Re: file descriptor exceeds limit
On 6/19/15, 4:07 PM, /dev/rob0 <r...@gmx.co.uk> wrote:

> On Fri, Jun 19, 2015 at 02:55:23PM -0500, I wrote:
>
>> On Thu, Jun 18, 2015 at 11:11:16PM +, Mike Hoskins (michoski) wrote:
>>> <snip>
>>
>> Note that connection tracking can be a problem upstream as well, for the same reasons as described in the article. I would still turn off conntrack for UDP DNS upstream, unless you're using DNAT (yuck.)
>
> Oh ... hahaha ... I missed the @cisco.com, so I don't suppose you're using Linux on your upstream routers. :) The same idea applies regardless of implementation, of course.

Quite alright... In past lives yes, and perhaps even internally at times (more often OpenBSD and pf)...though I won't admit that. ;-D

Regardless, all input is welcome. I'll check out the KB article. I have sat for hours with the network team making sure their gear isn't touching my DNS packets in any perverted ways, but it's always good to triple check.

Thanks!

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: file descriptor exceeds limit
On Fri, Jun 19, 2015 at 02:55:23PM -0500, I wrote:

> On Thu, Jun 18, 2015 at 11:11:16PM +, Mike Hoskins (michoski) wrote:
>> <snip>
>
> Note that connection tracking can be a problem upstream as well, for the same reasons as described in the article. I would still turn off conntrack for UDP DNS upstream, unless you're using DNAT (yuck.)

Oh ... hahaha ... I missed the @cisco.com, so I don't suppose you're using Linux on your upstream routers. :) The same idea applies regardless of implementation, of course.

-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: dnssec validation issue
Eray Aslan writes:

> On Thu, Jun 18, 2015 at 07:26:28PM -0700, Carl Byington wrote:
>
>> On Fri, 2015-06-19 at 11:10 +1000, Mark Andrews wrote:
>>> To use the keys in /etc/named.iscdlv.key set "dnssec-validation auto;"
>>
>> New centos rpms at http://www.five-ten-sg.com/mapper/bind with a default named.conf that should actually work.
>
> With the root zone and most TLDs signed, I do not think it makes sense to use DLV anymore. While a typical DNSSEC resolver configuration has DLV enabled, I personally make the effort to disable it.

Furthermore, the whole DLV register is going to disappear in 2017 as announced at https://www.isc.org/blogs/dlv/.

jaap
Re: file descriptor exceeds limit
On 19.06.2015 at 18:44, Mike Hoskins (michoski) wrote:

> I suppose the only way to avoid any intermediate firewalls would be to place everything you run on a LAN segment hanging directly off your router/Internet drop with host based firewalls

Well, if the router is from Cisco and has NAT enabled there are DNS ALGs breaking zone-transfers in several ways.

Been there, done that, until we forced the ISP to never ever ship a default Cisco device to us.
#service named restart fails with a weird message
Hey Gurus,

When I try to restart named, it fails with the following message:

    [root@new-dns2 ~]# service named restart
    Stopping named:                    [  OK  ]
    Starting named:
    Error in named configuration:
    /etc/named.conf:3: missing ';' before '}'
    /etc/named.conf:11: missing ';' before '}'
                                       [FAILED]
    [root@new-dns2 ~]#

And here is what my simple named.conf looks like:

    [root@new-dns2 ~]# cat /etc/named.conf
    options {
        directory /var/named;
        allow-recursion {207.151.36.0/24; 206.117.117.0/24};
    };
    zone 0.0.127.in-addr.arpa {
        type master;
        file db.127.0.0
    };
    [root@new-dns2 ~]#

What am I doing wrong? Can you please assist?

Many thanks in advance and have a nice day.

Regards,
Samad Agha
Re: #service named restart fails with a weird message
Semicolons! You need one for the second IP range in your list, and you need one after the zone file for your localhost zone. The error message really does tell you what you need in this case ;-)

The config you pasted only has nine lines, so I'm assuming that the last error really is on line 8/9 and something got lost in posting to the list.

John

On Fri, Jun 19, 2015 at 2:12 PM, Samad Agha <samad.agha2...@gmail.com> wrote:

> Hey Gurus,
>
> When I try to restart named, it fails with the following message:
>
>     [root@new-dns2 ~]# service named restart
>     Stopping named:                    [  OK  ]
>     Starting named:
>     Error in named configuration:
>     /etc/named.conf:3: missing ';' before '}'
>     /etc/named.conf:11: missing ';' before '}'
>                                        [FAILED]
>     [root@new-dns2 ~]#
>
> And here is what my simple named.conf looks like:
>
>     [root@new-dns2 ~]# cat /etc/named.conf
>     options {
>         directory /var/named;
>         allow-recursion {207.151.36.0/24; 206.117.117.0/24};
>     };
>     zone 0.0.127.in-addr.arpa {
>         type master;
>         file db.127.0.0
>     };
>     [root@new-dns2 ~]#
>
> What am I doing wrong? Can you please assist?
>
> Many thanks in advance and have a nice day.
Re: #service named restart fails with a weird message
On Fri, 19 Jun 2015, Samad Agha wrote:

> Error in named configuration:
> /etc/named.conf:3: missing ';' before '}'

Look on line 3.

> /etc/named.conf:11: missing ';' before '}'

Look on line 11.

> options {
>     directory /var/named;
>     allow-recursion {207.151.36.0/24; 206.117.117.0/24};

Add a semicolon before the } to end the list of networks.

> };
> zone 0.0.127.in-addr.arpa {
>     type master;
>     file db.127.0.0

Add missing semicolon at the end of that line.

> };
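Both answers above boil down to the same rule of BIND's grammar: every statement inside a `{ ... }` block, and every top-level block, must be terminated by `;`. The following is an added example, not code from the thread or from ISC, that applies that rule as a small lint so a config can be checked before `service named restart` takes the server down. It assumes BIND's three comment styles (`//`, `#`, `/* */`), and the sample config is the one from the question with the quoting BIND expects around paths and zone names restored (our assumption; the posted copy shows none).

```python
"""Added example (not from the thread): a small lint that reproduces the
"missing ';' before '}'" check that named's parser applies to named.conf.
Comment handling assumes BIND's three comment styles ('//', '#', '/* */')."""
import sys

SPECIAL = '{};"'


def tokenize(text):
    """Return a list of (line_number, token) pairs. Tokens are '{', '}', ';',
    quoted strings, and bare words; comments are skipped but still counted
    for line numbering so reported lines match the file."""
    tokens = []
    i, line, n = 0, 1, len(text)
    while i < n:
        c = text[i]
        if c == "\n":
            line += 1
            i += 1
        elif c.isspace():
            i += 1
        elif c == "#" or text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j          # leave the newline for the counter
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            end = n if j == -1 else j + 2
            line += text.count("\n", i, end)
            i = end
        elif c == '"':
            j = text.find('"', i + 1)
            end = n if j == -1 else j + 1
            tokens.append((line, text[i:end]))
            line += text.count("\n", i, end)
            i = end
        elif c in "{};":
            tokens.append((line, c))
            i += 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in SPECIAL:
                j += 1
            tokens.append((line, text[i:j]))
            i = j
    return tokens


def check_semicolons(text):
    """Return [(line, message), ...]. A '}' is only valid after ';' (end of the
    previous statement) or '{' (empty block); anything else is the error the
    thread's named output reports. Brace balance is checked as well."""
    errors = []
    prev, depth, last_line = None, 0, 0
    for line, tok in tokenize(text):
        last_line = line
        if tok == "{":
            depth += 1
        elif tok == "}":
            if prev not in (";", "{"):
                errors.append((line, "missing ';' before '}'"))
            depth -= 1
            if depth < 0:
                errors.append((line, "unexpected '}'"))
                depth = 0
        prev = tok
    if prev is not None and prev != ";":
        errors.append((last_line, "missing ';' before end of file"))
    if depth > 0:
        errors.append((last_line, "unbalanced '{'"))
    return errors


# Constructed sample: the config from the question, with quoting restored
# around paths and zone names (an assumption on our part).
BROKEN_CONF = """options {
    directory "/var/named";
    allow-recursion { 207.151.36.0/24; 206.117.117.0/24 };
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0"
};
"""

# The same config with the two semicolons the answers point out.
FIXED_CONF = BROKEN_CONF.replace("206.117.117.0/24 }", "206.117.117.0/24; }") \
                        .replace('"db.127.0.0"\n', '"db.127.0.0";\n')


def report(path, text):
    """Print errors in named's own 'file:line: message' style; True if clean."""
    errs = check_semicolons(text)
    for line, msg in errs:
        print(f"{path}:{line}: {msg}")
    return not errs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sys.exit(0 if report(sys.argv[1], fh.read()) else 1)
    report("broken.conf", BROKEN_CONF)   # lines 3 and 9 flagged
    report("fixed.conf", FIXED_CONF)     # nothing flagged
```

Run it as `python3 lint.py /etc/named.conf` to get the same `file:line: message` output named prints; with no argument it checks the embedded sample and flags lines 3 and 9, which is consistent with John's remark that the posted nine-line file cannot have an error on line 11. It is deliberately only the semicolon/brace check: `named-checkconf` remains the authoritative validator once the syntax is clean.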
Re: file descriptor exceeds limit
On Thu, Jun 18, 2015 at 11:11:16PM +, Mike Hoskins (michoski) wrote:

> On 6/18/15, 7:09 PM, Stuart Browne <stuart.bro...@bomboratech.com.au> wrote:
>
>> Just wondering. You mention you're using RHEL6; are you also getting messages in 'dmesg' about connection tracking tables being full? You may need some 'NOTRACK' rules in your iptables.
>
> Just following along, for the record... On our side, iptables is completely disabled. We do that sort of thing upstream on dedicated firewalls.

There is a Knowledge Base article about this:
https://kb.isc.org/article/AA-01183/

Note that connection tracking can be a problem upstream as well, for the same reasons as described in the article. I would still turn off conntrack for UDP DNS upstream, unless you're using DNAT (yuck.)

Just now getting time to reply to Cathy...more detail on that there.

-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
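The symptom Stuart asks about has a precise signature on Linux: the kernel logs `nf_conntrack: table full, dropping packet` (older kernels spell it `ip_conntrack`) whenever it cannot allocate a tracking entry, and the live table size is exposed through `nf_conntrack_count` and `nf_conntrack_max` in `/proc/sys/net/netfilter/`. The following is an added example, not code from the thread or from the ISC KB article, that checks both signals on a resolver or its Linux firewall. The sysctl paths and the message text are the kernel's own; the sample log lines are constructed.

```python
"""Added example (not from the thread): detect conntrack-table exhaustion from
kernel log lines and from the live table counters. Assumes Linux nf_conntrack."""
import re

# Text the kernel logs (rate-limited) when it cannot add a conntrack entry;
# the optional '[ seconds]' prefix is dmesg's timestamp, absent in syslog output.
TABLE_FULL_RE = re.compile(
    r"(?:\[\s*(?P<ts>[\d.]+)\]\s*)?(?:nf|ip)_conntrack: table full, dropping packet"
)

COUNT_PATH = "/proc/sys/net/netfilter/nf_conntrack_count"
MAX_PATH = "/proc/sys/net/netfilter/nf_conntrack_max"


def table_full_events(lines):
    """One entry per 'table full' line: its dmesg timestamp as a float,
    or None for syslog-style lines that carry no [seconds] prefix."""
    events = []
    for line in lines:
        m = TABLE_FULL_RE.search(line)
        if m:
            events.append(float(m.group("ts")) if m.group("ts") else None)
    return events


def read_int(path):
    """Read one integer sysctl value; None when unavailable (non-Linux,
    module not loaded, or no permission)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def assess(lines, count=None, maximum=None, warn_at=0.8):
    """Combine both signals into (verdict, details).
    verdict is 'dropping', 'near-limit', 'ok' or 'unknown'."""
    events = table_full_events(lines)
    stamps = [t for t in events if t is not None]
    details = {"drops": len(events)}
    if stamps:
        details["first_ts"], details["last_ts"] = stamps[0], stamps[-1]
    if count is not None and maximum:
        details["usage"] = count / maximum
    if events:
        # Messages are rate-limited, so the count understates real drops.
        return "dropping", details
    if "usage" in details:
        return ("near-limit" if details["usage"] >= warn_at else "ok"), details
    return "unknown", details


# Constructed sample dmesg output, not captured from a real host.
SAMPLE_DMESG = [
    "[ 8123.456789] nf_conntrack: table full, dropping packet",
    "[ 8123.456902] nf_conntrack: table full, dropping packet",
    "[ 8124.001000] named[1234]: unrelated line that must not match",
    "[ 8125.000000] ip_conntrack: table full, dropping packet",
]

if __name__ == "__main__":
    # On a live Linux box, feed the output of 'dmesg' and the real sysctl values.
    verdict, info = assess(SAMPLE_DMESG, read_int(COUNT_PATH), read_int(MAX_PATH))
    print(verdict, info)
```

A `dropping` verdict on a DNS server or the firewall in front of it is the condition rob0 and Stuart describe: state for short-lived UDP queries fills the table, and new packets are dropped rather than queued. The remedy they refer to is to stop tracking DNS at all, which on iptables means rules in the raw table such as `iptables -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK` (with the matching OUTPUT rule for replies), or simply raising `nf_conntrack_max` if DNAT forces tracking to stay on; `near-limit` gives early warning before the first drop is logged.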
Re: file descriptor exceeds limit
On 6/19/15, 1:16 PM, Reindl Harald <h.rei...@thelounge.net> wrote:

> On 19.06.2015 at 18:44, Mike Hoskins (michoski) wrote:
>> I suppose the only way to avoid any intermediate firewalls would be to place everything you run on a LAN segment hanging directly off your router/Internet drop with host based firewalls
>
> Well, if the router is from Cisco and has NAT enabled there are DNS ALGs breaking zone-transfers in several ways.
>
> Been there, done that, until we forced the ISP to never ever ship a default Cisco device to us.

Over the years I've learned that trusting defaults is rarely sane, regardless of vendor. Having been involved in many discussions related to this sort of thing...I've sadly also learned that, much like BCP38, things which seem simple to fix from the outside often aren't. :-)