FreeBSD General: Other questions regarding FreeBSD which do not fit in any of the categories below.
Best way to check if freebsd server is running a nameserver service/daemon
Hi everyone,
I was recently assigned a project that requires me to fix up a FreeBSD webserver. I'm new to FreeBSD in general. One of the issues with the webserver is a very broad DNS issue. The domains that the client owns all point back to the webserver for their nameserver. As far as I can tell, it isn't running one, but I'm not 100% sure on this. To make matters worse, the admin who came before me had no clue what he was doing, so even if the server is running a nameserver... it cannot be trusted. What's the best way for me to figure out if the server is in fact running a nameserver daemon? I have root access to the server via SSH. Thanks for all of your help.
Check if the program 'named' is running and listening. I don't know off the top of my head if /etc/rc.d/named supports the status command or not (rc(8)), but finding out if it is running the hard way is still easy.
I'm not familiar with any of the dns/ apps in ports, so I can't say what name they would run under; but I'm sure someone here would point it out.
Code:
$ ps xa | grep named            # is named running?
$ cat /var/run/named/pid        # does the pid file exist?
$ netstat -n -p udp | grep 53   # is anything listening on the usual port?
Last edited by TerryP; 6th November 2008 at 12:47 AM. Reason: more info, for those not familiar with *nix / -p typo fix
Actually that was what I was looking for. Thanks so much.
Now I have to fix this godforsaken install of named. Lots of work to be done.
A nameserver will LISTEN on both UDP and TCP.
Code:
$ ssh j65nko@192.168.222.10 'netstat -an -f inet'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
ip         0      0  *.*                    *.*                    1
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.222.10.22      192.168.222.20.3160    ESTABLISHED
tcp        0      0  192.168.222.10.53      *.*                    LISTEN
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  127.0.0.1.8021         *.*                    LISTEN
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  10.0.0.200.30510       213.206.97.167.123
udp        0      0  10.0.0.200.14501       80.101.175.193.123
udp        0      0  192.168.222.10.123     *.*
udp        0      0  192.168.222.10.53      *.*
udp        0      0  *.514                  *.*
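The two replies above both come down to the same question: is anything bound to port 53, on which addresses, and on both UDP and TCP? The following is an added example, not code from TerryP's or j65nko's posts: a Python checker that parses BSD-style `netstat -an -f inet` output (host.port, with `*` for wildcards) and gives a verdict. The first sample is j65nko's output copied from the post above; the TCP-only and loopback-only samples are constructed here to show the two misconfigurations the checker flags. The script name `check53.py` in the usage comment is an assumption.

```python
import sys
from typing import List, NamedTuple, Tuple

# Sample "netstat -an -f inet" output, copied from j65nko's post above.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
ip         0      0  *.*                    *.*                    1
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.222.10.22      192.168.222.20.3160    ESTABLISHED
tcp        0      0  192.168.222.10.53      *.*                    LISTEN
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  127.0.0.1.8021         *.*                    LISTEN
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  10.0.0.200.30510       213.206.97.167.123
udp        0      0  10.0.0.200.14501       80.101.175.193.123
udp        0      0  192.168.222.10.123     *.*
udp        0      0  192.168.222.10.53      *.*
udp        0      0  *.514                  *.*
"""

# Constructed samples (not from the thread) for the two misconfigurations the
# checker flags: TCP without UDP, and a resolver bound to loopback only.
SAMPLE_TCP_ONLY = "tcp        0      0  10.0.0.1.53            *.*                    LISTEN\n"
SAMPLE_LOOPBACK = ("tcp4       0      0  127.0.0.1.53           *.*                    LISTEN\n"
                   "udp4       0      0  127.0.0.1.53           *.*\n")


class Sock(NamedTuple):
    proto: str        # "tcp" or "udp"
    local_host: str   # "*" for a wildcard bind
    local_port: int
    foreign: str
    state: str        # "LISTEN", "ESTABLISHED", ... or "" for UDP


def split_addr(field: str) -> Tuple[str, int]:
    """BSD netstat prints host.port; '*' stands for any host or any port."""
    host, _, port = field.rpartition(".")
    return host, (0 if port == "*" else int(port))


def parse_netstat(text: str) -> List[Sock]:
    socks = []
    for line in text.splitlines():
        parts = line.split()
        # Keep tcp/udp rows (FreeBSD prints tcp4/udp4/tcp6/udp6); drop the
        # headers and the raw "ip" socket row.
        if len(parts) < 5 or parts[0][:3] not in ("tcp", "udp"):
            continue
        host, port = split_addr(parts[3])
        state = parts[5] if len(parts) > 5 else ""
        socks.append(Sock(parts[0][:3], host, port, parts[4], state))
    return socks


def dns_listeners(socks: List[Sock]) -> List[Sock]:
    """Port 53 sockets that accept queries: TCP in LISTEN, or a UDP socket with
    no fixed peer (a bound but unconnected UDP socket shows '*.*' as foreign)."""
    return [s for s in socks if s.local_port == 53 and
            ((s.proto == "tcp" and s.state == "LISTEN") or
             (s.proto == "udp" and s.foreign == "*.*"))]


def nameserver_verdict(text: str) -> Tuple[bool, List[str], List[str]]:
    """Returns (something listens on 53, addresses it listens on, warnings)."""
    listeners = dns_listeners(parse_netstat(text))
    protos = {s.proto for s in listeners}
    addrs = sorted({s.local_host for s in listeners})
    warnings = []
    if listeners and "udp" not in protos:
        warnings.append("port 53 open on TCP only: ordinary UDP queries will fail")
    if listeners and "tcp" not in protos:
        warnings.append("port 53 open on UDP only: zone transfers (AXFR) and "
                        "answers that do not fit in UDP will fail")
    if listeners and all(a.startswith("127.") for a in addrs):
        warnings.append("port 53 bound to loopback only: this box cannot be the "
                        "public nameserver for the domains")
    return bool(listeners), addrs, warnings


if __name__ == "__main__":
    # Feed real output in:  netstat -an -f inet | python3 check53.py   (name assumed)
    running, addrs, warnings = nameserver_verdict(sys.stdin.read())
    print("nameserver listening:", running, "on", addrs or "nothing")
    for w in warnings:
        print("WARNING:", w)
```

Run against j65nko's output it reports a listener on 192.168.222.10 for both protocols and no warnings; a box with only a TCP listener, or one bound to 127.0.0.1, gets a warning explaining why the world will not see it as a nameserver. It only tells you that something is on port 53, not what; pair it with `ps` (or `sockstat -l` on FreeBSD) to identify the process.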
j65nko, thanks for that. It definitely helps.
Now I have to deal with domains that aren't resolving and a nameserver that is not being slaved to properly by the rest of the world. Joy!
I would not monitor the service internally. If it is a mission-critical server, think about situations when the box itself is down, a local connection problem, a firewall misconfiguration...
To get a fairly accurate result, the services should be monitored with cron from more than 2 remote servers. You can buy a hosting package with SSH access; otherwise, there are some websites that offer a cron service without any charge. If you want to get the best result from monitoring, consider the following aspects when writing the monitoring script:
- It is running and the status is OK, but is the returned result correct?
- Does it take long to respond?
...
Last edited by bsddaemon; 6th November 2008 at 12:40 AM.
Quote:
We'll probably use the nameservers at the datacenter that the website is hosted in (nac.net).
DNS master<->slave communication is the other case where TCP is being used. In case you run a packet filter, make sure that you allow both UDP and TCP.
Many problems relating to nameserver configuration are caused by the fact that the most popular nameserver, BIND, is a single monolithic program that implements two totally different types of nameservers.
It is a recommended practice to separate these two roles even if you are using BIND. See http://www.isc.org/pubs/tn/isc-tn-2002-2.html. On my local network I am using DJBDNS, which has two separate programs for these two roles: tinydns is the authoritative one, dnscache is the caching recursive resolver. They both run on a single box where the NIC has two IP addresses. dnscache listens on 192.168.222.10, while tinydns binds to 192.168.222.11. So I can directly query tinydns, which is the authoritative nameserver for my local domain utp.xnet. An example query:
Code:
$ dig +norecurse -t mx utp.xnet @192.168.222.11

; <<>> DiG 9.3.4 <<>> +norecurse -t mx utp.xnet @192.168.222.11
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21326
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;utp.xnet.                      IN      MX

;; ANSWER SECTION:
utp.xnet.               604800  IN      MX      0 mail.utp.xnet.

;; AUTHORITY SECTION:
utp.xnet.               259200  IN      NS      ns1.utp.xnet.

;; ADDITIONAL SECTION:
mail.utp.xnet.          604800  IN      A       192.168.222.10
ns1.utp.xnet.           259200  IN      A       192.168.222.11

;; Query time: 2 msec
;; SERVER: 192.168.222.11#53(192.168.222.11)
;; WHEN: Thu Nov 6 02:15:34 2008
;; MSG SIZE  rcvd: 97
In your case I would recommend following http://www.isc.org/pubs/tn/isc-tn-2002-2.html. That way you can easily first debug your authoritative nameservers and the master-slave stuff. The second step would be to do either a manual recursive trace starting from the DNS root servers, or, even easier, use http://www.squish.net/dnscheck/. This will check whether caching recursive resolvers get the proper referral to your authoritative nameserver(s).
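bsddaemon's monitoring points (is it answering at all, is the answer correct, how long does it take) and j65nko's `dig +norecurse` check (does the server answer with AA set from its own data, and is it offering recursion that an authoritative server should not) can be combined into one remote probe. The following is an added example, not code from either post: a Python script that builds a raw DNS query with RD clear, sends it over UDP, times the reply, parses it (including name-compression pointers, with a loop bound so a hostile reply cannot spin the parser) and lists every way the answer falls short. `build_response` is a constructed stand-in for the server so the parser and checks can be exercised offline; the zone data used with it is taken from j65nko's dig output. Function names such as `probe` and `check_answer` are this example's own. TCP retry for truncated answers and an AXFR check over TCP are left out.

```python
import random
import socket
import struct
import time

TYPE_A, TYPE_MX = 1, 15
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(qname, qtype, txid, rd=False):
    """One IN question. RD stays clear by default, like dig +norecurse, so an
    authoritative server is tested on its own data, not asked to recurse."""
    flags = 0x0100 if rd else 0
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just past it).
    The iteration bound stops a pointer loop in a hostile reply."""
    labels, end, jumped = [], None, False
    for _ in range(128):
        length = msg[off]
        if (length & 0xC0) == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2                            # resume here after the jump
            jumped, off = True, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name compression loop")
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                   # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        elif rtype == TYPE_MX:                            # (preference, exchange)
            rdata = (struct.unpack("!H", rdata[:2])[0], decode_name(msg, off + 2)[0])
        off += rdlen
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "answers": answers}


def check_answer(txid, resp, expected, want_authoritative=True):
    """expected: set of (rtype, rdata) that must be present. Returns the problems found."""
    missing = set(expected) - {(t, r) for _, t, _, r in resp["answers"]}
    checks = [
        (resp["id"] != txid, "transaction id mismatch: reply is not for our query"),
        (resp["rcode"] != "NOERROR", "rcode " + resp["rcode"]),
        (want_authoritative and not resp["aa"], "AA clear: server is not authoritative for the zone"),
        (want_authoritative and resp["ra"], "RA set: authoritative server also offers recursion (roles not separated)"),
        (bool(missing), "expected records missing: %s" % sorted(missing, key=str)),
    ]
    return [msg for bad, msg in checks if bad]


def build_response(query, answers, aa=True, ra=False, rcode=0):
    """Constructed stand-in for a server reply (offline use only): echoes the question
    and appends answers, pointing at the question name when the owner matches it."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, _ = decode_name(query, 12)
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    body = query[12:]
    for name, rtype, ttl, rdata in answers:
        owner = b"\xc0\x0c" if name == qname else encode_name(name)
        body += owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + body


def probe(server, qname, qtype, expected, timeout=2.0):
    """Send one UDP query from a monitoring host; returns (problems, elapsed_ms)."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.monotonic()
        s.sendto(build_query(qname, qtype, txid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return ["no reply within %.1f s" % timeout], timeout * 1000
        elapsed = (time.monotonic() - t0) * 1000
    return check_answer(txid, parse_response(data), expected), elapsed
```

From a cron job on each remote monitoring host, `probe("192.168.222.11", "utp.xnet", TYPE_MX, {(TYPE_MX, (0, "mail.utp.xnet."))})` reproduces j65nko's dig query and returns an empty problem list plus the round-trip time; any non-empty list, or a time above whatever threshold you pick, is the alert. Run the same probe with `want_authoritative=False` and `rd=True` against the caching resolver address to check the other role separately, which is exactly the split the ISC note recommends.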