bind9 + dnscrypt-proxy >> Failed with result 'service-start-limit-hit'.


Post by mgolbs » 12.02.2021 13:45:07

Hello,

I am trying to set up bind9 with dnscrypt-proxy, but I am failing on several questions:

Code:

root@ueberwachungs:/home/gosa# systemctl status dnscrypt-proxy.socket
● dnscrypt-proxy.socket
   Loaded: loaded (/etc/systemd/system/dnscrypt-proxy.socket; static; vendor preset: enabled)
   Active: active (listening) since Fri 2021-02-12 13:05:27 CET; 4s ago
   Listen: 127.0.2.1:53 (Stream)
           127.0.2.1:53 (Datagram)
    Tasks: 0 (limit: 856)
   Memory: 32.0K
   CGroup: /system.slice/dnscrypt-proxy.socket

Feb 12 13:05:27 ueberwachungs systemd[1]: Listening on dnscrypt-proxy.socket. 
or

Code:

root@ueberwachungs:/home/gosa# systemctl status dnscrypt-proxy.socket
● dnscrypt-proxy.socket
   Loaded: loaded (/etc/systemd/system/dnscrypt-proxy.socket; static; vendor preset: enabled)
   Active: inactive (dead) since Fri 2021-02-12 12:54:07 CET; 1min 14s ago
   Listen: 127.0.2.1:40 (Stream)
           127.0.2.1:40 (Datagram)

Feb 12 12:51:29 ueberwachungs systemd[1]: Listening on dnscrypt-proxy.socket.
Feb 12 12:54:07 ueberwachungs systemd[1]: dnscrypt-proxy.socket: Succeeded.
Feb 12 12:54:07 ueberwachungs systemd[1]: Closed dnscrypt-proxy.socket. 
with

Code:

root@ueberwachungs:/home/gosa# systemctl status bind9.service
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-02-12 12:51:41 CET; 2min 1s ago
     Docs: man:named(8)
  Process: 490 ExecStart=/usr/sbin/named $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 510 (named)
    Tasks: 4 (limit: 856)
   Memory: 21.2M
   CGroup: /system.slice/bind9.service
           └─510 /usr/sbin/named -u bind

Feb 12 12:53:07 ueberwachungs named[510]: network unreachable resolving 'ns-291.awsdns-36.com/AAAA/IN': 2600:9000:5304:a400::1#53
Feb 12 12:53:07 ueberwachungs named[510]: network unreachable resolving 'ns-1680.awsdns-18.co.uk/A/IN': 2600:9000:5307:1600::1#53
Feb 12 12:53:07 ueberwachungs named[510]: network unreachable resolving 'ns-1680.awsdns-18.co.uk/A/IN': 2600:9000:5305:d500::1#53
Feb 12 12:53:07 ueberwachungs named[510]: network unreachable resolving 'ns-1289.awsdns-33.org/AAAA/IN': 2600:9000:5304:2400::1#53
Feb 12 12:53:07 ueberwachungs named[510]: network unreachable resolving 'ns-1289.awsdns-33.org/AAAA/IN': 2600:9000:5300:a100::1#53
Feb 12 12:53:07 ueberwachungs named[510]: network unreachable resolving 'ns-1289.awsdns-33.org/AAAA/IN': 2600:9000:5306:6100::1#53
Feb 12 12:53:07 ueberwachungs named[510]: network unreachable resolving 'ns-1289.awsdns-33.org/AAAA/IN': 2600:9000:5302:e300::1#53
Feb 12 12:53:07 ueberwachungs named[510]: connection refused resolving 'mairdumont.com/DS/IN': 127.0.2.1#53
Feb 12 12:53:08 ueberwachungs named[510]: network unreachable resolving 'ns-1680.awsdns-18.co.uk/AAAA/IN': 2600:9000:5307:1600::1#53
Feb 12 12:53:08 ueberwachungs named[510]: network unreachable resolving 'ns-1289.awsdns-33.org/A/IN': 2600:9000:5306:6100::1#53 
but after a system boot I have:

