Re: [CentOS] Bind config question, centos 5.10

2014-08-16 Thread Gardner Bell
On 15 August 2014 12:05, Chuck Campbell campb...@accelinc.com wrote:

 I must have something mis-configured in my bond setup. Things are working, but
 I'm getting TONS of this sort of stuff in my log:

 +2001:502:ad09::4#53: 1 Time(s)
 network unreachable resolving 'kns1.kuwaitnet.net/A/IN':
 +2001:503:231d::2:30#53: 1 Time(s)
 network unreachable resolving 'kns1.kuwaitnet.net/A/IN':
 +2001:503:a83e::2:30#53: 1 Time(s)
 network unreachable resolving 'kns1.kuwaitnet.net//IN':
 +2001:503:231d::2:30#53: 1 Time(s)
 network unreachable resolving 'kns1.kuwaitnet.net//IN':
 +2001:503:a83e::2:30#53: 1 Time(s)
 network unreachable resolving 'kns2.kuwaitnet.net/A/IN':
 +2001:503:231d::2:30#53: 1 Time(s)
 network unreachable resolving 'kns2.kuwaitnet.net/A/IN':
 +2001:503:a83e::2:30#53: 1 Time(s)
 network unreachable resolving 'kns2.kuwaitnet.net//IN':
 +2001:503:231d::2:30#53: 1 Time(s)
 network unreachable resolving 'kns2.kuwaitnet.net//IN':
 +2001:503:a83e::2:30#53: 1 Time(s)
 network unreachable resolving 'kns3.kuwaitnet.net/A/IN':
 +2001:503:231d::2:30#53: 1 Time(s)
 network unreachable resolving 'kns3.kuwaitnet.net/A/IN':
 +2001:503:a83e::2:30#53: 1 Time(s)
 network unreachable resolving 'kns3.kuwaitnet.net//IN':
 +2001:503:231d::2:30#53: 1 Time(s)

 I'm not sure where to look. it may be the any in the named.conf lines
 below,
 but I'm not sure.
 My named.conf looks like this:
 options {
 listen-on port 53 { 127.0.0.1; any; };
 #   listen-on-v6 port 53 { ::1; };
 directory   /var/named;
 dump-file   /var/named/data/cache_dump.db;
 statistics-file /var/named/data/named_stats.txt;
 memstatistics-file /var/named/data/named_mem_stats.txt;

 // Those options should be used carefully because they disable port
 // randomization
 // query-sourceport 53;
 // query-source-v6 port 53;

 allow-query { localhost; any; };
 allow-query-cache { localhost; any; };
 #   allow-query { localhost; };
 #   allow-query-cache { localhost; };
 };
 logging {
 channel default_debug {
 file data/named.run;
 severity dynamic;
 };
 };
 view localhost_resolver {
 match-clients  { localhost; any; };
 match-destinations { localhost; any; };
 #   match-clients  { localhost; };
 #   match-destinations { localhost; };
 recursion yes;
 include /etc/named.rfc1912.zones;
 };

 --
 ACCEL Services, Inc.| Specialists in Gravity, Magnetics |  (713)993-0671
 ph.
 |   and Integrated Interpretation   |  (713)993-0608
 fax
 448 W. 19th St. #325|Since 1992 |  (713)306-5794
 cell
  Houston, TX, 77008 |  Chuck Campbell   |
 campb...@accelinc.com
 |  President  Senior Geoscientist  |

  Integration means more than having all the maps at the same scale!


 ___
 CentOS mailing list
 CentOS@centos.org
 http://lists.centos.org/mailman/listinfo/centos

Have you tried starting the bind daemon with -4, or IPv4 only?


-- 
Gardner Bell
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Bind config question, centos 5.10

2014-08-16 Thread David Beveridge
I cannot see your firewall rules, so I may be on the wrong track here, but...
It's not really a good idea to be running a recursive name server that is
open to the world (any;).
Your server is trying to resolve something for a client that could be
anyone.
This kind of error appears when the domain being looked up is unreachable
or delegated to the wrong name servers.

If you are not able to block incoming requests from external sources in
your firewall, you can do it in the bind config.

eg:

// acls must be declared before the statements that reference them
acl clients {
    127.0.0.1;
    ::1;

    // private
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;

    // public
    203.0.113.0/24;
    198.51.100.0/24;
    2001:db8::/32;
};

acl my_networks {
    192.0.2.0/24;
};

options {
    // existing options omitted

    allow-query-cache {
        clients;
    };

    allow-transfer {
        my_networks;
    };

    allow-recursion {
        clients;
    };
};


Of course these kinds of queries might still come from your clients anyway,
but good practice is to not provide an open recursive name server unless you
really mean to.
See https://www.us-cert.gov/ncas/alerts/TA13-088A



On Sat, Aug 16, 2014 at 2:05 AM, Chuck Campbell campb...@accelinc.com
wrote:

 I must have something mis-configured in my bond setup. Things are working, but
 I'm getting TONS of this sort of stuff in my log:


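The restriction described in the reply above, as an added example in Python (not code from the thread, from the poster, or from BIND): a small audit that parses named.conf syntax and reports every scope where recursion would be answered for arbitrary clients. Both configs inside the block are constructed for the example: OPEN_CONF is a cut-down copy of the settings in the original post, CLOSED_CONF applies the acl restriction suggested in the reply. Treating a missing allow-recursion as unrestricted is my reading of the BIND 9.3 ARM (CentOS 5 ships BIND 9.3); BIND 9.4 and later default to localhost and localnets instead.

```python
import re

# Added example (not from the thread): audit named.conf text for recursion
# reachable by arbitrary clients. OPEN_CONF is a constructed cut-down copy of
# the original post's settings; CLOSED_CONF applies the acl restriction from
# the reply. A missing allow-recursion is treated as unrestricted, following
# the BIND 9.3 ARM (CentOS 5 ships 9.3); 9.4+ defaults to localhost/localnets.
OPEN_CONF = """
options {
    listen-on port 53 { 127.0.0.1; any; };
    allow-query { localhost; any; };
    allow-query-cache { localhost; any; };
};
view "localhost_resolver" {
    match-clients { localhost; any; };
    recursion yes;
};
"""
CLOSED_CONF = """
acl clients { 127.0.0.1; ::1; 10.0.0.0/8; 192.168.0.0/16; 2001:db8::/32; };
acl my_networks { 192.0.2.0/24; };
options {
    listen-on port 53 { any; };
    recursion yes;
    allow-query { any; };           // authoritative data may stay public
    allow-query-cache { clients; };
    allow-recursion { clients; };
    allow-transfer { my_networks; };
};
"""
OPEN_TOKENS = {"any", "0.0.0.0/0", "::/0"}   # match lists that admit every source

def strip_comments(text):
    """named.conf accepts /* */, // and # comments; drop all three."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)

def tokenize(text):
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', strip_comments(text))

def parse(tokens, pos=0):
    """Return (statements, pos); a statement is (words, children-or-None)."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ";":                     # end of a simple statement
            if words:
                stmts.append((words, None))
            words, pos = [], pos + 1
        elif tok == "{":                   # block: recurse, resume after '}'
            children, pos = parse(tokens, pos + 1)
            stmts.append((words, children))
            words = []
        elif tok == "}":
            return stmts, pos + 1
        else:
            words.append(tok.strip('"'))
            pos += 1
    return stmts, pos

def members_of(children):
    return [w[0] for w, _ in children or []]

def directives(children):
    return {w[0]: (w[1:], c) for w, c in children or []}

def acl_is_open(members, acls, seen=frozenset()):
    """True if the address-match list can match any source address."""
    for m in members:
        if m.startswith("!"):              # negations never widen a list
            continue
        if m in OPEN_TOKENS:
            return True
        if m in acls and m not in seen and acl_is_open(acls[m], acls, seen | {m}):
            return True
    return False

def audit(conf_text):
    """List every scope that would answer recursive queries for the world."""
    stmts, _ = parse(tokenize(conf_text))
    acls = {w[1]: members_of(c) for w, c in stmts if w[0] == "acl"}
    top = next((directives(c) for w, c in stmts if w[0] == "options"), {})
    scopes = [("options", top)]
    scopes += [("view " + w[1], directives(c)) for w, c in stmts if w[0] == "view"]
    findings = []
    for scope, own in scopes:
        eff = {**top, **own}               # a view inherits from options
        if eff.get("recursion", (["yes"], None))[0][:1] == ["no"]:
            continue
        for key in ("allow-recursion", "allow-query-cache"):
            if key not in eff:
                findings.append(f"{scope}: {key} not set (unrestricted on BIND 9.3)")
            elif acl_is_open(members_of(eff[key][1]), acls):
                findings.append(f"{scope}: {key} admits any")
        mc = own.get("match-clients")
        if mc and acl_is_open(members_of(mc[1]), acls):
            findings.append(f"{scope}: match-clients admits any while recursion is on")
    return findings
```

Calling audit(OPEN_CONF) reports the unrestricted allow-recursion and allow-query-cache in options and, inherited, in the view, plus the view's match-clients; audit(CLOSED_CONF) returns nothing. The parser is only as deep as the audit needs (it does not resolve negated or key-based entries beyond skipping them), so keep using named-checkconf for syntax and treat this as a policy check layered on top.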

[CentOS] Bind config question, centos 5.10

2014-08-15 Thread Chuck Campbell
I must have something mis-configured in my bond setup. Things are working, but
I'm getting TONS of this sort of stuff in my log:

+2001:502:ad09::4#53: 1 Time(s)
network unreachable resolving 'kns1.kuwaitnet.net/A/IN':
+2001:503:231d::2:30#53: 1 Time(s)
network unreachable resolving 'kns1.kuwaitnet.net/A/IN':
+2001:503:a83e::2:30#53: 1 Time(s)
network unreachable resolving 'kns1.kuwaitnet.net//IN':
+2001:503:231d::2:30#53: 1 Time(s)
network unreachable resolving 'kns1.kuwaitnet.net//IN':
+2001:503:a83e::2:30#53: 1 Time(s)
network unreachable resolving 'kns2.kuwaitnet.net/A/IN':
+2001:503:231d::2:30#53: 1 Time(s)
network unreachable resolving 'kns2.kuwaitnet.net/A/IN':
+2001:503:a83e::2:30#53: 1 Time(s)
network unreachable resolving 'kns2.kuwaitnet.net//IN':
+2001:503:231d::2:30#53: 1 Time(s)
network unreachable resolving 'kns2.kuwaitnet.net//IN':
+2001:503:a83e::2:30#53: 1 Time(s)
network unreachable resolving 'kns3.kuwaitnet.net/A/IN':
+2001:503:231d::2:30#53: 1 Time(s)
network unreachable resolving 'kns3.kuwaitnet.net/A/IN':
+2001:503:a83e::2:30#53: 1 Time(s)
network unreachable resolving 'kns3.kuwaitnet.net//IN':
+2001:503:231d::2:30#53: 1 Time(s)

I'm not sure where to look. It may be the "any" in the named.conf lines below,
but I'm not sure.
My named.conf looks like this:
options {
    listen-on port 53 { 127.0.0.1; any; };
#   listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    // Those options should be used carefully because they disable port
    // randomization
    // query-source    port 53;
    // query-source-v6 port 53;

    allow-query { localhost; any; };
    allow-query-cache { localhost; any; };
#   allow-query { localhost; };
#   allow-query-cache { localhost; };
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
view "localhost_resolver" {
    match-clients  { localhost; any; };
    match-destinations { localhost; any; };
#   match-clients  { localhost; };
#   match-destinations { localhost; };
    recursion yes;
    include "/etc/named.rfc1912.zones";
};

-- 
ACCEL Services, Inc.| Specialists in Gravity, Magnetics |  (713)993-0671 ph.
|   and Integrated Interpretation   |  (713)993-0608 fax
448 W. 19th St. #325|Since 1992 |  (713)306-5794 cell
 Houston, TX, 77008 |  Chuck Campbell   | campb...@accelinc.com
|  President  Senior Geoscientist  |

 Integration means more than having all the maps at the same scale!
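The log entries in this post, and the -4 suggestion in Gardner Bell's reply, as an added example in Python (not code from the thread): it parses raw named log lines of the kind the summary above condenses, tallies the unreachable upstream servers by address family, and reports whether every failing target is IPv6, which is the case where starting named IPv4-only makes sense. The sample lines are constructed: the names and addresses are the ones in the post, while the timestamps, the hostname "ns1" and the pid are made up. On CentOS the flag goes in OPTIONS="-4" in /etc/sysconfig/named, which the init script passes to named; the thread does not spell that out.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of raw named log lines (names and addresses taken from
# the original post; timestamps, the hostname "ns1" and the pid are made up).
# The last line is a different message type and must be ignored by the parser.
SAMPLE_LOG = """\
Aug 15 11:02:17 ns1 named[2345]: network unreachable resolving 'kns1.kuwaitnet.net/A/IN': 2001:502:ad09::4#53
Aug 15 11:02:17 ns1 named[2345]: network unreachable resolving 'kns1.kuwaitnet.net/AAAA/IN': 2001:503:231d::2:30#53
Aug 15 11:02:18 ns1 named[2345]: network unreachable resolving 'kns2.kuwaitnet.net/A/IN': 2001:503:a83e::2:30#53
Aug 15 11:02:18 ns1 named[2345]: network unreachable resolving 'kns3.kuwaitnet.net/A/IN': 2001:503:231d::2:30#53
Aug 15 11:02:19 ns1 named[2345]: client 203.0.113.7#41234: query (cache) 'example.com/A/IN' denied
"""

UNREACHABLE_RE = re.compile(
    r"network unreachable resolving '(?P<qname>[^/']+)/(?P<qtype>[^/']*)/(?P<qclass>[^']*)': "
    r"(?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
)

def parse_unreachable(text):
    """Return (qname, qtype, server_ip) for every 'network unreachable' line."""
    events = []
    for line in text.splitlines():
        m = UNREACHABLE_RE.search(line)
        if m:
            events.append((m["qname"], m["qtype"], ipaddress.ip_address(m["addr"])))
    return events

def summarize(events):
    """Tally failures by address family and by upstream server."""
    by_family = Counter(f"IPv{ip.version}" for _, _, ip in events)
    by_server = Counter(str(ip) for _, _, ip in events)
    return by_family, by_server

def recommend(by_family):
    """A host with no IPv6 route fails only against v6 targets; that is the
    case where starting named with -4 silences the noise."""
    if by_family and "IPv4" not in by_family:
        return "all failing targets are IPv6: start named with -4 or fix IPv6 routing"
    return "IPv4 targets fail too: this is not just a missing IPv6 route"
```

Run it over a real /var/log/messages extract instead of SAMPLE_LOG; if the per-family tally shows IPv4 failures as well, the problem is delegation or reachability of the zone's name servers rather than the missing IPv6 route, and -4 will not help.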
