RE: refused rcode is not working RPZ?
> On 17/11/2016 10:20, LEE SUKMOON wrote: > > > I want to response NXDOMAIN. > > Is it a solution this case? > > You'd usually get SERVFAIL from the recursor because the domain is > misconfigured with a lame delegation, and either way the client won't > get an answer. > > Is there a particular reason that the exact RCODE matters ? > > Ray > This domain causes many recursive query. And client received late SERVFAIL response. I want to quickly response "*.jifr.net". I want to solve this problem using RPZ. Thanks. Sukmoon Lee. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
refused rcode is not working RPZ?
Hi all. I am using RPZ zone. Below line is rpz zone file. But jifr.net is not working. jifr.netCNAME . *.jifr.net CNAME . Unusual, this domain is responding with refused rcode. (from authority name server) $ dig @173.245.58.51 jifr.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 39590 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;jifr.net. IN A ;; Query time: 105 msec I want to response NXDOMAIN. Is it a solution this case? Thanks. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind 9.11, cookes by default
In message <1479332234.30976.34.ca...@ns.five-ten-sg.com>, Carl Byington writes : > On Thu, 2016-11-17 at 07:47 +1100, Mark Andrews wrote: > > I know you think doing this collectively is a service but having > > individuals discover and complain to the site operators that their > > DNS is broken is the only way there will be enough presure brought > > to bear for some of these companies to fix their server > > configurations. > > > It requires noise for them to act. Collectively hiding broken > > servers doesn't generate the noise. > > I agree that having individuals complain is the way to bring enough > pressure to get things fixed. But recording the results of the discovery > process can be centralized. > > > > https://ednscomp.isc.org/ has lists of servers with broken EDNS > > support some of which stops / slows DNS resolution in BIND. > > I am only interested (for now) in the names that are fully broken > without "send-cookie no". It seems more important to get those fixed, > than to fix those that (only) slow down resolution. > > I propose adding /etc/named.broken.servers to track those that cannot > handle cookies, but that file won't be included in the default > /etc/named.conf configuration. It will include for each server the dig > tests that can verify that the server is still broken, and should > include contact information so the bind administrator can send a note > asking that it be fixed. > > For example, something like: > > // adobe servers that don't understand edns options > // > // please send a note asking hostmas...@adobe.com to fix those servers. > // > // dig wip4.adobe.com ns > // dig airdownload.wip4.adobe.com @192.150.16.247 +cookie ==> nxdomain > // dig airdownload.wip4.adobe.com @192.150.16.247 +nocookie ==> noerror > server 192.150.16.247 { send-cookie no; }; > server 192.150.19.247 { send-cookie no; }; > server 193.104.215.247 { send-cookie no; }; > > > > Note that "dig wip4.adobe.com soa" shows hostmas...@sj1gtm001.adobe.com > for that zone, but sj1gtm001.adobe.com has no MX record, and the A > record target does not answer port 25 connections. Adobe has been told multiple times that their servers are misconfigured. The even half fixed them once. Their DNS administrators are just plain incompentent. They can fix this in less than 5 minutes by adding a single period (.) to the end of "sl-download.adobe.com.edgekey.net" in the fallback zone which is used when the a cookie option is present. It should be "sl-download.adobe.com.edgekey.net." which has a period at the end. Without a cookie option you get: airdownload.wip4.adobe.com. 300 IN CNAME ssl-download.adobe.com.edgekey.net. With a cookie option you get: airdownload.wip4.adobe.com. 300 IN CNAME ssl-download.adobe.com.edgekey.net.wip4.adobe.com. They just refuse to act. Mark > -BEGIN PGP SIGNATURE- > Version: GnuPG v2.0.14 (GNU/Linux) > > iEYEAREKAAYFAlgs0WkACgkQL6j7milTFsFF5gCfdguqebQ8OAlClMDJMbFQH06h > LtQAn16TQQaG/zgAL0Sx/mrFCdSvnFwJ > =O049 > -END PGP SIGNATURE- > > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind 9.11, cookes by default