Code:

root@ueberwachungs:/home/gosa# systemctl status bind9.service
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-02-12 13:02:31 CET; 1min 39s ago
     Docs: man:named(8)
  Process: 491 ExecStart=/usr/sbin/named $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 500 (named)
    Tasks: 4 (limit: 856)
   Memory: 20.3M
   CGroup: /system.slice/bind9.service
           └─500 /usr/sbin/named -u bind

Feb 12 13:02:53 ueberwachungs named[500]: network unreachable resolving 'anyns.pch.net/AAAA/IN': 2620:0:872::231:3#53
Feb 12 13:02:53 ueberwachungs named[500]: network unreachable resolving 'g.ntpns.org/AAAA/IN': 2620:95:4002::123#53
Feb 12 13:02:53 ueberwachungs named[500]: network unreachable resolving 'anyns.pch.net/A/IN': 2001:418:3f4::5#53
Feb 12 13:02:53 ueberwachungs named[500]: network unreachable resolving 'anyns.pch.net/AAAA/IN': 2001:418:3f4::5#53
Feb 12 13:02:53 ueberwachungs named[500]: connection refused resolving 'org/DS/IN': 127.0.2.1#53
Feb 12 13:02:53 ueberwachungs named[500]: connection refused resolving 'ntp.org/DS/IN': 127.0.2.1#53
Feb 12 13:02:53 ueberwachungs named[500]: network unreachable resolving 'ntp.org/DS/IN': 2001:500:48::1#53
Feb 12 13:02:53 ueberwachungs named[500]: connection refused resolving 'org/DNSKEY/IN': 127.0.2.1#53
Feb 12 13:04:04 ueberwachungs named[500]: connection refused resolving 'database.clamav.net/A/IN': 127.0.2.1#53
Feb 12 13:04:04 ueberwachungs named[500]: connection refused resolving 'database.clamav.net/AAAA/IN': 127.0.2.1#53
root@ueberwachungs:/home/gosa# systemctl status dnscrypt-proxy.socket
● dnscrypt-proxy.socket
   Loaded: loaded (/etc/systemd/system/dnscrypt-proxy.socket; static; vendor preset: enabled)
   Active: failed (Result: service-start-limit-hit) since Fri 2021-02-12 13:02:47 CET; 1min 28s ago
   Listen: 127.0.2.1:53 (Stream)
           127.0.2.1:53 (Datagram)

Feb 12 13:02:19 ueberwachungs systemd[1]: Listening on dnscrypt-proxy.socket.
Feb 12 13:02:47 ueberwachungs systemd[1]: dnscrypt-proxy.socket: Failed with result 'service-start-limit-hit'. 
My problem is in understanding the:
forwarders {
127.0.2.1;
which is where my dnscrypt-proxy.socket is actually supposed to be serving. On 127.0.2.1:53, encrypted DNS should be offered for the local bind8, which then serves clients on 127.0.0.1:53. Somehow bind9 and dnscrypt-proxy clash over the port at 127.0.2.1:53. When I run dnscrypt-proxy on 127.0.2.1:40, I don't get the error. But then my bind9 no longer communicates via dnscrypt-proxy, does it?

Code:

   Listen: 127.0.2.1:40 (Stream)
           127.0.2.1:40 (Datagram)
root@ueberwachungs:/home/gosa# systemctl status bind9.service
● bind9.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2021-02-12 15:05:46 CET; 28s ago
Docs: man:named(8)
Process: 1339 ExecStart=/usr/sbin/named $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 1340 (named)
Tasks: 4 (limit: 856)
Memory: 8.7M
CGroup: /system.slice/bind9.service
└─1340 /usr/sbin/named -u bind

