Re: Preference of Master Name Servers

2012-12-07 Thread Cathy Almond
On 06/12/12 14:12, Matus UHLAR - fantomas wrote:
 On 05.12.12 17:28, David Hall wrote:
 Question 1:
 In our secondary / slave name servers we specify the master name servers in
 the normal manner:
 zone "mysample.me.uk" { type slave; file "m/y/db.mysample.me.uk"; masters {
 10.10.100.12; 10.10.101.12; 10.10.102.5; }; };
 What I have found is that the order of the master name servers does not
 matter and one is used at random. That name server is tried for all AXFR /
 IXFR attempts until it is unreachable.
 Is there a way to set a dedicated preference of which name servers to use
 first?
 
 No, all masters are treated equally. Do you know a reason why they should
 not? However, if a slave received a notify from a master, it prefers fetching
 from that master, afaik.
 
 Question 2:
 I am also seeing many entries in our logs that look like:
 Dec 4 10:28:49 mysys named[28103]: zone mysample.me.uk/IN: refresh: retry
 limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)

 Does this mean that the master name server is unreachable? I have confirmed
 that it is reachable by UDP and TCP.
 Or does it mean that we are hitting one of our limits? Our current values
 are:
 serial-query-rate 500;
 transfers-out 300;
 transfers-in 300;
 transfers-per-ns 100;
 
 I would try increasing limits, starting with transfers-in.
 You can check in logs or via netstat (or packet dump) how many transfers
 were executed in parallel (to know which parameter to increase).
 
 Question 3:
 We have over 100,000 domains on the name servers. What we see is that once
 we start seeing many of these exceeded messages in the logs then our soa
 queries in progress will go up significantly and never go back down.
 We have to shut down the name server and restart it, and then the soa
 queries in progress goes down to 0 or 1 and the exceeded messages go away.
 Has anyone had a similar problem? If so, how did you resolve this?
 
 With 100k zones, you must increase limits. Or use a different technique
 for distributing changes, e.g. NOTIFY, and increase the refresh (and retry)
 times to avoid useless timeouts.
 

Does this KB article help at all?

https://kb.isc.org/article/AA-00726/0/Tuning-your-BIND-configuration-effectively-for-zone-transfers-particularly-with-many-frequently-updated-zones.html

(It's one you'll need to register to see - but it's otherwise available
to all).


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
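An added example, not from the thread: a Python script that does what Matus suggests, reading named's log to count the retry-limit messages per master and the peak number of inbound transfers in flight, so the numbers can be set against transfers-in and transfers-per-ns. The log lines are constructed here to follow the shape of the message quoted above and of BIND's inbound-transfer (xfrin) messages.

```python
import re
from collections import Counter

# Constructed sample of named syslog output (not from the thread); the message
# texts follow the shape of BIND 9's zone refresh and inbound transfer (xfrin) logs.
SAMPLE_LOG = """\
Dec  4 10:28:49 mysys named[28103]: zone z1.me.uk/IN: Transfer started.
Dec  4 10:28:49 mysys named[28103]: zone z2.me.uk/IN: Transfer started.
Dec  4 10:28:49 mysys named[28103]: zone z3.me.uk/IN: Transfer started.
Dec  4 10:28:50 mysys named[28103]: transfer of 'z1.me.uk/IN' from 10.10.100.12#53: Transfer completed: 1 messages, 12 records, 512 bytes, 0.001 secs (512000 bytes/sec)
Dec  4 10:28:50 mysys named[28103]: zone mysample.me.uk/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
Dec  4 10:28:51 mysys named[28103]: zone z4.me.uk/IN: Transfer started.
Dec  4 10:28:51 mysys named[28103]: transfer of 'z2.me.uk/IN' from 10.10.101.12#53: failed to connect: timed out
Dec  4 10:28:52 mysys named[28103]: zone other.me.uk/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
Dec  4 10:28:52 mysys named[28103]: zone third.me.uk/IN: refresh: retry limit for master 10.10.100.12#53 exceeded (source 10.10.100.25#0)
"""

RETRY_RE = re.compile(r"zone (\S+): refresh: retry limit for master (\S+) exceeded")
START_RE = re.compile(r"zone (\S+): Transfer started\.")
END_RE = re.compile(r"transfer of '(\S+)' from \S+: (?:Transfer completed|failed)")

def summarize(log_text):
    """Return (retry-limit messages per master, peak concurrent inbound transfers)."""
    per_master = Counter()
    in_flight, peak = set(), 0
    for line in log_text.splitlines():
        m = RETRY_RE.search(line)
        if m:
            per_master[m.group(2)] += 1       # which master keeps timing out
            continue
        m = START_RE.search(line)
        if m:
            in_flight.add(m.group(1))          # zone name incl. class, e.g. z1.me.uk/IN
            peak = max(peak, len(in_flight))
            continue
        m = END_RE.search(line)
        if m:
            in_flight.discard(m.group(1))      # completed or failed: slot is free again
    return per_master, peak

if __name__ == "__main__":
    hits, peak = summarize(SAMPLE_LOG)
    for master, n in hits.most_common():
        print(f"{master}: {n} retry-limit messages")
    print(f"peak concurrent inbound transfers: {peak} (compare with transfers-in)")
```

Run it against the real log (syslog or the xfer-in channel) instead of SAMPLE_LOG; a peak close to transfers-in, or one master collecting nearly all retry-limit messages, points at the limit to raise first.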


Bind not forwarding all requests

2012-12-07 Thread Romgo
Hello,

I am currently running two bind9 servers on Debian Squeeze
(1:9.7.3.dfsg-1~squeeze8).

Server 1 is an internal DNS server and serves some local zones. This server
should forward all unknown requests to our public DNS server. So I
configured this server as follows in /etc/bind/named.conf.options:

  forward only;
  forwarders {
    ip_server_2;
  };

The second server is allowed to do DNS requests on the Internet, so there is
no forwarder configured.

The issue is that I see on my firewall that server1 is trying to do DNS
requests on the DNS root servers.

Any idea why I have this issue? Wrong configuration?

Regards,

Re: Bind not forwarding all requests

2012-12-07 Thread Ben Croswell
It is probably related to forward first versus forward only. Forward first
is default but will fall back to no forwarding if the forwarders fail.


Re: Bind not forwarding all requests

2012-12-07 Thread Romgo
Yes, that was my first idea from reading the documentation.
But as my configuration is clearly using forward only, I don't understand.

Could this be a bug?




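An added example, not from the thread: a Python checker for the situation Ben describes. A global `forward only` in options is not the whole story, because each zone statement can override it: a `type forward` zone may carry its own `forward first`, and an empty `forwarders { }` list switches forwarding off for that zone, so queries for it go out to the root servers. The checker computes the effective policy per zone. The named.conf text is a constructed sample, and the parser handles only this simple braces-and-semicolons layout (no comments or include files).

```python
import re

# Constructed named.conf excerpt (not the poster's file): global forward-only,
# but two zone statements quietly change where queries for them are sent.
SAMPLE_CONF = """
options { forward only; forwarders { 192.0.2.53; }; };
zone "corp.example" { type master; file "db.corp.example"; };
zone "partner.example" { type forward; forward first; forwarders { 198.51.100.53; }; };
zone "legacy.example" { type forward; forwarders { }; };
"""

def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement."""
    depth, start, header = 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:  # header = text since the previous top-level ';'
                header, start = text[:i].rsplit(";", 1)[-1].strip(), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, text[start:i]

def forward_mode(body, inherited):
    """Empty forwarders list disables forwarding; forward first/only overrides."""
    fw = re.search(r"forwarders\s*\{([^}]*)\}", body)
    if fw is not None and not fw.group(1).strip():
        return "none"                      # answered by normal recursion from the roots
    m = re.search(r"\bforward\s+(first|only)\s*;", body)
    return m.group(1) if m else inherited

def effective_forwarding(conf):
    """Return (global mode, {zone: mode}); mode is only / first / none / local."""
    blocks = list(top_level_blocks(conf))
    options = next((b for h, b in blocks if h == "options"), "")
    fw = re.search(r"forwarders\s*\{([^}]*)\}", options)
    # with a non-empty forwarders list BIND's default policy is 'forward first'
    global_mode = forward_mode(options, "first") if fw and fw.group(1).strip() else "none"
    zones = {}
    for h, b in blocks:
        m = re.match(r'zone\s+"([^"]+)"', h)
        if m:  # authoritative zones answer from their own data, not via forwarding
            is_fwd = re.search(r"\btype\s+forward\s*;", b)
            zones[m.group(1)] = forward_mode(b, global_mode) if is_fwd else "local"
    return global_mode, zones

if __name__ == "__main__":
    print(effective_forwarding(SAMPLE_CONF))
```

Any zone reported as "first" or "none" is one for which the internal server will contact the root servers itself, which is what the firewall would show.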

Getting RPZ statistics

2012-12-07 Thread Howard, Christopher Bryan
I recently (as of 2 days ago) enabled RPZ on all of my name servers.  I 
currently use rndc stats, perl, and SNMP to make certain global stats 
available to our network monitoring system to make charts (number of queries 
across all views and such).  I'd like to do the same for just the RPZ zone so I 
can get an idea of how many queries are getting handled by RPZ itself.

I added zone-statistics yes; to the RPZ zone, and the statistics file showed 
the header for that zone, but then there were no stats there.  I enabled the 
zone-statistics for a regular zone and it provided stats as expected.  Here's 
what my stats file looks like with zone-statistics enabled in the RPZ zone and 
one other zone for comparison.

++ Per Zone Query Statistics ++
[utc.edu (view: view1)]
  3 queries resulted in successful answer
  9 queries resulted in authoritative answer
  2 queries resulted in nxrrset
  4 queries resulted in NXDOMAIN
[rpz (view: view2)]
[rpz (view: view1)]

My assumption is that since the RPZ zone is special it therefore can't keep 
track of stats.  Is this the case or am I overlooking something obvious?

I guess I could CNAME all the RPZ records to a single host in a separate domain 
and then do zone-statistics on that one zone, but that's kinda dirty.

-Christopher


Re: Getting RPZ statistics

2012-12-07 Thread Vernon Schryver

In a useless sense probably not intended, the number of queries
handled by RPZ is the same as the number of queries handled by
the normal zones in the views with response-policy{} statements,
because all queries are tested against the policy zones.

The short answer to the likely intended question is that there are
no RPZ specific statistics.  One might want the number of responses
rewritten according to each policy zone, but those statistics don't
exist.  I agree that the idea is worth thinking about.

Recent versions of the BIND9 RPZ code have improved logging.  On DNS
servers that are not too busy, it might be possible to synthesize
useful RPZ statistics with awk/perl/whatever applied to the RPZ log
category.


Vernon Schryver  v...@rhyolite.com


Re: Getting RPZ statistics

2012-12-07 Thread John Hascall

We point our DNS-RPZ records at a server (here-be-dragons)
that records connections at that point.  Also the webserver
listening there sends back either an image or javascript+html
which explains to the user the reason they are not seeing the
webpage they expect.

The web server gives us a convenient way to gather statistics
on which client machines are attempting to access which
bad hosts.

One of the stats we generate each night is the ten machines
which accessed the here-be-dragons server the most, which we
send to the help desk so they can let the person know their
machine is probably infected with malware.

John
---
John Hascall, j...@iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication  Directory Services)
IT Services, The Iowa State University of Science and Technology
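An added example, not from either post: a Python script following Vernon's suggestion of synthesizing RPZ statistics from the rpz log category, which also yields the busiest-clients list that John's site gets from the here-be-dragons web server. The log lines are constructed to follow the shape of BIND 9's "rpz ... rewrite ... via ..." message, and the policy zone names are assumed.

```python
import re
from collections import Counter

# Constructed sample of named 'rpz' category log lines (not from the thread); the
# shape follows BIND 9's "client ... (qname): rpz TRIGGER ACTION rewrite qname via owner".
SAMPLE_RPZ_LOG = """\
07-Dec-2012 10:01:02.123 client 10.1.2.3#51234 (bad.example): rpz QNAME CNAME rewrite bad.example via bad.example.rpz.local
07-Dec-2012 10:01:05.456 client 10.1.2.3#51240 (c2.example): rpz QNAME NXDOMAIN rewrite c2.example via c2.example.rpz.vendor.example
07-Dec-2012 10:01:07.789 client 10.1.2.9#44001 (bad.example): rpz QNAME CNAME rewrite bad.example via bad.example.rpz.local
07-Dec-2012 10:02:00.000 client 10.1.2.3#51260 (www.ok.example): rpz IP NODATA rewrite www.ok.example via 32.7.0.2.203.rpz-ip.rpz.local
07-Dec-2012 10:02:01.000 client 10.1.2.7#40000 (safe.example): rpz QNAME PASSTHRU rewrite safe.example via safe.example.rpz.local
"""

# Assumed policy zone names, as they would appear in response-policy { ... };
POLICY_ZONES = ["rpz.local", "rpz.vendor.example"]

# the optional "@0x..." client pointer covers releases that log it before the address
LINE_RE = re.compile(
    r"client (?:@\S+ )?(\S+)#\d+ \((\S+)\): rpz (\S+) (\S+) rewrite \S+ via (\S+)")

def policy_zone_of(via, zones):
    """Map the 'via' owner name back to the configured policy zone containing it."""
    for z in sorted(zones, key=len, reverse=True):   # longest suffix wins
        if via == z or via.endswith("." + z):
            return z
    return "?"

def rpz_stats(log_text, zones, top_n=10):
    """Rewrites per policy zone, per action, and the top_n busiest client IPs."""
    per_zone, per_action, per_client = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        client, _qname, _trigger, action, via = m.groups()
        if action == "PASSTHRU":
            continue       # logged by RPZ but the answer was not rewritten
        per_zone[policy_zone_of(via, zones)] += 1
        per_action[action] += 1
        per_client[client] += 1
    return per_zone, per_action, per_client.most_common(top_n)

if __name__ == "__main__":
    per_zone, per_action, top = rpz_stats(SAMPLE_RPZ_LOG, POLICY_ZONES)
    print("rewrites per policy zone:", dict(per_zone))
    print("rewrites per action:", dict(per_action))
    print("busiest clients:", top)
```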