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 On Thu, 2016-11-17 at 07:47 +1100, Mark Andrews wrote: > I know you think doing this collectively is a service but having > individuals discover and complain to the site operators that their > DNS is broken is the only way there will be enough presure brought > to bear for some of these companies to fix their server > configurations. > It requires noise for them to act. Collectively hiding broken > servers doesn't generate the noise. I agree that having individuals complain is the way to bring enough pressure to get things fixed. But recording the results of the discovery process can be centralized. > https://ednscomp.isc.org/ has lists of servers with broken EDNS > support some of which stops / slows DNS resolution in BIND. I am only interested (for now) in the names that are fully broken without "send-cookie no". It seems more important to get those fixed, than to fix those that (only) slow down resolution. I propose adding /etc/named.broken.servers to track those that cannot handle cookies, but that file won't be included in the default /etc/named.conf configuration. It will include for each server the dig tests that can verify that the server is still broken, and should include contact information so the bind administrator can send a note asking that it be fixed. For example, something like: // adobe servers that don't understand edns options // // please send a note asking hostmas...@adobe.com to fix those servers. // // dig wip4.adobe.com ns // dig airdownload.wip4.adobe.com @192.150.16.247 +cookie ==> nxdomain // dig airdownload.wip4.adobe.com @192.150.16.247 +nocookie ==> noerror server 192.150.16.247 { send-cookie no; }; server 192.150.19.247 { send-cookie no; }; server 193.104.215.247 { send-cookie no; }; Note that "dig wip4.adobe.com soa" shows hostmas...@sj1gtm001.adobe.com for that zone, but sj1gtm001.adobe.com has no MX record, and the A record target does not answer port 25 connections. -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) iEYEAREKAAYFAlgs0WkACgkQL6j7milTFsFF5gCfdguqebQ8OAlClMDJMbFQH06h LtQAn16TQQaG/zgAL0Sx/mrFCdSvnFwJ =O049 -END PGP SIGNATURE- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc addzone type forward
> I'm trying to add zone of type "forward" with rndc addzone, but it fails with: Unfortunately that's not currently possible. The configuration syntax is misleading here. You configure forwarding in a view by putting a "zone" statement in named.conf, but it doesn't actually build a zone *object*, the way type "master" or "slave" does; it tells the server to set up a different data structure entirely. The addzone command is focused on zone objects and doesn't know what to do with this. (I thought I remembered documenting this limitation, but I don't see it in the ARM; my apologies for that oversight.) We've had a feature request in our queue for some time to make it possible to configure forwarding via rndc. Hopefully in 9.12. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind 9.11, cookes by default
I know you think doing this collectively is a service but having individuals discover and complain to the site operators that their DNS is broken is the only way there will be enough presure brought to bear for some of these companies to fix their server configurations. It requires noise for them to act. Collectively hiding broken servers doesn't generate the noise. https://ednscomp.isc.org/ has lists of servers with broken EDNS support some of which stops / slows DNS resolution in BIND. Everyone subscribe to the gtld-tech mailing list and complain that ICANN doesn't require registries and registrars under its control to check that servers being delegated to are RFC compliant. Tell them that lack of EDNS compliance is breaking DNS resolution. gtld-tech is tasked with providing operational stability. My lone voice is not enough. It requires collective action to people of the backsides to do stuff. Similarly ask your countries TLD administrators to audit delegated server for DNS and EDNS compliance and to remove delegations if the servers are not fixed in a reasonable period of time. https://datatracker.ietf.org/doc/draft-ietf-dnsop-no-response-issue/ has a list of tests which cover this and other issues which affect DNS interoperability. Mark In message <1479321516.30976.7.ca...@ns.five-ten-sg.com>, Carl Byington write s: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Now that bind is sending cookies by default, there are some broken > servers out there that we need to configure with send-cookie no;. > > Unless I am missing something, 9.11.0-P1 will (by default) fail to > resolve names like airdownload.wip4.adobe.com. > > In the interest of publicly naming and shaming their operators, I will > add an "include /etc/named.broken.servers" file in my packaging. The > content so far is below. Send me a note if you run into any others. > > > // adobe servers that don't understand edns options > // dig wip4.adobe.com ns > // dig airdownload.wip4.adobe.com @192.150.16.247 +cookie ==> nxdomain > // dig airdownload.wip4.adobe.com @192.150.16.247 +nocookie ==> noerror > server 192.150.16.247 { send-cookie no; }; > server 192.150.19.247 { send-cookie no; }; > server 193.104.215.247 { send-cookie no; }; > > > > // eia.gov servers that don't understand edns options > // dig eia.gov ns > // dig phantom.eia.gov. @205.254.135.9 +cookie => formerr > // dig phantom.eia.gov. @205.254.135.9 +nocookie => noerror > server 205.254.135.9{ send-cookie no; }; > server 199.36.140.199 { send-cookie no; }; > > > > // lctcs.edu servers that don't understand edns options > // dig lctcs.edu ns > // dig www.lctcs.edu @76.165.120.16 +cookie => formerr > // dig www.lctcs.edu @76.165.120.16 +nocookie => noerror > server 76.165.120.16{ send-cookie no; }; > server 76.165.210.249 { send-cookie no; }; > > > > // london-nano.com servers that don't understand edns options > // dig london-nano.com ns > // dig www.london-nano.com @213.162.97.177 +cookie > // dig www.london-nano.com @213.162.97.177 +nocookie > server 213.162.97.177 { send-cookie no; }; > server 213.162.97.178 { send-cookie no; }; > > > > // etdbw.com servers that don't understand edns options > (www.mycoverageinfo.com) > // dig www.mycoverageinfo.gtm.etdbw.com. +trace > // dig www.mycoverageinfo.gtm.etdbw.com. @167.79.186.7 +cookie => > noerror, 0 answers > // dig www.mycoverageinfo.gtm.etdbw.com. @167.79.186.7 +nocookie => > noerror, 1 answer > server 167.79.45.7 { send-cookie no; }; > server 167.79.182.7 { send-cookie no; }; > server 167.79.186.7 { send-cookie no; }; > server 167.79.192.7 { send-cookie no; }; > > -BEGIN PGP SIGNATURE- > Version: GnuPG v2.0.14 (GNU/Linux) > > iEYEAREKAAYFAlgsp6AACgkQL6j7milTFsF5VACfXxKp+HLNNX7fczr4xF4qT4LP > UCIAn3h4WPC2QZ21+gYnSuECG3t2nwEQ > =22tF > -END PGP SIGNATURE- > > > ___ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscri > be from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
bind 9.11, cookes by default
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Now that bind is sending cookies by default, there are some broken servers out there that we need to configure with send-cookie no;. Unless I am missing something, 9.11.0-P1 will (by default) fail to resolve names like airdownload.wip4.adobe.com. In the interest of publicly naming and shaming their operators, I will add an "include /etc/named.broken.servers" file in my packaging. The content so far is below. Send me a note if you run into any others. // adobe servers that don't understand edns options // dig wip4.adobe.com ns // dig airdownload.wip4.adobe.com @192.150.16.247 +cookie ==> nxdomain // dig airdownload.wip4.adobe.com @192.150.16.247 +nocookie ==> noerror server 192.150.16.247 { send-cookie no; }; server 192.150.19.247 { send-cookie no; }; server 193.104.215.247 { send-cookie no; }; // eia.gov servers that don't understand edns options // dig eia.gov ns // dig phantom.eia.gov. @205.254.135.9 +cookie => formerr // dig phantom.eia.gov. @205.254.135.9 +nocookie => noerror server 205.254.135.9{ send-cookie no; }; server 199.36.140.199 { send-cookie no; }; // lctcs.edu servers that don't understand edns options // dig lctcs.edu ns // dig www.lctcs.edu @76.165.120.16 +cookie => formerr // dig www.lctcs.edu @76.165.120.16 +nocookie => noerror server 76.165.120.16{ send-cookie no; }; server 76.165.210.249 { send-cookie no; }; // london-nano.com servers that don't understand edns options // dig london-nano.com ns // dig www.london-nano.com @213.162.97.177 +cookie // dig www.london-nano.com @213.162.97.177 +nocookie server 213.162.97.177 { send-cookie no; }; server 213.162.97.178 { send-cookie no; }; // etdbw.com servers that don't understand edns options (www.mycoverageinfo.com) // dig www.mycoverageinfo.gtm.etdbw.com. +trace // dig www.mycoverageinfo.gtm.etdbw.com. @167.79.186.7 +cookie => noerror, 0 answers // dig www.mycoverageinfo.gtm.etdbw.com. @167.79.186.7 +nocookie => noerror, 1 answer server 167.79.45.7 { send-cookie no; }; server 167.79.182.7 { send-cookie no; }; server 167.79.186.7 { send-cookie no; }; server 167.79.192.7 { send-cookie no; }; -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (GNU/Linux) iEYEAREKAAYFAlgsp6AACgkQL6j7milTFsF5VACfXxKp+HLNNX7fczr4xF4qT4LP UCIAn3h4WPC2QZ21+gYnSuECG3t2nwEQ =22tF -END PGP SIGNATURE- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc addzone type forward
