SLES DHCP Dynamic DNS: Unable to add forward map…: not found

I have a SUSE Linux Enterprise Server 11.3 install running on Amazon EC2 based off the official AMI.

With DHCP and BIND configured (via YaST) I’m having issues with Dynamic DNS.

When a client connects to the DHCP server I receive the error message:

Dec 31 04:26:41 ip-10-35-139-46 dhcpd: Unable to add forward map from XXXXXXX.containers.box to 192.168.2.8: not found

The DHCP and DNS servers are running on the same server, with the address 192.168.1.1 on a bridged interface connecting it to LXCs. The LXCs are set to DHCP off of 192.168.1.1 (and the DHCP logs would seem to confirm they’re working correctly; they currently have functional internet access and are assigned addresses by the DHCP server).

The DNS server is also seemingly functional based off of dig commands (pasted below).

I’m running ISC dhcp-server 4.2.4-P2 and BIND 9.9.3-P2.

Any help would be greatly appreciated.

Thanks,
Todd

Pasting my resolv.conf, named.conf, and dhcpd.conf files.

resolv.conf

### /etc/resolv.conf file autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
#     NETCONFIG_DNS_STATIC_SEARCHLIST
#     NETCONFIG_DNS_STATIC_SERVERS
#     NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
#     NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
# Note: Manual change of this file disables netconfig too, but
# may get lost when this file contains comments or empty lines
# only, the netconfig settings are same with settings in this
# file and in case of a "netconfig update -f" call.
#
### Please remove (at least) this line when you modify the file!
search containers.box ec2.internal
nameserver 127.0.0.1
nameserver 192.168.1.1
nameserver 172.16.0.23

dhcpd.conf

option domain-name "containers.box";
option domain-name-servers 192.168.1.1;
option routers 192.168.1.1;
default-lease-time 14400;
include "/etc/named.d/ToddKey";
ddns-update-style interim;
ignore client-updates;
ddns-updates on;
subnet 192.168.0.0 netmask 255.255.0.0 {
  range 192.168.2.1 192.168.2.250;
  default-lease-time 14400;
  max-lease-time 172800;
  zone private.lan. { primary 192.168.1.1; key ToddKey; }
  zone 168.192.in-addr.arpa. { primary 192.168.1.1; key ToddKey; }
}

named.conf

# Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Frank Bodammer, Lars Mueller <lmuelle@suse.de>
#
# /etc/named.conf
#
# This is a sample configuration file for the name server BIND 9.  It works as
# a caching only name server without modification.
#
# A sample configuration for setting up your own domain can be found in
# /usr/share/doc/packages/bind/sample-config.
#
# A description of all available options can be found in
# /usr/share/doc/packages/bind/misc/options.

options {

        # The directory statement defines the name server's working directory

        directory "/var/lib/named";

        # Write dump and statistics file to the log subdirectory.  The
        # pathenames are relative to the chroot jail.

        dump-file "/var/log/named_dump.db";
        statistics-file "/var/log/named.stats";

        # The forwarders record contains a list of servers to which queries
        # should be forwarded.  Enable this line and modify the IP address to
        # your provider's name server.  Up to three servers may be listed.

        #forwarders { 192.0.2.1; 192.0.2.2; };

        # Enable the next entry to prefer usage of the name server declared in
        # the forwarders section.

        #forward first;

        # The listen-on record contains a list of local network interfaces to
        # listen on.  Optionally the port can be specified.  Default is to
        # listen on all interfaces found on your system.  The default port is
        # 53.

        #listen-on port 53 { 127.0.0.1; };

        # The listen-on-v6 record enables or disables listening on IPv6
        # interfaces.  Allowed values are 'any' and 'none' or a list of
        # addresses.

        listen-on-v6 { any; };

        # The next three statements may be needed if a firewall stands between
        # the local server and the internet.

        #query-source address * port 53;
        #transfer-source * port 53;
        #notify-source * port 53;

        # The allow-query record contains a list of networks or IP addresses
        # to accept and deny queries from. The default is to allow queries
        # from all hosts.

        #allow-query { 127.0.0.1; };

        # If notify is set to yes (default), notify messages are sent to other
        # name servers when the the zone data is changed.  Instead of setting
        # a global 'notify' statement in the 'options' section, a separate
        # 'notify' can be added to each zone definition.

        notify no;
        include "/etc/named.d/forwarders.conf";
};

# To configure named's logging remove the leading '#' characters of the
# following examples.
#logging {
#       # Log queries to a file limited to a size of 100 MB.
#       channel query_logging {
#               file "/var/log/named_querylog"
#                       versions 3 size 100M;
#               print-time yes;                 // timestamp log entries
#       };
#       category queries {
#               query_logging;
#       };
#
#       # Or log this kind alternatively to syslog.
#       channel syslog_queries {
#               syslog user;
#               severity info;
#       };
#       category queries { syslog_queries; };
#
#       # Log general name server errors to syslog.
#       channel syslog_errors {
#               syslog user;
#               severity error;
#       };
#       category default { syslog_errors;  };
#
#       # Don't log lame server messages.
#       category lame-servers { null; };
#};

# The following zone definitions don't need any modification.  The first one
# is the definition of the root name servers.  The second one defines
# localhost while the third defines the reverse lookup for localhost.

zone "." in {
        type hint;
        file "root.hint";
};

zone "localhost" in {
        type master;
        file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "127.0.0.zone";
};

# Include the meta include file generated by createNamedConfInclude.  This
# includes all files as configured in NAMED_CONF_INCLUDE_FILES from
# /etc/sysconfig/named

include "/etc/named.conf.include";
zone "private.lan" in {
        file "dyn/private.lan";
        type master;
        allow-update { key ToddKey; };
        allow-transfer { any; };
};
logging {
        category default { log_syslog; };
        channel log_syslog { syslog; };
};
zone "168.192.in-addr.arpa" in {
        allow-update { key ToddKey; };
        allow-transfer { any; };
        file "dyn/168.192.in-addr.arpa";
        type master;
};

# You can insert further zone records for your own domains below or create
# single files in /etc/named.d/ and add the file names to
# NAMED_CONF_INCLUDE_FILES.
# See /usr/share/doc/packages/bind/README.SUSE for more details.

As well as the system log of BIND starting:

Dec 31 04:35:09 ip-10-35-139-46 named[25012]: starting BIND 9.9.3-P2 -t /var/lib/named -u named
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: built with '--prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var' '--libdir=/usr/lib64' '--includedir=/usr/include/bind' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl' '--enable-threads' '--with-libtool' '--enable-runidn' '--with-libxml2=/usr' '--with-gssapi' 'CFLAGS=-fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib64'
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: ----------------------------------------------------
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: BIND 9 is maintained by Internet Systems Consortium,
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: corporation.  Support and training for BIND 9 are
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: available at https://www.isc.org/support
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: ----------------------------------------------------
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: adjusted limit on open files from 8192 to 1048576
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: found 4 CPUs, using 4 worker threads
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: using 4 UDP listeners per interface
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: using up to 4096 sockets
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: loading configuration from '/etc/named.conf'
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: using default UDP/IPv4 port range: [1024, 65535]
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: using default UDP/IPv6 port range: [1024, 65535]
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: no IPv6 interfaces found
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: listening on IPv4 interface lo, 127.0.0.2#53
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: listening on IPv4 interface eth0, 10.35.139.46#53
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: listening on IPv4 interface br0, 192.168.1.1#53
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: generating session key for dynamic DNS
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: sizing zone task pool based on 5 zones
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: set up managed keys zone for view _default, file 'managed-keys.bind'
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 10.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 16.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 17.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 18.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 19.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 20.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 21.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 22.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 23.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 24.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 25.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 26.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 27.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 28.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 29.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 30.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 31.172.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 64.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 65.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 66.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 67.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 68.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 69.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 70.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 71.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 72.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 73.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 74.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 75.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 76.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 77.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 78.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 79.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 80.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 81.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 82.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 83.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 84.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 85.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 86.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 87.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 88.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 89.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 90.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 91.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 92.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 93.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 94.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 95.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 96.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 97.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 98.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 99.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 100.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 101.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 102.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 103.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 104.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 105.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 106.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 107.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 108.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 109.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 110.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 111.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 112.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 113.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 114.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 115.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 116.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 117.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 118.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 119.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 120.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 121.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 122.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 123.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 124.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 125.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 126.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 127.100.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 0.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 127.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: D.F.IP6.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: A.E.F.IP6.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: B.E.F.IP6.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: command channel listening on 127.0.0.1#953
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: managed-keys-zone: loaded serial 0
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: zone localhost/IN: loaded serial 42
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: zone 168.192.in-addr.arpa/IN: loaded serial 2013123100
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: zone private.lan/IN: loaded serial 2013123100
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: all zones loaded
Dec 31 04:35:09 ip-10-35-139-46 named[25012]: running
Dec 31 04:36:12 ip-10-35-139-46 named[25012]: received control channel command 'reload'
Dec 31 04:36:12 ip-10-35-139-46 named[25012]: loading configuration from '/etc/named.conf'
Dec 31 04:36:12 ip-10-35-139-46 named[25012]: using default UDP/IPv4 port range: [1024, 65535]
Dec 31 04:36:12 ip-10-35-139-46 named[25012]: using default UDP/IPv6 port range: [1024, 65535]
Dec 31 04:36:12 ip-10-35-139-46 named[25012]: no IPv6 interfaces found
Dec 31 04:36:12 ip-10-35-139-46 named[25012]: sizing zone task pool based on 5 zones
Dec 31 04:36:12 ip-10-35-139-46 named[25012]: reloading configuration succeeded
Dec 31 04:36:12 ip-10-35-139-46 named[25012]: reloading zones succeeded
Dec 31 04:36:12 ip-10-35-139-46 named[25012]: all zones loaded
Dec 31 04:36:12 ip-10-35-139-46 named[25012]: running

And the full DHCP server log:

Dec 31 04:22:49 ip-10-35-139-46 dhcpd: Internet Systems Consortium DHCP Server 4.2.4-P2
Dec 31 04:22:49 ip-10-35-139-46 dhcpd: Copyright 2004-2012 Internet Systems Consortium.
Dec 31 04:22:49 ip-10-35-139-46 dhcpd: All rights reserved.
Dec 31 04:22:49 ip-10-35-139-46 dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Dec 31 04:22:49 ip-10-35-139-46 dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Dec 31 04:22:49 ip-10-35-139-46 dhcpd: Wrote 8 leases to leases file.
Dec 31 04:22:49 ip-10-35-139-46 dhcpd: Listening on LPF/br0/0e:a1:29:d9:32:41/192.168.0.0/16
Dec 31 04:22:49 ip-10-35-139-46 dhcpd: Sending on   LPF/br0/0e:a1:29:d9:32:41/192.168.0.0/16
Dec 31 04:22:49 ip-10-35-139-46 dhcpd: Sending on   Socket/fallback/fallback-net
Dec 31 04:26:40 ip-10-35-139-46 dhcpd: DHCPDISCOVER from 22:a1:31:2e:29:d9 (XXXXXXX) via br0
Dec 31 04:26:41 ip-10-35-139-46 dhcpd: DHCPOFFER on 192.168.2.8 to 22:a1:31:2e:29:d9 (XXXXXXX) via br0
Dec 31 04:26:41 ip-10-35-139-46 dhcpd: DHCPREQUEST for 192.168.2.8 (192.168.1.1) from 22:a1:31:2e:29:d9 (XXXXXXX) via br0
Dec 31 04:26:41 ip-10-35-139-46 dhcpd: DHCPACK on 192.168.2.8 to 22:a1:31:2e:29:d9 (XXXXXXX) via br0
Dec 31 04:26:41 ip-10-35-139-46 dhcpd: Unable to add forward map from XXXXXXX.containers.box to 192.168.2.8: not found

DNS Server dig test

dig google.com 192.168.1.1

; <<>> DiG 9.9.3-P2 <<>> google.com 192.168.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51212
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             127     IN      A       74.125.228.134
google.com.             127     IN      A       74.125.228.129
google.com.             127     IN      A       74.125.228.137
google.com.             127     IN      A       74.125.228.131
google.com.             127     IN      A       74.125.228.136
google.com.             127     IN      A       74.125.228.135
google.com.             127     IN      A       74.125.228.142
google.com.             127     IN      A       74.125.228.130
google.com.             127     IN      A       74.125.228.128
google.com.             127     IN      A       74.125.228.132
google.com.             127     IN      A       74.125.228.133

;; AUTHORITY SECTION:
.                       203245  IN      NS      a.root-servers.net.
.                       203245  IN      NS      g.root-servers.net.
.                       203245  IN      NS      h.root-servers.net.
.                       203245  IN      NS      k.root-servers.net.
.                       203245  IN      NS      b.root-servers.net.
.                       203245  IN      NS      f.root-servers.net.
.                       203245  IN      NS      c.root-servers.net.
.                       203245  IN      NS      i.root-servers.net.
.                       203245  IN      NS      l.root-servers.net.
.                       203245  IN      NS      m.root-servers.net.
.                       203245  IN      NS      j.root-servers.net.
.                       203245  IN      NS      e.root-servers.net.
.                       203245  IN      NS      d.root-servers.net.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 31 04:45:29 UTC 2013
;; MSG SIZE  rcvd: 426

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6633
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;192.168.1.1.                   IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2013123001 1800 900 604800 86400

;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 31 04

ifconfig

br0       Link encap:Ethernet  HWaddr FE:C7:44:8A:7C:53
          inet addr:192.168.1.1  Bcast:192.168.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:820 (820.0 b)  TX bytes:830 (830.0 b)

eth0      Link encap:Ethernet  HWaddr 22:00:0A:23:8B:2E
          inet addr:10.35.139.46  Bcast:10.35.139.63  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:333542 errors:0 dropped:3 overruns:0 frame:0
          TX packets:271272 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:106476543 (101.5 Mb)  TX bytes:375013813 (357.6 Mb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:399587 errors:0 dropped:0 overruns:0 frame:0
          TX packets:399587 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:380974099 (363.3 Mb)  TX bytes:380974099 (363.3 Mb)

vethqEZAM Link encap:Ethernet  HWaddr FE:C7:44:8A:7C:53
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:918 (918.0 b)  TX bytes:1244 (1.2 Kb)
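The log line in the question is produced when dhcpd cannot find a zone to send the forward update to. As an added example (this is not code from the original post, from ISC, or from SUSE), the following Python script cross-checks a dhcpd.conf and named.conf pair for the two facts a dhcpd dynamic update depends on: the client's FQDN is built as <hostname>.<option domain-name>, and the A and PTR updates are each sent to the declared `zone` whose name is the longest suffix of that FQDN (or of the lease's in-addr.arpa name), which must in turn be a `type master` zone with `allow-update` in named.conf. The configuration snippets are constructed from the values in the question; the hostname `host01` stands in for the redacted `XXXXXXX`.

```python
"""Cross-check dhcpd.conf and named.conf for dynamic-DNS zone coverage.

Added example, not code from the original post. The two sample configs are
constructed from the question: option domain-name "containers.box" alongside
zone declarations for private.lan and 168.192.in-addr.arpa.
"""
import ipaddress
import re

# Constructed sample dhcpd.conf (values taken from the question).
DHCPD_CONF = """
option domain-name "containers.box";
option domain-name-servers 192.168.1.1;
ddns-update-style interim;
ddns-updates on;
subnet 192.168.0.0 netmask 255.255.0.0 {
  range 192.168.2.1 192.168.2.250;
  zone private.lan. { primary 192.168.1.1; key ToddKey; }
  zone 168.192.in-addr.arpa. { primary 192.168.1.1; key ToddKey; }
}
"""

# Constructed sample named.conf zone section (values taken from the question).
NAMED_CONF = """
zone "localhost" in { type master; file "localhost.zone"; };
zone "private.lan" in {
        file "dyn/private.lan";
        type master;
        allow-update { key ToddKey; };
};
zone "168.192.in-addr.arpa" in {
        allow-update { key ToddKey; };
        file "dyn/168.192.in-addr.arpa";
        type master;
};
"""


def _strip_comments(conf):
    """Drop whole-line '#' and '//' comments so commented-out zones are ignored."""
    return re.sub(r'(?m)^\s*(#|//).*$', '', conf)


def _norm(name):
    """Canonical zone/host name: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def dhcpd_domain_name(conf):
    """Value of `option domain-name`, the suffix dhcpd appends to client hostnames."""
    m = re.search(r'option\s+domain-name\s+"([^"]+)"', _strip_comments(conf))
    return _norm(m.group(1)) if m else None


def dhcpd_zones(conf):
    """Zone names declared in dhcpd.conf as `zone <name> { primary ...; key ...; }`."""
    return {_norm(z) for z in re.findall(r'\bzone\s+([^\s{]+)\s*\{', _strip_comments(conf))}


def named_update_zones(conf):
    """Master zones in named.conf that carry an allow-update clause."""
    conf, zones = _strip_comments(conf), set()
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:            # walk to the matching '}'
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        if re.search(r'\btype\s+master\b', body) and "allow-update" in body:
            zones.add(_norm(m.group(1)))
    return zones


def longest_zone_match(name, zones):
    """The declared zone that is the longest suffix of `name`, or None."""
    labels = _norm(name).split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in zones:
            return cand
    return None


def audit(dhcpd_conf, named_conf, hostname, ip):
    """Findings for one lease; an empty list means both A and PTR updates can land."""
    domain = dhcpd_domain_name(dhcpd_conf)
    dz, nz = dhcpd_zones(dhcpd_conf), named_update_zones(named_conf)
    fqdn = f"{hostname}.{domain}"
    rev = ipaddress.ip_address(ip).reverse_pointer   # e.g. 8.2.168.192.in-addr.arpa
    findings = []
    for kind, name in (("forward", fqdn), ("reverse", rev)):
        zone = longest_zone_match(name, dz)
        if zone is None:
            findings.append(f"{kind}: no dhcpd zone is a suffix of {name} "
                            f"(declared: {sorted(dz)}); dhcpd must discover the "
                            f"zone via an SOA lookup instead")
        elif zone not in nz:
            findings.append(f"{kind}: dhcpd zone {zone} is not an allow-update "
                            f"master zone in named.conf")
    return findings


if __name__ == "__main__":
    # The pair from the question: domain-name says containers.box, the zones say private.lan.
    for line in audit(DHCPD_CONF, NAMED_CONF, "host01", "192.168.2.8"):
        print(line)
    # The same pair with the forward zone renamed to match option domain-name.
    fixed = audit(DHCPD_CONF.replace("private.lan", "containers.box"),
                  NAMED_CONF.replace("private.lan", "containers.box"),
                  "host01", "192.168.2.8")
    print("after aligning zone names:", fixed or "no findings")
```

Run against the constructed pair, the reverse update resolves to 168.192.in-addr.arpa and passes, while the forward update has no declared zone covering host01.containers.box; renaming the forward zone so that it matches `option domain-name` (in both files, and in the zone file name) clears the finding. The same check can be dropped into a configuration-management pipeline so a zone/domain mismatch is caught before dhcpd is restarted rather than in syslog afterwards.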

Related:

Issues in monitoring apache tomcat server using Monit

I have installed Monit using the following command in Ubuntu Linux 12.04.1 server

sudo apt-get install monit

My main goal in using Monit is to restart my MySQL and Apache Tomcat services automatically when they are killed/stopped.

#Check and restart mysql service
check process mysqld with pidfile "/run/mysqld/mysqld.pid"
group database
start program = "/etc/init.d/mysql start"
stop program = "/etc/init.d/mysql stop"
if failed host 127.0.0.1 port 3306 protocol mysql then restart
if 5 restarts within 5 cycles then timeout

The above code works perfectly and Monit restarts the MySQL service (when it’s killed/stopped).

I have actually configured tomcat as follows:
– Downloaded the tomcat zip and extracted to a particular location
– Configured this as my daemon service (and my tomcat server works properly).

As I don’t have a pid file for this tomcat setup, I am planning to check tomcat’s status and start it using the following code:

#Check and restart tomcat service
check host tomcat with address 127.0.0.1
stop program = "/etc/init.d/tomcat stop"
start program = "/etc/init.d/tomcat start"
if failed port 8080 and protocol http
then start

However, I was unable to start tomcat successfully (when it’s killed). On investigating the Monit logs I found the following message:

[UTC Dec 24 12:08:23] error    : 'tomcat' failed, cannot open a connection to INET[127.0.0.1:8080] via TCP
[UTC Dec 24 12:08:23] info     : 'tomcat' start: /etc/init.d/tomcat

Through the above logs, I found Monit is trying to start tomcat automatically every cycle (when it finds the tomcat service was killed). However, some inner conflict stops this!

Other Information:

Tomcat server is properly running by using the port 8080:

netstat -an | grep 8080
tcp6       0      0 :::8080                 :::*                    LISTEN     
tcp6       0      0 127.0.0.1:8080          127.0.0.1:53582         TIME_WAIT  


ps -ef|grep tomcat
root     16237     1  9 12:10 ?        00:00:37 /usr/lib/jvm/java-6-oracle/bin/java -Djava.util.logging.config.file=/usr/share/apache-tomcat-7.0.40/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true -Dfile.encoding=UTF-8 -server -Xms1024m -Xmx1530m -XX:NewSize=512m -XX:MaxNewSize=1024m -XX:PermSize=512m -XX:MaxPermSize=1024m -Djava.endorsed.dirs=/usr/share/apache-tomcat-7.0.40/endorsed -classpath /usr/share/apache-tomcat-7.0.40/bin/bootstrap.jar:/usr/share/apache-tomcat-7.0.40/bin/tomcat-juli.jar -Dcatalina.base=/usr/share/apache-tomcat-7.0.40 -Dcatalina.home=/usr/share/apache-tomcat-7.0.40 -Djava.io.tmpdir=/usr/share/apache-tomcat-7.0.40/temp org.apache.catalina.startup.Bootstrap start
root     16851 16847  0 12:17 ?        00:00:00 sh -c su root -c ps\ \-ef\|grep\ tomcat 2>&1 2>/dev/null
root     16852 16851  0 12:17 ?        00:00:00 su root -c ps -ef|grep tomcat
root     16853 16852  0 12:17 ?        00:00:00 bash -c ps -ef|grep tomcat
root     16855 16853  0 12:17 ?        00:00:00 grep tomcat

Adding preferIPv4Addresses and preferIPv4Stack in catalina.sh file:

JAVA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server -Xms1024m -Xmx1530m
-XX:NewSize=512m -XX:MaxNewSize=1024m -XX:PermSize=512m -XX:MaxPermSize=1024m -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true"

Monit log:

[UTC Dec 24 12:48:39] error    : 'tomcat' failed protocol test [HTTP] at INET[127.0.0.1:8080] via TCP -- HTTP: Error receiving data -- Resource temporarily unavailable

Can anyone please guide me on this?

Thank You.

Related:

Using IBM InfoSphere Guardium for monitoring and auditing IBM DB2 for i database activity

IBM® InfoSphere® Guardium® is an enterprise information audit and
protection solution that helps enterprises to protect and audit information
across a diverse set of relational and nonrelational data sources such as
Oracle, Teradata, IMS, VSAM, Microsoft® SharePoint, and IBM Netezza®, and IBM
DB2® for z/OS®, and DB2 for Linux, UNIX and Windows. With InfoSphere Guardium
V9.0, DB2 for i can now be included as a data source, enabling you to monitor
access through native interfaces and through SQL. This article provides a
brief overview of the InfoSphere Guardium architecture, describes how to
configure access (including best practices for performance), and describes how
to access data activity reports.

Related:

IBM i Access Client Solutions Linux Application Package

IBM i Access Client Solutions and the IBM i Access Client Solutions
Linux Application Package replaces iSeries Access for Linux and improves
greatly upon that experience. In this article, you can learn about the changes
included in the Linux Application Package: full 64-bit Open Database
Connectivity (ODBC) driver, 32-bit co-installable libraries, deb packages for
Debian-based Linux and more.

Related:

Discover OpenStack: The Identity component Keystone

This article presents the OpenStack Identity (Keystone) project,
explains how it fits into the overall architecture, and shows how it operates.
It illustrates the project with insight into what it takes to install,
configure, and use the components.

Related:

DevOps best practices, Part 2: Ensure robust and effective information security with DevOps

DevOps principles, well known for helping developers and operations to
work more effectively together, can be applied to information security, as
well. Learn how DevOps can improve information security by applying
industry-recognized best practices. Use the DevOps approach to keep systems
secure, to prevent system glitches, and to ensure uninterrupted
service.

Related:

Using JTOpen with Android to access IBM i

This article provides an overview of the two most recent additions to the IBM
Toolbox for Java and JTOpen offering. These new Java™ packages allow you to write native
applications for Android-based devices that need to interact with IBM i
servers.

Related:

Automated security testing with IBM Security AppScan Enterprise 8.7 and Selenium IDE

Learn how quality assurance testers seeking increased automation within the
software development life cycle can leverage IBM Security AppScan Enterprise
and the Selenium IDE browser plug-in for Firefox to include dynamic application security
testing in their functional tests.

Related:

Eliminate banner grabbing in Apache Tomcat

Banner grabbing is often the first step before a full-blown cyber attack, but
it’s easy to prevent. Learn how to secure your Apache Tomcat installation against version-based exploits by overriding the default parameters in your Server.xml and ServerInfo.properties files.

Related:

Windows GPO Software Restrictions Policy not working with %TEMP% variable

I’m trying to put in some meagre additional malware prevention measures, by restricting the execution of *.exe in a handful of locations — in particular, the temporary folders that various compression tools unzip to, when a user might choose to open an executable straight from a Zip file.

From the TechNet article, http://technet.microsoft.com/nl-nl/library/cc786941%28v=ws.10%29.aspx:

You can use environment variables in a path rule. Since path rules are evaluated in the client environment, the ability to use environment variables (for example, %Windir%) allows a rule to adapt to a particular user’s environment.

A path rule can incorporate the ? and * wildcards, allowing rules such as “*.vbs” to match all Visual Basic Script files. The following examples illustrate the use of wildcards:

  • “\DC-??\login$” matches \DC-01\login$, \DC-02\login$
  • “*\Windows” matches C:\Windows, D:\Windows, E:\Windows
  • “c:\win*” matches c:\winnt, c:\windows, c:\windir

I have these Path rules (which I have applied both singularly and in various combinations):

  • %APPDATA%\*.exe
  • %APPDATA%\*\*.exe
  • %LOCALAPPDATA%\*.exe
  • %LOCALAPPDATA%\*\*.exe
  • %TEMP%\*.exe
  • %TEMP%\7z*\*.exe
  • %TEMP%\wz*\*.exe
  • %TEMP%\Rar*\*.exe

…which theoretically should represent executables directly under the user’s temp folder, and executables in temp folders named in the manner that Winzip, WinRAR and 7-zip might name their temp folders (e.g. %TEMP%\7zSF20.tmp\the_file.exe).

The %APPDATA% and %LOCALAPPDATA% ones work; the %TEMP% ones don’t. Executables appear to be blocked under %TEMP% but this is only because, in a default setup, they also match the %LOCALAPPDATA%\*\*.exe rule (Temp is under AppData\Local, by default).

I had originally thought this was an issue with wildcards in partial folder names, but it appears this is specific to the use of the %TEMP% variable (hence the rewrite).

The two workarounds I have confirmed (and why I’d prefer not to use them) are:

  1. using %LOCALAPPDATA%\Temp in place of %TEMP%

    • Strictly speaking, this is not correct, as the %TEMP% variable can be set to differ from %LOCALAPPDATA%\Temp.
  2. using %HKEY_CURRENT_USER\Environment\TEMP%

    • Registry-based path rules seem to apply to all subfolders — I would prefer a slightly lighter touch (so I don’t have to go around whitelisting everything else)
    • Registry-based rules appear to be limited such that you cannot have anything more specific, e.g. %HKEY_CURRENT_USER\Environment\TEMP%\7z*\*.exe
      • I have since discovered %HKEY_CURRENT_USER\Environment\TEMP%7z* will get close (the \ between the variable and the subfolder should not be specified, and you can’t specify a filename mask afterwards)
    • It is also technically incorrect, as this registry location only contains the value as it should be at the start of a process and not what it might be changed to during the course of that process — e.g. it would not apply if you opened a Command Prompt, issued SET TEMP=C:\ and ran the program from the prompt).

(For what it is worth, I have tried configuring the SRP in both the Computer and User sections of the GPO, both independently and simultaneously, in case one overwrote the other, or %TEMP% was resolved differently at Computer and User level.)

What’s so special about the %TEMP% variable that it would not apply here, whereas something like %LOCALAPPDATA%\Temp\wz*\*.exe would?


Update:

It appears that the limitation is specifically with the %TEMP% environment variable. I have edited the question, as such.