[Pdns-users] How to debug / log more info about: pdns operation not permitted.

Stijn Jonker sjcjonker at sjc.nl
Fri Jun 17 17:43:15 UTC 2016

Hi all,

On 16 Jun 2016, at 7:19, Stijn Jonker wrote:

> On 16 Jun 2016, at 1:56, bert hubert wrote:
>> On Wed, Jun 15, 2016 at 09:41:29PM -0400, Stijn Jonker wrote:
>>> In my (small) home setup I have been running pdns/pdns-recursor for a
>>> couple of years, the pdns with the gmysql backend. Initially on Ubuntu
>>> and recently on CentOS 7. In both instances I receive the syslog
>>> messages shown below a couple of times a day. The total amount of
>>> queries is low, as it's a home network.
>>> Jun 15 04:12:03 emani pdns[2228]: Unable to send a packet to our
>>> recursing backend: Operation not permitted
>>> Jun 15 04:59:04 emani pdns[2228]: Unable to send a packet to our
>>> recursing backend: Operation not permitted
>>> A Google and mailing list search turned up some "Unable to send packet"
>>> messages, but none with the reason "Operation not permitted".
>> From when this happened historically, it was always iptables related on
>> Linux.
>> Can you double check if you might have an iptables rule that could be
>> involved? Note that iptables needs an explicit rule to know -i lo is ok!

> I do run iptables, via the shorewall script/tool, however it allows 
> the lo interface:

> But then I would expect an iptables log entry as well, based on the
> above config. It's not in the logs. The query which would trigger this
> error, can one expect it to be first received by pdns on port 53, and
> for a domain for which pdns is not authoritative? I'll run a tcpdump
> for the next day or so for port 53 (tcp+udp) and try to match the
> timestamps, and see if I can reproduce based on the query.

I ran tcpdump for both port 53 and 54 on the ethernet and lo interfaces,
trying to find a pattern, but I couldn't. Is there any other way of
tackling this, besides running in debug mode?

If not, I'll run pdns in debug mode for 24 hours and see if I can find a
Would "loglevel 9" and "log-dns-queries yes" in a separate log do it? Or
should I investigate the "don't use" control-console?


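An added example, not from this thread and not PowerDNS or Shorewall code: on Linux, a netfilter OUTPUT rule that DROPs or REJECTs a UDP datagram makes the sending process's sendto() fail with EPERM, which is exactly the "Operation not permitted" that pdns reports, and a dropped packet only produces a syslog line if a LOG rule sits in front of the terminating rule. The script below checks an "iptables -S OUTPUT" listing for both conditions. It assumes (my assumption, not stated in the mail) that the recursor listens on 127.0.0.1:54, so pdns talks to it over "lo". The two listings in the script are constructed samples, not captured from the poster's host.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Inspects an
# "iptables -S OUTPUT" listing for the rule order that turns a loopback
# sendto() into EPERM ("Operation not permitted") and for whether such a
# drop would ever reach syslog.
#
# Assumption (not in the original mail): pdns forwards to a recursor on
# 127.0.0.1:54, i.e. the packet leaves via "-o lo".

# Constructed sample listings, not taken from the poster's firewall.
SAMPLE_GOOD='-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUT-DROP "
-A OUTPUT -j DROP'

# No loopback rule; only port 53 is allowed out, so a query to :54 is
# dropped by the catch-all rule and nothing is logged first.
SAMPLE_BAD='-P OUTPUT DROP
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -j DROP'

# lo_accepted_before_drop LISTING
# Returns 0 if an "-o lo ... -j ACCEPT" rule precedes the first DROP/REJECT
# that could match loopback traffic (a DROP/REJECT bound to some other
# "-o" interface is skipped), or if no such rule exists and the chain
# policy is ACCEPT. Returns 1 otherwise: that is the EPERM case.
lo_accepted_before_drop() {
    printf '%s\n' "$1" | awk '
        /^-P OUTPUT ACCEPT/ { policy_accept = 1 }
        /^-A OUTPUT / && /-o lo / && /-j ACCEPT/ { found = 1; exit }
        /^-A OUTPUT / && /-j (DROP|REJECT)/ {
            if ($0 ~ /-o / && $0 !~ /-o lo /) next   # other interface only
            blocked = 1; exit
        }
        END { if (found || (!blocked && policy_accept)) exit 0; exit 1 }'
}

# drop_is_logged LISTING
# Returns 0 if a "-j LOG" rule appears before the first DROP/REJECT in
# OUTPUT, 1 otherwise. Without it a silent drop leaves no syslog trace,
# which is why a missing log line does not rule out iptables.
drop_is_logged() {
    printf '%s\n' "$1" | awk '
        /^-A OUTPUT / && /-j LOG/ { logged = 1 }
        /^-A OUTPUT / && /-j (DROP|REJECT)/ { exit }
        END { if (logged) exit 0; exit 1 }'
}

# report NAME LISTING: human-readable summary of both checks.
report() {
    if lo_accepted_before_drop "$2"; then
        printf '%s: loopback output accepted before any drop\n' "$1"
    else
        printf '%s: loopback output can be dropped -> sendto() EPERM\n' "$1"
    fi
    if drop_is_logged "$2"; then
        printf '%s: drops are logged\n' "$1"
    else
        printf '%s: drops are silent (no LOG rule before DROP/REJECT)\n' "$1"
    fi
}

# Stand-alone use: "iptables -S OUTPUT > out.rules; sh check.sh out.rules".
# With no argument, run against the constructed samples.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    report "$1" "$(cat "$1")"
elif [ -z "${1:-}" ]; then
    report good "$SAMPLE_GOOD"
    report bad "$SAMPLE_BAD"
fi
```

On the live host, "iptables -nvL OUTPUT" additionally shows per-rule packet counters, so a DROP counter that ticks up at the timestamps of the pdns messages is a direct confirmation; and "strace -f -e trace=sendto,sendmsg -p $(pidof pdns_server)" shows the failing call together with the destination address and port, which answers the question of which backend the packet was headed for without turning on loglevel 9.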