Emil Natanwrote: > > I also compiled BIND 9.11.0rc3, but nothing changed, no more verbosity, > only the name of the .nzf file created changed from hash to plain text. Try 9.11.0-P1 which has a few changes since rc3. > Another finding is that the failure .nzf file is created, but it's empty > and the next run of rndc addzone fails with "already exists". Is the zone present in memory but not on disk, perhaps? Try something like: $ curl -Ssf http://server:8053/json/v1/zones | grep name Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode South Biscay, South Fitzroy: Northeasterly 4 or 5 at times in Fitzroy, otherwise variable 3 or 4, becoming westerly 5 or 6 in north. Slight or moderate, becoming rough later in north. Rain or showers. Moderate or good. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc addzone type forward
Original Message Subject: Re: rndc addzone type forward Local Time: November 16, 2016 5:50 PM UTC Time: November 16, 2016 3:50 PM From: e...@foowatch.com To: bind-users@lists.isc.orgOriginal Message Subject: Re: rndc addzone type forward Local Time: November 16, 2016 5:12 PM UTC Time: November 16, 2016 3:12 PM From: d...@dotat.at To: Emil Natan bind-users@lists.isc.org Emil Natan wrote: > > I'm trying to add zone of type "forward" with rndc addzone, but it fails with: > > rndc addzone zone.org '{type forward; forward only; forwarders { > 192.168.20.115; }; };' > rndc: 'addzone' failed: not found I think this happens if you are using a version before 9.11 (which has a more verbose error) and you get the view name wrong. The view name can be wrong if you have multiple views and you don't specify which one. e.g. on a 9.10 server with views: $ rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };' rndc: 'addzone' failed: not found $ And on a 9.11 server with views: $ rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };' rndc: 'addzone' failed: not found no matching view found for '_default' $ You can get a similar error if you specify an incorrect view: $ rndc addzone google in error '{ type forward; forward only; forwarders { 8.8.8.8; }; };' rndc: 'addzone' failed: not found no matching view found for 'error' $ Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Shannon: West 6 to gale 8, perhaps severe gale 9 later. Rough or very rough, becoming mainly high. Thundery showers. Good, occasionally poor. Thank you for your response. I'm not using and not specifying view, which is optional anyway. I also compiled BIND 9.11.0rc3, but nothing changed, no more verbosity, only the name of the .nzf file created changed from hash to plain text. Another finding is that the failure .nzf file is created, but it's empty and the next run of rndc addzone fails with "already exists". root@debugtzc:/usr/local/stow# find /chroot/named -name "*.nzf" root@debugtzc:/usr/local/stow# rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };' rndc: 'addzone' failed: not found root@debugtzc:/usr/local/stow# find /chroot/named -name "*.nzf" /chroot/named/var/named/_default.nzf root@debugtzc:/usr/local/stow# rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };' rndc: 'addzone' failed: already exists configure_zone failed: already exists ls -l /chroot/named/var/named/_default.nzf -rw-r--r-- 1 named named 0 Nov 16 17:39 /chroot/named/var/named/_default.nzf Emil Update: despite the errors, the forwarding takes effect, checked with tcpdump. But now I can't remove the forwarding zone: After: root@debugtzc:/usr/local/stow# rndc addzone google.com '{ type forward; forward only; forwarders { 8.8.4.4; }; }; 'rndc: 'addzone' failed: not found Here forwarding works: 18:04:36.703150 IP debugtzc.isoc.org.il.55531 > 8.8.4.4.domain: 20892+% [1au] A? google.com. (51) But then: root@debugtzc:/usr/local/stow# rndc delzone google.com rndc: 'delzone' failed: not found no matching zone 'google.com' in any view And the queries for google.com are still forwarded to 8.8.4.4. Emil___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc addzone type forward
Original Message Subject: Re: rndc addzone type forward Local Time: November 16, 2016 5:12 PM UTC Time: November 16, 2016 3:12 PM From: d...@dotat.at To: Emil Natanbind-users@lists.isc.org Emil Natan wrote: > > I'm trying to add zone of type "forward" with rndc addzone, but it fails with: > > rndc addzone zone.org '{type forward; forward only; forwarders { > 192.168.20.115; }; };' > rndc: 'addzone' failed: not found I think this happens if you are using a version before 9.11 (which has a more verbose error) and you get the view name wrong. The view name can be wrong if you have multiple views and you don't specify which one. e.g. on a 9.10 server with views: $ rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };' rndc: 'addzone' failed: not found $ And on a 9.11 server with views: $ rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };' rndc: 'addzone' failed: not found no matching view found for '_default' $ You can get a similar error if