FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 189673
Description
Adding a "." to the start of a domain in the Allowed Domains list will cause the named-chroot service to fail. In an HA environment this can trigger a failover event.

Example:

'.data.microsoft.com'


> service named-chroot status
Redirecting to /bin/systemctl status named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Tue 2020-10-20 13:32:16 EDT; 18s ago
  Process: 6036 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 3832 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 6485 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)
Main PID: 3834 (code=exited, status=0/SUCCESS)

Oct 20 13:32:16 atlas.supportlab.fortinac.com bash[6485]: zones.common:12: zone '.data.microsoft.com': is not a valid name
Oct 20 13:32:16 atlas.supportlab.fortinac.com bash[6485]: zones.common:12: zone '.data.microsoft.com': is not a valid name


Scope
Version:  8.x

Solution
Workaround:  Remove any domains that lead with a “.” from the Allowed Domains List.

1. In the UI navigate to System > Settings > Control > Allowed Domains
2. Select the domain and click Delete
3. Once all incorrect domains are deleted, click Save
4. In the appliance CLI, verify the named service is running. Type
service named-chroot status

Example:
> service named-chroot status
Redirecting to /bin/systemctl status named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-10-20 13:33:48 EDT; 4min 31s ago
  Process: 6036 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 7014 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 7011 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 7016 (named)
   Memory: 363.4M
   CGroup: /system.slice/named-chroot.service
           └─7016 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot


5. Re-add the removed domains, ensuring none of them begins with a "."
6. Click Save

Note: Clicking save on the allowed domains page will restart the named-chroot service.
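As an added example, not part of the Fortinet article or the FortiNAC product: a POSIX sh pre-check that flags Allowed Domains entries BIND's named-checkconf would reject (a leading ".", empty labels, bad characters) before they are saved and named-chroot is restarted. The input format (one domain per line in a text file) and the function names are assumptions; on the appliance the authoritative check remains the named-checkconf run shown in the status output above.

```shell
# Added example, not from the FortiNAC article. Pre-checks an Allowed Domains
# list for entries named-checkconf rejects (leading ".", empty labels, bad
# characters). Assumed input format: one domain per line in a text file.

# Return 0 if $1 is a usable zone name, 1 otherwise.
valid_allowed_domain() {
    d="$1"
    case "$d" in
        ''|.*) return 1 ;;                # empty, or the leading "." from the article
        *[!A-Za-z0-9.-]*) return 1 ;;    # only letters, digits, "-" and "." allowed
    esac
    d="${d%.}"                           # accept one trailing "." (FQDN form)
    case "$d" in
        ''|*.|*..*) return 1 ;;          # "a..b", "a.." and "." all have an empty label
    esac
    old_ifs="$IFS"; IFS='.'
    set -- $d                            # split into labels; safe, no glob chars left
    IFS="$old_ifs"
    for label in "$@"; do
        case "$label" in
            -*|*-) return 1 ;;           # a label may not start or end with "-"
        esac
        [ "${#label}" -le 63 ] || return 1
    done
    return 0
}

# Print each invalid entry in file $1; return 1 if any were found, else 0.
check_allowed_domains_file() {
    rc=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        if ! valid_allowed_domain "$line"; then
            printf 'INVALID: %s\n' "$line"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed sample list; the leading-dot entry is the one from the article.
sample=$(mktemp)
printf '%s\n' 'data.microsoft.com' '.data.microsoft.com' 'update.example.net.' \
    'bad..example.org' > "$sample"
if ! check_allowed_domains_file "$sample"; then
    echo "Fix the entries above before clicking Save."
fi
rm -f "$sample"
```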


Solution:  Addressed in version 8.8.3.


ID 0672073


