Re: file descriptor exceeds limit

2015-06-19 Thread Mike Hoskins (michoski)
On 6/19/15, 4:07 PM, /dev/rob0 r...@gmx.co.uk wrote:


On Fri, Jun 19, 2015 at 02:55:23PM -0500, I wrote:
 On Thu, Jun 18, 2015 at 11:11:16PM +,
Mike Hoskins (michoski) wrote:
snip
 Note that connection tracking can be a problem upstream as well,
 for the same reasons as described in the article.  I would still
 turn off conntrack for UDP DNS upstream, unless you're using DNAT
 (yuck.)

Oh ... hahaha ... I missed the @cisco.com, so I don't suppose you're
using Linux on your upstream routers. :)

The same idea applies regardless of implementation, of course.


Quite alright...  In past lives yes, and perhaps even internally at times
(more often OpenBSD and pf)...though I won't admit that.  ;-D

Regardless, all input is welcome.  I'll check out the KB article.  I have
sat for hours with the network team making sure their gear isn't
touching my DNS packets in any perverted ways, but it's always good to
triple check.

Thanks!

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: file descriptor exceeds limit

2015-06-19 Thread /dev/rob0
On Fri, Jun 19, 2015 at 02:55:23PM -0500, I wrote:
 On Thu, Jun 18, 2015 at 11:11:16PM +,
Mike Hoskins (michoski) wrote:
snip
 Note that connection tracking can be a problem upstream as well, 
 for the same reasons as described in the article.  I would still 
 turn off conntrack for UDP DNS upstream, unless you're using DNAT 
 (yuck.)

Oh ... hahaha ... I missed the @cisco.com, so I don't suppose you're 
using Linux on your upstream routers. :)

The same idea applies regardless of implementation, of course.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:


Re: dnssec validation issue

2015-06-19 Thread Jaap Akkerhuis
 Eray Aslan writes:

  On Thu, Jun 18, 2015 at 07:26:28PM -0700, Carl Byington wrote:
   On Fri, 2015-06-19 at 11:10 +1000, Mark Andrews wrote:
To use the keys in /etc/named.iscdlv.key set dnssec-validation
auto;
   New centos rpms at http://www.five-ten-sg.com/mapper/bind with a default
   named.conf that should actually work.
  
  With the root zone and most TLDs signed, I do not think it makes sense
  to use DLV anymore.  While a typical DNSSEC resolver configuration has
  DLV enabled, I personally make the effort to disable it.

Furthermore, the whole DLV registry is going to disappear in 2017,
as announced at https://www.isc.org/blogs/dlv/.

jaap


Re: file descriptor exceeds limit

2015-06-19 Thread Reindl Harald



On 19.06.2015 at 18:44, Mike Hoskins (michoski) wrote:

I suppose the only way to avoid any intermediate firewalls would be to
place everything you run on a LAN segment hanging directly off your
router/Internet drop with host based firewalls


well, if the router is from Cisco and has NAT enabled there are DNS
ALGs breaking zone transfers in several ways; been there, done that,
until we forced the ISP to never ever ship a default Cisco device to us





#service named restart fails with a weird message

2015-06-19 Thread Samad Agha
Hey Gurus,
When I try to restart named, it fails with the following message:

[root@new-dns2 ~]# service named restart
Stopping named:[  OK  ]
Starting named:
Error in named configuration:
/etc/named.conf:3: missing ';' before '}'
/etc/named.conf:11: missing ';' before '}'
   [FAILED]
[root@new-dns2 ~]#

And here is what my simple named.conf looks like:

[root@new-dns2 ~]# cat /etc/named.conf
options {
 directory /var/named;
allow-recursion {207.151.36.0/24; 206.117.117.0/24};
 };

zone 0.0.127.in-addr.arpa {
type master;
file db.127.0.0
};
[root@new-dns2 ~]#

What am I doing wrong? Can you please assist?

Many thanks in advance and have a nice day.

Regards,
Samad Agha

Re: #service named restart fails with a weird message

2015-06-19 Thread John Miller
Semicolons!  You need one after the second IP range in your list, and you
need one after the zone file for your localhost zone.  The error message
really does tell you what you need in this case ;-)  The config you pasted
only has nine lines, so I'm assuming that the last error really is on line
8/9 and something got lost in posting to the list.

John

On Fri, Jun 19, 2015 at 2:12 PM, Samad Agha samad.agha2...@gmail.com
wrote:

 Hey Gurus,
 When I try to restart named, it fails with the following message:

 [root@new-dns2 ~]# service named restart
 Stopping named:[  OK  ]
 Starting named:
 Error in named configuration:
 /etc/named.conf:3: missing ';' before '}'
 /etc/named.conf:11: missing ';' before '}'
[FAILED]
 [root@new-dns2 ~]#

 And here is what my simple named.conf looks like:

 [root@new-dns2 ~]# cat /etc/named.conf
 options {
  directory /var/named;
 allow-recursion {207.151.36.0/24; 206.117.117.0/24};
  };

 zone 0.0.127.in-addr.arpa {
 type master;
 file db.127.0.0
 };
 [root@new-dns2 ~]#

 What am I doing wrong? Can you please assist?

 Many thanks in advance and have a nice day.


Re: #service named restart fails with a weird message

2015-06-19 Thread Jeremy C. Reed
On Fri, 19 Jun 2015, Samad Agha wrote:

 Error in named configuration:
 /etc/named.conf:3: missing ';' before '}'

Look on line 3

 /etc/named.conf:11: missing ';' before '}'

Look on line 11

 options {
  directory /var/named;
     allow-recursion {207.151.36.0/24; 206.117.117.0/24};

Add a semicolon before the } to end the list of networks.

  };
  
 zone 0.0.127.in-addr.arpa {
     type master;
     file db.127.0.0

Add missing semicolon at the end of that line.

 };
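Both answers point at the same two missing semicolons. Here is the complete corrected file, written out as an added example rather than anything the posters supplied; the values are quoted in the form the BIND documentation uses, and the indentation is only for readability.

```conf
options {
        directory "/var/named";
        // Every element of an address list ends in ';', including the last one,
        // and the closing '}' of the list is itself followed by ';'
        allow-recursion { 207.151.36.0/24; 206.117.117.0/24; };
};

zone "0.0.127.in-addr.arpa" {
        type master;
        // Each statement inside a block ends in ';'
        file "db.127.0.0";
};
```

Running `named-checkconf /etc/named.conf` (add `-z` to also load the zone files it references) reports exactly these file:line positions without stopping the running server, so it fits naturally before `service named restart`.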

Re: file descriptor exceeds limit

2015-06-19 Thread /dev/rob0
On Thu, Jun 18, 2015 at 11:11:16PM +,
   Mike Hoskins (michoski) wrote:
 On 6/18/15, 7:09 PM, Stuart Browne 
 stuart.bro...@bomboratech.com.au wrote:
 
 Just wondering.  You mention you're using RHEL6; are you also 
 getting messages in 'dmesg' about connection tracking tables being 
 full?  You may need some 'NOTRACK' rules in your iptables.
 
 Just following along, for the record...  On our side, iptables
 is completely disabled.  We do that sort of thing upstream on 
 dedicated firewalls.

There is a Knowledge Base article about this:
https://kb.isc.org/article/AA-01183/

Note that connection tracking can be a problem upstream as well, for 
the same reasons as described in the article.  I would still turn off 
conntrack for UDP DNS upstream, unless you're using DNAT (yuck.)

 Just now getting time to reply to Cathy...more detail on that
 there.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
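The NOTRACK rules Stuart mentions, and that the KB article describes, written out as an added example in iptables-restore syntax for the raw table. This is not taken from the list posts or from the ISC article. It assumes iptables with the NOTRACK target (as shipped with RHEL 6); newer releases spell the same thing `-j CT --notrack`. The rules match on port 53 only and carry no interface or address assumptions.

```conf
# Raw-table fragment for a BIND host (iptables-restore syntax).
# Packets matched here never get a conntrack entry, so UDP DNS traffic
# cannot fill nf_conntrack's table.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Queries arriving at this server, and the replies it sends
-A PREROUTING -p udp --dport 53 -j NOTRACK
-A OUTPUT -p udp --sport 53 -j NOTRACK
# Queries a recursive resolver sends out, and the replies coming back
-A OUTPUT -p udp --dport 53 -j NOTRACK
-A PREROUTING -p udp --sport 53 -j NOTRACK
COMMIT
```

Untracked packets never reach the ESTABLISHED state, so a filter-table policy that relies on `-m state --state ESTABLISHED,RELATED` must also accept udp/53 explicitly in both directions, or the replies to the resolver's own queries are dropped. The condition Stuart asks about shows up in dmesg as `nf_conntrack: table full, dropping packet`; current usage can be read from `/proc/sys/net/netfilter/nf_conntrack_count` against `nf_conntrack_max`.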


Re: file descriptor exceeds limit

2015-06-19 Thread Mike Hoskins (michoski)
On 6/19/15, 1:16 PM, Reindl Harald h.rei...@thelounge.net wrote:


On 19.06.2015 at 18:44, Mike Hoskins (michoski) wrote:
 I suppose the only way to avoid any intermediate firewalls would be to
 place everything you run on a LAN segment hanging directly off your
 router/Internet drop with host based firewalls

well, if the router is from Cisco and has NAT enabled there are DNS
ALGs breaking zone transfers in several ways; been there, done that,
until we forced the ISP to never ever ship a default Cisco device to us


Over the years I've learned that trusting defaults is rarely sane,
regardless of vendor.

Having been involved in many discussions related to this sort of
thing...I've sadly also learned that, much like BCP38, things which seem
simple to fix from the outside often aren't.  :-)