you specify an incorrect view: $ rndc addzone google in error '{ type forward; forward only; forwarders { 8.8.8.8; }; };' rndc: 'addzone' failed: not found no matching view found for 'error' $ Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Shannon: West 6 to gale 8, perhaps severe gale 9 later. Rough or very rough, becoming mainly high. Thundery showers. Good, occasionally poor. Thank you for your response. I'm not using and not specifying view, which is optional anyway. I also compiled BIND 9.11.0rc3, but nothing changed, no more verbosity, only the name of the .nzf file created changed from hash to plain text. Another finding is that the failure .nzf file is created, but it's empty and the next run of rndc addzone fails with "already exists". root@debugtzc:/usr/local/stow# find /chroot/named -name "*.nzf" root@debugtzc:/usr/local/stow# rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };' rndc: 'addzone' failed: not found root@debugtzc:/usr/local/stow# find /chroot/named -name "*.nzf" /chroot/named/var/named/_default.nzf root@debugtzc:/usr/local/stow# rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };' rndc: 'addzone' failed: already exists configure_zone failed: already exists ls -l /chroot/named/var/named/_default.nzf -rw-r--r-- 1 named named 0 Nov 16 17:39 /chroot/named/var/named/_default.nzf Emil___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc addzone type forward
Emil Natanwrote: > > I'm trying to add zone of type "forward" with rndc addzone, but it fails with: > > rndc addzone zone.org '{type forward; forward only; forwarders { > 192.168.20.115; }; };' > rndc: 'addzone' failed: not found I think this happens if you are using a version before 9.11 (which has a more verbose error) and you get the view name wrong. The view name can be wrong if you have multiple views and you don't specify which one. e.g. on a 9.10 server with views: $ rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };' rndc: 'addzone' failed: not found $ And on a 9.11 server with views: $ rndc addzone google '{ type forward; forward only; forwarders { 8.8.8.8; }; };' rndc: 'addzone' failed: not found no matching view found for '_default' $ You can get a similar error if you specify an incorrect view: $ rndc addzone google in error '{ type forward; forward only; forwarders { 8.8.8.8; }; };' rndc: 'addzone' failed: not found no matching view found for 'error' $ Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Shannon: West 6 to gale 8, perhaps severe gale 9 later. Rough or very rough, becoming mainly high. Thundery showers. Good, occasionally poor. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
rndc addzone type forward
Hello, I'm trying to add zone of type "forward" with rndc addzone, but it fails with: rndc addzone zone.org '{type forward; forward only; forwarders { 192.168.20.115; }; };' rndc: 'addzone' failed: not found I have allow-new-zones set to yes in named.conf. Loading zones of type master works fine. All I see in the logs is: Nov 16 16:12:33 debugtzs named[1018]: general: info: received control channel command 'addzone' Am I missing something? Emil___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND statistics?
On Wed, Nov 16, 2016 at 8:45 AM, Voigt, Thomaswrote: > Hi all, > > I need to create some statistics for our BIND resolvers here. One of the > measures is the number of unique ip addresses per day which are querying > our resolvers. > > I've already checked "rndc stats" output as well as BIND's XML statistics > channels. But I didn't found any value that satisfies this question. > > Another way could be to apply some "grep | sort --unique" logic to the > named_querylog file(s). But those files are around >2Gig per day and > resolver here. That's to much work... > > Is there another way to get this measure? > > -- > Regards > > Thomas > > I suspect that "DSC" collects the data you want, but you might need to configure a graph to show it. https://www.dns-oarc.net/tools/dsc -- Bob Harold ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
BIND statistics?
Hi all, I need to create some statistics for our BIND resolvers here. One of the measures is the number of unique ip addresses per day which are querying our resolvers. I've already checked "rndc stats" output as well as BIND's XML statistics channels. But I didn't found any value that satisfies this question. Another way could be to apply some "grep | sort --unique" logic to the named_querylog file(s). But those files are around >2Gig per day and resolver here. That's to much work... Is there another way to get this measure? -- Regards Thomas ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users