Re: forward only recursive server doesn't forward

2016-10-19 Thread Alex
Hi Mark,

On Wed, Oct 19, 2016 at 9:48 PM, Mark Andrews  wrote:
>
> In message 
> , Alex 
> writes:
>> Hi,
>>
>> I have a bind-9.10.3 server on fedora22 that is authoritative for a
>> few domains and their corresponding IP ranges. I'd like to set up
>> another domain server (rbldnsd) on a host in one of those domains as a
>> forward-only server.
>>
>> The problem appears to be that the queries from the local box to the
>> subdomain being managed by the rbldnsd server are being answered by
>> the local bind instead of being sent to the remote machine running
>> rbldnsd.
>
> Add a delegation for scann.example.com in example.com.  Forward
> zones control *where* the queries are sent, not if queries are sent.

I'm sorry, I don't understand. This system is already a slave for the
forward zone example.com. I just realized I forgot to include that in
my previous post:

zone "example.com" {
type slave;
file "slaves/db.example.com";
masters { 64.1.1.3; };
allow-query { any; };
allow-transfer { trusted; };
};

Thanks,
Alex
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: forward only recursive server doesn't forward

2016-10-19 Thread Mark Andrews

In message 
, Alex 
writes:
> Hi,
> 
> I have a bind-9.10.3 server on fedora22 that is authoritative for a
> few domains and their corresponding IP ranges. I'd like to set up
> another domain server (rbldnsd) on a host in one of those domains as a
> forward-only server.
> 
> The problem appears to be that the queries from the local box to the
> subdomain being managed by the rbldnsd server are being answered by
> the local bind instead of being sent to the remote machine running
> rbldnsd.

Add a delegation for scann.example.com in example.com.  Forward
zones control *where* the queries are sent, not if queries are sent.

> In other words, I believe the issue is that the host is already
> authoritative for the reverse zone, so there would be no reason for it
> to forward these queries to another system.
> 
> Here are the relevant sections of my named.conf:
> 
> // spam IP entries
> zone "scann.example.com" {
> type forward;
> forwarders { 66.104.104.66; };
> };
> 
> // zone info for 66.104.104.96/28
> zone "96/28.104.104.66.in-addr.arpa" {
> type slave;
> file "slaves/db.104.104.66";
> masters { 64.1.1.3; };
> allow-query { any; };
> allow-transfer { trusted; };
> };
> 
> Queries for abc.com.scann.example.com fail with NXDOMAIN. Log entries
> are similar to this:
> 
> 19-Oct-2016 21:22:39.846 queries: client 127.0.0.1#41809
> (abc.com.scann.example.com): query: abc.com.scann.example.com IN A +
> (127.0.0.1)
> 
> I set up the reverse zone a long time ago, and I don't think the "zone
> 96/28.104.104.66.in-addr.arpa" is completely correct, but it appears
> to work. I'm not sure if that's related to the problem, but would
> appreciate advice there.
> 
> Thanks,
> Alex
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
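The delegation Mark describes, written out as an added configuration example (it is not from the thread and not Alex's files). Assumptions: the rbldnsd host is given the name rbl.example.com; its address 66.104.104.66 is the forwarder from Alex's named.conf. The NS record is zone data, so on a setup where the BIND host is a slave for example.com it has to be added on the master (64.1.1.3 in the thread) and reaches the slave by zone transfer; an edit to slaves/db.example.com would be overwritten by the next transfer.

```conf
;; --- example.com zone file, on the primary for example.com ---
;; Added example, not a file from the thread. "rbl" is an assumed hostname.
;; Without this NS record named is authoritative for every name under
;; example.com, answers abc.com.scann.example.com with NXDOMAIN from its
;; own zone data, and never recurses, so the forward zone below is never
;; consulted. With it, the zone hands back a referral, named recurses, and
;; the forward zone decides where that recursion goes.
scann.example.com.    IN NS  rbl.example.com.

;; The nameserver name sits outside the delegated subdomain, so no glue
;; record is needed below the zone cut; this is ordinary zone data.
rbl.example.com.      IN A   66.104.104.66

// --- named.conf on the BIND host (Alex's forward zone) ---
// "forward only" is added here: without it the default is "forward first",
// which falls back to iterating to the delegated NS if the forwarder
// does not answer.
zone "scann.example.com" {
    type forward;
    forward only;
    forwarders { 66.104.104.66; };
};
```

To check the change after the slave has transferred the zone: `dig @127.0.0.1 scann.example.com NS` should return the delegation from the example.com data, and `dig @127.0.0.1 abc.com.scann.example.com A` should now be logged as a recursive query and answered with whatever rbldnsd returns rather than a local NXDOMAIN. `named-checkzone example.com <zonefile>` on the primary catches a malformed delegation before it is loaded.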


forward only recursive server doesn't forward

2016-10-19 Thread Alex
Hi,

I have a bind-9.10.3 server on fedora22 that is authoritative for a
few domains and their corresponding IP ranges. I'd like to set up
another domain server (rbldnsd) on a host in one of those domains as a
forward-only server.

The problem appears to be that the queries from the local box to the
subdomain being managed by the rbldnsd server are being answered by
the local bind instead of being sent to the remote machine running
rbldnsd.

In other words, I believe the issue is that the host is already
authoritative for the reverse zone, so there would be no reason for it
to forward these queries to another system.

Here are the relevant sections of my named.conf:

// spam IP entries
zone "scann.example.com" {
type forward;
forwarders { 66.104.104.66; };
};

// zone info for 66.104.104.96/28
zone "96/28.104.104.66.in-addr.arpa" {
type slave;
file "slaves/db.104.104.66";
masters { 64.1.1.3; };
allow-query { any; };
allow-transfer { trusted; };
};

Queries for abc.com.scann.example.com fail with NXDOMAIN. Log entries
are similar to this:

19-Oct-2016 21:22:39.846 queries: client 127.0.0.1#41809
(abc.com.scann.example.com): query: abc.com.scann.example.com IN A +
(127.0.0.1)

I set up the reverse zone a long time ago, and I don't think the "zone
96/28.104.104.66.in-addr.arpa" is completely correct, but it appears
to work. I'm not sure if that's related to the problem, but would
appreciate advice there.

Thanks,
Alex


network test machine

2016-10-19 Thread Curtis Blackburn
ISC's software testing procedures no longer use our Ixia XT80-V2, so
rather than letting it sit idle, we have offered it for sale on eBay:

http://www.ebay.com/itm/-/192000694217

If you don't know what an Ixia XT80 is then probably you don't need one,
but if you do, this is a really good price.


Re: view problem

2016-10-19 Thread Pol Hallen

If there are zones that both sets of clients should see, you have to
duplicate them in both views. Overlapping views don't do this
automatically.


solved thanks your advice

cheers!

Pol


RE: RRL BIND Recursive

2016-10-19 Thread Mahdi Adnan
Thank you for your reply. I'll look into RCRRL. I'm getting a huge number of bogus
requests that are causing SERVFAIL, like "snwjkjsdw.com" and so on, and that's why I'm
trying to use RRL. All those requests are coming from my internal clients.

rndc status:

version: 9.9.4-RedHat
CPUs found: 48
worker threads: 48
UDP listeners per interface: 12
number of zones: 5
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 870/99900/10
tcp clients: 3/100

If you have any other idea to block such requests, that would be helpful.


-- 



Respectfully

Mahdi A. Mahdi



> Subject: Re: RRL BIND Recursive
> To: bind-users@lists.isc.org
> From: cat...@isc.org
> Date: Wed, 19 Oct 2016 10:05:10 +0100
> 
> On 18/10/2016 07:37, Mahdi Adnan wrote:
> > Hi,
> > 
> > I have a few servers running a recursive DNS bind service, i configured
> > one of the servers to limit the rate of requests.
> > my configuration is:
> > 
> > rate-limit { log-only yes; errors-per-second 8; nxdomains-per-second 8;
> > ipv4-prefix-length 32;
> > 
> > As soon as i apply these changes my server drop 90% of the requests
> > after a minute or two.
> > do you have any idea why is this happening ?
> > bind version is :
> > BIND 9.9.4-RedHat-9.9.4-29.el7_2.4
> 
> This is a recursive server, so I think you've chosen the wrong tool -
> Response Rate Limiting (RRL) is applied to responses - so all of the
> work to get the response for a client is done before the rate limiting
> is applied - you want something that prevents that, not just the
> responses.
> 
> Have a look at recursive client rate limiting instead:
> https://kb.isc.org/article/AA-01304
> 
> (You're probably going to have to upgrade your BIND to get it).
> 
> Moreover, you have "ipv4-prefix-length 32;" (the default is 24 and is 24
> for a reason - the overhead of managing all the rate limited buckets is
> going to be greater when you have more granularity.)
> 
> I would guess that by adding RRL, even log-only, to a recursive server
> that is already under stress, that you've made it harder for it to
> function and have tipped it over the edge and you now have a build-up of
> recursive clients (backlog) to the point where named isn't able to
> respond to incoming queries quickly enough.  It's also possible that
> your named isn't able to read queries from the UDP socket fast enough,
> and you have the buffer there overrunning and dropping queries.
> 
> rndc status will show you if you're hitting the limit of recursive
> clients.  If you are, increasing it probably isn't going to help you -
> you need to deal with why you have the backlog (but having a limit that
> is bigger than 1000 will get you a soft limit as well as a hard limit,
> so reaching the limit should cause SERVFAIL rather than drops).
> 
> Cathy
> 
> 

Re: RRL BIND Recursive

2016-10-19 Thread Cathy Almond
On 18/10/2016 07:37, Mahdi Adnan wrote:
> Hi,
> 
> I have a few servers running a recursive DNS bind service, i configured
> one of the servers to limit the rate of requests.
> my configuration is:
> 
> rate-limit { log-only yes; errors-per-second 8; nxdomains-per-second 8;
> ipv4-prefix-length 32;
> 
> As soon as i apply these changes my server drop 90% of the requests
> after a minute or two.
> do you have any idea why is this happening ?
> bind version is :
> BIND 9.9.4-RedHat-9.9.4-29.el7_2.4

This is a recursive server, so I think you've chosen the wrong tool -
Response Rate Limiting (RRL) is applied to responses - so all of the
work to get the response for a client is done before the rate limiting
is applied - you want something that prevents that, not just the
responses.

Have a look at recursive client rate limiting instead:
https://kb.isc.org/article/AA-01304

(You're probably going to have to upgrade your BIND to get it).

Moreover, you have "ipv4-prefix-length 32;" (the default is 24 and is 24
for a reason - the overhead of managing all the rate limited buckets is
going to be greater when you have more granularity.)

I would guess that by adding RRL, even log-only, to a recursive server
that is already under stress, that you've made it harder for it to
function and have tipped it over the edge and you now have a build-up of
recursive clients (backlog) to the point where named isn't able to
respond to incoming queries quickly enough.  It's also possible that
your named isn't able to read queries from the UDP socket fast enough,
and you have the buffer there overrunning and dropping queries.

rndc status will show you if you're hitting the limit of recursive
clients.  If you are, increasing it probably isn't going to help you -
you need to deal with why you have the backlog (but having a limit that
is bigger than 1000 will get you a soft limit as well as a hard limit,
so reaching the limit should cause SERVFAIL rather than drops).

Cathy


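The two configurations Cathy contrasts, as an added example that is not from the thread and not Mahdi's named.conf. The first fragment is the posted rate-limit block, completed with the closing brace it was missing and the default prefix length, and it only makes sense on an authoritative server. The second is the recursive client rate limiting (fetch limits) she points to, which requires BIND 9.9.8 / 9.10.3 or later, which is why 9.9.4 would need an upgrade. All numeric values are illustrative assumptions, not tuned limits; the two fragments are alternatives, since named.conf takes a single options block.

```conf
// (a) The posted form, corrected. RRL is evaluated on the response, after
// the recursion that produced it, so on a recursive server every bogus
// name still costs a full fetch before RRL sees it. Keep this for
// authoritative service; /32 buckets (as posted) multiply the state RRL
// has to track, which is why the default is /24.
options {
    recursion no;
    rate-limit {
        log-only yes;
        errors-per-second 8;
        nxdomains-per-second 8;
        ipv4-prefix-length 24;   // default; the posted /32 was the outlier
    };
};

// (b) What Cathy recommends for a recursive server. These caps bound the
// number of outstanding fetches, so a stream of junk names under domains
// whose servers do not answer cannot hold every recursive-clients slot.
// "fail" returns SERVFAIL to the client once the quota is hit; "drop"
// discards the query silently. Values here are assumed, not recommended.
options {
    recursion yes;
    // Above 1000 named also keeps a soft quota 100 below the hard one
    // (99900 for 100000, matching the rndc status output in the thread),
    // so the first limit reached causes SERVFAIL rather than silent drops.
    recursive-clients 100000;
    fetches-per-server 500 fail;  // outstanding fetches to any one upstream server
    fetches-per-zone 200 fail;    // outstanding fetches for names in any one zone
};
```

While the server is in the backlogged state, `rndc recursing` dumps the in-progress recursive queries to the named.recursing file, which shows which names are holding the slots; `rndc status` before and after the change shows whether the recursive clients count stays below the soft quota. Both fetch limits are per-view when views are in use.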