Package: bind9
Version: 1:9.3.4-2etch3
Severity: normal

Since the last security update, all non-cached queries return server failure. The server only has IPv4 connectivity and goes through NAT to speak with the outside.

| ; <<>> DiG 9.5.0 <<>> heise.de aaaa
| ;; global options: printcmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24948
| ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
|
| ;; QUESTION SECTION:
| ;heise.de. IN AAAA
|
| ;; Query time: 192 msec
| ;; SERVER: 10.42.4.18#53(10.42.4.18)
| ;; WHEN: Fri Jul 11 21:41:28 2008
| ;; MSG SIZE rcvd: 26

It needed some time to find the problem. bind was not able to bind the port for outgoing requests but does not log anything about that.

| Jul 11 20:25:38 service named[1327]: starting BIND 9.3.4-P1.1 -u bind
| Jul 11 20:25:38 service named[1327]: found 1 CPU, using 1 worker thread
| Jul 11 20:25:38 service named[1327]: loading configuration from '/etc/bind/named.conf'
| Jul 11 20:25:38 service named[1327]: listening on IPv4 interface lo, 127.0.0.1#53
| Jul 11 20:25:38 service named[1327]: listening on IPv4 interface eth0, 10.42.4.18#53
| Jul 11 20:25:38 service named[1327]: command channel listening on 127.0.0.1#953
| Jul 11 20:25:38 service named[1327]: command channel listening on ::1#953
| Jul 11 20:25:38 service named[1327]: zone 0.in-addr.arpa/IN: loaded serial 1
| Jul 11 20:25:38 service named[1327]: zone 42.10.in-addr.arpa/IN: loaded serial 1
| Jul 11 20:25:38 service named[1327]: zone 127.in-addr.arpa/IN: loaded serial 1
| Jul 11 20:25:38 service named[1327]: zone 255.in-addr.arpa/IN: loaded serial 1
[...]
| Jul 11 20:25:38 service named[1327]: zone localhost/IN: loaded serial 1
| Jul 11 20:25:38 service named[1327]: running
| Jul 11 20:25:48 service kernel: eth0: no IPv6 routers present
| Jul 11 20:25:56 service kernel: audit(1215807956.613:3): avc: denied { name_bind } for pid=1328 comm="named" src=24589 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
| Jul 11 20:25:56 service kernel: audit(1215807956.617:4): avc: denied { name_bind } for pid=1328 comm="named" src=25601 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
| Jul 11 20:27:28 service named[1327]: shutting down: flushing changes
| Jul 11 20:27:28 service named[1327]: stopping command channel on 127.0.0.1#953
| Jul 11 20:27:28 service named[1327]: stopping command channel on ::1#953
| Jul 11 20:27:28 service named[1327]: no longer listening on 127.0.0.1#53
| Jul 11 20:27:28 service named[1327]: no longer listening on 10.42.4.18#53
| Jul 11 20:27:28 service named[1327]: exiting

Bastian

-- 
Conquest is easy. Control is not.
		-- Kirk, "Mirror, Mirror", stardate unknown
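Added example, not part of the original report: since named itself logs nothing about the failed bind, the only trace is the kernel's AVC lines, so this sketch pulls the name_bind denials for one process out of a syslog excerpt and groups the refused source ports by SELinux context. The function names and the ntpd line are constructed for illustration; the two named denials are copied from the log quoted above.

```python
import re
from collections import defaultdict

# Two AVC lines copied from the report above, plus one constructed line
# (comm="ntpd") to show that unrelated denials are filtered out.
SAMPLE_LOG = '''\
Jul 11 20:25:38 service named[1327]: running
Jul 11 20:25:56 service kernel: audit(1215807956.613:3): avc: denied { name_bind } for pid=1328 comm="named" src=24589 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 11 20:25:56 service kernel: audit(1215807956.617:4): avc: denied { name_bind } for pid=1328 comm="named" src=25601 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Jul 11 20:26:01 service kernel: audit(1215807961.100:5): avc: denied { read } for pid=1400 comm="ntpd" name="drift" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''

# "avc: denied { perm ... } for key=value ..." (tolerates variable spacing)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial line as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def bind_denials(log_text, comm="named"):
    """Group name_bind denials for `comm` by (scontext, tcontext, tclass)."""
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if not avc or avc.get("comm") != comm or "src" not in avc:
            continue
        if "name_bind" not in avc["perms"]:
            continue
        key = (avc.get("scontext"), avc.get("tcontext"), avc.get("tclass"))
        grouped[key].append(int(avc["src"]))
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for (scon, tcon, tclass), ports in bind_denials(SAMPLE_LOG).items():
        print(f"{scon} -> {tcon} ({tclass}): name_bind denied on ports {ports}")
```

On the sample it reports named_t being refused name_bind on UDP ports 24589 and 25601, both labelled with the generic port_t type.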