >  > 
 > >  > Jul 15 06:55:10 hid named[617]: could not listen on UDP socket: permission denied
 > >  > Jul 15 06:55:10 hid named[617]: creating IPv4 interface tun0 failed; interface ignored
 > >  > Jul 15 07:55:10 hid named[617]: could not listen on UDP socket: permission denied
 > >  > Jul 15 07:55:10 hid named[617]: creating IPv4 interface tun0 failed; interface ignored
 > >  > Jul 15 08:55:10 hid named[617]: could not listen on UDP socket: permission denied
 > >  > Jul 15 08:55:10 hid named[617]: creating IPv4 interface tun0 failed; interface ignored
 > >  > Jul 15 09:55:10 hid named[617]: could not listen on UDP socket: permission denied
 > >  > Jul 15 09:55:10 hid named[617]: creating IPv4 interface tun0 failed; interface ignored
 > >  > 
 > >  > i've tried the handbook, even muddled my way through google, the only
 > >  > reference that has surfaced is a pointer to the fact that this error
 > >  > message is because named is running in a sandbox ??? don't know when
 > >  > that happened but freebsd now runs named from a sandbox ..
 > > 
 > > By default .. you don't have to, but it's a very good idea these days.
 > > 
 > >  > this machine is a router/gateway and old 486 with a small scsi hdd that
 > >  > is rapidly filling up from this and others, to my mind silly error
 > >  > messages.
 > >  > 
 > >  > is there some way to fix things, is it a hard error, can i run named not
 > >  > in a sandbox, i'm also seeing other errors that seem (to my mind) to be
 > >  > related to this, but i am not sure so i'm keeping my mouth shut until
 > >  > i can work it out and find the real culprit ..
 > > 
 > > Jonathan, I don't think not running named in a sandbox would help here. 
 > 
 > after i got yuri's post earlier i started to do some reading and
 > it's all making sense now and so does the sandbox stuff .. so it
 > is staying.

Good.

 > > As Yuri pointed out, named is scanning all interfaces, default hourly. 
 > 
 > this is the thing i'm having trouble with, why is named scanning
 > anything ??

By default it listens on all interfaces on the box, so it tries to
discover new ones, stop listening on any that have disappeared etc.

 > i've got two secondaries (my isp and a friend) for
 > caamora.com.au, it was easy in bind v4, but not so with the new
 > v8/9 config .. everything and the kitchen sink gets defined. i
 > am working my way through it, it's a bit of hard going for me.

Yes, there are a zillion options, but you can just allow defaults for
most.  The installed named.conf, plus your zone/s, does for many people,
but interfaces that can come and go, like tuns, need special attention. 

In this case, you will want to override the default listen-on { * };  To
quote from my ever-handy http://localhost/bind9ref/Bv9ARM.ch06.html ..

"the listen-on option will cause the server to not accept queries on any
of the machine's addresses which do not match the list." and "If no
listen-on is specified, the server will listen on port 53 on all
interfaces." 

 > > I had a related problem on this laptop, with the same error messages -
 > > after a suspend/resume the (pccard) interface wasn't coming up quickly
 > > enough to beat named's (then overdue) interface scan, so named wouldn't
 > > bind to that interface.  I fixed that by running the following script
 [..]

 > thanks, but i don't think this will help here, the machine is a
 > permanently connected dialup ppp (now userland ppp, formerly
 > kernel pppd). so it just sits there doing its thing until the
 > occasional thunderstorm <grin> or freebsd fallover, stuff happens. 

Even with a static IP address, tun0 may not be UP when 'stuff happens'.
Anyway, you probably don't want to answer queries directed to your ppp
interface address .. 139.130.something I expect .. but only to your
listed nameserver address on this box, gw.caamora.com.au I guess?

 > > However there are perhaps better ways to tackle this, depending on which
 > > interface/s you *need* to have named listening on.  If you need named to
 > > listen on the address of tun0 (pppoe, I suppose?) then you may need to
 > 
 > this is the bit i am failing to understand, why is named
 > scanning tun0, what is it looking for .. it should be obvious,
 > but sorry i am not making sense of this.

It's just looking for existence, likely UP-ness, so it can be 'helpful'
by answering DNS queries coming in on any connected interface.  In this
case, you probably want it to listen on the listed IP address of your
nameserver, on localhost, and perhaps to any internal network address to
boxes you're routing for, with or without NAT .. 

 > i read the 'listen-on' bit in dns&bind ed5 (after yuri's tip off)
 > and am trying to work out if bind is using this 'listen-on' is it
 > looking for internal dns queries or looking for stuff coming in
 > from the outside for the getting of domain transfer information
 > for the secondaries, umm slave servers out there, as mentioned
 > earlier the isp dns server and the 'friend dns server' i am not
 > quite clear on where that information goes in the new scheme of
 > things ??

listen-on is for ordinary DNS queries, from inside and outside, to your
listed nameserver/s.  You may want to look at options 'query-source
address' (ie what IP address outbound/upstream queries are sourced from) 
and to specify the connection address to your secondaries - say hi to
Sue - possibly look at transfer-source and notify-source .. but if your
zone transfers are working ok you won't need to bother with them.

 > > do something like the above whenever ppp connects, or reconnects, from a
 > > suitable up-script for ppp.  The disadvantage is clearing named's cache.
 > 
 > > If on the other hand you only need named listening on other interface/s
 > > than tun0, use the 'listen on { $address; };' option/s to specify the
 > > address/es to listen on.  The default is '*', the addresses associated
 > > with each interface, as 'sockstat -4 | grep named' will show.  Don't
 > > forget to include a 'listen on { 127.0.0.1; }' if you want localhost.

Do try the sockstat, as it does illustrate named's view of the world ..

 > >  > some pointers would be most appreciated .. i've been struggling with
 > >  > this for over a year now and do not know where else to go ??
 > > 
 > > You could have come here a year ago :)
 > 
 > fortress jonathan says it all i guess .. but slowly i'm coming
 > to my senses .. grin. thanks ian yuri et al
 > 
 > thanks guys.....

No worries.  I'm still trying to kill a 10 y.o. 2.2.6 system myself :)

(do you really still have QNX and OS9 boxes running?)  

cheers, Ian
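As an added illustration (not part of this thread or of any FreeBSD/BIND shipped file), here is what the options block of named.conf looks like once listen-on is narrowed from the default to the addresses named should actually serve, with the outbound source addresses Ian mentions pinned to the listed nameserver address. 192.0.2.53 is a placeholder for the real address of gw.caamora.com.au, 10.0.0.1 a placeholder for an internal LAN address, and the directory path is an assumption.

```conf
options {
    directory "/etc/namedb";   // assumed; FreeBSD's usual (chrooted) named directory

    // The default, which makes named try every interface it finds on each
    // hourly rescan, including tun0 (BIND 9 spells the wildcard "any"):
    //     listen-on { any; };

    // Instead, listen only where this box is a nameserver:
    listen-on port 53 {
        127.0.0.1;     // localhost, for resolver clients on the box itself
        192.0.2.53;    // placeholder: the listed address of gw.caamora.com.au
        10.0.0.1;      // placeholder: internal address of the LAN being routed
    };
    listen-on-v6 { none; };   // this router offers no IPv6 DNS service at all

    // Source address for upstream queries and for zone transfers / NOTIFYs
    // to the two slaves, so they always see the same listed address:
    query-source    address 192.0.2.53;
    transfer-source 192.0.2.53;
    notify-source   192.0.2.53;

    // The rescan period itself is tunable (minutes; 60 is BIND 9's default):
    //     interface-interval 60;
};
```

After `rndc reload` (or a restart), `sockstat -4 | grep named` should show port 53 bound only on the three listed addresses, and the hourly tun0 messages should stop.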



More information about the freebsd-questions mailing list