Feb 12 15:05:46 ueberwachungs named[1340]: managed-keys-zone: loaded serial 9
Feb 12 15:05:46 ueberwachungs named[1340]: zone 0.in-addr.arpa/IN: loaded serial 1
Feb 12 15:05:46 ueberwachungs named[1340]: zone 127.in-addr.arpa/IN: loaded serial 1
Feb 12 15:05:46 ueberwachungs named[1340]: zone 255.in-addr.arpa/IN: loaded serial 1
Feb 12 15:05:46 ueberwachungs named[1340]: zone localhost/IN: loaded serial 2
Feb 12 15:05:46 ueberwachungs named[1340]: all zones loaded
Feb 12 15:05:46 ueberwachungs named[1340]: running
Feb 12 15:05:46 ueberwachungs systemd[1]: Started BIND Domain Name Server.
Feb 12 15:05:53 ueberwachungs named[1340]: connection refused resolving './DNSKEY/IN': 127.0.2.1#53
Feb 12 15:05:53 ueberwachungs named[1340]: managed-keys-zone: Unable to fetch DNSKEY set '.': SERVFAIL
root@ueberwachungs:/home/gosa# systemctl status dnscrypt-proxy.socket
● dnscrypt-proxy.socket
Loaded: loaded (/etc/systemd/system/dnscrypt-proxy.socket; static; vendor preset: enabled)
Active: failed (Result: service-start-limit-hit) since Fri 2021-02-12 15:05:50 CET; 50s ago
Listen: 127.0.2.1:53 (Stream)
127.0.2.1:53 (Datagram)

Feb 12 15:05:26 ueberwachungs systemd[1]: Listening on dnscrypt-proxy.socket.
Feb 12 15:05:50 ueberwachungs systemd[1]: dnscrypt-proxy.socket: Failed with result 'service-start-limit-hit'.
root@ueberwachungs:/home/gosa#
and with

Code:

systemctl disable dnscrypt-proxy.socket
systemctl enable dnscrypt-proxy.service
● dnscrypt-proxy.service - DNSCrypt client proxy
Loaded: loaded (/lib/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2021-02-12 14:56:18 CET; 13s ago
Docs: https://github.com/jedisct1/dnscrypt-proxy/wiki
Process: 1151 ExecStart=/usr/sbin/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml (code=exited, status=255/EXCEPTION)
Main PID: 1151 (code=exited, status=255/EXCEPTION)

Feb 12 14:56:17 ueberwachungs systemd[1]: Started DNSCrypt client proxy.
Feb 12 14:56:18 ueberwachungs dnscrypt-proxy[1151]: [2021-02-12 14:56:18] [NOTICE] Source [/var/cache/dnscrypt-proxy/public-resolvers.md] loaded
Feb 12 14:56:18 ueberwachungs dnscrypt-proxy[1151]: [2021-02-12 14:56:18] [NOTICE] dnscrypt-proxy 2.0.19
Feb 12 14:56:18 ueberwachungs dnscrypt-proxy[1151]: [2021-02-12 14:56:18] [FATAL] listen udp 127.0.2.1:53: bind: permission denied
Feb 12 14:56:18 ueberwachungs systemd[1]: dnscrypt-proxy.service: Main process exited, code=exited, status=255/EXCEPTION
Feb 12 14:56:18 ueberwachungs systemd[1]: dnscrypt-proxy.service: Failed with result 'exit-code'.
Feb 12 14:56:18 ueberwachungs systemd[1]: dnscrypt-proxy.service: Start request repeated too quickly.
Feb 12 14:56:18 ueberwachungs systemd[1]: dnscrypt-proxy.service: Failed with result 'exit-code'.
Feb 12 14:56:18 ueberwachungs systemd[1]: Failed to start DNSCrypt client proxy.
~
What can I do to solve the problem? I lack an understanding of the problem in the system. I would be grateful for tips and information.

Regards, Markus
Chasing after the superfluous means missing the essential.
Jules Saliège
