Re: daemon warning
Stewart, Larry C Sr CTR DISA JITC (US) larry.c.stewart@mail.mil wrote:

> I have configured the Solaris service admin to run /nithr/sbin/named -t /dns -u dnsuser when I start the DNS server. Now, since I have upgraded to 9.10.0-P2, I get a daemon notice that it is "unable to set the effective uid to 0: Not Owner" logged in my /var/adm/messages that I never received before.

I think this warning happens either when named tries to write its pid file or its session key file, which are the only times that I can find when it would try to set its euid to 0. (When writing those files named temporarily drops privileges, calling seteuid(0) to raise them again, and it permanently drops privileges a bit later.)

So my guess is you are not starting named as root?

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Humber: Northwest backing southwest 3 or 4. Slight, becoming moderate for a time in northeast. Mainly fair. Good.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: daemon warning
Correct, so is there some negative impact I can expect or is it just a log entry I can ignore?

Larry Stewart, CISSP, CCNA
Contractor - ManTech
Network Engineer
Office: 520-538-4227 DSN: 879-4227
Cell phone: 520-227-8251
larry.c.stewart@mail.mil

-----Original Message-----
From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
Sent: Tuesday, July 01, 2014 4:26 AM
To: Stewart, Larry C Sr CTR DISA JITC (US)
Cc: bind-users@lists.isc.org
Subject: Re: daemon warning

Stewart, Larry C Sr CTR DISA JITC (US) larry.c.stewart@mail.mil wrote:

> I have configured the Solaris service admin to run /nithr/sbin/named -t /dns -u dnsuser when I start the DNS server. Now, since I have upgraded to 9.10.0-P2, I get a daemon notice that it is "unable to set the effective uid to 0: Not Owner" logged in my /var/adm/messages that I never received before.

I think this warning happens either when named tries to write its pid file or its session key file, which are the only times that I can find when it would try to set its euid to 0. (When writing those files named temporarily drops privileges, calling seteuid(0) to raise them again, and it permanently drops privileges a bit later.)

So my guess is you are not starting named as root?

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Humber: Northwest backing southwest 3 or 4. Slight, becoming moderate for a time in northeast. Mainly fair. Good.
Error when using GeoIP
Hi,

I did compile 9.10 with --with-geoip and did the config as follows.

In options:

    geoip-directory "/usr/share/GeoIP/GeoIP.dat";

In zones:

    acl US { geoip country US; };
    view US {
        match-clients { US; };   // Once I add this it throws the error below ***
        include "/etc/named.rfc1912.zones";
        include "/etc/dk.sites.list";
    };

Once I add the match-clients line it throws the error below on starting:

    /etc/named.conf:47: no GeoIP database installed which can answer queries of type 'country'

geoiplookup ip.ip.ip.ip works, so I doubt that is the issue. I did try geoip-directory "/usr/share/GeoIP"; instead of the full path, but that did not make any difference.

Any hints?
Re: rate-limit and Facebook IP's
That's really interesting. The firewall rate-limiting of new UDP connections to 30 per 2 seconds per client IP also catches several Facebook IPs all day long on both nameservers:

Firewall Rate-Control: SRC=69.171.247.119 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=65378 PROTO=UDP SPT=29558 DPT=53 LEN=54
Firewall Rate-Control: SRC=69.171.247.119 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=65379 PROTO=UDP SPT=65053 DPT=53 LEN=54
Firewall Rate-Control: SRC=69.171.247.119 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=65380 PROTO=UDP SPT=27469 DPT=53 LEN=54
Firewall Rate-Control: SRC=69.171.247.119 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=65381 PROTO=UDP SPT=9288 DPT=53 LEN=54
Firewall Rate-Control: SRC=69.171.247.119 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=65382 PROTO=UDP SPT=41241 DPT=53 LEN=54
Firewall Rate-Control: SRC=173.252.100.115 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=50076 PROTO=UDP SPT=44395 DPT=53 LEN=54
Firewall Rate-Control: SRC=173.252.100.115 DST=85.124.176.242 LEN=77 TOS=0x00 PREC=0x00 TTL=80 ID=50077 PROTO=UDP SPT=49631 DPT=53 LEN=57
Firewall Rate-Control: SRC=173.252.100.113 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=20024 PROTO=UDP SPT=15272 DPT=53 LEN=54
Firewall Rate-Control: SRC=173.252.100.113 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=20025 PROTO=UDP SPT=10473 DPT=53 LEN=54
Firewall Rate-Control: SRC=173.252.100.115 DST=85.124.176.242 LEN=74 TOS=0x00 PREC=0x00 TTL=80 ID=50078 PROTO=UDP SPT=47769 DPT=53 LEN=54

On 30.06.2014 14:22, Reindl Harald wrote:
> Am I the only one facing several Facebook networks hitting RRL on both nameservers all day long?
>
> For me there are only two options to explain that:
> * Facebook is too dumb to cache responses (TTL a day)
> * that's part of a well distributed amplification, trying not to make much noise on the single involved servers
>
> Interesting that this is ongoing for many months.
>
> 30-Jun-2014 13:24:31.717 rate-limit: limit NODATA responses to 69.171.248.0/24 for ns1.thelounge.net IN (1abd134b)
> 30-Jun-2014 13:25:32.184 rate-limit: stop limiting NODATA responses to 69.171.248.0/24 for ns1.thelounge.net IN (1abd134b)
> 30-Jun-2014 13:30:29.153 rate-limit: limit NODATA responses to 173.252.74.0/24 for tethys.thelounge.net IN (1b619c65)
> 30-Jun-2014 13:31:29.149 rate-limit: stop limiting NODATA responses to 173.252.74.0/24 for tethys.thelounge.net IN (1b619c65)
> 30-Jun-2014 13:37:12.845 rate-limit: limit NODATA responses to 173.252.113.0/24 for ns1.thelounge.net IN (1abd134b)
> 30-Jun-2014 13:38:12.035 rate-limit: stop limiting NODATA responses to 173.252.113.0/24 for ns1.thelounge.net IN (1abd134b)
> 30-Jun-2014 13:39:21.736 rate-limit: limit NODATA responses to 173.252.77.0/24 for ns2.thelounge.net IN (1abd134c)
> 30-Jun-2014 13:39:21.738 rate-limit: limit NODATA responses to 173.252.77.0/24 for arrakis.thelounge.net IN (2041b582)
> 30-Jun-2014 13:39:21.873 rate-limit: limit NODATA responses to 173.252.77.0/24 for ns1.thelounge.net IN (1abd134b)
> 30-Jun-2014 13:40:22.792 rate-limit: stop limiting NODATA responses to 173.252.77.0/24 for arrakis.thelounge.net IN (2041b582)
> 30-Jun-2014 13:40:22.792 rate-limit: stop limiting NODATA responses to 173.252.77.0/24 for ns1.thelounge.net IN (1abd134b)
> 30-Jun-2014 13:40:23.131 rate-limit: stop limiting NODATA responses to 173.252.77.0/24 for ns2.thelounge.net IN (1abd134c)
> 30-Jun-2014 14:00:35.542 rate-limit: limit NODATA responses to 31.13.99.0/24 for ns1.thelounge.net IN (1abd134b)
> 30-Jun-2014 14:01:36.564 rate-limit: stop limiting NODATA responses to 31.13.99.0/24 for ns1.thelounge.net IN (1abd134b)
> 30-Jun-2014 14:16:55.318 rate-limit: limit NODATA responses to 173.252.102.0/24 for ns1.thelounge.net IN (1abd134b)
> 30-Jun-2014 14:16:55.328 rate-limit: limit NODATA responses to 173.252.102.0/24 for ns2.thelounge.net IN (1abd134c)
RE: daemon warning
Stewart, Larry C Sr CTR DISA JITC (US) larry.c.stewart@mail.mil wrote:

> Correct, so is there some negative impact I can expect or is it just a log entry I can ignore?

If you aren't getting any "Could not open..." warnings as well then you are probably OK.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Dover, Wight, Portland, Plymouth: East or northeast 4 or 5, occasionally 6 at first. Slight or moderate. Showers. Moderate or good.
Re: Error when using GeoIP
Ali Jawad alijaw...@gmail.com wrote:

>     acl US { geoip country US; };
>     view US {
>         match-clients { US; };   // Once I add this it throws the error below
>     };
>
>     /etc/named.conf:47: no GeoIP database installed which can answer queries of type 'country'

This is a bug in 9.10.0 which will be fixed in 9.10.1. Until then there is a patch:

https://lists.isc.org/pipermail/bind-users/2014-May/093083.html

The workaround is to put the geoip country directive in the match-clients clause itself rather than going via a named acl.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Southeast Rockall, Malin: Variable 4, becoming southwesterly 5 to 7, perhaps gale 8 later. Slight or moderate, becoming moderate or rough later. Rain later. Good, occasionally poor.
RE: daemon warning
So I logged in as the user that I normally start named with and I get the following error:

    Named: chroot(): Not owner

Larry Stewart, CISSP, CCNA
Contractor - ManTech
Network Engineer
Office: 520-538-4227 DSN: 879-4227
Cell phone: 520-227-8251
larry.c.stewart@mail.mil

-----Original Message-----
From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
Sent: Tuesday, July 01, 2014 7:43 AM
To: Stewart, Larry C Sr CTR DISA JITC (US)
Cc: bind-users@lists.isc.org
Subject: RE: daemon warning

Stewart, Larry C Sr CTR DISA JITC (US) larry.c.stewart@mail.mil wrote:

> Correct, so is there some negative impact I can expect or is it just a log entry I can ignore?

If you aren't getting any "Could not open..." warnings as well then you are probably OK.

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Dover, Wight, Portland, Plymouth: East or northeast 4 or 5, occasionally 6 at first. Slight or moderate. Showers. Moderate or good.
Re: daemon warning
Daemons binding privileged ports should be started as root because they have some tasks to do before dropping privileges.

On 01.07.2014 16:55, Stewart, Larry C Sr CTR DISA JITC (US) wrote:
> So I logged in as the user that I normally start named with and I get the following error:
>
>     Named: chroot(): Not owner
>
> -----Original Message-----
> From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
> Sent: Tuesday, July 01, 2014 7:43 AM
> To: Stewart, Larry C Sr CTR DISA JITC (US)
> Cc: bind-users@lists.isc.org
> Subject: RE: daemon warning
>
> Stewart, Larry C Sr CTR DISA JITC (US) larry.c.stewart@mail.mil wrote:
>
>> Correct, so is there some negative impact I can expect or is it just a log entry I can ignore?
>
> If you aren't getting any "Could not open..." warnings as well then you are probably OK.
RE: daemon warning
OK, so that was not a good troubleshooting technique; I was trying to determine what did not have the correct permissions and was thus causing the warning. I guess I will go ahead and run it the way I have been for the last 5 years, unless I find it is causing me problems.

Larry Stewart, CISSP, CCNA
Contractor - ManTech
Network Engineer
Office: 520-538-4227 DSN: 879-4227
Cell phone: 520-227-8251
larry.c.stewart@mail.mil

-----Original Message-----
From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
Sent: Tuesday, July 01, 2014 8:05 AM
To: Stewart, Larry C Sr CTR DISA JITC (US)
Cc: bind-users@lists.isc.org
Subject: RE: daemon warning

Stewart, Larry C Sr CTR DISA JITC (US) larry.c.stewart@mail.mil wrote:

> So I logged in as the user that I normally start named with and I get the following error:
>
>     Named: chroot(): Not owner

You need to start named as root for it to be able to chroot. (Unless Solaris has some cunning fine-grained privilege feature I don't know about.)

Tony.
-- 
f.anthony.n.finch d...@dotat.at http://dotat.at/
Shannon: Northeast 4 or 5, becoming variable 3, then southwest 5 to 7 later. Slight or moderate, becoming rough later in north. Rain later. Good, occasionally poor later.
Re: rate-limit and Facebook IP's
On Tue, 2014-07-01 at 16:45 +0200, Reindl Harald wrote:
> 30-Jun-2014 13:24:31.717 rate-limit: limit NODATA responses to 69.171.248.0/24 for ns1.thelounge.net IN (1abd134b)

I also see the rate limiting kicking in for facebook ranges. I should set up a tcpdump filter to log all the queries from those ranges.

31.13.99.0/24
69.171.248.0/24
173.252.74.0/24
173.252.77.0/24
173.252.102.0/24
173.252.113.0/24
Re: rate-limit and Facebook IP's
On 01.07.2014 17:27, Carl Byington wrote:
> On Tue, 2014-07-01 at 16:45 +0200, Reindl Harald wrote:
>> 30-Jun-2014 13:24:31.717 rate-limit: limit NODATA responses to 69.171.248.0/24 for ns1.thelounge.net IN (1abd134b)
>
> I also see the rate limiting kicking in for facebook ranges. I should set up a tcpdump filter to log all the queries from those ranges.
>
> 31.13.99.0/24
> 69.171.248.0/24
> 173.252.74.0/24
> 173.252.77.0/24
> 173.252.102.0/24
> 173.252.113.0/24

Feedback appreciated. For an amplification attack that's too few, and it is unlikely someone asks for NS/A records instead of ANY. My only explanation is that Facebook tries to find servers which are vulnerable to amplification attacks and not rate-limiting.

As I started with RRL, those hits led me to raise my limits, and if I am right their tests make things worse; god knows how many admins raise their limits because of that noise, making things worse than needed :-(
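The RRL lines posted in this thread are easy to eyeball one at a time but hard to reason about in bulk, and Carl's suggestion of a tcpdump filter needs the prefix list typed out by hand. The script below is an added example, not code from ISC or from any of the posters: it parses named's "rate-limit:" log lines, pairs each "limit" with its "stop limiting", totals how long each client /24 was limited and which zones were involved, and emits a BPF filter for those prefixes. The SAMPLE_LOG lines are copied from the messages above; the interface name and output file in the final print are illustrative assumptions.

```python
"""Summarise BIND RRL "rate-limit" log lines per client prefix.

Added example for the rate-limit thread; not code from ISC or the posters.
"""
import re
from collections import defaultdict
from datetime import datetime

# Shape of the named log lines quoted in the thread.
_RRL_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"rate-limit: (?P<action>limit|stop limiting) (?P<rtype>\S+) responses "
    r"to (?P<prefix>\S+) for (?P<name>\S+) (?P<rclass>\S+) \((?P<hash>[0-9a-f]+)\)$"
)

# A subset of the lines posted above (copied from the thread, not constructed).
SAMPLE_LOG = """\
30-Jun-2014 13:24:31.717 rate-limit: limit NODATA responses to 69.171.248.0/24 for ns1.thelounge.net IN (1abd134b)
30-Jun-2014 13:25:32.184 rate-limit: stop limiting NODATA responses to 69.171.248.0/24 for ns1.thelounge.net IN (1abd134b)
30-Jun-2014 13:39:21.736 rate-limit: limit NODATA responses to 173.252.77.0/24 for ns2.thelounge.net IN (1abd134c)
30-Jun-2014 13:39:21.738 rate-limit: limit NODATA responses to 173.252.77.0/24 for arrakis.thelounge.net IN (2041b582)
30-Jun-2014 13:40:22.792 rate-limit: stop limiting NODATA responses to 173.252.77.0/24 for arrakis.thelounge.net IN (2041b582)
30-Jun-2014 13:40:23.131 rate-limit: stop limiting NODATA responses to 173.252.77.0/24 for ns2.thelounge.net IN (1abd134c)
30-Jun-2014 14:16:55.318 rate-limit: limit NODATA responses to 173.252.102.0/24 for ns1.thelounge.net IN (1abd134b)
"""


def parse_rrl_line(line):
    """Return a dict for one rate-limit line, or None for anything else."""
    m = _RRL_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ev


def summarise(lines):
    """Aggregate limit/stop pairs per client prefix.

    Returns {prefix: {"episodes": n, "limited_seconds": float, "names": set}}.
    A "limit" with no matching "stop" yet counts as an episode of 0 seconds,
    which is what the last lines of the posted log look like.
    """
    open_limits = {}
    out = defaultdict(lambda: {"episodes": 0, "limited_seconds": 0.0, "names": set()})
    for line in lines:
        ev = parse_rrl_line(line)
        if ev is None:
            continue
        key = (ev["prefix"], ev["name"], ev["rtype"])
        stats = out[ev["prefix"]]
        stats["names"].add(ev["name"])
        if ev["action"] == "limit":
            open_limits[key] = ev["ts"]
            stats["episodes"] += 1
        elif key in open_limits:
            stats["limited_seconds"] += (ev["ts"] - open_limits.pop(key)).total_seconds()
    return dict(out)


def tcpdump_filter(prefixes, port=53):
    """BPF expression matching UDP DNS queries from the given prefixes."""
    nets = " or ".join("src net %s" % p for p in sorted(prefixes))
    return "udp dst port %d and (%s)" % (port, nets)


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG.splitlines())
    for prefix, s in sorted(summary.items()):
        print("%-18s episodes=%d limited=%.3fs zones=%s"
              % (prefix, s["episodes"], s["limited_seconds"], ",".join(sorted(s["names"]))))
    # Interface and capture file are illustrative; adjust for your host.
    print("tcpdump -ni eth0 -w facebook-queries.pcap '%s'" % tcpdump_filter(summary))
```

Feed it the real log with `summarise(open("/var/log/named.log"))`; the per-prefix totals show whether a prefix is limited for a minute now and then (what the posted lines show) or nearly continuously, and the generated filter captures the actual query names and types from those prefixes so the "cache miss vs. probing" question can be settled from packets rather than guessed at.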
Re: daemon warning
>> You need to start named as root for it to be able to chroot. (Unless Solaris has some cunning fine-grained privilege feature I don't know about.)

On 01.07.14 15:18, Stewart, Larry C Sr CTR DISA JITC (US) wrote:
> OK, so that was not a good troubleshooting technique; I was trying to determine what did not have the correct permissions and was thus causing the warning. I guess I will go ahead and run it the way I have been for the last 5 years, unless I find it is causing me problems.

For now we have to trust BIND to properly bind(), chroot() and drop privileges...

Does anyone know if there's a way to leave these (dropping privileges) to other programs, so BIND and similar apps won't have to implement this on their own? ... on Linux or other OSes? (Taking care of the security of a small program should be easier.)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Where do you want to go to die? [Microsoft]
Re: daemon warning
On 01.07.2014 17:46, Matus UHLAR - fantomas wrote:
>>> You need to start named as root for it to be able to chroot. (Unless Solaris has some cunning fine-grained privilege feature I don't know about.)
>
> On 01.07.14 15:18, Stewart, Larry C Sr CTR DISA JITC (US) wrote:
>> OK, so that was not a good troubleshooting technique; I was trying to determine what did not have the correct permissions and was thus causing the warning. I guess I will go ahead and run it the way I have been for the last 5 years, unless I find it is causing me problems.
>
> For now we have to trust BIND to properly bind(), chroot() and drop privileges...
>
> Does anyone know if there's a way to leave these (dropping privileges) to other programs, so BIND and similar apps won't have to implement this on their own? ... on Linux or other OSes? (Taking care of the security of a small program should be easier.)

In theory: http://www.freedesktop.org/software/systemd/man/systemd.socket.html

That way systemd opens the socket before the daemon is started (which could happen even on demand), and so the systemd unit could start the service process from the beginning with a low-privileged user. *But* I'm not sure how to deal with chroot in that context.

However, we restrict most services like below, giving them only the needed capabilities and making /etc and /usr read-only, which greatly improves security:

    PrivateTmp=true
    TimeoutSec=25
    Restart=always
    RestartSec=1
    CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
    ReadOnlyDirectories=/etc
    ReadOnlyDirectories=/usr
    InaccessibleDirectories=/boot
    InaccessibleDirectories=/home
    InaccessibleDirectories=/root
Re: Error when using GeoIP
Hi Tony,

I did try match-clients { geoip country US; }; but that yielded the same error. Which is weird, as I did actually submit the bug with the above patch in RC2, and inline worked at the time. I will try the patch; let me know if you have input on the match-clients please, as I did already build the RPM to be deployed across my servers, and it will save me some time.

Thanks

On Tue, Jul 1, 2014 at 4:52 PM, Tony Finch d...@dotat.at wrote:
> Ali Jawad alijaw...@gmail.com wrote:
>
>>     acl US { geoip country US; };
>>     view US {
>>         match-clients { US; };   // Once I add this it throws the error below
>>     };
>>
>>     /etc/named.conf:47: no GeoIP database installed which can answer queries of type 'country'
>
> This is a bug in 9.10.0 which will be fixed in 9.10.1. Until then there is a patch:
>
> https://lists.isc.org/pipermail/bind-users/2014-May/093083.html
>
> The workaround is to put the geoip country directive in the match-clients clause itself rather than going via a named acl.
>
> Tony.
> -- 
> f.anthony.n.finch d...@dotat.at http://dotat.at/
> Southeast Rockall, Malin: Variable 4, becoming southwesterly 5 to 7, perhaps gale 8 later. Slight or moderate, becoming moderate or rough later. Rain later. Good, occasionally poor.
Re: Error when using GeoIP
Hi Jeremy,

Thanks for chipping in. Usual as ever.

So I did actually use geoip-directory "/usr/share/GeoIP"; and ls of that dir is:

    [root@uk etc]# ls -lart /usr/share/GeoIP/
    -rw-r--r-- 1 root root 1206078 Jul 1 10:08 GeoIP.dat

The output from the logs is:

    Jul 1 14:38:56 uk named[1795]: using /usr/share/GeoIP as GeoIP directory
    Jul 1 14:38:56 uk named[1795]: GeoIP Country (IPv4) (type 1) DB not available
    Jul 1 14:38:56 uk named[1795]: GeoIP Country (IPv6) (type 12) DB not available
    Jul 1 14:38:56 uk named[1795]: GeoIP City (IPv4) (type 2) DB not available
    Jul 1 14:38:56 uk named[1795]: GeoIP City (IPv4) (type 6) DB not available
    Jul 1 14:38:56 uk named[1795]: GeoIP City (IPv6) (type 30) DB not available
    Jul 1 14:38:56 uk named[1795]: GeoIP City (IPv6) (type 31) DB not available
    Jul 1 14:38:56 uk named[1795]: GeoIP Region (type 3) DB not available
    Jul 1 14:38:56 uk named[1795]: GeoIP Region (type 7) DB not available
    Jul 1 14:38:56 uk named[1795]: GeoIP ISP (type 4) DB not available
    Jul 1 14:38:56 uk named[1795]: GeoIP Org (type 5) DB not available
    Jul 1 14:38:56 uk named[1795]: GeoIP AS (type 9) DB not available
    Jul 1 14:38:56 uk named[1795]: GeoIP Domain (type 11) DB not available
    Jul 1 14:38:56 uk named[1795]: GeoIP NetSpeed (type 10) DB not available

On Tue, Jul 1, 2014 at 8:33 PM, Jeremy C. Reed jr...@isc.org wrote:
>>     geoip-directory "/usr/share/GeoIP/GeoIP.dat";
>
> Should be a directory.
>
>> In zones:
>>
>>     acl US { geoip country US; };
>>     view US {
>>         match-clients { US; };   // Once I add this it throws the error below ***
>>         include "/etc/named.rfc1912.zones";
>>         include "/etc/dk.sites.list";
>>     };
>>
>> Once I add the match-clients line it throws the error below on starting:
>>
>>     /etc/named.conf:47: no GeoIP database installed which can answer queries of type 'country'
>>
>> geoiplookup ip.ip.ip.ip works, so I doubt that is the issue. I did try geoip-directory "/usr/share/GeoIP"; instead of the full path, but that did not make any difference.
>>
>> Any hints?
>
> Look at logs please. Do you have an "initializing GeoIP Country" line? Like:
>
>     30-Apr-2014 22:11:17.908 initializing GeoIP Country (IPv4) (type 1) DB
>
> Double-check that /usr/share/GeoIP/ is correct and that you have the correct database(s) there.
Re: Error when using GeoIP
On Tue, 1 Jul 2014, Ali Jawad wrote:

>     [root@uk etc]# ls -lart /usr/share/GeoIP/
>     -rw-r--r-- 1 root root 1206078 Jul 1 10:08 GeoIP.dat
>
> The output from the logs is:
>
>     Jul 1 14:38:56 uk named[1795]: using /usr/share/GeoIP as GeoIP directory
>     Jul 1 14:38:56 uk named[1795]: GeoIP Country (IPv4) (type 1) DB not available
>     Jul 1 14:38:56 uk named[1795]: GeoIP Country (IPv6) (type 12) DB not available

You may want to try another database. I use GeoLiteCity.dat for testing. Make a symlink to it named /usr/share/GeoIP/GeoIP.dat

Maybe your geoiplookup tool appears to work but is providing different results not identified as country? Does your geoiplookup output say "GeoIP Country Edition"?
Re: Error when using GeoIP
Hi Jeremy,

Yes it does, see below:

    [root@uk ~]# geoiplookup ip.ip.ip.ip
    GeoIP Country Edition: US, United States

A bummer though, as I have purchased the Maxmind Country edition. When I did try to install GeoLiteCity.dat I got the error below:

    file /usr/share/GeoIP/GeoIP.dat from install of geoip-geolite-2013.04-1.el6.noarch conflicts with file from package GeoIP-1.4.8-1.el6.x86_64

Is geoip-geolite not provided by Maxmind?

Regards

On Tue, Jul 1, 2014 at 8:56 PM, Jeremy C. Reed jr...@isc.org wrote:
> On Tue, 1 Jul 2014, Ali Jawad wrote:
>
>>     [root@uk etc]# ls -lart /usr/share/GeoIP/
>>     -rw-r--r-- 1 root root 1206078 Jul 1 10:08 GeoIP.dat
>>
>> The output from the logs is:
>>
>>     Jul 1 14:38:56 uk named[1795]: using /usr/share/GeoIP as GeoIP directory
>>     Jul 1 14:38:56 uk named[1795]: GeoIP Country (IPv4) (type 1) DB not available
>>     Jul 1 14:38:56 uk named[1795]: GeoIP Country (IPv6) (type 12) DB not available
>
> You may want to try another database. I use GeoLiteCity.dat for testing. Make a symlink to it named /usr/share/GeoIP/GeoIP.dat
>
> Maybe your geoiplookup tool appears to work but is providing different results not identified as country? Does your geoiplookup output say "GeoIP Country Edition"?
Re: Error when using GeoIP
Hi Ali

On Tue, Jul 01, 2014 at 08:41:32PM +0200, Ali Jawad wrote:
>     [root@uk etc]# ls -lart /usr/share/GeoIP/
>     -rw-r--r-- 1 root root 1206078 Jul 1 10:08 GeoIP.dat

Though this is not the problem causing the failure: this filesize looks too large for it to be the current country database GeoIP.dat (~600KB) and too small to be the current city database GeoLiteCity.dat (~17MB). Please check if this database is correct.

> The output from the logs is:
>
>     Jul 1 14:38:56 uk named[1795]: using /usr/share/GeoIP as GeoIP directory
>     Jul 1 14:38:56 uk named[1795]: GeoIP Country (IPv4) (type 1) DB not available

The codepath reporting this error does a stat() call inside the GeoIP library to check if the corresponding file exists. The named process would need permission to access this directory. Check the permissions on /usr/share/GeoIP/, etc.

Mukund
Re: Error when using GeoIP
Hi Mukund,

This is the paid version of the DB; tailing that file states:

    GEO-106 20140624 Build 1 Copyright (c) 2014 MaxMind Inc All Rights Reserved

As said, it does work with the geoiplookup tool. SELinux is disabled and permissions for files are default on a fresh system. See below for the GeoIP dir under /usr/share:

    drwxr-xr-x 2 root root 4096 Jul 1 10:11 GeoIP

BUT you sent me in the right direction: I am chrooting my named server, so naturally the location BIND is looking at is /var/named/chroot/usr/share/GeoIP, not /usr/share/GeoIP. So putting the GeoIP.dat file there actually worked!!

Now I only have to edit the cronjob to copy the updated GeoIP.dat file to the chroot when Maxmind updates.

Thanks!

Regards

On Tue, Jul 1, 2014 at 9:16 PM, Mukund Sivaraman m...@isc.org wrote:
> Hi Ali
>
> On Tue, Jul 01, 2014 at 08:41:32PM +0200, Ali Jawad wrote:
>>     [root@uk etc]# ls -lart /usr/share/GeoIP/
>>     -rw-r--r-- 1 root root 1206078 Jul 1 10:08 GeoIP.dat
>
> Though this is not the problem causing the failure: this filesize looks too large for it to be the current country database GeoIP.dat (~600KB) and too small to be the current city database GeoLiteCity.dat (~17MB). Please check if this database is correct.
>
>> The output from the logs is:
>>
>>     Jul 1 14:38:56 uk named[1795]: using /usr/share/GeoIP as GeoIP directory
>>     Jul 1 14:38:56 uk named[1795]: GeoIP Country (IPv4) (type 1) DB not available
>
> The codepath reporting this error does a stat() call inside the GeoIP library to check if the corresponding file exists. The named process would need permission to access this directory. Check the permissions on /usr/share/GeoIP/, etc.
>
> Mukund
Re: daemon warning
In message 53b2d903.4070...@thelounge.net, Reindl Harald writes:
> On 01.07.2014 17:46, Matus UHLAR - fantomas wrote:
>>>> You need to start named as root for it to be able to chroot. (Unless Solaris has some cunning fine-grained privilege feature I don't know about.)
>>
>> On 01.07.14 15:18, Stewart, Larry C Sr CTR DISA JITC (US) wrote:
>>> OK, so that was not a good troubleshooting technique; I was trying to determine what did not have the correct permissions and was thus causing the warning. I guess I will go ahead and run it the way I have been for the last 5 years, unless I find it is causing me problems.
>>
>> For now we have to trust BIND to properly bind(), chroot() and drop privileges...
>>
>> Does anyone know if there's a way to leave these (dropping privileges) to other programs, so BIND and similar apps won't have to implement this on their own? ... on Linux or other OSes? (Taking care of the security of a small program should be easier.)
>
> In theory: http://www.freedesktop.org/software/systemd/man/systemd.socket.html
>
> That way systemd opens the socket before the daemon is started (which could happen even on demand), and so the systemd unit could start the service process from the beginning with a low-privileged user. *But* I'm not sure how to deal with chroot in that context.
>
> However, we restrict most services like below, giving them only the needed capabilities and making /etc and /usr read-only, which greatly improves security:
>
>     PrivateTmp=true
>     TimeoutSec=25
>     Restart=always
>     RestartSec=1
>     CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT
>     ReadOnlyDirectories=/etc
>     ReadOnlyDirectories=/usr
>     InaccessibleDirectories=/boot
>     InaccessibleDirectories=/home
>     InaccessibleDirectories=/root

Firstly, systemd is a poor match for a nameserver. A nameserver is not the type of service it is designed to start.

Various OSes have different ways to let an unprivileged process open reserved ports, which is the primary reason for starting as root. Read your OS's documentation.

For FreeBSD I have the following in /etc/sysctl.conf:

    security.mac.portacl.port_high=1023
    net.inet.ip.portrange.reservedlow=0
    net.inet.ip.portrange.reservedhigh=0
    security.mac.portacl.suser_exempt=1
    security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53

and can start named chroot'd using the following if I wish:

    chroot -u bind -g bind /var/chroot/named /usr/sbin/named

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
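Two of the threads above end on the same lesson from different directions: a chrooted named resolves every path in named.conf inside the jail (the GeoIP database was only found once it was copied under /var/named/chroot), and the files it needs must be reachable by the uid it drops to, while chroot() and the temporary seteuid(0) only work when named was started as root in the first place ("Not owner" otherwise). The script below is an added example, not BIND code and not from any of the posters: it maps an in-jail path to its host location, walks every directory down from the chroot checking the classic owner/group/other mode bits for the target uid, and reports which of a list of paths named would fail to reach. The chroot directory, the uid 53, the path list and the throwaway jail built by make_demo_jail() are illustrative assumptions; POSIX ACLs, SELinux and Solaris privileges are deliberately out of scope.

```python
"""Pre-flight checks for a chrooted, privilege-dropping named.

Added example for the daemon-warning and GeoIP threads; not BIND code.
Models (1) path resolution after chroot(2) and (2) reachability of each
path by the post-drop uid, using classic DAC mode bits only.
"""
import os
import stat
import tempfile


def chroot_path(chroot, path):
    """Map an absolute in-jail path to where it lives on the host."""
    return os.path.join(chroot, path.lstrip("/"))


def dac_allows(st, uid, gids, want):
    """Classic Unix discretionary access check on an os.stat() result.

    want is a subset of "rwx". Like the kernel, uid 0 bypasses read and
    write checks and needs only some execute bit set for "x".
    """
    mode = st.st_mode
    if uid == 0:
        return "x" not in want or bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if st.st_uid == uid:
        bits = {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR}
    elif st.st_gid in gids:
        bits = {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP}
    else:
        bits = {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH}
    return all(mode & bits[c] for c in want)


def check_path(chroot, path, uid, gids, want="r"):
    """Return (host_path, problem); problem is None when uid can use it.

    Every directory on the way down from the chroot is checked for the
    search bit, so a 0700 parent is reported as well as a missing leaf.
    """
    host = chroot_path(chroot, path)
    cur = chroot.rstrip("/") or "/"
    comps = [c for c in path.split("/") if c]
    for i in range(len(comps) + 1):
        try:
            st = os.stat(cur)
        except FileNotFoundError:
            return host, "missing: %s" % cur
        leaf = i == len(comps)
        if not leaf and not stat.S_ISDIR(st.st_mode):
            return host, "not a directory: %s" % cur
        need = want if leaf else "x"
        if not dac_allows(st, uid, gids, need):
            return host, "uid %d lacks '%s' on %s" % (uid, need, cur)
        if not leaf:
            cur = os.path.join(cur, comps[i])
    return host, None


def preflight(chroot, uid, gids, needs):
    """Run the checks named would hit; needs maps in-jail path -> "r"/"rw"."""
    problems = []
    if os.geteuid() != 0:   # chroot() and the temporary seteuid(0) need root
        problems.append(("(start)", "not running as root: chroot() and seteuid(0) "
                                    "will fail with EPERM ('Not owner' on Solaris)"))
    for path, want in needs.items():
        host, problem = check_path(chroot, path, uid, gids, want)
        if problem:
            problems.append((path, problem))
    return problems


def make_demo_jail():
    """Build a throwaway jail (illustrative): readable GeoIP dir, 0700 key dir."""
    root = tempfile.mkdtemp(prefix="named-jail-")
    os.chmod(root, 0o755)
    for d in ("usr", "usr/share", "usr/share/GeoIP", "var", "var/run", "var/run/named"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
        os.chmod(os.path.join(root, d), 0o755)
    db = os.path.join(root, "usr/share/GeoIP/GeoIP.dat")
    open(db, "wb").close()
    os.chmod(db, 0o644)
    open(os.path.join(root, "var/run/named/session.key"), "wb").close()
    os.chmod(os.path.join(root, "var/run/named"), 0o700)   # too tight for -u <user>
    return root


if __name__ == "__main__":
    jail = make_demo_jail()
    needs = {"/usr/share/GeoIP/GeoIP.dat": "r",
             "/var/run/named/session.key": "r",
             "/etc/named.conf": "r"}            # absent in the demo jail on purpose
    for path, problem in preflight(jail, 53, [53], needs):
        print("%s: %s" % (path, problem))
```

Run against a real system with the chroot from `-t`, the uid and groups from `-u` and the paths named.conf references (geoip-directory, pid-file, session-keyfile, the zone directory); a clean run means the only remaining reason for "Not owner" is the launching user, which the "(start)" line reports directly.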