Re: DNS Server sizing guide?

2018-03-28 Thread Grant Taylor via bind-users

On 03/28/2018 08:31 PM, Blason R wrote:
Right now I have around 27 zones added in DNS but that is with 
direct zones, NO RPZ. And my config is 4 vCPU 8 GB RAM; it's running well 
with around 700 users.


:-)

The only concern for me is I may need to re-write all my scripts 
to load those zones in RPZ format, hence wondering if RPZ can really help 
me in boosting performance of my server, and how much?


Because if you see with my current config I may be running 40% of the 
resources; with RPZ if I am achieving 30-35% then re-writing the complete 
stuff for that 5% does not entice me. If the difference is noticeable, 
let's say 20%, then probably I can start off with that.


Take a look at RPZ, as it offers more than just performance gains.  You 
can do lots of interesting things with RPZ, including filtering on the 
QNAME or the returned IP address, or a number of other things.


Hence wanted to know from the community if they have ever tried such a thing 
before, and if so would really appreciate if they can share their 
observations.


I don't know.



--
Grant. . . .
unix || die



smime.p7s
Description: S/MIME Cryptographic Signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNS Server sizing guide?

2018-03-28 Thread Blason R
Agree!!

Right now I have around 27 zones added in DNS but that is with direct
zones, NO RPZ. And my config is 4 vCPU 8 GB RAM; it's running well with around
700 users.

The only concern for me is I may need to re-write all my scripts to
load those zones in RPZ format, hence wondering if RPZ can really help me in
boosting performance of my server, and how much?

Because if you see with my current config I may be running 40% of the
resources; with RPZ if I am achieving 30-35% then re-writing the complete
stuff for that 5% does not entice me. If the difference is noticeable, let's
say 20%, then probably I can start off with that.

Hence wanted to know from the community if they have ever tried such a thing
before, and if so would really appreciate if they can share their
observations.

On Thu, Mar 29, 2018 at 2:16 AM, Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:

> On 03/28/2018 12:51 AM, Blason R wrote:
>
>> Interesting, I didn't know that. Let me dig in.. can I have a few examples
>> please?
>>
>
> RPZ zones are effectively standard zones.  The only difference is that the
> CNAME record is used to convey information to the RPZ engine (? is that an
> accurate description ?) that special action should be taken.
>
> I have messed with a project where I download newly registered domains
> daily and build an RPZ zone.  The intention is that I can make it appear as
> if domains registered within the last 1 / 7 / 14 / 28 days do not exist on
> my personal DNS server.  The records look like the following:
>
> example.com CNAME   .
> *.example.com   CNAME   .
> example.net CNAME   .
> *.example.net   CNAME   .
> example.org CNAME   .
> *.example.org   CNAME   .
>
> As you can see, this is really two records per domain.  One for the domain
> w/o any subordinates, and one for the domain subordinates.
>
> I've been collecting newly registered domains for ~4 months and here's the
> number for each month thus far.
>
> 2017-12:  2,110,518   (Started collecting December 3rd.)
> 2018-01:  2,932,808
> 2018-02:  3,040,718
> 2018-03:  3,010,168   (Still missing a few days.)
>
> I did test all of December's records in a single RPZ zone file, and they
> worked okay.  I only say okay because it took close to a minute for named
> to start up and my naive OS's start up script coughed up a fur ball after
> 30 seconds.  named was quite happy if I gave it an additional 30 seconds.
>
> Note:  This was running on a 1.6 GHz AMD Dual-Core E-350 APU w/ 8 GB of
> memory.  More power efficient than a server. ¯\_(ツ)_/¯
>
>
>
>
> --
> Grant. . . .
> unix || die
>
>
>


Re: DNS Server sizing guide?

2018-03-28 Thread Grant Taylor via bind-users

On 03/28/2018 12:51 AM, Blason R wrote:
Interesting, I didn't know that. Let me dig in.. can I have a few examples 
please?


RPZ zones are effectively standard zones.  The only difference is that 
the CNAME record is used to convey information to the RPZ engine (? is 
that an accurate description ?) that special action should be taken.


I have messed with a project where I download newly registered domains 
daily and build an RPZ zone.  The intention is that I can make it appear 
as if domains registered within the last 1 / 7 / 14 / 28 days do not 
exist on my personal DNS server.  The records look like the following:


example.com CNAME   .
*.example.com   CNAME   .
example.net CNAME   .
*.example.net   CNAME   .
example.org CNAME   .
*.example.org   CNAME   .

As you can see, this is really two records per domain.  One for the 
domain w/o any subordinates, and one for the domain subordinates.


I've been collecting newly registered domains for ~4 months and here's 
the number for each month thus far.


2017-12:  2,110,518   (Started collecting December 3rd.)
2018-01:  2,932,808
2018-02:  3,040,718
2018-03:  3,010,168   (Still missing a few days.)

I did test all of December's records in a single RPZ zone file, and they 
worked okay.  I only say okay because it took close to a minute for 
named to start up and my naive OS's start up script coughed up a fur 
ball after 30 seconds.  named was quite happy if I gave it an additional 
30 seconds.


Note:  This was running on a 1.6 GHz AMD Dual-Core E-350 APU w/ 8 GB of 
memory.  More power efficient than a server. ¯\_(ツ)_/¯




--
Grant. . . .
unix || die
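Added example (editor's, not Grant's code or any ISC tool): a small Python script that builds an RPZ zone of the shape shown above from a feed of (domain, registration date) pairs. It keeps only domains registered within a chosen window, normalises and de-duplicates the names, and emits the two policy records per domain (the name and the wildcard below it, both pointing at "." for NXDOMAIN). The sample feed, the zone name rpz.newdomains.local and the SOA/NS placeholder names are assumptions, not from the post.

```python
"""Build a BIND Response Policy Zone (RPZ) that makes recently registered
domains appear non-existent, in the style of the records in the post above.

Added example, not Grant's code.  Assumptions (not from the post): the input
is a list of (domain, registration_date) pairs, the RPZ zone is called
"rpz.newdomains.local", and the SOA/NS owner names are placeholders.
"""
from datetime import date, timedelta

# Constructed sample feed of "newly registered" domains (not real data).
SAMPLE_FEED = [
    ("example.com", date(2018, 3, 27)),
    ("EXAMPLE.COM.", date(2018, 3, 27)),          # duplicate: case + trailing dot
    ("example.net", date(2018, 3, 20)),
    ("example.org", date(2018, 2, 1)),            # too old for a 28-day window
    ("bad entry with spaces", date(2018, 3, 27)), # garbage line in the feed: skipped
]


def normalize(domain):
    """Lower-case, strip the trailing dot, reject anything that is not a hostname."""
    d = domain.strip().lower().rstrip(".")
    if not d or " " in d or ".." in d or any(ord(c) > 127 for c in d):
        return None
    return d


def select_recent(feed, today, max_age_days):
    """Sorted, de-duplicated domains registered within the last max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    keep = set()
    for raw, registered in feed:
        d = normalize(raw)
        if d is not None and registered >= cutoff:
            keep.add(d)
    return sorted(keep)


def rpz_records(domain):
    """Two policy records per domain: the name itself and everything below it.
    A CNAME target of '.' is the RPZ NXDOMAIN action."""
    return [f"{domain}\tCNAME\t.", f"*.{domain}\tCNAME\t."]


def build_rpz_zone(domains, zone="rpz.newdomains.local", serial=1):
    """Emit a complete zone file: $ORIGIN/$TTL, SOA, NS, then the policy records.
    Owner names are relative to $ORIGIN, so 'example.com' ends up as
    example.com.rpz.newdomains.local., which is how RPZ expects QNAME triggers."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 60",
        f"@\tSOA\tlocalhost. root.localhost. {serial} 3600 900 604800 60",
        "@\tNS\tlocalhost.",
    ]
    for d in domains:
        lines.extend(rpz_records(d))
    return "\n".join(lines) + "\n"


def demo(today=date(2018, 3, 28), window_days=28):
    """Run the selection over the constructed feed for a 28-day window."""
    return select_recent(SAMPLE_FEED, today, window_days)


if __name__ == "__main__":
    print(build_rpz_zone(demo()))
```

The resulting file is loaded as an ordinary master zone and then named as a policy zone with `response-policy { zone "rpz.newdomains.local"; };` in the options block. Keeping the registration date beside each domain is what lets one feed produce the 1 / 7 / 14 / 28-day variants Grant mentions: only the window argument changes.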






Re: DNS Server sizing guide?

2018-03-28 Thread Tony Finch
Blason R  wrote:

> Interesting, I didn't know that. Let me dig in.. can I have a few examples
> please?

Check out https://dnsrpz.info/

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Viking, North Utsire, South Utsire, Northeast Forties: Southeasterly 6 to gale
8, occasionally severe gale 9 except in North Utsire. Rough or very rough.
Occasional sleet. Good, occasionally poor.


Re: DNS Server sizing guide?

2018-03-27 Thread Blason R
Interesting, I didn't know that. Let me dig in.. can I have a few examples
please?

On Wed, Mar 28, 2018, 9:36 AM Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:

> On 03/27/2018 08:54 PM, Blason R wrote:
> > Is there any DNS sizing guide available? I have created a sinkhole
> > server which is catering around 25 - 30 zones loaded with 4 CPU
> > and 8 GB RAM. I am daily adding around 1-5k of zones.
>
> I don't have an answer to your question.  But I do wonder why you are
> loading individual zones instead of leveraging a Response Policy Zone
> with the QNAMEs that you want to filter.  It's my understanding that
> BIND will be more efficient that way.
>
>
>
> --
> Grant. . . .
> unix || die
>
>


Re: DNS Server sizing guide?

2018-03-27 Thread Grant Taylor via bind-users

On 03/27/2018 08:54 PM, Blason R wrote:
Is there any DNS sizing guide available? I have created a sinkhole 
server which is catering around 25 - 30 zones loaded with 4 CPU 
and 8 GB RAM. I am daily adding around 1-5k of zones.


I don't have an answer to your question.  But I do wonder why you are 
loading individual zones instead of leveraging a Response Policy Zone 
with the QNAMEs that you want to filter.  It's my understanding that 
BIND will be more efficient that way.




--
Grant. . . .
unix || die






Re: DNS Server sizing guide?

2018-03-27 Thread PANG J.
My server once ran about 200,000 zones on a VPS with 4GB RAM, 2 vCores, 
BIND powered.


Running tests against them is good.
https://www.nominum.com/measurement-tools/


On 2018/3/28 Wednesday 10:54 AM, Blason R wrote:

Hi,

Is there any DNS sizing guide available? I have created a sinkhole 
server which is catering around 25 - 30 zones loaded with 4 CPU 
and 8 GB RAM. I am daily adding around 1-5k of zones.


I need to know how do I calculate the resources consumed by the BIND server? 
I mean if this DNS server is catering to 500 users and to maybe 5000 
users, how much RAM/CPU should be allocated?


TIA




Re: DNS Server goofiness

2016-02-05 Thread John Wobus
I agree that it could be the NAT firewall: some firewalls have features to
network-address-translate the answer portion of DNS responses.
Or with bind “views" (or “RRL") you could deliberately make it give
differing answers, but you’d know.

The firewall documentation might help.
Or you can test whether it's the firewall by doing a norecursion dig from
outside the firewall from a known IP while doing a tcpdump on port 53
to/from the client IP on the server. Then you can prove bind is producing what
you expect. But if the FW is set to address-translate in both directions,
it's more of a challenge to focus such a packet capture. If the server also has
a FW configuration including NAT, that could be doing it as well.

John Wobus
Cornell University IT

Re: DNS Server goofiness

2016-02-04 Thread Reindl Harald



Am 04.02.2016 um 22:01 schrieb Mike Hoskins (michoski):

Do you really want to return RFC1918 to the Internet?  Not the end of
the world, but some consider it unnecessary information disclosure.  :-)


funny to read that from a @cisco.com sender when all the DNS mangling 
in the last decade I have seen was from Cisco routers up to 2HE 
devices which are for sure not home-user hardware :-)





Re: DNS Server goofiness

2016-02-04 Thread Mike Hoskins (michoski)
Do you really want to return RFC1918 to the Internet?  Not the end of the 
world, but some consider it unnecessary information disclosure.  :-)

I've seen this on various WAN/fw/router devices used at home over the years (Arris, 
Cisco, Linksys, etc.) and unlike the commands Reindl shared, which are geared 
more toward SOHO/enterprise (e.g. IOS), you might need to look around your 
"gateway" settings.  This can have various names, but is usually a check-box 
under lan/wan/firewall/advanced settings vs. basic setup.  Hopefully you can 
find something there which will be obvious (googling for the manual for your 
exact device should help).

hth

From: David Hornsby <dav...@carolinaky.com>
Date: Thursday, February 4, 2016 at 3:29 PM
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: DNS Server goofiness

I am having an issue with an authoritative DNS server that sits behind a NAT. I 
have replicated this problem on two different servers on different versions of 
BIND, which is why I am now perplexed. In the zone file the LAN address of the 
server has an A record. When the server is queried directly from the LAN, the 
server replies with its LAN address. Just as expected. However, when the record 
is queried through the fw the server replies with its public IP address. 
Which I can only guess it's getting by doing a reverse on the NS record that 
pointed it there in the first place??? This only happens on the record with an 
IP address which matches the server's LAN address.

$nslookup dc01 192.168.1.254
Server: 192.168.1.254
Address: 192.168.1.254#53

Name: dc01.home.carolinaky.com
Address: 192.168.1.254

$ nslookup dc01 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: dc01.home.carolinaky.com
Address: 69.133.101.121

I'm confused.

Thanks,
David

Re: DNS Server goofiness

2016-02-04 Thread Reindl Harald


Am 04.02.2016 um 21:29 schrieb David Hornsby:

I am having an issue with an authoritative dns server that sits behind a
nat. I have replicated this problem on two different servers on
different versions of bind which is why I am now perplexed. In the zone
file the LAN address of the server has an A record. When the server is
queried directly from the LAN, the server replies with its LAN address.
Just as expected. However when the record is queried from through the fw
the server replies with its public ip address. Which I can only guess
it's getting by doing a reverse on the NS record that pointed it there
in the first place??? This only happens on the record with an IP address
which matches the server's lan address.


I bet it's Cisco crap which is doing NAT

https://lists.isc.org/pipermail/bind-users/2014-June/093353.html

no ip nat service alg udp dns
no ip nat service alg tcp dns




Re: dns server is attacked

2010-02-03 Thread Makara
Hi Mark,

Thank you very much for your help. I can solve the problem now.

On Thu, Feb 4, 2010 at 7:52 AM, Mark Andrews  wrote:

>
> In message ,
> Makara writes:
> > Hi,
> >
> > I'm a DNS administrator; please excuse me if it's not the right place
> > to ask the question. My DNS server is attacked, below are the logs
>
> You are not being attacked.  The zone 26.178.115.in-addr.arpa is
> delegated to you but you are not configured to serve it.
>
> 26.178.115.in-addr.arpa. 86400  IN  NS  ns01.digi.com.kh.
> 26.178.115.in-addr.arpa. 86400  IN  NS  ns02.digi.com.kh.
>
> You are seeing other nameservers performing reverse lookups on the
> address in 26.178.115.in-addr.arpa.  This will usually be because
> you made a connection to a service which uses these servers for
> reverse DNS lookups for access control or just logging where the
> request came from.
>
> Either remove the delegation or serve the 26.178.115.in-addr.arpa zone.
>
> Mark
>
> > Feb  4 06:26:29 ns01 named[7791]: client 204.194.238.15#42502: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 196.14.64.145#54363: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 66.33.216.129#58386: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 62.141.32.3#10049: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 203.220.10.226#27558: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 117.102.98.253#4696: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 208.69.34.8#52506: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 64.27.31.126#23550: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 195.25.5.65#49345: query (cache) '110.25.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 208.65.201.98#20322: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 82.108.95.210#2104: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 65.39.178.17#53701: query (cache) '200.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: FORMERR resolving 'ns1.pendingrenewaldeletion.com//IN': 205.178.190.51#53
> > Feb  4 06:26:29 ns01 named[7791]: unexpected RCODE (REFUSED) resolving 'cheappaintballgunstore.com/A/IN': 74.53.26.66#53
> > Feb  4 06:26:29 ns01 named[7791]: client 85.115.52.190#24528: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 83.103.75.172#19067: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 66.119.189.138#63190: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 194.206.126.15#49858: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 72.232.214.226#10860: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: FORMERR resolving 'ns2.pendingrenewaldeletion.com//IN': 205.178.190.51#53
> > Feb  4 06:26:29 ns01 named[7791]: client 83.243.8.6#26089: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 97.64.179.210#19383: query (cache) '200.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 81.4.88.10#24179: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 66.33.216.208#8796: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 66.119.189.138#34887: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> > Feb  4 06:26:29 ns01 named[7791]: client 208.67.219.11#39638: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> >
> > I'm using BIND 9.3.3rc2, any idea or advice how to solve the problem? Its
> > response is so slow and sometimes it does not respond.
> > --
> > The person who loves others will also be loved.
>
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
>



-- 
The person who loves others will also be loved.

Re: dns server is attacked

2010-02-03 Thread Mark Andrews

In message , 
Makara writes:
> Hi,
> 
> I'm a DNS administrator; please excuse me if it's not the right place
> to ask the question. My DNS server is attacked, below are the logs

You are not being attacked.  The zone 26.178.115.in-addr.arpa is
delegated to you but you are not configured to serve it.

26.178.115.in-addr.arpa. 86400  IN  NS  ns01.digi.com.kh.
26.178.115.in-addr.arpa. 86400  IN  NS  ns02.digi.com.kh.

You are seeing other nameservers performing reverse lookups on the
address in 26.178.115.in-addr.arpa.  This will usually be because
you made a connection to a service which uses these servers for
reverse DNS lookups for access control or just logging where the
request came from.
 
Either remove the delegation or serve the 26.178.115.in-addr.arpa zone.

Mark

> Feb  4 06:26:29 ns01 named[7791]: client 204.194.238.15#42502: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 196.14.64.145#54363: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 66.33.216.129#58386: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 62.141.32.3#10049: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 203.220.10.226#27558: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 117.102.98.253#4696: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 208.69.34.8#52506: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 64.27.31.126#23550: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 195.25.5.65#49345: query (cache) '110.25.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 208.65.201.98#20322: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 82.108.95.210#2104: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 65.39.178.17#53701: query (cache) '200.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: FORMERR resolving 'ns1.pendingrenewaldeletion.com//IN': 205.178.190.51#53
> Feb  4 06:26:29 ns01 named[7791]: unexpected RCODE (REFUSED) resolving 'cheappaintballgunstore.com/A/IN': 74.53.26.66#53
> Feb  4 06:26:29 ns01 named[7791]: client 85.115.52.190#24528: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 83.103.75.172#19067: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 66.119.189.138#63190: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 194.206.126.15#49858: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 72.232.214.226#10860: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: FORMERR resolving 'ns2.pendingrenewaldeletion.com//IN': 205.178.190.51#53
> Feb  4 06:26:29 ns01 named[7791]: client 83.243.8.6#26089: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 97.64.179.210#19383: query (cache) '200.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 81.4.88.10#24179: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 66.33.216.208#8796: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 66.119.189.138#34887: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
> Feb  4 06:26:29 ns01 named[7791]: client 208.67.219.11#39638: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
>
> I'm using BIND 9.3.3rc2, any idea or advice how to solve the problem? Its
> response is so slow and sometimes it does not respond.
> --
> The person who loves others will also be loved.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
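Added example (editor's, not Mark's): Python that applies the reasoning above to named log lines. It extracts the denied cache queries, groups them by the delegated zone they fall under, counts distinct clients, and reports a lame delegation when the names sit under a zone that is delegated to this server but not served by it. The first five sample lines are taken from the log quoted above; the two www.example.com lines are constructed to show the contrasting pattern of a single client repeatedly asking for a name the server is not authoritative for.

```python
"""Triage named 'query (cache) ... denied' log lines: lame delegation vs. attack.

Added example, not Mark's code.  Rule of thumb from the thread: many
different resolvers all asking PTR names under a zone that is delegated to
you but not configured is ordinary reverse-lookup load hitting a lame
delegation, not an attack.
"""
import re
from collections import Counter, defaultdict

# Sample input: five lines from the post above, plus two constructed lines
# (198.51.100.7 hammering www.example.com) for the contrasting case.
SAMPLE_LOG = """\
Feb  4 06:26:29 ns01 named[7791]: client 204.194.238.15#42502: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
Feb  4 06:26:29 ns01 named[7791]: client 196.14.64.145#54363: query (cache) '118.26.178.115.in-addr.arpa/PTR/IN' denied
Feb  4 06:26:29 ns01 named[7791]: client 195.25.5.65#49345: query (cache) '110.25.178.115.in-addr.arpa/PTR/IN' denied
Feb  4 06:26:29 ns01 named[7791]: client 65.39.178.17#53701: query (cache) '200.26.178.115.in-addr.arpa/PTR/IN' denied
Feb  4 06:26:29 ns01 named[7791]: FORMERR resolving 'ns1.pendingrenewaldeletion.com//IN': 205.178.190.51#53
Feb  4 06:26:30 ns01 named[7791]: client 198.51.100.7#4000: query (cache) 'www.example.com/A/IN' denied
Feb  4 06:26:30 ns01 named[7791]: client 198.51.100.7#4001: query (cache) 'www.example.com/A/IN' denied
"""

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>\w+)/IN' denied"
)


def parse_denied(log_text):
    """Yield (client_ip, qname, qtype) for every denied cache query."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower().rstrip("."), m.group("qtype")


def enclosing_zone(qname, delegated_zones):
    """Return the delegated zone that qname falls under, or None."""
    for zone in delegated_zones:
        z = zone.lower().rstrip(".")
        if qname == z or qname.endswith("." + z):
            return z
    return None


def triage(log_text, delegated_zones):
    """Group denied queries by delegated zone (or, if unrelated, by QNAME).
    Returns {key: {'queries': n, 'clients': distinct_clients, 'verdict': str}}."""
    per_key_clients = defaultdict(Counter)
    for ip, qname, _ in parse_denied(log_text):
        key = enclosing_zone(qname, delegated_zones) or qname
        per_key_clients[key][ip] += 1

    report = {}
    for key, clients in per_key_clients.items():
        n, distinct = sum(clients.values()), len(clients)
        if key in {z.lower().rstrip(".") for z in delegated_zones}:
            verdict = ("lame delegation: zone is delegated here but not served; "
                       "add the zone or remove the NS records")
        elif distinct == 1 and n >= 2:
            verdict = ("single client repeating queries for a name you do not serve; "
                       "check allow-query or rate-limit it")
        else:
            verdict = "refused queries for a name you do not serve"
        report[key] = {"queries": n, "clients": distinct, "verdict": verdict}
    return report


if __name__ == "__main__":
    for key, info in triage(SAMPLE_LOG, ["26.178.115.in-addr.arpa"]).items():
        print(f"{key}: {info}")
```

The delegated-zone list is the thing to get from the parent (here the NS records for 26.178.115.in-addr.arpa that Mark quotes); feeding the script that list and a few minutes of the query log is enough to separate "we forgot to configure a zone" from genuine abuse.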


Re: DNS Server

2009-10-07 Thread Kevin Darcy

Agarwal Vivek-RNGB36 wrote:

Hi All

I'm using BIND 9.3. I have been asked to block the responses from some of the 
DNS servers on the internet. Is there any way I can do that?

  
It's not clear what you're trying to do. Block *responses*? So, you're 
going to send these nameservers queries, but you don't want to see the 
responses (?) Why send them queries in the first place then? It would 
just be wasted traffic. Arguably, you might even be guilty of a Denial 
of Service attack.


If you want to prevent sending queries to specific nameservers, then the 
only way I know of to accomplish that within BIND is with individual 
"server" statements, specifying "bogus":


server a.b.c.d {
   bogus yes;
};

Alternatively, you could do this outside of BIND, using a firewall or 
similar device, specifically dropping outgoing packets to those 
destinations with the QR (Query Response) bit clear, or incoming packets 
from those sources with QR set to 1. This would focus the drops on query 
transactions initiated by your nameserver to those other "prohibited" 
nameservers.


If you want to block the ability of those nameservers to query *you*, 
then some of the other suggestions in this thread apply, e.g. null 
route, blackhole, allow-query, etc. Note that "blackhole" (and I suppose 
null-routing as well) affects both incoming and outgoing transactions, 
but can lead to undesirable behavior if the other side simply keeps 
timing out and retrying its queries. allow-query gives an unambiguous 
REFUSED response and is more likely to shut the other side up. But 
allow-query doesn't apply to outgoing queries, so you need to clarify 
exactly what it is that you're trying to accomplish.


Another option I'd consider for incoming queries is to set up a special 
view for the "prohibited" nameservers. You could then put anything you 
wanted in that view, e.g. an empty root zone, a wildcard pointing to 
some static web page, etc. But, again, it all depends on what you're 
trying to do...



- Kevin
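Added example (editor's, not Kevin's or ISC's code): the two controls Kevin describes for the outgoing direction, modelled in Python. server_bogus_config() renders one `server { bogus yes; };` statement per address, which matters when, as the original poster says, the list is huge and hand-editing named.conf is not practical; should_drop() is the firewall rule expressed as a function of direction and the QR bit in the DNS header, so only transactions your own server initiates towards the prohibited servers are dropped and queries they send to you are still answered. The prohibited addresses and the packets are constructed from documentation ranges.

```python
"""Stop talking to 'prohibited' nameservers: BIND 'server ... bogus' config
generation plus a QR-bit based packet filter, both as Kevin describes.

Added example, not Kevin's or ISC's code.  PROHIBITED and the packets are
constructed; the firewall rule is a pure function, not any vendor's syntax.
"""
import ipaddress
import struct

PROHIBITED = {"192.0.2.53", "198.51.100.53"}   # constructed, RFC 5737 ranges


def server_bogus_config(addresses):
    """Render one BIND 'server <ip> { bogus yes; };' block per address.
    Every address is validated first so garbage never reaches named.conf,
    where a single bad token stops named from loading the whole file."""
    addrs = sorted(ipaddress.ip_address(a) for a in addresses)  # ValueError on junk
    return "".join(f"server {a} {{\n\tbogus yes;\n}};\n" for a in addrs)


def qr_bit(payload):
    """True if the DNS message is a response (QR=1), False for a query.
    Raises ValueError for anything shorter than the 12-byte header."""
    if len(payload) < 12:
        raise ValueError("not a DNS message: header too short")
    flags = struct.unpack("!H", payload[2:4])[0]
    return bool(flags & 0x8000)


def should_drop(src_ip, dst_ip, payload):
    """Kevin's rule: drop our *queries* to a prohibited server (outgoing, QR=0)
    and *responses* coming back from one (incoming, QR=1).  Queries the
    prohibited server sends to us, and our answers to it, pass untouched."""
    is_response = qr_bit(payload)
    if dst_ip in PROHIBITED and not is_response:
        return True
    if src_ip in PROHIBITED and is_response:
        return True
    return False


def dns_header(qr, txid=0x1234):
    """Minimal 12-byte DNS header for the examples: flags carry only QR,
    QDCOUNT=1, other counts zero."""
    flags = 0x8000 if qr else 0x0000
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


if __name__ == "__main__":
    print(server_bogus_config(PROHIBITED))
    us, them = "203.0.113.10", "192.0.2.53"
    print("our query out  ->", should_drop(us, them, dns_header(qr=False)))  # drop
    print("their reply in ->", should_drop(them, us, dns_header(qr=True)))   # drop
    print("their query in ->", should_drop(them, us, dns_header(qr=False)))  # keep
```

The asymmetry is the whole point of checking QR rather than just the address pair: a plain "block all port 53 to/from these hosts" rule also silences their legitimate queries to you and leaves them retrying against timeouts, which is the same undesirable behaviour Kevin notes for blackhole.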




RE: DNS Server

2009-10-07 Thread Agarwal Vivek-RNGB36
Thanks Yohann 

Regards
Vivek Aggarwal
+973-36583058 



-Original Message-
From: Yohann LEPAGE [mailto:yohann.lep...@laposte.fr] 
Sent: Wednesday, October 07, 2009 4:52 PM
To: Agarwal Vivek-RNGB36
Cc: bind-users@lists.isc.org
Subject: Re: DNS Server

Agarwal Vivek-RNGB36 a écrit :
> Thanks for the response. I am using a Linux box. The issue is the list
> for blocking the DNS servers is huge. Do you have much idea on the bind
> directive?
> 
> Can anyone help me with the bind directive? I've never used it.

There is an example here[0], "7.1 Access Control Lists" :


// Set up an ACL named "bogusnets" that will block RFC1918 space,
// which is commonly used in spoofing attacks.
acl bogusnets {
	0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
	10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
	...
	allow-query { our-nets; };
	allow-recursion { our-nets; };
	...
	blackhole { bogusnets; };
	...
};
zone "example.com" {
	type master;
	file "m/example.com";
	allow-query { any; };
};



[0] : https://www.isc.org/files/Bv9.3ARM.pdf


> Thanks
> 
> Regards
> Vivek Aggarwal
> +973-36583058
> 
> 
> 
> -Original Message-
> From: Todd Snyder [mailto:tsny...@rim.com]
> Sent: Wednesday, October 07, 2009 4:38 PM
> To: Agarwal Vivek-RNGB36; bind-users@lists.isc.org
> Subject: RE: DNS Server
> 
> There are a few approaches you could take, and it depends on what you are 
> trying to do.
> 
> If you are actually trying to block traffic to a specific server/servers, I'd 
> say use a firewall.  If you're running on a linux box, it's pretty easy:
> 
> http://www.cyberciti.biz/faq/howto-null-route-an-attackers-ip/
> 
> Failing that, I believe there is a bind directive (blackhole) that might do 
> what you want, but I've never looked into it.
> 
> Finally, if you are simply trying to block certain domains, you could load 
> them as master zones on your server and leave them blank.
> 
> Cheers,
> 
> Todd.
> 
> 
> 
> -Original Message-
> From: bind-users-boun...@lists.isc.org 
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Agarwal 
> Vivek-RNGB36
> Sent: Wednesday, October 07, 2009 8:46 AM
> To: bind-users@lists.isc.org
> Subject: DNS Server
> 
> Hi All
> 
> I'm using BIND 9.3. I have been asked to block the responses from 
> some of the DNS servers on the internet. Is there any way I can do 
> that?
> 
> Regards
> Vivek Aggarwal
> +973-36583058
> 
> 
> 

--
La Poste\DISIT\ETU\IQI\INGS


Re: DNS Server

2009-10-07 Thread Yohann LEPAGE

Agarwal Vivek-RNGB36 a écrit :

Thanks for the response. I am using a Linux box. The issue is the list for 
blocking the DNS servers is huge. Do you have much idea on the bind directive?

Can anyone help me with the bind directive? I've never used it.


There is an example here[0], "7.1 Access Control Lists" :


// Set up an ACL named "bogusnets" that will block RFC1918 space,
// which is commonly used in spoofing attacks.
acl bogusnets {
	0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
	10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
	...
	allow-query { our-nets; };
	allow-recursion { our-nets; };
	...
	blackhole { bogusnets; };
	...
};
zone "example.com" {
	type master;
	file "m/example.com";
	allow-query { any; };
};



[0] : https://www.isc.org/files/Bv9.3ARM.pdf



Thanks

Regards
Vivek Aggarwal
+973-36583058 




-Original Message-
From: Todd Snyder [mailto:tsny...@rim.com] 
Sent: Wednesday, October 07, 2009 4:38 PM

To: Agarwal Vivek-RNGB36; bind-users@lists.isc.org
Subject: RE: DNS Server 


There are a few approaches you could take, and it depends on what you are 
trying to do.

If you are actually trying to block traffic to a specific server/servers, I'd 
say use a firewall.  If you're running on a linux box, it's pretty easy:

http://www.cyberciti.biz/faq/howto-null-route-an-attackers-ip/

Failing that, I believe there is a bind directive (blackhole) that might do 
what you want, but I've never looked into it.

Finally, if you are simply trying to block certain domains, you could load them 
as master zones on your server and leave them blank.

Cheers,

Todd.



-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Agarwal Vivek-RNGB36
Sent: Wednesday, October 07, 2009 8:46 AM
To: bind-users@lists.isc.org
Subject: DNS Server 


Hi All

I'm using BIND 9.3. I have been asked to block the responses from some of the 
DNS servers on the internet. Is there any way I can do that?

Regards
Vivek Aggarwal
+973-36583058 




-
This transmission (including any attachments) may contain confidential 
information, privileged material (including material protected by the 
solicitor-client or other applicable privileges), or constitute non-public 
information. Any use of this information by anyone other than the intended 
recipient is prohibited. If you have received this transmission in error, 
please immediately reply to the sender and delete this information from your 
system. Use, dissemination, distribution, or reproduction of this transmission 
by unintended recipients is not authorized and may be unlawful.



--
La Poste\DISIT\ETU\IQI\INGS
La Poste post-scriptum

This message is confidential. Unless otherwise agreed in writing between
you and La Poste, its content does not in any way constitute a commitment
on the part of La Poste. Any publication, use or distribution, even
partial, must be authorised in advance. If you are not the intended
recipient of this message, please notify the sender immediately.



RE: DNS Server

2009-10-07 Thread Agarwal Vivek-RNGB36
Thanks for the response. I am using a Linux box. The issue is that the list for 
blocking the DNS servers is huge. Do you have much idea about the bind directive?

Can anyone help me with the bind directive? I've never used it.

Thanks

Regards
Vivek Aggarwal
+973-36583058 



-Original Message-
From: Todd Snyder [mailto:tsny...@rim.com] 
Sent: Wednesday, October 07, 2009 4:38 PM
To: Agarwal Vivek-RNGB36; bind-users@lists.isc.org
Subject: RE: DNS Server 

There are a few approaches you could take, and it depends on what you are 
trying to do.

If you are actually trying to block traffic to a specific server/servers, I'd 
say use a firewall.  If you're running on a linux box, it's pretty easy:

http://www.cyberciti.biz/faq/howto-null-route-an-attackers-ip/

Failing that, I believe there is a bind directive (blackhole) that might do 
what you want, but I've never looked into it.

Finally, if you are simply trying to block certain domains, you could load them 
as master zones on your server and leave them blank.

Cheers,

Todd.



-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Agarwal Vivek-RNGB36
Sent: Wednesday, October 07, 2009 8:46 AM
To: bind-users@lists.isc.org
Subject: DNS Server 

Hi All

I'm using BIND 9.3. I have been asked to block the responses from some of the 
DNS servers on the internet. Is there any way I can do that?

Regards
Vivek Aggarwal
+973-36583058 





RE: DNS Server

2009-10-07 Thread Todd Snyder
There are a few approaches you could take, and it depends on what you are 
trying to do.

If you are actually trying to block traffic to a specific server/servers, I'd 
say use a firewall.  If you're running on a linux box, it's pretty easy:

http://www.cyberciti.biz/faq/howto-null-route-an-attackers-ip/

Failing that, I believe there is a bind directive (blackhole) that might do 
what you want, but I've never looked into it.

Finally, if you are simply trying to block certain domains, you could load them 
as master zones on your server and leave them blank.

Cheers,

Todd.



-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Agarwal Vivek-RNGB36
Sent: Wednesday, October 07, 2009 8:46 AM
To: bind-users@lists.isc.org
Subject: DNS Server 

Hi All

I'm using BIND 9.3. I have been asked to block the responses from some of the 
DNS servers on the internet. Is there any way I can do that?

Regards
Vivek Aggarwal
+973-36583058 





Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-22 Thread Barry Margolin
In article ,
 Matus UHLAR - fantomas  wrote:

> On 21.09.09 19:26, Shi Jin wrote:
> > I've confirmed that the problem is firewall related. I've replaced my
> > current Untangle firewall with the simplest Linux NAT iptables firewall and
> > everything works perfectly, without any complaints.
> 
> I'd say it was bad configuration, not necessarily a bad firewall. The
> tcpdump would help us, unless you are satisfied with using linux iptables...

Anyone want to bet that he has {query-source * port 53;} in his 
named.conf, and this is what the firewall was blocking?

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-22 Thread Matus UHLAR - fantomas
On 21.09.09 19:26, Shi Jin wrote:
> I've confirmed that the problem is firewall related. I've replaced my
> current Untangle firewall with the simplest Linux NAT iptables firewall and
> everything works perfectly, without any complaints.

I'd say it was bad configuration, not necessarily a bad firewall. The
tcpdump would help us, unless you are satisfied with using linux iptables...
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Shi Jin
Thank you all.
I've confirmed that the problem is firewall related. I've replaced my current 
Untangle firewall with the simplest Linux NAT iptables firewall and everything 
works perfectly, without any complaints.

Thank you very much for your kind help/suggestions.

Shi


  


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Kevin Darcy
1) Confirm whether you need to forward at all. If you don't need to, 
then remove the forwarders entries and that should take care of the 
errors in your log.
2) If you *must* use forwarders, look at the part of the config that you 
didn't show us, and determine whether there is something there (e.g. 
query-source address and/or port, "server" stanza with an inappropriate 
TSIG key or EDNS buffer size, etc.) that is causing your packets 
destined for 216.171.238.66 to be dropped or rejected, by the target 
server or some intermediate device in between.


- Kevin

Shi Jin wrote:

Try
dig @216.171.238.66 hp.com
to see if the .66 host answers to your queries. Maybe you
got a wrong IP 
there? Try the same for .67, the other DNS.





Thank you very much.  I tried what you suggested and it seems that these two 
servers work perfectly. In fact, I can simply set my DNS to these two servers 
and have the internet names resolved without any problem. The only reason I run 
my own DNS server is to resolve the intranet names.


~$ dig @216.171.238.66 hp.com

; <<>> DiG 9.5.1-P2 <<>> @216.171.238.66 hp.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47923
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 6, ADDITIONAL: 6

;; QUESTION SECTION:
;hp.com.IN  A

;; ANSWER SECTION:
hp.com. 574 IN  A   15.216.110.140
hp.com. 574 IN  A   15.192.45.21
hp.com. 574 IN  A   15.192.45.22
hp.com. 574 IN  A   15.192.45.138
hp.com. 574 IN  A   15.192.45.139
hp.com. 574 IN  A   15.216.110.21
hp.com. 574 IN  A   15.200.2.21
hp.com. 574 IN  A   15.200.30.21
hp.com. 574 IN  A   15.200.30.22
hp.com. 574 IN  A   15.200.30.23
hp.com. 574 IN  A   15.200.30.24
hp.com. 574 IN  A   15.216.110.22
hp.com. 574 IN  A   15.216.110.139

;; AUTHORITY SECTION:
hp.com. 86374   IN  NS  ns6.hp.com.
hp.com. 86374   IN  NS  ns3.hp.com.
hp.com. 86374   IN  NS  ns4.hp.com.
hp.com. 86374   IN  NS  ns1.hp.com.
hp.com. 86374   IN  NS  ns5.hp.com.
hp.com. 86374   IN  NS  ns2.hp.com.

;; ADDITIONAL SECTION:
ns6.hp.com. 43600   IN  A   15.195.208.12
ns1.hp.com. 43600   IN  A   15.219.145.12
ns2.hp.com. 43600   IN  A   15.219.160.12
ns3.hp.com. 43600   IN  A   15.203.209.12
ns4.hp.com. 43600   IN  A   15.203.224.14
ns5.hp.com. 43600   IN  A   15.195.192.37

;; Query time: 2 msec
;; SERVER: 216.171.238.66#53(216.171.238.66)
;; WHEN: Mon Sep 21 14:59:25 2009
;; MSG SIZE  rcvd: 436


Can you see any problem there?
Thanks a lot.

Shi
--


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Mark Andrews

In message <865284.37771...@web36203.mail.mud.yahoo.com>, Shi Jin writes:
> 
> > "host unreachable" is one of the clearer error messages, so
> > you need
> > to do some digging. From the box that you've set up bind9
> > on you'll
> > need to use dig to query the ISP's name servers. If that
> > works, then
> > you'll have to use tcpdump on that box to find out what
> > named is doing.
> > 
> > Doug
> > 
> Thank you very much.
> Your suggestion to use "tcpdump" actually is very helpful. It clearly shows:
>  ICMP host 216.171.238.67 unreachable - admin prohibited, length 87

Yet you claim that dig to 216.171.238.67 works.  I think you need to provide
a full trace not the summary that a plain tcpdump gives.

Add  -Xvvv to the set of flags you used with tcpdump.

> So I think this most likely has to do with the firewall setup. Probably I 
> should enable ICMP redirect? Could anyone confirm? And
>  is this safe?
> 
> Thank you very much.
> Shi
> 
> 
>   
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Shi Jin

> "host unreachable" is one of the clearer error messages, so
> you need
> to do some digging. From the box that you've set up bind9
> on you'll
> need to use dig to query the ISP's name servers. If that
> works, then
> you'll have to use tcpdump on that box to find out what
> named is doing.
> 
> Doug
> 
Thank you very much.
Your suggestion to use "tcpdump" actually is very helpful. It clearly shows:
 ICMP host 216.171.238.67 unreachable - admin prohibited, length 87
So I think this most likely has to do with the firewall setup. Probably I 
should enable ICMP redirect? Could anyone confirm? And is this safe?

Thank you very much.
Shi


  


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Doug Barton
Shi Jin wrote:
> Hi there,
> 
> I've setup a DNS server running bind9 in my LAN and set it up to ISP provided 
> DNS servers as the forwarders. Currently this DNS server works in the sense 
> both internal and external names are resolved without any problem. However, 
> for each DNS query, the syslog shows entries of 
> 
> dhcp-dns named[18638]: host unreachable resolving 'google.com/A/IN': 
> 216.171.238.66#53
> Where the IP 216.171.238.66 is the ISP provided DNS server. 

"host unreachable" is one of the clearer error messages, so you need
to do some digging. From the box that you've set up bind9 on you'll
need to use dig to query the ISP's name servers. If that works, then
you'll have to use tcpdump on that box to find out what named is doing.

You might also consider posting your entire named.conf file, and let
us know of any command line arguments you're using to start it with.
Also name and version number of your OS and exact version of named
wouldn't hurt.


Good luck,

Doug


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Shi Jin
> Try
> dig @216.171.238.66 hp.com
> to see if the .66 host answers to your queries. Maybe you
> got a wrong IP 
> there? Try the same for .67, the other DNS.
> 

Thank you very much.  I tried what you suggested and it seems that these two 
servers work perfectly. In fact, I can simply set my DNS to these two servers 
and have the internet names resolved without any problem. The only reason I run 
my own DNS server is to resolve the intranet names.


~$ dig @216.171.238.66 hp.com

; <<>> DiG 9.5.1-P2 <<>> @216.171.238.66 hp.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47923
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 6, ADDITIONAL: 6

;; QUESTION SECTION:
;hp.com.IN  A

;; ANSWER SECTION:
hp.com. 574 IN  A   15.216.110.140
hp.com. 574 IN  A   15.192.45.21
hp.com. 574 IN  A   15.192.45.22
hp.com. 574 IN  A   15.192.45.138
hp.com. 574 IN  A   15.192.45.139
hp.com. 574 IN  A   15.216.110.21
hp.com. 574 IN  A   15.200.2.21
hp.com. 574 IN  A   15.200.30.21
hp.com. 574 IN  A   15.200.30.22
hp.com. 574 IN  A   15.200.30.23
hp.com. 574 IN  A   15.200.30.24
hp.com. 574 IN  A   15.216.110.22
hp.com. 574 IN  A   15.216.110.139

;; AUTHORITY SECTION:
hp.com. 86374   IN  NS  ns6.hp.com.
hp.com. 86374   IN  NS  ns3.hp.com.
hp.com. 86374   IN  NS  ns4.hp.com.
hp.com. 86374   IN  NS  ns1.hp.com.
hp.com. 86374   IN  NS  ns5.hp.com.
hp.com. 86374   IN  NS  ns2.hp.com.

;; ADDITIONAL SECTION:
ns6.hp.com. 43600   IN  A   15.195.208.12
ns1.hp.com. 43600   IN  A   15.219.145.12
ns2.hp.com. 43600   IN  A   15.219.160.12
ns3.hp.com. 43600   IN  A   15.203.209.12
ns4.hp.com. 43600   IN  A   15.203.224.14
ns5.hp.com. 43600   IN  A   15.195.192.37

;; Query time: 2 msec
;; SERVER: 216.171.238.66#53(216.171.238.66)
;; WHEN: Mon Sep 21 14:59:25 2009
;; MSG SIZE  rcvd: 436


Can you see any problem there?
Thanks a lot.

Shi
--





  


Re: DNS server works but keep getting "host unreachable resolving" error

2009-09-21 Thread Michael Monnerie
On Montag 21 September 2009 Shi Jin wrote:
> However, it looks to me like the ISP provided DNS server
> (216.171.238.66) was not able to resolve any of the names and all the
> resolving is done at the top level servers. Is my understanding
> correct?

Try
dig @216.171.238.66 hp.com
to see if the .66 host answers to your queries. Maybe you got a wrong IP 
there? Try the same for .67, the other DNS.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4



Re: DNS server can resolve some domains - BIND 9.4.2-P1

2009-03-03 Thread Sergio Moscoso
Thank you for your response; I'll install the version that you recommend. Any
considerations to follow up? Also, I had assumed that the problem I had was the
"general: error: socket: too many open" error, but finally I found that the
domains my server cannot resolve were in a bogon ACL; their IPs were in that
list, so my DNS cache could not resolve them. I'd like to comment on this.
Anyway, I still have the errors, so I'll update to the latest version and tell
you how it went. Thank you again.

sergei

PS. About the FD limits, they are set as follows:
set rlim_fd_max=65535
set rlim_fd_cur=32575

On Thu, Feb 26, 2009 at 1:49 PM, JINMEI Tatuya / 神明達哉  wrote:

> At Wed, 25 Feb 2009 12:27:29 -0800 (PST),
>  sergiot...@gmail.com wrote:
> >
> > I have a server installed with Solaris 9 and BIND 9.4.2-P1; 1 week
> > ago I began to receive some messages in the message logs:
> >
> > 25-Feb-2009 15:30:35.826 general: error: socket: too many open file descriptors
> > 25-Feb-2009 15:30:35.827 general: error: socket: too many open file descriptors
> > 25-Feb-2009 15:30:36.210 general: error: socket: too many open file descriptors
> > 25-Feb-2009 15:30:36.228 general: error: socket: too many open file descriptors
> >
> > I guess that's why my server is working abnormally right now and
> > cannot resolve some domains. I've read a lot of posts saying there is a
> > patch for this issue, and also that some people try to fix the problem by
> > increasing the FTD_Size value, but I don't know exactly what I can apply.
> > Could you help me please, because our DNS server is the master and it
> > cannot stay with this kind of problem for a long time.
>
> 9.4.2-P1 has known scalability issues.  Please upgrade to 9.4.3-P1.
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.
>

Re: DNS server can resolve some domains - BIND 9.4.2-P1

2009-02-26 Thread Fr34k
For Solaris 9 kernel tunables, this may help:
http://docs.sun.com/app/docs/doc/816-7137/6md5pauj7?l=en&a=view

But note that in my experience BIND 9.4.x will not use these OS limits, but 
rather however many FDs BIND was compiled with.

For our purposes, 9.5.1b2 worked great on Solaris 9.
We are now running 9.6.0-P1 (for us, 9.5 to 9.6 was easy).
There are some changes between 9.4.x and 9.5.x, which you should review on 
isc.org should you decide to upgrade.

Search this list archive for socket or file descriptor issue threads as all of 
this has been discussed before.



- Original Message 
From: Prabhat Rana 
To: Linux Addict 
Cc: sergiot...@gmail.com; comp-protocols-dns-b...@isc.org
Sent: Thursday, February 26, 2009 1:24:33 PM
Subject: Re: DNS server can resolve some domains - BIND 9.4.2-P1

Sorry. Yes I meant /etc/system file.


--- On Thu, 2/26/09, Linux Addict  wrote:

> From: Linux Addict 
> Subject: Re: DNS server can resolve some domains - BIND 9.4.2-P1
> To: prana9...@yahoo.com
> Cc: comp-protocols-dns-b...@isc.org, sergiot...@gmail.com
> Date: Thursday, February 26, 2009, 12:18 PM
> On Thu, Feb 26, 2009 at 1:11 PM, Prabhat Rana
>  wrote:
> 
> >
> > Also you may want to increase the file descriptor limits in the
> > /etc/service file
> > *  Set File descriptor (FD) limits
> > set rlim_fd_max=
> >
> 
> It's /etc/system
> 
> 
> >
> >
> > --- On Thu, 2/26/09, JINMEI Tatuya / 神明達哉  wrote:
> >
> > > From: JINMEI Tatuya / 神明達哉 
> > > Subject: Re: DNS server can resolve some domains - BIND 9.4.2-P1
> > > To: comp-protocols-dns-b...@isc.org
> > > Cc: sergiot...@gmail.com
> > > Date: Thursday, February 26, 2009, 11:49 AM
> > > At Wed, 25 Feb 2009 12:27:29 -0800 (PST),
> > > sergiot...@gmail.com wrote:
> > > >
> > > > I have a server installed with Solaris 9 and BIND 9.4.2-P1; 1 week
> > > > ago I began to receive some messages in the message logs:
> > > >
> > > > 25-Feb-2009 15:30:35.826 general: error: socket: too many open file descriptors
> > > > 25-Feb-2009 15:30:35.827 general: error: socket: too many open file descriptors
> > > > 25-Feb-2009 15:30:36.210 general: error: socket: too many open file descriptors
> > > > 25-Feb-2009 15:30:36.228 general: error: socket: too many open file descriptors
> > > >
> > > > I guess that's why my server is working abnormally right now and
> > > > cannot resolve some domains. I've read a lot of posts saying there is a
> > > > patch for this issue, and also that some people try to fix the problem
> > > > by increasing the FTD_Size value, but I don't know exactly what I can
> > > > apply. Could you help me please, because our DNS server is the master
> > > > and it cannot stay with this kind of problem for a long time.
> > >
> > > 9.4.2-P1 has known scalability issues.  Please upgrade to 9.4.3-P1.
> > >
> > > ---
> > > JINMEI, Tatuya
> > > Internet Systems Consortium, Inc.
> >
> >
> >
> >


Re: DNS server can resolve some domains - BIND 9.4.2-P1

2009-02-26 Thread Prabhat Rana
Sorry. Yes I meant /etc/system file.


--- On Thu, 2/26/09, Linux Addict  wrote:

> From: Linux Addict 
> Subject: Re: DNS server can resolve some domains - BIND 9.4.2-P1
> To: prana9...@yahoo.com
> Cc: comp-protocols-dns-b...@isc.org, sergiot...@gmail.com
> Date: Thursday, February 26, 2009, 12:18 PM
> On Thu, Feb 26, 2009 at 1:11 PM, Prabhat Rana
>  wrote:
> 
> >
> > Also you may want to increase the file descriptor limits in the
> > /etc/service file
> > *  Set File descriptor (FD) limits
> > set rlim_fd_max=
> >
> 
> It's /etc/system
> 
> 
> >
> >
> > --- On Thu, 2/26/09, JINMEI Tatuya / 神明達哉  wrote:
> >
> > > From: JINMEI Tatuya / 神明達哉 
> > > Subject: Re: DNS server can resolve some domains - BIND 9.4.2-P1
> > > To: comp-protocols-dns-b...@isc.org
> > > Cc: sergiot...@gmail.com
> > > Date: Thursday, February 26, 2009, 11:49 AM
> > > At Wed, 25 Feb 2009 12:27:29 -0800 (PST),
> > > sergiot...@gmail.com wrote:
> > > >
> > > > I have a server installed with Solaris 9 and BIND 9.4.2-P1; 1 week
> > > > ago I began to receive some messages in the message logs:
> > > >
> > > > 25-Feb-2009 15:30:35.826 general: error: socket: too many open file descriptors
> > > > 25-Feb-2009 15:30:35.827 general: error: socket: too many open file descriptors
> > > > 25-Feb-2009 15:30:36.210 general: error: socket: too many open file descriptors
> > > > 25-Feb-2009 15:30:36.228 general: error: socket: too many open file descriptors
> > > >
> > > > I guess that's why my server is working abnormally right now and
> > > > cannot resolve some domains. I've read a lot of posts saying there is a
> > > > patch for this issue, and also that some people try to fix the problem
> > > > by increasing the FTD_Size value, but I don't know exactly what I can
> > > > apply. Could you help me please, because our DNS server is the master
> > > > and it cannot stay with this kind of problem for a long time.
> > >
> > > 9.4.2-P1 has known scalability issues.  Please upgrade to 9.4.3-P1.
> > >
> > > ---
> > > JINMEI, Tatuya
> > > Internet Systems Consortium, Inc.
> >
> >
> >
> >


Re: DNS server can resolve some domains - BIND 9.4.2-P1

2009-02-26 Thread Linux Addict
On Thu, Feb 26, 2009 at 1:11 PM, Prabhat Rana  wrote:

>
> Also you may want to increase the file descriptor limits in the /etc/service
> file
> *  Set File descriptor (FD) limits
> set rlim_fd_max=
>

It's /etc/system


>
>
> --- On Thu, 2/26/09, JINMEI Tatuya / 神明達哉  wrote:
>
> > From: JINMEI Tatuya / 神明達哉 
> > Subject: Re: DNS server can resolve some domains - BIND 9.4.2-P1
> > To: comp-protocols-dns-b...@isc.org
> > Cc: sergiot...@gmail.com
> > Date: Thursday, February 26, 2009, 11:49 AM
> > At Wed, 25 Feb 2009 12:27:29 -0800 (PST),
> > sergiot...@gmail.com wrote:
> > >
> > > I have a server installed with Solaris 9 and BIND 9.4.2-P1; 1 week
> > > ago I began to receive some messages in the message logs:
> > >
> > > 25-Feb-2009 15:30:35.826 general: error: socket: too many open file descriptors
> > > 25-Feb-2009 15:30:35.827 general: error: socket: too many open file descriptors
> > > 25-Feb-2009 15:30:36.210 general: error: socket: too many open file descriptors
> > > 25-Feb-2009 15:30:36.228 general: error: socket: too many open file descriptors
> > >
> > > I guess that's why my server is working abnormally right now and
> > > cannot resolve some domains. I've read a lot of posts saying there is a
> > > patch for this issue, and also that some people try to fix the problem
> > > by increasing the FTD_Size value, but I don't know exactly what I can
> > > apply. Could you help me please, because our DNS server is the master
> > > and it cannot stay with this kind of problem for a long time.
> >
> > 9.4.2-P1 has known scalability issues.  Please upgrade to 9.4.3-P1.
> >
> > ---
> > JINMEI, Tatuya
> > Internet Systems Consortium, Inc.
>
>
>
>

Re: DNS server can resolve some domains - BIND 9.4.2-P1

2009-02-26 Thread Prabhat Rana

Also you may want to increase the file descriptor limits in the /etc/service file
*  Set File descriptor (FD) limits
set rlim_fd_max=


--- On Thu, 2/26/09, JINMEI Tatuya / 神明達哉  wrote:

> From: JINMEI Tatuya / 神明達哉 
> Subject: Re: DNS server can resolve some domains - BIND 9.4.2-P1
> To: comp-protocols-dns-b...@isc.org
> Cc: sergiot...@gmail.com
> Date: Thursday, February 26, 2009, 11:49 AM
> At Wed, 25 Feb 2009 12:27:29 -0800 (PST),
> sergiot...@gmail.com wrote:
> > 
> > I have a server installed with Solaris 9 and BIND 9.4.2-P1; 1 week
> > ago I began to receive some messages in the message logs:
> > 
> > 25-Feb-2009 15:30:35.826 general: error: socket: too many open file descriptors
> > 25-Feb-2009 15:30:35.827 general: error: socket: too many open file descriptors
> > 25-Feb-2009 15:30:36.210 general: error: socket: too many open file descriptors
> > 25-Feb-2009 15:30:36.228 general: error: socket: too many open file descriptors
> > 
> > I guess that's why my server is working abnormally right now and
> > cannot resolve some domains. I've read a lot of posts saying there is a
> > patch for this issue, and also that some people try to fix the problem by
> > increasing the FTD_Size value, but I don't know exactly what I can apply.
> > Could you help me please, because our DNS server is the master and it
> > cannot stay with this kind of problem for a long time.
> 
> 9.4.2-P1 has known scalability issues.  Please upgrade to 9.4.3-P1.
> 
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.



Re: DNS server can resolve some domains - BIND 9.4.2-P1

2009-02-26 Thread JINMEI Tatuya / 神明達哉
At Wed, 25 Feb 2009 12:27:29 -0800 (PST),
sergiot...@gmail.com wrote:
> 
> I have a server installed with Solaris 9 and BIND 9.4.2-P1; 1 week
> ago I began to receive some messages in the message logs:
> 
> 25-Feb-2009 15:30:35.826 general: error: socket: too many open file descriptors
> 25-Feb-2009 15:30:35.827 general: error: socket: too many open file descriptors
> 25-Feb-2009 15:30:36.210 general: error: socket: too many open file descriptors
> 25-Feb-2009 15:30:36.228 general: error: socket: too many open file descriptors
> 
> I guess that's why my server is working abnormally right now and
> cannot resolve some domains. I've read a lot of posts saying there is a
> patch for this issue, and also that some people try to fix the problem by
> increasing the FTD_Size value, but I don't know exactly what I can apply.
> Could you help me please, because our DNS server is the master and it
> cannot stay with this kind of problem for a long time.

9.4.2-P1 has known scalability issues.  Please upgrade to 9.4.3-P1.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.