Re: Silently drop queries for AAAA records

2010-12-07 Thread Niobos
On 2010-12-07 23:31, David A. Evans wrote:
> 
> I'm in the mood to prove a point.   I have a very poorly written
> application that is generating a few hundred queries per second of
> completely bogus AAAA records before attempting a lookup of the correct
> A records.  This is because the application was compiled with an IPv6
> interface enabled on the servers so it assumes that v6 is available.  It
> is not.  The application owner does not see an issue as they get the
> handful of NXDOMAIN responses back in ~2 ms for each valid response and
> don't see any performance hit.

Actually, this is the desired behavior for IPv6 applications. They
prefer v6, so they first try to connect over v6 (hence the AAAA
request). When they either (1) don't get an IPv6 address or (2) they see
that they have no route to that IPv6 address or (3) the v6 connection
times out, they fall back to IPv4.

Most applications are configurable to "only try" either v4 or v6. In my
humble opinion, you should ask for this last option in your software.

As for proving your point in that second case, you can add a bogus IPv6
address and push the client into failure mode (3), which will cause a
noticeable delay.

Niobos

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Troubleshooting slow DNS lookup

2010-12-07 Thread Rianto Wahyudi
Hi Mark,

Thanks for your quick response !

> Standards Track.
> RFC 2671 Extension Mechanisms for DNS (EDNS0)
> RFC 3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements

Unfortunately an RFC is not considered good enough ... unless we
can find actual proof that can be replicated :(

I also did some DNSSEC trace demonstrations, and it is still not a good
enough reason:
i.e.: dig www.anyhostname.com +trace +dnssec .
This test always fails and produces an FWSM log entry similar to:
: %FWSM-2-106007: Deny inbound UDP from 198.142.0.51/53 to
10.0.0.1/64788 due to DNS Response



> Informational.
> RFC 4294 IPv6 Node Requirements
>
> http://labs.ripe.net/Members/anandb/content-testing-your-resolver-dns-reply-size-issues
>


> How about the root servers?
>
>> - Any example of dns record that send packet larger than 512 ?
>
> The root servers.
>
>        dig +dnssec dnskey .

This, for some reason, works without any problem:


; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +dnssec dnskey .
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64905
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;.  IN  DNSKEY

;; ANSWER SECTION:
.   86400   IN  DNSKEY  256 3 8
AwEAAcAPhPM4CQHqg6hZ49y2P3IdKZuF44QNCc50vjATD7W+je4va6dj
Y5JpnNP0pIohKNYiCFap/b4Y9jjJGSOkOfkfBR8neI7X5LisMEGUjwRc
rG8J9UYP1S1unTNqRcWyDYFH2q3KnIO08zImh5DiFt8yfCdKoqZUN1du p5hy0UWz
.   86400   IN  DNSKEY  257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=

;; AUTHORITY SECTION:
.   518400  IN  NS  c.root-servers.net.
.   518400  IN  NS  d.root-servers.net.
.   518400  IN  NS  e.root-servers.net.
.   518400  IN  NS  f.root-servers.net.
.   518400  IN  NS  g.root-servers.net.
.   518400  IN  NS  h.root-servers.net.
.   518400  IN  NS  i.root-servers.net.
.   518400  IN  NS  j.root-servers.net.
.   518400  IN  NS  k.root-servers.net.
.   518400  IN  NS  l.root-servers.net.
.   518400  IN  NS  m.root-servers.net.
.   518400  IN  NS  a.root-servers.net.
.   518400  IN  NS  b.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 2592000 IN  A   198.41.0.4
b.root-servers.net. 2592000 IN  A   192.228.79.201
c.root-servers.net. 2592000 IN  A   192.33.4.12
d.root-servers.net. 2592000 IN  A   128.8.10.90
e.root-servers.net. 2592000 IN  A   192.203.230.10
f.root-servers.net. 2592000 IN  A   192.5.5.241
g.root-servers.net. 2592000 IN  A   192.112.36.4
h.root-servers.net. 2592000 IN  A   128.63.2.53
i.root-servers.net. 2592000 IN  A   192.36.148.17
k.root-servers.net. 2592000 IN  A   193.0.14.129
a.root-servers.net. 2592000 IN  AAAA    2001:503:ba3e::2:30
f.root-servers.net. 2592000 IN  AAAA    2001:500:2f::f
h.root-servers.net. 2592000 IN  AAAA    2001:500:1::803f:235

;; Query time: 547 msec


Re: Troubleshooting slow DNS lookup

2010-12-07 Thread Mark Andrews

In message , Rianto Wahyudi writes:
> Our network team are quite reluctant to make any changes on the FWSM
> in regards to DNS inspection.
> So it seems that we are stuck with a maximum UDP packet of 512 bytes.
>
> Unfortunately, I do not have much evidence (i.e. user complaints) to
> escalate this issue much further except from a few users who are
> *intermittently* unable to access www.paypal.com.
> The term "intermittently" is the main keyword, and because of that the
> fingers are now pointing back at the DNS server.

It's intermittent because it takes named time to work out what will
work with your firewall, and the clients time out in the meantime.
This will only get worse over time.

> I believe that increasing the maximum limit or disabling inspection will
> fix the issue, but I will need to gather a sufficient case and a
> compelling report.

Standards Track.
RFC 2671 Extension Mechanisms for DNS (EDNS0)
RFC 3226 DNSSEC and IPv6 A6 aware server/resolver message size requirements

Informational.
RFC 4294 IPv6 Node Requirements

http://labs.ripe.net/Members/anandb/content-testing-your-resolver-dns-reply-size-issues

> - Does anyone have a good example of a prominent website that has
> DNSSEC set up properly other than PayPal?

How about the root servers?

> - Any example of a DNS record that sends a packet larger than 512?

The root servers.

dig +dnssec dnskey .

> - Any other information I can use to help create the report?
> 
> As a workaround I can possibly set the EDNS UDP size to match the
> firewall limit, but I think this is my last option.
> 
> Any help is greatly appreciated!
> 
> Regards,
> Rianto Wahyudi
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
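To make Mark's point about reply size concrete, here is an added example (not from the thread, and not ISC code): a minimal DNS wire-format builder and RR walker in Python. It constructs the EDNS0 OPT record that a `dig +dnssec dnskey .` query carries, builds a response shaped like the dig output Rianto posted (2 DNSKEYs, 13 root NS records, an OPT RR) using constructed zero-byte placeholders in place of key material, and then checks whether such a UDP reply would exceed a 512-byte inspection limit or is already truncated. The 4096-byte buffer, the key lengths and the TTLs are assumptions chosen for the demonstration.

```python
import struct

DNSKEY, NS, OPT = 48, 2, 41
CLASSIC_UDP_LIMIT = 512  # pre-EDNS0 UDP ceiling, i.e. the FWSM inspection limit in the thread
ROOT_NS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]  # the 13 root server names

def encode_name(name):
    """Wire-encode a domain name; "." becomes just the root label."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l) + b"\x00"

def rr(rtype, rclass, ttl, rdata):
    return b"\x00" + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata  # root owner, no compression

def build_query(name, qtype, txid=0x1234, edns_size=None, do=False):
    """Recursive query; with edns_size an OPT pseudo-RR advertises that buffer."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0 if edns_size is None else 1)  # RD
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if edns_size is not None:
        # OPT: CLASS = UDP payload size; TTL = ext-RCODE | EDNS version | DO bit (bit 15)
        msg += rr(OPT, edns_size, 0x8000 if do else 0, b"")
    return msg

def build_response(txid, keys, ns_hosts, edns_size=4096):
    """Constructed root DNSKEY reply shaped like the thread's dig output: DNSKEYs in
    ANSWER, NS in AUTHORITY, OPT in ADDITIONAL. Key bytes are zero placeholders."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(keys), len(ns_hosts), 1)  # QR RD RA
    msg += encode_name(".") + struct.pack("!HH", DNSKEY, 1)
    for flags, key_len in keys:  # 256 = ZSK, 257 = KSK; protocol 3, algorithm 8
        msg += rr(DNSKEY, 1, 86400, struct.pack("!HBB", flags, 3, 8) + bytes(key_len))
    for host in ns_hosts:
        msg += rr(NS, 1, 518400, encode_name(host))
    return msg + rr(OPT, edns_size, 0x8000, b"")

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "counts": (qd, an, ns, ar)}

def skip_name(msg, off):
    """Advance past a wire-format name, honouring compression pointers."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def edns_info(msg):
    """Walk every RR and return the OPT RR's advertised size and DO bit, or None."""
    (qd, an, ns, ar), off = parse_header(msg)["counts"], 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            return {"udp_size": rclass, "do": bool(ttl & 0x8000)}
    return None

def assess(response, inspection_limit=CLASSIC_UDP_LIMIT):
    # Would this UDP reply get past a middlebox enforcing inspection_limit?
    if parse_header(response)["tc"]:
        return "truncated (TC set): resolver must retry over TCP"
    if len(response) > inspection_limit:
        return f"{len(response)} bytes: exceeds {inspection_limit}-byte limit, would be dropped"
    return f"{len(response)} bytes: fits within {inspection_limit}-byte limit"
```

A real capture from `dig +dnssec dnskey .` can be fed to `edns_info` and `assess` unchanged, since the walker handles compressed names.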


Re: Troubleshooting slow DNS lookup

2010-12-07 Thread Rianto Wahyudi
Our network team are quite reluctant to make any changes on the FWSM
in regards to DNS inspection.
So it seems that we are stuck with a maximum UDP packet of 512 bytes.

Unfortunately, I do not have much evidence (i.e. user complaints) to
escalate this issue much further except from a few users who are
*intermittently* unable to access www.paypal.com.
The term "intermittently" is the main keyword, and because of that the
fingers are now pointing back at the DNS server.

I believe that increasing the maximum limit or disabling inspection will
fix the issue, but I will need to gather a sufficient case and a
compelling report.

- Does anyone have a good example of a prominent website that has
DNSSEC set up properly other than PayPal?
- Any example of a DNS record that sends a packet larger than 512?
- Any other information I can use to help create the report?

As a workaround I can possibly set the EDNS UDP size to match the
firewall limit, but I think this is my last option.

Any help is greatly appreciated!

Regards,
Rianto Wahyudi


Re: Black berry

2010-12-07 Thread John Payne
I can guarantee that ns1.nameserver.net was not provided to this user by anyone 
in a position to do so authoritatively. 


On Dec 7, 2010, at 10:23 AM, Greg Whynott  wrote:

> I'm wondering if domain.net and ns1.nameserver.net are defaults which haven't 
> been configured yet.  But he is a senior sysadmin, I'm sure he considered 
> that already…
> 
> -g
> 
> 
> On Dec 7, 2010, at 7:37 AM, Matus UHLAR - fantomas wrote:
> 
>> On 07.12.10 11:06, Ejaz wrote:
>>> We have a problem sending emails when using a BlackBerry device:
>>> users cannot send emails either inside or outside the domain
>>> when someone is connected to our ISP and uses our DNS server.
>>> 
>>> Does it require any special configuration of BIND in the named.conf file for
>>> the BlackBerry users?
>> 
>> No. You only must configure DNS properly.
>> 
>>> The following message to <x...@domain.net> was
>>> undeliverable.
>>> The reason for the problem:
>>> 5.4.7 - Delivery expired (message too old) 'DNS Soft Error looking up
>>> domain.net (MX) while asking ns1.nameserver.net. Error was: unable to reach
>>> nameserver on any valid IP'
>> 
>> And you must reckon with the fact that with BlackBerry, your mail is not
>> coming from your internal network, so your mailservers have to be reachable
>> from the internet, or at least from BlackBerry IP ranges.
>> --
>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Warning: I do NOT want to receive any advertising mail at this address.
>> 2B|!2B, that's a question!

Re: Silently drop queries for AAAA records

2010-12-07 Thread Karl Auer
On Tue, 2010-12-07 at 16:31 -0600, David A. Evans wrote:
> I would like to silently drop the AAAA record lookups instead
> of responding back with NXDOMAIN, thus generating a performance hit
> as the application waits 2 seconds for the reply. 

Responding with NXDOMAIN will have a definite effect on your
recalcitrant application owner - it will stop the v4 lookup as well :-)
If you can do it just for him, that would be ideal.

If the application exists only at one or very few locations you could
rate limit inbound queries at your firewall.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)

GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156



Silently drop queries for AAAA records

2010-12-07 Thread David A. Evans
I'm in the mood to prove a point.   I have a very poorly written 
application that is generating a few hundred queries per second of 
completely bogus AAAA records before attempting a lookup of the correct A 
records.  This is because the application was compiled with an IPv6 
interface enabled on the servers so it assumes that v6 is available.  It is 
not.  The application owner does not see an issue as they get the handful 
of NXDOMAIN responses back in ~2 ms for each valid response and don't see any 
performance hit. 

I would like to silently drop the AAAA record lookups instead of 
responding back with NXDOMAIN, thus generating a performance hit as the 
application waits 2 seconds for the reply.

I have found the filter-aaaa-on-v4 option, but it doesn't quite do what I 
want.  From the description and my testing it appears to still reply with 
NXDOMAIN to these queries; it simply filters out the 'valid' AAAA records 
from IPv4-based replies (which is a really cool solution to other issues, 
but not what I need).

Besides spinning up a BIND 4.x box, which Google tells me did this 
by default, is there any way of doing this?


David A. Evans
Enterprise IP/DNS Management
Network Infrastructure Tools and Services
evans_davi...@cat.com
 
Eschew Obfuscation

Re: Private Zones and Deligation bind9.7.2

2010-12-07 Thread Jay Ford

On Mon, 6 Dec 2010, Barry Margolin wrote:
> In article ,
> Jay Ford wrote:
>
>> On Mon, 6 Dec 2010, Martin McCormick wrote:
>>> the config for this private zone is:
>>>
>>> zone "r.ds" {
>>>     type master;
>>>     file "/etc/namedb/master/r.ds.zone";
>>>     allow-update {
>>>         key updsrv;
>>>     };
>>>     allow-query { any; };
>>>     #a list of slaves
>>>     include "/etc/zoneconfigs/stwnotify";
>>>     notify yes;
>>> };
>>
>> You configured this server to be master for the r.ds zone, which tells this
>> server that it is authoritative for names in that zone.  If it gets a query
>> for a resource record in that zone which it doesn't know, it will answer
>> authoritatively with a negative answer (either NXDOMAIN if the name doesn't
>> exist at all, or NOERROR with no "answer" data if the name exists but not
>> with the queried type).  NS records in a zone don't cause an authoritative
>> server to send queries elsewhere, because the server knows the answer by
>> virtue of being authoritative for the zone.
>
> That's not true.  NS records delimit the extent of the authority, and
> tell it that some other server is authoritative for the subdomain.  So
> as long as recursion is enabled, and the query is recursive, the server
> should follow the delegation.

If this were a normal delegation, from "ds" to "r.ds", you'd be right. 
However, in this case he was defining the "r.ds" zone as master & trying to 
delegate it.  You can't have both.  The master definition overrode the 
delegation, so the server in question acted authoritatively, ignoring the NS 
records.  It didn't need them because it was configured to be master.

I just verified that behavior with a fake master "mit.edu" zone with nothing 
in it but a fake SOA & real NS records.  The server gives an authoritative 
NXDOMAIN for alum.mit.edu & friends because they don't exist in the fake 
"mit.edu" zone for which it is configured to be master.

Anyway, it's a broken configuration which the original poster fixed.


Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951


Re: Black berry

2010-12-07 Thread Greg Whynott
I'm wondering if domain.net and ns1.nameserver.net are defaults which haven't 
been configured yet.  But he is a senior sysadmin, I'm sure he considered that 
already…

-g


On Dec 7, 2010, at 7:37 AM, Matus UHLAR - fantomas wrote:

> On 07.12.10 11:06, Ejaz wrote:
>> We have a problem sending emails when using a BlackBerry device:
>> users cannot send emails either inside or outside the domain
>> when someone is connected to our ISP and uses our DNS server.
>>
>> Does it require any special configuration of BIND in the named.conf file for
>> the BlackBerry users?
>
> No. You only must configure DNS properly.
>
>> The following message to <x...@domain.net> was
>> undeliverable.
>> The reason for the problem:
>> 5.4.7 - Delivery expired (message too old) 'DNS Soft Error looking up
>> domain.net (MX) while asking ns1.nameserver.net. Error was: unable to reach
>> nameserver on any valid IP'
>
> And you must reckon with the fact that with BlackBerry, your mail is not
> coming from your internal network, so your mailservers have to be reachable
> from the internet, or at least from BlackBerry IP ranges.
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> 2B|!2B, that's a question!


--

This message and any attachments may contain confidential and/or privileged 
information for the sole use of the intended recipient. Any review or 
distribution by anyone other than the person for whom it was originally 
intended is strictly prohibited. If you have received this message in error, 
please contact the sender and delete all copies. Opinions, conclusions or other 
information contained in this message may not be that of the organization.


Re: Black berry

2010-12-07 Thread Matus UHLAR - fantomas
On 07.12.10 11:06, Ejaz wrote:
> We have a problem sending emails when using a BlackBerry device:
> users cannot send emails either inside or outside the domain
> when someone is connected to our ISP and uses our DNS server.
> 
> Does it require any special configuration of BIND in the named.conf file for
> the BlackBerry users?

No. You only must configure DNS properly.

> The following message to <x...@domain.net> was
> undeliverable.
> The reason for the problem:
> 5.4.7 - Delivery expired (message too old) 'DNS Soft Error looking up
> domain.net (MX) while asking ns1.nameserver.net. Error was: unable to reach
> nameserver on any valid IP'

And you must reckon with the fact that with BlackBerry, your mail is not
coming from your internal network, so your mailservers have to be reachable
from the internet, or at least from BlackBerry IP ranges.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
2B|!2B, that's a question!


Re: Fwd: Problems with Bind-Kerberos-Windows-Linux

2010-12-07 Thread Phil Mayers

On 12/07/2010 07:53 AM, Jürgen Dietl wrote:
> Hello Sergiu,
> I tried to put in 2 credential entries in the named.conf:
>
> tkey-gssapi-credential "DNS/test.loc"; (that was in before)
> tkey-gssapi-credential "USER/test.loc", (new entry)
> tkey-domain "TEST.LOC";

This is all wrong.

There are two principals involved:

 1. The server - this is what you configure on the DNS server
 2. The client - this is the client's ticket; you don't need to
    configure this, the client obtains it themselves and supplies it when
    they connect

All you need to do is the following:

 1. Ensure there is a principal in your Kerberos realm
    "DNS/hostname.domain.com", matching the hostname of your DNS server

 2. Ensure the keytab on the DNS server contains the keys for this
    principal and is readable by BIND

 3. List this principal in the "tkey-gssapi-credential" in named.conf

 4. Ensure the SOA for your domain contains an MNAME field matching the
    hostname

Unless your DNS server is called "test.loc" I don't think you're doing
it right. I think you need "DNS/hostname.test.loc"



Black berry

2010-12-07 Thread Ejaz
 

Hello all

We have a problem sending emails when using a BlackBerry device:
users cannot send emails either inside or outside the domain
when someone is connected to our ISP and uses our DNS server.

Does it require any special configuration of BIND in the named.conf file for the
BlackBerry users? 

Any help and suggestions are much appreciated. 

Thanks in advance. 

Here is the non-delivery report upon trying to send: 

The following message to <x...@domain.net> was
undeliverable.
The reason for the problem:
5.4.7 - Delivery expired (message too old) 'DNS Soft Error looking up
domain.net (MX) while asking ns1.nameserver.net. Error was: unable to reach
nameserver on any valid IP'

Regards, 
__
Mohammed Ejaz 
Sr. Systems Administrator
Middle East Internet Company (CYBERIA)
Riyadh, Saudi Arabia
Phone: +966-1-4647114  Ext: 140
Mobile +966-562311787
Fax: +966-1-4654735
E-mail: me...@cyberia.net.sa

 
