Re: dnsperf and BIND memory consumption

2008-11-28 Thread JINMEI Tatuya / 神明達哉
At Thu, 27 Nov 2008 23:35:30 -0800 (PST),
ivan jr sy <[EMAIL PROTECTED]> wrote:

> so does this memory leak only occur if 
> @ISC_ARCH_DIR@ is "noatomic" under FreeBSD amd64?
> and not when its "x86_32" ?

First off, note that I have no explicit evidence of a memory leak.  But
*if there is indeed a leak in the FreeBSD pthread library*, the key is
"noatomic".  With this configuration named will call pthread
locks/unlocks much, much more heavily, so the problem may be observable
more clearly.  named still uses pthread locks even with x86_32, so it
may just be leaking memory more slowly.

Again, everything is just a guess and could be wrong.  We should seek
advice from someone who knows the FreeBSD library well.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Just to make sure I have TTL's understood.

2008-11-28 Thread Matus UHLAR - fantomas
On 25.11.08 23:15, Scott Haneda wrote:
> Based on your suggestions, I have made a template zone file to base  
> all new zones on, do you agree with this?
> 
> * When I need to change to a low TTL for migration needs, what would  
> be the approach to that with this template format?

I personally use default TTL 43200, and higher only for NS records (and
appropriate A records) to have the same TTL as glue records in parent
domains.

> $TTL 1D
> @   IN  SOA ns1.hostwizard.com. scott.hostwizard.com. (
>             200810011   ; serial, today's date + today's serial #
>             8H          ; refresh
>             2H          ; retry
>             4W          ; expire
>             1H )        ; minimum
> @   IN  NS  ns1.hostwizard.com.
> @   IN  NS  ns1.nacio.com.
> @   IN  MX  10 gonepostal.hostwizard.com.  ; Primary Mail Exchanger
> 
> ; email server base
> pop   IN  A   64.84.37.6
> smtp  IN  A   64.84.37.6
> imap  IN  A   64.84.37.6
> @     IN  TXT "v=spf1 ip4:64.84.37.0/26 ?all"
> 
> ; http website base
> ;@    IN  A   64.84.37.x
> ;www  IN  A   64.84.37.x
> ;ftp  IN  A   64.84.37.x

Those @'s are useless most of the time: if you don't provide a name, the RR
applies to the last name provided. Move the TXT just after the SOA and you
can remove them all.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Atheism is a non-prophet organization. 


Re: dnsperf and BIND memory consumption -- FreeBSD port dns/bind95 for AMD64 - memory leak?

2008-11-28 Thread ivan jr sy
Thanks for the advice.
I'm currently testing the performance of authoritative queries. Test data is 
100 zones with a total of 50,000 RRs, using dnsperf invoked 6 times 
simultaneously. 

That's 300,000 queries per run of the script. The script was invoked 5 times (runs) 
successively. Memory consumption was observed just by using 'top'.

result:

1. FreeBSD dns/bind95 with the memory leak issue:
1st run: 30,241 QPS - mem: 220MB
2nd run: 28,121 QPS - mem: 640MB
3rd run: 14,854 QPS - mem: 990MB
4th run: 9,521 QPS - mem: 1780MB
5th run: 7,545 QPS - mem: 2540MB (1.5 million queries)

note: the physical memory of the system is just 2GIG, swap was 20% during the 
last test. 

I restarted the box (just to be sure) and... 

2. FreeBSD dns/bind95 with the patch below. ARCH=x86_64
1st run: 34,213 QPS - mem: 65MB
2nd run: 33,505 QPS - mem: 65MB
3rd run: 34,251 QPS - mem: 65MB
4th run: 34,345 QPS - mem: 65MB
5th run: 34,012 QPS - mem: 65MB (1.5 million queries)
note: there was no movement in mem as shown by 'top', not even a single KB.

basically, the memory consumption did not move (as this is an isolated test 
setup)..

I'll be looping this script for a day or two, and after that test it as a 
recursive server for another day or two, and for another day or two as caching 
and authoritative at the same time. After that I can then migrate from my old 
Linux box to this FreeBSD.

my tools are just:
http://www.nominum.com/services/measurement_tools.php


Thanks
- ivan




logging query results

2008-11-28 Thread wes
I would like to know if it's possible to log the output of each dns query.
I'd like to do this to catch failed queries so I can see what people are
looking for, and not finding, and add it for them if it should be there. I
recently lost my old dns server so I have to start from scratch.

This is my current logging configuration:

logging {
    channel log {
        file "/var/log/named/named.log" versions 10 size 100m;
        severity debug;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default { log; };
    category queries { log; };
};

As far as I can tell, this is set up to log everything ever, but I still
don't get the actual query result in the log. Is there a way to do this?

If not, that's OK, I'll set up a tcpdump script to do it, but I thought I
would make sure there isn't a built-in method in BIND first.

thanks for any advice.

-wes

Re: logging query results

2008-11-28 Thread ivan jr sy
looks like an OK config for me.
- you should be able to view the name being queried and from what source IP
- debug10 = view the actual query (similar to dig)
so you can grep the NXDOMAIN or the ANSWER

are you able to view the log file? did it log the start-up processes of BIND? 
you should be able to see tons and tons of log messages even just on startup of 
named.

note that logging queries will significantly impact the query response rate of 
the server. It's a no-no for production. On the other hand, your tcpdump script 
sounds elegant...




RE: dnsperf and BIND memory consumption

2008-11-28 Thread Vinny Abello
> -Original Message-
> From: JINMEI Tatuya / 神明達哉 [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 28, 2008 4:09 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; Vinny Abello; [EMAIL PROTECTED]
> Subject: Re: dnsperf and BIND memory consumption
> 
> At Thu, 27 Nov 2008 23:35:30 -0800 (PST),
> ivan jr sy <[EMAIL PROTECTED]> wrote:
> 
> > so does this memory leak only occur if
> > @ISC_ARCH_DIR@ is "noatomic" under FreeBSD amd64?
> > and not when its "x86_32" ?
> 
> First off, note that I have no explicit evidence of memory leak.  But
> *if there is indeed leak in the FreeBSD pthread library*, the key is
> "noatomic".  With this configuration named will call pthread
> locks/unlocks much, much heavier, so the problem may be observable
> more clearly.  named still uses pthread locks Even with x86_32, so it
> may just be leaking memory more slowly.
> 
> Again, everything is just a guess and could be wrong.  We should seek
> advice from someone who knows FreeBSD library well.

Just out of curiosity, why in theory is this not seen in prior versions of BIND 
such as 9.4.2-P2 or 9.4.3 on the same FreeBSD 7.0 AMD64 platforms with 
threading enabled in BIND?

-Vinny


Re: logging query results

2008-11-28 Thread ivan jr sy

and why not use..
https://www.dns-oarc.net/tools/dnscap

dnscap -m q -e y -c 100 -w /path/file

captures:
- queries only
- errors only
- after 100 packets where conditions are met
- write it to a file..


Enjoy!



Re: logging query results

2008-11-28 Thread wes
thanks for the info. I do indeed see tons and tons of messages from named. I
even see the query itself (what people are asking for). Just not the result.
It seems like I get everything except the result.

-wes


Re: logging query results

2008-11-28 Thread wes
That seems interesting. I will look into that if I can't get bind's built-in
logging system to do what I want.

thanks,
-wes


Re: logging query results

2008-11-28 Thread wes
Good point, I had only used rndc reload to activate the changes to the conf
file. The changes definitely took effect at that point, as I could then see
all the debug messages in the log. But, I tried a stop && start (had to use
/etc/init.d/bind9 because rndc doesn't have a start command for some reason)
and I get the same behavior. Here is a sample output from 1 entire
transaction. This was generated after running "host www.solestruck.com localhost":

# grep 127.0.0.1#32999 named.log
28-Nov-2008 11:48:53.063 general: debug 60: socket 0xb7f2f148 127.0.0.1#32999: packet received correctly
28-Nov-2008 11:48:53.063 client: debug 3: client 127.0.0.1#32999: UDP request
28-Nov-2008 11:48:53.063 client: debug 5: client 127.0.0.1#32999: using view '_default'
28-Nov-2008 11:48:53.063 security: debug 3: client 127.0.0.1#32999: request is not signed
28-Nov-2008 11:48:53.063 security: debug 3: client 127.0.0.1#32999: recursion available
28-Nov-2008 11:48:53.063 client: debug 3: client 127.0.0.1#32999: query
28-Nov-2008 11:48:53.064 queries: info: client 127.0.0.1#32999: query: www.solestruck.com IN A +
28-Nov-2008 11:48:53.064 client: debug 10: client 127.0.0.1#32999: ns_client_attach: ref = 1
28-Nov-2008 11:48:53.064 security: debug 3: client 127.0.0.1#32999: query 'www.solestruck.com/A/IN' approved
28-Nov-2008 11:48:53.064 client: debug 3: client 127.0.0.1#32999: send
28-Nov-2008 11:48:53.064 client: debug 3: client 127.0.0.1#32999: sendto
28-Nov-2008 11:48:53.064 client: debug 3: client 127.0.0.1#32999: senddone
28-Nov-2008 11:48:53.064 client: debug 3: client 127.0.0.1#32999: next
28-Nov-2008 11:48:53.064 client: debug 10: client 127.0.0.1#32999: ns_client_detach: ref = 0
28-Nov-2008 11:48:53.064 client: debug 3: client 127.0.0.1#32999: endrequest
28-Nov-2008 11:48:53.065 general: debug 60: socket 0xb7f2f148 127.0.0.1#32999: packet received correctly
28-Nov-2008 11:48:53.065 client: debug 3: client 127.0.0.1#32999: UDP request
28-Nov-2008 11:48:53.065 client: debug 5: client 127.0.0.1#32999: using view '_default'
28-Nov-2008 11:48:53.065 security: debug 3: client 127.0.0.1#32999: request is not signed
28-Nov-2008 11:48:53.065 security: debug 3: client 127.0.0.1#32999: recursion available
28-Nov-2008 11:48:53.065 client: debug 3: client 127.0.0.1#32999: query
28-Nov-2008 11:48:53.065 queries: info: client 127.0.0.1#32999: query: www.solestruck.com IN  +
28-Nov-2008 11:48:53.065 client: debug 10: client 127.0.0.1#32999: ns_client_attach: ref = 1
28-Nov-2008 11:48:53.065 security: debug 3: client 127.0.0.1#32999: query 'www.solestruck.com//IN' approved
28-Nov-2008 11:48:53.065 client: debug 3: client 127.0.0.1#32999: send
28-Nov-2008 11:48:53.065 client: debug 3: client 127.0.0.1#32999: sendto
28-Nov-2008 11:48:53.065 client: debug 3: client 127.0.0.1#32999: senddone
28-Nov-2008 11:48:53.065 client: debug 3: client 127.0.0.1#32999: next
28-Nov-2008 11:48:53.065 client: debug 10: client 127.0.0.1#32999: ns_client_detach: ref = 0
28-Nov-2008 11:48:53.065 client: debug 3: client 127.0.0.1#32999: endrequest
28-Nov-2008 11:48:53.066 general: debug 60: socket 0xb7f2f148 127.0.0.1#32999: packet received correctly
28-Nov-2008 11:48:53.066 client: debug 3: client 127.0.0.1#32999: UDP request
28-Nov-2008 11:48:53.066 client: debug 5: client 127.0.0.1#32999: using view '_default'
28-Nov-2008 11:48:53.066 security: debug 3: client 127.0.0.1#32999: request is not signed
28-Nov-2008 11:48:53.066 security: debug 3: client 127.0.0.1#32999: recursion available
28-Nov-2008 11:48:53.066 client: debug 3: client 127.0.0.1#32999: query
28-Nov-2008 11:48:53.066 queries: info: client 127.0.0.1#32999: query: www.solestruck.com IN MX +
28-Nov-2008 11:48:53.066 client: debug 10: client 127.0.0.1#32999: ns_client_attach: ref = 1
28-Nov-2008 11:48:53.066 security: debug 3: client 127.0.0.1#32999: query 'www.solestruck.com/MX/IN' approved
28-Nov-2008 11:48:53.066 client: debug 3: client 127.0.0.1#32999: send
28-Nov-2008 11:48:53.066 client: debug 3: client 127.0.0.1#32999: sendto
28-Nov-2008 11:48:53.066 client: debug 3: client 127.0.0.1#32999: senddone
28-Nov-2008 11:48:53.066 client: debug 3: client 127.0.0.1#32999: next
28-Nov-2008 11:48:53.066 client: debug 10: client 127.0.0.1#32999: ns_client_detach: ref = 0
28-Nov-2008 11:48:53.066 client: debug 3: client 127.0.0.1#32999: endrequest

thanks for the pointer. Any other ideas?

-wes

On Fri, Nov 28, 2008 at 10:31 AM, Ben Croswell <[EMAIL PROTECTED]> wrote:

> If you didn't actually do a stop and start, you may want to do that or an
> rndc query to kickstart the query logs.
>
>
> On Fri, Nov 28, 2008 at 1:08 PM, wes <[EMAIL PROTECTED]> wrote:
>
>> I would like to know if it's possible to log the output of each dns query.
>> I'd like to do this to catch failed queries so I can see what people are
>> looking for, and not finding, and add it for them if it should be there. I
>> recently lost my old dns server so I have to start from scratch.
>>
>> This is my current logging configuration:

Re: rfc1918 ns records coming from internet are queried?

2008-11-28 Thread ivan jr sy
this might also help..

http://code.google.com/p/google-dnswall

in a nutshell, it's like a DNS proxy server; you can use this to forward to 
BIND, sitting between your clients and your internal BIND servers.

it filters:
- Invalid IP address: an IP address that starts with 0; i.e. 0.x.x.x
- Node-Local IP address: 127.x.x.x
- Link-Local IP address: 169.254.x.x
- Site-Local IP address: 10.x.x.x, 172.x.x.x, 192.168.x.x
- Multicast IP address: 224.x.x.x


"DNSWall is a proof-of-concept (PoC) tool developed by some security 
researchers from Stanford University as a protection mechanism against DNS 
rebinding attacks."

http://securebits.org/blog/blog.php/2008/10/15/dnswall-a-protection-mechanism-against-d


--- On Fri, 11/28/08, David Sparks <[EMAIL PROTECTED]> wrote:

> From: David Sparks <[EMAIL PROTECTED]>
> Subject: Re: rfc1918 ns records coming from internet are queried?
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Date: Friday, November 28, 2008, 8:29 AM
> Thanks, the suggestion below looks like it might be what I'm looking for.
> 
> ds
> 
> > You can in fact set up the environment I described using views. Just
> > have the private view forward to the internet view. The following
> > resolving name server will ignore referrals to private name servers
> > for outside names; note that it's missing the masters list definition
> > named "private-auth-servers", plus the options statement, but is
> > otherwise complete.
> > 
> > acl "private" {
> >     10/8;
> >     172.16/12;
> >     192.168/16;
> >     # does not include 127/8
> > };
> > view "private" {
> >     match-clients { private; };
> >     # forward unknown names to the internet view:
> >     forward only;
> >     forwarders { 127.0.0.1; };
> >     # stub, slave, or forward zones for the private namespace:
> >     zone "private.zone" {
> >         type stub;
> >         masters { private-auth-servers; };
> >         file "stub.private.zone";
> >         forwarders { };  # disable forwarding for stub zones
> >     };
> > };
> > view "internet" {
> >     server 10/8 { bogus yes; };
> >     server 172.16/12 { bogus yes; };
> >     server 192.168/16 { bogus yes; };
> >     allow-query { 127.0.0.1; };
> > };
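Both the "logging query results" thread and the DNSWall post above end up needing the same post-processing step: decoding the DNS responses that a tcpdump or dnscap capture yields, since named's query log records the question but not the RCODE wes was after, and DNSWall's filtering is a decision on the addresses a response carries. The following is an added example (not code from the thread, from dnscap, DNSWall or ISC) that parses an RFC 1035 response message, reports its RCODE and flags A records in the ranges the DNSWall summary lists; the two sample messages are hand-constructed, and the CIDR form of the list (172.16/12 as in David Sparks's acl, multicast as 224/4) is this example's own assumption.

```python
import ipaddress
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPES = {1: "A", 15: "MX", 28: "AAAA"}
# Ranges from the DNSWall list in the post, written as CIDR (172.16/12 as in
# the quoted acl; multicast as 224/4).  Assumed mapping, not DNSWall's code.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def read_name(msg, off):
    """Read an owner name (RFC 1035 labels, with compression pointers).

    Returns (dotted name, offset just past the name in the original stream).
    """
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2                     # name ends after pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                         # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", end if end is not None else off


def parse_response(msg):
    """Decode header, question and answer section of a one-question response."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or qd != 1:
        raise ValueError("expected a response carrying one question")
    qname, off = read_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4                                      # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = str(ipaddress.IPv4Address(rdata)) if rtype == 1 else rdata.hex()
        answers.append((name, QTYPES.get(rtype, rtype), ttl, value))
    return {"id": ident, "rcode": RCODES.get(flags & 0xF, flags & 0xF),
            "question": (qname, QTYPES.get(qtype, qtype)), "answers": answers}


def blocked_addresses(parsed):
    """A-record addresses in the answer that the DNSWall list would refuse."""
    return [v for _n, t, _ttl, v in parsed["answers"]
            if t == "A"
            and any(ipaddress.ip_address(v) in n for n in BLOCKED_NETS)]


# Constructed sample messages (hand-assembled, not captured traffic).
# NXDOMAIN for missing.example.com/A: the outcome named's query log omits.
NXDOMAIN_MSG = bytes.fromhex(
    "1234 8183 0001 0000 0000 0000"
    "07 6d697373696e67 07 6578616d706c65 03 636f6d 00 0001 0001")
# NOERROR for www.example.com/A answering 10.0.0.5; owner is pointer c00c.
PRIVATE_ANSWER_MSG = bytes.fromhex(
    "5678 8180 0001 0001 0000 0000"
    "03 777777 07 6578616d706c65 03 636f6d 00 0001 0001"
    "c00c 0001 0001 00000e10 0004 0a000005")

if __name__ == "__main__":
    for msg in (NXDOMAIN_MSG, PRIVATE_ANSWER_MSG):
        p = parse_response(msg)
        print(p["question"], p["rcode"], p["answers"], blocked_addresses(p))
```

Feed it the UDP payloads from a capture of port 53 responses and grep for NXDOMAIN to get the failed-lookup list wes wanted; a non-empty blocked list on a response for an outside name is the rebinding case DNSWall drops.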


rndc-confgen no response

2008-11-28 Thread Ken DBA
Hello,

Sometimes when I run sbin/rndc-confgen there is no response from this command, 
no output at all after a long time. But sometimes it behaves well.

The OS is Slackware Linux, kernel is 2.6.24.5-smp.
Bind is BIND 9.5.0-P2, I compiled and installed it from sources.

Please help. Thanks.

Ken


  



Re: rndc-confgen no response

2008-11-28 Thread Mark Andrews

In message <[EMAIL PROTECTED]>, Ken DBA writes:
> Hello,
> 
> Sometime when I run sbin/rndc-confgen there is not response from this command
> , no any output after long time. But sometime it behaves well.
> 
> The OS is Slackware Linux, kernel is 2.6.24.5-smp.
> Bind is BIND 9.5.0-P2, I compiled and installed it from sources.
> 
> Please help. Thanks.
> 
> Ken

/dev/random has run out of random bits.  You need to make your machine
generate more of them.

Mark

5.4. FreeBSD

Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.

A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to
   use certain interrupts as a source of random events. You can make this
   permanent by setting rand_irqs in /etc/rc.conf.

   /etc/rc.conf
   rand_irqs="3 14 15"

   See also .

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]


Re: rndc-confgen no response

2008-11-28 Thread Ken DBA



--- On Sat, 11/29/08, Mark Andrews <[EMAIL PROTECTED]> wrote:

> /dev/random has run out of random bits.  You need to make
> your machine generate more of them.

Thanks.
Could I clear /dev/random to zero by hand?


  
