RE: DNS - slaving the root zone
On Sun, 19 Feb 2012 at 01:14:47, Doug Barton wrote:
> On 02/18/2012 03:23, Damien Fleuriot wrote:
>> On 2/18/12 12:57 AM, Doug Barton wrote:
>>> To clarify, almost universally the opposition to the idea centers around the problems of users who enable this method, and then don't notice if something changes/breaks, resulting in a stale zone (or zones, depending on what you choose to slave). I have always acknowledged that this is a valid concern, just not one that I think overwhelms the virtues of doing the slaving in the first place.
>>
>> Could you elaborate on the "something changes/breaks, admin doesn't notice, results in a stale zone" bit?
>
> Most commonly whatever auth. server the user is axfr'ing from suddenly stops offering that ability.

[snip]

I'm just done converting from named.root to slaving the root, I checked which servers allow axfr (at least for me...) and added them all as masters.

Multiple masters would substantially decrease the risk of stale zones, yes?

I have attached the relevant portion of my config, maybe it's useful.

Also, I was wondering, now that I slave . and arpa, is it still beneficial to retain the 'empty zones' that fall within those or are they redundant? I figure they are, as the comments say 'Serving the following zones locally will prevent any queries for these zones leaving your network and going to the root name servers.' and now my server *is* the root as far as it knows.

Thanks.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk
MediaMonks B.V. (www.mediamonks.com)

Please quote relevant replies in correspondence.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: DNS - slaving the root zone
On 02/19/2012 10:39, Terrence Koeman wrote:
> I'm just done converting from named.root to slaving the root, I checked which servers allow axfr (at least for me...) and added them all as masters.

Given that some of the root server operators don't really like people doing this routinely it would be net.friendlier to list the ICANN servers first. They are just as up to date as the live root servers.

> Multiple masters would substantially decrease the risk of stale zones, yes?

Yes.

> Also, I was wondering, now that I slave . and arpa, is it still beneficial to retain the 'empty zones' that fall within those or are they redundant?

They are not redundant, and yes, they are still beneficial.

Doug

--
It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: DNS - slaving the root zone
On 2/18/12 12:57 AM, Doug Barton wrote:
> To clarify, almost universally the opposition to the idea centers around the problems of users who enable this method, and then don't notice if something changes/breaks, resulting in a stale zone (or zones, depending on what you choose to slave). I have always acknowledged that this is a valid concern, just not one that I think overwhelms the virtues of doing the slaving in the first place.

Could you elaborate on the "something changes/breaks, admin doesn't notice, results in a stale zone" bit? I fail to see the circumstances under which that could happen.

> The method currently in comments in /etc/namedb/named.conf suggests servers generously provided by ICANN that are dedicated to allowing AXFR of various infrastructure zones. (Note, ICANN does not necessarily endorse the idea of slaving these zones for resolvers, but I do have their permission to include these servers in our named.conf.) That alleviates one of the other criticisms of slaving these zones, as it presents no load on the actual root servers at all.
>
> So in short, this is an excellent idea, I've been doing it/recommending it for years, and assuming you have the knowledge/ability to keep your resolvers up to date (and/or you're tracking our named.conf where I do it for you) then it's totally safe to do.

Indeed, been deleting the traditional hint file based . zone for a while and using the slaving mechanism for over a year already, works fine enough for us.

You have me somewhat worried with the bit about something breaking though, thus the call for details ;)
Re: DNS - slaving the root zone
On 02/18/2012 03:23, Damien Fleuriot wrote:
> On 2/18/12 12:57 AM, Doug Barton wrote:
>> To clarify, almost universally the opposition to the idea centers around the problems of users who enable this method, and then don't notice if something changes/breaks, resulting in a stale zone (or zones, depending on what you choose to slave). I have always acknowledged that this is a valid concern, just not one that I think overwhelms the virtues of doing the slaving in the first place.
>
> Could you elaborate on the "something changes/breaks, admin doesn't notice, results in a stale zone" bit?

Most commonly whatever auth. server the user is axfr'ing from suddenly stops offering that ability.

> I fail to see the circumstances under which that could happen.

I tend to agree, which is why I weight this particular objection pretty low. If you don't notice failed axfrs, you've already got deeper problems. :)

To be fair however, there are a lot of people who believe (rightly or wrongly) that resolving DNS should be a "fire and forget" service. Those of us who do this for a living know that this was never true, and DNSSEC makes that even less true. However, if you happen to be one of those people, this method is not for you.

> Indeed, been deleting the traditional hint file based . zone for a while and using the slaving mechanism for over a year already, works fine enough for us.

I'm glad to hear that. Makes me feel that my efforts in this area have been worthwhile.

> You have me somewhat worried with the bit about something breaking though, thus the call for details ;)

Understood. You don't seem to be the type of operator who is likely to run afoul here, FWIW.

Doug

--
It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
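The "if you don't notice failed axfrs" point above is the whole operational risk of slaving "." or "arpa". The following is an added example, not code from this thread, of a cron-able shell check that compares the SOA serial your local resolver serves for a slaved zone with the serial each of your configured masters offers, using RFC 1982 serial arithmetic so a 32-bit wraparound is not reported as staleness. It assumes dig(1) is installed; the master hostname in the usage comment is a placeholder, since the thread names the ICANN transfer servers only by role.

```shell
#!/bin/sh
# Added example (not from the thread): detect a stale slaved zone by comparing
# the SOA serial the local resolver answers with the serial offered by each
# master listed in named.conf.  Assumes dig(1); master names are placeholders.

soa_serial() {
    # Print the serial (third RDATA field) of a "dig +short ... SOA" answer line.
    # Word-splitting of $1 is intentional here.
    set -- $1
    printf '%s\n' "$3"
}

serial_lt() {
    # RFC 1982: serial $1 is "before" $2 if (s2 - s1) mod 2^32 lies in (0, 2^31).
    d=$(( ($2 - $1 + 4294967296) % 4294967296 ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

zone_status() {
    # $1: local SOA answer line, $2: master SOA answer line.
    # Prints ok / stale / ahead; exit status 0 only for ok.
    local_serial=$(soa_serial "$1")
    master_serial=$(soa_serial "$2")
    if [ "$local_serial" = "$master_serial" ]; then
        echo ok
    elif serial_lt "$local_serial" "$master_serial"; then
        echo stale; return 1      # master moved on, our transfers are failing
    else
        echo ahead; return 1      # local copy is newer than the master: investigate
    fi
}

check_live() {
    # $1: zone, $2: local resolver address, $3...: masters from your named.conf.
    # Returns 0 as soon as one master agrees with the local copy.
    zone=$1; local_ns=$2; shift 2
    local_soa=$(dig +short "@$local_ns" "$zone" SOA)
    if [ -z "$local_soa" ]; then
        echo "no SOA for '$zone' from $local_ns"; return 2
    fi
    for m in "$@"; do
        master_soa=$(dig +short "@$m" "$zone" SOA) || continue
        [ -n "$master_soa" ] || continue
        status=$(zone_status "$local_soa" "$master_soa") || true
        echo "$zone local=$(soa_serial "$local_soa") $m=$(soa_serial "$master_soa") $status"
        [ "$status" = ok ] && return 0
    done
    return 1
}

# Cron usage (xfr.placeholder.example stands in for the masters in your config):
#   sh this-script --live . 127.0.0.1 xfr.placeholder.example \
#       || logger -p daemon.err "slaved root zone is stale"
case "${1-}" in
    --live) shift; check_live "$@" ;;
esac
```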
Re: DNS - slaving the root zone
On Fri, Feb 17, 2012 at 02:41:57PM +0100, Damien Fleuriot wrote:
> Hello list, Jeremy, Doug,
>
> We're currently having a discussion on the FRnOG mailing list regarding the laughable announcement of an attack on the DNS root servers by Anonymous.
>
> I've kinda hijacked the thread to ask whether people slave the root zone or not, and why if not.
>
> Active poster, renowned blogger and AFNIC worker Stephane Bortzmeyer pointed out that it might not be a good idea and submitted the following discussion from 2007 as reference:
> http://lists.freebsd.org/pipermail/freebsd-current/2007-August/075895.html
>
> Do you still believe slaving the root zone to be a bad idea?

The important thread (IMO) is actually here:

https://lists.dns-oarc.net/pipermail/dns-operations/2007-July/thread.html#1804

These are the people you should be asking this question to given the announcement. Folks like Paul Vixie and David Conrad.

Also, just a tip: given that at an old job I dealt with DoS and DDoS attacks on our infrastructure on a near-daily basis (advice to public: never run a public IRC server on a major network), I wouldn't be so quick to dismiss the claim as laughable. Folks can bring up the distribution of all the root servers, anycast, etc. all they want, but nobody truly knows how distributed the DDoS will be. Sit back and think about that one for a little while, let it stew in your mind.

Rest assured, if what is being proposed turns out to be accomplished, you will be quite surprised at how many large Fortune 500 companies and financial organisations are impacted by it. I can't go into details, but I can assure you with utmost certainty that many of them rely on Internet transit for very important transactions -- most of which use DNS-based lookups for all sorts of things. Given the state of IT in general these days, chances are very few companies have thought ahead in this case. Though DNS may not simply break 100% (duh), failed lookups and oddities occurring all over the place would be likely.

If you've ever worked at a large corporation, you'll know how easy it is for people to incorrectly assess reasons for outages -- it wouldn't surprise me if it took said companies 24-48 hours to figure out what was truly the root cause.

TL;DR -- don't be hasty when it comes to threats on the Internet on such a large scale. It's amazing the infrastructure we have today works at all anyway.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
Re: DNS - slaving the root zone
On 02/17/2012 05:41, Damien Fleuriot wrote:
> Hello list, Jeremy, Doug,
>
> We're currently having a discussion on the FRnOG mailing list regarding the laughable announcement of an attack on the DNS root servers by Anonymous.

Given their success at their previous endeavors, I wouldn't call it laughable. Even if they are unsuccessful at taking down all of the root servers, if *your* particular part of the Internet gets knocked down, that's pretty important to you, right?

OTOH, I think that actually doing what they state they want to do will be very difficult, and not likely to produce the results that they believe it will. However, unlike some in the DNS/Security communities I do not intend to outline the deficiencies in their plan, lest they take advantage of the opportunity to improve it. :)

> I've kinda hijacked the thread to ask whether people slave the root zone or not, and why if not.

Well there is no secret that I (and many others) think it's a good idea.

> Active poster, renowned blogger and AFNIC worker Stephane Bortzmeyer pointed out that it might not be a good idea and submitted the following discussion from 2007 as reference:
> http://lists.freebsd.org/pipermail/freebsd-current/2007-August/075895.html

I know Stephane professionally, and I respect his opinion about many topics. On this topic we disagree.

> Do you still believe slaving the root zone to be a bad idea?

I never thought it was a bad idea. I've been suggesting that people do it for years. :)

To clarify, almost universally the opposition to the idea centers around the problems of users who enable this method, and then don't notice if something changes/breaks, resulting in a stale zone (or zones, depending on what you choose to slave). I have always acknowledged that this is a valid concern, just not one that I think overwhelms the virtues of doing the slaving in the first place.

The method currently in comments in /etc/namedb/named.conf suggests servers generously provided by ICANN that are dedicated to allowing AXFR of various infrastructure zones. (Note, ICANN does not necessarily endorse the idea of slaving these zones for resolvers, but I do have their permission to include these servers in our named.conf.) That alleviates one of the other criticisms of slaving these zones, as it presents no load on the actual root servers at all.

So in short, this is an excellent idea, I've been doing it/recommending it for years, and assuming you have the knowledge/ability to keep your resolvers up to date (and/or you're tracking our named.conf where I do it for you) then it's totally safe to do.

hth,

Doug

--
It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: DNS
On Sun, Jan 01, 2012 at 04:26:38PM -0800, Waitman Gobble wrote:
> You have to have your nameserver listed with internic (for .com and .net - ie, your nameserver has to show up in the NAMESERVER whois (note: different than DOMAIN whois) on http://www.internic.net/whois.html) and also for each

This is exactly the point I missed. At that opportunity I searched in all places except in the right one.

Waitman, I am very grateful.

Walter
Re: DNS
On Sun, Jan 01, 2012 at 04:26:38PM -0800, Waitman Gobble wrote:
> Yes, you can run BIND on the same FreeBSD machine as your web server.
>
> You have to have your nameserver listed with internic (for .com and .net - ie, your nameserver has to show up in the NAMESERVER whois (note: different than DOMAIN whois) on http://www.internic.net/whois.html) and also for each TLD you want to provide service for (ie, .org, .mobi, etc etc). If you are using opensrs it's pretty simple to list your nameserver with local and foreign tlds, but with other Registrars - you'd have to check into the details.
>
> It's generally easier to use a local domain for the nameservers (ie, ns1.example.mobi for .mobi domains.) but it is also possible to use foreign nameservers (ie, ns1.example.com to resolve www.example.mobi - is considered foreign)
>
> Waitman

Bothering you again Waitman,

Now after refreshing my memory (it happened one year ago) I could remember that I did register the nameservers. I found the option in my registrar to add to some domain, i.e. mydomain.com, the entries ns1.mydomain.com, etc.

I think that the problem I had was related with the IPs. The VPS provider gave me just two, and AFAIK each name server needs its own dedicated IP. Now I can remember that I asked their support team and they answered me that the nameservers could perfectly share the IP with the domains. Could that be the reason I don't get the thing working?

Walter
Re: DNS
> Now after refreshing my memory (it happened one year ago) I could remember that I did register the nameservers. I found the option in my registrar to add to some domain, i.e. mydomain.com, the entries ns1.mydomain.com, etc.
>
> I think that the problem I had was related with the IPs. The VPS provider gave me just two, and AFAIK each name server needs its own dedicated IP. Now I can remember that I asked their support team and they answered me that the nameservers could perfectly share the IP with the domains. Could that be the reason I don't get the thing working?
>
> Walter

Hello,

You /can/ have a nameserver with same IP as www. And you /can/ multihome your NIC with multiple IP on same machine, ie,

    www.example.com   192.168.0.131 and 192.168.0.132 (if you want, optional extra address for www)
    ns1.example.com   192.168.0.131
    ns2.example.com   192.168.0.132

Waitman
Re: DNS
On Mon, Jan 02, 2012 at 11:06:39AM -0800, Waitman Gobble wrote:
> Hello,
>
> You /can/ have a nameserver with same IP as www. And you /can/ multihome your NIC with multiple IP on same machine, ie,
>
>     www.example.com   192.168.0.131 and 192.168.0.132 (if you want, optional extra address for www)
>     ns1.example.com   192.168.0.131
>     ns2.example.com   192.168.0.132
>
> Waitman

I thought I'd isolated the problem. God is playing with me like in The Truman Show :-).

Well, the next time I get a dedicated server I will try again.

Many thanks Waitman

Walter
Re: DNS
On Sun, Jan 1, 2012 at 12:20 PM, Daniel Lewis <innervisionnetw...@gmail.com> wrote:
> I'm new to freebsd 8.2 and the unix world. How do I setup dns to support my domain

Hi Daniel,

You probably want to use ISC bind in /usr/ports/dns

I recommend you read the O'Reilly book "DNS and BIND".

Basic process -

Install and configure bind. If possible set up on two or more machines/ip. IMHO it's less hassle to set up duplicate masters and rsync changes from your 'main' install instead of setting up master/slave configurations.

Create zone file for your domain, ie

    $TTL 86400
    example.com.        IN SOA  ns1.example.com. n...@example.com. (
                            2012010210
                            28800
                            7200
                            1209600
                            86400 )
    example.com.        NS      ns1.example.com.
    example.com.        NS      ns2.example.com.
    example.com.        MX 0    mail.example.com.
    example.com.        A       192.168.0.133
    www.example.com.    A       192.168.0.133
    *                   IN CNAME www.example.com.

cname is good for people who enjoy making typos like and ww

Add your domain zone file to named.conf, ie

    zone "example.com" IN {
        type master;
        file "example.com.hosts";
    };

Reload nameserver:

    rndc reload

Export your nameservers to root ns, this process varies for registrar - look for "use my own nameserver" or "create nameservers based on domain" in your registrar help docs. Maybe you can contact internic/nsi directly instead (?).

Back in the old days users just spread around copies of the hosts file.

Have fun.

Waitman Gobble
San Jose California USA
Re: DNS
On Sun, Jan 1, 2012 at 2:54 PM, Robert Huff <roberth...@rcn.com> wrote:
> Walter Alejandro Iglesias writes:
>> Time ago I made the attempt to setup my own DNS in the same machine I had my web server running. DNS was the only thing I was not able to automatically update in the system with my scripts each time a new customer purchased a service. It would be wonderful for me if you or anyone here at least confirm me if it is really possible.
>
> What is possible - updating using scripts, or running BIND on the same machine as a web server (presumably Apache)?
>
> While I'm sure someone has written them, I don't know of any scripts that will update (whatever that means) BIND configuration files that are included either as part of the base system or as ports.
>
> However, running BIND and Apache is certainly possible - the machine I'm typing this on does exactly that.
>
> Robert Huff

I agree with Robert, it's generally no problem, at least technically, to run BIND on the same machine. (Unless in certain situations I can think of at the moment) you are running your httpd server on a non-public network behind a firewall, doing certain things with NAT on the router, or running httpd on a private machine that only gets traffic from a public-facing cache/proxy like squid. These situations don't rule out use but could cause 'looping' or otherwise cause problems depending on how your network and name system is setup.

It is better to have more than one machine running name services, if possible. Also a good idea to prohibit zone transfers and recursive lookups, or at least limit very carefully.

You should be able to set up a zone update thing for your customers, just keep TTL somewhat short, and update your serial # in the zone so that external caches will pull the updates (using date and/or time is probably best.)

And you probably don't want the daemon/nobody httpd user fooling around with the zone files or named process directly so it's best to set a signal in your script like 'touch /tmp/updatebind' or something and have a cron job check for the 'signal'.

Waitman
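The two pieces of advice above (bump the serial using the date so caches pick up the change, and let a cron job rather than the httpd user poke named) fit together into one small script. This is an added example, not code from the thread: the web-side half edits the zone file for a zone laid out like the one shown earlier in the thread and drops a signal file; the cron-side half, run as root, validates every zone with named-checkzone before calling rndc reload, so a broken edit never takes the server down. The paths ZONEDIR and SIGNAL are placeholders, and it assumes each zone file is named after its zone and that the serial is the first all-digit token after the SOA keyword.

```shell
#!/bin/sh
# Added example (not from the thread): date-based SOA serial bump plus a
# signal-file handoff to a root cron job.  Paths below are placeholders; zone
# files are assumed to be named after their zone (file "example.com" holds
# zone example.com) and the serial is the first all-digit token after "SOA".

ZONEDIR=${ZONEDIR:-/etc/namedb/master}                 # placeholder
SIGNAL=${SIGNAL:-/var/spool/bindupdate/pending}        # placeholder; httpd user may write here

next_serial() {
    # $1: current serial, $2: today's date as YYYYMMDD.
    # YYYYMMDDnn convention: the first change of the day becomes <today>01;
    # a serial already at or past <today>00 (same day, or set in the future)
    # is simply incremented so the value always keeps increasing.
    if [ "$1" -ge "${2}00" ]; then
        echo $(( $1 + 1 ))
    else
        echo "${2}01"
    fi
}

zone_serial() {
    # Print the SOA serial of zone file $1.
    awk '/SOA/ { in_soa = 1 }
         in_soa { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

bump_zone_serial() {
    # $1: zone file, $2: today's date (YYYYMMDD).  Rewrites the serial in place;
    # awk rejoins the edited line with single spaces, other lines are untouched.
    cur=$(zone_serial "$1")
    [ -n "$cur" ] || { echo "no SOA serial found in $1" >&2; return 1; }
    new=$(next_serial "$cur" "$2")
    awk -v old="$cur" -v new="$new" '
        /SOA/ { in_soa = 1 }
        in_soa && !replaced { for (i = 1; i <= NF; i++) if ($i == old) { $i = new; replaced = 1; break } }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

request_reload() {
    # Web-side half: after editing zone $1, bump its serial and leave a signal
    # file instead of talking to named or rndc as the httpd user.
    bump_zone_serial "$ZONEDIR/$1" "$(date +%Y%m%d)" && : > "$SIGNAL"
}

apply_pending() {
    # Cron-side half (root, e.g. every minute): reload only if a signal exists
    # and every zone file still parses, so a bad edit cannot take named down.
    [ -e "$SIGNAL" ] || return 0
    rm -f "$SIGNAL"
    for f in "$ZONEDIR"/*; do
        named-checkzone -q "$(basename "$f")" "$f" \
            || { echo "refusing reload: $f does not parse" >&2; return 1; }
    done
    rndc reload
}

case "${1-}" in
    --request) request_reload "$2" ;;   # from the provisioning script
    --apply)   apply_pending ;;         # from root's crontab
esac
```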
Re: DNS
On Sun, Jan 01, 2012 at 05:54:59PM -0500, Robert Huff wrote:
> Walter Alejandro Iglesias writes:
>> Time ago I made the attempt to setup my own DNS in the same machine I had my web server running. DNS was the only thing I was not able to automatically update in the system with my scripts each time a new customer purchased a service. It would be wonderful for me if you or anyone here at least confirm me if it is really possible.
>
> What is possible - updating using scripts, or running BIND on the same machine as a web server (presumably Apache)?
>
> While I'm sure someone has written them, I don't know of any scripts that will update (whatever that means) BIND configuration files that are included either as part of the base system or as ports.
>
> However, running BIND and Apache is certainly possible - the machine I'm typing this on does exactly that.
>
> Robert Huff

I wrote a bunch of sh scripts to update sendmail, apache, add system users, etc. Those scripts were executed by cron. I wrote a simple php client panel too. So, the sh scripts read the data from mysql (I wrote those scripts originally in Slackware and later I left unfinished its migration to freebsd) and updated the system.

For updating BIND I meant that the scripts (using sed) add zones in the zone files and restart bind, in the same way they add new virtual server entries in httpd.conf and restart apache.

Sure, like you say, it is possible running BIND and Apache. But, is it possible|convenient that the name server reside in the same machine that hosts (with apache) the domain names served by it?

Perhaps you find my question stupid, but believe me, I am lost :-).

Or to simplify the question, what is needed to run a DNS? What I know:

- Edit the zone files.
- Run bind.
- Register the names ns1.mysite.com, ns2..., (some trick here?)
- Obviously adding them to the registrar of the domains served.

Walter
Re: DNS
On Sun, Jan 01, 2012 at 03:24:59PM -0800, Waitman Gobble wrote:
> On Sun, Jan 1, 2012 at 2:54 PM, Robert Huff <roberth...@rcn.com> wrote:
>> Walter Alejandro Iglesias writes:
>>> Time ago I made the attempt to setup my own DNS in the same machine I had my web server running. DNS was the only thing I was not able to automatically update in the system with my scripts each time a new customer purchased a service. It would be wonderful for me if you or anyone here at least confirm me if it is really possible.
>>
>> What is possible - updating using scripts, or running BIND on the same machine as a web server (presumably Apache)?
>>
>> While I'm sure someone has written them, I don't know of any scripts that will update (whatever that means) BIND configuration files that are included either as part of the base system or as ports.
>>
>> However, running BIND and Apache is certainly possible - the machine I'm typing this on does exactly that.
>>
>> Robert Huff
>
> I agree with Robert, it's generally no problem, at least technically, to run BIND on the same machine. (Unless in certain situations I can think of at the moment) you are running your httpd server on a non-public network behind a firewall, doing certain things with NAT on the router, or running httpd on a private machine that only gets traffic from a public-facing cache/proxy like squid. These situations don't rule out use but could cause 'looping' or otherwise cause problems depending on how your network and name system is setup.
>
> It is better to have more than one machine running name services, if possible. Also a good idea to prohibit zone transfers and recursive lookups, or at least limit very carefully.
>
> You should be able to set up a zone update thing for your customers, just keep TTL somewhat short, and update your serial # in the zone so that external caches will pull the updates (using date and/or time is probably best.)
>
> And you probably don't want the daemon/nobody httpd user fooling around with the zone files or named process directly so it's best to set a signal in your script like 'touch /tmp/updatebind' or something and have a cron job check for the 'signal'.
>
> Waitman

Thanks Waitman,

The truth is I am a bit lost, perhaps (here it is late, 00:54) I am a bit hungry and tired :-). I will have dinner, sleep and tomorrow morning with a fresh mind I will reread carefully this last message. I'll buy the book you advised too.

Walter
Re: DNS
> Sure, like you say, it is possible running BIND and Apache. But, is it possible|convenient that the name server reside in the same machine that hosts (with apache) the domain names served by it?
>
> Perhaps you find my question stupid, but believe me, I am lost :-).
>
> Or to simplify the question, what is needed to run a DNS? What I know:
>
> - Edit the zone files.
> - Run bind.
> - Register the names ns1.mysite.com, ns2..., (some trick here?)
> - Obviously adding them to the registrar of the domains served.
>
> Walter

Yes, you can run BIND on the same FreeBSD machine as your web server.

You have to have your nameserver listed with internic (for .com and .net - ie, your nameserver has to show up in the NAMESERVER whois (note: different than DOMAIN whois) on http://www.internic.net/whois.html) and also for each TLD you want to provide service for (ie, .org, .mobi, etc etc). If you are using opensrs it's pretty simple to list your nameserver with local and foreign tlds, but with other Registrars - you'd have to check into the details.

It's generally easier to use a local domain for the nameservers (ie, ns1.example.mobi for .mobi domains.) but it is also possible to use foreign nameservers (ie, ns1.example.com to resolve www.example.mobi - is considered foreign)

Waitman
Re: DNS
Walter Alejandro Iglesias writes:
> Perhaps you find my question stupid, but believe me, I am lost :-).

Where you are now, so once were most of us. :-)

> Sure, like you say, it is possible running BIND and Apache. But, is it possible|convenient that the name server reside in the same machine that hosts (with apache) the domain names served by it?

Possible: I'm doing it.

Convenient? Depends on what you consider convenient. The machine in question only serves a few zones, and only changes its IP occasionally. When it does, I have a script which will change the config file for sshd, and another which changes most (but not all) settings for bind. Elapsed time (assuming I remember all the bits): 5 minutes, plus a re-boot and checking the numbers.

Robert Huff
RE: DNS
Hello,

I've been using FreeBSD as a local nameserver (with my own .local domains!) for quite some time.

FreeBSD comes with a name server already installed; you don't need to get it from the ports, although I'm not sure what difference it makes. The one that comes with FreeBSD can be enabled with named_enable="YES" in /etc/rc.conf. The configuration files are in /etc/namedb/.

Getting a book about BIND really helps learning it. The examples are especially useful. BIND can be a little daunting to learn, but it all clicks in the end.

If you want to use BIND for mass hosting, you can consider hooking BIND up to MySQL or a similar database. I haven't personally tried it, so I cannot vouch for it to work. It may be what you're looking for, though. You can have a look at this link: http://mysql-bind.sourceforge.net/.

Hopefully, this helps.

Sincerely,
Kevin Zheng
Re: DNS config help
On 02/11/2011 20:52, AN wrote:
> I have a question about how to configure DNS. My local network is 10.x, and I sometimes need to connect to a remote VPN. My question is how do I configure BIND to forward queries to a different server only for a specific domain.

This sounds like a job for a static-stub domain. That's a fairly new feature in BIND, so you may well need to install bind98 from ports. See the documentation here:

http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#zone_statement_grammar

> When I am connected to the VPN, vpn.example.com, I want queries for anything going to example.com to go to a specific DNS, and everything else on 10.x to go to my regular DNS. Please let me know if I need to provide more info. Thanks in advance for any help.

Hmmm I don't think you're going to have much fun at all if you try and modify your named configuration depending on whether your VPN is up or not. DNS TTLs are generally of the order of days -- that should be taken as a measure of the minimum time that should go between restarts of a recursive DNS (ideally, and as a long term average). Better to just fail the lookup when the VPN is down.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
Re: DNS config help
On 11/3/11 8:51 AM, Matthew Seaman wrote:
> On 02/11/2011 20:52, AN wrote:
>> I have a question about how to configure DNS. My local network is 10.x, and I sometimes need to connect to a remote VPN. My question is how do I configure BIND to forward queries to a different server only for a specific domain.
>
> This sounds like a job for a static-stub domain. That's a fairly new feature in BIND, so you may well need to install bind98 from ports. See the documentation here:
>
> http://ftp.isc.org/isc/bind9/cur/9.8/doc/arm/Bv9ARM.ch06.html#zone_statement_grammar

You can simply create a forward zone.

If this should only apply to your VPN clients, then create a view that matches only their IP, for example:

    acl "trusted" {
        127.0.0.1;
        ::1;
        192.168.0.0/24;
    };

    view "internal_in" in {
        match-clients { "trusted"; };
        recursion yes;
        additional-from-auth yes;
        additional-from-cache yes;

        zone "." {
            type hint;
            file "named.root";
        };

        zone "avocat-conseil.fr" {
            type forward;
            forwarders { 192.168.252.252; };
            forward only;
        };
    };

I have the exact same setup here, allow me to explain.

There's a server at my parents' office (wow this sounds so awkward, when I re-read it) that handles:
- dhcp
- dns
- firewalling
- smb shares
- routing

There's also a small VPN box that's, so to speak, outside our perimeter because it's an appliance and I have 0 level of control over it, it runs at 192.168.252.252 in its own separate VLAN and establishes a VPN with some law organization thingy, using an IP range of 172.30.*

From the server, I route 172.30.* to the VPN box, and I also make that box authoritative for a few domains, including the one quoted above.

I'm not certain what you're trying to accomplish, but this works like a charm here.

>> When I am connected to the VPN, vpn.example.com, I want queries for anything going to example.com to go to a specific DNS, and everything else on 10.x to go to my regular DNS. Please let me know if I need to provide more info. Thanks in advance for any help.
>
> Hmmm I don't think you're going to have much fun at all if you try and modify your named configuration depending on whether your VPN is up or not. DNS TTLs are generally of the order of days -- that should be taken as a measure of the minimum time that should go between restarts of a recursive DNS (ideally, and as a long term average). Better to just fail the lookup when the VPN is down.

Actually, using a view that matches only the VPN's IP range would do the trick easily and efficiently.
Re: DNS config help
On 03/11/2011 10:00, Damien Fleuriot wrote:
> You can simply create a forward zone.

Actually, yes, that's a good idea too. Should have much the same effect and it's been available in BIND approximately forever. There's a difference in the niggling details of how it all works, so worth experimenting with the different possibilities.

>>> When I am connected to the VPN, vpn.example.com, I want queries for anything going to example.com to go to a specific DNS, and everything else on 10.x to go to my regular DNS.
>>>
>>> Please let me know if I need to provide more info. Thanks in advance for any help.
>>
>> Hmmm I don't think you're going to have much fun at all if you try and modify your named configuration depending on whether your VPN is up or not. DNS TTLs are generally of the order of days -- that should be taken as a measure of the minimum time that should go between restarts of a recursive DNS (ideally, and as a long term average). Better to just fail the lookup when the VPN is down.
>
> Actually, using a view that matches only the VPN's IP range would do the trick easily and efficiently.

Views are a way of giving a different answer depending on who is asking the question -- how does that help the OP when he's always querying from within his 10.0.0.0/8 network? He's the client connecting to the VPN here.

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
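Here, as an added example that is not from any of the posts above, is the forward-zone approach applied to the OP's case (example.com, queries from a 10.x LAN), with the static-stub alternative from Matthew's first reply shown commented out; the resolver addresses 10.8.0.53 (the one reached over the VPN) and 10.0.0.53 (the regular DNS) are placeholders I made up. 'forward only' on the example.com zone is what makes the lookup fail, rather than fall back to the regular resolver, when the VPN is down, which is the behaviour Matthew recommends.

```bind
// Added example, not from the thread. Assumes BIND 9.8 or later,
// the OP's domain example.com, a VPN-side resolver at 10.8.0.53
// (placeholder) and the regular LAN resolver at 10.0.0.53 (placeholder).
options {
    directory "/etc/namedb/working";
    recursion yes;
    // Only answer recursive queries from the LAN and localhost, so this
    // box is not an open resolver.
    allow-recursion { 10.0.0.0/8; 127.0.0.1; ::1; };
    // Everything that is not matched by a more specific zone below goes
    // to the regular DNS; with "forward first" named falls back to
    // normal recursion from the root hints if that server is unreachable.
    forwarders { 10.0.0.53; };
    forward first;
};

zone "." {
    type hint;
    file "/etc/namedb/named.root";
};

// Names under example.com go to the resolver on the far side of the VPN.
// "forward only" means that when the VPN is down and 10.8.0.53 cannot be
// reached, the query fails (SERVFAIL) instead of being sent to the
// regular resolver or resolved from the public root. Nothing here needs
// to change when the VPN comes up or goes down.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 10.8.0.53; };
};

// Alternative (BIND 9.8+): a static-stub zone makes named query the
// listed servers directly as if they were example.com's authoritative
// servers, rather than forwarding recursive queries to them. Define
// example.com either as forward or as static-stub, not both.
// zone "example.com" {
//     type static-stub;
//     server-addresses { 10.8.0.53; };
// };
```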
Re: DNS config help
On 11/3/11 11:35 AM, Matthew Seaman wrote:
> On 03/11/2011 10:00, Damien Fleuriot wrote:
>> Actually, using a view that matches only the VPN's IP range would do the trick easily and efficiently.
>
> Views are a way of giving a different answer depending on who is asking the question -- how does that help the OP when he's always querying from within his 10.0.0.0/8 network? He's the client connecting to the VPN here.

I didn't understand his problem like that, my bad.

I remember hearing at work that dnsmasq could do that, perhaps with a little bit of scripting.
Re: DNS config help
It depends... some VPNs push routes, including default routes, and nameservers and search paths, but it's up to the client on how to handle it. Some of these will set /etc/resolv.conf, etc. What *kind* of VPN are you talking about? OpenVPN? PPTP? L2TP?

I generally prefer dnscache to BIND, and the mechanism for selective resolution is straightforward.

Some large companies, HP included, just publish internal (non-routable) addresses for hosts on their public servers, which solves the remote access DNS problem.

- M

On Wed, Nov 2, 2011 at 1:52 PM, AN a...@neu.net wrote:
> I have a question about how to configure DNS. My local network is 10.x, and I sometimes need to connect to a remote VPN. My question is how do I configure BIND to forward queries to a different server only for a specific domain.
>
> When I am connected to the VPN, vpn.example.com, I want queries for anything going to example.com to go to a specific DNS, and everything else on 10.x to go to my regular DNS.
>
> Please let me know if I need to provide more info. Thanks in advance for any help.
Re: DNS and file system messed up...
On 08/07/2011 23:04, Gary Kline wrote:
> On Fri, Jul 08, 2011 at 10:01:45AM +0100, Matthew Seaman wrote:
>> Date: Fri, 08 Jul 2011 10:01:45 +0100
>> From: Matthew Seaman m.sea...@infracaninophile.co.uk
>> Subject: Re: DNS and file system messed up...
>> To: freebsd-questions@freebsd.org
>>
>> On 08/07/2011 08:25, Doug Hardie wrote:
>>> On 7 July 2011, at 22:58, Gary Kline wrote:
>>>> Jul 7 10:16:33 ethic named[54366]: none:0: open: /etc/named.conf: file not found
>>>> Jul 7 10:17:56 ethic named[54371]: starting BIND 9.3.6-P1 -c /var/named/etc/namedb/named.conf
>>>
>>> The first one that fails is looking for /etc/named.conf. The second one shows it's in /var/named/etc/named/named.conf. Those are different locations. I suspect you have named_flags setup in rc.conf pointing to /etc/namedb/named.conf rather than the right location. It's also possible that it's not set in rc.conf but defaults in either the rc script or /etc/rc.d/named. On my system it appears to default in /etc/rc.d/named.
>>
>> FreeBSD defaults to running named chrooted. /etc/namedb is actually a symbolic link:
>
> hi matthew, i found an in-depth post you wrote re mtree yesterday ( 07july ), but i figured it was over my head in resetting anything i might need to reset. i was going to write you offlist. decided to ask the entire list.
>
>>     % ls -la /etc/namedb
>>     lrwxr-xr-x  1 root  wheel  21 Jul  6 06:24 /etc/namedb@ -> /var/named/etc/namedb
>>
>> so the files referenced are in fact exactly the same file. However, the flags from the log extract don't look like the defaults to me. (I'm running the dns/bind98 port, and the equivalent info from the log line is '-t /var/named -u bind')
>
> i was using bind98 rather than the earlier bind9 which is out of date. but bind98 gave me troubles with the rndc.key and other, so i chose to go back with what worked. --first thing is to get this working with the older bind9. FWIW, both bind9's given me the same error and failure. i have walked thru the named script to the point where it creates the symlink. regardless, i cannot understand the error and failure messages. i only know that my kill -9 and my initialization by hand work.
>
>> Gary, what named related settings do you have in /etc/rc.conf? You almost certainly don't need anything more than:
>>
>>     named_enable="YES"
>>
>> and perhaps
>>
>>     syslogd_flags="-ss -l /var/named/var/run/log"
>>
>> so named can log to the system syslog.
>
> Hmmm [c]. as you may have seen in my post to Doug H. i only have --
>
>     named_enable="YES"
>     named_program="/usr/local/sbin/named"
>     named_pidfile="/var/run/named/pid"

OK. The good news is that the configuration that works for the system built-in version of named will work for the dns/bind98 port with very minor changes, if any.

First: where everything should live

    /etc/namedb/named.conf   --- named's config file
    /etc/namedb/master       --- zone files this server is master for
    /etc/namedb/slave        --- zone files this server slaves from another master (rw by named)
    /etc/named/working       --- named's working directory (rw by named)
    /etc/rndc.conf           --- config file for rndc

There are various other files and directories under /etc/namedb which you may or may not need depending on how you configure named; in any case, just leave them in their default locations and with the permissions the system gives them. (You can use mtree(8) to fix them up if necessary -- but that's a whole other posting)

Now, although named defaults to running chrooted into /var/namedb, you don't need to mention that path explicitly anywhere in the config. In fact, you should think about the configuration as if there was no chrooting happening at all.

Second: rc.conf settings

    named_enable="YES"
    syslogd_flags="-ss -l /var/named/var/run/log"

should be all you need to use the built-in version of named.

Third: rndc configuration

Generate a new rndc key and a config file by:

    # rndc-confgen > /etc/named/rndc.conf

This should create a new file /etc/namedb/rndc.conf preconfigured to work with the named instance on the localhost. Look at the text of the file -- commented out there's a chunk of stuff to copy into named.conf. So let's do that. If the file contains:

    # key "rndc-key" {
    #       algorithm hmac-md5;
    #       secret "0ABCDE123+45+67890==";
    # };
    #
    # controls {
    #       inet 127.0.0.1 port 953
    #               allow { 127.0.0.1; } keys { "rndc-key"; };
    # };

Then copy that without the '#' quotes into named.conf. In fact, I find it helps to add a control for access to ::1 as well. So add this text to /etc/namedb/named.conf:

    key "rndc-key" {
        algorithm hmac-md5;
        secret "0ABCDE123+45+67890==";
    };

    controls {
        inet 127.0.0.1 port 953
            allow { 127.0.0.1; } keys { "rndc-key"; };
        inet ::1 port 953
            allow { ::1; } keys { "rndc-key"; };
    };

Fourth: set up named.conf

As I don't know much about the config you want, I'm going to have to keep this to generalities. In the options section you should
Re: DNS and file system messed up...
On Jul 8, 2011, at 9:54 PM, Gary Kline wrote:
> On Fri, Jul 08, 2011 at 07:27:12AM -0600, Dan Busarow wrote:
>> Gary, add
>>
>>     named_flags="-c /etc/namedb/named.conf"
>>
>> to /etc/rc.conf. Or change /etc/namedb/named.conf to the /var version if you like/there is no symlink.
>>
>> Dan
>
> Dan! I think you fixed something.
>
> I haven't figured this out yet, and would be grateful if you could decode this in /var/log/messages::
>
> Jul 8 20:39:32 ethic named[83003]: stopping command channel on ::1#953
> Jul 8 20:39:32 ethic named[83003]: exiting
> Jul 8 20:39:37 ethic named[84090]: starting BIND 9.3.6-P1 -c /etc/namedb/named.conf -t /var/named -u bind
> Jul 8 20:39:37 ethic named[84090]: none:0: open: /etc/rndc.key: file not found

Gary,

There's probably an /etc/rc.conf line to fix these but what I always do is simply symlink /etc/namedb/rndc.key to /etc/rndc.key

    # ln -s /etc/namedb/rndc.key /etc/rndc.key

I actually use rndc.conf on my systems but I think the names and files are interchangeable.

Dan

> Jul 8 20:39:37 ethic named[84090]: couldn't add command channel 127.0.0.1#953: file not found
> Jul 8 20:39:37 ethic named[84090]: none:0: open: /etc/rndc.key: file not found
> Jul 8 20:39:37 ethic named[84090]: couldn't add command channel ::1#953: file not found
> Jul 8 20:39:37 ethic named[84090]: the working directory is not writable
> Jul 8 20:39:37 ethic named[84090]: running
>
> This, after I added your named_flags line into /etc/rc.conf. Where I get lost is *what* gives me that none:0 lines?? I see the same or worse err when I drop in bind98. IIRC, named does run, but the messages log is full of rndc.key error messages that I just cannot understand. _Now_, having dropped in your named_flags line, I am seeing something similar. I have grepped thru the entire /etc/ tree and haven't found anything that explains where I messed up
>
> Ideas? thanks to you or anybody else onlist.
>
> gary
Re: DNS and file system messed up...
On Sat, Jul 09, 2011 at 07:49:43AM -0600, Dan Busarow wrote:
> Date: Sat, 9 Jul 2011 07:49:43 -0600
> From: Dan Busarow d...@buildingonline.com
> Subject: Re: DNS and file system messed up...
> To: Gary Kline kl...@thought.org
> Cc: freebsd-questions@freebsd.org, Gary Kline kl...@magnesium.net
> X-Mailer: Apple Mail (2.753.1)
>
> On Jul 8, 2011, at 9:54 PM, Gary Kline wrote:
>> On Fri, Jul 08, 2011 at 07:27:12AM -0600, Dan Busarow wrote:
>>> Gary, add
>>>
>>>     named_flags="-c /etc/namedb/named.conf"
>>>
>>> to /etc/rc.conf. Or change /etc/namedb/named.conf to the /var version if you like/there is no symlink.
>>>
>>> Dan
>>
>> Dan! I think you fixed something.
>>
>> I haven't figured this out yet, and would be grateful if you could decode this in /var/log/messages::
>>
>> Jul 8 20:39:32 ethic named[83003]: stopping command channel on ::1#953
>> Jul 8 20:39:32 ethic named[83003]: exiting
>> Jul 8 20:39:37 ethic named[84090]: starting BIND 9.3.6-P1 -c /etc/namedb/named.conf -t /var/named -u bind
>> Jul 8 20:39:37 ethic named[84090]: none:0: open: /etc/rndc.key: file not found
>
> Gary,
>
> There's probably an /etc/rc.conf line to fix these but what I always do is simply symlink /etc/namedb/rndc.key to /etc/rndc.key
>
>     # ln -s /etc/namedb/rndc.key /etc/rndc.key
>
> I actually use rndc.conf on my systems but I think the names and files are interchangeable.
>
> Dan

No joy. I just tried that from /etc:

    lrwxr-xr-x  1 root  wheel  21 Jul  9 11:18 namedb -> /var/named/etc/namedb
    lrwxr-xr-x  1 root  wheel  20 Jul  9 11:17 rndc.key -> /etc/namedb/rndc.key

and I find the same warnings/complaints as earlier. The good news, still, is that bind9 works. But I still get a lookup error from the -questions list in /var/log/maillog, so nothing is getting thru to the list from here at thought.org.

FWIW: Yesterday, I got the latest 7.3 upgrade and compiled it. I have NOT yet installed anything new because the last thing i want to do is lose my own link with the real world . :-) * 0.5

your thoughts what I should try next, please?

gary

>> Jul 8 20:39:37 ethic named[84090]: couldn't add command channel 127.0.0.1#953: file not found
>> Jul 8 20:39:37 ethic named[84090]: none:0: open: /etc/rndc.key: file not found
>> Jul 8 20:39:37 ethic named[84090]: couldn't add command channel ::1#953: file not found
>> Jul 8 20:39:37 ethic named[84090]: the working directory is not writable
>> Jul 8 20:39:37 ethic named[84090]: running
>>
>> This, after I added your named_flags line into /etc/rc.conf. Where I get lost is *what* gives me that none:0 lines?? I see the same or worse err when I drop in bind98. IIRC, named does run, but the messages log is full of rndc.key error messages that I just cannot understand. _Now_, having dropped in your named_flags line, I am seeing something similar. I have grepped thru the entire /etc/ tree and haven't found anything that explains where I messed up
>>
>> Ideas? thanks to you or anybody else onlist.
>>
>> gary

-- 
Gary Kline kl...@thought.org http://www.thought.org Public Service Unix
Journey Toward the Dawn, E-Book: http://www.thought.org
The 8.51a release of Jottings: http://jottings.thought.org
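Added example, not from any post in the thread: a small sh diagnostic that maps the paths written in named.conf to where a named chrooted into /var/named (the "-t /var/named" in Gary's log line) actually opens them. Under that chroot "/etc/rndc.key" in named.conf means /var/named/etc/rndc.key on the host, so a symlink created in the host's /etc is not visible to named; the helper names and the throwaway directory tree built by demo() are mine, not FreeBSD's.

```shell
#!/bin/sh
# Added example, not from the thread. A named started with "-t CHROOTDIR"
# opens every path in named.conf (include, file, directory) inside that
# chroot, so "none:0: open: /etc/rndc.key: file not found" refers to
# CHROOTDIR/etc/rndc.key on the host, not to /etc/rndc.key.

# host_path CHROOTDIR DIRECTORY PATH
# Print the host-side location of PATH as written in named.conf. Absolute
# paths are prefixed with the chroot; relative paths are resolved against
# the "directory" option (DIRECTORY, itself a chroot-relative path).
host_path() {
    case $3 in
        /*) printf '%s%s\n' "$1" "$3" ;;
        *)  printf '%s%s/%s\n' "$1" "$2" "$3" ;;
    esac
}

# config_paths NAMED_CONF
# Print the paths referenced by include, file and pid-file statements, one
# per line; lines commented out with // or # are skipped.
config_paths() {
    sed -n -e '/^[[:space:]]*\/\//d' -e '/^[[:space:]]*#/d' \
        -e 's/.*include[[:space:]]*"\([^"]*\)".*/\1/p' \
        -e 's/.*file[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# missing_files CHROOTDIR NAMED_CONF
# Report each referenced file that does not exist where the chrooted named
# will look for it; exit status 1 if anything is missing, 0 otherwise.
missing_files() {
    chrootdir=$1
    conf=$2
    dir=$(sed -n 's/.*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    status=0
    for p in $(config_paths "$conf"); do
        hp=$(host_path "$chrootdir" "$dir" "$p")
        if [ ! -e "$hp" ]; then
            printf 'missing on host: %s (named opens %s inside %s)\n' "$hp" "$p" "$chrootdir"
            status=1
        fi
    done
    return $status
}

# Constructed demo of the symptom from the thread, in a throwaway tree:
# the key is symlinked into the host's /etc, which the chrooted named
# never sees, so the check still reports it missing.
demo() {
    tmp=$(mktemp -d)
    croot=$tmp/var/named
    mkdir -p "$croot/etc/namedb/working" "$tmp/etc/namedb"
    cat > "$croot/etc/namedb/named.conf" <<'EOF'
options { directory "/etc/namedb/working"; };
include "/etc/rndc.key";
EOF
    touch "$tmp/etc/namedb/rndc.key"
    ln -s "$tmp/etc/namedb/rndc.key" "$tmp/etc/rndc.key"
    missing_files "$croot" "$croot/etc/namedb/named.conf" || true
    rm -rf "$tmp"
}
demo
```

The fix the check points at is to put the key where the chrooted named opens it, i.e. under /var/named/etc, or to reference it in named.conf by a path that exists inside the chroot.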
Re: DNS and file system messed up...
On 7 July 2011, at 22:58, Gary Kline wrote:
> Jul 7 10:16:33 ethic named[54366]: none:0: open: /etc/named.conf: file not found
> Jul 7 10:17:56 ethic named[54371]: starting BIND 9.3.6-P1 -c /var/named/etc/namedb/named.conf

The first one that fails is looking for /etc/named.conf. The second one shows it's in /var/named/etc/named/named.conf. Those are different locations. I suspect you have named_flags setup in rc.conf pointing to /etc/namedb/named.conf rather than the right location. It's also possible that it's not set in rc.conf but defaults in either the rc script or /etc/rc.d/named. On my system it appears to default in /etc/rc.d/named.
Re: DNS and file system messed up...
On 08/07/2011 08:25, Doug Hardie wrote:
> On 7 July 2011, at 22:58, Gary Kline wrote:
>> Jul 7 10:16:33 ethic named[54366]: none:0: open: /etc/named.conf: file not found
>> Jul 7 10:17:56 ethic named[54371]: starting BIND 9.3.6-P1 -c /var/named/etc/namedb/named.conf
>
> The first one that fails is looking for /etc/named.conf. The second one shows it's in /var/named/etc/named/named.conf. Those are different locations. I suspect you have named_flags setup in rc.conf pointing to /etc/namedb/named.conf rather than the right location. It's also possible that it's not set in rc.conf but defaults in either the rc script or /etc/rc.d/named. On my system it appears to default in /etc/rc.d/named.

FreeBSD defaults to running named chrooted. /etc/namedb is actually a symbolic link:

    % ls -la /etc/namedb
    lrwxr-xr-x  1 root  wheel  21 Jul  6 06:24 /etc/namedb@ -> /var/named/etc/namedb

so the files referenced are in fact exactly the same file. However, the flags from the log extract don't look like the defaults to me. (I'm running the dns/bind98 port, and the equivalent info from the log line is '-t /var/named -u bind')

Gary, what named related settings do you have in /etc/rc.conf? You almost certainly don't need anything more than:

    named_enable="YES"

and perhaps

    syslogd_flags="-ss -l /var/named/var/run/log"

so named can log to the system syslog.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
Re: DNS and file system messed up...
On Jul 8, 2011, at 3:01 AM, Matthew Seaman wrote:
> On 08/07/2011 08:25, Doug Hardie wrote:
>> On 7 July 2011, at 22:58, Gary Kline wrote:
>>> Jul 7 10:16:33 ethic named[54366]: none:0: open: /etc/named.conf: file not found
>>> Jul 7 10:17:56 ethic named[54371]: starting BIND 9.3.6-P1 -c /var/named/etc/namedb/named.conf
>>
>> The first one that fails is looking for /etc/named.conf. The second one shows it's in /var/named/etc/named/named.conf. Those are different locations. I suspect you have named_flags setup in rc.conf pointing to /etc/namedb/named.conf rather than the right location. It's also possible that it's not set in rc.conf but defaults in either the rc script or /etc/rc.d/named. On my system it appears to default in /etc/rc.d/named.
>
> FreeBSD defaults to running named chrooted. /etc/namedb is actually a symbolic link:
>
>     % ls -la /etc/namedb
>     lrwxr-xr-x  1 root  wheel  21 Jul  6 06:24 /etc/namedb@ -> /var/named/etc/namedb
>
> so the files referenced are in fact exactly the same file.

Actually /etc/named.conf is NOT the same as /etc/namedb/named.conf ergo it is not the same as /var/named/etc/namedb/named.conf

Gary, add

    named_flags="-c /etc/namedb/named.conf"

to /etc/rc.conf. Or change /etc/namedb/named.conf to the /var version if you like/there is no symlink.

Dan

> However, the flags from the log extract don't look like the defaults to me. (I'm running the dns/bind98 port, and the equivalent info from the log line is '-t /var/named -u bind')
>
> Gary, what named related settings do you have in /etc/rc.conf? You almost certainly don't need anything more than:
>
>     named_enable="YES"
>
> and perhaps
>
>     syslogd_flags="-ss -l /var/named/var/run/log"
>
> so named can log to the system syslog.
>
> Cheers,
>
> Matthew
>
> -- 
> Dr Matthew J Seaman MA, D.Phil.
> 7 Priory Courtyard
> Flat 3
> Ramsgate
> Kent, CT11 9PW
> PGP: http://www.infracaninophile.co.uk/pgpkey
> JID: matt...@infracaninophile.co.uk
Re: DNS and file system messed up...
On Fri, Jul 08, 2011 at 12:25:34AM -0700, Doug Hardie wrote:
> Date: Fri, 8 Jul 2011 00:25:34 -0700
> From: Doug Hardie bc...@lafn.org
> Subject: Re: DNS and file system messed up...
> To: Gary Kline kl...@thought.org
> Cc: FreeBSD Mailing List freebsd-questions@freebsd.org
> X-Mailer: Apple Mail (2.1084)
>
> On 7 July 2011, at 22:58, Gary Kline wrote:
>> Jul 7 10:16:33 ethic named[54366]: none:0: open: /etc/named.conf: file not found
>> Jul 7 10:17:56 ethic named[54371]: starting BIND 9.3.6-P1 -c /var/named/etc/namedb/named.conf
>
> The first one that fails is looking for /etc/named.conf. The second one shows it's in /var/named/etc/named/named.conf. Those are different locations. I suspect you have named_flags setup in rc.conf pointing to /etc/namedb/named.conf rather than the right location. It's also possible that it's not set in rc.conf but defaults in either the rc script or /etc/rc.d/named. On my system it appears to default in /etc/rc.d/named.

Hm.. i understand most of this. grep -r from /etc found something i've never understood. chroot stuff. to me, root is always / and root's home is /root. I've never dug deeper. here is the named stuff in /etc/defaults dir:

    named_enable="NO"               # Run named, the DNS server (or NO).
    named_program="/usr/sbin/named" # Path to named, if you want a different one.
    #named_flags="-c /etc/namedb/named.conf" # Uncomment for named not in /usr/sbin
    named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
    named_uid="bind"                # User to run named as
    named_chrootdir="/var/named"    # Chroot directory (or "" not to auto-chroot it)
    named_chroot_autoupdate="YES"   # Automatically install/update chrooted
                                    # components of named. See /etc/rc.d/named.
    named_symlink_enable="YES"      # Symlink the chrooted pid file

in my /etc/rc.conf file are the 3 named lines:

    named_enable="YES"
    named_program="/usr/local/sbin/named"
    named_pidfile="/var/run/named/pid"

I don't see anything here that could be messing me up unless by using the default lines, something is going waaay South.

Lastly, has the /etc/rc.d/named script changed in the past year or two?

thankee

-- 
Gary Kline kl...@thought.org http://www.thought.org Public Service Unix
Journey Toward the Dawn, E-Book: http://www.thought.org
The 8.51a release of Jottings: http://jottings.thought.org
Re: DNS and file system messed up...
On Fri, Jul 08, 2011 at 10:01:45AM +0100, Matthew Seaman wrote:
> Date: Fri, 08 Jul 2011 10:01:45 +0100
> From: Matthew Seaman m.sea...@infracaninophile.co.uk
> Subject: Re: DNS and file system messed up...
> To: freebsd-questions@freebsd.org
>
> On 08/07/2011 08:25, Doug Hardie wrote:
>> On 7 July 2011, at 22:58, Gary Kline wrote:
>>> Jul 7 10:16:33 ethic named[54366]: none:0: open: /etc/named.conf: file not found
>>> Jul 7 10:17:56 ethic named[54371]: starting BIND 9.3.6-P1 -c /var/named/etc/namedb/named.conf
>>
>> The first one that fails is looking for /etc/named.conf. The second one shows it's in /var/named/etc/named/named.conf. Those are different locations. I suspect you have named_flags setup in rc.conf pointing to /etc/namedb/named.conf rather than the right location. It's also possible that it's not set in rc.conf but defaults in either the rc script or /etc/rc.d/named. On my system it appears to default in /etc/rc.d/named.
>
> FreeBSD defaults to running named chrooted. /etc/namedb is actually a symbolic link:

hi matthew, i found an in-depth post you wrote re mtree yesterday ( 07july ), but i figured it was over my head in resetting anything i might need to reset. i was going to write you offlist. decided to ask the entire list.

>     % ls -la /etc/namedb
>     lrwxr-xr-x  1 root  wheel  21 Jul  6 06:24 /etc/namedb@ -> /var/named/etc/namedb
>
> so the files referenced are in fact exactly the same file. However, the flags from the log extract don't look like the defaults to me. (I'm running the dns/bind98 port, and the equivalent info from the log line is '-t /var/named -u bind')

i was using bind98 rather than the earlier bind9 which is out of date. but bind98 gave me troubles with the rndc.key and other, so i chose to go back with what worked. --first thing is to get this working with the older bind9. FWIW, both bind9's given me the same error and failure. i have walked thru the named script to the point where it creates the symlink. regardless, i cannot understand the error and failure messages. i only know that my kill -9 and my initialization by hand work.

> Gary, what named related settings do you have in /etc/rc.conf? You almost certainly don't need anything more than:
>
>     named_enable="YES"
>
> and perhaps
>
>     syslogd_flags="-ss -l /var/named/var/run/log"
>
> so named can log to the system syslog.

Hmmm [c]. as you may have seen in my post to Doug H. i only have --

    named_enable="YES"
    named_program="/usr/local/sbin/named"
    named_pidfile="/var/run/named/pid"

> Cheers,
>
> Matthew
>
> -- 
> Dr Matthew J Seaman MA, D.Phil.
> 7 Priory Courtyard
> Flat 3
> Ramsgate
> Kent, CT11 9PW
> PGP: http://www.infracaninophile.co.uk/pgpkey
> JID: matt...@infracaninophile.co.uk

-- 
Gary Kline kl...@thought.org http://www.thought.org Public Service Unix
Journey Toward the Dawn, E-Book: http://www.thought.org
The 8.51a release of Jottings: http://jottings.thought.org
Re: DNS and file system messed up...
On Fri, Jul 08, 2011 at 07:27:12AM -0600, Dan Busarow wrote:
> Date: Fri, 8 Jul 2011 07:27:12 -0600
> From: Dan Busarow d...@buildingonline.com
> Subject: Re: DNS and file system messed up...
> To: freebsd-questions@freebsd.org
> X-Mailer: Apple Mail (2.753.1)
>
> On Jul 8, 2011, at 3:01 AM, Matthew Seaman wrote:
>> On 08/07/2011 08:25, Doug Hardie wrote:
>>> On 7 July 2011, at 22:58, Gary Kline wrote:
>>>> Jul 7 10:16:33 ethic named[54366]: none:0: open: /etc/named.conf: file not found
>>>> Jul 7 10:17:56 ethic named[54371]: starting BIND 9.3.6-P1 -c /var/named/etc/namedb/named.conf
>>>
>>> The first one that fails is looking for /etc/named.conf. The second one shows it's in /var/named/etc/named/named.conf. Those are different locations. I suspect you have named_flags set up in rc.conf pointing to /etc/namedb/named.conf rather than the right location. It's also possible that it's not set in rc.conf but defaults in either the rc script or /etc/rc.d/named. On my system it appears to default in /etc/rc.d/named.
>>
>> FreeBSD defaults to running named chrooted. /etc/namedb is actually a symbolic link:
>>
>> % ls -la /etc/namedb
>> lrwxr-xr-x 1 root wheel 21 Jul 6 06:24 /etc/namedb@ -> /var/named/etc/namedb
>>
>> so the files referenced are in fact exactly the same file.
>
> Actually /etc/named.conf is NOT the same as /etc/namedb/named.conf, ergo it is not the same as /var/named/etc/namedb/named.conf.
>
> Gary, add named_flags="-c /etc/namedb/named.conf" to /etc/rc.conf. Or change /etc/namedb/named.conf to the /var version if you like/there is no symlink.
>
> Dan

Dan! I think you fixed something.

I haven't figured this out yet, and would be grateful if you could decode this in /var/log/messages:

Jul 8 20:39:32 ethic named[83003]: stopping command channel on ::1#953
Jul 8 20:39:32 ethic named[83003]: exiting
Jul 8 20:39:37 ethic named[84090]: starting BIND 9.3.6-P1 -c /etc/namedb/named.conf -t /var/named -u bind
Jul 8 20:39:37 ethic named[84090]: none:0: open: /etc/rndc.key: file not found
Jul 8 20:39:37 ethic named[84090]: couldn't add command channel 127.0.0.1#953: file not found
Jul 8 20:39:37 ethic named[84090]: none:0: open: /etc/rndc.key: file not found
Jul 8 20:39:37 ethic named[84090]: couldn't add command channel ::1#953: file not found
Jul 8 20:39:37 ethic named[84090]: the working directory is not writable
Jul 8 20:39:37 ethic named[84090]: running

This, after I added your named_flags line into /etc/rc.conf. Where I get lost is *what* gives me those none:0 lines?? I see the same or worse err when I drop in bind98. IIRC, named does run, but the messages log is full of rndc.key error messages that I just cannot understand. _Now_, having dropped in your named_flags line, I am seeing something similar. I have grepped through the entire /etc/ tree and haven't found anything that explains where I messed up. Ideas? Thanks to you or anybody else on-list.

gary

>> However, the flags from the log extract don't look like the defaults to me. (I'm running the dns/bind98 port, and the equivalent info from the log line is '-t /var/named -u bind')
>>
>> Gary, what named related settings do you have in /etc/rc.conf? You almost certainly don't need anything more than:
>>
>> named_enable="YES"
>>
>> and perhaps
>>
>> syslogd_flags="-ss -l /var/named/var/run/log"
>>
>> so named can log to the system syslog.
>>
>> Cheers, Matthew
>>
>> -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matt...@infracaninophile.co.uk Kent, CT11 9PW

-- Gary Kline kl...@thought.org http://www.thought.org Public Service Unix Journey Toward the Dawn, E-Book: http://www.thought.org The 8.51a release of Jottings: http://jottings.thought.org

___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
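An added example (not from the thread) that reproduces the path lookup behind both log extracts above: with `-t /var/named`, every path named opens is taken relative to the chroot, so `/etc/named.conf` becomes `/var/named/etc/named.conf` (not found) and `/etc/rndc.key` becomes `/var/named/etc/rndc.key`, while the host's `/etc/namedb` symlink makes the same config look like `/etc/namedb/named.conf` from outside. It assumes a build whose compiled-in default config path is `/etc/named.conf` (what the first log shows) and builds a throwaway directory tree in place of `/`.

```python
import os
import shlex
import tempfile


def resolve_in_chroot(root, path):
    """Map an absolute path, as a process sees it after chroot(2) into root,
    onto the host filesystem. Host-side symlinks such as /etc/namedb play no
    part here: the chrooted named never sees the host's /etc."""
    return os.path.join(root, path.lstrip("/"))


def check_named_flags(host_root, named_flags, default_conf="/etc/named.conf",
                      extra_files=("/etc/rndc.key",)):
    """Parse the rc.conf named_flags value and report, for the config file and
    each extra file named refers to, the host path it will actually open and
    whether that file exists. host_root stands in for '/' so the example can
    run against a temporary tree. default_conf is assumed to be what this
    build looks for when no -c is given (the first log extract above)."""
    args = shlex.split(named_flags)
    chroot, conf = None, default_conf
    i = 0
    while i < len(args):
        if args[i] == "-t" and i + 1 < len(args):
            chroot = args[i + 1]
            i += 2
        elif args[i] == "-c" and i + 1 < len(args):
            conf = args[i + 1]
            i += 2
        else:
            i += 1
    base = host_root if chroot is None else resolve_in_chroot(host_root, chroot)
    report = {}
    for path in (conf,) + tuple(extra_files):
        host_path = resolve_in_chroot(base, path)
        report[path] = (host_path, os.path.isfile(host_path))
    return report


def host_sees(host_root, path):
    """What an administrator sees from outside the chroot, following symlinks."""
    return os.path.isfile(resolve_in_chroot(host_root, path))


def build_demo_tree(root):
    """Constructed stand-in for the FreeBSD layout the thread describes: the real
    config lives under /var/named and /etc/namedb is a symlink into it."""
    namedb = os.path.join(root, "var/named/etc/namedb")
    os.makedirs(namedb)
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(namedb, "named.conf"), "w") as f:
        f.write('options { directory "/etc/namedb"; };\n')
    os.symlink(namedb, os.path.join(root, "etc/namedb"))
    return root


def demo():
    root = build_demo_tree(tempfile.mkdtemp())
    # First log: no -c, so named opens /etc/named.conf *inside* /var/named: not found.
    failing = check_named_flags(root, "-t /var/named -u bind")
    # Second log: Dan's named_flags; the config resolves, /etc/rndc.key still does not,
    # because named is looking for /var/named/etc/rndc.key.
    fixed = check_named_flags(root, "-c /etc/namedb/named.conf -t /var/named -u bind")
    # Matthew's point: from the host, /etc/namedb/named.conf is the same file.
    same_file = host_sees(root, "/etc/namedb/named.conf")
    return failing, fixed, same_file


if __name__ == "__main__":
    for report in demo()[:2]:
        for path, (host_path, exists) in report.items():
            print(f"{path:28} -> {host_path} {'ok' if exists else 'file not found'}")
```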
Re: DNS and file system messed up...
On Thu, Jul 07, 2011 at 06:00:42PM +, Gary Kline wrote:
> Date: Thu, 7 Jul 2011 18:00:42 +
> From: Gary Kline kl...@magnesium.net
> Subject: DNS and file system messed up...
> To: FreeBSD Mailing List freebsd-questions@FreeBSD.ORG
>
> Guys,
>
> I'd be much obliged to learn why /etc/rc.named start fails. This has been going on for months. For some reason freebsd.org doesn't recognize part of my domain, so I'm writing from my backup site, magnesium.net. I did *something* that keeps /etc/rc.d/named from working correctly. On the second line below the ^+, you'll see a none:0:/etc/named.conf from messages. The only way I can exec bind9 is by first doing a kill -9, then explicitly starting named and then, with the -c switch, aiming it at my *real* named.conf. I don't want to finish my new/latest install of 7.3 until I understand this screwup.

Nobody has any clues to the capture output? I'm surprised.

-g

> # sh /etc/rc.d/named start
> Starting named.
> +
> # tail /var/log/messages
> Jul 7 10:16:33 ethic named[54366]: starting BIND 9.3.6-P1 -t /var/named -u bind
> Jul 7 10:16:33 ethic named[54366]: none:0: open: /etc/named.conf: file not found
> Jul 7 10:16:33 ethic named[54366]: loading configuration: file not found
> Jul 7 10:16:33 ethic named[54366]: exiting (due to fatal error)
> # tail /var/log/messages
> # kill -9 `head -1 /var/run/named/pid`
> # /usr/local/sbin/named -c /var/named/etc/namedb/named.conf
> Jul 7 10:17:56 ethic named[54371]: starting BIND 9.3.6-P1 -c /var/named/etc/namedb/named.conf
> Jul 7 10:17:56 ethic named[54371]: command channel listening on 127.0.0.1#953
> Jul 7 10:17:56 ethic named[54371]: command channel listening on ::1#953
> Jul 7 10:17:56 ethic named[54371]: running
> +
>
> -- Gary Kline Seattle BSD Users' Group (seabug) | kl...@magnesium.net Thought Unlimited Org's Alternate Email Site http://www.magnesium.net/~kline To live is not a necessity; but to live honorably...is a necessity. -Kant

-- Gary Kline kl...@thought.org http://www.thought.org Public Service Unix Journey Toward the Dawn, E-Book: http://www.thought.org The 8.51a release of Jottings: http://jottings.thought.org
Re: DNS Administrator - Kenya
On Sun, Apr 03, 2011 at 06:57:27PM +0300, Kenneth Parit wrote:
> Hello,
>
> I look forward to becoming the DNS Administrator for my country Kenya. It is impossible to download FreeBSD 8.2 from any of the mirror sites due to disconnections. Since I am contactable any day/time of the year and skilled in DNS setup, kindly email me the latest stable FreeBSD to be installed on Mac Pro (Model 1,1). The following specs:

Why don't you buy a CD set from the FreeBSD Mall and have it posted to you? Then you will be supporting the project as well as putting those DNS skills to good use.
Re: DNS Administrator - Kenya
On Sun, Apr 3, 2011 at 18:57, Kenneth Parit kennethpa...@gmail.com wrote:
> Hello,
>
> I look forward to becoming the DNS Administrator for my country Kenya. It is impossible to download FreeBSD 8.2 from any of the mirror sites due to disconnections. Since I am contactable any day/time of the year and skilled in DNS setup, kindly email me the latest stable FreeBSD to be installed on Mac Pro (Model 1,1). The following specs:
>
> - Dual-Core Intel Xeon
> - Processor speed 2 GHz
> - 4 core (2 processors)
> - L2 Cache (per processor) - 4MB
> - Memory - 1GB
> - Bus Speed - 1.33 GHz
> - Boot ROM Version - MP11.005C.B04
> - SMC Version - 1.7f6
> - Serial Number - CK6350U0UPZ
> - Intel - ESB2 AHCI
> - Speed - 3.0 Gigabit
> - Capacity - 150 GB
> - DNS Server address 41.212.3.2, 212.165.130.9
>
> Please keep in mind that FreeBSD is a little overwhelming though my passion in learning is equally high. Include all installation and configuration information required.
>
> Many thanks.
>
> Kind regards
> Kenneth Parit
> +254 752 776675

Hello Parit,

Please contact me on any of the two numbers appearing in my signature text. You will get a FreeBSD 8.2 DVD from me. You can find me at Wilson Airport. If you find FreeBSD a little overwhelming, I am a phone call (or even an e-mail) away if you need help.

-- Best regards, Odhiambo WASHINGTON, Nairobi, KE +254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Damn!!
Re: DNS Administrator - Kenya
On 3 April 2011 18:10, Odhiambo Washington odhia...@gmail.com wrote:
> On Sun, Apr 3, 2011 at 18:57, Kenneth Parit kennethpa...@gmail.com wrote:
>> Hello,
>>
>> I look forward to becoming the DNS Administrator for my country Kenya. It is impossible to download FreeBSD 8.2 from any of the mirror sites due to disconnections. Since I am contactable any day/time of the year and skilled in DNS setup, kindly email me the latest stable FreeBSD to be installed on Mac Pro (Model 1,1). The following specs:
>>
>> - Dual-Core Intel Xeon
>> - Processor speed 2 GHz
>> - 4 core (2 processors)
>> - L2 Cache (per processor) - 4MB
>> - Memory - 1GB
>> - Bus Speed - 1.33 GHz
>> - Boot ROM Version - MP11.005C.B04
>> - SMC Version - 1.7f6
>> - Serial Number - CK6350U0UPZ
>> - Intel - ESB2 AHCI
>> - Speed - 3.0 Gigabit
>> - Capacity - 150 GB
>> - DNS Server address 41.212.3.2, 212.165.130.9
>>
>> Please keep in mind that FreeBSD is a little overwhelming though my passion in learning is equally high. Include all installation and configuration information required.
>>
>> Many thanks.
>>
>> Kind regards
>> Kenneth Parit
>> +254 752 776675
>
> Hello Parit,
>
> Please contact me on any of the two numbers appearing in my signature text. You will get a FreeBSD 8.2 DVD from me. You can find me at Wilson Airport. If you find FreeBSD a little overwhelming, I am a phone call (or even an e-mail) away if you need help.
>
> -- Best regards, Odhiambo WASHINGTON, Nairobi, KE +254733744121/+254722743223
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> Damn!!

Alternatively try one of the torrents; it should survive disconnections far better than ftp etc.
Re: DNS Administrator - Kenya
> Alternatively try one of the torrents; it should survive disconnections far better than ftp etc.

Yes, try the torrents. I don't seed them for nothing. This is probably one of the best ways to get FreeBSD. Here they are: http://torrents.freebsd.org:8080/
Re: DNS Resolution
I ran into a similar situation where the ns was behind a Juniper SRX doing NAT. Said Juniper had a smart DNS piece (ALG) that does special stuff on DNS packets; max record length, special NAT, etc. I had to disable the DNS ALG to fix the problem.

If your ns is behind a NATing device, start there. Or, if you can run tcpdump on the ns, or before it hits a fw/NAT, ensure the reply packets have the proper IP in them as they leave the ns.

----- Original Message -----
From: owner-freebsd-questi...@freebsd.org owner-freebsd-questi...@freebsd.org
To: freebsd-questions@freebsd.org freebsd-questions@freebsd.org
Sent: Fri Nov 19 18:50:33 2010
Subject: DNS Resolution

> I have a weird DNS problem I am hoping someone can help me with. I have a server running FBSD 8.0. /etc/resolv.conf is set to use my ISP's DNS servers for name resolution. If I run dig @ns3.socket.net .yyy. the INTERNAL ip address of the server is returned. If I run d...@ns3.socket.net .yyy. axfr, the correct information for the entire zone is returned. I am only noticing problems with .yyy.. All other names seem to resolve correctly. Any suggestions would be greatly appreciated.
>
> Thanks,
> Jay

This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system.
Re: DNS Resolution
On Friday, November 19, 2010 07:25:10 pm Gary Gatten wrote:
> I ran into a similar situation where the ns was behind a Juniper SRX doing NAT. Said Juniper had a smart DNS piece (ALG) that does special stuff on DNS packets; max record length, special NAT, etc. I had to disable the DNS ALG to fix the problem.
>
> If your ns is behind a NATing device, start there. Or, if you can run tcpdump on the ns, or before it hits a fw/NAT, ensure the reply packets have the proper IP in them as they leave the ns.

Thanks for the quick response. I think this is a problem with a piece of equipment I do not have access to. The only difference between the site experiencing the problem and the other sites I maintain is the router. If I redirect DNS queries to other sites, everything works as expected.

Thanks for your help.
Re: DNS not working since May 6 2010
On 06/05/2010 21:40:02, Jonathan Chen wrote:
> I've got a small DNS server on my home network, and ever since May 6, 2010 (co-incidentally DNSSEC root sign day), lookups on freebsd.org have started failing. eg:

Uh, the DURZ was installed on j.root; the last one of the root servers to get it. Besides, .org was DNSSEC signed way back in June 2009. That is not causing your problem here.

> ~,8:36am dig www.freebsd.org a
> ; <<>> DiG 9.6.1-P3 <<>> www.freebsd.org a
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> Lookups on other domains still appear to work, Google, OpenBSD, NetBSD, etc. Is anyone else seeing this? How do I fix it?

Works fine here:

% dig +short www.freebsd.org a
69.147.83.33

Hmmm. DNS for freebsd.org is provided by ISC. They had a fibre break yesterday -- no idea whether it could have affected resolving freebsd.org but it's worth trying again now it's all been repaired.

Otherwise, you need to work out why the DNS lookup is failing. That means turning up the logging on your recursive server and hunting for clues. Probably the biggest cause of DNS problems at the moment are firewalls that do not handle large UDP packets properly and that interfere with the EDNS and/or fall-back to TCP algorithms used. You can test that using: https://www.dns-oarc.net/oarc/services/replysizetest

Cheers, Matthew

-- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
Re: DNS not working since May 6 2010
On Fri, May 07, 2010 at 09:02:13AM +0100, Matthew Seaman wrote:
> On 06/05/2010 21:40:02, Jonathan Chen wrote:
>> I've got a small DNS server on my home network, and ever since May 6, 2010 (co-incidentally DNSSEC root sign day), lookups on freebsd.org have started failing. eg:
>
> Uh, the DURZ was installed on j.root; the last one of the root servers to get it. Besides, .org was DNSSEC signed way back in June 2009. That is not causing your problem here.

Hmm, I ran across a DNSSEC article in The Register, which led me to: http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues

Working through it, I tweaked my named.conf's edns-udp-size option and it started working again. So it looks like it was related to the final set of root servers being enabled.

Cheers.

-- Jonathan Chen j...@chen.org.nz -- When all else fails, RTFM
Re: DNS problems at thought.org
On Sat, 12 Dec 2009 19:25:43 -0800, Gary Kline kl...@thought.org wrote:
> On Sun, Dec 13, 2009 at 12:29:30AM +0200, Giorgos Keramidas wrote:
>> You have some serious DNS issues with your current setup. I think you should start by:
>>
>> 1) *Removing* from the NS records of your domain the name servers that are not necessary (the celestial.com ones).
>> 2) *Updating* the NS list of the same domain at the DNS registrar you are using to use ns1.thought.org and ns1.localhostservices.net.
>> 3) Checking the firewall settings at ns1.thought.org to see why it does not respond to queries.
>
> Jon just got home and mailed me about my secondaries. With what he said, or tried to explain, and what you have below, the picture is pretty clear. Jon thinks I need to drop the ns2.secondary.com secondaries and others that are not consistent. Some point to aristotle; others to ethic.

Yes, that makes perfect sense. It's the main reason why I wrote step 1 in the above list. When you *do* update the NS listing through your DNS registration service, point it _only_ at name servers that really have a valid copy of your zone files and are set up to serve as secondaries. After a while, when the changes propagate to all the name servers, your domain should work fine with bind (either the base-system or ports version).

> Things may be happening. Since I have no webserver apps [GUI] I gave the gkg.net info to Jon and asked him to edit my files there. I use pfsense as my firewall. I'm still in learning mode about its fine points, but from what I understand, it points only to ethic ... I think in the past few days--two or three days. *Thanks* for filling in the blank spaces.

No problem.
Re: DNS Question
Chuck Swiger wrote:
> On Oct 23, 2009, at 10:31 AM, Matthew Seaman wrote:
>>> You aren't supposed to use CNAMES for anything found in other RR's; in particular, you should always use an A record with the hostnames used for nameservers (ie, have an NS record), because you are supposed to be using the canonical name rather than an alias.
>>
>> Errr? You mean the rule that NS and MX and SRV rdata must include an A record rather than a CNAME? That's true, but what does that have to do with web serving?
>
> Consider the case of redirects involving cnames; you end up with a lot of extra DNS traffic.
>
>> The illegality mentioned further upthread is that you can't use a CNAME at a zone apex because of the 'CNAME and other data rule'[*] -- as there's always got to be SOA and NS records at the zone apex, if you want a web page at 'example.com' you'd have to provide an A or AAAA record for it. Unless you're Verisign and have control over the nameservers for .com, this is almost certainly illegal:
>>
>> example.com. IN CNAME www.example.com
>>
>> On the other hand:
>>
>> www.example.com. IN CNAME example.com.
>>
>> is generally fine.
>
> It's generally fine, sure, but almost never ideal. You don't save traffic by using CNAMEs instead of A records.
>
>>> PS: It's odd where google pulls up references to fairly canonical docs, sometimes. I'm not sure I even recognize ua, and I suspect I deal with two-letter ISO 3166 country names more than most folks do. Maybe Ukraine? :-)
>>
>> Of course it's Ukraine. .uk was already taken, even though the two letter iso-code for this country is officially .gb. We're in an exclusive club of two nations that generally don't use their official iso-code in the DNS. No prizes for guessing which the other one is.
>
> Shucks, how can you pull in Jeopardy references and then deny giving out prizes? Well, my guess would be ie, although people who speak Finnish and call their home Suomi might find fi odd, also.
>
>> Cheers, Matthew
>>
>> [*] Little known factoid, but there are two legal exceptions to the 'CNAME and other data' rule. You can have RRSIG or NSEC records at the same label as CNAME -- see RFC 4035. Obscure DNS trivia for 100, Alex...
>
> Regards,

Just so everyone knows, having a domain with a CNAME at the top will hose your mail traffic. We tried it, and some servers delivered fine, others did not. Checking with dig +trace, and dns stuff, showed the problem. Just trying to get an MX record for mainstreetfin.com would fail. The record we had was,

mainstreetfin.com CNAME website.elliemae.com

And the problem is shown below.

---
DNS Lookup: mainstreetfin.com MX record
Searching for mainstreetfin.com MX record at a.root-servers.net [198.41.0.4]: Got referral to M.GTLD-SERVERS.NET. (zone: com.) [took 39 ms]
Searching for mainstreetfin.com MX record at M.GTLD-SERVERS.NET. [192.55.83.30]: Got referral to ns2auth.tls.net. (zone: mainstreetfin.com.) [took 11 ms]
Searching for mainstreetfin.com MX record at ns2auth.tls.net. [65.123.104.30]: Got CNAME of website.elliemae.com. and referral to k.root-servers.net [took 36 ms]
Searching for website.elliemae.com MX record at g.root-servers.net [192.112.36.4]: Got referral to I.GTLD-SERVERS.NET. (zone: com.) [took 143 ms]
Searching for website.elliemae.com MX record at I.GTLD-SERVERS.NET. [192.43.172.30]: Got referral to ns2.elliemae.net. (zone: elliemae.com.) [took 63 ms]
Searching for website.elliemae.com MX record at ns2.elliemae.net. [63.241.88.21]: Timed out. Trying again.
Searching for website.elliemae.com MX record at ns2.elliemae.net. [63.241.88.21]: Timed out. Trying again.
Searching for website.elliemae.com MX record at ns1.elliemae.net. [216.35.165.21]: Reports that no MX records exist. [took 46 ms]
Response: No MX records exist for website.elliemae.com. [Neg TTL=300 seconds]
Details: ns1.elliemae.net. (an authoritative nameserver for elliemae.com.) says that there are no MX records for website.elliemae.com. The E-mail address in charge of the elliemae.com. zone is: hostmas...@elliemae.com.
NOTE: One or more CNAMEs were encountered. mainstreetfin.com is really website.elliemae.com.

So some mail servers never asked our authoritative servers what the MX record was. Interesting.

DAve

-- Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it. John Quincy Adams http://appleseedinfo.org
Re: DNS Question
DAve wrote:
> Good morning.
>
> I have been asked by my co-workers and sales why I always create an A record for new domains we host instead of a CNAME. The issue I run into lately with some domains is that a client has a website with an industry host such as frank.relator.com and he wants to have DNS point www.frank.com to frank.relator.com with a CNAME. The client does not want an A record for frank.com.
>
> Somewhere, in a class far far away, I was taught a DNS zone had to have an A record to function properly. I can't seem to locate anything in the RFCs. Am I wrong?

Yes, you're wrong. In terms of web service, you can use either an A record or a CNAME record to provide the address part of a site's URL[*]. As far as the web server is concerned, it looks for the 'Host=' line in the HTTP packet to decide what name-based VHOST to dispatch the query to internally, and doesn't necessarily do any DNS lookups at all. Web clients just do a gethostbyname(3) or getaddrinfo(3) call to resolve the site name into an IP, and anything supported by those (/etc/hosts, NIS, LDAP, DNS) will do the trick.

In terms of the DNS a 'Zone' is a delegated block of the name space under a single administrative control. Typically with BIND this maps onto a single 'Zone file' containing all of the DNS resource records for the zone. The only records a zone *has* to have are:

* 1 SOA record, with the zone serial number
* Some number of NS records giving the nameservers for the zone.

It's perfectly permissible to have a zone that doesn't contain any A records (or AAAA records) and in fact, reasonably common: reverse domains generally contain mostly PTR records.

Cheers, Matthew

[*] Possibly others, but A and CNAME are the vast majority. Being able to use SRV for webservers would be cool.

-- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW

signature.asc Description: OpenPGP digital signature
Re: DNS Question
Sean Cavanaugh wrote:
>> Date: Fri, 23 Oct 2009 08:30:08 -0400
>> From: dave.l...@pixelhammer.com
>> To: freebsd-questions@freebsd.org
>> Subject: DNS Question
>>
>> Good morning.
>>
>> I have been asked by my co-workers and sales why I always create an A record for new domains we host instead of a CNAME. The issue I run into lately with some domains is that a client has a website with an industry host such as frank.relator.com and he wants to have DNS point www.frank.com to frank.relator.com with a CNAME. The client does not want an A record for frank.com.
>>
>> Somewhere, in a class far far away, I was taught a DNS zone had to have an A record to function properly. I can't seem to locate anything in the RFCs. Am I wrong?
>
> I think you are confusing basics of DNS records. You are partially correct in that a DNS zone needs an initial A record to be able to translate a name to an IP, but there is nothing wrong about setting up a CNAME to point to a record in a different zone instead. You just cannot do a zone that has a CNAME only that does not at some point point to a valid A record. CNAMEs are forwarders only whereas A records are actual lookups.
>
> For the proper way to set this up: the A record would be assigned for the main name that you want to associate to an IP address. The CNAME record just relates a different name to that original name. This allows you to change the IP address of the server and only have to update the original A record instead of every DNS record for that server. For a small number of vhosts, this would not really be an issue, but imagine if you were hosting a couple hundred vhosts from a single IP and then had to change that IP because you switched your ISP. It would take you a LONG time to update them if they were all A records, but only a couple of seconds if you had it properly set up as CNAMEs.
>
> www.bobshosting.com    A      192.168.0.1
> www.vhost1.com         CNAME  www.bobshosting.com.
> www.vhost2.com         CNAME  www.bobshosting.com.
> www.vhost3.com         CNAME  www.bobshosting.com.
> www.vhost4.com         CNAME  www.bobshosting.com.
>
> -Sean

All true, and I did not do a very good job of explaining it. My issue was that we have requests to use a CNAME for the domain record. Such as this.

example.com        CNAME  otherdomain.com
www.example.com    CNAME  otherdomain.com

I was taught this was not good form, but allowed. I can deal with it. But what of having an SOA record for example.com, no A or CNAME record for the TLD example.com, only hosts such as www, ns1, ftp, etc. I tried it and it seems to work fine, but doesn't look proper to me. Then again I remember when CNAMEs were considered evil.

DAve

-- Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it. John Quincy Adams http://appleseedinfo.org
Re: DNS Question
> All true, and I did not do a very good job of explaining it. My issue was that we have requests to use a CNAME for the domain record. Such as this.
>
> example.com        CNAME  otherdomain.com
> www.example.com    CNAME  otherdomain.com
>
> I was taught this was not good form

worse, it's illegal.

> , but allowed. I can deal with it. But what of having an SOA record for example.com, no A or CNAME record for the TLD example.com, only hosts such as www, ns1, ftp, etc. I tried it and it seems to work fine, but doesn't look proper to me. Then again I remember when CNAMEs were considered evil.

CNAMEs are still evil, unless 1) no other solution exists and 2) the user knows how to use CNAMEs (rare).

Len
RE: DNS Question
>>> All true, and I did not do a very good job of explaining it. My issue was that we have requests to use a CNAME for the domain record. Such as this.
>>>
>>> example.com        CNAME  otherdomain.com
>>> www.example.com    CNAME  otherdomain.com
>>>
>>> I was taught this was not good form
>>
>> worse, it's illegal.
>
> how is this illegal?

CNAME rule: a node with a CNAME cannot contain any other records.

for the node domain.tld:

domain.tld.  soa    ...
domain.tld.  ns     ...
domain.tld.  cname  otherdomain.tld.

this node has a CNAME and other data, so it's illegal, no matter what you want to do, or what makes sense to you, or what is convenient for you.

Len
Re: DNS Question
Hi--

On Oct 23, 2009, at 9:18 AM, Sean Cavanaugh wrote:
>> worse, it's illegal.
>
> how is this illegal? if you are residing your domain on a hosting service, this makes sense to me. Granted it's bad form and should have an A record to the host for the main domain record, but if I had control over otherdomain.com and not example.com and had to change the IP address, example.com would be dead until I was able to reach the owner of that domain and have them change their DNS info.

You aren't supposed to use CNAMES for anything found in other RR's; in particular, you should always use an A record with the hostnames used for nameservers (ie, have an NS record), because you are supposed to be using the canonical name rather than an alias. See:

http://docstore.mik.ua/orelly/networking/sendmail/ch21_03.htm#SML2-CH-21-SECT-3-2

You might also find a discussion of webserver redirects and the like interesting:

http://www.aitechsolutions.net/cname-serveralias-redirection.html

Regards,
-- -Chuck

PS: It's odd where google pulls up references to fairly canonical docs, sometimes. I'm not sure I even recognize ua, and I suspect I deal with two-letter ISO 3166 country names more than most folks do. Maybe Ukraine? :-)
RE: DNS Question
>> how is this illegal?
>
> CNAME rule: a node with a CNAME cannot contain any other records.
>
> for the node domain.tld:
>
> domain.tld.  soa    ...
> domain.tld.  ns     ...
> domain.tld.  cname  otherdomain.tld.
>
> this node has a CNAME and other data, so it's illegal, no matter what you want to do, or what makes sense to you, or what is convenient for you.

ah yes, forgot about that. you are correct on that line.

-Sean
Re: DNS Question
Chuck Swiger wrote:
> Hi--
>
> On Oct 23, 2009, at 9:18 AM, Sean Cavanaugh wrote:
>>> worse, it's illegal.
>>
>> how is this illegal? if you are residing your domain on a hosting service, this makes sense to me. Granted it's bad form and should have an A record to the host for the main domain record, but if I had control over otherdomain.com and not example.com and had to change the IP address, example.com would be dead until I was able to reach the owner of that domain and have them change their DNS info.
>
> You aren't supposed to use CNAMES for anything found in other RR's; in particular, you should always use an A record with the hostnames used for nameservers (ie, have an NS record), because you are supposed to be using the canonical name rather than an alias.

Errr? You mean the rule that NS and MX and SRV rdata must include an A record rather than a CNAME? That's true, but what does that have to do with web serving?

The illegality mentioned further upthread is that you can't use a CNAME at a zone apex because of the 'CNAME and other data rule'[*] -- as there's always got to be SOA and NS records at the zone apex, if you want a web page at 'example.com' you'd have to provide an A or AAAA record for it. Unless you're Verisign and have control over the nameservers for .com, this is almost certainly illegal:

example.com. IN CNAME www.example.com

On the other hand:

www.example.com. IN CNAME example.com.

is generally fine.

> PS: It's odd where google pulls up references to fairly canonical docs, sometimes. I'm not sure I even recognize ua, and I suspect I deal with two-letter ISO 3166 country names more than most folks do. Maybe Ukraine? :-)

Of course it's Ukraine. .uk was already taken, even though the two letter iso-code for this country is officially .gb. We're in an exclusive club of two nations that generally don't use their official iso-code in the DNS. No prizes for guessing which the other one is.

Cheers, Matthew

[*] Little known factoid, but there are two legal exceptions to the 'CNAME and other data' rule. You can have RRSIG or NSEC records at the same label as CNAME -- see RFC 4035. Obscure DNS trivia for 100, Alex...

-- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW

signature.asc Description: OpenPGP digital signature
Re: DNS Question
On Oct 23, 2009, at 10:31 AM, Matthew Seaman wrote:
>> You aren't supposed to use CNAMES for anything found in other RR's; in particular, you should always use an A record with the hostnames used for nameservers (ie, have an NS record), because you are supposed to be using the canonical name rather than an alias.
>
> Errr? You mean the rule that NS and MX and SRV rdata must include an A record rather than a CNAME? That's true, but what does that have to do with web serving?

Consider the case of redirects involving cnames; you end up with a lot of extra DNS traffic.

> The illegality mentioned further upthread is that you can't use a CNAME at a zone apex because of the 'CNAME and other data rule'[*] -- as there's always got to be SOA and NS records at the zone apex, if you want a web page at 'example.com' you'd have to provide an A or AAAA record for it. Unless you're Verisign and have control over the nameservers for .com, this is almost certainly illegal:
>
> example.com. IN CNAME www.example.com
>
> On the other hand:
>
> www.example.com. IN CNAME example.com.
>
> is generally fine.

It's generally fine, sure, but almost never ideal. You don't save traffic by using CNAMEs instead of A records.

>> PS: It's odd where google pulls up references to fairly canonical docs, sometimes. I'm not sure I even recognize ua, and I suspect I deal with two-letter ISO 3166 country names more than most folks do. Maybe Ukraine? :-)
>
> Of course it's Ukraine. .uk was already taken, even though the two letter iso-code for this country is officially .gb. We're in an exclusive club of two nations that generally don't use their official iso-code in the DNS. No prizes for guessing which the other one is.

Shucks, how can you pull in Jeopardy references and then deny giving out prizes? Well, my guess would be ie, although people who speak Finnish and call their home Suomi might find fi odd, also.

> Cheers, Matthew
>
> [*] Little known factoid, but there are two legal exceptions to the 'CNAME and other data' rule. You can have RRSIG or NSEC records at the same label as CNAME -- see RFC 4035. Obscure DNS trivia for 100, Alex...

Regards,
-- -Chuck
Re: DNS Question
Also, MX needs to resolve to an A, not a CNAME.. If you are using mail on all these domains, use A records

On Fri, Oct 23, 2009 at 10:19 AM, Sean Cavanaugh millenia2...@hotmail.com wrote:

how is this illegal?

CNAME rule: a node with a CNAME cannot contain any other records. for the node domain.tld:

domain.tld. soa ...
domain.tld. ns ...
domain.tld. cname otherdomain.tld.

this node has a CNAME and other data, so it's illegal, no matter what you want to do, or what makes sense to you, or what is convenient for you.

ah yes, forgot about that. you are correct on that line. -Sean
Re: DNS Question
On Fri, 23 Oct 2009 10:33:07 -0700 xSAPPYx xsap...@gmail.com wrote:

Also, MX needs to resolve to an A, not a CNAME.. If you are using mail on all these domains, use A records

You can use the domains for mail provided that they share MX servers, if example.com has a CNAME pointing to example.net then mail to example.com will use the mx servers for example.net. What you shouldn't do is mix the CNAME with separate MX records because it creates an ambiguity.
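The rules argued over in this thread (no other data at a node that owns a CNAME, except the RFC 4035 RRSIG/NSEC case, and NS/MX/SRV targets that must be canonical names) can be checked mechanically before a zone is loaded. The following zone-record lint is an added example, not code from any poster; its record format is a simplified `owner TYPE rdata` line and the sample zones are constructed.

```python
"""Zone-record lint for the rules discussed in this thread: the 'CNAME and
other data' rule (with the RFC 4035 RRSIG/NSEC exception) and the rule that
NS, MX and SRV targets must be canonical names, not aliases.
Added example; the records below are constructed for illustration."""
from collections import defaultdict

# RFC 4035: DNSSEC metadata may share an owner name with a CNAME.
CNAME_COEXIST_OK = {"RRSIG", "NSEC"}
# Types whose rdata names a host that must own an A/AAAA record, never a CNAME.
ALIAS_FORBIDDEN_TARGET = {"NS", "MX", "SRV"}


def normalize(name):
    """Lower-case and fully qualify so 'Example.COM' and 'example.com.' compare equal."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_records(zone_text):
    """Parse simplified zone lines 'owner TYPE rdata...' (no TTL/class; ';' comments).
    Returns a list of (owner, rtype, rdata_fields) tuples."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed record: {raw!r}")
        records.append((normalize(fields[0]), fields[1].upper(), fields[2:]))
    return records


def lint(records):
    """Return sorted problem strings; an empty list means the record set is clean."""
    by_owner = defaultdict(list)
    for owner, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))

    cname_owners = {o for o, rrs in by_owner.items()
                    if any(t == "CNAME" for t, _ in rrs)}
    problems = []
    for owner in cname_owners:
        rrs = by_owner[owner]
        if sum(1 for t, _ in rrs if t == "CNAME") > 1:
            problems.append(f"{owner}: more than one CNAME at this node")
        others = sorted({t for t, _ in rrs
                         if t != "CNAME" and t not in CNAME_COEXIST_OK})
        if others:
            problems.append(f"{owner}: CNAME coexists with {', '.join(others)}")

    for owner, rrs in by_owner.items():
        for rtype, rdata in rrs:
            # For NS, MX and SRV the host name is the last rdata field.
            if rtype in ALIAS_FORBIDDEN_TARGET and rdata:
                target = normalize(rdata[-1])
                if target in cname_owners:
                    problems.append(f"{owner}: {rtype} target {target} is a CNAME")
    return sorted(problems)


# Constructed sample 1: the apex CNAME the thread calls illegal.
APEX_CNAME = """
example.com.      SOA   ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300
example.com.      NS    ns1.example.com.
example.com.      CNAME www.example.com.
ns1.example.com.  A     192.0.2.1
www.example.com.  A     192.0.2.2
"""

# Constructed sample 2: the 'generally fine' direction, an MX that wrongly
# points at an alias, and a signed alias that may carry RRSIG/NSEC.
MIXED = """
example.com.      SOA   ns1.example.com. hostmaster.example.com. 2 3600 900 604800 300
example.com.      NS    ns1.example.com.
example.com.      A     192.0.2.2
example.com.      MX    10 mail.example.com.
www.example.com.  CNAME example.com.
mail.example.com. CNAME mx.example.net.
ns1.example.com.  A     192.0.2.1
alias.example.com. CNAME www.example.com.
alias.example.com. RRSIG CNAME 8 3 3600 20300101000000 20290101000000 12345 example.com. c2lnbmF0dXJl
alias.example.com. NSEC  mail.example.com. CNAME RRSIG NSEC
"""

if __name__ == "__main__":
    for label, text in (("apex", APEX_CNAME), ("mixed", MIXED)):
        for p in lint(parse_records(text)) or [f"{label}: no problems"]:
            print(p)
```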
Re: dns woes - resolved
As it turns out - following a new installation, named.conf is in /var/named/etc/namedb with a symlink from /etc/namedb. To keep all my original DNS records and settings I had restored a backup to /etc/namedb which destroyed the symlink - as a result when I altered /etc/namedb/named.conf named didn't see the changes because it was reading named.conf from another directory.
Re: dns woes
Replies interspersed

On Tue, 2009-03-17 at 14:15 -0400, David Banning wrote:

I have had my dns server working fine in the past but now it seems to be down and I can't locate the reason. Here are some details;

# dig @127.0.0.1 mylocaldomain.com

Is this a real registered .com or some local (to your subnet) domain name?

works, but

# dig @ns1.3s1.com mylocaldomain.com

Same question.

does not. I have all IP addresses listed in named.conf;

listen-on { 192.168.1.1; 209.161.205.12; 127.0.0.1; };

I also note that

$ telnet ns1.3s1.com 53

DNS' primary protocol is UDP, telnet uses TCP. Some DNS servers listen to TCP, however it is not required (the whole point in DNS over TCP are for packets that won't fit in one UDP packet, such as a zone transfer).

show port 53 as closed, while

$ telnet 127.0.0.1 53

See above.

shows it as open

The other strange thing is that I get the startup error;

zone 0.0.127.IN-ADDR.ARPA/IN: loading master file master/localhost.rev: file not found

when in fact /etc/namedb/master/localhost.rev -does- exist.

named is chrooted by default. realpath /etc/namedb/master/localhost.rev != /var/named/etc/namedb/master/localhost.rev (the realpath of the chrooted named binary that is looking for that file).

any pointers would be helpful

See above.
Re: DNS and DHCP Management System
On Thu, Jul 24, 2008 at 1:59 PM, Zamri Besar [EMAIL PROTECTED] wrote: ... tools to manage a big deployment of dns and dhcp services?

What do you mean by big? Or, how big is big.

-- regards, dg ..but the more you use clever tricks, the less support you'll get ... -- M.W.Lucas
Re: DNS troubles
On Mon, Jul 21, 2008 at 10:26 PM, Giorgos Keramidas [EMAIL PROTECTED] wrote:

On Mon, 21 Jul 2008 21:30:56 -0400, Jim [EMAIL PROTECTED] wrote:

I'm trying to get a machine working, but it can't seem to handle DNS requests. I've just done a 7.0 install (from CD, usually I use net, but it wasn't connecting to anything, now I know why). I have a machine with two built in NICs on the motherboard, one using nfe the other using bge. When I try to connect to anything, I get a cannot resolve host error. Both are set up to be static, 192.168.1.84, and bge is 192.168.1.86. I have tried both 192.168.1.1 (the router, which points to the ISPs DNS) and 4.2.2.1 in the /etc/resolve.conf file, each separately, not both at once. The machine can ping both of these addresses and gets a decent to rapid return time (~.3ms for the former, 20ms for the latter) Neither works on this machine. Both work on the other FreeBSD and Windows machines in the house. I have the machine set to dual boot, and DNS works fine under Windows.

I hope you didn't create a resolve.conf file, because it is called resolv.conf without a final e, i.e.:

indeed I did. I removed the 'e' and it works perfectly. Amazing the difference a byte can make. Still, I wonder why it wouldn't work during install? I feel extremely silly at this point. Anyway, anyone know how to turn off the typo daemon? I tried 'killall -9 typod' and '/etc/rc.d/typod stop', but nothing seems to get rid of it...

Thanks again for the help, -Jim Stapleton
Re: DNS troubles
On Mon, 21 Jul 2008 21:30:56 -0400, Jim [EMAIL PROTECTED] wrote:

I'm trying to get a machine working, but it can't seem to handle DNS requests. I've just done a 7.0 install (from CD, usually I use net, but it wasn't connecting to anything, now I know why). I have a machine with two built in NICs on the motherboard, one using nfe the other using bge. When I try to connect to anything, I get a cannot resolve host error. Both are set up to be static, 192.168.1.84, and bge is 192.168.1.86. I have tried both 192.168.1.1 (the router, which points to the ISPs DNS) and 4.2.2.1 in the /etc/resolve.conf file, each separately, not both at once. The machine can ping both of these addresses and gets a decent to rapid return time (~.3ms for the former, 20ms for the latter) Neither works on this machine. Both work on the other FreeBSD and Windows machines in the house. I have the machine set to dual boot, and DNS works fine under Windows.

I hope you didn't create a resolve.conf file, because it is called resolv.conf without a final e, i.e.:

[EMAIL PROTECTED]:/root# ls -ld /etc/resol*
-rw-r--r-- 1 root wheel - 35 Jul 22 01:36 /etc/resolv.conf
[EMAIL PROTECTED]:/root#
Re: DNS troubles
Jim presented these words - circa 7/21/08 6:30 PM-

I'm trying to get a machine working, but it can't seem to handle DNS requests. I've just done a 7.0 install (from CD, usually I use net, but it wasn't connecting to anything, now I know why). I have a machine with two built in NICs on the motherboard, one using nfe the other using bge. When I try to connect to anything, I get a cannot resolve host error. Both are set up to be static, 192.168.1.84, and bge is 192.168.1.86. I have tried both 192.168.1.1 (the router, which points to the ISPs DNS) and 4.2.2.1 in the /etc/resolve.conf file, each separately, not both at once. The machine can ping both of these addresses and gets a decent to rapid return time (~.3ms for the former, 20ms for the latter) Neither works on this machine. Both work on the other FreeBSD and Windows machines in the house. I have the machine set to dual boot, and DNS works fine under Windows. I tried DHCP without any luck. The previous install on this machine just worked.

What I *SUSPECT* is the biggest clue (my guess, check an rc.d file, which?) During boot up, after showing the network interfaces, until showing the login prompt, the terminal gets spammed with b: not found.

Up to this point:
- I installed it once with a boot only CD and it worked fine, but being absent minded, I reinstalled thinking it would be the quickest/easiest way to fix an issue, and the install I had wasn't really 'set-up' yet.
- The DNS checker (bind?) wasn't working properly during the first reinstall. Sadly, I found this out after reformatting the partitions.
- I re-burned the CD with CD1 (not boot only), and tried again - DNS still didn't work.
- I installed from CD.

Process for current install:
- I installed i386/7.0 from Install Disk 1, minimal install + dict, man, info and doc
- I set the root password during the install
- I updated the /etc/ssh* files to the files from my old system (I can ssh into the computer fine)
- I copied over the rc.conf and modified the NIC and startup entries (see below)
- I added if_tap_load=YES to /boot/loader.conf (this was AFTER the DNS issues had started)
- set the values in /etc/resolve.conf
- I copied /etc/supfile-ports and /etc/supfile-src from the old install. These are pretty boring supfiles for ports and src respectively.
- I added my non-root account (so I could ssh in)

That's it. Any ideas? My suspicion is that my next step will be 'rebuild bind from within /usr/src wherever it resides in there'. However, since it wasn't working during install or now, I suspect that won't be enough.

Why do you think 'bind' is the problem? You are not using bind, you are using the DNS resolver (which is the client side of Bind). Can you reach each of the nodes listed in resolv.conf? via ping? via traceroute? Have you tried to issue a 'dig 4.2.2.1 name' to see if you can reach the DNS server? I would first ensure that you have basic network connectivity, once that is confirmed, that you have access to the DNS servers. But your problem is not locally with Bind.

Patrick Mahan ex-Window Washer

Thanks, -Jim Stapleton

/etc/resolve.conf

domain var-dev.net
nameserver 4.2.2.1
nameserver 4.2.2.2
nameserver 4.2.2.3

/etc/rc.conf

hostname="elrond.var-dev.net"
ifconfig_bge0="inet 192.168.1.86 netmask 255.255.255.0"
#ifconfig_re0_alias0="192.168.1.85 netmask 255.255.255.255"
defaultrouter="192.168.1.1"
#for QEmu
ifconfig_nfe0="up polling"
autobridge_interfaces="bridge0"
autobridge_bridge0="tap0 nfe0"
cloned_interfaces="bridge0"
# the bridge gets the IP
#ifconfig_bridge0="inet 10.10.10.2 netmask 255.255.255.0"
ifconfig_bridge0="inet 192.168.1.84 netmask 255.255.255.0"
ifconfig_bridge0_alias0="192.168.1.85 netmask 255.255.255.0"
sshd_enable="YES"
usbd_enable="YES"
linux_enable="YES"
#ntpdate_enable="YES"
ntpd_enable="YES"
#cupsd_enable="YES"
#moused_enable="YES"
#for beryl and hardware autodetect stuff
#compat5_enable="YES"
#dbus_enable="YES"
#polkitd_enable="YES"
#hald_enable="YES"
#gdm_enable="YES"
bsdstats_enable="YES"
# -- sysinstall generated deltas -- # Tue Mar 25 08:22:19 2008
keymap="us.iso"
Re: dns update for 7.0
Joshua Frugé wrote:

I just joined the list (but did search the archive), so I apologize in advance if this was already answered and I missed it. What's the process to update the base bind in freebsd for the new caching poisoning vuln that seems to be all the rage lately? I'm running freebsd 7.0-RELEASE-p2 and I am using the included base bind 9.4.2 as resolver for my network. Will there be an update through freebsd-update to upgrade to bind 9.4.2-p1, or is there some other process I need to follow... compile source and replace?

I recommend you install one or other of the bind ports:

dns/bind9
dns/bind94
dns/bind95

All of these were updated last night to include the UDP port randomization stuff in the latest security patch. (There's not much point in installing dns/bind9 though, as that's a downgrade to bind9.3 from the system supplied bind-9.4.2)

You don't need to overwrite the base system bind -- the vulnerability works on the cache of a running instance of named when configured as a recursive resolver. So as long as you start up the patched daemon, everything should be fine. To start up the version of bind you just installed from ports, add

named_enable="YES"
named_program="/usr/local/sbin/named"
named_flags="-c /etc/namedb/named.conf"

to /etc/rc.conf and then run:

/etc/rc.d/named restart

and check your system logs for a line saying something like:

starting BIND 9.X.Y-P1 -c /etc/namedb/named.conf -t /var/named -u bind

where the 'P1' bit shows you're running the patched version.

There may well be a security notice and a patch for the base system generated in the next few days: the security team is looking into the matter and will respond in due course.

D-day for having everything properly patched is the presentation Dan Kaminsky is doing at the Blackhats conference on August 6th (or possibly August 7th)

The patches ISC have produced will have an adverse effect if you're answering something in excess of 10,000 DNS queries a second, which is rather more than most people would get to deal with, but are otherwise innocuous. http://www.isc.org/index.pl?/sw/bind/bind-security.php

To test if a recursive nameserver is potentially vulnerable, grab the perl script from this site: http://michael.toren.net/code/noclicky/

Cheers, Matthew

-- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
Re: dns update for 7.0
--On Thursday, July 10, 2008 11:05:11 -0500 Joshua Frugé [EMAIL PROTECTED] wrote:

I just joined the list (but did search the archive), so I apologize in advance if this was already answered and I missed it. What's the process to update the base bind in freebsd for the new caching poisoning vuln that seems to be all the rage lately? I'm running freebsd 7.0-RELEASE-p2 and I am using the included base bind 9.4.2 as resolver for my network. Will there be an update through freebsd-update to upgrade to bind 9.4.2-p1, or is there some other process I need to follow... compile source and replace?

Base bind is updated by freebsd-update *assuming* you are using the base bind and not the port bind *and* assuming you haven't altered any of the binaries by patching them manually. You can, of course, use the tried and true make buildworld process to update it as well *when* the patches are released.

-- Paul Schmehl As if it wasn't already obvious, my opinions are my own and not those of my employer.
Re: DNS Problem
Ruel Luchavez wrote:

when i resume it to its current configuration Obtain DBS server automatically the problem is back, is this a problem in my DNS server? I'm using the FreeBSD 6.2 version... I already restarted the DNS Server /etc/rc.d/named restart but nothing happens the problem is still there..Is there any one here could help me solve it?

I'm not sure but it seems that you are trying to use dhcp to receive the address of DNS-server. Check the file /etc/resolv.conf, this file should look like this:

nameserver 10.1.2.3
nameserver 10.4.5.6
nameserver 10.7.8.9

-- Christer Hermansson
Re: DNS Problem
before i post here i already check the /etc/resolve.conf and this is what's inside of it domain name

On Fri, May 2, 2008 at 12:23 AM, Christer Hermansson [EMAIL PROTECTED] wrote:

Ruel Luchavez wrote:

when i resume it to its current configuration Obtain DBS server automatically the problem is back, is this a problem in my DNS server? I'm using the FreeBSD 6.2 version... I already restarted the DNS Server /etc/rc.d/named restart but nothing happens the problem is still there..Is there any one here could help me solve it?

I'm not sure but it seems that you are trying to use dhcp to receive the address of DNS-server. Check the file /etc/resolv.conf, this file should look like this:

nameserver 10.1.2.3
nameserver 10.4.5.6
nameserver 10.7.8.9

-- Christer Hermansson
Re: DNS Problem
before i post here i already check the /etc/resolve.conf and this is what's inside of it

domain name myplace.com.ph
name server 101.1.21.1
name server192.168.1.62

could it be my firewall blocking it? but i didn't change any configuration from it.. Thanks in advance for your help..:(

On Fri, May 2, 2008 at 12:23 AM, Christer Hermansson [EMAIL PROTECTED] wrote:

Ruel Luchavez wrote:

when i resume it to its current configuration Obtain DBS server automatically the problem is back, is this a problem in my DNS server? I'm using the FreeBSD 6.2 version... I already restarted the DNS Server /etc/rc.d/named restart but nothing happens the problem is still there..Is there any one here could help me solve it?

I'm not sure but it seems that you are trying to use dhcp to receive the address of DNS-server. Check the file /etc/resolv.conf, this file should look like this:

nameserver 10.1.2.3
nameserver 10.4.5.6
nameserver 10.7.8.9

-- Christer Hermansson
Re: DNS Problem
On Fri, 2 May 2008 at 09:36 +0800, [EMAIL PROTECTED] confabulated:

before i post here i already check the /etc/resolve.conf and this is what's inside of it

domain name myplace.com.ph
name server 101.1.21.1
name server192.168.1.62

According to the resolver(5) documentation, it should look like this:

domain myplace.com.ph
nameserver 101.1.21.1
nameserver 192.168.1.62

could it be my firewall blocking it? but i didn't change any configuration from it.. Thanks in advance for your help..:(

On Fri, May 2, 2008 at 12:23 AM, Christer Hermansson [EMAIL PROTECTED] wrote:

Ruel Luchavez wrote:

when i resume it to its current configuration Obtain DBS server automatically the problem is back, is this a problem in my DNS server? I'm using the FreeBSD 6.2 version... I already restarted the DNS Server /etc/rc.d/named restart but nothing happens the problem is still there..Is there any one here could help me solve it?

I'm not sure but it seems that you are trying to use dhcp to receive the address of DNS-server. Check the file /etc/resolv.conf, this file should look like this:

nameserver 10.1.2.3
nameserver 10.4.5.6
nameserver 10.7.8.9

-- Christer Hermansson
Re: DNS Problem
Ok..I have follow your post D Hill, but it doesn't solve the problem Please HELP... Thanks..:(

On Fri, May 2, 2008 at 9:45 AM, D Hill [EMAIL PROTECTED] wrote:

On Fri, 2 May 2008 at 09:36 +0800, [EMAIL PROTECTED] confabulated:

before i post here i already check the /etc/resolve.conf and this is what's inside of it

domain name myplace.com.ph
name server 101.1.21.1
name server192.168.1.62

According to the resolver(5) documentation, it should look like this:

domain myplace.com.ph
nameserver 101.1.21.1
nameserver 192.168.1.62

could it be my firewall blocking it? but i didn't change any configuration from it.. Thanks in advance for your help..:(

On Fri, May 2, 2008 at 12:23 AM, Christer Hermansson [EMAIL PROTECTED] wrote:

Ruel Luchavez wrote:

when i resume it to its current configuration Obtain DBS server automatically the problem is back, is this a problem in my DNS server? I'm using the FreeBSD 6.2 version... I already restarted the DNS Server /etc/rc.d/named restart but nothing happens the problem is still there..Is there any one here could help me solve it?

I'm not sure but it seems that you are trying to use dhcp to receive the address of DNS-server. Check the file /etc/resolv.conf, this file should look like this:

nameserver 10.1.2.3
nameserver 10.4.5.6
nameserver 10.7.8.9

-- Christer Hermansson
Re: DNS Problem
On Fri, May 02, 2008 at 09:36:51AM +0800, Ruel Luchavez wrote:

before i post here i already check the /etc/resolve.conf and this is what's inside of it

domain name myplace.com.ph
name server 101.1.21.1
name server192.168.1.62

The problems with what you've just posted are:

1. the file is /etc/resolv.conf, not /etc/resolve.conf
2. your contents are wrong, they should look like:

domain myplace.com.ph
nameserver 101.1.21.1
nameserver 192.168.1.62

-- Jonathan Chen [EMAIL PROTECTED] -- The things we know best are the things we haven't been taught. - Marquis de Vauvenargues
Re: DNS Problem
On Fri, 2 May 2008 at 15:35 +1200, [EMAIL PROTECTED] confabulated:

On Fri, May 02, 2008 at 09:36:51AM +0800, Ruel Luchavez wrote:

before i post here i already check the /etc/resolve.conf and this is what's inside of it

domain name myplace.com.ph
name server 101.1.21.1
name server192.168.1.62

The problems with what you've just posted are:

1. the file is /etc/resolv.conf, not /etc/resolve.conf

Ha! I didn't catch the misspelling of resolv.conf. :-(

2. your contents are wrong, they should look like:

domain myplace.com.ph
nameserver 101.1.21.1
nameserver 192.168.1.62
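Both mistakes in this thread (the file name spelled resolve.conf and keywords split into "name server") are easy to catch with a small checker run against the file before restarting anything. The validator below is an added example, not something any poster supplied; it encodes the resolver(5) format as the replies describe it, the constructed POSTED sample reproduces the file as posted, and FIXED is the corrected version given in the replies.

```python
"""Validate resolv.conf contents against the resolver(5) format discussed in
this thread. Added example; POSTED is the malformed file from the thread and
FIXED is the corrected version the replies gave."""
import ipaddress
import os

KEYWORDS = {"nameserver", "domain", "search", "options", "sortlist"}
MAXNS = 3  # resolver(5): only the first three nameserver entries are used


def check_path(path):
    """Flag the classic misspelling: the file is resolv.conf, no trailing 'e'."""
    if os.path.basename(path) == "resolve.conf":
        return [f"{path}: the resolver reads resolv.conf, not resolve.conf"]
    return []


def check_resolv_conf(text):
    """Return a list of problems (an empty list means the file is well formed)."""
    problems = []
    nameservers = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        # '#' and ';' start comments; blank lines are ignored.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword not in KEYWORDS:
            hint = ""
            if keyword == "name" or keyword.startswith("server"):
                hint = " (the keyword is the single word 'nameserver')"
            problems.append(f"line {lineno}: unknown keyword {keyword!r}{hint}")
            continue
        if keyword == "nameserver":
            if len(args) != 1:
                problems.append(f"line {lineno}: nameserver takes exactly one address")
                continue
            try:
                ipaddress.ip_address(args[0])
            except ValueError:
                problems.append(f"line {lineno}: {args[0]!r} is not an IP address")
                continue
            nameservers += 1
            if nameservers > MAXNS:
                problems.append(f"line {lineno}: nameserver #{nameservers} is ignored "
                                f"(at most {MAXNS} are used)")
        elif keyword == "domain" and len(args) != 1:
            problems.append(f"line {lineno}: domain takes exactly one name")
        elif keyword == "search" and not args:
            problems.append(f"line {lineno}: search needs at least one domain")
    if nameservers == 0:
        problems.append("no valid nameserver line: queries go to the local host only")
    return problems


# Constructed from the thread: the file as posted, and the corrected version.
POSTED = """domain name myplace.com.ph
name server 101.1.21.1
name server192.168.1.62
"""

FIXED = """domain myplace.com.ph
nameserver 101.1.21.1
nameserver 192.168.1.62
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(label, check_resolv_conf(text) or "OK")
    print(check_path("/etc/resolve.conf"))
```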
Re: DNS server Problem
Ruel Luchavez wrote:

Hi, I have BIND DNS Server in my freebsd, i keep on searching in google on how to restart it? is there a command to restart it like the squid and dhcp? or there is no command for it?

That is somewhat different to what you've asked about previously. You don't say if you're running the base system version of BIND or one from ports. In the former case, you can do:

/etc/rc.d/named restart

In the latter case, that command should still work, but may not depending on how it was all set up. (The bind94 port doesn't come with its own rc script -- I believe the expectation is that you should use the system script by setting variables in /etc/rc.conf appropriately)

In either case you should be able to do:

rndc reload

so long as you've properly set up /etc/namedb/rndc.conf or /etc/namedb/rndc.key

Cheers, Matthew

-- Dr Matthew J Seaman MA, D.Phil. Flat 3 7 Priory Courtyard PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW, UK
RE: DNS server Problem
I have BIND DNS Server in my freebsd, i keep on searching in google on how to restart it? is there a command to restart it like the squid and dhcp? or there is no command for it?

You might like to try

# rndc reload

Cheers

Thanks in advanced..
Re: DNS server Problem
On Monday 14 April 2008 11:02:43 Ruel Luchavez wrote:

I have BIND DNS Server in my freebsd, i keep on searching in google on how to restart it? is there a command to restart it like the squid and dhcp? or there is no command for it?

If you start reading here: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/system-administration.html

It will soon answer your question and you will pick up the basics of FreeBSD administration very quickly.

-- Mel Problem with today's modular software: they start with the modules and never get to the software part.
Re: DNS server Problem
I have BIND DNS Server in my freebsd, i keep on searching in google on how to restart it?

/etc/rc.d/named restart

is there a command to restart it like the squid and dhcp? or there is no command for it? Thanks in advanced..
Re: DNS Question
国徽 wrote:

Hello, I am building the DNS Server,But I can't find the script /etc/namedb/make-localhost used in the document, So I can't go on now? Please tell me how to find the script,Thank you very much!

Unfortunately the documentation is a bit out of date. You no longer need to run 'make-localhost' -- there are pre-built zone files for localhost, and for 1.0.0.127.in-addr.arpa and the equivalent inverse domain for IPv6-ish ::1 that come with the system and which you can just use without further ado.

Cheers, Matthew

-- Dr Matthew J Seaman MA, D.Phil. Flat 3 7 Priory Courtyard PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW, UK
Re: DNS Question
Hi Erik:

I don't recall the how-to explaining the usage of this script. I too, just recently setup a DNS server for a couple domains. My recommendation is to familiarize yourself with the Administrators Reference Manual (ARM) on BIND's website: http://www.isc.org/index.pl?/sw/bind/arm93/

I found it more valuable than just following someone else's simple steps!

David Alanis

Quoting ?? [EMAIL PROTECTED]:

Hello, I am building the DNS Server,But I can't find the script /etc/namedb/make-localhost used in the document, So I can't go on now? Please tell me how to find the script,Thank you very much! Best Regards! Freebsd Lover:Erik
Re: DNS /etc/namedb owner hell
On Wed, Feb 20, 2008 at 10:09:53AM +0200, Deian Popov typed:

Hello, I have the following problem with bind: it is configured to run as bind:bind and after every reboot of the system all files and directories under /etc/namedb become owned by root:wheel so bind is unable to update it's zone files after dhcpd leases IP to any given client. How to fix either owner, or set somewhere that the owner of this folder, subfolder and files is my DNS server?

Try setting named_chroot_autoupdate to NO in your rc.conf

Ruben
Re: DNS /etc/namedb owner hell
Ruben de Groot writes:

I have the following problem with bind: it is configured to run as bind:bind and after every reboot of the system all files and directories under /etc/namedb become owned by root:wheel so bind is unable to update it's zone files after dhcpd leases IP to any given client. How to fix either owner, or set somewhere that the owner of this folder, subfolder and files is my DNS server?

Try setting named_chroot_autoupdate to NO in your rc.conf

Does this still work if you don't run chrooted?

To the OP: does this happen every reboot, or when you update the system? I used to have the latter problem, and fixed it by adding

NO_BIND_ETC= true # Do not install files to /etc/namedb

to /etc/make.conf. Upsides: no permission mangling, and no automatic file update. Downside: no automatic file update, though you can deal with this using mergemaster.

Robert Huff
Re: DNS /etc/namedb owner hell
Thank you both, you solved the problem!

On Wed, Feb 20, 2008 at 3:17 PM, Robert Huff [EMAIL PROTECTED] wrote:

Ruben de Groot writes:

I have the following problem with bind: it is configured to run as bind:bind and after every reboot of the system all files and directories under /etc/namedb become owned by root:wheel so bind is unable to update it's zone files after dhcpd leases IP to any given client. How to fix either owner, or set somewhere that the owner of this folder, subfolder and files is my DNS server?

Try setting named_chroot_autoupdate to NO in your rc.conf

Does this still work if you don't run chrooted?

To the OP: does this happen every reboot, or when you update the system? I used to have the latter problem, and fixed it by adding

NO_BIND_ETC= true # Do not install files to /etc/namedb

to /etc/make.conf. Upsides: no permission mangling, and no automatic file update. Downside: no automatic file update, though you can deal with this using mergemaster.

Robert Huff
Re: DNS /etc/namedb owner hell
Deian Popov wrote:

Hello, I have the following problem with bind: it is configured to run as bind:bind and after every reboot of the system all files and directories under /etc/namedb become owned by root:wheel so bind is unable to update it's zone files after dhcpd leases IP to any given client. How to fix either owner, or set somewhere that the owner of this folder, subfolder and files is my DNS server?

See /etc/rc.d/named and /etc/mtree/BIND.chroot.dist. And please, next time don't be so quick on mailing [EMAIL PROTECTED]
Re: DNS /etc/namedb owner hell
Hi there,

On 20/02/2008, Jordan Gordeev [EMAIL PROTECTED] wrote:

> [...]
> See /etc/rc.d/named and /etc/mtree/BIND.chroot.dist. And please, next time don't be so quick on mailing [EMAIL PROTECTED]

IMO questions is exactly dedicated for this purpose. Of course the OP could've solved the problem on his own, but maybe he just came across FreeBSD recently and does not know all of FreeBSD's specialties. Maybe the OP isn't used to reading shell scripts (not everyone dealing with Unix systems is capable of reading or even writing scripts). I think discouraging a user from asking questions he/she is unable to solve on his/her own is not that useful.

Just my $0.02

Christian

PS: I had to deal with this problem and it took me longer than expected.
Re: DNS and IP
Please read the Apache manual and set up httpd.conf right. It's not only possible, but very often used; I have 30 sites on one IP.

On Sun, 4 Nov 2007, Brian Finniff wrote:

> My question is, if you are running a website for 2 different people on the Internet and they both wanted to acquire a domain but you only have one IP address, would it be possible to forward each domain to the same IP address and somehow each one becomes distinct? If so, how is this possible? Can you explain to me how it can be done.
>
> Oh and for reference, I am not talking about web redirects.
Re: DNS and IP
On Sun, Nov 04, 2007 at 06:00:27PM -0500, Brian Finniff wrote:

> My question is, if you are running a website for 2 different people on the Internet and they both wanted to acquire a domain but you only have one IP address, would it be possible to forward each domain to the same IP address and somehow each one becomes distinct? If so, how is this possible? Can you explain to me how it can be done.

It sounds like you want to set up name based virtual hosts. That is SOP for many servers. It is documented.

You would also have to deal with the name server issues to get the web stuff (ports 80 and 443) directed to your single IP. If you do the name service, that is easy. If you have to beg another service, then that could be the hardest part.

jerry

> Oh and for reference, I am not talking about web redirects.
Re: DNS and IP
Of course, just set up a virtual host in your httpd.conf file and point the DNS to the same IP. Apache will take care of the rest.

Brian Finniff wrote:

> My question is, if you are running a website for 2 different people on the Internet and they both wanted to acquire a domain but you only have one IP address, would it be possible to forward each domain to the same IP address and somehow each one becomes distinct? If so, how is this possible? Can you explain to me how it can be done.
>
> Oh and for reference, I am not talking about web redirects.

-- 
Bill Banks
Wachusett Programming
Ourweb http://www.ourweb.net
http://www.ourwebtemplates.com
Re: DNS and IP
Hi,

> Of course, just set up a virtual host in your httpd.conf file and point the DNS to the same IP. Apache will take care of the rest.

To be a little bit more precise, in your Apache configuration you need something like:

    NameVirtualHost 10.0.0.1

    <VirtualHost 10.0.0.1>
        ServerName www.first-server.com
        ...
    </VirtualHost>

    <VirtualHost 10.0.0.1>
        ServerName www.second-server.com
        ...
    </VirtualHost>

BUT you will not be able to configure SSL on both sites, it will be either one or the other. You need one distinct IP per site to configure SSL.

Best regards,
Olivier

Brian Finniff wrote:

> My question is, if you are running a website for 2 different people on the Internet and they both wanted to acquire a domain but you only have one IP address, would it be possible to forward each domain to the same IP address and somehow each one becomes distinct? If so, how is this possible? Can you explain to me how it can be done.
Re: DNS and IP
Brian Finniff wrote:

> My question is, if you are running a website for 2 different people on the Internet and they both wanted to acquire a domain but you only have one IP address, would it be possible to forward each domain to the same IP address and somehow each one becomes distinct? If so, how is this possible? Can you explain to me how it can be done.
>
> Oh and for reference, I am not talking about web redirects.

If you're talking port 80, google for Virtual hosts.

-- 
Jay
Re: DNS and IP
On Sun, 4 Nov 2007 18:00:27 -0500 Brian Finniff [EMAIL PROTECTED] wrote:

> My question is, if you are running a website for 2 different people on the Internet and they both wanted to acquire a domain but you only have one IP address, would it be possible to forward each domain to the same IP address and somehow each one becomes distinct? If so, how is this possible? Can you explain to me how it can be done.
>
> Oh and for reference, I am not talking about web redirects.

Hi Brian,

To be more generic in the answer, you can map as many FQDNs (fully qualified domain names) as you want to a single IP via DNS (you can even enable wildcard records in certain DNS server software that will match *.yourdomain.com to a default IP). That tells {client_software} that {this_FQDN} is {this_IP}. {client_software} will use that information in whatever form is suitable to {client_software} - in most cases it will contact {server_software} running in a server (or group of servers) running as {this_IP}. It is up to {server_software} to determine how the request from {client_software} is handled.

For a variety of {server_software}, there is support for name-based virtual hosts, where the server will behave differently depending on what FQDN the client is attempting to contact: web servers, FTP servers, etc. Others don't, because it doesn't make sense, or because the protocol used doesn't support such a thing (HTTPS, for example).

If you want a more specific answer, you need to define what you want to do. Odds are, you are talking about websites - the other replies to your mail should have answered that point.

Best,
B

-- 
{Beto|Norberto|Numard} Meijome

Q. How do you make God laugh?
A. Tell him your plans.

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
Re: DNS and IP
On Mon, 5 Nov 2007 13:50:17 +1100 Norberto Meijome [EMAIL PROTECTED] wrote:

> On Sun, 4 Nov 2007 18:00:27 -0500 Brian Finniff [EMAIL PROTECTED] wrote:
>
>> My question is, if you are running a website for 2 different people on the Internet and they both wanted to acquire a domain but you only have one IP address, would it be possible to forward each domain to the same IP address and somehow each one becomes distinct? If so, how is this possible? Can you explain to me how it can be done.
>>
>> Oh and for reference, I am not talking about web redirects.
>
> Hi Brian,
>
> To be more generic in the answer, you can map as many FQDNs (fully qualified domain names) as you want to a single IP via DNS (you can even enable wildcard records in certain DNS server software that will match *.yourdomain.com to a default IP). That tells {client_software} that {this_FQDN} is {this_IP}. {client_software} will use that information in whatever form is suitable to {client_software} - in most cases it will contact {server_software} running in a server (or group of servers) running as {this_IP}. It is up to {server_software} to determine how the request from {client_software} is handled.

To be even more specific: the domain name of the recipient is specified at ISO-OSI level 7 in the HTTP protocol with a Host: header like this:

    Host: www.example.com

This header, alongside other HTTP headers, is received on port 80 of your web server, and it's up to your web server to route that to the right virtual domain by serving the correct files...

By the way, if you're using Lighty (lighttpd), you can host virtual domains as well: http://trac.lighttpd.net/trac/wiki/Docs:ModSimpleVhost

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
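The two answers above (Olivier's NameVirtualHost configuration and cpghost's Host: header) describe the same mechanism from opposite ends: DNS points every name at one address, and the web server picks the site from the Host header inside the request. The following is an added example, not code from the thread, from Apache or from lighttpd; it shows in plain Python what a name-based virtual host lookup has to do with that header, including the cases a careful server must reject (an HTTP/1.1 request with no Host, or with two of them). The vhost table, the document roots and the request bytes are constructed for illustration.

```python
"""Name-based virtual hosting in miniature: choose a site from the HTTP Host header.

Added example; not code from the thread, from Apache or from lighttpd. The
vhost table and the request bytes below are constructed for illustration.
"""
from __future__ import annotations

# Constructed table: server name -> document root. Apache serves the first
# <VirtualHost> for an address when no ServerName matches; DEFAULT_VHOST
# plays that role here.
VHOSTS: dict[str, str] = {
    "www.first-server.com": "/srv/www/first",
    "www.second-server.com": "/srv/www/second",
}
DEFAULT_VHOST = "www.first-server.com"


def parse_request_head(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split the request head (everything before the blank line) into the
    request line and a dict of headers keyed by lower-cased name.

    Raises ValueError on a malformed header line or a repeated Host header:
    two Host values would let a proxy and the origin disagree on the site.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        # RFC 7230 allows no whitespace between the field name and the colon.
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        name = name.lower()
        if name == "host" and "host" in headers:
            raise ValueError("repeated Host header")
        headers[name] = value.strip()
    return lines[0], headers


def normalise_host(host: str) -> str:
    """Lower-case the Host value and drop an explicit :port.

    A bracketed IPv6 literal ([::1]:8080) keeps its brackets."""
    host = host.strip().lower()
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def route_request(raw: bytes) -> tuple[int, str]:
    """Return (200, document root) or (400, reason) for a raw request head.

    HTTP/1.1 requires Host (RFC 7230 section 5.4), so a 1.1 request without
    it is rejected. An unknown name, or an HTTP/1.0 request with no Host at
    all, falls back to DEFAULT_VHOST the way Apache does.
    """
    try:
        request_line, headers = parse_request_head(raw)
    except ValueError as exc:
        return 400, str(exc)
    parts = request_line.split(" ")
    if len(parts) != 3:
        return 400, "malformed request line"
    host = headers.get("host")
    if host is None:
        if parts[2] == "HTTP/1.1":
            return 400, "HTTP/1.1 request without Host header"
        return 200, VHOSTS[DEFAULT_VHOST]
    return 200, VHOSTS.get(normalise_host(host), VHOSTS[DEFAULT_VHOST])


if __name__ == "__main__":
    for req in (
        b"GET / HTTP/1.1\r\nHost: www.second-server.com\r\n\r\n",
        b"GET / HTTP/1.1\r\nhost: WWW.First-Server.com:8080\r\n\r\n",
        b"GET / HTTP/1.1\r\n\r\n",
    ):
        print(req.split(b"\r\n")[:2], "->", route_request(req))
```

Header names are compared case-insensitively and the port is stripped before the lookup, which is why `host: WWW.First-Server.com:8080` still lands on the first site. The dispatch only works because the name travels in cleartext inside the request; in the TLS setup Olivier describes the name is not available before the certificate is chosen, which is the reason he needs one IP per SSL site.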
RE: DNS Cache - Bind
If you're not running with -4 you will get this, unless you have IPv6 configured of course...

Ted

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Behalf Of Jack Barnett
Sent: Tuesday, May 15, 2007 7:46 PM
To: freeBSD
Subject: DNS Cache - Bind

> I'm running Bind 9.3.4 on FreeBSD 6.2 for my local network. It doesn't have any zones, it's just a local DNS that has a bunch of forwarders. The first request is slow (between 150 and 300 ms) - but after that (the next query on the same domain) is fast (less than 10 ms usually). This is nice and working the way I like it. :)
>
> What I'm wondering though is:
>
> a) How do I flush the cache if I need to (ie. need to get a new update from the forwarders) - just restart named?
>
> b) Are there any settings I can tweak that determine how long the cache is kept? (ie. Say I want to keep all queries for 7 days before they are queried from the upstream DNS servers). [This will probably screw up dynamic DNS sites, but want to see what settings are available]
>
> c) Is there an easy way to 'blacklist' sites? Say I want 'SpammerNetwork.com' to resolve to 127.0.0.1. Basically I want to take this hosts file: http://www.mvps.org/winhelp2002/hosts.htm and then pump it into my DNS server, that way all the LAN clients are protected from these sites. Is there a way to do that?
>
> -J
Re: DNS Cache - Bind
Jack Barnett wrote:

> I'm running Bind 9.3.4 on FreeBSD 6.2 for my local network. It doesn't have any zones, it's just a local DNS that has a bunch of forwarders. The first request is slow (between 150 and 300 ms) - but after that (the next query on the same domain) is fast (less than 10 ms usually). This is nice and working the way I like it. :)
>
> What I'm wondering though is:
>
> a) How do I flush the cache if I need to (ie. need to get a new update from the forwarders) - just restart named?

    # man rndc
    # rndc flush

> b) Are there any settings I can tweak that determine how long the cache is kept? (ie. Say I want to keep all queries for 7 days before they are queried from the upstream DNS servers). [This will probably screw up dynamic DNS sites, but want to see what settings are available]

    # man named.conf

But this is what you're after:

    max-cache-ttl integer;

www.isc.org has a lot more (detailed) info.

> c) Is there an easy way to 'blacklist' sites? Say I want 'SpammerNetwork.com' to resolve to 127.0.0.1.

This is a great start: http://www.cymru.com/Documents/secure-bind-template.html

> Basically I want to take this hosts file: http://www.mvps.org/winhelp2002/hosts.htm and then pump it into my DNS server, that way all the LAN clients are protected from these sites. Is there a way to do that?

Regards,
Mikhail.

-- 
Mikhail Goriachev
Webanoide
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org
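Jack's question c) is the one the reply only points at: turning a hosts-file blocklist into something BIND can serve. The classic way, the one the Cymru template era used, is one authoritative zone per blocked name, all backed by a single zone file whose apex and wildcard record answer 127.0.0.1. The generator below is an added example, not code from the thread, from ISC BIND or from the MVPS project; it parses hosts-file text, validates every name before it is placed inside a quoted `zone "..."` statement (the list is third-party input, so a stray quote, semicolon or brace must not reach named.conf), drops the entries that describe the local machine, and emits the stanzas plus the shared zone file. The hosts text is a constructed sample in the MVPS `0.0.0.0 host` format, and the file paths are placeholders.

```python
"""Turn an MVPS-style hosts file into BIND blackhole zones.

Added example; not code from the thread, from ISC BIND or from the MVPS
project. HOSTS_SAMPLE is constructed and the paths are placeholders.
"""
from __future__ import annotations

import re

# One DNS label: 1-63 characters, letters/digits/hyphen, no edge hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# Require at least two labels: a single label would blackhole a whole TLD.
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

# Names a stock hosts file points at the machine itself; never zone these.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

# Constructed sample in the 0.0.0.0 / 127.0.0.1 format the MVPS list uses.
HOSTS_SAMPLE = """\
# constructed sample, not the real MVPS list
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 Tracker.Example.ORG        # mixed case: DNS names are case-insensitive
0.0.0.0 ads.example.net            # duplicate
0.0.0.0 bad"name.example           # would break the named.conf quoting: skipped
0.0.0.0 nodots                     # single label: skipped
"""


def parse_hosts(text: str) -> list[str]:
    """Return the sorted, de-duplicated hostnames from hosts-file text.

    Only lines whose address is a sink address are taken; each name is
    lower-cased and must match _HOSTNAME, so the downloaded list cannot
    smuggle quotes, semicolons or braces into the generated named.conf.
    """
    names: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        addr, *hosts = line.split()
        if addr not in ("0.0.0.0", "127.0.0.1", "::1"):
            continue
        for host in hosts:
            host = host.lower().rstrip(".")
            if host in LOCAL_NAMES or len(host) > 253 or not _HOSTNAME.match(host):
                continue
            names.add(host)
    return sorted(names)


def blackhole_zone_file(sink: str = "127.0.0.1") -> str:
    """One shared zone file: the apex and every name under it resolve to sink."""
    return (
        "$TTL 86400\n"
        "@\tIN\tSOA\tlocalhost. root.localhost. ( 1 3600 900 604800 86400 )\n"
        "@\tIN\tNS\tlocalhost.\n"
        f"@\tIN\tA\t{sink}\n"
        f"*\tIN\tA\t{sink}\n"
    )


def named_conf_zones(names: list[str], zone_file: str) -> str:
    """Emit one master zone stanza per blocked name, all backed by zone_file."""
    return "".join(
        f'zone "{name}" {{\n\ttype master;\n\tfile "{zone_file}";\n\tnotify no;\n}};\n'
        for name in names
    )


if __name__ == "__main__":
    blocked = parse_hosts(HOSTS_SAMPLE)
    # Placeholder paths; pick whatever fits your /etc/namedb layout.
    print(named_conf_zones(blocked, "/etc/namedb/master/blackhole.db"))
    print(blackhole_zone_file())
```

Write the stanzas to their own file and pull them into named.conf with an `include` statement (for instance `include "/etc/namedb/blackhole.conf";`, path again a placeholder), and write `blackhole_zone_file()` to the path given as `zone_file`. Every blocked name is now authoritative data on the resolver, so a stale list keeps answering 127.0.0.1 for names that were later cleaned up; regenerate it on a schedule and apply it with the same `rndc` Mikhail points to (`rndc reload`), and keep the list source pinned to the MVPS URL Jack gave rather than an arbitrary mirror.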
Re: DNS is not reachable
On Fri, Apr 13, 2007 at 04:59:20PM +0100, Jay Azimi wrote:

> Hi, I have a network run under Windows 2003 server with about 13 stations.

Hmmm. There are many versatile persons with cross-system experience on this list, so you might get some help. But your message doesn't indicate any relevance to the FreeBSD operating system. So, since this is a list dedicated to FreeBSD, why did you post this question here? Or did you leave out some important details?

jerry

> At least 5 times a day I cannot open a page with Internet Explorer or Firefox or any other browser. The error message in all these cases is: DNS is not reachable. Even if during this time window of about 2 minutes I jump on the server the problem is the same. More interestingly, during this time the modem shows that the Internet connection is on and the radio I listen to from the internet does not get disrupted. After about 2 minutes it is all back but it is very frustrating. Help.
>
> Jay
Re: DNS configuration at FreeBSD
neo neo wrote:

> could u please tell me detail how to configure DNS ip ?

Please stop posting the same question multiple times. Also, http://www.freebsd.org/doc/en_US.ISO8859-1/articles/mailing-list-faq/etiquette.html

Nick.
Re: DNS configuration
>> but i don't know how to configure DNS . plz .. ?
>
> Read the same handbook as advised earlier. And for DNS the O'Reilly book is great. DNS is no toy. It should be handled with great care. The internet depends on it.

Exactly. It's quite easy to make domains not synchronize to slaves right etc. without being careful.
Re: DNS configuration
On Fri, 16 Mar 2007 10:56:31 +0100 (CET) Wojciech Puchar [EMAIL PROTECTED] wrote:

>>> but i don't know how to configure DNS . plz .. ?
>>
>> Read the same handbook as advised earlier. And for DNS the O'Reilly book is great. DNS is no toy. It should be handled with great care. The internet depends on it.
>
> Exactly. It's quite easy to make domains not synchronize to slaves right etc. without being careful.

Since he's at the stage of setting an IP address and a default route, I'd be pretty surprised if he's asking about Bind. See the Handbook: 11.10.2.1 /etc/resolv.conf
Re: DNS configuration
On Thu, Mar 15, 2007 at 10:16:46AM -1200, neo neo wrote:

> hi
>
> For NAT, I already configured internal and external IP, and also finished the gateway. But I don't know how to configure DNS . plz .. ?

Will you be doing your own DNS or will that be done by your ISP?

> by the way, route add default xx.xx.xx.xx is setting the gateway .. is it right ? very thanks... i am very happy for your support..
>
> ZAW HTET AUNG
Re: DNS configuration at FreeBSD
Hello there, hiding behind an anonymous email account whoever you are,

Not knowing what you really ask for, since you don't provide much information, I assume that you want to set up a small DNS for a LAN with forwarding to your ISP? If this is correct, may I suggest that you have a look at djbdns from the ports tree and follow the guides at http://cr.yp.to/djbdns.html . The examples are plentiful and it's a fairly easy DNS to set up and run.

Good luck!

neo neo wrote:

> could u please tell me detail how to configure DNS ip ?
Re: DNS configuration
On Thu, 15 Mar 2007 10:16:46 -1200 neo neo [EMAIL PROTECTED] wrote:

> but i don't know how to configure DNS . plz .. ?

Read the same handbook as advised earlier. And for DNS the O'Reilly book is great. DNS is no toy. It should be handled with great care. The internet depends on it.

-- 
Dick Hoogendijk -- PGP/GnuPG key: F86289CE
++ http://nagual.nl/ | Solaris 10 11/06 ++
Re: DNS configuration at FreeBSD
On Thursday 15 March 2007 14:53, neo neo said:

> could u please tell me detail how to configure DNS ip ?

You really need to read the handbook. Most of your questions will be answered there.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html

Bind and DNS questions here:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-dns.html

And here:

http://www.isc.org/sw/bind/

Also google is your friend.

Beech

-- 
Beech Rintoul - Port Maintainer - [EMAIL PROTECTED]
ASCII Ribbon Campaign - NO HTML/RTF in e-mail - NO Word docs in e-mail
FreeBSD Since 4.x | http://www.freebsd.org
Latest Release: http://www.freebsd.org/releases/6.2R/announce.html
Re: DNS and mail servers behind a PF firewall?
On 2/26/07, Jacques Beigbeder [EMAIL PROTECTED] wrote:

> Hello,
>
> My question is related to PF performance with large state tables.
>
>     FreeBSD : 5.5
>     hw.model: Intel(R) Xeon(TM) CPU 3.20GHz
>     hw.physmem: 2138378240 = 2 Gb
>
> If I put a mail server with
>     20 SMTP hits per second (thanks to spam...)
>     15 seconds per SMTP dialog
>     90 seconds for PF timeout tcp.close
> the state table will have:
>     20 * (90 + 15) * 2 ways = 5.000 entries
>
> Since any mail generates a few DNS queries (reverse DNS, + DNSRBL queries), the state table will also get
>     2 ways * 60 seconds (timeout udp.multiple) * 5 (DNS queries) * 20 (connections) = 12.000 entries
>
> So I'll get around 20.000 entries, each of them having a short lifetime.
>
> Question:
> . is such a number a performance problem? It seems strange to constantly add and delete entries for DNS requests in the state table?
> . or do I have to write rules to avoid all the (unnecessary??) entries? As far as I understand, beginning with
>     pass in quick proto udp from a.b.c.d port 53 to any ...
>     same for TCP/25 ...
> is the trick.
> [snip]

Yes, keeping state on DNS traffic is quite expensive ;)

This is mentioned in the series of 3 articles by the architect of pf, Daniel Hartmeier, at undeadly.org:

http://undeadly.org/cgi?action=article&sid=20060927091645&mode=expanded
http://undeadly.org/cgi?action=article&sid=20060928081238&mode=expanded
http://undeadly.org/cgi?action=article&sid=20060929080943&mode=expanded

Try whether just passing quick port 53 traffic without keeping state has a measurable positive impact.

Or you could install a small, not resource-hungry caching nameserver like Bernstein's dnscache, which will save a lot of DNS and RBL traffic.

Most of the time however, perl based virus scanning is the cause of less than expected performance of a mail server.

=Adriaan=
Re: DNS Resolver Problem
On Jan 15, 2007, at 10:47 PM, Bob McIsaac wrote:

> linux quest wrote:
>
>> Dear Jay & the FreeBSD Communities,
>>
>> Thanks for putting your time and patience to help me out. Anyway, I tried it out, both changing the rc.conf and the dhclient.conf (one at a time). After that (for both of the ways), I did manage to stop the resolv.conf from being overwritten after the PC reboot. However, when I ping 192.168.52.1 or 192.168.52.2, the error msg says that there is no route to both of the IPs. Even after I add the default route by using the command line ... I am still unable to ping google.com. Then, I undo everything by using VMWare... (including undoing the DHCP configuration in rc.conf) so that I am able to ping google.com again.
>>
>> Since I desperately needed to connect to the Internet at this point of time, I created a file called resolv.conf in /root ... I am thinking how I can create a script so that it can copy resolv.conf from /root to /etc/resolv.conf every 30 minutes at start up - this is because I don't wanna manually type in
>>
>>     cp /root/resolv.conf /etc/resolv.conf
>>
>> every 30 minutes. Hope somebody can share with me the simple coding. Thanks :)
>>
>> Regards,
>> Linux Quest
>>
>> Jay Chandler [EMAIL PROTECTED] wrote:
>>
>>> Please don't top-post.
>>>
>>> linux quest wrote:
>>>
>>>> Dear Jay,
>>>>
>>>> Actually, I am running FreeBSD Unix on a VMWare machine (Host OS: Win2003, Guest OS: FreeBSD). Any ideas how I can disable / ignore the routing from the VMnet8? Below is the only VMWare NAT configuration that I have access to. No DHCP enable / disable option.
>>>>
>>>>     Ethernet adapter VMware Network Adapter VMnet8:
>>>>        Connection-specific DNS Suffix . :
>>>>        IP Address. . . . . . . . . . . . : 192.168.52.1
>>>>        Subnet Mask . . . . . . . . . . . : 255.255.255.0
>>>>        Default Gateway . . . . . . . . . : 192.168.52.2
>>>>
>>>> When I installed FreeBSD, I remember I did select some option to enable DHCP. Perhaps I should disable the DHCP service in FreeBSD (Guest OS) - if so, any idea how do I do it? Thanks :)
>>>>
>>>> Regards,
>>>> Linux Quest
>>>
>>> Simple enough, then. Edit /etc/rc.conf, and remove the line relating to the dhcp client. Then add:
>>>
>>>     defaultrouter="192.168.51.2"
>>>     hostname="boxname"
>>>     ifconfig_em0="inet 192.168.52.WHATEVERYOUWANT netmask 255.255.255.0"
>
> Hi:
>
> DHCP intends that everything works easily. However, if the DHCP lease is unsatisfactory, you can change it after doing man dhclient.conf. Can you post /var/db/dhclient.leases? Also, in one shell type tcpdump -v -c 20 and in another do ping or click a web page. Finally, netstat -r
>
> regards,
> -Bob-

defaultrouter should match the gateway IP address for the virtual interface you're using in FreeBSD under vmware; defaultrouter is an alias for the default route used by the kernel for directing packets (this can be viewed by looking at netstat -nr and looking for the default route, or route show default -- more verbose output). The subnet/IP should match something similar to what's provided with DHCP -- just in static form (which /etc/rc.conf will provide).

-Garrett
Re: DNS Resolver Problem
linux quest wrote:

> I have a problem with the DNS setting in FreeBSD. Every 1 hour, I will not be able to ping google.com (because I need to type in my ISP's DNS into /etc/resolv.conf). May I know what is the best solution for this, so that I do not have to type in my ISP's DNS into the resolver all the time? Perhaps, should I set a static IP configuration? If so, may I know which file should I modify? Thanks.

Their DNS changes hourly? What the heck ISP are you using that pulls such things? Or do you mean to say that you're on DHCP, and when it renews the lease it clears out DNS info?

-- 
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / [EMAIL PROTECTED]
Today's Excuse: emissions from GSM-phones
Re: DNS Resolver Problem
Jay Chandler wrote:

> linux quest wrote:
>
>> I have a problem with the DNS setting in FreeBSD. Every 1 hour, I will not be able to ping google.com (because I need to type in my ISP's DNS into /etc/resolv.conf). May I know what is the best solution for this, so that I do not have to type in my ISP's DNS into the resolver all the time? Perhaps, should I set a static IP configuration? If so, may I know which file should I modify? Thanks.
>
> Their DNS changes hourly? What the heck ISP are you using that pulls such things? Or do you mean to say that you're on DHCP, and when it renews the lease it clears out DNS info?

1. Could we see any relevant options in rc.conf related to network configuration (interface_*, dns, DHCP, etc.)?
2. Could you provide your /etc/resolv.conf?
3. Have you tried contacting your ISP about this? Maybe their DHCP settings are skewed.

-Garrett