[11:36] <Aison`> It looks like I have some kind of ddos attack to my DNS servers
[11:37] <Aison`> both ubuntu bind9 servers keep segfaulting after many thousands of requests
[11:37] <Aison`> see here: https://dpaste.org/SX29#L16
[11:37] <Aison`> maybe I can block the IP with fail2ban somehow?
[11:37] <Aison`> BIND 9.16.1-Ubuntu (Stable Release) <id:d497c32>
[11:41] <sdeziel> Aison`: are you using the latest bind9 version: 1:9.16.1-0ubuntu2.2
[11:42] <Aison`> yes
[11:44] <sdeziel> Aison`: OK good. Could you run a tcpdump capture of the traffic leading to a crash? If you could attach it along with the crash dump to a LP bug, I'm sure it could help having the problem fixed
[11:48] <Aison`> :( now it stopped crashing
[11:48] <sdeziel> https://bind9.readthedocs.io/en/v9_16_5/notes.html#notes-for-bind-9-16-5 shows a few assertion failures were fixed since the 9.16.1 release
[11:55] <Aison`> I can not reproduce the segfault
[11:56] <Aison`> it's just "luck" when it happens
[12:45] <RoyK> Aison`: IIRC, installing the -dbg package will allow the crash to be dumped through gdb, but not sure if everything is automatic
[13:30] <Aison`> RoyK, there is no dbg for bind
[13:31] <Aison`> sdeziel, how can I tcpdump the whole udp53 traffic to a file? I can not google it right now ;)
[13:33] <RoyK> tshark tshark -f "udp and port 53"
[13:34] <RoyK> without the first tshark ;)
[13:34] <RoyK> tshark is the new tcpdump
[13:35] <sdeziel> Aison`: otherwise: tcpdump -w /tmp/dns.pcap -ni $iface port 53
[13:36] <sdeziel> Aison`: DNS also happens on TCP/53 so I'd capture both
[18:26] <Ussat> OK, so this is on Ubuntu 18.04, anyone want to take a look and lend a hand with a syslog-ng issue ? https://pastebin.com/EV7km0QW\
[18:27] <oerheks> Page not found.
[18:27] <oerheks> use paste.ubuntu.com :-D
[18:28] <sarnold> it's https://pastebin.com/EV7km0QW
[18:29] <sarnold> and it requires rather more syslog knowledge than I've got
[18:32] <oerheks> oh i see, hit the enter+\
[18:34] <sarnold> hehe, yeah, I saw the contents just a few minutes earlier from another shared channel earlier and knew that it worked :) hehe
[18:34] <oerheks> i'll remember that ..
[19:50] <RoyK> just don't use pastebin dot com - it's a spammer - there are several places that are better to use. I stick to paste.debian.net, but that's just me
[19:58] <Ussat> ...fine whatever
[19:58] <Ussat> I have never had an issue with pastebin
[20:00] <RoyK> it's just that it sucks and it dumps ads on you if you mention it to a stranger
[20:04] <Aison> hello i'm still fighting with my ISC DHCP Server who tries to access LDAP for name resolving
[20:05] <Aison> sadly apparmor is blocking this call
[20:05] <sarnold> Aison: pastebin your DENIED lines?
[20:06] <Aison> this is dmesg: [2946488.790491] audit: type=1400 audit(1597781143.428:28280): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/dhcpd" name="run/slapd-inetserv.socket" pid=1121070 comm="isc-worker0000" requested_mask="wr" denied_mask="wr" fsuid=110 ouid=0
[20:07] <sarnold> Aison: you'll need to add 'flags=(attach_disconnected)' to your profile, check /etc/apparmor.d/ for a few examples
[20:07] <Aison> here the profile from apparmor dhcp: https://paste.ubuntu.com/p/Gkv4jsxcjx/
[20:08] <Aison> I added lines beginning at 29
[20:08] <Aison> sarnold, ok
[20:22] <Aison> and dhcpd tries to access also /proc/sys/net/ipv4/ip_local_port_range?
[20:26] <sdeziel> sounds reasonable to me