[Pdns-users] How to debug / log more info about: pdns operation not permitted.
Stijn Jonker
sjcjonker at sjc.nl
Thu Jun 16 11:19:31 UTC 2016
On 16 Jun 2016, at 1:56, bert hubert wrote:
> On Wed, Jun 15, 2016 at 09:41:29PM -0400, Stijn Jonker wrote:
>> Hi all,
>>
>> In my (small) home setup I have been running for a couple years
>> pdns/pnds-recursor. The pdns with the gmysql backend.
>>
>> Initially on ubuntu and recently on Centos7. In both instances I
>> receive these, as shown below, syslog messages a couple times a day.
>> The total amount of queries is low, as it's a home network.
>>
>> Jun 15 04:12:03 emani pdns[2228]: Unable to send a packet to our
>> recursing backend: Operation not permitted
>> Jun 15 04:59:04 emani pdns[2228]: Unable to send a packet to our
>> recursing backend: Operation not permitted
>>
>> A google and maillist search turned up some "Unable to send packet"
>> but none with the reason "Operation not permitted"
>
> From when this happened historically, it was always iptables related
> on Linux.
>
> I can't explain why this would be an intermittent error though.
>
> Can you double check if you might have an iptables rule that could be
> involved? Note that iptables needs an explicit rule to know -i lo is
> ok!
>
Hi Bert,
I do run iptables, via the shorewall script/tool, however it allows the
lo interface:
[root at emani ~]# iptables -L INPUT -xvn
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 2010021  663456860 net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
   16651    1140248 ovpn2fw    all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
  334986   83138338 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       0          0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "FW:INPUT:REJECT:"
       0          0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto]
[root at emani ~]# iptables -L OUTPUT -xvn
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 1846783 1246599737 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   15843    2025141 fw2ovpn    all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
  335062   83143594 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
       0          0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "FW:OUTPUT:REJECT:"
       0          0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto]
Except in the forward chain, but I don't expect that to be the issue:
[root at emani ~]# iptables -L FORWARD -xvn
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  475342  590046990 net_frwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  419773   69020670 ovpn_frwd  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
       0          0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "FW:FORWARD:REJECT:"
       0          0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            [goto]
But then I would expect an iptables log entry as well, based on the
above config. It's not in the logs. The query which would trigger this
error: can one expect it to be first received by pdns on port 53, and
for a domain for which pdns is not authoritative? I'll run a tcpdump for
the next day or so then for port 53 (tcp+udp) and try to match the
timestamps otherwise and see if I can reproduce based on the query.
Thx,
Stijn
--
Yours Sincerely / Met Vriendelijke groet,
Stijn Jonker
SJCJonker at SJC.nl
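As an added example that is not part of this thread: a small Python script doing the timestamp matching Stijn describes, correlating each pdns "Unable to send a packet to our recursing backend" syslog line with any shorewall/iptables LOG entries carrying the "FW:OUTPUT:REJECT:" prefix from the OUTPUT chain above, within a few seconds of it. The syslog lines, the year 2016 and the destination port 5300 are constructed assumptions, not data from the original mails.

```python
import re
from datetime import datetime

PDNS_ERR = "Unable to send a packet to our recursing backend"
FW_PREFIX = "FW:OUTPUT:REJECT:"   # LOG prefix of the OUTPUT chain shown above
SYSLOG_RE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")   # IN= OUT=lo SRC=... DST=... PROTO=... SPT= DPT=

# Constructed sample syslog (not from the post): two pdns errors, one of which has a
# firewall reject on lo at the same second, plus an unrelated reject on eth0.
SAMPLE_SYSLOG = """\
Jun 15 04:12:03 emani pdns[2228]: Unable to send a packet to our recursing backend: Operation not permitted
Jun 15 04:12:03 emani kernel: FW:OUTPUT:REJECT:IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=UDP SPT=53 DPT=5300
Jun 15 04:30:10 emani kernel: FW:OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.2 DST=203.0.113.9 PROTO=TCP SPT=44332 DPT=443
Jun 15 04:59:04 emani pdns[2228]: Unable to send a packet to our recursing backend: Operation not permitted
"""


def parse_syslog(text, year=2016):
    """Yield (timestamp, host, message) for classic syslog lines; year is assumed."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2), m.group(3)


def correlate(text, window=2):
    """Map each pdns error time ('HH:MM:SS') to the firewall REJECT lines logged
    within +/- window seconds, each parsed into a dict of KEY=value fields."""
    events = list(parse_syslog(text))
    rejects = [(ts, msg) for ts, _, msg in events if FW_PREFIX in msg]
    hits = {}
    for ts, _, msg in events:
        if PDNS_ERR not in msg:
            continue
        hits[ts.strftime("%H:%M:%S")] = [
            dict(KV_RE.findall(rmsg))
            for rts, rmsg in rejects
            if abs((rts - ts).total_seconds()) <= window
        ]
    return hits


if __name__ == "__main__":
    for when, near in correlate(SAMPLE_SYSLOG).items():
        print(f"{when}: {len(near)} firewall reject(s) within window")
        for f in near:
            print(f"   OUT={f.get('OUT')} {f.get('SRC')}:{f.get('SPT')} -> "
                  f"{f.get('DST')}:{f.get('DPT')} {f.get('PROTO')}")
```

A pdns error with zero nearby rejects means the firewall LOG rule never fired, which is the situation Stijn reports; one with a reject on OUT=lo points straight at the offending rule.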