27

I'm getting lots of network unreachable lines in my CentOS messages log file. They seem unable to resolve certain addresses, and I have no idea why my server has to resolve them in the first place. Could anyone let me know the origin of such errors? Am I under attack?

Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving './NS/IN': 2001:503:ba3e::2:30#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:48::1#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:4f8:0:2::19#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2001:500:2f::f#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/AAAA/IN': 2001:500:2f::f#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2001:500:1::803f:235#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/AAAA/IN': 2001:500:1::803f:235#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2001:503:c27::2:30#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/AAAA/IN': 2001:503:c27::2:30#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns.isc.afilias-nst.info/A/IN': 2001:500:1a::1#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:4f8:0:2::20#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:60::29#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns1.isc.ultradns.net/A/IN': 2001:7fd::1#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'ns1.isc.ultradns.net/AAAA/IN': 2001:7fd::1#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'ns2.isc.ultradns.net/A/IN': 2610:a1:1014::e8#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.org/A/IN': 2001:500:e::1#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.org/AAAA/IN': 2001:500:e::1#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.org/A/IN': 2001:500:40::1#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.org/AAAA/IN': 2001:500:40::1#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.org/AAAA/IN': 2001:502:4612::e8#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.info/AAAA/IN': 2610:a1:1016::e8#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.info/A/IN': 2610:a1:1016::e8#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.co.uk/AAAA/IN': 2610:a1:1017::e8#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.biz/A/IN': 2610:a1:1015::e8#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.com/AAAA/IN': 2001:502:f3ff::e8#53
Oct 23 11:39:04 server named[1585]: client 93.113.174.225#46368: query (cache) 'adobe.com/A/IN' denied
Oct 23 11:39:04 server named[1585]: client 93.113.174.225#23736: query (cache) 'adobe.com/A/IN' denied
Oct 23 11:39:04 server lfd[1196]: SYSLOG check [Lga6AZUNsgZGaVQX]

By the way, my named.conf's options are as below if they are of any help:

options {
        //listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { ::1; };
        directory   "/var/named";
        dump-file   "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        //allow-query     { localhost; };
        allow-recursion { localnets; };

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

Please help!

mivk
developer

7 Answers

40

All of the addresses are IPv6. It seems an IPv6 issue; you probably have no IPv6 networking configured. Disable IPv6 support in Bind:

Edit /etc/sysconfig/named and set:

OPTIONS="-4"

Then restart bind:

service named restart

(from http://crashmag.net/disable-ipv6-lookups-with-bind-on-rhel-or-centos)

Are you under attack? I don't think you've been compromised. Those messages can be normal depending on what services you are running (anyhow, any server is always under some attempt of attack; people scan the internet trying exploits on every server).

gene_wood
jjmontes
  • Hi. The fact is I did not have these alerts till yesterday. I mean, it started yesterday all of a sudden. What's more, I think it is one way or another responsible for my server's heavy load yesterday. Still I have this question: why, for instance, does my server want to connect to adobe.com? There are no elements on my site or server having to do with adobe. – developer Oct 23 '14 at 11:03
  • Hey, I tried this but when I try to restart the DNS server I am getting this message: http://prntscr.com/cdxz2e Do you have an idea about that? – Tolgay Toklar Sep 04 '16 at 08:39
  • The file is /etc/default/bind9 on Ubuntu/Debian; add "-4" to OPTIONS – ArunasR Jan 02 '18 at 11:40
  • The file is /etc/default/named on Debian GNU/Linux 11 (bullseye) – n3ko Oct 07 '22 at 18:57
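To check the two claims in this answer against the log lines from the question (that every unreachable target is an IPv6 address, and that the adobe.com lines are refused lookups from an outside client rather than the server reaching out), here is an added Python script; it is not code from any of the answers, and the sample lines are copied from the question.

```python
import ipaddress
import re
from collections import Counter

# Sample lines copied from the question's log (abridged); the lfd line shows non-named noise is skipped.
SAMPLE_LOG = """\
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Oct 23 11:39:03 server named[1585]: error (network unreachable) resolving 'dlv.isc.org/DNSKEY/IN': 2001:500:48::1#53
Oct 23 11:39:04 server named[1585]: error (network unreachable) resolving 'pdns196.ultradns.com/AAAA/IN': 2001:502:f3ff::e8#53
Oct 23 11:39:04 server named[1585]: client 93.113.174.225#46368: query (cache) 'adobe.com/A/IN' denied
Oct 23 11:39:04 server named[1585]: client 93.113.174.225#23736: query (cache) 'adobe.com/A/IN' denied
Oct 23 11:39:04 server lfd[1196]: SYSLOG check [Lga6AZUNsgZGaVQX]
"""

# Outbound failure: named could not reach an upstream server at <addr>#<port>.
UNREACHABLE_RE = re.compile(
    r"named\[\d+\]: error \(network unreachable\) resolving "
    r"'(?P<qname>[^']+)': (?P<addr>[0-9a-fA-F:.]+)#\d+")
# Inbound refusal: a client asked this resolver to recurse and allow-recursion said no.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[0-9a-fA-F:.]+)#\d+: "
    r"query \(cache\) '(?P<qname>[^']+)' denied")

def analyze(log_text):
    """Summarise unreachable upstreams by IP version and refused queries by client."""
    unreachable = Counter()  # "IPv4"/"IPv6" -> number of failures
    targets = set()          # distinct upstream addresses that were unreachable
    denied = Counter()       # (client address, query name) -> number of refusals
    for line in log_text.splitlines():
        m = UNREACHABLE_RE.search(line)
        if m:
            unreachable["IPv%d" % ipaddress.ip_address(m["addr"]).version] += 1
            targets.add(m["addr"])
            continue
        m = DENIED_RE.search(line)
        if m:
            denied[(m["client"], m["qname"])] += 1
    return {
        "unreachable": dict(unreachable),
        "targets": sorted(targets),
        # True when every failure is an IPv6 target: the situation this answer describes.
        "only_ipv6": bool(unreachable) and set(unreachable) == {"IPv6"},
        # Outside clients probing for open recursion and being refused, not the server reaching out.
        "denied": dict(denied),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run it over the real /var/log/messages to see whether any IPv4 upstream is also unreachable; if so, the problem is broader than missing IPv6 connectivity and -4 alone will not fix it.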
16

It may be worth noting that in Debian Jessie with systemd, the -4 option in /etc/default/bind9 may be ignored. See bug #767798.

In that case, you need to modify the systemd bind9.service file:

Move bind9.service to avoid it being overwritten on updates

cd /etc/systemd
find . -name "bind*" -delete
cp /lib/systemd/system/bind9.service system/

Edit system/bind9.service to use the options in /etc/default/bind9.

$EDITOR system/bind9.service

Add EnvironmentFile=-/etc/default/bind9 and modify ExecStart to include $OPTIONS. (I remove -u bind, because on Debian, it is already included in $OPTIONS)

Make sure to keep the -f option needed for systemd. See this diff for an example:

# diff -u1 /lib/systemd/system/bind9.service /etc/systemd/system/bind9.service 
--- /lib/systemd/system/bind9.service   2015-12-14 21:12:28.000000000 +0100
+++ /etc/systemd/system/bind9.service   2016-02-08 15:34:59.634891951 +0100
@@ -6,3 +6,4 @@
 [Service]
-ExecStart=/usr/sbin/named -f -u bind
+EnvironmentFile=-/etc/default/bind9
+ExecStart=/usr/sbin/named -f $OPTIONS
 ExecReload=/usr/sbin/rndc reload
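Review bot: with `-u bind` dropped from ExecStart in favour of `$OPTIONS`, the privilege drop now depends entirely on /etc/default/bind9, and the leading `-` in `EnvironmentFile=-/etc/default/bind9` makes that file optional, so if it is missing or its OPTIONS line lacks `-u bind`, named starts as root without the unit failing. Consider `EnvironmentFile=/etc/default/bind9` (no `-`) so a missing file fails the unit loudly, and confirm after restart with `ps -o user,args -C named` that the process runs as bind with `-4` present.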

And finally

systemctl reenable bind9.service
service bind9 restart
mivk
5

For Ubuntu older than 16.04: sudo vi /etc/default/bind9

OPTIONS="-4 -u bind"

petertc
    Don't know why this answer was downvoted, I have 14.04.5 and the config file is indeed in a different location than in jjmontes answer. Okwap's answer is a valid addition right? – Moolie Apr 26 '17 at 17:06
3

The problem is caused by an update to BIND in CentOS; it tries to use IPv6 as well as IPv4.

The best way to fix it is either to use IPv6 or to configure BIND to only use IPv4.

In /etc/named.conf set

OPTIONS="-4"

This will stop it using IPv6 on startup. Then restart DNS:

service named restart

Fegnoid
  • Hi. Thanks for replying. I have already disabled IPv6 by following the tutorial here: http://wiki.centos.org/FAQ/CentOS6#head-d47139912868bcb9d754441ecb6a8a10d41781df Do I need to apply the above change as well? – developer Oct 23 '14 at 14:55
3

Nice options. I realized that this log appears when you use the named.root servers provided by www.internic.net/zones, because some of these servers don't have online IPv6 interfaces.

What I did was work with the forwarders stanza in my named.conf file, and this log didn't appear anymore, or at least not so far.

Here is part of my named.conf file. As you can see, I commented out the zone hints section, and other stanzas, because I'm working on a particular setup.

// Start the options clauses
options {
        listen-on-v6 {
                none;
                };
        listen-on port 53 {
                127.0.0.1;
                192.168.1.0/24;
                };
        directory "/var/named";
//      tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
        version "Not Currently Available";
        auth-nxdomain yes;
        empty-zones-enable no;
        notify no;
        forwarders {
                208.67.220.220;
                208.67.222.222;
                };
        allow-query {
                127.0.0.1;
                192.168.1.0/24;
                };
        allow-recursion {
                127.0.0.1;
                192.168.1.0/24;
                };
        allow-transfer {
                none;
                };
        };
// Zone Clauses
// Root Servers to allow Recursion
//zone "." {
//      type hint;
//      file "named.root";
//      };
TessellatingHeckler
  • I think that, as a way of dealing with not having global IPv6 connectivity, the `-4` option makes much more sense rather than entirely changing how BIND operates. Unless of course there was some reason why using forwarders was desirable in the first place. – Håkan Lindqvist Jun 08 '15 at 18:51
2

For me the problem caused by this message was a little more serious. When the server is disconnected from the internet you get many of these per second. If you are disconnected for a long time they can fill up the disk.

The obvious solution is to turn this particular message off, not just for IPv6 as mentioned in the other solutions but for all protocols. You can't turn off a particular message in bind, so this is as close as you can get:

logging {
    category lame-servers { default_debug; quiet_syslog; };
    channel quiet_syslog { severity notice; syslog daemon; };
};
Russell Stuart
0

If you simply want to mute these messages (without disabling IPv6), place in /etc/bind/named.conf.local:

logging {
    category lame-servers { null; };
};

Alternatively, if you just want to keep these messages out of the syslog, and place them in a separate log instead, you can do something like:

logging {
    channel "lame-servers" {
        file "/var/log/named/lame-servers.log"
            versions 3 size 30M suffix timestamp;
        severity dynamic;
        print-category no;
        print-severity yes;
        print-time iso8601-utc;  # iso8601, iso8601-utc, local, <boolean>
    };
    category lame-servers { "lame-servers"; default_debug; };
};

For more information, refer to the BIND 9 Configuration Reference - 4.2.9. logging Statement Grammar.