DNS Proxy agent problems

I've had this happen now twice and I'm scratching my head.

 

Sophos UTM SG210 9.700-5

6 VLANs use the Sophos for DNS. The forwarders on the Sophos point back to domain controllers. Usually everything 'just works' but twice now I've had an issue where when you look at the packet filter logs you see devices on one subnet having their traffic dropped/blocked when trying to hit the Sophos VLAN IP on port 53. When looking at DNS Proxy live log you see BIND trying to restart itself over and over, and failing:

2020:02:17-10:59:16 cyph-bhm01 named[14430]: loading configuration from '//etc/named.conf'
2020:02:17-10:59:16 cyph-bhm01 named[14430]: //etc/named.conf:343: zone 'cunknown-1': already exists previous definition: //etc/named.conf:203
2020:02:17-10:59:16 cyph-bhm01 named[14430]: loading configuration: failure
2020:02:17-10:59:16 cyph-bhm01 named[14430]: exiting (due to fatal error)

 

When this happens I have to ssh in and delete the duplicate 'cunknown-1' entry in:

/var/sec/chroot-bind/etc/named.conf

 

and then restart BIND with:

/var/mdw/scripts/named restart

 

 

After that BIND loads properly and all VLANs can use the Sophos as their DNS resolver

The firewall has been rebooted but the problem persists. In both cases I've left the first entry on line 203 alone and deleted the duplicated entry on line 343. There is also another 'unknown' on line 287 that doesn't appear to break anything:

line 203:
    zone "cunknown-1." IN {
                    type master;
                    file "static/cunknown-1..zone";
                    check-names ignore;
                    allow-update { none; };
    };


line 287:
    zone "cunknown-1.unknown" IN {
                    type master;
                    file "static/cunknown-1.unknown.zone";
                    check-names ignore;
                    allow-update { none; };
    };


line 343:
    zone "cunknown-1" IN {
                    type master;
                    file "static/cunknown-1.zone";
                    check-names ignore;
                    allow-update { none; };
    };

 

I've done some Google-fu but my skills are weak. I was unable to find any explicit matches with this error on Sophos UTM.



This thread was automatically locked due to age.
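As an added example (not part of the original post and not Sophos code), the check below shows why the entries on lines 203 and 343 collide while line 287 does not: BIND compares zone names without regard to letter case or a trailing dot. The function names, the constructed sample config, and the one-zone-per-line, no-views assumptions belong to this example.

```shell
#!/bin/sh
# Added example (not Sophos code): list zone statements that BIND treats as
# the same zone. Zone names are absolute DNS names, so they compare
# case-insensitively and a trailing dot makes no difference.
# Assumes one 'zone "name"' per line and no views (hypothetical helper names).

find_dup_zones() {   # $1 = path to a named.conf; exit status 1 if duplicates
    awk '
    /^[ \t]*zone[ \t]+"[^"]*"/ {
        match($0, /"[^"]*"/)
        raw = substr($0, RSTART + 1, RLENGTH - 2)
        key = tolower(raw)
        if (key != ".") sub(/\.$/, "", key)   # "cunknown-1." -> "cunknown-1"
        if (key in first) {
            printf "%d: zone \"%s\" duplicates line %d (\"%s\")\n", NR, raw, first[key], name[key]
            dups++
        } else {
            first[key] = NR
            name[key] = raw
        }
    }
    END { exit (dups > 0) }
    ' "$1"
}

sample_conf() {   # constructed sample: the three stanzas quoted in the post
    cat <<'EOF'
zone "cunknown-1." IN {
    type master;
    file "static/cunknown-1..zone";
};
zone "cunknown-1.unknown" IN {
    type master;
    file "static/cunknown-1.unknown.zone";
};
zone "cunknown-1" IN {
    type master;
    file "static/cunknown-1.zone";
};
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
find_dup_zones "$tmp" || echo "named would refuse to load this configuration"
rm -f "$tmp"
```

Pointed at `/var/sec/chroot-bind/etc/named.conf`, the function reports the line to inspect before `/var/mdw/scripts/named restart` is run. Where BIND's `named-checkconf` is installed, it reports the same error without starting the daemon.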
  • Hi  

    If you have a valid support license, I'd ask you to create a case with Sophos Support to identify the root cause of the issue, since it looks like something or some manual DNS entries are causing the DNS service to restart.

    Also, have you checked the selfmon.log at the time when the issue occurs? What does it say? 

    Regards

    Jaydeep

  • Jaydeep,

     

    Thanks for the reply. The device does have an active support subscription; I just figured I'd toss the question here before starting a ticket.

     

    Here are the DNS Proxy and the Self Monitoring logs:

     

    --------------


    2020:02:14-16:57:39 cyph-bhm01 named[12182]: clients-per-query decreased to 12
    2020:02:14-17:14:24 cyph-bhm01 named[12182]: REFUSED unexpected RCODE resolving 'sy.eu.angsrvr.com/A/IN': 205.251.193.20#53
    2020:02:14-17:14:24 cyph-bhm01 named[12182]: REFUSED unexpected RCODE resolving 'sy.eu.angsrvr.com/A/IN': 205.251.198.73#53
    2020:02:14-17:14:24 cyph-bhm01 named[12182]: REFUSED unexpected RCODE resolving 'sy.eu.angsrvr.com/A/IN': 205.251.195.248#53
    2020:02:14-17:14:25 cyph-bhm01 named[12182]: REFUSED unexpected RCODE resolving 'sy.eu.angsrvr.com/A/IN': 205.251.196.193#53
    2020:02:14-17:17:39 cyph-bhm01 named[12182]: clients-per-query decreased to 11
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: starting BIND 9.11.3 (Extended Support Version) <id:a375815>
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: running on Linux x86_64 3.12.74-0.327535988.gc5bb1a9-smp64 #1 SMP Wed Jul 3 10:39:28 UTC 2019
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: built with '--prefix=/' '--sbindir=/usr/sbin' '--with-randomdev=/dev/urandom' '--with-libxml2=no' '--without-idn' '--disable-libbind' '--without-kame' 'CFLAGS=-march=i686 -mtune=i686 -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g'
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: running as: named -4
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: ----------------------------------------------------
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: BIND 9 is maintained by Internet Systems Consortium,
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: corporation.  Support and training for BIND 9 are
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: available at https://www.isc.org/support
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: ----------------------------------------------------
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: adjusted limit on open files from 4096 to 1048576
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: found 1 CPU, using 1 worker thread
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: using 1 UDP listener per interface
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: using up to 4096 sockets
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: loading configuration from '//etc/named.conf'
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: //etc/named.conf:343: zone 'cunknown-1': already exists previous definition: //etc/named.conf:203
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: loading configuration: failure
    2020:02:14-17:59:57 cyph-bhm01 named[6933]: exiting (due to fatal error)
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: starting BIND 9.11.3 (Extended Support Version) <id:a375815>
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: running on Linux x86_64 3.12.74-0.327535988.gc5bb1a9-smp64 #1 SMP Wed Jul 3 10:39:28 UTC 2019
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: built with '--prefix=/' '--sbindir=/usr/sbin' '--with-randomdev=/dev/urandom' '--with-libxml2=no' '--without-idn' '--disable-libbind' '--without-kame' 'CFLAGS=-march=i686 -mtune=i686 -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g'
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: running as: named -4
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: ----------------------------------------------------
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: BIND 9 is maintained by Internet Systems Consortium,
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: corporation.  Support and training for BIND 9 are
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: available at https://www.isc.org/support
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: ----------------------------------------------------
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: adjusted limit on open files from 4096 to 1048576
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: found 1 CPU, using 1 worker thread
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: using 1 UDP listener per interface
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: using up to 4096 sockets
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: loading configuration from '//etc/named.conf'
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: //etc/named.conf:343: zone 'cunknown-1': already exists previous definition: //etc/named.conf:203
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: loading configuration: failure
    2020:02:14-18:00:29 cyph-bhm01 named[7342]: exiting (due to fatal error)
    2020:02:14-18:01:01 cyph-bhm01 named[7386]: starting BIND 9.11.3 (Extended Support Version) <id:a375815>


    --------------



    2020:02:14-00:31:06 cyph-bhm01 selfmonng[4507]: I check Failed increment ntpd_running counter 1 - 3
    2020:02:14-03:31:08 cyph-bhm01 selfmonng[4507]: I check Failed increment ntpd_running counter 1 - 3
    2020:02:14-17:25:07 cyph-bhm01 selfmonng[4507]: I check Failed increment dbus_running counter 1 - 3
    2020:02:14-17:25:12 cyph-bhm01 selfmonng[4507]: I check Failed increment dbus_running counter 2 - 3
    2020:02:14-17:25:17 cyph-bhm01 selfmonng[4507]: W check Failed increment dbus_running counter 3 - 3
    2020:02:14-17:25:17 cyph-bhm01 selfmonng[4507]: [INFO-146] Dbus (application device bus) system daemon not running - restarted
    2020:02:14-17:25:17 cyph-bhm01 selfmonng[4507]: W NOTIFYEVENT Name=dbus_running Level=INFO Id=146 sent
    2020:02:14-17:25:17 cyph-bhm01 selfmonng[4507]: W triggerAction: 'cmd'
    2020:02:14-17:25:17 cyph-bhm01 selfmonng[4507]: W actionCmd(+):  '/etc/init.d/dbus restart'
    2020:02:14-17:25:17 cyph-bhm01 selfmonng[4507]: W child returned status: exit='0' signal='0'
    2020:02:14-17:59:35 cyph-bhm01 selfmonng[4440]: T Selfmonitor Daemon successfully started
    2020:02:14-17:59:35 cyph-bhm01 selfmonng[4440]: T Loading Selfmonitoring Checks complete  new=93 failed=0 retained=0 dropped=0
    2020:02:14-17:59:45 cyph-bhm01 selfmonng[4440]: I check Failed increment pluto_running counter 1 - 15<30>Feb 14 17:59:45 selfmonng[4440]: I check Failed increment starter_running counter 1 - 3
    2020:02:14-17:59:45 cyph-bhm01 selfmonng[4440]: I check Failed increment named_running counter 1 - 3
    2020:02:14-17:59:50 cyph-bhm01 selfmonng[4440]: I check Failed increment named_running counter 2 - 3
    2020:02:14-17:59:55 cyph-bhm01 selfmonng[4440]: W check Failed increment named_running counter 3 - 3
    2020:02:14-17:59:55 cyph-bhm01 selfmonng[4440]: [INFO-119] Named not running - restarted
    2020:02:14-17:59:55 cyph-bhm01 selfmonng[4440]: W NOTIFYEVENT Name=named_running Level=INFO Id=119 sent
    2020:02:14-17:59:55 cyph-bhm01 selfmonng[4440]: W triggerAction: 'cmd'
    2020:02:14-17:59:55 cyph-bhm01 selfmonng[4440]: W actionCmd(+):  '/var/mdw/scripts/named restart'
    2020:02:14-17:59:57 cyph-bhm01 selfmonng[4440]: W child returned status: exit='1' signal='0'
    2020:02:14-18:00:02 cyph-bhm01 selfmonng[4440]: I check Failed increment named_running counter 1 - 3
    2020:02:14-18:00:05 cyph-bhm01 selfmonng[4440]: T read config file '/etc/selfmonng.conf'
    2020:02:14-18:00:07 cyph-bhm01 selfmonng[4440]: I check Failed increment named_running counter 2 - 3
    2020:02:14-18:00:12 cyph-bhm01 selfmonng[4440]: W check Failed increment named_running counter 3 - 3
    2020:02:14-18:00:12 cyph-bhm01 selfmonng[4440]: W NOTIFYEVENT Name=named_running Level=INFO Id=119 suppressed
    2020:02:14-18:00:12 cyph-bhm01 selfmonng[4440]: W triggerAction: 'cmd'
    2020:02:14-18:00:12 cyph-bhm01 selfmonng[4440]: W actionCmd(-):  '/var/mdw/scripts/named restart'
    2020:02:14-18:00:17 cyph-bhm01 selfmonng[4440]: I check Failed increment named_running counter 1 - 3
    2020:02:14-18:00:22 cyph-bhm01 selfmonng[4440]: I check Failed increment named_running counter 2 - 3
    2020:02:14-18:00:27 cyph-bhm01 selfmonng[4440]: W check Failed increment named_running counter 3 - 3
    2020:02:14-18:00:27 cyph-bhm01 selfmonng[4440]: W NOTIFYEVENT Name=named_running Level=INFO Id=119 suppressed
    2020:02:14-18:00:27 cyph-bhm01 selfmonng[4440]: W triggerAction: 'cmd'
    2020:02:14-18:00:27 cyph-bhm01 selfmonng[4440]: W actionCmd(+):  '/var/mdw/scripts/named restart'
    2020:02:14-18:00:29 cyph-bhm01 selfmonng[4440]: W child returned status: exit='1' signal='0'
    2020:02:14-18:00:34 cyph-bhm01 selfmonng[4440]: I check Failed increment named_running counter 1 - 3
    2020:02:14-18:00:39 cyph-bhm01 selfmonng[4440]: I check Failed increment named_running counter 2 - 3
    2020:02:14-18:00:44 cyph-bhm01 selfmonng[4440]: W check Failed increment named_running counter 3 - 3
    2020:02:14-18:00:44 cyph-bhm01 selfmonng[4440]: W NOTIFYEVENT Name=named_running Level=INFO Id=119 suppressed
    2020:02:14-18:00:44 cyph-bhm01 selfmonng[4440]: W triggerAction: 'cmd'
    2020:02:14-18:00:44 cyph-bhm01 selfmonng[4440]: W actionCmd(-):  '/var/mdw/scripts/named restart'

  • Hi  

    I'd recommend creating a case with Sophos Support. You may find coredumps for the named (DNS) service under /var/storage/cores; if so, please create a case with Sophos Support to identify the issue.

    Regards

    Jaydeep

  • Does changing your configuration to that recommended in DNS best practice give you a better result?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA