RE: about "query time" (caching) +plus
You could turn on debugging, to be sure. Or, you could just dump your cache and see what's in it or not, expired or not. Anything lacking a valid, unexpired cache entry is going to require communication with the outside to resolve, which is going to introduce some measure of delay.

- Kevin

-----Original Message-----
From: Pol Hallen [mailto:bin...@fuckaround.org]
Sent: Monday, September 19, 2016 6:14 PM
To: Darcy Kevin (FCA); bind-users@lists.isc.org
Subject: Re: about "query time" (caching) +plus

How do I audit if a query is resolved from my local DNS or by external DNS?

cheers!

Pol

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
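
A client-side check that complements dumping the cache, added here as an example and not part of the original thread: a caching resolver counts a record's TTL down while it sits in the cache, so comparing the TTLs in two dig answers taken a known number of seconds apart shows whether the second answer came from the same cache entry. The function names and the sample dig output are constructed for illustration.

```python
import re

# owner, TTL, class IN, type, data: one line of dig's ANSWER SECTION
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
QTIME = re.compile(r"^;; Query time: (\d+) msec")


def parse_dig(text):
    """Return (lowest answer TTL, query time in msec) from dig's default output."""
    ttls, qtime, in_answer = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = QTIME.match(line)
        if m:
            qtime = int(m.group(1))
        elif line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif not line or line.startswith(";"):
            in_answer = False  # blank line or next section header ends the answers
        elif in_answer:
            rr = RR_LINE.match(line)
            if rr:
                ttls.append(int(rr.group(2)))
    if not ttls or qtime is None:
        raise ValueError("no answer records or query time found")
    return min(ttls), qtime


def classify(first, second, elapsed, slack=2):
    """Compare two dig outputs taken `elapsed` seconds apart.

    Returns ("cached", msec) when the second TTL is the first one counted
    down by the elapsed time, otherwise ("refreshed", msec): the entry
    expired or was replaced, so the resolver had to go upstream.
    """
    ttl1, _ = parse_dig(first)
    ttl2, qtime2 = parse_dig(second)
    expected = ttl1 - elapsed
    if expected > 0 and abs(ttl2 - expected) <= slack:
        return "cached", qtime2
    return "refreshed", qtime2


def sample_dig(ttl, msec):
    """Constructed dig output; addresses are documentation-range placeholders."""
    return (";; ANSWER SECTION:\n"
            f"yahoo.it.\t\t{ttl}\tIN\tA\t192.0.2.24\n"
            f"yahoo.it.\t\t{ttl}\tIN\tA\t192.0.2.25\n\n"
            f";; Query time: {msec} msec\n")


if __name__ == "__main__":
    first = sample_dig(300, 96)
    print(classify(first, sample_dig(290, 1), 10))    # second lookup
    print(classify(first, sample_dig(300, 19), 310))  # after the TTL ran out
```

A "refreshed" verdict only says the cache entry was replaced since the first answer; it does not say which query triggered the upstream fetch.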
Re: about "query time" (caching)
> not sure what you mean but likely
> https://kb.isc.org/article/AA-01315/0/prefetch-performance-in-BIND-9.10.html

exactly what I was looking for!

cheers!

Pol
Re: about "query time" (caching)
On 20.09.2016 at 00:12, Pol Hallen wrote:
>> In the third case, the A records had expired from the cache (since the TTL on those records is 300 seconds = 5 minutes), so your resolver needed to fetch a fresh set from the yahoo.it nameservers -- the NS records of which were most likely cached from the first lookup -- but it didn't need to follow the referral chain all of the way down from the root. 19 msec.
>
> thanks Kevin, now it's clear
>
> is there a way to keep update cache of queries users will do?

not sure what you mean but likely
https://kb.isc.org/article/AA-01315/0/prefetch-performance-in-BIND-9.10.html
Re: about "query time" (caching) +plus
How do I audit if a query is resolved from my local DNS or by external DNS?

cheers!

Pol
Re: about "query time" (caching)
> In the third case, the A records had expired from the cache (since the TTL on those records is 300 seconds = 5 minutes), so your resolver needed to fetch a fresh set from the yahoo.it nameservers -- the NS records of which were most likely cached from the first lookup -- but it didn't need to follow the referral chain all of the way down from the root. 19 msec.

thanks Kevin, now it's clear

is there a way to keep update cache of queries users will do?

Pol
RE: about "query time" (caching)
In the first case, your resolver probably had to resolve all levels of the hierarchy from the root all of the way down to the leaf node (root, .it, yahoo.it and then the leaf records). 96 msec.

In the second case, the answer was cached and so your resolver didn't have to talk to anything on the Internet at all. 1 msec.

In the third case, the A records had expired from the cache (since the TTL on those records is 300 seconds = 5 minutes), so your resolver needed to fetch a fresh set from the yahoo.it nameservers -- the NS records of which were most likely cached from the first lookup -- but it didn't need to follow the referral chain all of the way down from the root. 19 msec.

This all seems reasonable and expected, to me.

- Kevin

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Pol Hallen
Sent: Monday, September 19, 2016 5:43 PM
To: bind-users@lists.isc.org
Subject: about "query time" (caching)

Hi all,

I'm struggling about "query time" :-/

Using bind 9.9.5, I configured it as a caching proxy:

dig yahoo.it @192.168.1.212
[...]
96msec

second time:

dig yahoo.it @192.168.1.212
[...]
1msec

seems it works but:

if I wait (i.e. 5 minutes) and I re-run the same command, "query time" is increased: 19msec

why? If the record "yahoo.it" is inside the cache, why after 5 minutes is "query time" 19msec?

thanks all for help!

Pol
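
Kevin's three cases can be reproduced with a toy cache model. This is an added example, not part of the original thread and not BIND code; the class and function names are hypothetical, and the NS TTLs are assumed values (only the 300-second A-record TTL comes from the thread).

```python
# Toy model of a caching resolver (added illustration, not BIND code).
# Each step: (zone whose servers are asked, record set learned, TTL seconds).
# NS TTLs are assumed; only the 300 s A-record TTL comes from the thread.
DELEGATIONS = [
    (".",         ("it.", "NS"),       172800),
    ("it.",       ("yahoo.it.", "NS"), 86400),
    ("yahoo.it.", ("yahoo.it.", "A"),  300),
]


class ToyCache:
    def __init__(self):
        self.expires = {}  # (name, type) -> absolute expiry time in seconds

    def fresh(self, key, now):
        """True while the cached record set has not reached its expiry time."""
        return self.expires.get(key, 0) > now

    def resolve(self, now):
        """Resolve yahoo.it A at time `now`; return the zones contacted upstream."""
        answer_key = DELEGATIONS[-1][1]
        if self.fresh(answer_key, now):
            return []  # pure cache hit, nothing leaves the resolver
        # Start below the deepest delegation that is still cached.
        start = 0
        for i, (_, learned, _) in enumerate(DELEGATIONS[:-1]):
            if self.fresh(learned, now):
                start = i + 1
        contacted = []
        for asked, learned, ttl in DELEGATIONS[start:]:
            contacted.append(asked)
            self.expires[learned] = now + ttl
        return contacted


def three_cases():
    """First lookup, repeat a few seconds later, repeat after the A TTL expired."""
    cache = ToyCache()
    return [cache.resolve(0), cache.resolve(10), cache.resolve(310)]


if __name__ == "__main__":
    for label, hops in zip(("first", "second", "after 5 min"), three_cases()):
        print(f"{label:12} upstream queries to: {hops or 'none (cache hit)'}")
```

The number of zones contacted (three, none, one) lines up with the 96, 1 and 19 msec timings in the thread: only the yahoo.it servers are asked again once the A records expire.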
Re: lookout timesouts
In message
about "query time" (caching)
Hi all,

I'm struggling about "query time" :-/

Using bind 9.9.5, I configured it as a caching proxy:

dig yahoo.it @192.168.1.212
[...]
96msec

second time:

dig yahoo.it @192.168.1.212
[...]
1msec

seems it works but:

if I wait (i.e. 5 minutes) and I re-run the same command, "query time" is increased: 19msec

why? If the record "yahoo.it" is inside the cache, why after 5 minutes is "query time" 19msec?

thanks all for help!

Pol
Re: replicate a whole master
On Mon, Sep 19, 2016 at 04:40:17PM +0100, Tony Finch wrote:
> /dev/rob0 wrote:
> >
> > If you're thinking that you can do this replication to improve DNS
> > performance, you're right, it will do that. But it certainly will
> > not scale (if it's even possible to get axfr/ixfr), and it won't
> > handle modern CDN systems properly.
>
> BIND 9.10 and later will keep popular domains in the cache by prefetching
> them if they are looked up shortly before they will expire. So trying to
> keep local copies of popular zones is less helpful than it used to be.
>
> (Unfortunately the prefetch option isn't mentioned in the HISTORY file so
> I had to dig through the CHANGES to remind myself when it was introduced!)

There's an attempt to make it go one step further by refreshing whole zones in the cache:

https://github.com/muks/dnsrefresh

It needs another section to be completed before upload, possibly in time for IETF-97.

Mukund
RPZ on forwarder not working when forwarder is slave
I'm attempting to set up a response policy zone on a pair of forwarders running BIND, version 9.8.1 on the master for the zone, and version 9.9.5 on the slave. The forwarding requests are coming from a pair of Microsoft DNS servers, running Server 2012.

If the Microsoft DNS server is configured to forward to the master, the clients get the correct responses, e.g. "evil.example.com" resolves to 127.0.0.1, just as I have it set up in the zone file for the RPZ.

However, if the Microsoft DNS server is configured to use the slave server as a forwarder, the client gets an NXDOMAIN response.

Clients that query the BIND servers (master or slave) directly get the correct 127.0.0.1 response.

I've confirmed that changing the slave into a master for the RPZ fixes the problem.

It seems like the Microsoft DNS servers for some reason don't regard the BIND server configured as a slave as authoritative, but I'm not sure why that might be.

Any thoughts?

--
Brock Sides
philar...@gmail.com
Re: replicate a whole master
> On Sep 19, 2016, at 8:40 AM, Tony Finch wrote:
>
> /dev/rob0 wrote:
>>
>> If you're thinking that you can do this replication to improve DNS
>> performance, you're right, it will do that. But it certainly will
>> not scale (if it's even possible to get axfr/ixfr), and it won't
>> handle modern CDN systems properly.
>
> BIND 9.10 and later will keep popular domains in the cache by prefetching
> them if they are looked up shortly before they will expire. So trying to
> keep local copies of popular zones is less helpful than it used to be.
>
> (Unfortunately the prefetch option isn't mentioned in the HISTORY file so
> I had to dig through the CHANGES to remind myself when it was introduced!)
>

We do have a matrix that shows when significant new features were added. Of course not every change is on there, but pre-fetch is.
https://kb.isc.org/article/AA-01310/109/BIND9-Significant-Features-Matrix.html

> Tony.
> --
> f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
> Tyne, West Dogger: Northerly 4 or 5. Slight. Occasional rain. Moderate or
> good, occasionally poor.

Victoria Risk
Internet Systems Consortium
vi...@isc.org
Re: replicate a whole master
/dev/rob0 wrote:
>
> If you're thinking that you can do this replication to improve DNS
> performance, you're right, it will do that. But it certainly will
> not scale (if it's even possible to get axfr/ixfr), and it won't
> handle modern CDN systems properly.

BIND 9.10 and later will keep popular domains in the cache by prefetching them if they are looked up shortly before they will expire. So trying to keep local copies of popular zones is less helpful than it used to be.

(Unfortunately the prefetch option isn't mentioned in the HISTORY file so I had to dig through the CHANGES to remind myself when it was introduced!)

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Tyne, West Dogger: Northerly 4 or 5. Slight. Occasional rain. Moderate or good, occasionally poor.
Re: replicate a whole master
On Mon, Sep 19, 2016 at 03:51:17PM +0200, Pol Hallen wrote:
> dig yahoo.it @192.168.1.212
>
> query is 38ms, second query is 1msec
>
> Can I replicate a whole internet primary dns to have on my bind in
> local network all domains name updated?

"Internet primary dns", are you referring to the .it top-level domain, or the yahoo.it. zone?

In either case the answer is the same: if you can find a server which allows axfr/ixfr, yes, you can configure the zone as a slave zone.

One caveat: because you are not one of the published NS for that zone, you are not going to receive notifies when the zone data is changed. You can ask the zone owner to add you to the also-notify list, but in neither case are you likely to get that.

> Is 38ms an acceptable results?

I checked from my well-connected server in Alabama USA, and I got 372ms, almost ten times your result. Of course that query was probably trans-Atlantic, so that adds a bit of latency.

If you're thinking that you can do this replication to improve DNS performance, you're right, it will do that. But it certainly will not scale (if it's even possible to get axfr/ixfr), and it won't handle modern CDN systems properly.

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: replicate a whole master
Huh? are you sure you want to replicate whole server? Are you sure you know what that means?

mhmh... now I'm not sure :-'

what does this entail?

thanks

Pol
Re: replicate a whole master
On 19.09.16 15:51, Pol Hallen wrote:
> dig yahoo.it @192.168.1.212
>
> query is 38ms, second query is 1msec
>
> Can I replicate a whole internet primary dns to have on my bind in local network all domains name updated?

are you sure you want to replicate whole server? Are you sure you know what that means?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Fighting for peace is like fucking for virginity...
Re: lookout timesouts
Hi there,

On Mon, 19 Sep 2016, bind-users-requ...@lists.isc.org wrote:
> We have a customer who has their own cache server, but in the afternoons before they close up for the day, they commit off-site backups, this process takes them about 90 mins, anyone trying to use the internet in this time fails 99.9% of the time ...
>
> Is there a named.conf setting we can suggest they use on their cache server that perseveres and waits a little longer for answers to send to their client machines?

If I was going there, I wouldn't start from here. (Old Irish joke:).

The backup system needs more thought. It could be done automatically when everyone has gone home. Its bandwidth usage could be throttled. The traffic could be 'shaped'. Take a look at 'BackupPC' for example.

Way OT for this list though.

--
73,
Ged.
replicate a whole master
Hi all :-)

dig yahoo.it @192.168.1.212

query is 38ms, second query is 1msec

Can I replicate a whole internet primary dns to have on my bind in local network all domains name updated?

Is 38ms an acceptable results?

thanks for help

Pol

dig yahoo.it @192.168.1.212

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> yahoo.it @192.168.1.212
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38206
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 5, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yahoo.it.                      IN      A

;; ANSWER SECTION:
yahoo.it.               126     IN      A       77.238.184.24
yahoo.it.               126     IN      A       106.10.212.24
yahoo.it.               126     IN      A       212.82.102.24
yahoo.it.               126     IN      A       74.6.50.24
yahoo.it.               126     IN      A       98.137.236.24

;; AUTHORITY SECTION:
it.                     161844  IN      NS      nameserver.cnr.it.
it.                     161844  IN      NS      a.dns.it.
it.                     161844  IN      NS      m.dns.it.
it.                     161844  IN      NS      dns.nic.it.
it.                     161844  IN      NS      r.dns.it.

;; ADDITIONAL SECTION:
a.dns.it.               161844  IN      A       194.0.16.215
a.dns.it.               161844  IN      AAAA    2001:678:12:0:194:0:16:215
m.dns.it.               161844  IN      A       217.29.76.4
m.dns.it.               161844  IN      AAAA    2001:1ac0:0:200:0:a5d1:6004:2
r.dns.it.               161844  IN      A       193.206.141.46
r.dns.it.               161844  IN      AAAA    2001:760::::ca
dns.nic.it.             161844  IN      A       192.12.192.5
nameserver.cnr.it.      161844  IN      A       194.119.192.34

;; Query time: 38 msec
;; SERVER: 192.168.1.212#53(192.168.1.212)
;; WHEN: Mon Sep 19 15:49:17 CEST 2016
;; MSG SIZE  rcvd: 384

Pol
Re: BIND-RPZ and Views
Tom wrote:
>
> What is the supported/preferred way for implementing slave-rpz's in views?
> I want to achieve, that view1 has a different policy-configuration (passthru,
> given, nxdomain..) than the ones configured in view2 using the same
> slave-rpz-files. If not obligatory, I would not synchronize/transfer the
> slave-zone again...just for the view2.

I believe the only way to do this is to have duplicate copies of RPZ zones which are used in multiple views.

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Humber: Variable 3 or 4. Smooth or slight. Occasional rain. Moderate or good, occasionally poor.
lookout timesouts
Hi,

We have a customer who has their own cache server, but in the afternoons before they close up for the day, they commit off-site backups, this process takes them about 90 mins, anyone trying to use the internet in this time fails 99.9% of the time due to DNS lookup errors, but if they use an external DNS server, such as ours, it works - albeit slow but it does get a response.

The local DNS cache server operates fine and instant for their private LAN, and pinging around their LAN is sub 1ms so the problem exists when bind tries to go out to get answers for real hostnames. When their internet link is not fully utilized there are no problems.

The problem arose again today before the off-site backups when just one PC got its message from Microsoft to grab the anniversary update, at 11 o'clock in the morning, strangely it did not fill their link, but the pps must have been rampant because the DNS errors again failed when using their local cache resolver server.

Is there a named.conf setting we can suggest they use on their cache server that perseveres and waits a little longer for answers to send to their client machines?

They are using bind 9.10.4-p2 with default settings from source package along with options of -

directory "/opt/named";
allow-query { x; };
allow-query-cache { x; };
allow-transfer { xx; };

Thanks for any advice.

Nik
R: Postgresql 8.4 optimize heavy load
Thank you to everybody and excuse me, first of all.

I wrote requests for postgresql (even if connected with Bind-DLZ) in the wrong Group!

Thank you!

Francesco

From: Sten Carlsen [st...@s-carlsen.dk]
Sent: Sunday, 18 September 2016 0:03
To: Job
Cc: bind-users@lists.isc.org
Subject: Re: Postgresql 8.4 optimize heavy load

You may want to explore the explain command and think about which indexes are missing.

--
Best regards
Sten Carlsen
No improvements come from shouting: "MALE BOVINE MANURE!!!"

On 17 Sep 2016, at 23.23, Charles Elliott wrote:

All these titles are available on Amazon.com, and most are inexpensive if you buy them used:

Beginning PHP and PostgreSQL 8: From Novice to Professional (Beginning: From Novice to Professional)
PostgreSQL 8 for Windows (Database Professional's Library)
Beginning PostgreSQL 8 Sep 25, 2006
PostgreSQL 8 for Windows (Database (text only) by R.Blum 2007
Hexa Marathon Guide: PostgreSQL CE 8 Silver: MCQ on PGCES-02 Aug 18, 2015 (???)
Beginning PHP and PostgreSQL 8: From Novice to Professional (Beginning: From Novice to Professional) 1st Edition... Mar 2, 2006
PostgreSQL 8.4 Official Documentation - Volume I. The SQL Language by The PostgreSQL Global Development Group
PostgreSQL 8.4 Official Documentation - Volume II. Server Administration by The PostgreSQL Global Development
PostgreSQL (2nd Edition) by Korry Douglas (2005-08-05) (Not cheap)
PostgreSQL Replication by Zoltan (Also expensive)
[(PostgreSQL 8 for Windows )] [Author: Richard Blum] [Mar-2007]

If Amazon (books) are searched with 'PostgreSQL High Performance' (w/o ' marks), a page of interesting titles result, but all of them relate to PostgreSQL 9. You could look at one from Amazon.com or at a local (UNIVERSITY) library to see if any of it worked in PostgreSQL 8.4.

Charles Elliott

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Job
Sent: Saturday, September 17, 2016 10:02 AM
To: bind-users@lists.isc.org
Subject: Postgresql 8.4 optimize heavy load

Hello,

I would please like to have some suggestions to optimize Postgres 8.4 for a very heavy number of select (with join) queries. The queries read data, very rarely they write.

Thank you!

Francesco
Re: BIND-RPZ and Views
Hi

What is the supported/preferred way for implementing slave-rpz's in views? I want to achieve, that view1 has a different policy-configuration (passthru, given, nxdomain..) than the ones configured in view2 using the same slave-rpz-files. If not obligatory, I would not synchronize/transfer the slave-zone again...just for the view2.

Thank you.

Tom

On 09/16/2016 12:22 PM, Tony Finch wrote:
> Anand Buddhdev wrote:
>> In newer versions of BIND, you cannot share a writable file in different views. This is a bad configuration, and newer versions of BIND reject it. Just use different file names.
>
> To clarify, you couldn't in older versions of BIND either! It would cause weird data corruption problems.
>
> Tony.