[Pdns-users] How to debug / log more info about: pdns operation not permitted.

Stijn Jonker sjcjonker at sjc.nl
Sat Jun 18 23:02:13 UTC 2016


Hi all,

small update below:

On 17 Jun 2016, at 13:43, Stijn Jonker wrote:

> Hi all,
>
> On 16 Jun 2016, at 7:19, Stijn Jonker wrote:
>
>> On 16 Jun 2016, at 1:56, bert hubert wrote:
>>
>>> On Wed, Jun 15, 2016 at 09:41:29PM -0400, Stijn Jonker wrote:
>>>> In my (small) home setup I have been running for a couple years 
>>>> pdns/pdns-recursor. The pdns with the gmysql backend.
>>>>
>>>> Initially on ubuntu and recently on Centos7. In both instances I 
>>>> receive these, as shown below, syslog messages a couple times a 
>>>> day.
>>>>
>>>> Jun 15 04:59:04 emani pdns[2228]: Unable to send a packet to our 
>>>> recursing backend: Operation not permitted
>>>
>>> From when this happened historically, it was always iptables related 
>>> on Linux.
>>
>> I do run iptables, via the shorewall script/tool, however it allows 
>> the lo interface:
>>
>
> I ran tcpdump for both port 53 and 54 on the ethernet and lo interface 
> trying to find a pattern, but I couldn't. Is there any other way of 
> tackling this, besides running in debug mode?
>
> If not I'll run pdns in debug mode for 24 hours and see if I can find 
> a pattern.

The query log didn't show anything that could cause it either. I now 
added some rules to the shorewall setup in /etc/shorewall/start to not 
track port 54/udp on lo, and 53/udp on any interface. They follow the 
example on the tuning page for pdns, but I added three lines for 53/udp 
as in my setup it also routes/forwards.

# 53/udp: accept answers leaving the host, and forwarded DNS in both directions
iptables -I OUTPUT -p udp --sport 53 -j ACCEPT
iptables -I FORWARD -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -p udp --sport 53 -j ACCEPT

The same for the lo interface:
# 54/udp on lo (pdns -> recursor): skip conntrack in the raw table, then accept in the filter table
iptables -t raw -I OUTPUT -o lo -p udp --dport 54 -j NOTRACK
iptables -t raw -I OUTPUT -o lo -p udp --sport 54 -j NOTRACK
iptables -t raw -I PREROUTING -i lo -p udp --dport 54 -j NOTRACK
iptables -t raw -I PREROUTING -i lo -p udp --sport 54 -j NOTRACK
iptables -I INPUT -i lo -p udp --dport 54 -j ACCEPT
iptables -I INPUT -i lo -p udp --sport 54 -j ACCEPT
iptables -I OUTPUT -o lo -p udp --dport 54 -j ACCEPT
iptables -I OUTPUT -o lo -p udp --sport 54 -j ACCEPT

Curious to see if this will fix it. I'll keep you informed.

Did some graphing in the meantime with the Grafana frontend and the 
carbon-server option; max recursive queries are (don't laugh) 287 per 
reporting interval (default of 30 sec) :-) so it's not really load 
related, but it could still be the fix of course.

Stijn
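The thread asks how to get more information about these errors without running pdns in debug mode. On Linux, sendto() returns EPERM ("Operation not permitted") when netfilter drops a locally generated packet, which happens both when an OUTPUT rule drops it and when the conntrack table is full (the kernel then logs "nf_conntrack: table full, dropping packet"). The script below is an added example, not code from the thread or from PowerDNS: it parses classic syslog lines, marks each pdns EPERM event as explained or not by a nearby conntrack message, and buckets the events by hour to look for the pattern the poster was after. The sample log lines are constructed for the example (the host name and pid mirror the one real line quoted above), the year 2016 is supplied because classic syslog omits it, and the 30-second correlation window is an assumption.

```python
"""Correlate pdns 'Operation not permitted' send errors with kernel
conntrack messages in syslog, and bucket them by hour to look for a
pattern.  Added example for this thread; not PowerDNS code."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample syslog excerpt (not the poster's real log).  The
# kernel lines are what nf_conntrack logs when its table is full; a
# full table drops locally generated packets, which sendto() reports
# as EPERM ("Operation not permitted"), the error pdns relays.
SAMPLE_SYSLOG = """\
Jun 15 04:58:59 emani kernel: nf_conntrack: table full, dropping packet
Jun 15 04:59:04 emani pdns[2228]: Unable to send a packet to our recursing backend: Operation not permitted
Jun 15 04:59:05 emani pdns[2228]: Unable to send a packet to our recursing backend: Operation not permitted
Jun 15 11:30:10 emani pdns[2228]: Unable to send a packet to our recursing backend: Operation not permitted
Jun 15 17:02:41 emani kernel: nf_conntrack: table full, dropping packet
Jun 15 17:02:43 emani pdns[2228]: Unable to send a packet to our recursing backend: Operation not permitted
"""

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
EPERM_MSG = ("Unable to send a packet to our recursing backend: "
             "Operation not permitted")
CONNTRACK_FULL = "nf_conntrack: table full"


def parse_syslog(text, year=2016):
    """Return (timestamp, program, message) tuples.  Classic syslog has
    no year, so one is supplied (2016 here, matching the thread)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["prog"], m["msg"]))
    return events


def correlate(events, window=timedelta(seconds=30)):
    """For every pdns EPERM event, record whether a conntrack 'table full'
    message was logged within `window` before it.  The window is an
    assumption: the kernel rate-limits that message, so the offset
    between the two lines varies."""
    full_ts = [ts for ts, prog, msg in events
               if prog == "kernel" and CONNTRACK_FULL in msg]
    results = []
    for ts, prog, msg in events:
        if prog == "pdns" and msg == EPERM_MSG:
            explained = any(ts - window <= f <= ts for f in full_ts)
            results.append((ts, explained))
    return results


def summarize(text, year=2016):
    """Totals plus an hour-of-day histogram of the EPERM events."""
    results = correlate(parse_syslog(text, year))
    return {
        "eperm_total": len(results),
        "with_conntrack_full": sum(1 for _, e in results if e),
        "unexplained": sum(1 for _, e in results if not e),
        "by_hour": dict(Counter(ts.hour for ts, _ in results)),
    }


if __name__ == "__main__":
    for ts, explained in correlate(parse_syslog(SAMPLE_SYSLOG)):
        verdict = ("conntrack table full nearby" if explained
                   else "no conntrack message; check for drops in OUTPUT")
        print(ts, verdict)
    print(summarize(SAMPLE_SYSLOG))
```

Feed it `grep -E 'pdns|nf_conntrack' /var/log/messages` instead of the sample. Events that stay unexplained point at an explicit drop rather than a full table; on a shorewall host the quickest check is the per-rule packet counters from `iptables -L OUTPUT -v -n -x`, and current table pressure is `sysctl net.netfilter.nf_conntrack_count net.netfilter.nf_conntrack_max`. Once the NOTRACK rules above are in place the port 54 traffic no longer takes conntrack entries at all, so the "table full" path can no longer hit it.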

