Re: record PTR

2024-03-14 Thread Ben Croswell
181.242.197.in-addr.arpa. 3600 IN NS douala0.orange.cm.
181.242.197.in-addr.arpa. 3600 IN NS nsbangui.orangerca.com.
181.242.197.in-addr.arpa. 3600 IN NS yaounde0.orange.cm.

The in-addr currently points to the DNS servers above. Those would need to
be changed to your servers or the owners of those servers would need to add
the PTR records.

On Thu, Mar 14, 2024, 8:19 AM  wrote:

> Thank you for your response.
>
> In my case, I have added a PTR record for mail.sami.tn pointing to
> 197.242.181.69, but it is still not visible from the outside. However, when
> I test 'dig @0 -x 197.242.181.69', it works. Do I need to request a
> delegation of 197.242.181.69 to the name servers ns1.sami.tn?
>
>
>
> From: Ben Croswell 
> Sent: Thursday, 14 March 2024 13:10
> To: RAHAL Sami SOFRECOM ; ML BIND Users <bind-users@lists.isc.org>
> Subject: Re: record PTR
>
>
>
> The in-addr.arpa domain for your IP space will need to be delegated to
> your DNS servers. That generally happens at the entity that assigned the
> block. For instance ARIN, RIPE, or APNIC.
>
>
>
> On Thu, Mar 14, 2024, 8:06 AM  wrote:
>
> Hello, please, I want to know if I need to delegate a range of IP
> addresses to my authoritative DNS server with my registrar before creating
> a PTR record or not. In other words, if I want to create a PTR record on my
> authoritative server (ns1.mydomain.com) for mail.mydomain.com pointing to
> 41.226.22.50, should the range 41.226.22.0/24 be delegated to my
> authoritative DNS server ns1.mydomain.com?
>
> Regards Sami
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
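
An added example (not code from the thread) of the check behind Ben's answer: compute the reverse name for the address and prefix under discussion, then compare the NS set the parent publishes for the reverse zone with the operator's own servers. The NS records are the three quoted above; `ns1.sami.tn` as the expected server comes from the question, and the network data is embedded so the check runs offline.

```python
"""Reverse-DNS delegation check (added example, not code from the thread).

Given an address or prefix, compute its in-addr.arpa / ip6.arpa name, then
compare the NS set the parent publishes for the reverse zone with the servers
the operator expects. A PTR that answers to 'dig @0 -x' but not from outside
is the classic symptom of a delegation that still points elsewhere.
"""
import ipaddress

# NS records quoted in the thread for the reverse zone of 197.242.181.0/24.
THREAD_NS_RECORDS = """
181.242.197.in-addr.arpa. 3600 IN NS douala0.orange.cm.
181.242.197.in-addr.arpa. 3600 IN NS nsbangui.orangerca.com.
181.242.197.in-addr.arpa. 3600 IN NS yaounde0.orange.cm.
"""


def reverse_name(addr):
    """PTR owner name for one address, e.g. 69.181.242.197.in-addr.arpa."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def reverse_zone(prefix):
    """Reverse zone that the parent would delegate for a prefix.

    IPv4 reverse zones sit on octet boundaries (/8, /16, /24) and IPv6 zones
    on nibble boundaries; other lengths need classless (RFC 2317 style)
    delegation, which this helper does not model.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are delegated on octet boundaries")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def parse_ns(zone_text):
    """Parse 'owner TTL IN NS target' lines into {owner: {targets}} (lower-cased)."""
    ns = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            ns.setdefault(fields[0].lower(), set()).add(fields[4].lower())
    return ns


def delegation_status(ns_records, prefix, your_servers):
    """Classify who the reverse zone for `prefix` is delegated to.

    Returns (zone, status) with status one of:
      'not_delegated'        no NS records seen for the zone at all
      'delegated_to_you'     every NS names one of your servers
      'mixed'                some NS are yours, some belong to someone else
      'delegated_elsewhere'  the parent points only at someone else's servers
    """
    zone = reverse_zone(prefix)
    delegated = ns_records.get(zone, set())
    yours = {s.lower().rstrip(".") + "." for s in your_servers}
    if not delegated:
        return zone, "not_delegated"
    if delegated <= yours:
        return zone, "delegated_to_you"
    if delegated & yours:
        return zone, "mixed"
    return zone, "delegated_elsewhere"


if __name__ == "__main__":
    records = parse_ns(THREAD_NS_RECORDS)
    zone, status = delegation_status(records, "197.242.181.0/24", ["ns1.sami.tn"])
    print(reverse_name("197.242.181.69"), "lives in", zone, "->", status)
```

Only the delegation at the parent decides what outside resolvers see; a local `dig @0 -x` succeeds because the local server is authoritative for the zone regardless of whether anyone delegated to it.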


Re: record PTR

2024-03-14 Thread Ben Croswell
The in-addr.arpa domain for your IP space will need to be delegated to your
DNS servers. That generally happens at the entity that assigned the block.
For instance ARIN, RIPE, or APNIC.

On Thu, Mar 14, 2024, 8:06 AM  wrote:

> Hello, please, I want to know if I need to delegate a range of IP
> addresses to my authoritative DNS server with my registrar before creating
> a PTR record or not. In other words, if I want to create a PTR record on my
> authoritative server (ns1.mydomain.com) for mail.mydomain.com pointing to
> 41.226.22.50, should the range 41.226.22.0/24 be delegated to my
> authoritative DNS server ns1.mydomain.com?
>
> Regards Sami


Recursive client query rate-limiting

2023-08-30 Thread Ben Bridges
Hi,

Is there a BIND configuration option that would limit the number of recursive 
client buffers/structures that any single client can consume on a BIND server 
at a time?  I.e., any single client could only consume (say) 10 recursive 
client buffers at a time, and if the client sends another (unique) recursive 
query while it is already consuming 10 recursive client buffers, the server 
would drop the new request (or send a SERVFAIL response).  I know about the 
Recursive Client Rate Limiting (fetches-per-server, fetches-per-zone) and 
clients-per-query, those aren't what I'm asking about.

Thanks,

.Ben Bridges.


RE: Bind 9.16.1 crash

2022-12-07 Thread Ben Bridges
When you say “ISC packages”, are you referring to the packages in the 
ppa:isc/bind repository on launchpad?

Ben Bridges

From: Ondřej Surý 
Sent: Thursday, December 8, 2022 12:26 AM
To: Ben Bridges 
Cc: Emmanuel Fusté ; bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash

In fact, it’s as far from being “fully patched” as possible. Not all bugs are 
security bugs and not all crashes are security bugs.

Ubuntu is pushing a version that has received most refactoring in the 
networking code in the recent history.

The “we don’t update upstream version” policy works well only if you carefully 
pick the upstream version. Instead this is a snapshot of Debian at a random point in 
time and this is the unfortunate result. I’ve negotiated the exception for 
Debian to carry the latest upstream release for a good reason.

You are going to do so much better by using ISC packages. And my general 
recommendation would be to go straight to latest 9.18.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


On 8. 12. 2022, at 1:03, Ben Bridges  wrote:

According to the Ubuntu maintainers, the bind9 package on our server 
(1:9.16.1-0ubuntu2.11) is fully patched for all the BIND 9 CVEs including the 
latest batch of 6 released on 2022-09-21 (CVE-2022-38178, CVE-2022-38177, 
CVE-2022-3080, CVE-2022-2906, CVE-2022-2881, and CVE-2022-2795).


From: Emmanuel Fusté 
Sent: Wednesday, December 7, 2022 4:22 PM
To: Ben Bridges ; bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash

Current ESV : 9.16.35

No, your release is not patched.
Add the ISC PPA repo and install the latest ESV. ISC PPA packages are packaged 
by the same maintainers.

On Wed, 7 Dec 2022, 23:02, Ben Bridges <bbrid...@springnet.net> wrote:
Ubuntu 20.04.5 is LTS and BIND 9.16 is the current stable ESV release, so 
they’re both still fully supported (and fully patched).

Thanks,
Ben Bridges

From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of John Thurston
Sent: Wednesday, December 7, 2022 2:32 PM
To: bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash


To me, the next step is to get your instance of BIND somewhat up to date.

I'm not a "gotta be on the bleeding edge" kinda guy, but running a version 
released in first quarter of 2020 is old even by my standards. Is there some 
business reason to keep running a +2 year old version of BIND?

--

Do things because you should, not just because you can.



John Thurston 907-465-8591

john.thurs...@alaska.gov

Department of Administration

State of Alaska
On 12/7/2022 10:32 AM, Ben Bridges wrote:
The BIND version is 9.16.1 running on a fully patched Ubuntu 20.04.5 server.



RE: Bind 9.16.1 crash

2022-12-07 Thread Ben Bridges
It looks like that issue was occurring in a different part of the netmgr code 
and was fixed 8 months ago.

Thanks,
Ben Bridges

From: bind-users  On Behalf Of Andrew Latham
Sent: Wednesday, December 7, 2022 2:35 PM
Cc: bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash

I see https://gitlab.isc.org/isc-projects/bind9/-/issues/3020 and 
https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5998 which might help

I did not see a CVE but only did a quick search


On Wed, Dec 7, 2022 at 12:33 PM Ben Bridges <bbrid...@springnet.net> wrote:
Greetings.

This morning one of our BIND daemons crashed.  The following messages were 
logged in named.run at the time:

07-Dec-2022 11:58:37.097 general: critical: netmgr.c:687: 
REQUIRE((__builtin_expect(!!((sock) != ((void *)0)), 1) && 
__builtin_expect(!!(((const isc__magic_t *)(sock))->magic == ((('N') << 24 | 
('M') << 16 | ('S') << 8 | ('K', 1))) failed, back trace
07-Dec-2022 11:58:37.097 general: critical: #0 0x56508c798e43 in ??
07-Dec-2022 11:58:37.097 general: critical: #1 0x7fa72e881ac0 in ??
07-Dec-2022 11:58:37.097 general: critical: #2 0x7fa72e89978a in ??
07-Dec-2022 11:58:37.097 general: critical: #3 0x7fa72e89a240 in ??
07-Dec-2022 11:58:37.097 general: critical: #4 0x7fa72e89e18b in ??
07-Dec-2022 11:58:37.097 general: critical: #5 0x7fa72eb67707 in ??
07-Dec-2022 11:58:37.097 general: critical: #6 0x7fa72eb68fe9 in ??
07-Dec-2022 11:58:37.097 general: critical: #7 0x7fa72eb779b0 in ??
07-Dec-2022 11:58:37.097 general: critical: #8 0x7fa72eb7f9a7 in ??
07-Dec-2022 11:58:37.097 general: critical: #9 0x7fa72eb8116e in ??
07-Dec-2022 11:58:37.097 general: critical: #10 0x7fa72eb816cd in ??
07-Dec-2022 11:58:37.097 general: critical: #11 0x7fa72eb823c9 in ??
07-Dec-2022 11:58:37.097 general: critical: #12 0x7fa72eb884c6 in ??
07-Dec-2022 11:58:37.097 general: critical: #13 0x7fa72e8a8fa1 in ??
07-Dec-2022 11:58:37.097 general: critical: #14 0x7fa72e370609 in ??
07-Dec-2022 11:58:37.097 general: critical: #15 0x7fa72e28f133 in ??
07-Dec-2022 11:58:37.097 general: critical: exiting (due to assertion failure)

I did some googling and was unable to find this specific "netmgr.c:687" 
message.  Is this assertion failure due to a known CVE (perhaps recently 
discovered and not yet patched)?  We've had no issues with this server up to 
this point.  The BIND version is 9.16.1 running on a fully patched Ubuntu 
20.04.5 server.  This server does nothing other than run BIND.  Any assistance 
determining what happened and how to prevent it from happening again would be 
much appreciated.  If this is not the proper forum for this posting, please 
point me in the right direction.

Thanks,
Ben Bridges







RE: Bind 9.16.1 crash

2022-12-07 Thread Ben Bridges
According to the Ubuntu maintainers, the bind9 package on our server 
(1:9.16.1-0ubuntu2.11) is fully patched for all the BIND 9 CVEs including the 
latest batch of 6 released on 2022-09-21 (CVE-2022-38178, CVE-2022-38177, 
CVE-2022-3080, CVE-2022-2906, CVE-2022-2881, and CVE-2022-2795).


From: Emmanuel Fusté 
Sent: Wednesday, December 7, 2022 4:22 PM
To: Ben Bridges ; bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash

Current ESV : 9.16.35

No, your release is not patched.
Add the ISC PPA repo and install the latest ESV. ISC PPA packages are packaged 
by the same maintainers.

On Wed, 7 Dec 2022, 23:02, Ben Bridges <bbrid...@springnet.net> wrote:
Ubuntu 20.04.5 is LTS and BIND 9.16 is the current stable ESV release, so 
they're both still fully supported (and fully patched).

Thanks,
Ben Bridges

From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of John Thurston
Sent: Wednesday, December 7, 2022 2:32 PM
To: bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash


To me, the next step is to get your instance of BIND somewhat up to date.

I'm not a "gotta be on the bleeding edge" kinda guy, but running a version 
released in first quarter of 2020 is old even by my standards. Is there some 
business reason to keep running a +2 year old version of BIND?

--

Do things because you should, not just because you can.



John Thurston 907-465-8591

john.thurs...@alaska.gov

Department of Administration

State of Alaska
On 12/7/2022 10:32 AM, Ben Bridges wrote:
The BIND version is 9.16.1 running on a fully patched Ubuntu 20.04.5 server.



RE: Bind 9.16.1 crash

2022-12-07 Thread Ben Bridges
Ubuntu 20.04.5 is LTS and BIND 9.16 is the current stable ESV release, so 
they’re both still fully supported (and fully patched).

Thanks,
Ben Bridges

From: bind-users  On Behalf Of John Thurston
Sent: Wednesday, December 7, 2022 2:32 PM
To: bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash


To me, the next step is to get your instance of BIND somewhat up to date.

I'm not a "gotta be on the bleeding edge" kinda guy, but running a version 
released in first quarter of 2020 is old even by my standards. Is there some 
business reason to keep running a +2 year old version of BIND?

--

Do things because you should, not just because you can.



John Thurston 907-465-8591

john.thurs...@alaska.gov

Department of Administration

State of Alaska
On 12/7/2022 10:32 AM, Ben Bridges wrote:
The BIND version is 9.16.1 running on a fully patched Ubuntu 20.04.5 server.



Bind 9.16.1 crash

2022-12-07 Thread Ben Bridges
Greetings.

This morning one of our BIND daemons crashed.  The following messages were 
logged in named.run at the time:

07-Dec-2022 11:58:37.097 general: critical: netmgr.c:687: 
REQUIRE((__builtin_expect(!!((sock) != ((void *)0)), 1) && 
__builtin_expect(!!(((const isc__magic_t *)(sock))->magic == ((('N') << 24 | 
('M') << 16 | ('S') << 8 | ('K', 1))) failed, back trace
07-Dec-2022 11:58:37.097 general: critical: #0 0x56508c798e43 in ??
07-Dec-2022 11:58:37.097 general: critical: #1 0x7fa72e881ac0 in ??
07-Dec-2022 11:58:37.097 general: critical: #2 0x7fa72e89978a in ??
07-Dec-2022 11:58:37.097 general: critical: #3 0x7fa72e89a240 in ??
07-Dec-2022 11:58:37.097 general: critical: #4 0x7fa72e89e18b in ??
07-Dec-2022 11:58:37.097 general: critical: #5 0x7fa72eb67707 in ??
07-Dec-2022 11:58:37.097 general: critical: #6 0x7fa72eb68fe9 in ??
07-Dec-2022 11:58:37.097 general: critical: #7 0x7fa72eb779b0 in ??
07-Dec-2022 11:58:37.097 general: critical: #8 0x7fa72eb7f9a7 in ??
07-Dec-2022 11:58:37.097 general: critical: #9 0x7fa72eb8116e in ??
07-Dec-2022 11:58:37.097 general: critical: #10 0x7fa72eb816cd in ??
07-Dec-2022 11:58:37.097 general: critical: #11 0x7fa72eb823c9 in ??
07-Dec-2022 11:58:37.097 general: critical: #12 0x7fa72eb884c6 in ??
07-Dec-2022 11:58:37.097 general: critical: #13 0x7fa72e8a8fa1 in ??
07-Dec-2022 11:58:37.097 general: critical: #14 0x7fa72e370609 in ??
07-Dec-2022 11:58:37.097 general: critical: #15 0x7fa72e28f133 in ??
07-Dec-2022 11:58:37.097 general: critical: exiting (due to assertion failure)

I did some googling and was unable to find this specific "netmgr.c:687" 
message.  Is this assertion failure due to a known CVE (perhaps recently 
discovered and not yet patched)?  We've had no issues with this server up to 
this point.  The BIND version is 9.16.1 running on a fully patched Ubuntu 
20.04.5 server.  This server does nothing other than run BIND.  Any assistance 
determining what happened and how to prevent it from happening again would be 
much appreciated.  If this is not the proper forum for this posting, please 
point me in the right direction.

Thanks,
Ben Bridges


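
Two checks a defender would script from this thread, as an added example that is not ISC's code nor anything posted in the thread: re-join the mail-wrapped named.run records and pull out the assertion location, the backtrace (every frame here is `??`, i.e. unsymbolized, so a useful bug report needs the matching debug symbols), and the exit marker; then compare the Ubuntu package's upstream version with the ESV number the replies give (9.16.35). The log lines and version strings are the ones quoted in the thread; the regexes are written for that log format.

```python
"""Triage helpers for a named assertion-failure crash (added example, not ISC code).

Parses the named.run excerpt quoted in the thread, whose first record a mail
client wrapped onto several lines, and compares the distribution package
version against the ESV number given in the replies.
"""
import re

# named.run records as quoted in the thread (the first record is mail-wrapped).
SAMPLE_LOG = """\
07-Dec-2022 11:58:37.097 general: critical: netmgr.c:687:
REQUIRE((__builtin_expect(!!((sock) != ((void *)0)), 1) &&
__builtin_expect(!!(((const isc__magic_t *)(sock))->magic == ((('N') << 24 |
('M') << 16 | ('S') << 8 | ('K', 1))) failed, back trace
07-Dec-2022 11:58:37.097 general: critical: #0 0x56508c798e43 in ??
07-Dec-2022 11:58:37.097 general: critical: #1 0x7fa72e881ac0 in ??
07-Dec-2022 11:58:37.097 general: critical: #2 0x7fa72e89978a in ??
07-Dec-2022 11:58:37.097 general: critical: #3 0x7fa72e89a240 in ??
07-Dec-2022 11:58:37.097 general: critical: #4 0x7fa72e89e18b in ??
07-Dec-2022 11:58:37.097 general: critical: #5 0x7fa72eb67707 in ??
07-Dec-2022 11:58:37.097 general: critical: #6 0x7fa72eb68fe9 in ??
07-Dec-2022 11:58:37.097 general: critical: #7 0x7fa72eb779b0 in ??
07-Dec-2022 11:58:37.097 general: critical: #8 0x7fa72eb7f9a7 in ??
07-Dec-2022 11:58:37.097 general: critical: #9 0x7fa72eb8116e in ??
07-Dec-2022 11:58:37.097 general: critical: #10 0x7fa72eb816cd in ??
07-Dec-2022 11:58:37.097 general: critical: #11 0x7fa72eb823c9 in ??
07-Dec-2022 11:58:37.097 general: critical: #12 0x7fa72eb884c6 in ??
07-Dec-2022 11:58:37.097 general: critical: #13 0x7fa72e8a8fa1 in ??
07-Dec-2022 11:58:37.097 general: critical: #14 0x7fa72e370609 in ??
07-Dec-2022 11:58:37.097 general: critical: #15 0x7fa72e28f133 in ??
07-Dec-2022 11:58:37.097 general: critical: exiting (due to assertion failure)
"""

TS_RE = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
ASSERT_RE = re.compile(
    r"critical: (?P<file>[\w./-]+\.c):(?P<line>\d+): "
    r"(?P<check>REQUIRE|INSIST|ENSURE|RUNTIME_CHECK)\("
)
FRAME_RE = re.compile(r"critical: #(?P<n>\d+) (?P<addr>0x[0-9a-fA-F]+) in (?P<sym>.*)$")
EXIT_RE = re.compile(r"critical: exiting \(due to assertion failure\)")


def unwrap(log_text):
    """Re-join records wrapped in transit: a real record starts with a timestamp."""
    records = []
    for raw in log_text.splitlines():
        if TS_RE.match(raw) or not records:
            records.append(raw.rstrip())
        else:
            records[-1] += " " + raw.strip()
    return records


def find_assertion_crash(log_text):
    """Return the assertion location, backtrace stats and exit flag, or None."""
    crash = None
    for record in unwrap(log_text):
        m = ASSERT_RE.search(record)
        if m:
            crash = {"file": m["file"], "line": int(m["line"]), "check": m["check"],
                     "frames": 0, "unsymbolized": 0, "exited": False}
            continue
        if crash is None:
            continue
        f = FRAME_RE.search(record)
        if f:
            crash["frames"] += 1
            # '??' means no symbol was resolved for the frame: a report built
            # from this trace needs the matching debug symbols to be useful.
            if f["sym"].strip() == "??":
                crash["unsymbolized"] += 1
        elif EXIT_RE.search(record):
            crash["exited"] = True
    return crash


def upstream_version(debian_version):
    """'1:9.16.1-0ubuntu2.11' -> (9, 16, 1): strip the epoch and Debian revision."""
    core = debian_version.split(":", 1)[-1].split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def behind_esv(debian_version, esv):
    """True if the packaged upstream version is older than the ESV release."""
    return upstream_version(debian_version) < tuple(int(p) for p in esv.split("."))


if __name__ == "__main__":
    print(find_assertion_crash(SAMPLE_LOG))
    print("behind ESV 9.16.35:", behind_esv("1:9.16.1-0ubuntu2.11", "9.16.35"))
```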


Re: AXFR from Windows 2008R2 failing after upgrading to 9.18

2022-05-23 Thread Ben Lavender
Any logs?

Regards

Ben Lavender

On Mon, 23 May 2022, 21:52 Lefteris Tsintjelis via bind-users, <
bind-users@lists.isc.org> wrote:

> I must be missing something. Any ideas why does it fail? Everything
> seems normal. Works well with Windows 2016. Downgrading to 9.16 works
> again.


Re: Determining Which Authoritative Server to Use

2022-05-10 Thread Ben Croswell
I will say edge DNS servers reduce client config complexity, even if you
have DHCP, and increase resiliency of the initial resolver.

While it's true that with DHCP you can change the DHCP server options, it doesn't
help if someone just got a 4 day lease and then the DNS server dies.

Additionally the abstraction layer makes patching and decom of DNS servers
much easier. No config to change, just kill the box. Perhaps this is less of
a concern if you are running a smaller environment but when you are
running 400 to 500 servers in a variety of roles globally it becomes a
valuable resource.

On Tue, May 10, 2022, 5:49 PM Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:

> On 5/8/22 5:58 AM, Tony Finch wrote:
> > Regarding anycast, it isn't necessary for internal authoritative
> > servers unless your organization is really huge (and probably not
> > even then): it is simpler to just use the DNS's standard reliability
> > features. All you need to do is have more than one authoritative
> > server for each zone.
>
> I don't know if it's a requirement for the OP or not, but Windows used
> to reach out to the MName server to perform dynamic updates.  So there
> might be some merit to the name of the MName server to be a pseudo name
> that resolves to an anycasted address, thus clients try to perform the
> dynamic update to the closest instance of the anycast / (pseudo) MName
> server.
>
> Aside:  Years ago, BIND secondaries would happily forward such dynamic
> updates the real primary MName server.
>
> Further aside:  The last time I looked, MS-DNS ADI zones would forge the
> local server's name as the MName to cause this type of client redirection.
>
> > On the other hand, anycast is a good way to improve the availability
> > and maintainability of your resolvers, because your users' devices
> > talk directly to them, and if they don't work there might as well
> > not be an Internet connection.
>
> I agree that anycasted service points make administration somewhat
> simpler.  However I do question the /need/ for such flexibility when
> things like DHCP are likely used for client configuration and can
> therefore manage most things automatically.
>
>
>
> --
> Grant. . . .
> unix || die
>


Re: Determining Which Authoritative Server to Use (Bob McDonald)

2022-05-08 Thread Ben Croswell
On the closest server question it will prefer the closest but a certain
percentage will go to servers further away. Additionally depending on the
version of BIND and the distance it could lead to the servers further away
taking more traffic in high QPS situations.

If you are getting high QPS you could fire off a large amount of queries to
the "slower" server before it responds and resets its SRTT. I believe newer
BIND versions have moved away from a static decrement value and have fixed
the issue, but even with the fixes some queries will go out of region.


On Sun, May 8, 2022, 12:47 PM Bob McDonald  wrote:

> Thanks for the answers. A couple more questions and then I'll stand down.
>
> First, it's Ben Croswell. Just pointing that out.
>
> Second, my reading of the definition of a static-stub zone in the Bvarm
> indicates that its use is to allow a local copy of the NS list which may
> differ from the primary zone. I'm not sure that's what I'm looking for. I
> think I'm ok with the NS list from the primary zone. Let me take another
> swing and try to be a bit more pedantic to see if that helps.
>
> I wish to define a global internal DNS environment.
>
> At the level closest to the client would be a global network of recursive
> DNS servers which would handle all internal and external DNS requests. The
> internal DNS zones would be housed on a global network of authoritative
> only DNS servers. The NS list for the internal DNS zones on these
> authoritative only servers would be known to the recursive servers via stub
> zones. My question is, if a client in Mumbai submits a DNS request to his
> local recursive server for an internal authoritative only zone defined by a
> stub zone statement, which authoritative only server does the recursive
> server pick from the NS list and will that eventually be the "closest"
> server. I'm assuming a global distribution of the authoritative servers.
> E.g. Hong Kong, London, US East, US West, South Amer, etc. The use of the
> stub zones in this case is to eliminate the need for an internal root. I
> want to avoid lookups for example from clients in Asia being sent to
> authoritative only servers in South Amer.
>
> Bob
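
A toy simulation, added here and not code from the thread or from BIND, of the selection rule Ben Croswell describes in this message and in his fuller reply further down the page: the lowest SRTT wins, every other server with a higher SRTT is decremented by a static amount after each successful response, and at high QPS queries keep going to a slow server until its first response resets its SRTT. The RTTs, smoothing weight and decrement are constructed values and BIND's real ADB code differs in detail; the point is the traffic split the rule produces at low and high query rates.

```python
"""Toy model of resolver server selection by smoothed round-trip time (SRTT).

Added example, not BIND's ADB code: it models the rule described in the thread
(lowest SRTT wins; after each successful response every server with a higher
SRTT is decremented by a static amount) and shows why, at high QPS, a slow
server can receive a burst of queries before its first response resets its SRTT.
RTTs, the smoothing weight and the decrement are constructed values.
"""
import heapq
from dataclasses import dataclass

SMOOTHING = 0.3      # weight of the newest measurement in the running SRTT
DECREMENT_MS = 10.0  # static decrement applied to the other servers' SRTTs


@dataclass
class Server:
    name: str
    rtt_ms: float         # true round-trip time (constructed input)
    srtt_ms: float = 0.0  # resolver's estimate; untried servers start at 0
    queries: int = 0


def pick(servers):
    """Choose the server with the lowest SRTT (ties go to list order)."""
    return min(servers, key=lambda s: s.srtt_ms)


def on_response(servers, answered, measured_ms):
    """Fold a measured RTT into the answering server's SRTT and age the rest."""
    answered.srtt_ms = (1 - SMOOTHING) * answered.srtt_ms + SMOOTHING * measured_ms
    # Self-healing step from the thread: every server with a higher SRTT is
    # decremented, so a slower server is eventually retried and readjusted.
    for s in servers:
        if s is not answered and s.srtt_ms > answered.srtt_ms:
            s.srtt_ms = max(0.0, s.srtt_ms - DECREMENT_MS)


def simulate(spec, n_queries, interval_ms):
    """Send n_queries at a fixed interval; return the query count per server.

    A response arrives rtt_ms after its query was sent. Queries sent while a
    response is still in flight are routed on the stale SRTT, which is the
    high-QPS effect described in the thread.
    """
    servers = [Server(name, rtt) for name, rtt in spec]
    in_flight = []  # heap of (arrival_time_ms, seq, server_index)
    for seq in range(n_queries):
        now = seq * interval_ms
        while in_flight and in_flight[0][0] <= now:
            _, _, idx = heapq.heappop(in_flight)
            on_response(servers, servers[idx], servers[idx].rtt_ms)
        chosen = pick(servers)
        chosen.queries += 1
        heapq.heappush(in_flight, (now + chosen.rtt_ms, seq, servers.index(chosen)))
    return {s.name: s.queries for s in servers}


def share(counts, name):
    """Fraction of all queries that went to `name`."""
    return counts[name] / sum(counts.values())


if __name__ == "__main__":
    spec = [("local", 5.0), ("remote", 200.0)]  # constructed: nearby vs far away
    low = simulate(spec, n_queries=100, interval_ms=1000.0)  # one query per second
    high = simulate(spec, n_queries=2000, interval_ms=1.0)   # 1000 QPS
    print("low QPS :", low, f"remote share {share(low, 'remote'):.2f}")
    print("high QPS:", high, f"remote share {share(high, 'remote'):.2f}")
```

At one query per second the remote server still takes a steady minority of the traffic (the decrement keeps pulling it back to the front), while at 1000 QPS roughly half the queries go to it, because once it is chosen nothing raises its SRTT again until its first answer comes back 200 ms later.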


Re: Determining Which Authoritative Server to Use

2022-05-08 Thread Ben Croswell
I would concur that internally Anycast is best for client facing edge nodes
to reduce client configuration complexity as well as reducing impact of a
first resolver outage.

On Sun, May 8, 2022, 7:59 AM Tony Finch  wrote:

> Bob McDonald  wrote:
> >
> > My question is this; how do the recursive servers determine from
> > the information in the stub zone which name server to query?
>
> As well as what Bob Croswell said about SRTT (which is entirely correct),
> there's a subtlety with stub zones in particular.
>
> A stub zone works a bit like the root zone hints, in that the name servers
> that you configure are just used to find the zone's NS records. This means
> that stub zones don't override where queries are routed for these zones.
> If you want your resolver to ignore the NS records on your internal zones,
> you should use static-stub instead.
>
> Regarding anycast, it isn't necessary for internal authoritative servers
> unless your organization is really huge (and probably not even then): it
> is simpler to just use the DNS's standard reliability features. All you
> need to do is have more than one authoritative server for each zone.
> On the other hand, anycast is a good way to improve the availability and
> maintainability of your resolvers, because your users' devices talk
> directly to them, and if they don't work there might as well not be an
> Internet connection.
>
> --
> Tony Finch(he/they)  Cambridge, England
> Selsey Bill to Lyme Regis: East or southeast, veering south later, 2
> to 4. Smooth or slight, occasionally moderate for a time offshore.
> Fair. Good.


Re: Determining Which Authoritative Server to Use

2022-05-07 Thread Ben Croswell
I can't speak definitively for stub zones, but I would assume it works the
same as NS delegations or forwarding.
A DNS server maintains a listing of smoothed round trip times (SRTT) for
each potential destination.  It uses the SRTT with the lowest value, and
after each successful response all of the SRTTs with a higher value are
decremented.  This is the self-healing mechanism.  Eventually a higher
value will be reduced far enough so it is the lowest and it will be used
and readjusted.  The readjusting will likely make it higher and it would go
back to the original server.  This is a long winded way of saying all of
the servers in the list will take a certain percentage of the overall query
volume.

On Sat, May 7, 2022 at 10:20 AM Bob McDonald  wrote:

> Forgive my ignorance if this is a trivial question.
>
> Supposing I have an internal IP network (rfc1918) where there are local
> caching servers (recursive) which clients connect to and scattered around
> are several authoritative servers  which provide answers for internal only
> zones. Those internal only zones are defined on the caching servers via
> stub zones.
>
> My question is this; how do the recursive servers determine from
> the information in the stub zone which name server to query? And, is that
> the closest (network wise)? Do I need to put anycast into the mix?
>
> TTFN,
>
> Bob
>


-- 
-Ben Croswell
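A small simulation of the selection loop described in the reply above, added here as an example and not code from the post or from BIND itself; the smoothing factor, the multiplicative decrement and the fake per-server latencies are assumptions of this model:

```python
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    true_rtt_ms: float      # constructed "real" latency used to fake the responses
    srtt_ms: float = 0.0    # the resolver's smoothed estimate, unknown at start
    queries: int = 0        # how many queries this server has been sent


def pick_server(servers):
    """The server with the lowest SRTT is queried; ties go to list order."""
    return min(servers, key=lambda s: s.srtt_ms)


def record_response(servers, chosen, measured_ms, alpha=0.5, decay=0.98):
    """Fold a measured RTT into the chosen server's SRTT, then decrement every
    other server whose SRTT is still higher.  The decrement is what lets a
    server that looked slow earlier earn another try instead of being written
    off forever; its next real measurement re-adjusts it (usually upwards)."""
    chosen.srtt_ms = (1.0 - alpha) * chosen.srtt_ms + alpha * measured_ms
    for s in servers:
        if s is not chosen and s.srtt_ms > chosen.srtt_ms:
            s.srtt_ms *= decay   # multiplicative decrement: an assumption of this model


def simulate(servers, n_queries):
    """Run n_queries through the selection loop; return queries per server."""
    for _ in range(n_queries):
        chosen = pick_server(servers)
        chosen.queries += 1
        record_response(servers, chosen, chosen.true_rtt_ms)
    return {s.name: s.queries for s in servers}


def query_share(servers, n_queries):
    """Percentage of the total query volume each server ended up taking."""
    counts = simulate(servers, n_queries)
    return {name: round(100.0 * c / n_queries, 1) for name, c in counts.items()}


if __name__ == "__main__":
    # Constructed fleet: one nearby server, one mid-distance, one far away.
    fleet = [Server("ns-near", 5.0), Server("ns-mid", 50.0), Server("ns-far", 200.0)]
    print(query_share(fleet, 3000))
```

Every server is tried at least once at start-up, after which the nearest one takes almost all of the volume while the others are still probed now and then, which is the "certain percentage" behaviour the reply describes.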


Re: Forwarding zone, setup

2022-03-01 Thread Ben Croswell
Are you loading the parent domain and trying to zone forward a child domain
on the same DNS server? I.e. loading somedomain.local and trying to forward
ab.somedomain.local

If so an NS delegation is required in every instance I have done in my
environment. The NS doesn't need to be "right" but it needs to exist. I
don't know the internal BIND logic for that but I have always taken it as
"I load the parent and I know the child doesn't exist because there isn't a
delegation to make it exist so why would I forward something that doesn't
exist".


On Tue, Mar 1, 2022, 1:18 PM Gregory Sloop  wrote:

> Static-stub fixes the issue.
>
>
>
> Any idea why static-stub works when forwarder doesn't?
>
>
>
> (Again, the server is using recursion. Dig queries return the RA flag, so
> I know it's actually offering recursion in reality.)
>
>
>
> I can live with static-stub just fine, since it works - but I'd really love
> to understand why forwarder didn't - just so I can avoid getting bitten by
> it in some other situation.
>
>
>
> Thanks Andrej!
>
> -Greg
>
>
>
>
> Is static-stub something you are looking for?
>
>
> Reference documentation:
>
> https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types
>
>
> And in human terms:
> https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/
>
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
>
> On 28. 2. 2022, at 21:47, Gregory Sloop  wrote:
>
> So, I want to forward all queries for
> *.ab.somedomain.local to some other internal DNS servers.
> (Records in *.ab.somedomain.local actually are our active domain servers)
>
> (Yes, I know .local is reserved now, but we've been using it a long time
> and changing would be rather painful. Unless there's some horrible
> consequences, I think we'll just continue for now. We won't ever use mDNS.)
>
> zone "ab.somedomain.local" {
> type forward;
> forward only;
> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
> };
>
> But this doesn't appear to do what I want.
>
> If I add the above to my regular BIND servers configuration, it doesn't
> return results like it's forwarding them. (I get NXDOMAIN for
> abc.ab.somedomain.local.)
>
> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I
> get a proper result. (force dig to use the AD name servers directly,
> instead of relying on the forward.)
>
> (And yes the resolv.conf file has the ip addresses of the main internal
> BIND servers in it, and those only.)
> I've looked and while I think I'm doing it right, I'm not entirely sure.
> I figured before I beat my head against the wall for too long, I'd ask the
> real experts! :)
>
>


BIND OS tuning

2020-11-20 Thread Ben Croswell
Does BIND take advantage of net.core.rmem_max on Linux boxes?
If I set the rmem_max to 12.5mb but leave the rmem_default as the OS
default will I see a benefit on a high QPS DNS server?

Or does BIND look to the rmem_default and ignore the rmem_max?

-- 
-Ben Croswell


Re: Do not cache certain domains

2020-09-10 Thread Ben Lavender
Thanks, yes the second is actually the aim. We don't have secondaries 
since we use ADDS and BIND simply acts as a recursive service for the 
other internal domains.


On 10/09/2020 16:01, Carl Byington wrote:


On Thu, 2020-09-10 at 15:35 +0100, Ben Lavender wrote:

Anyone think they may know the answer to this?

With the cooperation of the "certain domains" master servers, just slave
the zones. The masters should be configured to send you notify messages
on zone changes, so you always have the current authoritative contents.

Of course, if you are trying to avoid caching google.com, that won't
work.




Re: Do not cache certain domains

2020-09-10 Thread Ben Lavender

Anyone think they may know the answer to this?

Thanks

Ben

On 07/09/2020 23:00, Ben Lavender wrote:

Hi,

Without having to alter the TTL of the existing RRs as well as the 
default TTL. I know this can be done using cache-max-ttl to limit the 
whole cache, but can this be done for say one single or multiple 
defined domains only?


Thanks




Do not cache certain domains

2020-09-07 Thread Ben Lavender

Hi,

Without having to alter the TTL of the existing RRs as well as the 
default TTL. I know this can be done using cache-max-ttl to limit the 
whole cache, but can this be done for say one single or multiple defined 
domains only?


Thanks



Re: CNAME / TXT

2020-08-22 Thread Ben Croswell
If you uncomment that mg CNAME you end up with a CNAME, MX and TXT at the
same node in the DNS tree, and that is illegal. That is why you get the
error "CNAME and other data". The MX and TXT are the other data.

On Sat, Aug 22, 2020, 8:19 PM Jukka Pakkanen  wrote:

> Cannot figure out what is wrong here… must be something simple but after
> sitting in airplanes the last 40 hours and it’s 2am…
>
> Only when I comment out the two lines in the end of the named.harriot, it
> goes through and BIND load the zone. With those two lines, get the
> following:
>
> C:\DNS\etc\namedb>named-checkzone harriot.fi named.harriot
>
> dns_master_load: named.harriot:33: mg.harriot.fi: CNAME and other data
>
> dns_rdata_fromtext: named.harriot:35: syntax error
>
> zone harriot.fi/IN: loading from master file named.harriot failed: CNAME
> and other data
>
> zone harriot.fi/IN: not loaded due to errors.
>
> ;
>
> ;File:  named.harriot
>
> ;
>
>
>
> $TTL 864
>
>
>
> @IN SOA  ns1.qnet.fi. helpdesk.qnet.fi.
> (
>
>  202008243  ; serial number
>
>  28800  ; refresh every 12 hours
>
>   7200  ; retry after 2 hours
>
> 604800  ; expire after 2 weeks
>
>   3600) ; default ttl is 2 days
>
>
>
> harriot.fi.   IN A  35.214.111.143
>
>   IN MX 10
> qntsrv8.qnet.fi.
>
>   IN MX 10
> qntsrv9.qnet.fi.
>
>  IN NS
> ns1.qnet.fi.
>
>  IN NS
> ns2.qnet.fi.
>
>  IN NS
> ns3.qnet.fi.
>
>   IN NS
> ns1.z.fi.
>
>   IN NS
> ns2.z.fi.
>
>
>
> wwwIN A 35.214.111.143
>
> api IN A 35.214.111.143
>
> webmailIN CNAME mail.qnet.fi.
>
> _autodiscover._tcp  IN SRV 0 5 443 mail.qnet.fi.
>
>
>
> dev
> IN A  35.214.111.143
>
>
>
> ;
> mg
> IN CNAME eu.mailgun.org.
>
> mg
> IN MX 10 mxa.eu.mailgun.org.
>
> mg
> IN MX 10 mxb.eu.mailgun.org.
>
> mg
> IN TXTv=spf1 include:eu.mailgun.org ~all
>
>
>
> ; smtp_domainkey.mg IN TXT "k=rsa; p=MII-AQAB"
>
>
>
>
>
>
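A zone-file check for the "CNAME and other data" rule explained above, added as an example and not part of the thread or of named-checkzone; it assumes a simplified master-file subset (numeric TTLs, no $INCLUDE) and the sample zone is constructed to mirror the mg node in the posted file:

```python
from collections import defaultdict

RRTYPES = {"A", "AAAA", "CNAME", "MX", "NS", "TXT", "SRV", "SOA", "PTR"}
CLASSES = {"IN", "CH", "HS"}
# Types that may legitimately sit beside a CNAME in a signed zone.
DNSSEC_OK = {"RRSIG", "NSEC", "NSEC3"}


def strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def logical_lines(text):
    """Join parenthesised multi-line records (the SOA) into one line."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = strip_comment(raw)
        buf = line if depth == 0 else buf + " " + line.strip()
        depth = max(0, depth + line.count("(") - line.count(")"))
        if depth == 0 and buf.strip():
            yield buf


def parse_owner_types(text, origin):
    """Yield (owner FQDN, RRTYPE) for every record in the zone text."""
    owner = origin
    for line in logical_lines(text):
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):            # $TTL and friends carry no owner
            continue
        tokens = line.split()
        if not line[0].isspace():            # an explicit owner starts the line
            owner = tokens.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)                    # optional TTL and class
        if not tokens or tokens[0].upper() not in RRTYPES:
            raise ValueError(f"unrecognised record: {line.strip()!r}")
        yield owner, tokens[0].upper()


def cname_conflicts(text, origin):
    """Return the owner names where a CNAME shares the node with other data."""
    types_at = defaultdict(set)
    for owner, rtype in parse_owner_types(text, origin):
        types_at[owner].add(rtype)
    return sorted(o for o, t in types_at.items()
                  if "CNAME" in t and t - DNSSEC_OK - {"CNAME"})


# Constructed sample modelled on the posted zone: the mg node carries a CNAME
# together with MX and TXT records, which is exactly what the loader rejects.
BROKEN_ZONE = """\
$TTL 864
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2024010101 ; serial
        28800 7200 604800 3600 )
    IN NS  ns1.example.test.
    IN MX  10 mail.example.test.
www IN A   192.0.2.10
mg  IN CNAME eu.mailgun.org.
mg  IN MX 10 mxa.eu.mailgun.org.
mg  IN TXT "v=spf1 include:eu.mailgun.org ~all"
"""
# The same zone with the CNAME commented out, which is what made it load.
FIXED_ZONE = BROKEN_ZONE.replace("mg  IN CNAME", "; mg  IN CNAME")

if __name__ == "__main__":
    print("broken:", cname_conflicts(BROKEN_ZONE, "example.test."))
    print("fixed: ", cname_conflicts(FIXED_ZONE, "example.test."))
```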


Re:

2020-06-28 Thread Ben Croswell
In this case a zone level forwarder takes priority over the global
forwarder. Abc.com would go to 1.1.1.1

On Sat, Jun 27, 2020, 11:44 PM baalchina  wrote:

> Hi all,
>
> I had a bind 9.16.4 as recursive name server. I want to forward all
> queries to a specific dns server out of my net such as 8.8.8.8. While I
> have a new domain( such as abc.com) I want to forward to a new dns server
> such as 9.9.9.9.
>
> Here is my named.conf:
>
>
> options {
> listen-on port 53 {192.168.1.1;};
> recursion yes;
> allow-recursion {any;};
> forwarders {
> 8.8.8.8;
> };
> };
>
> zone "abc.com" {
> type forward;
> forwarders {1.1.1.1;};
>
> };
>
> So, in this configuration, the abc.com will be forward to 8.8.8.8 or
> 1.1.1.1?
>
> Thanks.
>
>
>
>
> --
> from:baalchina


Re: [Non-DoD Source] Re: BIND Masters and slaves

2020-06-15 Thread Ben Lavender
Some servers already do

Regards

Ben Lavender

On Mon, 15 Jun 2020, 19:02 DeCaro, James John (Jim) CIV DISA FE (USA) via
bind-users,  wrote:

> Or you can call the slave servers 'secondary' servers.
>
>
> V/R
> Jim DeCaro
> DISA
> Systems Administrator
> Windows and Unix Server Operations
> FE222/DoDNet Service Section
> Defense Enclave Services Directorate
> ☎ 301-225-8180
> ☎ 301-375-8180
> james.j.decaro3@mail.mil
> james.j.decaro3@mail.smil.mil
>
> "If you always do what you always did you will always get what you always
> got."
>
>
> -Original Message-
> From: bind-users  On Behalf Of Michael
> De Roover
> Sent: Monday, June 15, 2020 1:32 PM
> To: bind-users@lists.isc.org
> Subject: [Non-DoD Source] Re: BIND Masters and slaves
>
> I concur with this. I'm still fairly new to BIND and DNS myself. I
> maintain 7 name servers (3 internal, 4 external) and master does signify to
> me that this is the server in control of the zone files for the other ones
> in that pool. The slaves are pretty much that to me, they take the zone
> files and apply them while not having any further control over the zone
> files themselves. In my external name servers it also goes paired with
> authority - slave authorities that are authoritative to the internet but
> slaves in that they replicate from an internal master. This is not
> something you'd see in real slavery, signifying that this is mere technical
> jargon. Is it a heavy term? Yes. Should we support "black lives matter" and
> condemn the completely egregious actions committed by the police officers
> towards George Floyd? Absolutely, and I hope that the former officers get
> convicted for not just manslaughter but murder, and that more protests will
> emerge (minus the plundering which was the case here in Brussels).
>
> However, changing a name and going for censorship of technical jargon
> which will only confuse newcomers who will now face duplicate nomenclature
> changes NOTHING. George Floyd wouldn't have been able to survive just
> because we give things a different name. Instead we'd border closer to
> censorship which we had during the wars, and still do in heavily oppressed
> countries like North Korea, China etc. It's ironic that what these people
> are pushing for in practice is exactly the thing they seemingly seek to
> eradicate.
>
> There is another relevant case where GitHub will apparently replace master
> branches in all their repositories. I'm really glad to be unaffected with
> my Gitea server. I may have to adjust my repository mirrors from GitHub
> however. For GitHub users, that change will likely break every one of their
> repositories that defaults to master and require adjustments from GitHub
> users of which many might not even know what branches are. That's the real
> impact of that and I find it deeply worrying.
>
> I do not want such a thing to happen to BIND just to please some people
> with large followings on Twitter who other than that, often have no
> affiliation with the project whatsoever.
>
>
> On 6/15/20 12:53 AM, Vinícius Ferrão via bind-users wrote:
>
>
> ISC had a statement about it a time ago:
> https://twitter.com/ISCdotORG/status/942815837299253248
>
> You can now call primary and secondary zones. But the prevalence
> of terms are still master and slave. And I really hope this thing of
> changing nomenclatures doesn’t go any further due to political correctness.
>
> For the newcomers it’s not OK to break years of terms, software
> and documentation just because some people can’t handle terms like master
> and slave. Slavery still exists today and making the word disappear will
> not solve the issue.
>
> And you’re correct about the BDSM thing. It’s a waste of time,
> efforts and lines of code.
>
>
> --
> Met vriendelijke groet / Best regards,
> Michael De Roover

Re: BIND Masters and slaves

2020-06-15 Thread Ben Lavender
The terminology is fairly misleading, as in the slave is not doing the 
work on behalf of or at the instruction of the master. But there are ways 
for the master to influence the slaves; such as "allow-transfer".


I don't see the big issue with making a terminology change in this case.

On 15/06/2020 15:38, Tony Finch wrote:

Vinícius Ferrão via bind-users  wrote:

But the prevalence of terms are still master and slave. And I really
hope this thing of changing nomenclatures doesn’t go any further due to
political correctness.

"Political correctness" just means being considerate for other people,
especially people who do not have many of the advantages we might take for
granted.

In any case, master/slave is bad terminology because it is actively
misleading. It suggests that zone transfers to downstream servers are
under the control of the upstream servers, which is definitely not the
case. And it suggests a binary categorization of servers which is also
wrong, because zone transfers often form a multi-level cascade between
servers that perform several different functions. It's better to talk
about update servers, signing servers, zone transfer servers, public or
private or stealth authoritative servers. For zone transfers it's better
to talk about which servers are upstream and downstream of each other in
the distribution network.

You should find that your writing is easier to understand, both for
experts and non-experts, if you don't use the bad old terminology.

Tony.



Re: bind DoH ANd DoT Implementation

2020-06-08 Thread Ben Lavender
They go over this in the YT video 
https://www.youtube.com/watch?v=eRbAigV2byE


It might not give you a total insight on how to configure it 
step-by-step but enough


On 08/06/2020 06:13, ShubhamGoyal wrote:

Dear all,
I want to ask about bind DoH implementation by proxy server. Is there any
documentation of DoH implementation, or any other method to implement DoH
and DoT?

Best Regards,
Shubham Goyal
Cyber Security Group
Centre for Development of Advanced Computing
Bangalore



Re: Static-stub server-addresses re-order

2019-06-21 Thread Ben Lavender
Don't suppose anyone knows this do they?

Thanks

On Wed, 19 Jun 2019, 16:21 Ben Lavender,  wrote:

> Hello,
>
> Quick question, if we have a number of these IPs that do not reply
> (timeout), would BIND re-order these like it would with forwarder IPs? Or
> would it fail if it used one that didn't reply?
>
> Thanks
>
> Regards
>
> Ben Lavender
>


Re: Question about at zone transfer behaviour on slave

2019-06-05 Thread Ben Croswell
You are looking for the refresh timer in the SOA if you mean the timer for
a slave to check the serial with the master.

On Wed, Jun 5, 2019, 10:09 PM Techs-yama  wrote:

> Hi all,
>
> I have a question about zone transfer behaviour on a slave server.
>
> In the case of a slave zone configured and named restarted on the slave server,
> after the named restart it looks like the slave server starts polling the
> master server for zone transfer.
> How many seconds is the polling interval on this timer?
> And can I change the interval value by configuring it?
>
> Thanks and regards.


Re: Change DNS records automatically when a link is DOWN

2019-06-05 Thread Ben Croswell
If you can craft the monitor for the link it could call nsupdate to make
the change

On Wed, Jun 5, 2019, 11:16 AM Roberto Carna 
wrote:

> Dear people, I have two sites:
>
> - Main site with an Internet link and two BIND services (DNS1 and DNS2) and
> a /28 block, and web and mail services supported
> - Backup site with a second Internet link and a BIND service (DNS3) and
> another /28 block
>
> When the Internet link from main site is DOWN, the web and mail traffic
> come through the backup site to main site crossing a L2L. So I need to
> change the IP's of the FQDN hosts I have supported in the DNS3 in order to
> continue offering services (web and mail). How can I do this automatically?
> Is there any way that "something" monitors the main Internet link and in
> case it is DOWN automatically order to modify the FQDN records in DNS3 ???
>
> Thanks a lot and regards!!!
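One shape for the monitor-plus-nsupdate approach suggested above, added as an example and not from the thread; it assumes DNS3 accepts TSIG-signed dynamic updates for the zone from the monitoring host (allow-update or update-policy on DNS3), Linux ping flags, and constructed names and addresses:

```python
import subprocess
from dataclasses import dataclass


@dataclass
class Failover:
    zone: str          # zone DNS3 is authoritative for, e.g. "example.test."
    names: list        # relative hostnames to flip, e.g. ["www", "mail"]
    primary_ip: str    # address served while the main link is up
    backup_ip: str     # address served while it is down
    ttl: int = 60      # short TTL so resolvers pick the change up quickly


def link_state(probes, threshold=3):
    """Decide from the most recent probe results.  Returns "up" or "down"
    only when the last `threshold` probes agree, otherwise None (do nothing),
    so a single lost ping does not flip the records back and forth."""
    recent = probes[-threshold:]
    if len(recent) < threshold:
        return None
    if all(recent):
        return "up"
    if not any(recent):
        return "down"
    return None


def nsupdate_script(fo, server, state):
    """Build the command batch that nsupdate reads on stdin."""
    target = fo.primary_ip if state == "up" else fo.backup_ip
    lines = [f"server {server}", f"zone {fo.zone}"]
    for name in fo.names:
        fqdn = f"{name}.{fo.zone}"
        lines.append(f"update delete {fqdn} A")          # drop the old address
        lines.append(f"update add {fqdn} {fo.ttl} A {target}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def probe(ip, timeout_s=2):
    """One ICMP echo towards the main site's router (Linux ping flags assumed)."""
    r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), ip],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def push(script, keyfile):
    """Send the batch to nsupdate, signed with the TSIG key in keyfile (-k)."""
    subprocess.run(["nsupdate", "-k", keyfile], input=script.encode(), check=True)


def monitor_once(fo, server, keyfile, probes, last_state, probe_ip):
    """One polling iteration: record a probe and update DNS3 only on a change.
    Returns the state now published, to be passed back in next time."""
    probes.append(probe(probe_ip))
    state = link_state(probes)
    if state is not None and state != last_state:
        push(nsupdate_script(fo, server, state), keyfile)
        return state
    return last_state


if __name__ == "__main__":
    # Constructed values; prints the batch that would be sent on failover.
    fo = Failover("example.test.", ["www", "mail"], "192.0.2.10", "198.51.100.10")
    print(nsupdate_script(fo, "dns3.example.test", "down"), end="")
```

Run monitor_once from a loop or a cron job on the backup site, keeping the probes list and last state between iterations; the same batch with state "up" restores the primary addresses once the link has been stable again.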


Forwarders with static-stub

2019-05-22 Thread Ben Lavender
Hi,

When I setup static-stub zones with the global forwarders options
configured, BIND by design forwards the requests before using the stubs.

What is the best way around this so the stubs and cache are consulted first?

This is required for split-brain DNS.

Thanks

Regards

Ben Lavender


Re: Issues with Stub Zone

2019-05-08 Thread Ben Lavender

Thanks for your reply Chris,

When querying the SOA for that domain I successfully receive the full 
SOA details including the additional NS and A record for the authoritative 
server of the domain.


The stub server can contact the primary zone but only by IP, DNS 
resolution fails unless I add in a record in /etc/hosts.


Also the stub zone file updates correctly. I have tested static-stubs 
and they work as expected but stubs don't when recursion is enabled on 
the BIND server.


Ben

On 08/05/2019 17:02, Chris Buxton wrote:

Remembering that a stub zone is a cache hint, more information is needed.

  o  What do the two "master" DNS servers say when asked for the SOA record of 
'benlavender.co.uk'?
  o  Are there A or AAAA records in the Additional section? If so, can the 
indicated IP addresses be reached?

It may be that the behavior you're expecting is more in line with type "static-stub" than 
with type "stub".

Regards,
Chris Buxton


On May 7, 2019, at 4:08 PM, Ben Lavender  wrote:

Hi,

I've been trying to configure a stub zone using both BIND 9.8x and 9.9x for 
some split-brain internal DNS.

The problem I have is that any client that requests the NS or SOA records for 
this zone gets SERVFAIL. The BIND server populates the 
/var/named/slaves/benlavender.co.uk.DB file with the SOA and NS records 
straight away and can query them over UDP 53 to the masters if need be.

I've had a look through the logs that are used in this config but the only 
issues I see are in /lame-servers.log shows some IPv6 failures and that the 
client is getting a SERVFAIL back in the /default.log:

05-May-2019 22:58:32.846 client 192.168.1.4#51612 (benlavender.co.uk): query 
failed (SERVFAIL) for benlavender.co.uk/IN/NS at query.c:7038

The config I'm using in /etc/named.conf is:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
 listen-on port 53 { 127.0.0.1; 172.16.4.31;};
 listen-on-v6 port 53 { ::1; };
 directory   "/var/named";
 dump-file   "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 recursing-file  "/var/named/data/named.recursing";
 secroots-file   "/var/named/data/named.secroots";
 allow-query { localhost; 172.16.4.2; 172.16.4.3; 192.168.1.4;};

 /*
  - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
  - If you are building a RECURSIVE (caching) DNS server, you need to enable
    recursion.
  - If your recursive DNS server has a public IP address, you MUST enable access
    control to limit queries to your legitimate users. Failing to do so will
    cause your server to become part of large scale DNS amplification
    attacks. Implementing BCP38 within your network would greatly
    reduce such attack surface
 */
 recursion yes;

 dnssec-enable yes;
 dnssec-validation yes;

 /* Path to ISC DLV key */
 bindkeys-file "/etc/named.iscdlv.key";

 managed-keys-directory "/var/named/dynamic";

 pid-file "/run/named/named.pid";
 session-keyfile "/run/named/session.key";
};

logging {
 channel default_file {
 file "/var/named/default.log" versions 3 size 5m;
 severity debug;
 print-time yes;
 };
 channel general_file {
 file "/var/named/general.log" versions 3 size 5m;
 severity debug;
 print-time yes;
 };
 channel database_file {
 file "/var/named/database.log" versions 3 size 5m;
 severity debug;
 print-time yes;
 };
 channel security_file {
 file "/var/named/security.log" versions 3 size 5m;
 severity debug;
 print-time yes;
 };
 channel config_file {
 file "/var/named/config.log" versions 3 size 5m;
 severity debug;
 print-time yes;
 };
 channel resolver_file {
 file "/var/named/resolver.log" versions 3 size 5m;
 severity debug;
 print-time yes;
 };
 channel xfer-in_file {
 file "/var/named/xfer-in.log" versions 3 size 5m;
 severity debug;
 print-time yes;
 };
 channel xfer-out_file {
 file "/var/named/xfer-out.log" versions 3 size 5m;
 severity debug;
 pri

Issues with Stub Zone

2019-05-07 Thread Ben Lavender

Hi,

I've been trying to configure a stub zone using both BIND 9.8x and 9.9x 
for some split-brain internal DNS.


The problem I have is that any client that requests the NS or SOA 
records for this zone gets SERVFAIL. The BIND server populates the 
/var/named/slaves/benlavender.co.uk.DB file with the SOA and NS records 
straight away and can query them over UDP 53 to the masters if need be.


I've had a look through the logs that are used in this config but the 
only issues I see are in /lame-servers.log shows some IPv6 failures and 
that the client is getting a SERVFAIL back in the /default.log:


05-May-2019 22:58:32.846 client 192.168.1.4#51612 (benlavender.co.uk): 
query failed (SERVFAIL) for benlavender.co.uk/IN/NS at query.c:7038


The config I'm using in /etc/named.conf is:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { 127.0.0.1; 172.16.4.31;};
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-query { localhost; 172.16.4.2; 172.16.4.3; 192.168.1.4;};


    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_file {
    file "/var/named/default.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel general_file {
    file "/var/named/general.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel database_file {
    file "/var/named/database.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel security_file {
    file "/var/named/security.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel config_file {
    file "/var/named/config.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel resolver_file {
    file "/var/named/resolver.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel xfer-in_file {
    file "/var/named/xfer-in.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel xfer-out_file {
    file "/var/named/xfer-out.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel notify_file {
    file "/var/named/notify.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel client_file {
    file "/var/named/client.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel unmatched_file {
    file "/var/named/unmatched.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel queries_file {
    file "/var/named/queries.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel network_file {
    file "/var/named/network.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel update_file {
    file "/var/named/update.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel dispatch_file {
    file "/var/named/dispatch.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel dnssec_file {
    file "/var/named/dnssec.log" versions 3 size 5m;
    severity debug;
    print-time yes;
    };
    channel lame-servers_file {
    file "/var/named/lame-servers.log" versions 3 size 5m;
    severity debug;
    

Empty .local zone

2019-02-19 Thread Ben Bridges
Greetings.

Would it be advisable or inadvisable to define an empty zone for .local on a 
recursive, unicast BIND server that is not hosting any Microsoft Windows AD 
domains or other .local zones in order to keep the queries for .local off the 
root servers?  It seems to me like it would be a good idea, but online searches 
have returned mixed views on the subject, and BIND doesn't appear to have a 
built-in zone for it, suggesting there might be a reason not to create an empty 
zone for it.

(My definition of an empty zone is one that has no records in it except an SOA 
record and an NS record which returns either "localhost" (preferably) or the 
BIND server itself.)

Thanks,

Ben Bridges


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Ben Croswell
When a DNS response is too large to fit in a single UDP packet, 512 bytes
up to 4k with edns, the DNS server will respond with as much as it can fit
in the UDP packet. It will also set the truncate (TC) bit to let the client
doing the query know that the answer is truncated and that the client should
query again over TCP for the full answer.

The TC bit is also used in conjunction with RRL.

On Mon, Feb 4, 2019, 8:57 AM Roberto Carna wrote:

> Thanks Ben for your response, can you tell me the types of TCP traffic I
> have to expect in BIND, excepting Zone Transfer?
>
> Thanks a lot again!!!
>
> El lun., 4 feb. 2019 a las 10:50, Ben Croswell ()
> escribió:
>
>> BIND has always required UDP and TCP 53 for proper functionality. It is
>> sometimes mistakenly believed that TCP is only for zone transfers but that
>> is not the case.
>>
>> On Mon, Feb 4, 2019, 8:46 AM Roberto Carna wrote:
>>
>>> Dear, I have a BIND 9.10 public server and I have delegated some public
>>> domains.
>>>
>>> When I test these domains with the EDNS tool offered in the DNS Flag Day
>>> webpage, the test was wrong with just the UDP/53 port opened to the Internet.
>>>
>>> After that, when I also opened the TCP/53 port, the test was successful.
>>>
>>> Please can you explain to me the reason I have to open the TCP/53 port to
>>> the Internet from February 1st to the future???
>>>
>>> Really thanks, regards.


Re: DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Ben Croswell
BIND has always required UDP and TCP 53 for proper functionality. It is
sometimes mistakenly believed that TCP is only for zone transfers but that
is not the case.

On Mon, Feb 4, 2019, 8:46 AM Roberto Carna wrote:

> Dear, I have a BIND 9.10 public server and I have delegated some public
> domains.
>
> When I test these domains with the EDNS tool offered in the DNS Flag Day
> webpage, the test was wrong with just the UDP/53 port opened to the Internet.
>
> After that, when I also opened the TCP/53 port, the test was successful.
>
> Please can you explain to me the reason I have to open the TCP/53 port to
> the Internet from February 1st to the future???
>
> Really thanks, regards.


Re: DNS flag day

2019-01-18 Thread Ben Croswell
I would imagine "it's a hoax" is code for "we don't want to bother remediating".

On Fri, Jan 18, 2019, 3:20 PM Warren Kumari wrote:
>
> On Fri, Jan 18, 2019 at 2:58 PM Ben Croswell wrote:
>
>> I would say we had one provider go as far as saying this whole flag day
>> thing is a hoax.
>>
>
> That's a weird stance / position. "The whole flag day thing is
> [stupid|overblown|annoying|confusing|on a Friday]" are all positions I can
> understand - not agree with (modulo the Friday one), but at least
> understand. 'tis a hoax is just confusing...
> Flag Day has been discussed at length, and presented at multiple DNS events -
> it seems that a DNS provider who hasn't seen any of the presentations and
> recognized at least one person pushing this isn't well connected to the
> community, and should probably be avoided...
>
> W
> P.S: Unless they think it is simply a *very* subtle, long running,
> widespread hoax... and now I'm wondering if I'm the patsy here :-P
>
>
>
>
>> Not sure what option there is other than voting with your wallet and
>> moving to a different provider.
>>
>
>> May even be worth looking at 2 providers. I see DNS provider redundancy
>> as being a huge priority after the Dyn DDoS event.
>>
>> On Fri, Jan 18, 2019, 2:50 PM Lightner, Jeffrey wrote:
>>
>>> On checking I find that any of our domains that use Network Solutions’
>>> Worldnic.com nameservers are reporting failures when checked.
>>>
>>> For example this result:  https://ednscomp.isc.org/ednscomp/e30c6cf0ea
>>>
>>> Other people online have posted about Network Solutions as they also saw
>>> failures.
>>>
>>> On calling Network Solutions today they told me they are compliant
>>> despite what was reported by https://dnsflagday.net/
>>>
>>>
>>>
>>> This issue is with domains registered at Network Solutions and using
>>> their Advanced DNS (i.e. their Worldnic name servers).   Other domains we
>>> have registered with them but pointing to other name servers (i.e. our own
>>> BIND servers) displayed as compliant.
>>>
>>> When I sent them the links they saw what I saw but still claimed they
>>> are compliant.   They refused to send me something in writing stating that
>>> so I suggested they reach out to ISC regarding the checker’s results if
>>> they believe they are compliant, but they said they don’t see the need.
>>> I’ve asked them to escalate and they say they have but I suspect I’ll not
>>> hear back from them.
>>>
>>> Is there a list of known edns compliant Registrar name servers for the
>>> larger Registrars?
>>>
>>> Is it possible the failures seen are false?   If so, are there alternate
>>> edns compliance checkers that might show different responses than
>>> dnsflagday.net?
>>>
>>> *From:* bind-users  * On Behalf Of *Ben
>>> Croswell
>>> *Sent:* Friday, January 18, 2019 12:19 PM
>>> *To:* bind-users@lists.isc.org
>>> *Subject:* Re: DNS flag day
>>>
>>>
>>>
>>> I shouldn't have posted so closely to responding to the other user.
>>>
>>>
>>>
>>> I am not running 9.8. I was replying to them about firewalls in regards
>>> to their 9.8 issues.
>>>
>>>
>>>
>>> Was just hoping for a statement of 9.x or greater supports the needed
>>> badvers signaling etc.
>>>
>>>
>>>
>>> On Fri, Jan 18, 2019, 12:15 PM Victoria Risk wrote:
>>>
>>>
>>> On Jan 18, 2019, at 9:09 AM, Ben Croswell 
>>> wrote:
>>>
>>>
>>>
>>> Has ISC released minimum viable BIND version for flag day?
>>>
>>>
>>>
>>> Most versions of BIND authoritative servers, going back years, are EDNS
>>> compatible. Certainly ALL currently supported versions are compatible. I
>>> see you are running 9.8, which has been EOL since September, 2014.  I think
>>> that is probably fine, as far as EDNS, however.
>>>
>>>
>>>
>>> The change in BIND related to DNS Flag Day is removing workarounds from
>>> resolvers, that will retry without EDNS or otherwise try to proceed even
>>> when EDNS fails. This change came in the BIND 9.13 development version, and
>>> will be in BIND 9.14, which is not yet released.
>>>
>>>
>>>
>>> The problem 

Re: DNS flag day

2019-01-18 Thread Ben Croswell
I would say we had one provider go as far as saying this whole flag day
thing is a hoax. Not sure what option there is other than voting with your
wallet and moving to a different provider.

May even be worth looking at 2 providers. I see DNS provider redundancy as
being a huge priority after the Dyn DDoS event.

On Fri, Jan 18, 2019, 2:50 PM Lightner, Jeffrey wrote:

> On checking I find that any of our domains that use Network Solutions’
> Worldnic.com nameservers are reporting failures when checked.
>
> For example this result:  https://ednscomp.isc.org/ednscomp/e30c6cf0ea
>
> Other people online have posted about Network Solutions as they also saw
> failures.
>
> On calling Network Solutions today they told me they are compliant despite
> what was reported by https://dnsflagday.net/
>
>
>
> This issue is with domains registered at Network Solutions and using their
> Advanced DNS (i.e. their Worldnic name servers).   Other domains we have
> registered with them but pointing to other name servers (i.e. our own BIND
> servers) displayed as compliant.
>
> When I sent them the links they saw what I saw but still claimed they are
> compliant.   They refused to send me something in writing stating that so I
> suggested they reach out to ISC regarding the checker’s results if they
> believe they are compliant, but they said they don’t see the need.   I’ve
> asked them to escalate and they say they have but I suspect I’ll not hear
> back from them.
>
> Is there a list of known edns compliant Registrar name servers for the
> larger Registrars?
>
> Is it possible the failures seen are false?   If so, are there alternate
> edns compliance checkers that might show different responses than
> dnsflagday.net?
>
> *From:* bind-users  * On Behalf Of *Ben
> Croswell
> *Sent:* Friday, January 18, 2019 12:19 PM
> *To:* bind-users@lists.isc.org
> *Subject:* Re: DNS flag day
>
>
>
> I shouldn't have posted so closely to responding to the other user.
>
>
>
> I am not running 9.8. I was replying to them about firewalls in regards to
> their 9.8 issues.
>
>
>
> Was just hoping for a statement of 9.x or greater supports the needed
> badvers signaling etc.
>
>
>
> On Fri, Jan 18, 2019, 12:15 PM Victoria Risk wrote:
>
>
> On Jan 18, 2019, at 9:09 AM, Ben Croswell  wrote:
>
>
>
> Has ISC released minimum viable BIND version for flag day?
>
>
>
> Most versions of BIND authoritative servers, going back years, are EDNS
> compatible. Certainly ALL currently supported versions are compatible. I
> see you are running 9.8, which has been EOL since September, 2014.  I think
> that is probably fine, as far as EDNS, however.
>
>
>
> The change in BIND related to DNS Flag Day is removing workarounds from
> resolvers, that will retry without EDNS or otherwise try to proceed even
> when EDNS fails. This change came in the BIND 9.13 development version, and
> will be in BIND 9.14, which is not yet released.
>
>
>
> The problem you are seeing is most likely firewall-related.
>
>
>
> Vicky
>
>
>
>
>
> I looked around and couldn't find anything.
>


Re: EDNS Compliance

2019-01-18 Thread Ben Croswell
It's more complicated than just packet size. I have seen FWs with IPS rules
that were dropping the packets because the rule stated 0 was the only edns
version and anything else was an attack.

I would check the FW logs to find the log of the drop and work back from
there.

On Fri, Jan 18, 2019, 12:29 PM N. Max Pierson wrote:

> Thanks for the response, Ben. After looking at the results, it seems we do
> have a different firewall between the 4 servers and they have IPs out of
> the same subnet for 2 of them which are failing. So this lets me know it is
> firewall related and now I can check that.
>
> Do you know what type of rule (in general, not anything specific) needs to
> be added to allow for larger EDNS packets? Is it as simple as allowing the
> maximum size for payload specified in the RFC (
> https://tools.ietf.org/html/rfc6891#section-6.2.5) which is 4096 bytes?
>
> Regards,
> Max
>
> On Fri, Jan 18, 2019 at 11:07 AM Ben Croswell 
> wrote:
>
>> As long as all 4 DNS servers are running the same version, my first
>> suggestion would be to check firewalls for dropped packets.
>>
>> Some FW/IPS drop packets with edns versions other than 0 because they see it
>> as an attack.
>>
>> On Fri, Jan 18, 2019, 12:02 PM N. Max Pierson wrote:
>>
>>> Hi List,
>>>
>>> I am trying to ensure our Bind servers comply with EDNS for the upcoming
>>> Flag Day (https://dnsflagday.net/). I am somewhat ignorant to EDNS but
>>> from what I have read, the information is somewhat conflicting as some
>>> documentation states EDNS is not a record that you configure in your zone
>>> file then other sites refer to some sort of OPT record you can configure.
>>> So my first question is which of the documentation is correct from what I
>>> have read? Is it DNS server functionality that supports EDNS or do you also
>>> have to configure something in the zone files?
>>>
>>> Also, I have 4 (well 5 counting the master that isn't queryable)
>>> nameservers with multiple domains served on them. When I run one of my
>>> primary domains through the ISC EDNS tool, it comes back as 2 out of the 4
>>> are failing EDNS queries. They are all on the same version of Bind
>>> (9.8.2rc1) and they are all slaves of the master so they should all have
>>> the same records. Can anyone please explain what I need to do to resolve
>>> the timeouts listed on the ISC testing tool?
>>>
>>> Here is what the tool says ...
>>>
>>>
>>> venyu.com. @208.79.48.30 (ns4.venyu.com.): dns=ok edns=ok
>>> *edns1=timeout* edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok
>>> ednsflags=ok docookie=ok edns512tcp=ok *optlist=timeout*
>>>
>>> venyu.com. @69.2.33.250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok
>>> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
>>> edns512tcp=ok optlist=ok
>>> venyu.com. @2604:d800:12::250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok
>>> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
>>> edns512tcp=ok optlist=ok
>>>
>>> venyu.com. @69.2.63.250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok
>>> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
>>> edns512tcp=ok optlist=ok
>>> venyu.com. @2604:d800:13::250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok
>>> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
>>> edns512tcp=ok optlist=ok
>>>
>>> venyu.com. @208.79.48.26 (ns2.venyu.com.): dns=ok edns=ok
>>> *edns1=timeout* edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok
>>> ednsflags=ok docookie=ok edns512tcp=ok *optlist=timeout*
>>>
>>>
>>> TIA!!
>>>
>>> Regards,
>>>
>>> Max


Re: DNS flag day

2019-01-18 Thread Ben Croswell
I shouldn't have posted so closely to responding to the other user.

I am not running 9.8. I was replying to them about firewalls in regards to
their 9.8 issues.

Was just hoping for a statement of 9.x or greater supports the needed
badvers signaling etc.

On Fri, Jan 18, 2019, 12:15 PM Victoria Risk wrote:
> On Jan 18, 2019, at 9:09 AM, Ben Croswell  wrote:
>
> Has ISC released minimum viable BIND version for flag day?
>
>
> Most versions of BIND authoritative servers, going back years, are EDNS
> compatible. Certainly ALL currently supported versions are compatible. I
> see you are running 9.8, which has been EOL since September, 2014.  I think
> that is probably fine, as far as EDNS, however.
>
> The change in BIND related to DNS Flag Day is removing workarounds from
> resolvers, that will retry without EDNS or otherwise try to proceed even
> when EDNS fails. This change came in the BIND 9.13 development version, and
> will be in BIND 9.14, which is not yet released.
>
> The problem you are seeing is most likely firewall-related.
>
> Vicky
>
>
> I looked around and couldn't find anything.


DNS flag day

2019-01-18 Thread Ben Croswell
Has ISC released minimum viable BIND version for flag day?

I looked around and couldn't find anything.


Re: EDNS Compliance

2019-01-18 Thread Ben Croswell
As long as all 4 DNS servers are running the same version, my first
suggestion would be to check firewalls for dropped packets.

Some FW/IPS drop packets with edns versions other than 0 because they see it as
an attack.

On Fri, Jan 18, 2019, 12:02 PM N. Max Pierson wrote:

> Hi List,
>
> I am trying to ensure our Bind servers comply with EDNS for the upcoming
> Flag Day (https://dnsflagday.net/). I am somewhat ignorant to EDNS but
> from what I have read, the information is somewhat conflicting as some
> documentation states EDNS is not a record that you configure in your zone
> file then other sites refer to some sort of OPT record you can configure.
> So my first question is which of the documentation is correct from what I
> have read? Is it DNS server functionality that supports EDNS or do you also
> have to configure something in the zone files?
>
> Also, I have 4 (well 5 counting the master that isn't queryable)
> nameservers with multiple domains served on them. When I run one of my
> primary domains through the ISC EDNS tool, it comes back as 2 out of the 4
> are failing EDNS queries. They are all on the same version of Bind
> (9.8.2rc1) and they are all slaves of the master so they should all have
> the same records. Can anyone please explain what I need to do to resolve
> the timeouts listed on the ISC testing tool?
>
> Here is what the tool says ...
>
>
> venyu.com. @208.79.48.30 (ns4.venyu.com.): dns=ok edns=ok *edns1=timeout*
>  edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok ednsflags=ok docookie=ok
> edns512tcp=ok *optlist=timeout*
>
> venyu.com. @69.2.33.250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok
> ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok
> optlist=ok
> venyu.com. @2604:d800:12::250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok
> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
> edns512tcp=ok optlist=ok
>
> venyu.com. @69.2.63.250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok
> ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok
> optlist=ok
> venyu.com. @2604:d800:13::250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok
> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
> edns512tcp=ok optlist=ok
>
> venyu.com. @208.79.48.26 (ns2.venyu.com.): dns=ok edns=ok *edns1=timeout*
>  edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok ednsflags=ok docookie=ok
> edns512tcp=ok *optlist=timeout*
>
>
> TIA!!
>
> Regards,
>
> Max
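Both Ben's description of the TC bit in the "DNS Flag Day: I had to open the TCP/53 port" thread above and the EDNS version point in this thread (an IPS that treats any EDNS version other than 0 as an attack and drops the packet, which the ednscomp checker then reports as edns1=timeout) come down to a few header and OPT-record fields. The following is an added example, not code from the list or from BIND, that walks those fields with a minimal wire-format parser: the server-side truncation that sets TC, the client-side TCP retry with its 2-byte length framing, and the BADVERS reply a compliant server sends instead of dropping an unknown EDNS version. All names, addresses (192.0.2.0/24 documentation space) and messages in it are constructed.

```python
import struct

QR, TC = 0x8000, 0x0200            # header flag bits (RFC 1035 section 4.1.1)
TYPE_OPT, RCODE_BADVERS = 41, 16    # EDNS(0), RFC 6891
PLAIN_DNS_MAX_UDP = 512             # UDP limit when the query carried no OPT record

def skip_name(msg, off):
    """Offset just past the (possibly compressed) name starting at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def rr_end(msg, off):
    """Offset just past the resource record starting at off."""
    off = skip_name(msg, off)
    return off + 10 + struct.unpack_from("!H", msg, off + 8)[0]

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"

def build_query(name, edns_version=None, payload=4096):
    """Constructed A query; when edns_version is given an OPT RR is appended."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0 if edns_version is None else 1)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if edns_version is not None:    # OPT: root name, CLASS = UDP size, TTL = ext-rcode|version|flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, payload, edns_version << 16, 0)
    return msg

def build_response(query, addrs):
    """Constructed reply with one A record per address (no OPT record, for brevity)."""
    qend = skip_name(query, 12) + 4
    msg = struct.pack("!HHHHHH", 0x1234, QR, 1, len(addrs), 0, 0) + query[12:qend]
    for a in addrs:                 # 0xC00C is a pointer back to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, a.split(".")))
    return msg

def truncate_for_udp(resp, max_udp=PLAIN_DNS_MAX_UDP):
    """Server side: keep the header, the question and the whole answer RRs that
    fit, drop the rest and set TC so the client knows to come back over TCP."""
    if len(resp) <= max_udp:
        return resp
    ident, flags, _, ancount = struct.unpack_from("!HHHH", resp, 0)
    off, kept = skip_name(resp, 12) + 4, 0
    for _ in range(ancount):
        nxt = rr_end(resp, off)
        if nxt > max_udp:
            break
        off, kept = nxt, kept + 1
    return struct.pack("!HHHHHH", ident, flags | TC, 1, kept, 0, 0) + resp[12:off]

def needs_tcp_retry(resp):
    """Client side: a UDP reply with TC set must be asked again over TCP/53."""
    return bool(struct.unpack_from("!H", resp, 2)[0] & TC)

def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def edns_info(msg):
    """(extended rcode, version, udp size) from the OPT RR, or None if absent."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        rtype, rclass, ttl = struct.unpack_from("!HHI", msg, skip_name(msg, off))
        if rtype == TYPE_OPT:
            return ttl >> 24, (ttl >> 16) & 0xFF, rclass
        off = rr_end(msg, off)
    return None

def rcode(resp):
    """Full 12-bit RCODE: low 4 bits in the header, upper 8 in the OPT TTL."""
    low = struct.unpack_from("!H", resp, 2)[0] & 0xF
    info = edns_info(resp)
    return ((info[0] << 4) if info else 0) | low

def ips_rule_drops(query):
    """The IPS rule from the thread: any EDNS version but 0 is 'an attack' and is
    silently dropped, which the ednscomp checker then reports as a timeout."""
    info = edns_info(query)
    return info is not None and info[1] != 0

def server_reply(query):
    """RFC 6891 behaviour instead: an unsupported EDNS version gets BADVERS with a
    version-0 OPT and no answer; anything else is answered normally."""
    info = edns_info(query)
    if info is not None and info[1] != 0:
        qend = skip_name(query, 12) + 4
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, (RCODE_BADVERS >> 4) << 24, 0)
        hdr = struct.pack("!HHHHHH", 0x1234, QR | (RCODE_BADVERS & 0xF), 1, 0, 0, 1)
        return hdr + query[12:qend] + opt
    return build_response(query, ["192.0.2.1"])   # constructed documentation address
```

A firewall that passes UDP/53 only breaks exactly the path `needs_tcp_retry` leads to, and one that drops non-zero EDNS versions turns the `server_reply` BADVERS answer into the timeouts shown in the ednscomp output above.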


Re: BIND and UDP tuning

2018-09-27 Thread Ben Croswell
When we ran into UDP tuning issues on high traffic devices it presented as
silent discards rather than SERVFAIL.

On Thu, Sep 27, 2018, 12:04 PM Alex  wrote:

> Hi,
>
> > On Thu, Sep 27, 2018 at 10:53:25AM -0400, Alex wrote:
> > > Many of these values I've already tweaked and have had no effect on my
> > > SERVFAIL issues :-(
> >
> > If you are getting SERVFAILs from a BIND resolver you administer, then
> > it has responded to your query. If you turn up the log level to
> > something like -d 99, it'll print the steps that led to that SERVFAIL.
> > Usually you'll find something there that directs you to next steps.
> >
> > On this topic, my home resolver is also a stock packaged BIND version as
> > you, and I too see spurious SERVFAILs sometimes. I used to think this
> > was due to too much indirection, e.g., when named starts up and you run:
> >
> > dig -x 176.9.81.50
>
> It doesn't typically happen when running from the command-line. It
> does occasionally happen, though. I usually run something like "dig
> +all +trace +nodnssec ". It sometimes times out in the
> middle, with something like "cannot resolve xyz host", which may even
> be one of the root servers.
>
> I also typically run it with "rndc trace 11" which shows me quite a
> bit of debugging info - too much to look through manually. With trace
> 99, I can imagine it being overwhelming amount of info. Do you have
> any ideas of what to look for? "query-errors"?
>
> Also, I also see other SERVFAIL errors that really are SERVFAIL errors
> - when querying the host manually, it still responds immediately with
> SERVFAIL.
>
> Thanks,
> Alex
>
>
>
> >
> > on a cold cache. However it seems to be returning SERVFAIL sometimes for
> > what should be a cached answer. I'll also turn up the debug logging and
> > watch it.
> >
> > Mukund


Re: DNS-Format-Eroor

2017-12-19 Thread Ben McGinnes
On Tue, Dec 19, 2017 at 09:28:28AM +0300, Mohammed Ejaz wrote:
> 
> No, this IP 212.76.76.18 doesn't belong to us and is not even in the
> trusted list of our DNS.  After looking at my logs I noticed this IP
> asked for this domain mumbai-m.site, which our name server denied
> as shown in the logs below. Whereas our NCSA is claiming that massive
> malicious requests come from our DNS. I just want to understand how
> such a massive attack towards the internet is possible from denied requests.

Those logs also show requests from another address in your own
netblocks that's been assigned to a customer of Cyberia in Jeddah.
That's in 212.119.73.32/27.

Sten's explanation was almost certainly right with regards to the
traffic seen or analysed by SA's national CERT.  The traffic appearing
to emanate from your DNS servers will be the result of the botnet or
whatever it is making connections back to its command and control
host and spoofing the source addresses of the requests.  The DNS
resolvers can't tell the difference and reply to all the IPs a request
appears to come from.

Obviously you can't do anything about 212.76.76.18/32 directly, but if
it's taken up this much time already then if I were in your position
I'd just null route it at the border of Cyberia's network.  Maybe
notify Sahara Net that you've had to do it and forward them the same
info SA's CERT gave you regarding their IP address.

Meanwhile, one of your own customers (the one assigned that /27) needs
to hire an IT security consultant to clean their network.

I'm assuming that log sample was just a quick cut and paste and
there's actually a lot more.  Search all the resolver logs for
addresses in your IP space requesting that hostname and send all those
customers a "your computer/network on IP $FOO has been compromised,
you have X days to fix it or your connection will be suspended."

Just warn your support staff before you do that because they're the
ones who will receive the angry calls from confused accountants.


Regards,
Ben



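The search Ben suggests above (all resolver logs, addresses in your own IP space, the one hostname) is mechanical enough to script. The following is an added example and not part of the thread: it walks BIND query-log and security-log lines, keeps the clients that asked for the suspect hostname and groups them by the netblocks you operate, so each customer assignment can be notified. The log lines are constructed in the two formats BIND writes (the query log and the "query (cache) ... denied" security log, with and without the newer `@0x...` client handle); 212.76.76.18 and 212.119.73.32/27 are the addresses named in the thread, 212.119.80.0/24 is a constructed second assignment.

```python
import ipaddress
import re
from collections import defaultdict

# The client address and the queried name sit in the same position in both the
# query log ("... query: name IN A ...") and the security log ("... query (cache)
# 'name/A/IN' denied"); the "@0x..." client handle appears only in newer versions.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<name>[^)]+)\):"
)

def offenders(lines, suspect_name, own_netblocks):
    """Return {netblock: {client_ip, ...}} for queries for suspect_name whose
    source lies in one of own_netblocks. Sources outside them (for instance an
    address whose only role is to be a spoofed reflection target) are ignored,
    because nothing on your side can be cleaned for those."""
    nets = [ipaddress.ip_network(n) for n in own_netblocks]
    suspect = suspect_name.rstrip(".").lower()
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("name").rstrip(".").lower() != suspect:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:          # malformed or truncated line, skip it
            continue
        for net in nets:
            if addr in net:
                hits[str(net)].add(str(addr))
                break
    return dict(hits)

# Constructed sample: one outside address, two hosts in the /27 from the thread,
# one unrelated query and one upper-case variant from a constructed second block.
SAMPLE_LOG = """\
19-Dec-2017 08:12:01.123 client 212.76.76.18#43210 (mumbai-m.site): query (cache) 'mumbai-m.site/A/IN' denied
19-Dec-2017 08:12:02.456 client 212.119.73.40#51844 (mumbai-m.site): query (cache) 'mumbai-m.site/A/IN' denied
19-Dec-2017 08:12:03.789 client @0x7f3c4c0a1b20 212.119.73.41#51845 (mumbai-m.site): query: mumbai-m.site IN A + (212.119.64.5)
19-Dec-2017 08:12:04.000 client 212.119.80.9#60000 (www.example.com): query: www.example.com IN A + (212.119.64.5)
19-Dec-2017 08:12:05.000 client 212.119.80.9#60001 (MUMBAI-M.SITE.): query: MUMBAI-M.SITE. IN A + (212.119.64.5)
"""

if __name__ == "__main__":
    result = offenders(SAMPLE_LOG.splitlines(), "mumbai-m.site",
                       ["212.119.73.32/27", "212.119.80.0/24"])
    for net, clients in sorted(result.items()):
        print(net, sorted(clients))     # one notification per netblock
```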

Re: Max slaves limit?

2017-12-18 Thread Ben Croswell
That is a valid consideration but being a slave doesn't always mean being
in the NS records.

On Dec 18, 2017 9:47 AM, "Barry S. Finkel"  wrote:

> On Sun, 17 Dec 2017 22:06:58 +0530, vijay bommareddy 
> wrote:
>
>> Hello folks,
>>
>> I'm trying to find more information on the practical limitations of adding
>> more slaves.
>> Can someone tell me how many slaves BIND technically
>> supports? Is there a maximum limit per master server?
>>
>> Thank you
>> Vijay
>>
>
> A minor point - if there are too many slaves, then the NS list might
> not fit into a UDP packet, causing TCP to be used.  I do not know
> how many NS records would be needed to exceed the UDP packet size;
> it would depend upon the length of the nodenames of the DNS servers.
>
> --Barry Finkel

Re: EDNS0 client subnet in BIND 9.10

2017-11-11 Thread Ben Croswell
The use case I am looking at is using ECS or some other mechanism to pass
the IP of client making the query to the global load-balancer. This
information could then be used by the global load-balancer in making
proximity decisions when crafting its response.
I.e. GLB sees 10.1.1.1 and returns a given IP but if it sees 10.2.2.2 the
answer is different.

On Nov 11, 2017 5:31 AM, "Ray Bellis" <r...@isc.org> wrote:

> On 11/11/2017 04:50, Mukund Sivaraman wrote:
> > I'm not sure how ECS would be useful for load-balancing, as in the best
> > case scenario it would require one to control every client side to send
> > the client-subnet option.
>
> It would help if Ben provided more details about what he's trying to
> achieve.
>
> I do have a draft that I'm trying to get adopted at IETF to allow
> client-related information to be carried from load balancer to back-end
> server.  It's not yet implemented in BIND, though:
>
> <https://tools.ietf.org/html/draft-bellis-dnsop-xpf-03>
>
> Ray
>

EDNS0 client subnet in BIND 9.10

2017-11-10 Thread Ben Croswell
I would like to use the client subnet option to overcome some hurdles
related to proximity load-balancing.

I have looked through the ARM and found references to setting the option in
a dig. However, I was not able to locate options for sourcing that option on
the DNS server.

Is anyone using ECS currently?

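The two ECS messages above talk about the option in terms of its effect, so here is the wire format itself as an added example (not BIND code, and not the draft Ray mentions): an encoder and decoder for the EDNS Client Subnet option of RFC 7871, plus a toy `proximity_answer` lookup standing in for the global load-balancer decision Ben describes. The option code 8 and the family values are the IANA-registered ones; the function names, the proximity table and the 10.x/192.0.2.x addresses are assumptions made for the example. Note what the option does and does not carry: by default only a /24 (IPv4) or /56 (IPv6) prefix, with the bits beyond the prefix zeroed, which is the privacy trade-off the RFC makes.

```python
"""EDNS Client Subnet (RFC 7871) encoder/decoder plus a toy proximity lookup.

Added example for the ECS thread; it is not BIND code and does not touch the
network. It shows the option a load balancer would have to parse to learn the
client subnet, and why the option carries a truncated prefix (/24 for IPv4,
/56 for IPv6 by default) rather than the full client address.
"""
import ipaddress
import struct

EDNS_OPTION_CLIENT_SUBNET = 8  # IANA-assigned EDNS option code for ECS
FAMILY_IPV4 = 1                # address family values from the IANA registry
FAMILY_IPV6 = 2


def encode_ecs(address, source_prefix=None, scope_prefix=0):
    """Build one EDNS option (code + length + body) carrying ADDRESS/SOURCE_PREFIX."""
    ip = ipaddress.ip_address(address)
    family, max_bits, default_prefix = (
        (FAMILY_IPV4, 32, 24) if ip.version == 4 else (FAMILY_IPV6, 128, 56)
    )
    if source_prefix is None:
        source_prefix = default_prefix
    if not 0 <= source_prefix <= max_bits:
        raise ValueError("source prefix length out of range")
    # RFC 7871 section 6: send only ceil(prefix/8) octets and zero every bit
    # beyond SOURCE PREFIX-LENGTH; the host part of the address never leaves.
    network = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    addr_octets = network.network_address.packed[: (source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr_octets
    return struct.pack("!HH", EDNS_OPTION_CLIENT_SUBNET, len(body)) + body


def decode_ecs(option):
    """Parse an ECS option; returns (client subnet as 'net/len', scope prefix)."""
    if len(option) < 8:
        raise ValueError("ECS option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != EDNS_OPTION_CLIENT_SUBNET:
        raise ValueError(f"not an ECS option (code {code})")
    body = option[4:4 + length]
    if len(body) != length:
        raise ValueError("ECS option length does not match data")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", body[:4])
    addr_octets = body[4:]
    if family == FAMILY_IPV4:
        total_octets = 4
    elif family == FAMILY_IPV6:
        total_octets = 16
    else:
        raise ValueError(f"unknown address family {family}")
    if source_prefix > total_octets * 8 or len(addr_octets) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match SOURCE PREFIX-LENGTH")
    padded = addr_octets + b"\x00" * (total_octets - len(addr_octets))
    ip = ipaddress.ip_address(padded)
    network = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    if network.network_address != ip:
        # RFC 7871 section 6: senders MUST zero the bits past the prefix;
        # a receiver treats non-zero trailing bits as FORMERR.
        raise ValueError("non-zero bits beyond SOURCE PREFIX-LENGTH")
    return str(network), scope_prefix


def proximity_answer(option, table):
    """Return the answer for the longest TABLE prefix containing the client
    subnet, or None. TABLE maps 'net/len' strings to the address to hand out;
    it stands in for the global load balancer's proximity data (assumed)."""
    client = ipaddress.ip_network(decode_ecs(option)[0])
    best = None
    for net_text, answer in table.items():
        net = ipaddress.ip_network(net_text)
        if net.version != client.version or not client.subnet_of(net):
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, answer)
    return None if best is None else best[1]


if __name__ == "__main__":
    # Constructed proximity table using RFC 5737 documentation addresses.
    table = {"10.1.0.0/16": "192.0.2.10", "10.2.0.0/16": "192.0.2.20"}
    for client in ("10.1.1.1", "10.2.2.2"):
        opt = encode_ecs(client)
        print(client, "->", decode_ecs(opt), "->", proximity_answer(opt, table))
```

The decoder refuses options whose address bytes do not match the stated prefix length or carry non-zero bits past it, which is the check a load balancer consuming ECS from untrusted resolvers should make before using the value for anything.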
RE: Forwarding from delegated zone not working

2017-10-10 Thread Ben Croswell
I guess I made the assumption that the zone was properly forwarded at the MS
end.

However, as you mentioned, if it was only delegated then it would SERVFAIL
at the BIND server when receiving an iterative query from MS if BIND isn't
authoritative.

On Oct 10, 2017 11:44 AM, "Darcy Kevin (FCA)" <kevin.da...@fcagroup.com>
wrote:

But surely you’d get an NXDOMAIN in that case, not a SERVFAIL.



The assumption I made in my post was that the delegation was pointed to the
forwarding BIND instance, which is a non-starter.



-  Kevin





*From:* bind-users [mailto:bind-users-boun...@lists.isc.org] *On Behalf Of *Ben
Croswell
*Sent:* Tuesday, October 10, 2017 11:38 AM
*To:* seanliam73 <sean.orei...@landg.com>
*Cc:* bind-users@lists.isc.org
*Subject:* Re: Forwarding from delegated zone not working



If the AD environment loads company.com you need to make sure it has NS
delegations. The nameserver will ignore the zone forwarded if it knows the
child doesn't exist.



On Oct 10, 2017 11:22 AM, "seanliam73" <sean.orei...@landg.com> wrote:

Hi

I have a subdomain delegated from AD to a bind9 instance I have running, so
that all requests for that subdomain are sent to the bind 9 instance. I
would then like to set up zone forwarding so that further subdomains can be
managed by other bind 9 instances.

I know the forwarding is working because I can query the main bind9 instance
and receive the expected results. However, if I query from the AD server that
is doing the delegation I get a SERVFAIL error.

Am I trying to do something that is not possible or am I just missing some
configuration?

*main instance config*

options {
directory "/var/named";
listen-on port 53 { listen addr; };
auth-nxdomain yes;
recursion yes;
allow-query { ip addresses; };
listen-on-v6 { any; };
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
};

logging {
channel default_debug {
file "data/named.run";
severity debug 3;
};

channel querylog {
file "data/query.log";
severity debug 5;
};

category default { default_debug; };
category queries { querylog; };
};

zone "example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};

zone "development.example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};




Re: Forwarding from delegated zone not working

2017-10-10 Thread Ben Croswell
If the AD environment loads company.com you need to make sure it has NS
delegations. The nameserver will ignore the zone forwarded if it knows the
child doesn't exist.

On Oct 10, 2017 11:22 AM, "seanliam73"  wrote:

> Hi
>
> I have a subdomain delegated from AD to a bind9 instance I have running, so
> that all requests for that subdomain are sent to the bind 9 instance. I
> would then like to set up zone forwarding so that further subdomains can be
> managed by other bind 9 instances.
>
> I know the forwarding is working because I can query the main bind9
> instance and receive the expected results. However, if I query from the AD
> server that is doing the delegation I get a SERVFAIL error.
>
> Am I trying to do something that is not possible or am I just missing some
> configuration?
>
> *main instance config*
>
> options {
> directory "/var/named";
> listen-on port 53 { listen addr; };
> auth-nxdomain yes;
> recursion yes;
> allow-query { ip addresses; };
> listen-on-v6 { any; };
> dnssec-enable no;
> dnssec-validation no;
> dnssec-lookaside auto;
> };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity debug 3;
> };
>
> channel querylog {
> file "data/query.log";
> severity debug 5;
> };
>
> category default { default_debug; };
> category queries { querylog; };
> };
>
> zone "example.company.com" IN {
> type forward;
> forward only;
> forwarders { ip address; };
> };
>
> zone "development.example.company.com" IN {
> type forward;
> forward only;
> forwarders { ip address; };
> };
>
>
>

Re: strange problem with query being dropped/ignored by the BIND process

2017-06-28 Thread Ben Croswell
Have you checked deeper at the OS level? I have seen on Linux DNS servers
silent drops of queries on very busy servers that were exhausting UDP
receive buffers.

On Jun 28, 2017 10:26 AM, "Marc Richter" 
wrote:

Hi,

we have a setup here consisting of a recursive DNS server and two
monitoring servers. The monitoring servers send a test query to the DNS
server once every two minutes to check if it is answering properly.

We now have the problem that these test queries are timing out from time
to time, (correctly) resulting in alarms in our monitoring system.

I have checked this now and noticed that each time we see that alarm, the
query sent by the monitoring server is not being answered at all.
To debug that I ran tcpdump on both the monitoring server and the recursive
DNS server. I see the query being sent out on the monitoring server and I
also see the query being received on the DNS server, however there is no
response sent to this query at all.
Looking at the query log, which I enabled temporarily, the query is also
not logged there so it looks like BIND is ignoring that query somewhere,
although it is properly received by the IP stack of the server.

Do you have any suggestions how to debug this further, to hopefully find
out where these queries are stuck/dropped/ignored, as I have run out of
ideas ?

The environment is:
BIND 9.9.9-P5 (Extended Support Version) 
running on SunOS sun4v 5.11 11.3


Thanks !
Marc

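Ben's reply points at the OS rather than named. As an added example (not BIND code, and Linux-specific, as his observation was; Marc's Solaris host would need its own netstat counters), here is a small parser for /proc/net/snmp that takes two samples of the Udp: line and reports how many inbound datagrams the kernel dropped for lack of socket buffer space. A query dropped there was received by the NIC and is visible to tcpdump, yet never reaches named or its query log, which is exactly the symptom described. The two samples are constructed; `read_live_snmp` reads the real file on a Linux host.

```python
"""Spot UDP receive-buffer drops from /proc/net/snmp (Linux).

Added example for the "query dropped" thread; not BIND code. The kernel
counts datagrams dropped because the receiving socket's buffer was full in
Udp: RcvbufErrors (each such drop also increments InErrors). The two samples
below are constructed; on a real host read /proc/net/snmp twice.
"""

# Constructed samples: two reads of /proc/net/snmp a few minutes apart.
SAMPLE_BEFORE = """\
Ip: Forwarding DefaultTTL InReceives InDiscards
Ip: 2 64 9913402 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 5401233 12 140 5400991 140 0 0 0
"""
SAMPLE_AFTER = """\
Ip: Forwarding DefaultTTL InReceives InDiscards
Ip: 2 64 10213950 0
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 5701233 12 412 5700891 412 0 0 0
"""

WATCHED = ("InDatagrams", "InErrors", "RcvbufErrors")


def parse_proc_net_snmp(text):
    """Return {proto: {counter: value}}. The file pairs a header line
    'Proto: name name ...' with a value line 'Proto: n n ...'."""
    counters = {}
    pending = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        proto, rest = line.split(":", 1)
        fields = rest.split()
        if proto not in pending:
            pending[proto] = fields          # header line: counter names
            continue
        names = pending.pop(proto)
        if len(names) != len(fields):
            raise ValueError(f"{proto}: header/value column mismatch")
        counters[proto] = dict(zip(names, map(int, fields)))
    return counters


def udp_deltas(before_text, after_text, names=WATCHED):
    """Difference of the watched Udp counters between two samples."""
    before = parse_proc_net_snmp(before_text)["Udp"]
    after = parse_proc_net_snmp(after_text)["Udp"]
    return {name: after[name] - before[name] for name in names}


def rcvbuf_drop_ratio(before_text, after_text):
    """Fraction of inbound datagrams lost to full receive buffers in the interval.
    Dropped datagrams are not counted in InDatagrams, so add them back."""
    d = udp_deltas(before_text, after_text)
    total = d["InDatagrams"] + d["RcvbufErrors"]
    return d["RcvbufErrors"] / total if total else 0.0


def read_live_snmp(path="/proc/net/snmp"):
    """Read the real counters; only meaningful on Linux."""
    with open(path, encoding="ascii") as fh:
        return fh.read()


if __name__ == "__main__":
    print(udp_deltas(SAMPLE_BEFORE, SAMPLE_AFTER))
    ratio = rcvbuf_drop_ratio(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"dropped for lack of receive buffer: {ratio:.4%}")
```

If RcvbufErrors grows between samples, the ceiling the kernel applies to what named can ask for with SO_RCVBUF is net.core.rmem_max (net.core.rmem_default for sockets that never ask), and `ss -lun` shows each listening UDP socket's Recv-Q, so a socket sitting at its limit while the counter climbs confirms the diagnosis.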
Re: Why would a master zone use forwarders ?

2017-05-12 Thread Ben Croswell
If you load foo.com on server A and delegate bar.foo.com to server B with a
global forwarder of server C, your resolution will vary depending on forward
first vs forward only and forwarders {}.

With no forward {} the path for blah.bar.foo.com directed at server A will
be A > C > B.
With forward {} the global forward will be short circuited for foo.com and
below, resulting in a path of A > B.

On May 12, 2017 11:56 AM, "Mik J" <mikyde...@yahoo.fr> wrote:

Thank you Ben for your answer

My server uses a global forwarding

I don't understand what you wrote
"If it is master for a foo.com and also has global forwarding it will use
the global forward for any delegated child domains under foo.com unless
they are also loaded locally."

If my DNS is authoritative, why would I use forwarding?

For my sub domains I use delegations
sub.mydomain.com NS ns.sub.mydomain.com
ns.sub.mydomain.com A 1.1.1.1

What's the difference between the global forward for delegated child
domains and the delegation I do ?

Thank you



Le Vendredi 12 mai 2017 15h34, Ben Croswell <ben.crosw...@gmail.com> a
écrit :


This would only change behavior if the server has global forwarding.

If it is master for a foo.com and also has global forwarding it will use
the global forward for any delegated child domains under foo.com unless
they are also loaded locally.  The forward{} turns off global forwarding
for that branch of the tree.

On May 12, 2017 9:27 AM, "Mik J via bind-users" <bind-users@lists.isc.org>
wrote:

Hello,

If my DNS is master/slave for a zone, why would I want it to use forwarders?

In other terms why would I want
zone "mydomain.com"
{
type master;
file "zones/master/com/mydomain.com ";
allow-update { acl; };
};

Instead of (forwarders {};)
zone "mydomain.com"
{
type master;
file "zones/master/com/mydomain.com ";
allow-update { acl; };
forwarders {};
};

Why would I want to forward requests if I'm authoritative for the zone?

Thank you to those who can highlight this point.


Re: Why would a master zone use forwarders ?

2017-05-12 Thread Ben Croswell
This would only change behavior if the server has global forwarding.

If it is master for a foo.com and also has global forwarding it will use
the global forward for any delegated child domains under foo.com unless
they are also loaded locally.  The forward{} turns off global forwarding
for that branch of the tree.

On May 12, 2017 9:27 AM, "Mik J via bind-users" 
wrote:

> Hello,
>
> If my DNS is master/slave for a zone, why would I want it to use
> forwarders?
>
> In other terms why would I want
> zone "mydomain.com"
> {
> type master;
> file "zones/master/com/mydomain.com";
> allow-update { acl; };
> };
>
> Instead of (forwarders {};)
> zone "mydomain.com"
> {
> type master;
> file "zones/master/com/mydomain.com";
> allow-update { acl; };
> forwarders {};
> };
>
> Why would I want to forward requests if I'm authoritative for the zone?
>
> Thank you to those who can highlight this point.
>

Re: Bind master keeps saying it is not authoritative

2017-03-02 Thread Ben Croswell
Ensure that the allow-query clause on the master includes the slave. If the
slave can't query for the SOA on the zone it can't do an xfer.

On Mar 2, 2017 6:34 AM, "Xavier Humbert" 
wrote:

> The whole configuration, comments removed :
>
> -- Master --
> acl my-slaves {
> any;// DEBUG
> };
>
> acl my-clients {
> any;// DEBUG
> };
>
> options {
> // IP config
> listen-on port 53 {172.29.16.135; 127.0.0.1; };
> listen-on-v6 port 53 {none; };
>
> // Paths
> directory"/var/named";
> dump-file   "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
>
> // Behaviour
> recursion no;
> allow-transfer{ my-slaves; };
> };
>
> // rndc key
> include "/etc/rndc.key";
>
> controls {
> inet 127.0.0.1 port 953
> allow { 127.0.0.1; } keys { "rndc-key"; };
> };
>
> // Logging
> // omitted
>
> zone "in.acv.orion.education.fr" {
> type master;
> file "/etc/named/internal/in.acv.orion.education.fr.db";
> allow-transfer {my-slaves; };
> };
>
> -- Slave --
> acl my-clients {
> localhost;
> any;//DEBUG
> };
>
> options {
> // IP config
> listen-on port 53 {172.29.16.133; 127.0.0.1; };
> listen-on-v6 port 53 {none; };
>
> // Paths
> directory"/var/named";
> dump-file   "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
>
> // Behaviour
> recursion no;
> allow-update{ 172.29.16.135; };
> allow-transfer{ 172.29.16.135; };
>
> };
>
> // rndc key
> include "/etc/rndc.key";
>
> // Logging
> // Omitted
>
> zone "in.acv.orion.education.gouv.fr" {
> type slave;
> file "/etc/named/in.acv.orion.education.gouv.fr.db";
> masters {172.29.16.135; };
> };
> zone "." IN {
> type hint;
> file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> --
>
> Really, really basic!
> Thanks
>
> --
> Xavier Humbert
> CRT Supervision et Exploitation de Niveau 1
> Rectorat de Nancy-Metz
> 03 83 86 27 39
>

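Whatever the allow-query situation on the master, a secondary can only transfer a zone the primary actually loads, and the two configurations quoted above name different zones (in.acv.orion.education.fr on the master, in.acv.orion.education.gouv.fr on the slave). As an added example, not BIND code, here is a cross-check that parses the zone statements of both named.conf files (braces matched by depth, so nested allow-transfer blocks do not confuse it) and reports every secondary zone the named primary cannot serve. The two embedded configs are abbreviated to the zone statements quoted in the thread; `check_secondary` and the other function names are assumptions made for the example.

```python
"""Cross-check a secondary's zone statements against the primary's named.conf.

Added example for the "not authoritative" thread; not BIND code. It parses
only zone statements and reports secondary zones that the named primary does
not load (or does not load as a primary). The configs below are abbreviated
from the ones quoted in the thread.
"""
import re

MASTER_CONF = """\
// abbreviated from the quoted master config
zone "in.acv.orion.education.fr" {
    type master;
    file "/etc/named/internal/in.acv.orion.education.fr.db";
    allow-transfer { my-slaves; };
};
"""

SLAVE_CONF = """\
// abbreviated from the quoted slave config
zone "in.acv.orion.education.gouv.fr" {
    type slave;
    file "/etc/named/in.acv.orion.education.gouv.fr.db";
    masters { 172.29.16.135; };
};
zone "." IN {
    type hint;
    file "named.ca";
};
"""

TYPE_RE = re.compile(r"\btype\s+(\w+)\s*;", re.I)
MASTERS_RE = re.compile(r"\b(?:masters|primaries)\s*\{([^}]*)\}", re.I)


def strip_comments(conf):
    """Drop /* */, // and # comments (named.conf accepts all three)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def zone_statements(conf):
    """Return [(zone name, statement body)] with braces matched by depth."""
    conf = strip_comments(conf)
    zones = []
    for m in re.finditer(r'\bzone\s+"([^"]*)"', conf):
        start = conf.index("{", m.end())
        depth = 0
        for i in range(start, len(conf)):
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
                if depth == 0:
                    name = m.group(1).lower().rstrip(".") or "."
                    zones.append((name, conf[start + 1:i]))
                    break
        else:
            raise ValueError(f"unterminated zone statement for {m.group(1)}")
    return zones


def zones_by_name(conf):
    """Map zone name -> {'type': ..., 'masters': [...]}."""
    result = {}
    for name, body in zone_statements(conf):
        type_m = TYPE_RE.search(body)
        masters_m = MASTERS_RE.search(body)
        result[name] = {
            "type": type_m.group(1).lower() if type_m else None,
            "masters": [a.strip() for a in masters_m.group(1).split(";") if a.strip()]
            if masters_m else [],
        }
    return result


def check_secondary(primary_conf, secondary_conf, primary_ip):
    """List (zone, problem) for every secondary zone the primary cannot feed."""
    primary = zones_by_name(primary_conf)
    problems = []
    for name, info in zones_by_name(secondary_conf).items():
        if info["type"] not in ("slave", "secondary"):
            continue
        if primary_ip not in info["masters"]:
            problems.append((name, f"masters {info['masters']} does not list {primary_ip}"))
        if name not in primary:
            problems.append((name, "zone is not configured on the primary"))
        elif primary[name]["type"] not in ("master", "primary"):
            problems.append((name, f"primary has it as type {primary[name]['type']}"))
    return problems


if __name__ == "__main__":
    for zone, problem in check_secondary(MASTER_CONF, SLAVE_CONF, "172.29.16.135"):
        print(f"{zone}: {problem}")
```

Feeding it the output of `named-checkconf -p` from each host instead of the raw files gives it a config with includes already expanded, so zones pulled in through include statements are checked too.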
Re: The DDOS attack on DYN & RRL ?

2016-11-01 Thread Ben Croswell
The other option being having a master owned by your company and then
setting both external providers to secondary from your master. You get to
maintain control over data and have diversity.

On Nov 1, 2016 10:42 AM, "Barry Margolin" <bar...@alum.mit.edu> wrote:

> In article <mailman.546.1477931391.7.bind-us...@lists.isc.org>,
>  Ben Croswell <ben.crosw...@gmail.com> wrote:
>
> > I think what we see as a result of this attack is DNS provider diversity
> > being the new buzz phrase. The same as not relying on a single ISP link, I
> > see more people using multiple DNS providers.
> > The size of these attacks will grow as IoT continues to grow. It makes
> > sense to have diverse providers to ensure your domains are serviceable
> if a
> > provider gets attacked.
>
> My boss asked me to look into this after the attack. The sticking point
> seems to be that most DNS providers don't allow zone transfers from
> their servers. We currently get our auth DNS from SoftLayer, the hosting
> provider for our primary web, application, and database servers. I
> contacted them to find out if it's possible to enable zone transfers to
> a third party slave service, they said no; they suggested that we simply
> set up both services as masters, which would mean we'd have to update
> them independently (or write our own scripts that make use of each
> service's API). The customers of Dyn are in the same situation.
>
> Maybe last week's incident will prompt enough big customers to demand
> this that they'll change their policies.
>
> --
> Barry Margolin
> Arlington, MA

Re: The DDOS attack on DYN & RRL ?

2016-10-31 Thread Ben Croswell
I think what we see as a result of this attack is DNS provider diversity
being the new buzz phrase. The same as not relying on a single ISP link, I
see more people using multiple DNS providers.
The size of these attacks will grow as IoT continues to grow. It makes
sense to have diverse providers to ensure your domains are serviceable if a
provider gets attacked.

On Oct 31, 2016 12:25 PM, "Matthew Seaman" 
wrote:

> On 2016/10/31 16:09, Barry Margolin wrote:
> > I heard that the impact of the attack was even narrower than just the
> > US, it was mostly eastern US. That suggests some things about the
> > granularity of Dyn's anycast network and the distribution of the Mirai
> > botnet.
>
> There were actually three attacks on the same day.  The first (about
> 12:00 UTC) affected pretty much just the Eastern USA, and we saw little
> beyond some raised RTTs in Europe.  The second (about 16:00UTC) took out
> all the Dyn POPs in the USA and affected their European POP.  The third
> (around 18:00UTC) ... was pretty much a non-event.  Dyn had mitigated
> the attacks pretty effectively by that point.
>
> Cheers,
>
> Matthew
>

Re: bind caching data from additional section in responses

2016-10-08 Thread ben thielsen via bind-users
On Oct 07, 2016, at 05.44, Tony Finch <d...@dotat.at> wrote:
> 
> ben thielsen via bind-users <bind-users@lists.isc.org> wrote:
>> 
>> zone "example.com" {
>>  type stub;
>>  masters {
>>  "example.com" ;
>>  };
>> };
>> 
>> masters "example.com" {
>>  192.168.81.50 ;
>> };
> 
> If you want a fixed set of master servers for a zone, use static-stub.

aha, this seems to have worked.

>> is my perception accurate?  is bind caching the data it got back in the
>> additional section, for a name outside of the queried zone?  if so, why?
> 
> See RFC 2181 section 5.4.1 on trustworthiness ranking of DNS data.
> 
> BIND needs to cache referrals in order to be able to find the servers for
> follow-up queries (including when it is completing the current query!).
> It doesn't pro-actively check the authoritative servers to get more
> trustworthy versions of the referral records.

thanks for taking the time to summarize this.  i sort of have mixed feelings, a 
little bit, about that degree of trust in additional data, but i get the 
rationale.

-ben


bind caching data from additional section in responses

2016-10-06 Thread ben thielsen via bind-users
obal options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16683
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.example.com.   IN  A

;; Query time: 4008 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 06 14:12:50 EDT 2016
;; MSG SIZE  rcvd: 46

a brief inspection of the cache seems to corroborate this:

>rm named_dump.db 

>rndc flush

>dig @localhost example.net ns

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @localhost example.net ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13961
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.net.   IN  NS

;; ANSWER SECTION:
example.net.300 IN  NS  ns1.he.net.
example.net.300 IN  NS  ns1.example.com.
example.net.300 IN  NS  ns2.he.net.
example.net.300 IN  NS  ns3.he.net.

;; ADDITIONAL SECTION:
ns1.he.net. 172799  IN  A   216.218.130.2
ns1.example.com.172799  IN  A   192.0.2.1
ns2.he.net. 172799  IN  A   216.218.131.2
ns2.he.net. 172799  IN  2001:470:200::2
ns3.he.net. 172799  IN  A   216.218.132.2
ns3.he.net. 172799  IN  2001:470:300::2

;; Query time: 1393 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 06 14:17:04 EDT 2016
;; MSG SIZE  rcvd: 245

>rndc dumpdb

>grep -iF -B 5 -A 5 'example.com' named_dump.db 
[...]
; answer
example.net.292 NS  ns1.he.net.
292 NS  ns1.example.com.
292 NS  ns2.he.net.
292 NS  ns3.he.net.
[...]
; glue
ns1.example.com.172791  A   192.0.2.1
; glue
[...]

is my perception accurate?  is bind caching the data it got back in the 
additional section, for a name outside of the queried zone?  if so, why?  how 
can i tell it to not do this?  enabling "nat loopback" would "fix" this, but 
imho, to put it diplomatically, that is inelegant at best, and i'd prefer not 
to.

thanks
-ben


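Tony's reply refers to the trustworthiness ranking of RFC 2181 section 5.4.1 without spelling it out, and Ben's question is really about which additional-section data a cache should accept at all. As an added example (a simplified model, not BIND's cache code) here is a toy cache that applies both mechanisms: cached data is replaced only by data of equal or higher rank, so a record learned from an additional section never overwrites an authoritative answer, and a bailiwick check accepts from a server only records at or below the zone it was asked about. The `demo` function replays the thread's scenario (example.net's server volunteering an address for ns1.example.com); the names and 192.0.2.1 come from the quoted dig output, the other addresses and all function and class names are constructed for the example.

```python
"""A toy resolver cache applying RFC 2181 section 5.4.1 trust ranking and a
bailiwick check.

Added example for the "additional section" messages; it is a simplified
model, not BIND's cache. Names and 192.0.2.1 are taken from the quoted dig
output; the remaining addresses (RFC 5737 ranges) are constructed.
"""
from enum import IntEnum


class Trust(IntEnum):
    """RFC 2181 section 5.4.1 ranks, lowest first."""
    ADDITIONAL = 1       # additional section; authority section of a non-auth answer
    NONAUTH_ANSWER = 2   # answer section of a non-authoritative answer
    GLUE = 3             # glue from a primary zone or zone transfer
    AUTH_AUTHORITY = 4   # authority section of an authoritative answer
    AUTH_ANSWER = 5      # answer section of an authoritative answer
    ZONE = 6             # primary zone file / zone transfer, other than glue


def canon(name):
    return name.lower().rstrip(".")


def in_bailiwick(name, zone):
    """True if NAME is at or below ZONE ('' is the root, which contains all)."""
    name, zone = canon(name), canon(zone)
    return zone == "" or name == zone or name.endswith("." + zone)


class TrustRankedCache:
    def __init__(self):
        self.rrsets = {}   # (name, type) -> {"rdata": [...], "trust": Trust}

    def store(self, name, rtype, rdata, trust):
        """Insert an RRset unless the cache already holds a higher-ranked one."""
        key = (canon(name), rtype.upper())
        held = self.rrsets.get(key)
        if held is not None and held["trust"] > trust:
            return False
        self.rrsets[key] = {"rdata": sorted(rdata), "trust": Trust(trust)}
        return True

    def lookup(self, name, rtype):
        entry = self.rrsets.get((canon(name), rtype.upper()))
        return None if entry is None else (entry["rdata"], entry["trust"])


def ingest_response(cache, bailiwick, authoritative, answer, authority=(), additional=()):
    """Feed the sections of one response (lists of (name, type, [rdata])) into
    CACHE. BAILIWICK is the zone the responding server was asked about.
    Returns (accepted, rejected) as lists of (name, type)."""
    ranked = [
        (answer, Trust.AUTH_ANSWER if authoritative else Trust.NONAUTH_ANSWER),
        (authority, Trust.AUTH_AUTHORITY if authoritative else Trust.ADDITIONAL),
        (additional, Trust.ADDITIONAL),
    ]
    accepted, rejected = [], []
    for section, trust in ranked:
        for name, rtype, rdata in section:
            ok = in_bailiwick(name, bailiwick) and cache.store(name, rtype, rdata, trust)
            (accepted if ok else rejected).append((canon(name), rtype.upper()))
    return accepted, rejected


def demo():
    """Replay the thread's scenario; returns the final cache entry for ns1.example.com A."""
    cache = TrustRankedCache()
    # 1. example.net's server answers the NS query and volunteers an address
    #    for a name in another zone; the bailiwick check drops that record.
    ingest_response(
        cache, bailiwick="example.net", authoritative=True,
        answer=[("example.net", "NS", ["ns1.example.com", "ns1.he.net"])],
        additional=[("ns1.example.com", "A", ["192.0.2.1"]),
                    ("ns1.he.net", "A", ["216.218.130.2"])],
    )
    # 2. ns1.example.com is resolved through its own zone's servers instead.
    ingest_response(
        cache, bailiwick="example.com", authoritative=True,
        answer=[("ns1.example.com", "A", ["192.0.2.1"])],
    )
    # 3. A later in-bailiwick, non-authoritative response carries a different
    #    address in its additional section; it ranks below the cached answer.
    ingest_response(
        cache, bailiwick="example.com", authoritative=False,
        answer=[("www.example.com", "A", ["192.0.2.80"])],
        additional=[("ns1.example.com", "A", ["198.51.100.9"])],
    )
    return cache.lookup("ns1.example.com", "A")


if __name__ == "__main__":
    print(demo())
```

Glue inside the bailiwick is still accepted at the lowest rank, which is what lets a resolver follow a referral at all; the ranking just guarantees that such data is the first to be displaced once something more trustworthy arrives.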

Re: statistics-channels not serving rdtype records

2016-04-07 Thread Ben Wilson
Uh, user error. Turns out they aren't created until the server actually
receives requests.
I started testing the server for completeness, and the records started
showing up!

In any case:
statistics-channels {
   inet *  port 8053 allow { any; };
};


Thanks!
Ben

On Thu, Apr 7, 2016 at 4:45 PM John Miller <johnm...@brandeis.edu> wrote:

> On Thu, Apr 7, 2016 at 3:42 PM, Ben Wilson <doubting...@gmail.com> wrote:
> > Hi,
> >
> > I'm not sure what is different on a new server I'm setting up, but when
> > querying the port configured for statistics-channels, no rdtype records
> are
> > included.
> >
> > resstat, socket, task, etc are all there, but not the number of queries.
> >
> > My version:
> > ii  bind9   1:9.9.5.dfsg-3ubuntu0.8
> amd64
> > Internet Domain Name Server
> > ii  bind9-host  1:9.9.5.dfsg-3ubuntu0.8
> amd64
> > Version of 'host' bundled with BIND 9.X
> > ii  bind9utils  1:9.9.5.dfsg-3ubuntu0.8
> amd64
> > Utilities for BIND
> > ii  libbind9-90 1:9.9.5.dfsg-3ubuntu0.8
> amd64
> > BIND9 Shared Library used by BIND
>
> Hi Ben,
>
> Can you show us your statistics-channels {} blocks from both your old
> server and your new server config?  That'll be easier than trying to
> compare Ubuntu package versions or anything like that.
>
> John
>

statistics-channels not serving rdtype records

2016-04-07 Thread Ben Wilson
Hi,

I'm not sure what is different on a new server I'm setting up, but when
querying the port configured for statistics-channels, no rdtype records are
included.

resstat, socket, task, etc are all there, but not the number of queries.

My version:
ii  bind9   1:9.9.5.dfsg-3ubuntu0.8  amd64
   Internet Domain Name Server
ii  bind9-host  1:9.9.5.dfsg-3ubuntu0.8  amd64
   Version of 'host' bundled with BIND 9.X
ii  bind9utils  1:9.9.5.dfsg-3ubuntu0.8  amd64
   Utilities for BIND
ii  libbind9-90 1:9.9.5.dfsg-3ubuntu0.8  amd64
   BIND9 Shared Library used by BIND

Any ideas what I'm missing here?

Thanks!
Ben

RE: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-24 Thread Ben Bridges
TXT records are multiple-purpose.  They can be used for SPF records, Office 365 
"MS" records, DMARC records, or whatever arbitrary uses someone dreams up, all 
for the same domain name.  Microsoft wants a short TTL for their Office 365 
records, but I would prefer to generally use a longer TTL for most records 
(including other TXT records) in order to reduce the query load on our servers. 
 It would be nice to be able to set a short TTL for the Office 365 record but a 
longer TTL for other TXT records for the same domain name.

Thanks,
Ben

From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Darcy Kevin (FCA)
Sent: Thursday, March 24, 2016 9:55 AM
To: bind-users@lists.isc.org
Subject: RE: Configuring different TTLs in multiple RRs for the same domain 
name, TYPE, and CLASS


This is deliberately forbidden by standard. See RFC 2181, Section 5.2 ("TTLs of 
RRs in an RRSet")

Why would you want to do this?


- Kevin


From: bind-users-boun...@lists.isc.org<mailto:bind-users-boun...@lists.isc.org> 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ben Bridges
Sent: Thursday, March 24, 2016 10:48 AM
To: bind-users@lists.isc.org<mailto:bind-users@lists.isc.org>
Subject: Configuring different TTLs in multiple RRs for the same domain name, 
TYPE, and CLASS

Greetings.

Is it possible in BIND to configure multiple resource records for the same 
domain name, TYPE, and CLASS with different TTL values?  For example:

Test-txt.example.com 300IN   TXT"Test 300"
Test-txt.example.com 400IN   TXT"Test 400"
Test-txt.example.com 500IN   TXT"Test 500"
Test-txt.example.com 600IN   TXT"Test 600"
Test-txt.example.com 700IN   TXT"Test 700"

I tried it, and BIND set the TTL for all five records to 300 (or more 
specifically, the TTL of the first one of the RRs in the file).  I looked for a 
BIND directive in the manual to change this behavior but could find no obvious 
candidate.

Thanks,

Ben Bridges
Springfield, MO


Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-24 Thread Ben Bridges
Greetings.

Is it possible in BIND to configure multiple resource records for the same 
domain name, TYPE, and CLASS with different TTL values?  For example:

Test-txt.example.com 300IN   TXT"Test 300"
Test-txt.example.com 400IN   TXT"Test 400"
Test-txt.example.com 500IN   TXT"Test 500"
Test-txt.example.com 600IN   TXT"Test 600"
Test-txt.example.com 700IN   TXT"Test 700"

I tried it, and BIND set the TTL for all five records to 300 (or more 
specifically, the TTL of the first one of the RRs in the file).  I looked for a 
BIND directive in the manual to change this behavior but could find no obvious 
candidate.

Thanks,

Ben Bridges
Springfield, MO


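Kevin's reply cites RFC 2181 section 5.2, and Ben's post reports what BIND does with a set that violates it: every RR in the RRset ends up with the TTL of the first one in the file. As an added example, not BIND code, here is a lint that parses a zone file's record lines, groups them into RRsets (same name, class and type) and reports any set that mixes TTLs, together with the TTL the loader would apply, so the records can be corrected in the file instead of being silently normalised at load. The sample zone is constructed around the five TXT records from the original post; the parser handles the usual one-record-per-line layout with an optional $TTL directive and the function names are assumptions for the example.

```python
"""Flag RRsets whose members carry different TTLs before loading a zone.

Added example for the TTL thread; not BIND code. RFC 2181 section 5.2
requires every RR in an RRset to have the same TTL, and the thread reports
that BIND loads such a set with the TTL of the first RR in the file. The
sample zone is constructed around the records from the original post. The
parser covers one-record-per-line syntax with an optional $TTL directive;
it does not model parentheses or ';' inside quoted text.
"""
import shlex
from collections import OrderedDict

SAMPLE_ZONE = """\
$TTL 3600
; the five TXT records from the post, plus two well-formed RRsets
Test-txt.example.com 300 IN TXT "Test 300"
Test-txt.example.com 400 IN TXT "Test 400"
Test-txt.example.com 500 IN TXT "Test 500"
Test-txt.example.com 600 IN TXT "Test 600"
Test-txt.example.com 700 IN TXT "Test 700"
mail.example.com         IN MX  10 mx1.example.com.
www.example.com    86400 IN A   192.0.2.10
www.example.com    86400 IN A   192.0.2.11
"""

CLASSES = ("IN", "CH", "HS")


def parse_zone(text):
    """Return [(lineno, name, class, type, ttl, rdata)] for each record line."""
    default_ttl = None
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()        # comment to end of line
        if not line:
            continue
        if line.upper().startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$"):
            continue                                # $ORIGIN etc. not modelled
        fields = shlex.split(line)
        name, rest = fields[0].lower().rstrip("."), fields[1:]
        ttl = default_ttl
        if rest and rest[0].isdigit():              # TTL may precede the class
            ttl = int(rest.pop(0))
        rclass = "IN"
        if rest and rest[0].upper() in CLASSES:
            rclass = rest.pop(0).upper()
        if rest and rest[0].isdigit():              # ...or follow it
            ttl = int(rest.pop(0))
        if ttl is None:
            raise ValueError(f"line {lineno}: no TTL and no $TTL in effect")
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        records.append((lineno, name, rclass, rtype, ttl, rdata))
    return records


def rrset_ttl_report(records):
    """Per RRset: the TTL the loader would apply (first RR seen), all TTLs
    seen, and whether the set satisfies RFC 2181 section 5.2."""
    groups = OrderedDict()
    for _, name, rclass, rtype, ttl, _ in records:
        groups.setdefault((name, rclass, rtype), []).append(ttl)
    return {
        key: {"ttl_used": ttls[0], "ttls_seen": sorted(set(ttls)),
              "consistent": len(set(ttls)) == 1}
        for key, ttls in groups.items()
    }


def inconsistent_rrsets(text):
    """Keys (name, class, type) of RRsets that mix TTLs in zone TEXT."""
    return [k for k, v in rrset_ttl_report(parse_zone(text)).items() if not v["consistent"]]


if __name__ == "__main__":
    for key, info in rrset_ttl_report(parse_zone(SAMPLE_ZONE)).items():
        note = "" if info["consistent"] else "  <-- mixed TTLs, loader would use %d" % info["ttl_used"]
        print(key, info["ttls_seen"], note)
```

Run over the sample, only the TXT set is flagged: its members would all load with TTL 300, the value of the first record, which matches what the post observed.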
Re: CVE-2015-7547: getaddrinfo() stack-based buffer overflow

2016-02-17 Thread Ben Croswell
Cyber folks asked if there was any way for the DNS servers to "protect" the
vulnerable clients.
The only thing I could see from the explanation was disabling or limiting
edns0 sizes. That is obviously not a long term option.
On Feb 17, 2016 11:39 AM, "Alan Clegg"  wrote:

> On 2/17/16, 11:34 AM, "Reindl Harald"  behalf of h.rei...@thelounge.net> wrote:
>
> >Am 17.02.2016 um 17:22 schrieb Dominique Jullier:
> >> Are they any thoughts around, how to handle yesterday's glibc
> >> vulnerability[1][2] from the side bind?
> >>
> >> Since it is a rather painful task in order to update all hosts to a new
> >> version of glibc, we were thinking about other possible workarounds
> >
> >Fedora, RHEL and Debian as well as likely all other relevant
> >distributions are providing a patched glibc - dunno what is "rather
> >painful" to apply a ordinary update like kernel security updates and
> >restart all network relevant processes or reboot
>
> While I agree that the "major distributions" (and even the minor ones) are
> getting patches out, I'd like to point out something that Alan Cox posted
> over on G+:
>
> "You can upgrade all your servers but if that little cheapo plastic box on
> your network somewhere has a vulnerable post 2008 glibc and ever does DNS
> lookups chances are it's the equivalent of a trapdoor into your network."
>
> https://plus.google.com/+AlanClegg/posts/R1UkJjHMMB6
>
> There does need to be something a bit deeper than "patch your servers"..
>
> AlanC

Re: About CVE-2015-5477 (An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure)

2015-07-28 Thread Ben Croswell
Is it safe to say the only vulnerable hosts would be those accepting
queries from the outside world, or would this also pertain to servers getting
responses from the outside world with no inbound queries?
 On Jul 28, 2015 5:42 PM, Michael McNally mcna...@isc.org wrote:

 As the security incident manager for this particular vulnerability
 notification, I'd like to say a little extra, beyond our official
 vulnerability disclosure (https://kb.isc.org/article/AA-01272)
 about this critical defect in BIND.

 Many of our bugs are limited in scope or affect only users having
 a particular set of configuration choices.  CVE-2015-5477 does not
 fall into that category.  Almost all unpatched BIND servers are
 potentially vulnerable.  We know of no configuration workarounds.
 Screening the offending packets with firewalls is likely to be
 difficult or impossible unless those devices understand DNS at a
 protocol level and may be problematic even then.  And the fix for
 this defect is very localized to one specific area of the BIND code.

 The practical effect of this is that this bug is difficult to defend
 against (except by patching, which is completely effective) and will
 not be particularly difficult to reverse-engineer.  I have already
 been told by one expert that they have successfully reverse-engineered
 an attack kit from what has been divulged and from analyzing the code
 changes, and while I have complete confidence that the individual who
 told me this is not intending to use his kit in a malicious manner,
 there are others who will do so who may not be far behind.

 Please take steps to patch immediately.  This bug is designated
 Critical and it deserves that designation.

Re: Diagnostic help

2014-09-29 Thread Ben Croswell
The default for allow-query is localhost and localnets, basically the server
itself and directly connected networks.
On Sep 29, 2014 8:03 PM, Bill Christensen billc_li...@greenbuilder.com
wrote:

  Hi folks,

 Something got sideways on one of my DNS servers, and I would appreciate
 some help in figuring out what's going on.

 I'm running BIND 9.10.1.  This server is authoritative master for a number
 of domains.

 First off, I may have the allow-query set incorrectly.  Currently I have:

 acl query-permit {
 (range of IP address on the local LAN which are allowed to use this
 server as their query server)
 };

 acl recursive-permit {
 (range of IP address on the local LAN which are allowed to use this
 server for recursive queries)
 };

 acl transfer-permit {
 (IP addresses of a couple other name servers allowed to do transfers
 with this one)
 };

 and at the beginning of the options  section:

 allow-recursion { recursive-permit; };
  allow-transfer { transfer-permit; };
 // allow-query { query-permit; };

 Allow-query is commented out, which I assume will allow anyone to query
 this server for the domains for which it has master or slave records, but
 does not allow the general public to do recursive queries or queries on
 domains not hosted here.

 Let me know if I've got that right, or how to correct it if I don't.

 If this part is correct I'll continue the questioning.

 Thanks!





Re: Slave zero-TTL on CNAMES

2014-06-05 Thread Ben Croswell
Cisco routers do have the ability to doctor DNS packets when doing NAT.
When it doctors it sets the TTL to 0, but I don't know why it would only do
it on CNAME records.
On Jun 5, 2014 12:43 PM, Reindl Harald h.rei...@thelounge.net wrote:



 Am 05.06.2014 17:58, schrieb /dev/rob0:
  On Thu, Jun 05, 2014 at 05:21:47PM +0200, Reindl Harald wrote:
  what the hell invents $TTL 0  ; 0 seconds lines before
  each CNAME block while on the master there is exactly
  one TTL line with 86400 on top of the file?
 
  The way named writes a zone file is not the way I would do it.
  Records are strictly in alphabetic order, and $TTL blocks are made
  around all RRSETs where TTL varies.
 
  The zone FILE is not your problem. I don't know exactly what the
  problem might be. It seems that something is intercepting and
  filtering the zone transfers?
 
  You could try transfers manually from the slave:
 
  dig [key auth if required] rhsoft.net. axfr @91.118.73.16
 
  Does that show any zero TTLs? If so I suggest you place a couple of
  sniffers at strategic spots, one leaving the master, another entering
  the slave, and force a zone transfer.

 as you can see clearly below any CNAME record comes with a zero TTL
 the dotted line are a lot of CNAMES, all with zero TTL
 after them the first A-record has again the desired 86400

 the SOA at the end comes also with 86400 and the CNAME
 block before again has a TTL of zero

 i can't imagine anything which would sit between the
 transfer and change things - h wait there was a
 Zyxel router in front of ns1 which was exploitable
 and now is replaced by a small Cisco from the ISP

 oh, no, don't tell me that my ISP clutters DNS again :-(

 [root@ns2:~]$ dig rhsoft.net. axfr @91.118.73.16

 ; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-15.P2.fc19 <<>> rhsoft.net. axfr @91.118.73.16
 ;; global options: +cmd
 rhsoft.net.             86400   IN      SOA     ns2.thelounge.net. hostmaster.thelounge.net. 1226095186 3600 1800 1814400 3600
 rhsoft.net.             86400   IN      MX      10 barracuda.thelounge.net.
 rhsoft.net.             86400   IN      TXT     "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 ip4:62.178.103.85 -all"
 rhsoft.net.             86400   IN      SPF     "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 ip4:62.178.103.85 -all"
 rhsoft.net.             86400   IN      NS      ns2.thelounge.net.
 rhsoft.net.             86400   IN      NS      ns1.thelounge.net.
 rhsoft.net.             86400   IN      A       91.118.73.4
 **.rhsoft.net.          0       IN      CNAME   **.rhsoft.net.
 **.rhsoft.net.          0       IN      CNAME   **.rhsoft.net.
 ...
 testserver.rhsoft.net.  86400   IN      A       84.113.92.77
 **.rhsoft.net.          0       IN      CNAME   **.rhsoft.net.
 rhsoft.net.             86400   IN      SOA     ns2.thelounge.net. hostmaster.thelounge.net. 1226095186 3600 1800 1814400 3600
 ;; Query time: 22 msec
 ;; SERVER: 91.118.73.16#53(91.118.73.16)
 ;; WHEN: Do Jun 05 18:35:08 CEST 2014
 ;; XFR size: 58 records (messages 1, bytes 1545)



Re: Bind 9.9.1 forward zone local

2014-03-25 Thread Ben Croswell
I would imagine your issue is a lack of an NS delegation in the root zone
you are slaving.  If you load a parent and then try to forward a child of
that parent you must have a delegation in the parent. The delegation
doesn't have to match the forwarders but it must exist.
On Mar 25, 2014 1:57 PM, Андрей Ветров proukorn...@gmail.com wrote:

 Hello. I have a problem with forwarding zone local to ISP resolvers.
 My config is:
 options {
     directory "/tmp";
     disable-empty-zone ".";
 };

 zone "." {
     type slave;
     masters { 192.0.32.132; 193.0.14.129; };
     masterfile-format text;
     file "/etc/bind/db.root";
     allow-query { any; };
 };

 zone "local." IN {
     type forward;
     forwarders { DNS_IP_ISP; };
     forward only;
 };

 zone "opendns.com" IN {
     type forward;
     forwarders { 208.67.222.222; 208.67.222.220; 208.67.220.220; 208.67.220.222; };
     forward only;
 };
 Forwarding to opendns works; dig +short myip.opendns.com returns the IP
 address correctly.
 Forwarding to local doesn't work; dig returns NXDOMAIN.
 Commenting out zone "." makes zone local work correctly.


Re: which Name sever is selected?

2014-03-03 Thread Ben Croswell
By decaying I mean they take some percent of time off of the rtt of the
name servers that aren't used when there is a successful query to the
fastest.  Eventually the slower servers will be faster than the fastest and
get queried. That query will set the rtt again for that server and will go
back to being slower.
On Mar 3, 2014 8:24 AM, houguanghua houguang...@hotmail.com wrote:

 Hi Ben,

 What's the meaning of bind decaying? Where can I find the detailed
 description? Thanks!

 Guanghua


 
 Date: Fri, 28 Feb 2014 11:39:54 -0500
 From: Ben Croswell ben.crosw...@gmail.com
 To: bind-users@lists.isc.org
 Subject: Re: which Name sever is selected?
 Message-ID:
 cajga8zsug2nrznufuxetbpkvzqkjczzred5u2qxw+uqw0pm...@mail.gmail.com
 Content-Type: text/plain; charset=iso-8859-1

 RTT banding was removed in early versions of 9.8 due to the performance hit
 being larger than any security benefit.
 So it would depend what version of bind is being used in this case.
 https://www.isc.org/blogs/rtt-banding-removal-from-bind-9/

 It is important to note that all ns records will take some percent of the
 traffic even if they are not the fastest. This is due to bind decaying
 the RTT on the ns records that were not used when it gets a successful
 query from the fastest ns. That way if there is a failure on a box it can
 eventually be tried again and make back into the top position.
 On Feb 28, 2014 11:07 AM, Barry Margolin bar...@alum.mit.edu wrote:

  In article mailman.2368.1393596895.20661.bind-us...@lists.isc.org,
  houguanghua houguang...@hotmail.com wrote:
 
   If there is a list of NS records, the local name server uses the RTT
   (round trip time) algorithm to find the fastest, and queries that server.
   But I found it's not right. In the testing, the local name server doesn't
   query the fastest authority name server. Someone tells me that if the
   local name server gets an RTT to one remote server that is less than 30ms,
   it will not test the RTT to other remote servers, even if their RTT is much
   less. In other words, the local server will only query the first remote
   server with an RTT less than 30ms. Who would tell me the truth? Thanks!
   Guanghua
 
  I believe the RTT values are grouped into ranges, and it prefers servers
  that are in a better range. 30 ms might be in the lowest range, so
  another server can't be better.
 
  --
  Barry Margolin
  Arlington, MA

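A small model of the RTT decay Ben describes above (added example, not BIND's own code): the resolver always asks the server with the lowest estimated RTT, snaps that estimate back to the measured value, and shaves a fixed percentage off every server it did not ask. The server names, their RTTs and the 10% decay factor are constructed assumptions; BIND's real factor differs by version.

```python
"""Model of the RTT-decay server selection described in the thread.

Added example, not BIND's code: each authoritative server has a true RTT;
the resolver keeps an estimated RTT per server, always queries the server
with the lowest estimate, refreshes that server's estimate from the measured
RTT, and shrinks every *unused* server's estimate by a fixed percentage.
DECAY_PERCENT is an assumed value; BIND's real factor varies by version.
"""
from dataclasses import dataclass
from typing import Dict, List

DECAY_PERCENT = 10  # assumed: unused servers lose 10% of their estimate per query


@dataclass
class Server:
    name: str
    true_rtt_ms: float   # what a query to this server actually costs
    estimate_ms: float   # resolver's current belief; decays while unused
    queries: int = 0


def pick_server(servers: List[Server]) -> Server:
    """Select the server with the lowest estimated RTT (ties: first listed)."""
    return min(servers, key=lambda s: s.estimate_ms)


def simulate(servers: List[Server], n_queries: int,
             decay_percent: int = DECAY_PERCENT) -> Dict[str, int]:
    """Run n_queries through the selection loop; return queries per server."""
    for _ in range(n_queries):
        chosen = pick_server(servers)
        chosen.queries += 1
        # A real query measures the RTT, so the estimate snaps back to the truth ...
        chosen.estimate_ms = chosen.true_rtt_ms
        # ... while every server that was *not* asked looks a little faster now.
        for s in servers:
            if s is not chosen:
                s.estimate_ms *= (100 - decay_percent) / 100
    return {s.name: s.queries for s in servers}


def constructed_servers() -> List[Server]:
    """Three NS hosts with constructed RTTs; estimates start at the truth."""
    return [Server("ns1", 20.0, 20.0), Server("ns2", 50.0, 50.0),
            Server("ns3", 200.0, 200.0)]


def traffic_share(counts: Dict[str, int]) -> Dict[str, float]:
    """Fraction of all queries each server received."""
    total = sum(counts.values()) or 1
    return {name: round(c / total, 3) for name, c in counts.items()}


if __name__ == "__main__":
    with_decay = simulate(constructed_servers(), 1000)
    without = simulate(constructed_servers(), 1000, decay_percent=0)
    print("with decay   :", traffic_share(with_decay))
    print("without decay:", traffic_share(without))
```

With decay every server ends up with a non-zero share, the slower ones less often; with decay_percent=0 the fastest server is asked forever and a failed or slow server is never retried.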

Re: which Name sever is selected?

2014-02-28 Thread Ben Croswell
RTT banding was removed in early versions of 9.8 due to the performance hit
being larger than any security benefit.
So it would depend what version of bind is being used in this case.
https://www.isc.org/blogs/rtt-banding-removal-from-bind-9/

It is important to note that all ns records will take some percent of the
traffic even if they are not the fastest.  This is due to bind decaying
the RTT on the ns records that were not used when it gets a successful
query from the fastest ns. That way if there is a failure on a box it can
eventually be tried again and make back into the top position.
On Feb 28, 2014 11:07 AM, Barry Margolin bar...@alum.mit.edu wrote:

 In article mailman.2368.1393596895.20661.bind-us...@lists.isc.org,
  houguanghua houguang...@hotmail.com wrote:

  If there is a list of NS records, the local name server uses the RTT
  (round trip time) algorithm to find the fastest, and queries that server.
  But I found it's not right. In the testing, the local name server doesn't
  query the fastest authority name server. Someone tells me that if the
  local name server gets an RTT to one remote server that is less than 30ms,
  it will not test the RTT to other remote servers, even if their RTT is much
  less. In other words, the local server will only query the first remote
  server with an RTT less than 30ms. Who would tell me the truth? Thanks!
  Guanghua

 I believe the RTT values are grouped into ranges, and it prefers servers
 that are in a better range. 30 ms might be in the lowest range, so
 another server can't be better.

 --
 Barry Margolin
 Arlington, MA

Re: Bind vs flood

2014-02-27 Thread Ben Croswell
I guess I am missing why anyone on the internet should be able to open
queries against your caching resolver.

Why would inbound queries be allowed to servers that are for your people
to get out?
On Feb 27, 2014 10:13 AM, Ivo i...@nic.lv wrote:

  Hi Dmitry,

 We observed that similar requests are landing on our cache resolver mostly
 from various home routers running dns server as open resolver and that also
 masquerades the original request source.
 We have a collection of ~60 domains involved and most of them are related
 to China. The problem is that attacker selects few domains and generates
 queries with random hostnames which therefore are not in the cache and
 server has to perform recursion for each query. So each query will consume
 one udp or tcp socket for at least 10 seconds because remote DNS server is
 responding slowly or is down and based on a query volume it can effectively
 overload the cache server.

 Initially we thought we could fix it with resolver-query-timeout, but
 after bind code analysis it seems that everything less than 10 seconds
 would be ignored; it would be great to mention this in the documentation.
 So one solution is to change MINIMUM_QUERY_TIMEOUT in resolver.c and
 recompile named, but it would be nice to understand why 10 seconds as the
 minimum value was selected in the first place, see /lib/dns/resolver.c

 #define MAX_SINGLE_QUERY_TIMEOUT 9U
 #define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U)

 <snip>

 void
 dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
         REQUIRE(VALID_RESOLVER(resolver));
         if (seconds == 0)
                 seconds = DEFAULT_QUERY_TIMEOUT;
         if (seconds > MAXIMUM_QUERY_TIMEOUT)
                 seconds = MAXIMUM_QUERY_TIMEOUT;
         if (seconds < MINIMUM_QUERY_TIMEOUT)
                 seconds = MINIMUM_QUERY_TIMEOUT;
         resolver->query_timeout = seconds;
 }

 We also tried to create local dummy zones for all these domains but since
 domains change frequently we started to block most active open resolvers
 and coordinate with local CERT.

 It would be nice to have some kind of rate limits for query volume of
 different hosts inside a single zone.

 Best regards,

 Ivo


 On 2/27/14 7:59 AM, Dmitry Rybin wrote:

 The flood began over 2 weeks ago. A lot of queries:

 niqcs.www.84822258.com
 vbhea.www.84822258.com
 abpqeftuijklm.www.84822258.com
 adcbefmzidmx.www.84822258.com
 and many others.

 Bind answers with Server failure. On high load (4 qps) all normal clients
 can get SERVFAIL on good queries, or a query can take more than 2-3 seconds.

 Recursive clients via rndc status: 300-500.

 I tried to use rate-limit:
 rate-limit {
     nxdomains-per-second 10;
     errors-per-second 10;
     nodata-per-second 10;
 };
 I do not see any improvement.

 Found one way out of this situation: add the flood zones locally.

 What can we do in this situation?
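A defender-side check for the random-subdomain flood Dmitry and Ivo describe, written as an added example (not code from the thread): it aggregates query-log lines by parent domain, flags parents that keep receiving never-repeated child labels, and lists the busiest source addresses. The log lines are constructed to approximate the BIND 9.9 querylog layout, the RFC 5737 addresses and the two extra labels are invented, and the thresholds are assumptions.

```python
"""Detect random-subdomain query floods in BIND query logs.

Added example, not code from the thread. SAMPLE_LOG is constructed to
approximate the BIND 9.9 querylog layout ("client ADDR#PORT: query: NAME
IN TYPE ..."); it reuses the flooded domain and four labels Dmitry posted,
adds two invented labels, and uses RFC 5737 addresses for the clients.
"""
import re
from collections import Counter, defaultdict

# Matches the 9.9 layout and later ones that add "(name)" after the port.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+)"
)

# Assumed thresholds for the demo; tune them against your own baseline and
# allow-list CDN or anti-spam domains that legitimately use unique labels.
MIN_UNIQUE_LABELS = 5   # distinct leftmost labels seen under one parent
MIN_UNIQUE_RATIO = 0.8  # share of queries whose leftmost label never repeated

SAMPLE_LOG = """\
27-Feb-2014 10:13:01.001 queries: info: client 198.51.100.7#41225: query: niqcs.www.84822258.com IN A + (192.0.2.53)
27-Feb-2014 10:13:01.002 queries: info: client 203.0.113.5#53001: query: www.example.com IN A + (192.0.2.53)
27-Feb-2014 10:13:01.003 queries: info: client 198.51.100.22#33812: query: vbhea.www.84822258.com IN A + (192.0.2.53)
27-Feb-2014 10:13:01.004 queries: info: client 198.51.100.7#41226: query: abpqeftuijklm.www.84822258.com IN A + (192.0.2.53)
27-Feb-2014 10:13:01.005 queries: info: client 203.0.113.9#50122: query: www.example.com IN AAAA + (192.0.2.53)
27-Feb-2014 10:13:01.006 queries: info: client 198.51.100.7#41227: query: adcbefmzidmx.www.84822258.com IN A + (192.0.2.53)
27-Feb-2014 10:13:01.007 named[1234]: zone example.com/IN: loaded serial 2014022701
27-Feb-2014 10:13:01.008 queries: info: client 198.51.100.22#33813: query: qzlwkp.www.84822258.com IN A + (192.0.2.53)
27-Feb-2014 10:13:01.009 queries: info: client 203.0.113.5#53002: query: mail.example.com IN MX + (192.0.2.53)
27-Feb-2014 10:13:01.010 queries: info: client 203.0.113.9#50123: query: www.example.com IN A + (192.0.2.53)
27-Feb-2014 10:13:01.011 queries: info: client 192.0.2.9#5353: query: localhost IN A + (192.0.2.53)
27-Feb-2014 10:13:01.012 queries: info: client 203.0.113.5#53003: query: xmrtov.www.84822258.com IN A + (192.0.2.53)
27-Feb-2014 10:13:01.013 queries: info: client 203.0.113.11#6011: query: www.example.com IN A + (192.0.2.53)
"""


def split_name(name):
    """Return (leftmost_label, parent) for 'a.b.c.' -> ('a', 'b.c')."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None, None
    return labels[0], ".".join(labels[1:])


def analyse(log_text):
    """Aggregate query lines per parent domain; return the suspicious parents."""
    totals = Counter()                  # parent -> number of queries
    children = defaultdict(Counter)     # parent -> leftmost label -> count
    clients = defaultdict(Counter)      # parent -> client address -> count
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (zone loads, notifies, ...)
        child, parent = split_name(m.group("name"))
        if parent is None:
            continue  # single-label names have no parent to aggregate on
        totals[parent] += 1
        children[parent][child] += 1
        clients[parent][m.group("client")] += 1

    report = {}
    for parent, total in totals.items():
        unique = len(children[parent])
        # Random labels are seen once and never again, so cache never helps.
        singletons = sum(1 for c in children[parent].values() if c == 1)
        ratio = singletons / total
        if unique >= MIN_UNIQUE_LABELS and ratio >= MIN_UNIQUE_RATIO:
            report[parent] = {
                "queries": total,
                "unique_labels": unique,
                "unique_ratio": round(ratio, 2),
                "top_clients": clients[parent].most_common(3),
            }
    return report


if __name__ == "__main__":
    for parent, stats in analyse(SAMPLE_LOG).items():
        print(parent, stats)
```

A flagged parent is a candidate for the local dummy zone the thread mentions (declared at the registered domain, here 84822258.com), and its top_clients are the open resolvers to rate-limit or block.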

Re: Bind vs flood

2014-02-27 Thread Ben Croswell
Ah, I see you are in a provider situation.  That shows my assumption that you
were in an enclosed enterprise environment.
On Feb 27, 2014 10:57 AM, Ivo i...@nic.lv wrote:

  Ben,

 No, our server is not an open resolver,  we have a large user community
 and the problem is that users install their own wifi box like Zyxel or
 similar which may have open resolver by default.

 Ivo


Re: how to modify the cache

2014-02-14 Thread Ben Croswell
You can't modify cache.  If that was allowed you could cache poison any
domain you wanted.
On Feb 14, 2014 8:52 AM, houguanghua houguang...@hotmail.com wrote:

 Hi all,
 Bind provides rndc tools to operate the cache. But how do I change a record
 in the cache? For example:
 to modify the original record "www.abc.com A IN 219.142.3.1" into
 "www.abc.com A IN 143.3.1.20".
 I just know that using rndc flush clears the cache, but don't know how
 to modify the cache.

 Who can tell me how to do this? Thanks.
 Guanghua


Re: how to modify the cache

2014-02-14 Thread Ben Croswell
What you say is true, but the OP wasn't clear in who owned the record he
wanted to override.  I assumed it was someone else's or you would just
change authoritative source that you own.
On Feb 14, 2014 10:20 AM, Barry Margolin bar...@alum.mit.edu wrote:

 In article mailman.2257.1392386898.20661.bind-us...@lists.isc.org,
  Ben Croswell ben.crosw...@gmail.com wrote:

  You can't modify cache.  If that was allowed you could cache poison any
  domain you wanted.

 poisoning refers to putting incorrect records into the cache of some
 *other* server. If you operate the server itself, you can put anything
 you want into its memory. If you want to override a particular record
 that would normally be cached, just make the server authoritative for
 that name.

 --
 Barry Margolin
 Arlington, MA

Re: I may be confused regarding sub delegated zone

2014-01-23 Thread Ben Croswell
A freshly started server with no cache will be directed to ns1 first, which
will give a referral to ns2 for the subdomain. After that it will go to ns2
directly until the NS records time out in cache.
On Jan 23, 2014 12:30 PM, Blason R blaso...@gmail.com wrote:

 Hello friends,

 I may sound like a novice but I have a basic question regarding a sub-zone
 which is a delegated zone. Let's say I have zone example.com whose NS is
 ns1.example.com and then I have delegated sub-zone subdom.example.com whose NS
 record would be, say, ns2.example.com.

 So people who will be querying the A record for subdom.example.com [which
 @] will first be forwarded to ns1.example.com and then from there the NS
 record of subdom.example.com will be given?

 Or will it directly be forwarded to ns2.example.com?


Re: Delegation and Forwarding

2013-12-11 Thread Ben Croswell
The basic answer is that you use null forwarders for any domains for which you
want to turn off the global forwarders.
If you have a global forwarder and then you have bob.com with a null
forwarder, bob.com and the domains below it will follow delegation.
On Dec 11, 2013 7:10 AM, Bob McDonald bmcdonal...@gmail.com wrote:

 I'm a bit confused on the need for a blank forwarders statement inside of
 a zone statement in the named.conf file.  Given an internal zone on a
 recursive server with global forwarders, what are the situations which
 would require me to code a blank forwarders statement inside of a zone
 statement in a named.conf?  I have internal zones which 1) do not delegate
 children, 2) delegate children on the same server, and 3) delegate children
 on different servers (and different versions of bind).  I know that delegation
 is not affected on servers without global forwarders.  The documentation
 around this is not clear (at least to me, grin).

 Is there a difference if the parent is local and the child is forwarded?
  (or both forwarded but to different addresses?)

 Thanks,

 Bob


Re: Confused about a basic concept

2013-06-05 Thread Ben Croswell
Everything you listed is pretty close to accurate.
A couple of points of clarification.

8) The master needs UDP/TCP 53 open to the slaves.  Before a zone transfer
can happen the slave needs to get the SOA RR from the master to see if the
serial number has changed.  This normally happens over UDP 53 (see my point
on 9).  So the slaves need to also be in the allow-query ACL on the master;
if they can't query for the SOA they can never determine the serial number
and can't transfer.
9) You should always have UDP/TCP 53 open to DNS servers.  Normal queries
happen on UDP 53, but if an answer is too large to fit in a single packet
the answer will be truncated and the TC bit will be set.  This bit tells
the client they didn't get the full answer and that they may want to try
the same query via TCP.

On your last points you are pretty much spot on with the answer but are
wondering about the mechanics. Most best practices state that you should not
have recursion and authoritative on the same DNS server. That is a should,
but not a must.  What you said is the normal answer: you run DNS servers
that host zones, and you run DNS servers that serve direct client queries.
The client caching DNS servers would need to know where your authoritative
servers are via NS records or forwarding.

One big reason for the split is DNSSEC. An authoritative DNS server can't
validate DNSSEC for a query sent directly to it from a client.  There has
to be another step in between.  For instance, if I ask you if you are Bryan
and you say yes, why should I believe you?  However, if I ask a trusted
friend if you are Bryan I will believe you because there is third-party
verification.



On Wed, Jun 5, 2013 at 10:02 AM, Bryan Harris bryanlhar...@me.com wrote:

 Hi all,

 I think I may be confused about a very basic DNS concept.  Sorry if this
 has been asked before.

 1. I have a master and two slaves.
 2. The master server is the SOA for my zone.  The SOA record points to the
 master server.
 3. Each of the two slaves are authoritative for my zone.
 4. There are 2 NS records for my zone.  The first NS = slave1 and the
 second NS = slave2.
 5. The Master server is not listed in the NS records for my zone.
 6. The master does not receive any queries from the clients.
 7. The slaves receive queries from the clients.
 8. The master -> slaves relationship is via tcp/53 (notifies & zone
 transfers)
 9. The slaves -> clients relationship is via udp/53 (queries)

 Is this correct so far?  I'm being told "our authoritative DNS servers
 should not receive any queries", as well as "DNS slaves respond to
 queries".  These statements seem like a conflict to me, but maybe I'm
 simply confused?


 I don't see how a slave could respond to a query unless it's
 authoritative.  The only thing I can imagine is adding some more caching
 servers just for queries and have them forward+recurse to the authoritative
 slave servers (but they're not slaves themselves).  But even in that case,
 the authoritative servers would still need to respond to queries, no?
  Otherwise how would the caching servers get any answers in the first place?

 Bryan






-- 
-Ben Croswell

Re: BIND 9.4.x and check-names

2013-04-18 Thread Ben-Eliezer, Tal (ITS)
Isn't it time to upgrade?

Yes, it is. In fact, adding these statements to the options clause is in
preparation for our migration to a later version.
It seems from my testing that while BIND 9.4 was very passive about these types
of records, and would load a zone despite illegal chars, later versions of
BIND would actually fail to start. This is a fundamental difference between
BIND 9.4 and 9.7.3, for example.
I am dealing with about 14 BIND servers, so the more preparation steps I can
take prior to cutover, the better.

 bind 9.4 has also check-names response;

Ok, I'm reading up on that now. Should I be able to suppress the logging using:
check-names response ignore; ?

Thanks
-Original Message-

Date: Wed, 17 Apr 2013 17:58:30 +0200
From: Matus UHLAR - fantomas uh...@fantomas.sk
To: bind-users@lists.isc.org
Subject: Re: BIND 9.4.x and check-names
Message-ID: 20130417155830.ga14...@fantomas.sk
Content-Type: text/plain; charset=us-ascii; format=flowed

On 17.04.13 06:39, Ben-Eliezer, Tal (ITS) wrote:
Subject: BIND 9.4.x and check-names

Isn't it time to upgrade?

I recently implemented a change in our DNS environment with the
intention of suppressing the log events related to AD-integrated
zones, and their non-RFC-compliant nature.

check-names slave ignore;
check-names master ignore;

bind 9.4 has also check-names response;

However, I still see these entries appear in the logs. Could someone
please chime in and let me know if my expectation or implementation
was incorrect?  Many thanks!!

default.log:12-Apr-2013 00:45:37.447 general: warning: zone 
/IN: gc._msdcs./A: bad owner name 
(check-names)
default.log:12-Apr-2013 00:45:37.447 general: warning: zone 
/IN: gc._msdcs./A: bad owner name 
(check-names)

Hmm, aren't those supposed to be SRV records?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete


--

Message: 2
Date: Wed, 17 Apr 2013 09:02:44 -0700
From: Chris Buxton cli...@buxtonfamily.us
To: Matus UHLAR - fantomas uh...@fantomas.sk
Cc: bind-users@lists.isc.org
Subject: Re: BIND 9.4.x and check-names
Message-ID: 9a8b8bf0-e675-4959-97ac-c9cf2007a...@buxtonfamily.us
Content-Type: text/plain; charset=us-ascii


On Apr 17, 2013, at 8:58 AM, Matus UHLAR - fantomas wrote:

 On 17.04.13 06:39, Ben-Eliezer, Tal (ITS) wrote:
 default.log:12-Apr-2013 00:45:37.447 general: warning: zone 
 /IN: gc._msdcs./A: bad owner name (check-names)
 default.log:12-Apr-2013 00:45:37.447 general: warning: zone 
 /IN: gc._msdcs./A: bad owner name (check-names)
 
 Hmm, aren't those supposed to be SRV records?

No, they are the addresses of the global catalog servers. If they were SRV 
records, check-names would not complain.

Chris Buxton

--

Message: 3
Date: Wed, 17 Apr 2013 12:07:07 -0400
From: Barry Margolin bar...@alum.mit.edu
To: comp-protocols-dns-b...@isc.org
Subject: Re: “Foreign” name in the reverse lookup zone
Message-ID: barmar-c85efa.12070717042...@news.eternal-september.org

In article mailman.146.1366210213.20661.bind-us...@lists.isc.org,
 PAVLOV Misha misha.pav...@socgen.com wrote:

 Folks,
 
 Wonder if someone can kindly confirm that there is nothing wrong with having 
 a PTR record in one of the subnet zone file (we are authorative for) with PTR 
 to the name owned by another office (domain). A server 
 exchange.north.our.company (owned and registered in north.our.company domain) 
 installed here, on the same network as all local south.our.company machines. 
 We own, are authorative and maintain the db.1.2.3 subnet reverse zone, but 
 not the north.our.company name registered far away.

There's nothing wrong with it, and it's done all the time. Consider the 
case where www.company.com server is hosted at a third party. The A 
record will be in the company's domain, but the PTR record will be in 
the hosting service's reverse domain.

Just make sure that there is a corresponding A record. Some software 
will check for this before believing the PTR record. This is mostly done 
in software that uses reverse lookups in security checks; for instance, 
if a hosts.allow file allows access from *.company.com, it can't just 
believe the PTR record because anyone can put some-addr PTR 
foo.company.com. in their reverse zone.

-- 
Barry Margolin
Arlington, MA


--


End of bind-users Digest, Vol 1502, Issue 1
***


RE: bind-users Digest, Vol 1485, Issue 1

2013-04-01 Thread Ben-Eliezer, Tal (ITS)
Hi Kevin-

Thank you for the further elaboration on how you use the include statements in 
your environment.

Oddly enough this may be a way for me to accomplish what I'd like to do.

Thanks again for the help! I'll report back with any further issues I may 
experience. Have a great day all!

Tal

-Original Message-
From: bind-users-bounces+tal.ben-eliezer=its.ny@lists.isc.org 
[mailto:bind-users-bounces+tal.ben-eliezer=its.ny@lists.isc.org] On Behalf 
Of bind-users-requ...@lists.isc.org
Sent: Monday, April 1, 2013 8:00 AM
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 1485, Issue 1


Today's Topics:

   1. Re: Forward First on Master Zone (bypass SOA) (Kevin Darcy)
   2. Re: Lots of RSA_verify failed after upgrade to 9.7.7
  (Noel Butler)
   3. Re: Lots of RSA_verify failed after upgrade to 9.7.7
  (Mark Andrews)
   4. Re: Lots of RSA_verify failed after upgrade to 9.7.7
  (Noel Butler)


--

Message: 1
Date: Sun, 31 Mar 2013 18:01:36 -0400
From: Kevin Darcy k...@chrysler.com
To: bind-users@lists.isc.org
Subject: Re: Forward First on Master Zone (bypass SOA)
Message-ID: 5158b240.70...@chrysler.com
Content-Type: text/plain; charset=UTF-8; format=flowed

On 3/29/2013 6:12 PM, Lawrence K. Chen, P.Eng. wrote:
 - Original Message -
 On Mar 28, 2013, at 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:

 I've spent hours researching a way to accomplish this without any 
 luck. Is there any way to accomplish what I'm trying to do?
 No, not unless you want to monkey around with static zones and 
 $INCLUDE directives -- something like this:

 Internal zone file:

 $INCLUDE internal.zone.apex
 $INCLUDE example.com.common-records
 $TTL 86400
 some.internal.host   A   192.0.2.1
 [...]

 External zone file:

 $INCLUDE external.zone.apex
 $INCLUDE example.com.common-records
 $TTL 86400
 some.external.host   A   192.0.2.254
 [...]

 where the *.zone.apex files look something like this:

 $TTL 86400
 @   SOA [... 7 data fields ...]
     NS  ns1.example.com.
     NS  ns2.example.com.
     MX  10 mx1.example.com.

 This way, you mostly maintain 3 files of DNS records for the zone -- 
 external, internal, and common. Note that this is not compatible with 
 dynamic zones.

 If you need to support dynamic zones (and who doesn't, these days?), 
 you're out of luck.

 Chris Buxton
 BlueCat Networks
 I/we maintain a 'single' zone file (with help of subversion/cfengine) which 
 is then processed into 4 different zone files through a Makefile on my master 
 nameserver.

 Basically, the as-is zone file is the external view state.

 All the internal (campus) view lines/$includes are prefixed with:

 ;CAMPUS;

 where sed removes those comments to generate the 'campus' view zone file.

 Then there are lines that will have different comments after the line.

 one is ;GUEST_NETWORK and another is ;DISASTER_RECOVERY

 The sed script will replace the IP part of ;GUEST_NETWORK lines with the IP of a 
 static page informing the user that the resource is available from the 
 guest network. (This is for services where we couldn't have the 
 service owner do this within their application.)  And 
 ;DISASTER_RECOVERY replaces the IP with the IP of the server at our DR 
 site, with the intent that the result is sent by alternate means to 
 our off-campus secondaries, where they can switch to using this 
 file, etc.  Due to DNSSEC, we have to generate a DR version of our 
 zone file (instead of having the secondary edit the transfer file and 
 present that.)

 These are also based off the external view (since internal services aren't 
 exposed to the guest network, and DR is an alternate external).

 All the different zone files are signed using dnssec-signzone with the 
 '-N unixtime' option to avoid serial number issues (especially now 
 that I'm not the only one handling DNS requests).

 Before split-DNS, we had created our own TLD ... but the problem with 
 that was we couldn't buy SSL certificates for these services, and 
 there was no interest in having our users accept self-signed certs 
 or in adding a private CA to everything  so the TLD became a 
 subdomain that was only in the internal view (originally)...though 
 later we added a stub in the external view to publish an MX record so 
 that users/apps sending mail without setting a correct from address 
 would still work. (sure I've told people they need to do
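The single-annotated-file convention described above (";CAMPUS;" prefix lines that only the campus view keeps, ";GUEST_NETWORK" and ";DISASTER_RECOVERY" tags whose A rdata is swapped for a substitute address, everything else being the external view) as an added example, not the poster's Makefile or sed script. The sample zone, the output file names and the substitute addresses are constructed for the example.

```python
"""Generate per-view zone files from one annotated master zone file.

Added example, not the poster's Makefile/sed script. It implements the
convention described in the thread: lines prefixed ";CAMPUS;" are live only
in the campus view; A records tagged ";GUEST_NETWORK" or ";DISASTER_RECOVERY"
get their address swapped in the guest and DR views, which are both derived
from the external (as-is) view. Sample zone, file names and substitute
addresses are constructed for the example.
"""
import re

CAMPUS_PREFIX = ";CAMPUS;"
TAG_FOR_VIEW = {"guest": "GUEST_NETWORK", "dr": "DISASTER_RECOVERY"}
VIEWS = ("external", "campus", "guest", "dr")
# rdata of an A record: the 'A' type token followed by a dotted quad
A_RDATA = re.compile(r"(\sA\s+)(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: the as-is file is the external view.
MASTER_ZONE = """\
$TTL 3600
@        IN SOA ns1.example.edu. hostmaster.example.edu. ( 1 7200 900 1209600 3600 )
         IN NS  ns1.example.edu.
www      IN A   192.0.2.10 ;GUEST_NETWORK
portal   IN A   192.0.2.20 ;GUEST_NETWORK ;DISASTER_RECOVERY
mail     IN A   192.0.2.30 ;DISASTER_RECOVERY
;CAMPUS;intranet IN A   10.1.1.5
;CAMPUS;$INCLUDE campus-only.zone
"""


def render_view(zone_text, view, substitute_ip=None):
    """Return the zone text for one view.

    external: ";CAMPUS;" lines stay out (they are comments), tags are left alone.
    campus:   the ";CAMPUS;" prefix is stripped so those lines become live.
    guest/dr: based on external; A records carrying the view's tag get their
              address replaced by substitute_ip. The tag comment is kept.
    """
    if view not in VIEWS:
        raise ValueError(f"unknown view {view!r}")
    tag = TAG_FOR_VIEW.get(view)
    if tag and substitute_ip is None:
        raise ValueError(f"view {view!r} needs a substitute address")
    out = []
    for line in zone_text.splitlines():
        if line.startswith(CAMPUS_PREFIX):
            if view != "campus":
                continue  # a commented-out line; dropping it is equivalent
            line = line[len(CAMPUS_PREFIX):]
        rdata, sep, comment = line.partition(";")
        tags = {t.strip() for t in comment.split(";")}
        if tag and tag in tags:
            rdata, n = A_RDATA.subn(lambda m: m.group(1) + substitute_ip, rdata, count=1)
            if n == 0:
                raise ValueError(f"{tag} tag on a line without A rdata: {line!r}")
            line = rdata + sep + comment
        out.append(line)
    return "\n".join(out) + "\n"


def write_views(zone_text, guest_ip, dr_ip, prefix="example.edu"):
    """Write all four view files. The SOA serial is left untouched here because
    the thread signs each file with dnssec-signzone -N unixtime, which sets it."""
    addrs = {"guest": guest_ip, "dr": dr_ip}
    paths = []
    for view in VIEWS:
        path = f"{prefix}.{view}.zone"  # constructed naming scheme
        with open(path, "w") as fh:
            fh.write(render_view(zone_text, view, addrs.get(view)))
        paths.append(path)
    return paths


if __name__ == "__main__":
    addrs = {"guest": "192.0.2.250", "dr": "203.0.113.10"}
    for view in VIEWS:
        print(f"--- {view} ---")
        print(render_view(MASTER_ZONE, view, addrs.get(view)))
```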

Forward First on Master Zone (bypass SOA)

2013-03-28 Thread Ben-Eliezer, Tal (ITS)
Hello,

My organization is evaluating the use of split-view DNS in our environment.
One of the challenges I've yet to overcome in my trials is the ability to 
minimize the administrative overhead of maintaining two copies of the zone.
Upon reviewing some of the BIND options, 'forward first;' caught my eye. Below 
is the description of this feature I found on Zytrax:

forward is only relevant in conjunction with a valid forwarders statement. If 
set to 'only' the server will only forward queries, if set to 'first' (default) 
it will send the queries to the forwarder and if not answered will attempt to 
answer the query. This statement may be used in a zone, view or a global 
options clause.

If I understand this correctly, BIND should handle a query for host.example.com 
by first passing it through the configured forwarder, which should succeed (the 
record exists on the Internet).
However, I believe since this server is also authoritative for this domain (the 
internal copy), and the record is not in this view of the zone file, I 
receive an NXDOMAIN.

I've spent hours researching a way to accomplish this without any luck. Is 
there any way to accomplish what I'm trying to do?

Thanks,

Tal Ben-Eliezer



RE: Forward First on Master Zone (bypass SOA)

2013-03-28 Thread Ben-Eliezer, Tal (ITS)
Hi Chris, this looks interesting, I'll do some testing and report back!

Thank you,
Tal

-Original Message-
From: Chris Buxton [mailto:cli...@buxtonfamily.us] 
Sent: Thursday, March 28, 2013 5:02 PM
To: Ben-Eliezer, Tal (ITS)
Cc: bind-users@lists.isc.org
Subject: Re: Forward First on Master Zone (bypass SOA)

On Mar 28, 2013, at 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:

 I've spent hours researching a way to accomplish this without any luck. Is 
 there any way to accomplish what I'm trying to do?

No, not unless you want to monkey around with static zones and $INCLUDE 
directives -- something like this:

Internal zone file:

$INCLUDE internal.zone.apex
$INCLUDE example.com.common-records
$TTL 86400
some.internal.host  A   192.0.2.1
[...]

External zone file:

$INCLUDE external.zone.apex
$INCLUDE example.com.common-records
$TTL 86400
some.external.host  A   192.0.2.254
[...]

where the *.zone.apex files look something like this:

$TTL 86400
@   SOA [... 7 data fields ...]
    NS  ns1.example.com.
    NS  ns2.example.com.
    MX  10 mx1.example.com.

This way, you mostly maintain 3 files of DNS records for the zone -- external, 
internal, and common. Note that this is not compatible with dynamic zones.

If you need to support dynamic zones (and who doesn't, these days?), you're out 
of luck.

Chris Buxton
BlueCat Networks



Re: Most specific match on PTR records

2013-02-21 Thread Ben Croswell
You need to ensure, if the resolver that is doing the forwarding also loads
the blank 10/8, that you have the smaller /24 delegated in the 10/8.
The reason being, if it loads the /8 with no /24 delegation it will ignore
the forward because it believes the /24 doesn't exist.
On Feb 21, 2013 1:21 PM, Nikita Koshikov koshi...@gmail.com wrote:

 Hello list,


 I'm trying to cut /24 network from the scope of /8 network, here is
 example:

 zone 11.2.10.in-addr.arpa {
 type forward;
 forwarders { 192.168.1.23; 192.168.1.24; };
 };

 zone 10.in-addr.arpa {
 type master;
 file master/int/10.in-addr.arpa;
 };

 10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8 IP 
 address. But I need to forward requests for the
 10.2.11.0/24 net to other DNS servers and the above config is not working.
 I get empty responses for the 10.2.11.0/24 net.

 This is right: (192.168.1.8 - server with bind)

 $ host -t ptr 10.1.1.1 192.168.1.8
 Using domain server:
 Name: 192.168.1.8
 Address: 192.168.1.8#53
 Aliases:
 Host 1.1.1.10.in-addr.arpa. not found: 3(NXDOMAIN)

 This is wrong:
 $ host -t ptr 10.2.11.10  192.168.1.8
 Using domain server:
 Name: 192.168.1.8
 Address: 192.168.1.8#53
 Aliases:
 Host 10.11.2.10.in-addr.arpa. not found: 3(NXDOMAIN)

 This is expected answer from the forwarded server  - 192.168.1.23
 $ host -t ptr 10.2.11.10  192.168.1.23
 Using domain server:
 Name: 192.168.1.23
 Address: 192.168.1.23#53
 Aliases:
 10.11.2.10.in-addr.arpa domain name pointer hawk-agent.local.intranet.

 Can someone help with this ?




Re: What causes 'zone transfer setup failed' ?

2013-01-25 Thread Ben Croswell
A common issue is the secondary not being allowed to query the master for
the SOA of the zone. Ensure the master has an allow-query that includes the
secondary.
On Jan 25, 2013 6:06 AM, Jan-Piet Mens jpmens@gmail.com wrote:

 Hello,

 I'm seeing quite a number of messages like

 xfer-out: debug 3: client 192.168.1.2#54688 (example.com): zone
 transfer setup failed

 BIND 9.9.2P1 here, configured with:

 request-ixfr no;
 transfer-format many-answers;
 transfers-in 100;
 transfers-per-ns 100;
 max-transfer-time-in 60;

 BIND has a lot of zones to transfer; does this have something to do with
 too many TCP connections?

 FWIW, BIND is running on Centos 6.3 in an OpenVZ container.

 Regards,

 -JP


Re: Define an internal zone with only a couple of A records, then forward to an external dns server

2013-01-17 Thread Ben Croswell
If you load the zone your server will believe it knows everything about the
zone and not forward anything below it.

If you load foo.com with two records, nothing but those two records will
ever resolve on that server for foo.com.

One way to make it work would be to load two zones. Vpn1.foo.com and
vpn2.foo.com each with their A records. Then you would only blackhole
things below vpn1.foo.com and vpn2.foo.com.
On Jan 17, 2013 10:09 AM, Alberto Zanon alberto.za...@edistar.com wrote:

 Hi all,

 I googled all morning without success :( I'm using Bind 9.9.1 and I'm
 a newbie to Bind. This is my goal:

 - I want to define in my dns server a zone external_partner.com, which
 is the domain of our partner who manages it with his dns public server 
 dns.external_partner.com.
 - I need to define into this zone a couple of servers (vpn_host_1.
 external_partner.com, vpn_host_2.external_partner.com) because we
 connect via vpn to our partner.
 - I want that the rest of the names, e.g. www.external_partner.com, are
 resolved forwarding the requests to the dns of our partner.

 I tried this without success:

 - in named.conf:

 zone "external_partner.com" {
     type master;
     file "master/external_partner.com.zon";
     forwarders { xxx.xxx.xxx.xxx; };
 };

 and I have recursion yes in the options.


 - in external_partner.com.zon I have only the two entries:

 $TTL 300
 @   IN  SOA dns.edistar.com. admin.dns.edistar.com. (
         2013011701  ; Serial
         300         ; Refresh
         300         ; Retry every hour
         300         ; Expire after a week
         300 )       ; Minimum ttl of 1 day

     IN  NS  dns.edistar.com.
         TXT "vpn servers"

 vpn_host_1.external_partner.com.  IN  A   xxx.xxx.xxx.xxx
 vpn_host_2.external_partner.com.  IN  A   xxx.xxx.xxx.xxx


 I read about the forward first option, but it is the opposite of my goal,
 correct?




 Thanks in advance for your responses.


  Alberto Zanon




Re: MNAME not a listed NS record

2013-01-16 Thread Ben Croswell
There is no issue with a configuration like this. It is the very definition
of a stealth master and is a very common configuration. Any DDNS updates
will continue to reach the stealth master via the mname and no resolvers
will find the master via NS records so it won't be queried.
On Jan 16, 2013 3:42 PM, Dave Warren li...@hireahit.com wrote:

 Is there anything technically wrong with having a SOA MNAME field that
 isn't listed as a NS record?

 The server listed as MNAME will host the zone and is authoritative for the
 zone, but out of latency concerns it isn't ideal to have other resolvers
 querying this server.

 Various online DNS diagnostic tools throw warnings, but as far as I can
 tell from the RFCs, this is a valid configuration. Is it valid? Are there
 any operational gotchas to be aware of or can I ignore the warnings?

 --
 Dave Warren
 http://www.hireahit.com/
 http://ca.linkedin.com/in/davejwarren



Re: Name resolution fails if not forwarding

2013-01-08 Thread Ben Croswell
My first thought would be lack of firewall rules and connectivity to the
Internet.
On Jan 8, 2013 9:35 AM, Daniele d.imbrog...@gmail.com wrote:

 If I use BIND9 forwarding all the queries not belonging to my local zones,
 it works.

 But if I don't forward those queries, `dig` sometimes (and this is weird)
 fails (with connection timed out; no servers could be reached) and the
 logs are full of lame server, FORMERR.

 Why?



Re: Bind not forwarding all requests

2012-12-07 Thread Ben Croswell
It is probably related to forward first versus forward only. Forward first
is default but will fall back to no forwarding if the forwarders fail.
On Dec 7, 2012 12:06 PM, Romgo ro...@free.fr wrote:

 Hello,

 I am currently running two bind9 servers on Debian Squeeze,
 1:9.7.3.dfsg-1~squeeze8.

 Server 1 is the internal DNS server and serves some local zones. This server
 should forward all unknown requests to our public DNS server. So I
 configured this server as follows:
 /etc/bind/named.conf.options

   forward only;
   forwarders {
     ip_server_2;
   };


 The second server is allowed to do DNS request on the internet, so there
 is no forwarder configured.

 The issue is that I see on my firewall that server1 is trying to do DNS
 requests on DNS ROOT server.

 Any idea why I do have this issue ? wrong configuration ?

 Regards,





RE: Performance tuning

2012-11-26 Thread Ben Croswell
I did digs to both names from my work DNS infrastructure.  The response was
58ms to resolve the WWW entry and 44ms for the non WWW entry. Would not
appear to be a resolution related slow down.
-Ben Croswell
On Nov 26, 2012 1:25 PM, Lightner, Jeff jlight...@water.com wrote:

   For question 1:

 “Loading” is a function of the web site, not DNS.  Your first question
 could have to do with what the default site is in your web configuration and
 what kind of rewrite rules are getting you to the other.


 If it were me I’d probably do some timed “host” or “dig” commands for the
 two records to verify name resolution itself wasn’t a problem.   


 I guess it MIGHT be minutely slower to resolve www if it is a CNAME to
 the other as opposed to both being A records.   However, since this is a
 fairly common practice I doubt it is likely to be of major importance in
 overall timing.


 *From:* bind-users-bounces+jlightner=water@lists.isc.org [mailto:
 bind-users-bounces+jlightner=water@lists.isc.org] *On Behalf Of *Adamiec,
 Lawrence
 *Sent:* Monday, November 26, 2012 1:13 PM
 *To:* bind-users@lists.isc.org
 *Subject:* Re: Performance tuning


 To the best of my knowledge, there are no problems with our DNS.  We only
 host 25 domains.


 The report must also address these two specific questions:


1. Why does www.kentlaw.iit.edu load quicker than kentlaw.iit.edu in
any browser?
2. What happens if we remove the forwarders option from named.conf?

  I can't duplicate the issue in Q1 and I'm trying to determine a way of
 testing Q2.


 Larry


 On Mon, Nov 26, 2012 at 11:39 AM, Doug Barton do...@dougbarton.us wrote:
 

 What a delightfully vague requirement. :)

 I would push back a bit on exactly what problems are attempted to be
 solved here. The BIND defaults are about as efficient as they can be,
 especially so in later versions.

 Doug


 On 11/26/2012 11:01 AM, Adamiec, Lawrence wrote:
  Hi,
 
  I have been tasked with authoring a DNS report to achieve optimal
  performance.  The report must include:
 
  CPU usage
  memory usage
  bandwidth usage
  throughput
  latency
 
  I have found some information regarding the number of queries processed
  per minute but nothing of value for the above areas.
 
  Is there some documentation that discusses the above areas?
 
  We are running BIND 9.6-ESV-R5-P1, Solaris 10 on a SPARC server.  My
  report will include the fact we must upgrade from BIND 9.6-ESV-R5-P1
 
  Thank you in advance.
 
  Larry
 
  Lawrence Adamiec
  UNIX Mgr
  IIT Chicago-Kent College of Law



Re: forwarder is ignored when authoritative zone is added

2012-10-26 Thread Ben Croswell
The one thing I can think of off the top of my head is to ensure the child
subdomain is properly delegated in the parent. If you try to zone-level
forward a child domain on a server that loads the parent, it will ignore the
forward if it can see the child doesn't exist as a true delegation.
I assume the logic is: why would I forward a subdomain I know doesn't exist?

-Ben Croswell
On Oct 26, 2012 2:17 AM, Frank Even lists+isc@elitists.org wrote:

 I've recently had an issue that I'm having some issues finding
 information on solving.

 I have internal DNS resolvers...they act as recursive name servers for
 general internet queries, but we have forwarders explicitly defined
 for specific internal zones being served by other name servers.

 My configuration has one particular zone configured as such:

 zone "internal.organization.com" IN {
     type forward;
     forward only;
     forwarders { 172.x.x.x; 172.x.x.x; };
 };

 I have our main zone, organization.com, hosted in an external area
 outside of a firewall with a wildcard record contained in it for
 anything that is not explicitly defined.  I have some services that I
 need to reach using names that are in this external zone internally.
 What I'm trying to do is to slave the organization.com zone to my
 internal recursive resolver to mitigate any possible network issues.

 So I setup the internal resolver as a slave for the organization.com
 zone and found that queries against internal.organization.com were
 getting answered with the wildcard for the external organization.com
 zone.  I can't seem to figure out why the forwarders are getting
 ignored.  Is it an order of precedence, say authoritative zones are
 respected over forwarders...or something else??

 Thanks for any assistance anyone can provide, or point me to some
 documentation I'm missing,
 Frank


Re: forwarder is ignored when authoritative zone is added

2012-10-26 Thread Ben Croswell
The thing that brings me back to a delegation issue is the statement about
slaving an external version of the second-level domain to the internal DNS
server. I know if I were splitting a domain I would not put internal-only
delegations in the external version.

-Ben Croswell
On Oct 26, 2012 7:23 AM, Sten Carlsen st...@s-carlsen.dk wrote:


 On 26/10/12 12:56, Ben Croswell wrote:

 The one thing I can think of off the top of my head is to ensure the child
 subdomain is properly delegated in the parent. If you try to zone-level
 forward a child domain on a server that loads the parent, it will ignore the
 forward if it can see the child doesn't exist as a true delegation.
 I assume the logic is: why would I forward a subdomain I know doesn't
 exist?

 I should think that internal.org... is properly delegated, so the forward
 will not be concerned about a subdomain, only about the domain, that is
 actually forwarded. internal.org... will then be looked up in the normal
 recursive way, so another forward statement might solve this issue.



 --
 Best regards

 Sten Carlsen

 No improvements come from shouting:
MALE BOVINE MANURE!!!




Queries aborted due to Quota

2012-07-27 Thread Ben

Hi,

I am monitoring rndc stats output and got

++ Resolver Statistics ++
[Common]
   82121 queries aborted due to quota
    5987 failures in opening query sockets

What does it mean by queries aborted due to quota and failing in opening 
query socket ?


Is there any OS resource limitation or ?

BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6


Regards,
Ben


Re: Queries aborted due to Quota

2012-07-27 Thread Ben

One added question:

I found some logs in syslog:

Jul 28 03:13:42 ns1 named[20922]: adb: grow_entries finished
Jul 28 03:13:42 ns1 named[20922]: adb: grow_names to 2039 starting
Jul 28 03:13:42 ns1 named[20922]: adb: grow_names finished

What is meant by adb growing?

Is there any document or link from which we can read about the rndc stats 
command in depth, or any FAQ/information about general error messages 
regarding bind services?


Best Regards,
Ben




Re: global forwarders - current BIND9 behaviour documentation

2012-07-25 Thread Ben Croswell
All forwarders in the list will be tried at least some of the time. Every time the fastest
forwarder responds, the SRTTs of the remaining forwarders are decayed.
Eventually they will be lower and get tried. If they are slower than the
original fastest, their SRTT goes back up and the original will be used again.
It's the method for retrying a forwarder after its SRTT was set high due to a
timeout etc.

-Ben Croswell
On Jul 25, 2012 2:36 PM, ip admin ipm...@googlemail.com wrote:

 Hi,

 anybody there who can provide a definitive answer on the current BIND 9.7
 (or higher) global forwarder behaviour?

 I did find the following info before on using multiple forwarders:

 https://lists.isc.org/pipermail/bind-users/2007-September/067830.html

 My expectation based on that is that the fastest responding forwarder will
 basically always be used until a timeout may occur, i.e. when specifying
 three forwarders one will be the preferred one based on SRTT and the others
 are only used if the preferred one goes down.

 First of all when doing 'rndc dumpdb -all' I cannot find my forwarders' IP
 addresses in the named_dump.db at all as explained in the posting above
 (BIND 9.7.3-P3 on Linux), so I cannot verify the SRTTs. 'rndc stats' /
 named.stats does not show any info on the forwarders as well.

 Also by doing a tcpdump I can see that all three forwarders I have
 specified are constantly used. However it is not a real round-robin but
 roughly a 3:2:1 ratio instead (i.e. one receives approx 3 times the number
 of queries compared to the third one, the other one receives 2 times the
 number of queries compared to the 3rd one). In fact the 3:2:1 distribution
 reflects the response time I can manually determine by running dig against
 all forwarders - the one which responds quickest gets the most queries and
 the one which is slowest gets the fewest queries.

 My server receives quite a few queries (approx 10.000 within a minute).
 Any idea if the DNS server will send every 10th query or so to the slower
 forwarders?

 I also tried to set the logging level to debug 10 for category resolver
 but no luck at all in finding out which forwarder is used (and why).

 So . . . if somebody could explain what the current behaviour is supposed
 to be that would be helpful.

 Regards
  Tom




Re: rndc stats command

2012-07-23 Thread Ben

Hi,

Thanks for your kind response. Sorry for the delay.

Currently I have built the following logic with shell scripts:

I run my statistics.sh via cron every 1 minute and collect INCOMING 
QUERY AND CACHE HIT RATIO.


CACHE HIT RATIO = (INCOMING QUERY - RECURSION) / INCOMING QUERY.

Let's say I run it the first time at 10.00 AM.
First I clean the named_stat file and then run the rndc stats command so it will 
write statistics to the named_stat file, and then I collect the incoming query 
numbers and cache hit ratio.


The second run uses the same logic at 10.01 AM:
this time I again get the incoming query numbers and hit ratio value, and 
while plotting these with rrdtool, I subtract the old value (10.00 AM) from the 
current value (10.01 AM) to get the actual value.


In the same fashion, I run the above logic for the whole time frame.

Kindly correct me if I am running the wrong logic.

When I run rndc stats, it gives me the full output. Can I get only certain 
output from it by any command or something?


My concern is to find QPS / no. of queries per RR / hit ratio.

Best Regards,
Ben

On Jul 18 2012, Ben wrote:


Hi,

As per the man page and my understanding, rndc stats writes the current 
named statistics into the file defined in named.conf.


So suppose I run the rndc stats command and then take the required 
information from the named statistics file.


And after some time (after 5 minutes or so) when I do rndc stats 
again, does it provide new statistics at that time?


My understanding is that while running rndc stats, it writes the current 
named statistics to the defined file and internally flushes the named 
statistics (which it wrote into the file as per named.conf).


And when the same command is run a second time, does it again append fresh/new 
named statistics to the defined file, is that so?


Or is there any interval for rndc / named to generate fresh/new 
statistics?


Kindly correct me if I am missing something...


I think you are missing at least the following:

rndc stats *appends* to the statistics file. It doesn't overwrite
any previous contents.

rndc stats does not reset the internal statistics counters (I take
it that was what you meant by flush). They are always cumulative
from when named was last started.

From two successive sets of statistics written by rndc stats, you
can deduce what happened during the interval by taking the difference
in the values of corresponding counters, and to deduce rates you
divide by the length of the interval, which you can deduce from
the difference in their timestamps:

+++ Statistics Dump +++ (1342566900)
...
--- Statistics Dump --- (1342566900)
 ^^
which are in time_t format (seconds since the Unix epoch).

[What's annoyingly missing, by the way, is the time when named was
in fact started. That's present in the XML on the statistics channel,
but not in the file written by rndc stats.]




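As an added worked example (not from the original posts and not an ISC tool), the following Python script implements what the reply above describes and what Ben's statistics.sh does by hand: it parses two successive rndc stats dumps appended to the same named.stats file, takes the difference of the cumulative counters, divides by the interval derived from the two timestamps, and computes Ben's cache hit ratio (incoming queries minus recursions, over incoming queries). The named.stats excerpt it parses is constructed in the BIND 9.7 layout; the section and counter labels are assumed to appear as shown and are not taken from a real server.

```python
import re
from typing import Dict, List, Tuple

# Counter key: (section name, counter label) as they appear in named.stats.
Counters = Dict[Tuple[str, str], int]

DUMP_START = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)")
DUMP_END = re.compile(r"^--- Statistics Dump --- \((\d+)\)")
SECTION = re.compile(r"^\+\+ (.+?) \+\+$")
COUNTER = re.compile(r"^\s*(\d+) (.+?)\s*$")

# Constructed sample: two dumps appended to one file by 'rndc stats',
# 60 seconds apart, in the BIND 9.7 named.stats layout. Not real data.
SAMPLE_STATS = """\
+++ Statistics Dump +++ (1342566900)
++ Incoming Requests ++
            120000 QUERY
++ Incoming Queries ++
            100000 A
             20000 MX
++ Name Server Statistics ++
            120000 IPv4 requests received
             90000 queries resulted in successful answer
             30000 queries caused recursion
--- Statistics Dump --- (1342566900)
+++ Statistics Dump +++ (1342566960)
++ Incoming Requests ++
            126000 QUERY
++ Incoming Queries ++
            105000 A
             21000 MX
++ Name Server Statistics ++
            126000 IPv4 requests received
             94200 queries resulted in successful answer
             31500 queries caused recursion
--- Statistics Dump --- (1342566960)
"""


def parse_dumps(text: str) -> List[Tuple[int, Counters]]:
    """Return [(timestamp, counters), ...] for every complete dump in the file."""
    dumps: List[Tuple[int, Counters]] = []
    ts = None
    section = None
    current: Counters = {}
    for line in text.splitlines():
        m = DUMP_START.match(line)
        if m:
            ts, section, current = int(m.group(1)), None, {}
            continue
        m = DUMP_END.match(line)
        if m:
            if ts is None or int(m.group(1)) != ts:
                raise ValueError("unbalanced Statistics Dump markers")
            dumps.append((ts, current))
            ts = None
            continue
        if ts is None:
            continue  # text outside a dump; ignore
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = COUNTER.match(line)
        if m and section is not None:
            key = (section, m.group(2))
            # Per-view sections repeat the same label; sum them per dump.
            current[key] = current.get(key, 0) + int(m.group(1))
    return dumps


def interval_deltas(older: Tuple[int, Counters], newer: Tuple[int, Counters]):
    """Difference of the cumulative counters between two dumps, plus interval length."""
    t0, c0 = older
    t1, c1 = newer
    seconds = t1 - t0
    if seconds <= 0:
        raise ValueError("dumps are not in chronological order")
    deltas = {k: v - c0.get(k, 0) for k, v in c1.items()}
    # A counter that went backwards means named was restarted in between:
    # counters are cumulative since start, so that delta is meaningless.
    restarted = any(d < 0 for d in deltas.values())
    return seconds, deltas, restarted


def summarize(older: Tuple[int, Counters], newer: Tuple[int, Counters]) -> dict:
    seconds, deltas, restarted = interval_deltas(older, newer)
    queries = deltas.get(("Incoming Requests", "QUERY"), 0)
    recursion = deltas.get(("Name Server Statistics", "queries caused recursion"), 0)
    per_rrtype = {
        label: count / seconds
        for (section, label), count in deltas.items()
        if section == "Incoming Queries"
    }
    return {
        "interval_s": seconds,
        "restarted": restarted,
        "qps": queries / seconds,
        "per_rrtype_qps": per_rrtype,
        # Ben's definition: answered without recursion, divided by all queries.
        "cache_hit_ratio": (queries - recursion) / queries if queries else 0.0,
    }


if __name__ == "__main__":
    dumps = parse_dumps(SAMPLE_STATS)
    print(summarize(dumps[-2], dumps[-1]))
```

Because the file only grows, the script always compares the last two dumps, so the "clean the file first" step in Ben's cron job is unnecessary; the `restarted` flag covers the one case where subtraction gives nonsense, a named restart between the two runs.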


rndc stats command

2012-07-18 Thread Ben

Hi,

As per the man page and my understanding, rndc stats writes the current named 
statistics into the file defined in named.conf.


So suppose I run the rndc stats command and then take the required 
information from the named statistics file.


And after some time (after 5 minutes or so) when I do rndc stats again, 
does it provide new statistics at that time?


My understanding is that while running rndc stats, it writes the current 
named statistics to the defined file and internally flushes the named 
statistics (which it wrote into the file as per named.conf).


And when the same command is run a second time, does it again append fresh/new named 
statistics to the defined file, is that so?


Or is there any interval for rndc / named to generate fresh/new statistics?

Kindly correct me if I am missing something...


Regards,
Ben


Re: Operation Cancelled Error

2012-07-12 Thread Ben


How can I check, out of 10 queries, which are served from cache and which are not?

Still, my question is open..

Dear ISC team, can you please suggest what happened with my caching DNS 
load test? I mean, I want to find the root cause of it.



On 12 July 2012 at 01:49, Ben benjo11...@gmail.com wrote:


If someone could share their experience with it, what is the maximum QPS handled by 
BIND? That would be good to understand more.

Well, it depends.

If you test with a freshly restarted BIND (nothing cached yet), and ask for 
only external data, you will get one result and be at the mercy of the external 
nameservers.

You will probably get the highest result if you only ask for pre-cached 
answers, in which case reaching 100k qps (and higher) on a single server should 
be easy (with some not-too-old hardware).

Regards
Eivind Olsen






Re: Operation Cancelled Error

2012-07-11 Thread Ben

Hi,


On Jul 10, 2012, at 2:25 AM, Ben wrote:


Hi,

We deployed BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 and are trying to do a load test; 
while doing it we got so many error logs in named.run.

I must admit to being a little confused…

It *looks* to me like you are forwarding all queries to 8.8.8.8? (If so, I'm a little 
confused by the load test bit.) You will almost certainly get rate limited 
with this setup (assuming you have more than one or two users behind this server…)


Actually, I am doing load testing with my CACHING DNS SERVER, and for 
that I set up one client machine which sends queries to the CACHING DNS 
SERVER, and while doing this I got the errors given below in the log. So does this 
point to any network problem, or is any fine tuning / configuration 
required for BIND?


I am using the Google public DNS IPs as forwarders in named.conf.

lame server operation cancelled: does it mean BIND cancelled queries which 
it got from the client? Is it so?


Regards,
Ben



W




What does it mean by lame servers operation canceled? Is it due to a network 
reachability problem or a bandwidth problem or anything else related to 
BIND?

Kindly guide me to solve it.

10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'osnews.com/MX/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'campaignjobs.asia/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'couponbuddy.s3.amazonaws.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'ms-frontend.hse.ru/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'chriss2d.deviantart.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'www.cintegral.cl/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'krisknits.blogspot.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'css3.info/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'aventuras.isladejuegos.es/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'aliner.com/MX/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'uprl.kandk.ru/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'hospiceheart.org.s8a1.psmtp.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'orig-10060.conduit.cotcdn.net/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'sjc-dns1.ebaydns.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'sisar4k.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'musica.itematika.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'video-6.filmix.net/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'shop.ebay.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'mediawiki-lb.eqiad.wikimedia.org/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'www.carascorridas.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'technologie.gazeta.pl/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'ns1.kasperskylabs.net/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.732 lame-servers: info: error (operation canceled) 
resolving '142.192.186.24.in-addr.arpa/PTR/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.732 lame-servers: info: error (operation canceled) 
resolving 'geo.tp-cdn.com/A/IN': 8.8.8.8#53

Regards,
Ben






Re: Operation Cancelled Error

2012-07-11 Thread Ben


I am doing load testing on our local caching DNS. But while doing it, I 
added Google DNS and some other DNS IPs as forwarders to test QPS.
Even if I am not using any forwarder, in that case also I am having 
those same errors which I was getting.


I am confused whether those errors are due to BIND misconfiguration or 
something else?


If someone could share their experience with it, what is the maximum QPS 
handled by BIND? That would be good to understand more.


Regards,
Ben

Hi Ben,
At 05:37 11-07-2012, Ben wrote:
Actually, I am doing load testing with my CACHING DNS SERVER, and for 
that I set up one client machine which sends queries to the CACHING DNS 
SERVER, and while doing this I got the errors given below in the log. So does this 
point to any network problem, or is any fine tuning / configuration 
required for BIND?


I am using the Google public DNS IPs as forwarders in named.conf.


Are you doing load testing on Google's DNS server?

Regards,
-sm





Operation Cancelled Error

2012-07-10 Thread Ben

Hi,

We deployed BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 and are trying to do a load 
test; while doing it we got so many error logs in named.run.


What does it mean by lame servers operation canceled? Is it due to a 
network reachability problem or a bandwidth problem or anything else 
related to BIND?


Kindly guide me to solve it.

10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'osnews.com/MX/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'campaignjobs.asia/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'couponbuddy.s3.amazonaws.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'ms-frontend.hse.ru/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'chriss2d.deviantart.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'www.cintegral.cl/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'krisknits.blogspot.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'css3.info/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'aventuras.isladejuegos.es/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'aliner.com/MX/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'uprl.kandk.ru/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'hospiceheart.org.s8a1.psmtp.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) 
resolving 'orig-10060.conduit.cotcdn.net/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'sjc-dns1.ebaydns.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'sisar4k.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'musica.itematika.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'video-6.filmix.net/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'shop.ebay.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'mediawiki-lb.eqiad.wikimedia.org/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'www.carascorridas.com/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'technologie.gazeta.pl/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) 
resolving 'ns1.kasperskylabs.net/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.732 lame-servers: info: error (operation canceled) 
resolving '142.192.186.24.in-addr.arpa/PTR/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.732 lame-servers: info: error (operation canceled) 
resolving 'geo.tp-cdn.com/A/IN': 8.8.8.8#53


Regards,
Ben


Re: getting edns disabling message in logs

2012-07-04 Thread Ben

Hi Tony,

Thanks for your kind response. Does disabling EDNS due to a firewall 
misconfiguration raise any problem for DNS activity? I mean, will my users 
face any name resolution problems or ...?


Is there any way we can show that the current disabling of EDNS happens because of a 
firewall issue?


Regards,
Ben

Ben benjo11...@gmail.com wrote:

We run BIND as a caching-only DNS server for our customers. In the logs, I can
see so many entries which say

success resolving 'x.y.z/A' (in '.'?) after disabling EDNS

How can I check whether the current BIND installation has EDNS enabled or not?
What could be the reason behind it?

BIND has EDNS enabled by default. These log messages indicate that BIND is
trying and failing to make EDNS queries. This is usually caused by a
misconfigured firewall between the name server and the rest of the
Internet.

Tony.





getting edns disabling message in logs

2012-07-03 Thread Ben

Hi,

We run BIND as a caching-only DNS server for our customers. In the logs, I can 
see so many entries which say


success resolving 'malayalam.samachar.com/A' (in '.'?) after disabling EDNS
success resolving 'm.sify.com/A' (in '.'?) after disabling EDNS
success resolving 'planetradiocity.com/A' (in '.'?) after disabling EDNS
success resolving 'ns-3.2o7.net/A' (in '.'?) after disabling EDNS
success resolving 'ns-2.2o7.net/A' (in '.'?) after disabling EDNS
success resolving 'sifycorp.com/A' (in '.'?) after disabling EDNS

How can I check whether the current BIND installation has EDNS enabled or not?
What could be the reason behind it? We do not disable EDNS anywhere in 
named.conf. Please suggest how to resolve it.



Bind version : BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3

Regards,
Ben


Re: Operation cancelled Error

2012-05-31 Thread Ben

Dear ISC Team,

Any input please; if there is anything to do on my side, kindly suggest it.

Best Regards,
Ben

Dear ISC Team,

Any suggestions please.

Regards,
Ben

Hi,

I tried all things to avoid the current problem, but it is still the same. Can we 
have information on why BIND shows the Operation canceled error in the 
named.run file, and why BIND does not use its full power? When I do a load 
test and at the same time watch the rndc status command, it only tries to 
reach 6000-6500, and then goes back to 0..


Is there anything remaining to configure in BIND, or any issue in the OS?

I would request you to please suggest how to solve this.

Regards,
Ben



Hi Jeremy,

Thanks for your kind response.

On Thu, 24 May 2012, Ben wrote:


version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
CPUs found: 8
worker threads: 8
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 6400/29900/3
tcp clients: 0/100
server is up and running


I constantly watch the rndc status command, and in the recursive-clients 
tab the first value increases to a maximum of 6000-6500; why is it not 
going to the maximum which I defined, 3..?

I don't know why it never reached the maximum. resperf should try to
scale up to attempting 100,000 questions in its last second. (At 60th
second I think; the final 40 seconds is waiting for responses.) It only
tries 74038 during its total time, but I am not sure what is limiting
it.

Maybe your datafile is not unique enough? Maybe your source port range
is not large enough? So then BIND 9 is matching existing requests and
dropping.

My source port range is
cat /proc/sys/net/ipv4/ip_local_port_range
1024	65535

I downloaded the data file from the resperf provider site.

It depends a lot on the dataset. (I think I have seen around 17,000
queries with resperf and as low as 236 qps -- in this case it was
depending on number of ACLs.)

I am not using more ACLs for testing purposes.

I don't know why you have the burst of operation canceled. (The
ISC_R_CANCELED can happen from different problems.)
Please suggest to us what reasons generate the operation 
canceled error that comes in the named.run log file.
rndc status shows 8 worker processes; when I checked by pgrep 
named, it shows only a single instance. So does it need to show 8 instances or ?

8 worker threads is different than 8 processes.

Currently we use BIND as a caching name server, so why does rndc status 
show number of zones 19..?

The 19 zones are built-in zones. (See the ARM for the list.)

By the way, to set some comparison maximum baseline you can try having
resperf query the built-in zones. (It won't be real recursive work, but
should show you some potential maximum qps.)

Is there anything which we need to mind in OS kernel tuning 
parameters or on the BIND configuration side to achieve more QPS?


By the way, what is the highest benchmark for BIND in no. of QPS in 
production servers?


I would request that if someone is getting high QPS with BIND in 
production servers, they kindly suggest their inputs.




   Jeremy C. Reed
   ISC

Regards,
Ben








Re: Operation cancelled Error

2012-05-27 Thread Ben

Dear ISC Team,

Any suggestions please.

Regards,
Ben

Hi,

I tried all things to avoid the current problem, but it is still the same. Can we 
have information on why BIND shows the Operation canceled error in the 
named.run file, and why BIND does not use its full power? When I do a load 
test and at the same time watch the rndc status command, it only tries to 
reach 6000-6500, and then goes back to 0..


Is there anything remaining to configure in BIND, or any issue in the OS?

I would request you to please suggest how to solve this.

Regards,
Ben



Hi Jeremy,

Thanks for your kind response.

On Thu, 24 May 2012, Ben wrote:


version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
CPUs found: 8
worker threads: 8
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 6400/29900/3
tcp clients: 0/100
server is up and running


I constantly watch the rndc status command, and in the recursive-clients 
tab the first value increases to a maximum of 6000-6500; why is it not 
going to the maximum which I defined, 3..?

I don't know why it never reached the maximum. resperf should try to
scale up to attempting 100,000 questions in its last second. (At 60th
second I think; the final 40 seconds is waiting for responses.) It only
tries 74038 during its total time, but I am not sure what is limiting
it.

Maybe your datafile is not unique enough? Maybe your source port range
is not large enough? So then BIND 9 is matching existing requests and
dropping.

My source port range is
cat /proc/sys/net/ipv4/ip_local_port_range
1024	65535

I downloaded the data file from the resperf provider site.

It depends a lot on the dataset. (I think I have seen around 17,000
queries with resperf and as low as 236 qps -- in this case it was
depending on number of ACLs.)

I am not using more ACLs for testing purposes.

I don't know why you have the burst of operation canceled. (The
ISC_R_CANCELED can happen from different problems.)
Please suggest to us what reasons generate the operation canceled 
error that comes in the named.run log file.
rndc status shows 8 worker processes; when I checked by pgrep named, 
it shows only a single instance. So does it need to show 8 instances or ?

8 worker threads is different than 8 processes.

Currently we use BIND as a caching name server, so why does rndc status 
show number of zones 19..?

The 19 zones are built-in zones. (See the ARM for the list.)

By the way, to set some comparison maximum baseline you can try having
resperf query the built-in zones. (It won't be real recursive work, but
should show you some potential maximum qps.)

Is there anything which we need to mind in OS kernel tuning 
parameters or on the BIND configuration side to achieve more QPS?


By the way, what is the highest benchmark for BIND in no. of QPS in 
production servers?


I would request that if someone is getting high QPS with BIND in 
production servers, they kindly suggest their inputs.




   Jeremy C. Reed
   ISC

Regards,
Ben






Re: Operation cancelled Error

2012-05-25 Thread Ben

Hi Jeremy,

Thanks for your kind response.

On Thu, 24 May 2012, Ben wrote:


version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
CPUs found: 8
worker threads: 8
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 6400/29900/3
tcp clients: 0/100
server is up and running


I constantly watch the rndc status command, and in the recursive-clients tab
the first value increases to a maximum of 6000-6500; why is it not going to
the maximum which I defined, 3..?

I don't know why it never reached the maximum. resperf should try to
scale up to attempting 100,000 questions in its last second. (At 60th
second I think; the final 40 seconds is waiting for responses.) It only
tries 74038 during its total time, but I am not sure what is limiting
it.

Maybe your datafile is not unique enough? Maybe your source port range
is not large enough? So then BIND 9 is matching existing requests and
dropping.

My source port range is
cat /proc/sys/net/ipv4/ip_local_port_range
1024	65535

I downloaded the data file from the resperf provider site.

It depends a lot on the dataset. (I think I have seen around 17,000
queries with resperf and as low as 236 qps -- in this case it was
depending on number of ACLs.)

I am not using more ACLs for testing purposes.

I don't know why you have the burst of operation canceled. (The
ISC_R_CANCELED can happen from different problems.)
Please suggest to us what reasons generate the operation canceled 
error that comes in the named.run log file.

rndc status shows 8 worker processes; when I checked by pgrep named, it
shows only a single instance. So does it need to show 8 instances or ?

8 worker threads is different than 8 processes.


Currently we use BIND as a caching name server, so why does rndc status show
number of zones 19..?

The 19 zones are built-in zones. (See the ARM for the list.)

By the way, to set some comparison maximum baseline you can try having
resperf query the built-in zones. (It won't be real recursive work, but
should show you some potential maximum qps.)

Is there anything which we need to mind in OS kernel tuning parameters 
or on the BIND configuration side to achieve more QPS?


By the way, what is the highest benchmark for BIND in no. of QPS in 
production servers?


I would request that if someone is getting high QPS with BIND in 
production servers, they kindly suggest their inputs.




   Jeremy C. Reed
   ISC

Regards,
Ben


Re: Operation cancelled Error

2012-05-25 Thread Ben

Hi,

I tried all things to avoid the current problem, but it is still the same. Can we have 
information on why BIND shows the Operation canceled error in the named.run 
file, and why BIND does not use its full power? When I do a load test and at the same 
time watch the rndc status command, it only tries to reach 6000-6500, 
and then goes back to 0..


Is there anything remaining to configure in BIND, or any issue in the OS?

I would request you to please suggest how to solve this.

Regards,
Ben



Hi Jeremy,

Thanks for your kind response.

On Thu, 24 May 2012, Ben wrote:


version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
CPUs found: 8
worker threads: 8
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 6400/29900/3
tcp clients: 0/100
server is up and running


I constantly watch the rndc status command, and in the recursive-clients 
tab the first value increases to a maximum of 6000-6500; why is it not going to
the maximum which I defined, 3..?

I don't know why it never reached the maximum. resperf should try to
scale up to attempting 100,000 questions in its last second. (At 60th
second I think; the final 40 seconds is waiting for responses.) It only
tries 74038 during its total time, but I am not sure what is limiting
it.

Maybe your datafile is not unique enough? Maybe your source port range
is not large enough? So then BIND 9 is matching existing requests and
dropping.

My source port range is
cat /proc/sys/net/ipv4/ip_local_port_range
1024	65535

I downloaded the data file from the resperf provider site.

It depends a lot on the dataset. (I think I have seen around 17,000
queries with resperf and as low as 236 qps -- in this case it was
depending on number of ACLs.)

I am not using more ACLs for testing purposes.

I don't know why you have the burst of operation canceled. (The
ISC_R_CANCELED can happen from different problems.)
Please suggest to us what reasons generate the operation canceled 
error that comes in the named.run log file.
rndc status shows 8 worker processes; when I checked by pgrep named, 
it shows only a single instance. So does it need to show 8 instances or ?

8 worker threads is different than 8 processes.

Currently we use BIND as a caching name server, so why does rndc status 
show number of zones 19..?

The 19 zones are built-in zones. (See the ARM for the list.)

By the way, to set some comparison maximum baseline you can try having
resperf query the built-in zones. (It won't be real recursive work, but
should show you some potential maximum qps.)

Is there anything which we need to mind in OS kernel tuning parameters 
or on the BIND configuration side to achieve more QPS?


By the way, what is the highest benchmark for BIND in no. of QPS in 
production servers?


I would request that if someone is getting high QPS with BIND in 
production servers, they kindly suggest their inputs.




   Jeremy C. Reed
   ISC

Regards,
Ben


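Jeremy's first suggestion in the exchange above is that the resperf data file may not be unique enough, because BIND matches a new query against identical requests already in flight and drops the duplicate. As an added example (not from the thread, and not part of resperf or dnsperf), here is a Python check to run before blaming the server: it reads a query file in the one "qname qtype" per line format that resperf consumes and reports how many distinct (name, type) pairs it contains. The sample file is constructed, not Ben's dnsperf_test_queries.tsv.

```python
from collections import Counter
from typing import List, Tuple

# Constructed sample in the one-"qname qtype"-per-line format that resperf
# and dnsperf read; not the dnsperf_test_queries.tsv from the thread.
SAMPLE_QUERIES = """\
# constructed test set
www.example.com A
www.example.com A
mail.example.com MX
WWW.example.com. a
4.3.2.1.in-addr.arpa PTR
mail.example.com MX
broken-line-without-type
"""


def load_queries(text: str) -> Tuple[List[Tuple[str, str]], int]:
    """Return the (qname, qtype) list and the number of malformed lines.

    Names are lower-cased and the trailing dot is dropped, because the
    resolver treats 'WWW.example.com.' and 'www.example.com' as the same
    question; types are upper-cased for the same reason.
    """
    queries: List[Tuple[str, str]] = []
    malformed = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            malformed += 1
            continue
        queries.append((parts[0].lower().rstrip("."), parts[1].upper()))
    return queries, malformed


def uniqueness_report(queries: List[Tuple[str, str]]) -> dict:
    counts = Counter(queries)
    total = len(queries)
    return {
        "total": total,
        "distinct": len(counts),
        # 1.0 means every query is different; the closer to 0, the more the
        # test exercises in-flight duplicate matching instead of resolution.
        "unique_ratio": len(counts) / total if total else 0.0,
        "most_common": counts.most_common(3),
    }


if __name__ == "__main__":
    qs, bad = load_queries(SAMPLE_QUERIES)
    print(uniqueness_report(qs), "malformed lines:", bad)
```

A low unique ratio, or a `most_common` entry with a count in the thousands, means the measured qps says more about duplicate suppression than about the cache or the upstream path; a file of mostly distinct names is what makes the recursive-clients counter climb toward its configured limit.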


Re: Operation cancelled Error

2012-05-24 Thread Ben

Hello,

Any reply please...

Regards,
Ben

Hi,

I am doing load testing for BIND as a caching DNS server. For that I 
configured one machine as client and one as server. I set up BIND as a 
caching DNS server and set recursive-clients 3.


While doing the load test from the client machine via resperf, I got many 
errors in the named.run file, as shown below. I checked that at that time there was no 
high CPU usage / high memory usage on the server and clients. Why is the server 
not permitting the operation?


23-May-2012 23:30:12.085 error (operation canceled) resolving 
'www.thethreadexchange.com//IN': 192.33.14.30#53
23-May-2012 23:30:12.085 error (operation canceled) resolving 
'c2.nstld.net/A/IN': 192.42.93.31#53
23-May-2012 23:30:12.085 error (operation canceled) resolving 
'nothirst.com/A/IN': 192.54.112.30#53
23-May-2012 23:30:12.085 error (operation canceled) resolving 
'172.153.42.186.in-addr.arpa/PTR/IN': 199.212.0.53#53
23-May-2012 23:30:12.085 error (operation canceled) resolving 
'xxy.com/MX/IN': 192.12.94.30#53
23-May-2012 23:30:12.086 error (operation canceled) resolving 
'192.140.138.187.in-addr.arpa/PTR/IN': 193.0.9.3#53
23-May-2012 23:30:12.086 error (operation canceled) resolving 
'mail.n-u-c.ru/A/IN': 193.232.128.6#53
23-May-2012 23:30:12.086 error (operation canceled) resolving 
'www.gayteacher.net/A/IN': 108.59.10.134#53
23-May-2012 23:30:12.086 error (operation canceled) resolving 
'www.forever-christies.com/A/IN': 192.12.94.30#53
23-May-2012 23:30:12.086 error (operation canceled) resolving 
'166.98.232.189.in-addr.arpa/PTR/IN': 200.3.13.10#53
23-May-2012 23:30:12.086 error (operation canceled) resolving 
'89.140.112.200.in-addr.arpa/PTR/IN': 202.12.28.140#53
23-May-2012 23:30:12.086 error (operation canceled) resolving 
'9z772drlt.89ys/A/IN': 192.228.79.201#53
23-May-2012 23:30:12.087 error (operation canceled) resolving 
'video327.myfreecams.com/A/IN': 192.26.92.30#53
23-May-2012 23:30:12.087 error (operation canceled) resolving 
'ns1.thny.bbc.co.uk/A/IN': 194.83.244.131#53
23-May-2012 23:30:12.087 error (operation canceled) resolving 
'6.246.26.190.in-addr.arpa/PTR/IN': 200.3.13.10#53
23-May-2012 23:30:12.087 error (operation canceled) resolving 
'instagram.com/A/IN': 192.54.112.30#53
23-May-2012 23:30:12.087 error (operation canceled) resolving 
'acriacao.com/A/IN': 192.12.94.30#53
23-May-2012 23:30:12.087 error (operation canceled) resolving 
'technologie.gazeta.pl/A/IN': 192.203.230.10#53


rndc status shows,


version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
CPUs found: 8
worker threads: 8
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 6400/29900/3
tcp clients: 0/100
server is up and running


I constantly watch the rndc status command, and in the recursive-clients tab 
the first value increases to a maximum of 6000-6500; why is it not going 
to the maximum which I defined, 3..?
rndc status shows 8 worker processes; when I checked by pgrep named, 
it shows only a single instance. So does it need to show 8 instances or ?
Currently we use BIND as a caching name server, so why does rndc status 
show number of zones 19..?


Kindly guide me to resolve the above confusion.

Bind build info:
 named -V
BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 built with 
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' 
'--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' 
'--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' 
'--disable-openssl-version-check' '--with-dlz-ldap=yes' 
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes' 
'--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 
'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'



From client machine :

/usr/local/nom/bin/resperf -s 10.115.1.231 -d 
/root/dnsperf_test_queries.tsv

DNS Resolution Performance Testing Tool
Nominum Version 2.0.0.0

[Status] Command line: resperf -s 10.115.1.231 -d 
/root/dnsperf_test_queries.tsv

[Status] Sending
[Status] Reached 65536 outstanding queries
[Status] Waiting for more responses
[Status] Testing complete

Statistics:

  Queries sent: 74038
  Queries completed:74038
  Queries lost: 0
  Run time (s): 100.00
  Maximum throughput:   2838.00 qps
  Lost at that point:   24.32%


What are the configuration parameters required to increase QPS for the 
server? I mean any fine tuning on the BIND / OS side.

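The two kinds of resolver log lines quoted on this page, the "error (operation canceled) resolving 'name/type/class': server#port" lines in the load-test threads and the "success resolving 'name/type' (in 'zone'?) after disabling EDNS" lines in the EDNS thread, are easier to reason about once they are aggregated than when read one by one. As an added example (not from the posts and not an ISC tool), the Python script below parses both forms and reports cancellations per upstream server and per RR type, plus EDNS fallbacks per zone: if nearly every cancellation names the same upstream, the forwarder or the path to it is the first thing to check, and EDNS fallbacks spread over many unrelated zones point at a middlebox near the resolver rather than at the zones. The sample lines are constructed from the formats shown on this page; the category prefix is optional in the parser, and the final query-log line is included only to show that unrecognised lines are counted rather than mis-parsed.

```python
import re
from collections import Counter

# "error (operation canceled) resolving 'name/type/class': server#port".
# The category/severity prefix ("lame-servers: info:") is optional, and the
# type field may be empty, as in 'www.thethreadexchange.com//IN'.
CANCELED = re.compile(
    r"error \(operation canceled\) resolving "
    r"'(?P<name>[^/']*)/(?P<rtype>[^/']*)/(?P<rclass>[^']*)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)
# "success resolving 'name/type' (in 'zone'?) after disabling EDNS"
EDNS_FALLBACK = re.compile(
    r"success resolving '(?P<name>[^/']+)/(?P<rtype>[^']*)' "
    r"\(in '(?P<zone>[^']*)'\?\) after disabling EDNS"
)

# Constructed sample built from the line formats quoted on this page; the
# last line is a made-up query-log entry that neither pattern should match.
SAMPLE_LOG = """\
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'osnews.com/MX/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'campaignjobs.asia/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.732 lame-servers: info: error (operation canceled) resolving '142.192.186.24.in-addr.arpa/PTR/IN': 8.8.8.8#53
23-May-2012 23:30:12.085 error (operation canceled) resolving 'www.thethreadexchange.com//IN': 192.33.14.30#53
23-May-2012 23:30:12.085 error (operation canceled) resolving 'c2.nstld.net/A/IN': 192.42.93.31#53
success resolving 'malayalam.samachar.com/A' (in '.'?) after disabling EDNS
success resolving 'ns-3.2o7.net/A' (in '.'?) after disabling EDNS
success resolving 'ns-2.2o7.net/A' (in '.'?) after disabling EDNS
10-Jul-2012 11:47:43.000 queries: info: client 10.0.0.5#4242: query: example.com IN A +
"""


def triage(log_text: str) -> dict:
    canceled_by_server: Counter = Counter()
    canceled_by_rtype: Counter = Counter()
    edns_by_zone: Counter = Counter()
    edns_names = set()
    unmatched = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = CANCELED.search(line)
        if m:
            canceled_by_server[m.group("server")] += 1
            canceled_by_rtype[m.group("rtype") or "(empty)"] += 1
            continue
        m = EDNS_FALLBACK.search(line)
        if m:
            edns_by_zone[m.group("zone")] += 1
            edns_names.add(m.group("name"))
            continue
        unmatched += 1
    total_canceled = sum(canceled_by_server.values())
    top_server, top_count = (canceled_by_server.most_common(1) or [(None, 0)])[0]
    return {
        "canceled_total": total_canceled,
        "canceled_by_server": dict(canceled_by_server),
        "canceled_by_rtype": dict(canceled_by_rtype),
        # Share of cancellations hitting the single busiest upstream; close to
        # 1.0 means one forwarder (or the path to it) is the place to start.
        "top_server": top_server,
        "top_server_share": top_count / total_canceled if total_canceled else 0.0,
        "edns_fallbacks": sum(edns_by_zone.values()),
        "edns_fallback_names": sorted(edns_names),
        "edns_by_zone": dict(edns_by_zone),
        "unmatched_lines": unmatched,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it over named.run (or the lame-servers and edns-disabled channel files) after a load test; the per-server table directly answers the question raised in the 2012-07-11 replies, whether the cancellations are all against the Google forwarder, which is what rate limiting by a single upstream looks like, or are spread across authoritative servers, which points at the resolver host or its network instead.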