Re: record PTR
181.242.197.in-addr.arpa. 3600 IN NS douala0.orange.cm.
181.242.197.in-addr.arpa. 3600 IN NS nsbangui.orangerca.com.
181.242.197.in-addr.arpa. 3600 IN NS yaounde0.orange.cm.

The in-addr currently points to the DNS servers above. Those would need to be changed to your servers or the owners of those servers would need to add the PTR records.

On Thu, Mar 14, 2024, 8:19 AM wrote:
> Thank you for your response.
>
> In my case, I have added a PTR record for mail.sami.tn pointing to 197.242.181.69, but it is still not visible from the outside. However, when I test 'dig @0 -x 197.242.181.69', it works. Do I need to request a delegation of 197.242.181.69 to the name servers ns1.sami.tn?
>
> *From:* Ben Croswell
> *Sent:* Thursday, 14 March 2024 13:10
> *To:* RAHAL Sami SOFRECOM ; ML BIND Users <bind-users@lists.isc.org>
> *Subject:* Re: record PTR
>
> The in-addr.arpa domain for your IP space will need to be delegated to your DNS servers. That generally happens at the entity that assigned the block. For instance ARIN, RIPE, or APNIC.
>
> On Thu, Mar 14, 2024, 8:06 AM wrote:
> > Hello, please, I want to know if I need to delegate a range of IP addresses to my authoritative DNS server with my registrar before creating a PTR record or not. In other words, if I want to create a PTR record on my authoritative server (ns1.mydomain.com) for mail.mydomain.com pointing to 41.226.22.50, should the range 41.226.22.0/24 be delegated to my authoritative DNS server ns1.mydomain.com?
> >
> > Regards Sami
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
Re: record PTR
The in-addr.arpa domain for your IP space will need to be delegated to your DNS servers. That generally happens at the entity that assigned the block. For instance ARIN, RIPE, or APNIC.

On Thu, Mar 14, 2024, 8:06 AM wrote:
> Hello, please, I want to know if I need to delegate a range of IP addresses to my authoritative DNS server with my registrar before creating a PTR record or not. In other words, if I want to create a PTR record on my authoritative server (ns1.mydomain.com) for mail.mydomain.com pointing to 41.226.22.50, should the range 41.226.22.0/24 be delegated to my authoritative DNS server ns1.mydomain.com?
>
> Regards Sami
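The two replies above come down to one check: which reverse zone encloses the address, and who holds its delegation. The following is an added example (not code from the thread or from BIND) that works that out offline; the delegation table is constructed from the NS records quoted in the thread, and ns1.sami.tn is the poster's server. A live check would query the in-addr.arpa tree with dig instead of reading a dictionary.

```python
"""Where does a PTR have to live to be visible from the outside?

Added example, not code from the thread. Reverse lookups walk the
in-addr.arpa tree, so a PTR published on ns1.sami.tn is only reachable if
the enclosing reverse zone is delegated there. DELEGATIONS is constructed
from the NS records quoted in the thread.
"""
import ipaddress

# Constructed from the thread: the /24 covering 197.242.181.69 is delegated
# to Orange's servers, not to the poster's ns1.sami.tn.
DELEGATIONS = {
    "181.242.197.in-addr.arpa": [
        "douala0.orange.cm",
        "nsbangui.orangerca.com",
        "yaounde0.orange.cm",
    ],
}


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer


def enclosing_zones(ip):
    """Reverse zones that could hold the PTR, most specific first
    (/24, /16, /8 for IPv4; one zone per nibble boundary for IPv6)."""
    labels = reverse_name(ip).split(".")
    suffix = 2  # "in-addr.arpa" or "ip6.arpa"
    return [".".join(labels[cut:]) for cut in range(1, len(labels) - suffix)]


def find_delegation(ip, delegations=DELEGATIONS):
    """Closest enclosing zone that is delegated, with its NS set."""
    for zone in enclosing_zones(ip):
        if zone in delegations:
            return zone, list(delegations[zone])
    return None, []


def ptr_visible_externally(ip, my_nameservers, delegations=DELEGATIONS):
    """Return (visible, reason). A PTR answered by 'dig @localhost -x' proves
    only that the local zone is loaded; the world follows the delegation."""
    mine = {n.rstrip(".").lower() for n in my_nameservers}
    zone, ns = find_delegation(ip, delegations)
    if zone is None:
        return False, (f"no delegation found for {reverse_name(ip)}; the RIR "
                       f"or ISP that assigned the block has to delegate it")
    if any(n.rstrip(".").lower() in mine for n in ns):
        return True, f"{zone} is delegated to your servers; publish the PTR there"
    return False, (f"{zone} is delegated to {', '.join(ns)}; either get that "
                   f"delegation changed to {', '.join(sorted(mine))} or ask "
                   f"their operator to add the PTR")


if __name__ == "__main__":
    # 41.226.22.50 is the hypothetical address from the first post; it is
    # absent from the constructed table, so it reports "no delegation found".
    for ip in ("197.242.181.69", "41.226.22.50"):
        ok, why = ptr_visible_externally(ip, ["ns1.sami.tn"])
        print(f"{ip}: {'visible' if ok else 'NOT visible'} - {why}")
```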
Recursive client query rate-limiting
Hi,

Is there a BIND configuration option that would limit the number of recursive client buffers/structures that any single client can consume on a BIND server at a time? I.e., any single client could only consume (say) 10 recursive client buffers at a time, and if the client sends another (unique) recursive query while it is already consuming 10 recursive client buffers, the server would drop the new request (or send a SERVFAIL response).

I know about the Recursive Client Rate Limiting (fetches-per-server, fetches-per-zone) and clients-per-query; those aren't what I'm asking about.

Thanks,
.Ben Bridges.
RE: Bind 9.16.1 crash
When you say “ISC packages”, are you referring to the packages in the ppa:isc/bind repository on launchpad?

Ben Bridges

From: Ondřej Surý
Sent: Thursday, December 8, 2022 12:26 AM
To: Ben Bridges
Cc: Emmanuel Fusté ; bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash

In fact, it’s as far from being “fully patched” as possible. Not all bugs are security bugs and not all crashes are security bugs. Ubuntu is pushing a version that has received most refactoring in the networking code in the recent history. The “we don’t update upstream version” policy works well only if you carefully pick the upstream version. Instead this is a snapshot of Debian at a random point in time and this is the unfortunate result. I’ve negotiated the exception for Debian to carry the latest upstream release for a good reason. You are going to do so much better by using ISC packages. And my general recommendation would be to go straight to latest 9.18.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

On 8. 12. 2022, at 1:03, Ben Bridges wrote:

According to the Ubuntu maintainers, the bind9 package on our server (1:9.16.1-0ubuntu2.11) is fully patched for all the BIND 9 CVEs including the latest batch of 6 released on 2022-09-21 (CVE-2022-38178, CVE-2022-38177, CVE-2022-3080, CVE-2022-2906, CVE-2022-2881, and CVE-2022-2795).

From: Emmanuel Fusté
Sent: Wednesday, December 7, 2022 4:22 PM
To: Ben Bridges ; bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash

Current ESV : 9.16.35
No, your release is not patched. Add the ISC PPA repo and install the latest ESV. ISC PPA packages are packaged by the same maintainers.

On Wed, 7 Dec 2022, 23:02, Ben Bridges <bbrid...@springnet.net> wrote:

Ubuntu 20.04.5 is LTS and BIND 9.16 is the current stable ESV release, so they’re both still fully supported (and fully patched).

Thanks,
Ben Bridges

From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of John Thurston
Sent: Wednesday, December 7, 2022 2:32 PM
To: bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash

To me, the next step is to get your instance of BIND somewhat up to date. I'm not a "gotta be on the bleeding edge" kinda guy, but running a version released in first quarter of 2020 is old even by my standards. Is there some business reason to keep running a +2 year old version of BIND?
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska

On 12/7/2022 10:32 AM, Ben Bridges wrote:

The BIND version is 9.16.1 running on a fully patched Ubuntu 20.04.5 server.

Sales 417.575.7000 | Support 417.874.8000 | springnet.net
RE: Bind 9.16.1 crash
It looks like that issue was occurring in a different part of the netmgr code and was fixed 8 months ago.

Thanks,
Ben Bridges

From: bind-users On Behalf Of Andrew Latham
Sent: Wednesday, December 7, 2022 2:35 PM
Cc: bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash

I see https://gitlab.isc.org/isc-projects/bind9/-/issues/3020 and https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5998 which might help. I did not see a CVE but only did a quick search.

On Wed, Dec 7, 2022 at 12:33 PM Ben Bridges <bbrid...@springnet.net> wrote:

Greetings. This morning one of our BIND daemons crashed. The following messages were logged in named.run at the time:

07-Dec-2022 11:58:37.097 general: critical: netmgr.c:687: REQUIRE((__builtin_expect(!!((sock) != ((void *)0)), 1) && __builtin_expect(!!(((const isc__magic_t *)(sock))->magic == ((('N') << 24 | ('M') << 16 | ('S') << 8 | ('K', 1))) failed, back trace
07-Dec-2022 11:58:37.097 general: critical: #0 0x56508c798e43 in ??
07-Dec-2022 11:58:37.097 general: critical: #1 0x7fa72e881ac0 in ??
07-Dec-2022 11:58:37.097 general: critical: #2 0x7fa72e89978a in ??
07-Dec-2022 11:58:37.097 general: critical: #3 0x7fa72e89a240 in ??
07-Dec-2022 11:58:37.097 general: critical: #4 0x7fa72e89e18b in ??
07-Dec-2022 11:58:37.097 general: critical: #5 0x7fa72eb67707 in ??
07-Dec-2022 11:58:37.097 general: critical: #6 0x7fa72eb68fe9 in ??
07-Dec-2022 11:58:37.097 general: critical: #7 0x7fa72eb779b0 in ??
07-Dec-2022 11:58:37.097 general: critical: #8 0x7fa72eb7f9a7 in ??
07-Dec-2022 11:58:37.097 general: critical: #9 0x7fa72eb8116e in ??
07-Dec-2022 11:58:37.097 general: critical: #10 0x7fa72eb816cd in ??
07-Dec-2022 11:58:37.097 general: critical: #11 0x7fa72eb823c9 in ??
07-Dec-2022 11:58:37.097 general: critical: #12 0x7fa72eb884c6 in ??
07-Dec-2022 11:58:37.097 general: critical: #13 0x7fa72e8a8fa1 in ??
07-Dec-2022 11:58:37.097 general: critical: #14 0x7fa72e370609 in ??
07-Dec-2022 11:58:37.097 general: critical: #15 0x7fa72e28f133 in ??
07-Dec-2022 11:58:37.097 general: critical: exiting (due to assertion failure)

I did some googling and was unable to find this specific "netmgr.c:687" message. Is this assertion failure due to a known CVE (perhaps recently discovered and not yet patched)? We've had no issues with this server up to this point. The BIND version is 9.16.1 running on a fully patched Ubuntu 20.04.5 server. This server does nothing other than run BIND.

Any assistance determining what happened and how to prevent it from happening again would be much appreciated. If this is not the proper forum for this posting, please point me in the right direction.

Thanks,
Ben Bridges
RE: Bind 9.16.1 crash
According to the Ubuntu maintainers, the bind9 package on our server (1:9.16.1-0ubuntu2.11) is fully patched for all the BIND 9 CVEs including the latest batch of 6 released on 2022-09-21 (CVE-2022-38178, CVE-2022-38177, CVE-2022-3080, CVE-2022-2906, CVE-2022-2881, and CVE-2022-2795).

From: Emmanuel Fusté
Sent: Wednesday, December 7, 2022 4:22 PM
To: Ben Bridges ; bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash

Current ESV : 9.16.35
No, your release is not patched. Add the ISC PPA repo and install the latest ESV. ISC PPA packages are packaged by the same maintainers.

On Wed, 7 Dec 2022, 23:02, Ben Bridges <bbrid...@springnet.net> wrote:

Ubuntu 20.04.5 is LTS and BIND 9.16 is the current stable ESV release, so they're both still fully supported (and fully patched).

Thanks,
Ben Bridges

From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of John Thurston
Sent: Wednesday, December 7, 2022 2:32 PM
To: bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash

To me, the next step is to get your instance of BIND somewhat up to date. I'm not a "gotta be on the bleeding edge" kinda guy, but running a version released in first quarter of 2020 is old even by my standards. Is there some business reason to keep running a +2 year old version of BIND?
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska

On 12/7/2022 10:32 AM, Ben Bridges wrote:

The BIND version is 9.16.1 running on a fully patched Ubuntu 20.04.5 server.
RE: Bind 9.16.1 crash
Ubuntu 20.04.5 is LTS and BIND 9.16 is the current stable ESV release, so they’re both still fully supported (and fully patched).

Thanks,
Ben Bridges

From: bind-users On Behalf Of John Thurston
Sent: Wednesday, December 7, 2022 2:32 PM
To: bind-users@lists.isc.org
Subject: Re: Bind 9.16.1 crash

To me, the next step is to get your instance of BIND somewhat up to date. I'm not a "gotta be on the bleeding edge" kinda guy, but running a version released in first quarter of 2020 is old even by my standards. Is there some business reason to keep running a +2 year old version of BIND?
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska

On 12/7/2022 10:32 AM, Ben Bridges wrote:

The BIND version is 9.16.1 running on a fully patched Ubuntu 20.04.5 server.
Bind 9.16.1 crash
Greetings. This morning one of our BIND daemons crashed. The following messages were logged in named.run at the time:

07-Dec-2022 11:58:37.097 general: critical: netmgr.c:687: REQUIRE((__builtin_expect(!!((sock) != ((void *)0)), 1) && __builtin_expect(!!(((const isc__magic_t *)(sock))->magic == ((('N') << 24 | ('M') << 16 | ('S') << 8 | ('K', 1))) failed, back trace
07-Dec-2022 11:58:37.097 general: critical: #0 0x56508c798e43 in ??
07-Dec-2022 11:58:37.097 general: critical: #1 0x7fa72e881ac0 in ??
07-Dec-2022 11:58:37.097 general: critical: #2 0x7fa72e89978a in ??
07-Dec-2022 11:58:37.097 general: critical: #3 0x7fa72e89a240 in ??
07-Dec-2022 11:58:37.097 general: critical: #4 0x7fa72e89e18b in ??
07-Dec-2022 11:58:37.097 general: critical: #5 0x7fa72eb67707 in ??
07-Dec-2022 11:58:37.097 general: critical: #6 0x7fa72eb68fe9 in ??
07-Dec-2022 11:58:37.097 general: critical: #7 0x7fa72eb779b0 in ??
07-Dec-2022 11:58:37.097 general: critical: #8 0x7fa72eb7f9a7 in ??
07-Dec-2022 11:58:37.097 general: critical: #9 0x7fa72eb8116e in ??
07-Dec-2022 11:58:37.097 general: critical: #10 0x7fa72eb816cd in ??
07-Dec-2022 11:58:37.097 general: critical: #11 0x7fa72eb823c9 in ??
07-Dec-2022 11:58:37.097 general: critical: #12 0x7fa72eb884c6 in ??
07-Dec-2022 11:58:37.097 general: critical: #13 0x7fa72e8a8fa1 in ??
07-Dec-2022 11:58:37.097 general: critical: #14 0x7fa72e370609 in ??
07-Dec-2022 11:58:37.097 general: critical: #15 0x7fa72e28f133 in ??
07-Dec-2022 11:58:37.097 general: critical: exiting (due to assertion failure)

I did some googling and was unable to find this specific "netmgr.c:687" message. Is this assertion failure due to a known CVE (perhaps recently discovered and not yet patched)? We've had no issues with this server up to this point. The BIND version is 9.16.1 running on a fully patched Ubuntu 20.04.5 server. This server does nothing other than run BIND.

Any assistance determining what happened and how to prevent it from happening again would be much appreciated. If this is not the proper forum for this posting, please point me in the right direction.

Thanks,
Ben Bridges
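Two things a defender wants from this thread in automated form: spotting an assertion-failure crash in named's log (with its file:line and whether the back trace has any symbols), and telling the upstream BIND release apart from the distro package revision, which is the point the replies make about "fully patched". The following is an added example, not code from the thread or from ISC; the log sample is abbreviated from the post (three of the sixteen frames kept, one ordinary startup line added) and the version strings are the ones quoted in the thread.

```python
"""Flag BIND assertion-failure crashes in named logs and compare the running
package with the ESV quoted in the thread.

Added example, not from the thread. SAMPLE_LOG is abbreviated from the post;
"1:9.16.1-0ubuntu2.11" and "9.16.35" are the versions quoted in the thread.
"""
import re

SAMPLE_LOG = """\
07-Dec-2022 11:50:00.000 general: notice: running
07-Dec-2022 11:58:37.097 general: critical: netmgr.c:687: REQUIRE((__builtin_expect(!!((sock) != ((void *)0)), 1) && __builtin_expect(!!(((const isc__magic_t *)(sock))->magic == ((('N') << 24 | ('M') << 16 | ('S') << 8 | ('K', 1))) failed, back trace
07-Dec-2022 11:58:37.097 general: critical: #0 0x56508c798e43 in ??
07-Dec-2022 11:58:37.097 general: critical: #1 0x7fa72e881ac0 in ??
07-Dec-2022 11:58:37.097 general: critical: #2 0x7fa72e89978a in ??
07-Dec-2022 11:58:37.097 general: critical: exiting (due to assertion failure)
"""

# named log line: "<date> <time> <category>: <severity>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<cat>[\w-]+): (?P<sev>\w+): (?P<msg>.*)$")
# "<file>:<line>: REQUIRE(<expr>) failed, back trace"
ASSERT_RE = re.compile(
    r"^(?P<file>[\w./-]+):(?P<line>\d+): "
    r"(?P<check>REQUIRE|INSIST|ENSURE|INVARIANT)\((?P<expr>.*)\) failed")
FRAME_RE = re.compile(r"^#(?P<n>\d+) (?P<addr>0x[0-9a-f]+) in (?P<sym>.*)$")


def parse_crashes(log_text):
    """Group each assertion line with its back-trace frames and exit line."""
    crashes, current = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        a = ASSERT_RE.match(msg)
        if a:
            current = {"time": m["ts"], "file": a["file"], "line": int(a["line"]),
                       "check": a["check"], "expr": a["expr"], "frames": [],
                       "exited": False}
            crashes.append(current)
        elif current is not None:
            f = FRAME_RE.match(msg)
            if f:
                current["frames"].append((int(f["n"]), f["addr"], f["sym"]))
            elif msg.startswith("exiting (due to assertion failure)"):
                current["exited"] = True
                current = None
    return crashes


def has_symbols(crash):
    """'??' frames carry no symbol names, so the trace alone is hard to match
    against a known issue; a symbolized trace or a core file is what you want."""
    return any(sym != "??" for _, _, sym in crash["frames"])


def upstream_version(pkg_version):
    """Strip a Debian/Ubuntu epoch and revision: '1:9.16.1-0ubuntu2.11' ->
    (9, 16, 1). The distro revision says nothing about the upstream release."""
    core = pkg_version.split(":", 1)[-1].split("-", 1)[0]
    return tuple(int(p) for p in core.split(".")[:3])


def behind_esv(pkg_version, esv="9.16.35"):
    """True if the package's upstream release is older than the ESV
    (default is the one quoted in the thread; pass the current one)."""
    return upstream_version(pkg_version) < upstream_version(esv)


if __name__ == "__main__":
    for c in parse_crashes(SAMPLE_LOG):
        print(f"{c['time']} {c['check']} failed at {c['file']}:{c['line']}, "
              f"{len(c['frames'])} frames, symbols={has_symbols(c)}, "
              f"exited={c['exited']}")
    print("package behind ESV:", behind_esv("1:9.16.1-0ubuntu2.11"))
```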
Re: AXFR from Windows 2008R2 failing after upgrading to 9.18
Any logs?

Regards
Ben Lavender

On Mon, 23 May 2022, 21:52 Lefteris Tsintjelis via bind-users, <bind-users@lists.isc.org> wrote:
> I must be missing something. Any ideas why it fails? Everything seems normal. Works well with Windows 2016. Downgrading to 9.16 works again.
Re: Determining Which Authoritative Sever to Use
I will say edge DNS servers reduce client config complexity, even if you have DHCP, and increase resiliency of the initial resolver. Where it's true with DHCP you can change the DHCP server options, it doesn't help if someone just got a 4 day lease and then the DNS server dies.

Additionally the abstraction layer makes patching and decom of DNS servers much easier. No config to change, just kill the box.

Perhaps this is less of a concern if you are running a smaller environment, but when you are running 400 to 500 servers in a variety of roles globally it becomes a valuable resource.

On Tue, May 10, 2022, 5:49 PM Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 5/8/22 5:58 AM, Tony Finch wrote:
> > Regarding anycast, it isn't necessary for internal authoritative servers unless your organization is really huge (and probably not even then): it is simpler to just use the DNS's standard reliability features. All you need to do is have more than one authoritative server for each zone.
>
> I don't know if it's a requirement for the OP or not, but Windows used to reach out to the MName server to perform dynamic updates. So there might be some merit to the name of the MName server to be a pseudo name that resolves to an anycasted address, thus clients try to perform the dynamic update to the closest instance of the anycast / (pseudo) MName server.
>
> Aside: Years ago, BIND secondaries would happily forward such dynamic updates to the real primary MName server.
>
> Further aside: The last time I looked, MS-DNS ADI zones would forge the local server's name as the MName to cause this type of client redirection.
>
> > On the other hand, anycast is a good way to improve the availability and maintainability of your resolvers, because your users' devices talk directly to them, and if they don't work there might as well not be an Internet connection.
>
> I agree that anycasted service points make administration somewhat simpler. However I do question the /need/ for such flexibility when things like DHCP are likely used for client configuration and can therefore manage most things automatically.
>
> --
> Grant. . . .
> unix || die
Re: Determining Which Authoritative Sever to Use (Bob McDonald)
On the closest server question, it will prefer the closest but a certain percentage will go to servers further away. Additionally, depending on the version of BIND and the distance, it could lead to the servers further away taking more traffic in high QPS situations. If you are getting high QPS you could fire off a large amount of queries to the "slower" server before it responds and resets its SRTT. I believe newer BIND versions have moved away from a static decrement value and have fixed the issue, but even with fixes some queries will go out of region.

On Sun, May 8, 2022, 12:47 PM Bob McDonald wrote:
> Thanks for the answers. A couple more questions and then I'll stand down.
>
> First, it's Ben Croswell. Just pointing that out.
>
> Second, my reading of the definition of a static-stub zone in the Bvarm indicates that its use is to allow a local copy of the NS list which may differ from the primary zone. I'm not sure that's what I'm looking for. I think I'm ok with the NS list from the primary zone. Let me take another swing and try to be a bit more pedantic to see if that helps.
>
> I wish to define a global internal DNS environment.
>
> At the level closest to the client would be a global network of recursive DNS servers which would handle all internal and external DNS requests. The internal DNS zones would be housed on a global network of authoritative only DNS servers. The NS list for the internal DNS zones on these authoritative only servers would be known to the recursive servers via stub zones. My question is, if a client in Mumbai submits a DNS request to his local recursive server for an internal authoritative only zone defined by a stub zone statement, which authoritative only server does the recursive server pick from the NS list and will that eventually be the "closest" server. I'm assuming a global distribution of the authoritative servers. E.g. Hong Kong, London, US East, US West, South Amer, etc. The use of the stub zones in this case is to eliminate the need for an internal root. I want to avoid lookups for example from clients in Asia being sent to authoritative only servers in South Amer.
>
> Bob
Re: Determining Which Authoritative Sever to Use
I would concur that internally Anycast is best for client facing edge nodes to reduce client configuration complexity as well as reducing the impact of a first resolver outage.

On Sun, May 8, 2022, 7:59 AM Tony Finch wrote:
> Bob McDonald wrote:
> >
> > My question is this; how do the recursive servers determine from the information in the stub zone which name server to query?
>
> As well as what Bob Croswell said about SRTT (which is entirely correct), there's a subtlety with stub zones in particular.
>
> A stub zone works a bit like the root zone hints, in that the name servers that you configure are just used to find the zone's NS records. This means that stub zones don't override where queries are routed for these zones. If you want your resolver to ignore the NS records on your internal zones, you should use static-stub instead.
>
> Regarding anycast, it isn't necessary for internal authoritative servers unless your organization is really huge (and probably not even then): it is simpler to just use the DNS's standard reliability features. All you need to do is have more than one authoritative server for each zone.
>
> On the other hand, anycast is a good way to improve the availability and maintainability of your resolvers, because your users' devices talk directly to them, and if they don't work there might as well not be an Internet connection.
>
> --
> Tony Finch (he/they) Cambridge, England
> Selsey Bill to Lyme Regis: East or southeast, veering south later, 2 to 4. Smooth or slight, occasionally moderate for a time offshore. Fair. Good.
Re: Determining Which Authoritative Server to Use
I can't speak definitively for stub zones, but I would assume it works the same as NS delegations or forwarding. A DNS server maintains a listing of smoothed round trip times (SRTT) for each potential destination. It uses the SRTT with the lowest value, and after each successful response all of the SRTTs with a higher value are decremented. This is the self-healing mechanism. Eventually a higher value will be reduced far enough so it is the lowest and it will be used and readjusted. The readjusting will likely make it higher and it would go back to the original server. This is a long-winded way of saying all of the servers in the list will take a certain percentage of the overall query volume.

On Sat, May 7, 2022 at 10:20 AM Bob McDonald wrote:

> Forgive my ignorance if this is a trivial question.
>
> Supposing I have an internal IP network (rfc1918) where there are local
> caching servers (recursive) which clients connect to and scattered around
> are several authoritative servers which provide answers for internal only
> zones. Those internal only zones are defined on the caching servers via
> stub zones.
>
> My question is this; how do the recursive servers determine from
> the information in the stub zone which name server to query? And, is that
> the closest (network wise)? Do I need to put anycast into the mix?
>
> TTFN,
>
> Bob

--
-Ben Croswell
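The selection rule described in the reply above (lowest smoothed round-trip time wins, and every slower entry is decremented after each successful answer) can be watched in a small simulation. This is an added example, not code from the thread or from BIND itself; the per-server latencies, the smoothing weight and the decay factor are constructed values chosen to make the behaviour visible, and BIND's own implementation details are not reproduced here.

```python
"""Toy model of SRTT-based name server selection.

Added example (not from the thread, not BIND's code). It applies the rule
described in the reply: query the server with the lowest smoothed RTT, and
after each successful answer decay every SRTT that is higher than the
responding server's, so slower servers are eventually retried and every
server in the list ends up taking a share of the queries.
"""
from typing import Dict


class SrttSelector:
    """Pick among candidate servers by lowest smoothed round-trip time."""

    def __init__(self, servers, alpha: float = 0.3, decay: float = 0.98):
        # Unknown SRTT starts at 0.0, so every server is tried once early on.
        self.srtt: Dict[str, float] = {s: 0.0 for s in servers}
        self.alpha = alpha   # weight of the newest measurement (assumed value)
        self.decay = decay   # multiplicative decrement for slower servers (assumed value)

    def choose(self) -> str:
        # Lowest SRTT wins; the name breaks ties so the run is deterministic.
        return min(self.srtt, key=lambda s: (self.srtt[s], s))

    def record_success(self, server: str, rtt_ms: float) -> None:
        old = self.srtt[server]
        # First measurement replaces the placeholder; later ones are smoothed.
        new = rtt_ms if old == 0.0 else (1 - self.alpha) * old + self.alpha * rtt_ms
        self.srtt[server] = new
        # "Self-healing": every server that currently looks slower is
        # decremented, so it is retried eventually instead of being forgotten.
        for other, value in self.srtt.items():
            if other != server and value > new:
                self.srtt[other] = value * self.decay


def simulate(latency_ms: Dict[str, float], queries: int) -> Dict[str, int]:
    """Run `queries` lookups against servers with fixed latencies; return per-server query counts."""
    selector = SrttSelector(latency_ms)
    counts = {s: 0 for s in latency_ms}
    for _ in range(queries):
        server = selector.choose()
        counts[server] += 1
        selector.record_success(server, latency_ms[server])
    return counts


if __name__ == "__main__":
    # Constructed latencies: one fast server, one medium, one slow.
    print(simulate({"ns-fast": 10.0, "ns-mid": 30.0, "ns-slow": 100.0}, 1000))
```

With those constructed latencies the fast server takes most of the traffic, but the medium and slow servers each keep getting a trickle of queries as their decayed SRTT drops below the leader's, which is the "certain percentage of the overall query volume" the reply describes.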
Re: Forwarding zone, setup
Are you loading the parent domain and trying to zone forward a child domain on the same DNS server? I.e. loading somedomain.local and trying to forward ab.somedomain.local.

If so, an NS delegation is required in every instance I have done in my environment. The NS doesn't need to be "right" but it needs to exist. I don't know the internal BIND logic for that but I have always taken it as "I load the parent and I know the child doesn't exist because there isn't a delegation to make it exist so why would I forward something that doesn't exist".

On Tue, Mar 1, 2022, 1:18 PM Gregory Sloop wrote:

> Static-stub fixes the issue.
>
> Any idea why static-stub works when forwarder doesn't?
>
> (Again, the server is using recursion. Dig queries return the RA flag, so
> I know it's actually offering recursion in reality.)
>
> I can live with static-stub just fine, since it works - but I'd really love
> to understand why forwarder didn't - just so I can avoid getting bitten by
> it in some other situation.
>
> Thanks Andrej!
> -Greg
>
> > Is static-stub something you are looking for?
> >
> > Reference documentation:
> > https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types
> >
> > And in human terms:
> > https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/
> >
> > Ondrej
> > --
> > Ondřej Surý (He/Him)
> > ond...@isc.org
> >
> > My working hours and your working hours may be different. Please do not
> > feel obligated to reply outside your normal working hours.
> >
> > On 28. 2. 2022, at 21:47, Gregory Sloop wrote:
> >
> > > So, I want to forward all queries for
> > > *.ab.somedomain.local to some other internal DNS servers.
> > > (Records in *.ab.somedomain.local actually are our active domain servers)
> > >
> > > (Yes, I know .local is reserved now, but we've been using it a long time
> > > and changing would be rather painful. Unless there's some horrible
> > > consequences, I think we'll just continue for now. We won't ever use mDNS.)
> > >
> > > zone "ab.somedomain.local" {
> > >     type forward;
> > >     forward only;
> > >     forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
> > > };
> > >
> > > But this doesn't appear to do what I want.
> > >
> > > If I add the above to my regular BIND servers configuration, it doesn't
> > > return results like it's forwarding them. (I get NXDOMAIN for
> > > abc.ab.somedomain.local.)
> > >
> > > If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I
> > > get a proper result. (force dig to use the AD name servers directly,
> > > instead of relying on the forward.)
> > >
> > > (And yes the resolv.conf file has the ip addresses of the main internal
> > > BIND servers in it, and those only.)
> > >
> > > I've looked and while I think I'm doing it right, I'm not entirely sure.
> > > I figured before I beat my head against the wall for too long, I'd ask the
> > > real experts! :)
BIND OS tuning
Does BIND take advantage of net.core.rmem_max on Linux boxes? If I set the rmem_max to 12.5mb but leave the rmem_default as the OS default, will I see a benefit on a high QPS DNS server? Or does BIND look to the rmem_default and ignore the rmem_max?

--
-Ben Croswell
Re: Do not cache certain domains
Thanks, yes the second is actually the aim. We don't have secondaries since we use ADDS and BIND simply acts as a recursive service for the other internal domains.

On 10/09/2020 16:01, Carl Byington wrote:

> On Thu, 2020-09-10 at 15:35 +0100, Ben Lavender wrote:
> > Anyone think they may know the answer to this?
>
> With the cooperation of the "certain domains" master servers, just slave
> the zones. The masters should be configured to send you notify messages on
> zone changes, so you always have the current authoritative contents.
>
> Of course, if you are trying to avoid caching google.com, that won't work.
Re: Do not cache certain domains
Anyone think they may know the answer to this?

Thanks
Ben

On 07/09/2020 23:00, Ben Lavender wrote:

> Hi,
>
> Without having to alter the TTL of the existing RRs as well as the default
> TTL. I know this can be done using cache-max-ttl to limit the whole cache,
> but can this be done for say one single or multiple defined domains only?
>
> Thanks
Do not cache certain domains
Hi,

Without having to alter the TTL of the existing RRs as well as the default TTL. I know this can be done using cache-max-ttl to limit the whole cache, but can this be done for say one single or multiple defined domains only?

Thanks
Re: CNAME / TXT
If you uncomment that mg CNAME you end up with a CNAME, MX and TXT at the same node in the DNS tree and that is illegal. That is why you get the error "cname and other data". The MX and TXT are the other data.

On Sat, Aug 22, 2020, 8:19 PM Jukka Pakkanen wrote:

> Cannot figure out what is wrong here… must be something simple but after
> sitting in airplanes the last 40 hours and it's 2am…
>
> Only when I comment out the two lines in the end of the named.harriot, it
> goes through and BIND loads the zone. With those two lines, I get the
> following:
>
> C:\DNS\etc\namedb>named-checkzone harriot.fi named.harriot
> dns_master_load: named.harriot:33: mg.harriot.fi: CNAME and other data
> dns_rdata_fromtext: named.harriot:35: syntax error
> zone harriot.fi/IN: loading from master file named.harriot failed: CNAME and other data
> zone harriot.fi/IN: not loaded due to errors.
>
> ;
> ;File: named.harriot
> ;
>
> $TTL 864
>
> @                   IN SOA ns1.qnet.fi. helpdesk.qnet.fi. (
>                         202008243   ; serial number
>                         28800       ; refresh every 12 hours
>                         7200        ; retry after 2 hours
>                         604800      ; expire after 2 weeks
>                         3600 )      ; default ttl is 2 days
>
> harriot.fi.         IN A     35.214.111.143
>                     IN MX 10 qntsrv8.qnet.fi.
>                     IN MX 10 qntsrv9.qnet.fi.
>                     IN NS    ns1.qnet.fi.
>                     IN NS    ns2.qnet.fi.
>                     IN NS    ns3.qnet.fi.
>                     IN NS    ns1.z.fi.
>                     IN NS    ns2.z.fi.
>
> www                 IN A     35.214.111.143
> api                 IN A     35.214.111.143
> webmail             IN CNAME mail.qnet.fi.
> _autodiscover._tcp  IN SRV   0 5 443 mail.qnet.fi.
>
> dev                 IN A     35.214.111.143
>
> ; mg                IN CNAME eu.mailgun.org.
> mg                  IN MX 10 mxa.eu.mailgun.org.
> mg                  IN MX 10 mxb.eu.mailgun.org.
> mg                  IN TXT   v=spf1 include:eu.mailgun.org ~all
>
> ; smtp_domainkey.mg IN TXT "k=rsa; p=MII-AQAB"
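The "CNAME and other data" rule can be checked before a zone ever reaches named-checkzone. The following is an added example, not code from the thread or from BIND: it parses a simplified master-file syntax (owner, optional TTL, optional class, type, rdata; a blank owner inherits the previous one; parenthesised continuation lines for the SOA) and reports every owner name where a CNAME shares the node with another type. The DNSSEC types that RFC 4035 allows beside a CNAME (RRSIG, NSEC, NSEC3) are exempted. The sample zone is constructed, modelled on the one in the thread but with example names and addresses.

```python
"""Detect "CNAME and other data" at a zone node.

Added example, not from the thread and not BIND's code. The zone text below
is constructed; the parser handles only the subset of master-file syntax
needed for it (comments, $-directives, '(' ... ')' continuations, inherited
owner names, optional TTL/class before the type).
"""
from collections import defaultdict
from typing import Dict, Iterator, List, Set, Tuple

CNAME_COMPATIBLE = {"CNAME", "RRSIG", "NSEC", "NSEC3"}  # may coexist at one node
CLASSES = {"IN", "CH", "HS"}

SAMPLE_ZONE = """\
$TTL 864
@       IN SOA ns1.example.test. hostmaster.example.test. (
            2020082401 ; serial
            28800      ; refresh
            7200       ; retry
            604800     ; expire
            3600 )     ; negative caching TTL
        IN NS   ns1.example.test.
        IN MX 10 mx1.example.test.
www     IN A    192.0.2.10
webmail IN CNAME mail.example.test.
mg      IN CNAME eu.mailgun.example.
mg      IN MX 10 mxa.eu.mailgun.example.
mg      IN TXT  "v=spf1 include:eu.mailgun.example ~all"
"""


def _logical_lines(zone_text: str) -> Iterator[str]:
    """Strip ';' comments and join '(' ... ')' continuations into one line."""
    buf: List[str] = []
    depth = 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # note: ';' inside quotes is not handled
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def records(zone_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (owner, rrtype); a line starting with whitespace inherits the previous owner."""
    owner = None
    for line in _logical_lines(zone_text):
        if line.startswith("$"):          # $TTL, $ORIGIN, ... are directives, not records
            continue
        tokens = line.split()
        if not line[0].isspace():
            owner, tokens = tokens[0], tokens[1:]
        if owner is None:
            raise ValueError("record without an owner name: %r" % line)
        # Optional TTL and class may precede the type, in either order.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        if tokens:
            yield owner.lower(), tokens[0].upper()


def cname_conflicts(zone_text: str) -> Dict[str, Set[str]]:
    """Return {owner: types} for every node holding a CNAME together with other data."""
    by_owner: Dict[str, Set[str]] = defaultdict(set)
    for owner, rtype in records(zone_text):
        by_owner[owner].add(rtype)
    return {
        owner: types
        for owner, types in by_owner.items()
        if "CNAME" in types and (types - CNAME_COMPATIBLE)
    }


if __name__ == "__main__":
    for owner, types in cname_conflicts(SAMPLE_ZONE).items():
        print("%s: CNAME and other data (%s)" % (owner, ", ".join(sorted(types))))
```

Dropping the mg CNAME line (or, as the reply says, moving the mail-related names under a different owner) makes the check pass; the webmail node is fine because a CNAME alone at a node is legal.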
Re:
In this case a zone level forwarder takes priority over the global forwarder. abc.com would go to 1.1.1.1.

On Sat, Jun 27, 2020, 11:44 PM baalchina wrote:

> Hi all,
>
> I had a bind 9.16.4 as recursive name server. I want to forward all
> queries to a specific dns server out of my net such as 8.8.8.8. While I
> have a new domain (such as abc.com) I want to forward to a new dns server
> such as 9.9.9.9.
>
> Here is my named.conf:
>
> options {
>     listen-on port 53 {192.168.1.1;};
>     recursion yes;
>     allow-recursion {any;};
>     forwarders {
>         8.8.8.8;
>     };
> };
>
> zone "abc.com" {
>     type forward;
>     forwarders {1.1.1.1;};
> };
>
> So, in this configuration, will abc.com be forwarded to 8.8.8.8 or
> 1.1.1.1?
>
> Thanks.
>
> --
> from:baalchina
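The precedence rule in the reply above (a `zone ... { type forward; }` statement covers every name at or below that zone and overrides the global `forwarders` in `options`) is a longest-match lookup, which the following added example models. It is not code from the thread or from BIND. It goes slightly beyond the thread in two ways: nested forward zones, where the most specific zone wins, and an empty zone-level `forwarders {};`, which in BIND switches forwarding off for that subtree so those names are resolved by ordinary recursion. It models only this precedence rule, not the interaction with a parent zone loaded on the same server that the "Forwarding zone, setup" thread above discusses. The zone names and addresses are constructed.

```python
"""Which forwarders apply to a query name?

Added example (not from the thread, not BIND's code). It implements the
longest-match precedence between zone-level and global forwarders; the
sample configuration is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed configuration, mirroring the thread: global forwarder in
# options {}, one zone-level override, one nested zone that disables
# forwarding, and an unrelated forward zone.
GLOBAL_FORWARDERS = ["8.8.8.8"]
ZONE_FORWARDERS: Dict[str, List[str]] = {
    "abc.com": ["1.1.1.1"],
    "internal.abc.com": [],                  # forwarders {}; -> recurse instead
    "corp.example": ["10.0.0.1", "10.0.0.2"],
}


def _normalize(name: str) -> str:
    """DNS names are case-insensitive; a trailing dot marks the root and is dropped."""
    return name.rstrip(".").lower()


def _under(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or lies below it (label-wise, not a plain string suffix)."""
    if zone == "":
        return True                           # the root zone covers everything
    return qname == zone or qname.endswith("." + zone)


def select_forwarders(
    qname: str,
    global_forwarders: List[str],
    zone_forwarders: Dict[str, List[str]],
) -> Tuple[Optional[str], List[str]]:
    """Return (matching forward zone or None, forwarder list to use).

    An empty list in the result means "do not forward; resolve by recursion".
    """
    q = _normalize(qname)
    zones = {_normalize(z): list(f) for z, f in zone_forwarders.items()}
    best: Optional[str] = None
    for z in zones:
        # Longest matching zone name is the most specific one.
        if _under(q, z) and (best is None or len(z) > len(best)):
            best = z
    if best is None:
        return None, list(global_forwarders)
    return best, zones[best]


if __name__ == "__main__":
    for name in ("www.abc.com", "abc.com.", "notabc.com", "host.internal.abc.com", "example.org"):
        print(name, "->", select_forwarders(name, GLOBAL_FORWARDERS, ZONE_FORWARDERS))
```

Note the `notabc.com` case: it must fall through to the global forwarders even though `abc.com` is a string suffix of it, which is why the match is done on whole labels.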
Re: [Non-DoD Source] Re: BIND Masters and slaves
Some servers already do

Regards
Ben Lavender

On Mon, 15 Jun 2020, 19:02 DeCaro, James John (Jim) CIV DISA FE (USA) via bind-users, wrote:

> Or you can call the slave servers 'secondary' servers.
>
> V/R
> Jim DeCaro
> DISA
> Systems Administrator
> Windows and Unix Server Operations
> FE222/DoDNet Service Section
> Defense Enclave Services Directorate
> ☎ 301-225-8180
> ☎ 301-375-8180
> james.j.decaro3@mail.mil
> james.j.decaro3@mail.smil.mil
>
> "If you always do what you always did you will always get what you always
> got."
>
> -----Original Message-----
> From: bind-users On Behalf Of Michael De Roover
> Sent: Monday, June 15, 2020 1:32 PM
> To: bind-users@lists.isc.org
> Subject: [Non-DoD Source] Re: BIND Masters and slaves
>
> I concur with this. I'm still fairly new to BIND and DNS myself. I
> maintain 7 name servers (3 internal, 4 external) and master does signify to
> me that this is the server in control of the zone files for the other ones
> in that pool. The slaves are pretty much that to me, they take the zone
> files and apply them while not having any further control over the zone
> files themselves. In my external name servers it also goes paired with
> authority - slave authorities that are authoritative to the internet but
> slaves in that they replicate from an internal master. This is not
> something you'd see in real slavery, signifying that this is mere technical
> jargon. Is it a heavy term? Yes. Should we support "black lives matter" and
> condemn the completely egregious actions committed by the police officers
> towards George Floyd? Absolutely, and I hope that the former officers get
> convicted for not just manslaughter but murder, and that more protests will
> emerge (minus the plundering which was the case here in Brussels).
>
> However, changing a name and going for censorship of technical jargon
> which will only confuse newcomers who will now face duplicate nomenclature
> changes NOTHING. George Floyd wouldn't have been able to survive just
> because we give things a different name. Instead we'd border closer to
> censorship which we had during the wars, and still do in heavily oppressed
> countries like North Korea, China etc. It's ironic that what these people
> are pushing for in practice is exactly the thing they seemingly seek to
> eradicate.
>
> There is another relevant case where GitHub will apparently replace master
> branches in all their repositories. I'm really glad to be unaffected with
> my Gitea server. I may have to adjust my repository mirrors from GitHub
> however. For GitHub users, that change will likely break every one of their
> repositories that defaults to master and require adjustments from GitHub
> users of which many might not even know what branches are. That's the real
> impact of that and I find it deeply worrying.
>
> I do not want such a thing to happen to BIND just to please some people
> with large followings on Twitter who other than that, often have no
> affiliation with the project whatsoever.
>
> On 6/15/20 12:53 AM, Vinícius Ferrão via bind-users wrote:
>
> > ISC had a statement about it a time ago:
> > https://twitter.com/ISCdotORG/status/942815837299253248
> >
> > You can now call primary and secondary zones. But the prevalence
> > of terms are still master and slave. And I really hope this thing of
> > changing nomenclatures doesn't go any further due to political correctness.
> >
> > For the newcomers it's not OK to break years of terms, software
> > and documentation just because some people can't handle terms like master
> > and slave. Slavery still exists today and making the word disappear will
> > not solve the issue.
> >
> > And you're correct about the BDSM thing. It's a waste of time,
> > efforts and lines of code.
>
> --
> Met vriendelijke groet / Best regards,
> Michael De Roover
Re: BIND Masters and slaves
The terminology is fairly misleading, as in the slave is not doing the work on behalf of or at the instruction of the master. But there are ways for the master to influence the slaves, such as "allow-transfer". I don't see the big issue with making a terminology change in this case.

On 15/06/2020 15:38, Tony Finch wrote:

> Vinícius Ferrão via bind-users wrote:
> >
> > But the prevalence of terms are still master and slave. And I really
> > hope this thing of changing nomenclatures doesn't go any further due to
> > political correctness.
>
> "Political correctness" just means being considerate for other people,
> especially people who do not have many of the advantages we might take for
> granted.
>
> In any case, master/slave is bad terminology because it is actively
> misleading. It suggests that zone transfers to downstream servers are under
> the control of the upstream servers, which is definitely not the case. And
> it suggests a binary categorization of servers which is also wrong, because
> zone transfers often form a multi-level cascade between servers that
> perform several different functions.
>
> It's better to talk about update servers, signing servers, zone transfer
> servers, public or private or stealth authoritative servers. For zone
> transfers it's better to talk about which servers are upstream and
> downstream of each other in the distribution network.
>
> You should find that your writing is easier to understand, both for
> experts and non-experts, if you don't use the bad old terminology.
>
> Tony.
Re: bind DoH ANd DoT Implementation
They go over this in the YT video https://www.youtube.com/watch?v=eRbAigV2byE

It might not give you a total insight on how to configure it step-by-step, but enough.

On 08/06/2020 06:13, ShubhamGoyal wrote:

> Dear all,
>
> I want to ask about bind DoH Implementation by proxy server. Is there any
> Documentation of DoH Implementation, or any other method to implement DoH
> and DoT.
>
> Best Regards,
> Shubham Goyal
> Cyber Security Group
> Centre for Development of Advanced Computing
> Bangalore
Re: Static-stub server-addresses re-order
Don't suppose anyone knows this do they?

Thanks

On Wed, 19 Jun 2019, 16:21 Ben Lavender, wrote:

> Hello,
>
> Quick question, if we have a number of these IPs that do not reply
> (timeout), would BIND re-order these like it would with forwarder IPs? Or
> would it fail if it used one that didn't reply?
>
> Thanks
>
> Regards
>
> Ben Lavender
Re: Question about at zone transfer behaviour on slave
You are looking for the refresh timer in the SOA if you mean the timer for a slave to check the serial with the master.

On Wed, Jun 5, 2019, 10:09 PM Techs-yama wrote:

> Hi all,
>
> Have a question about zone transfer behaviour on slave server.
>
> In case of slave zone configure and restarting named on slave server,
> After the named restart, It looks like starting polling to the master
> server for zone transfer by slave server.
> How many seconds polling interval on this timer?
> And can I change interval value to configure it?
>
> Thanks and regards.
Re: Change DNS records automatically when a link is DOWN
If you can craft the monitor for the link it could call nsupdate to make the change.

On Wed, Jun 5, 2019, 11:16 AM Roberto Carna wrote:

> Dear people, I have two sites:
>
> - Main site with an Internet link and two BIND services (DNS1 and DNS2) and
>   a /28 block, and web and mail services supported
> - Backup site with a second Internet link and a BIND service (DNS3) and
>   another /28 block
>
> When the Internet link from main site is DOWN, the web and mail traffic
> come through the backup site to main site crossing a L2L. So I need to
> change the IP's of the FQDN hosts I have supported in the DNS3 in order to
> continue offering services (web and mail). How can I do this automatically?
> Is there any way that "something" monitors the main Internet link and in
> case it is DOWN automatically order to modify the FQDN records in DNS3 ???
>
> Thanks a lot and regards!!!
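One way to wire up the approach in the reply above, as an added example that is not code from the thread: a small monitor probes a host that is only reachable through the main link, debounces the result so a single lost probe does not flip the records, and when the state changes feeds an nsupdate script to `nsupdate -k` against DNS3 to repoint the A records at the backup-site addresses (and back again when the link returns). Every address, name, the TSIG key path and the probe target are constructed placeholders; the zone on DNS3 must be configured to accept dynamic updates signed with that key, which is outside this snippet.

```python
"""Link monitor that repoints DNS3's records with nsupdate when the main link fails.

Added example (not from the thread). All addresses, names, the key path and
the probe target are constructed placeholders.
"""
import socket
import subprocess
import time
from typing import Dict, Optional, Tuple

DNS3 = "192.0.2.53"                   # backup-site BIND server receiving the updates (constructed)
ZONE = "example.test."                # zone served by DNS3 (constructed)
KEYFILE = "/etc/bind/failover.key"    # TSIG key file for nsupdate -k (assumed path)
PROBE = ("198.51.100.1", 443)         # host reachable only through the main link (constructed)
TTL = 60                              # short TTL so the switch is picked up quickly

# name -> (address via the main link, address via the backup link); constructed
RECORDS: Dict[str, Tuple[str, str]] = {
    "www": ("203.0.113.10", "198.51.100.10"),
    "mail": ("203.0.113.25", "198.51.100.25"),
}


def build_update(zone: str, server: str, records: Dict[str, Tuple[str, str]],
                 use_backup: bool, ttl: int = TTL) -> str:
    """Return the nsupdate script that repoints every A record in `records`."""
    lines = [f"server {server}", f"zone {zone}"]
    for name, (main_ip, backup_ip) in sorted(records.items()):
        fqdn = f"{name}.{zone}"
        lines.append(f"update delete {fqdn} A")   # drop whatever is there now
        lines.append(f"update add {fqdn} {ttl} A {backup_ip if use_backup else main_ip}")
    lines.append("send")                          # one transaction for all records
    return "\n".join(lines) + "\n"


def apply_update(script: str) -> None:
    """Feed the script to nsupdate on stdin, signing with the TSIG key."""
    subprocess.run(["nsupdate", "-k", KEYFILE], input=script, text=True, check=True)


def link_is_up(probe: Tuple[str, int] = PROBE, timeout: float = 3.0) -> bool:
    """A completed TCP handshake with the probe host counts as 'link up'."""
    try:
        with socket.create_connection(probe, timeout=timeout):
            return True
    except OSError:
        return False


class LinkMonitor:
    """Debounce probe results: the state flips only after `threshold` consecutive disagreeing probes."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.up = True          # assume the main link is healthy at start
        self._streak = 0        # consecutive probes disagreeing with the current state

    def observe(self, probe_up: bool) -> Optional[bool]:
        """Record one probe; return the new state when it changes, else None."""
        if probe_up == self.up:
            self._streak = 0
            return None
        self._streak += 1
        if self._streak < self.threshold:
            return None
        self.up, self._streak = probe_up, 0
        return self.up


def run(interval: float = 10.0) -> None:
    monitor = LinkMonitor()
    while True:
        changed = monitor.observe(link_is_up())
        if changed is not None:
            # Link went down -> publish backup addresses; came back -> restore the main ones.
            apply_update(build_update(ZONE, DNS3, RECORDS, use_backup=not changed))
        time.sleep(interval)


if __name__ == "__main__":
    run()
```

The debounce matters more than it looks: without it a flapping link would generate a burst of signed updates and serial bumps on DNS3, and clients would cache whichever address happened to be published when their TTL expired.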
Forwarders with static-stub
Hi,

When I set up static-stub zones with the global forwarders option configured, BIND by design forwards the requests before using the stubs. What is the best way around this so the stubs and cache are consulted first? This is required for split-brain DNS.

Thanks

Regards
Ben Lavender
Re: Issues with Stub Zone
Thanks for your reply Chris,

When querying the SOA for that domain I successfully receive the full SOA details including the additional NS and A record for the authoritative server of the domain. The stub server can contact the primary zone but only by IP; DNS resolution fails unless I add in a record in /etc/hosts. Also the stub zone file updates correctly.

I have tested static-stubs and they work as expected but stubs don't when recursion is enabled on the BIND server.

Ben

On 08/05/2019 17:02, Chris Buxton wrote:

> Remembering that a stub zone is a cache hint, more information is needed.
>
> o What do the two "master" DNS servers say when asked for the SOA record
>   of 'benlavender.co.uk'?
> o Are there A or AAAA records in the Additional section? If so, can the
>   indicated IP addresses be reached?
>
> It may be that the behavior you're expecting is more in line with type
> "static-stub" than with type "stub".
>
> Regards,
> Chris Buxton
>
> > On May 7, 2019, at 4:08 PM, Ben Lavender wrote:
> >
> > Hi,
> >
> > I've been trying to configure a stub zone using both BIND 9.8x and 9.9x
> > for some split-brain internal DNS. The problem I have is that any client
> > that requests the NS or SOA records for this zone gets SERVFAIL. The BIND
> > server populates the /var/named/slaves/benlavender.co.uk.DB file with the
> > SOA and NS records straight away and can query them over UDP 53 to the
> > masters if need be. I've had a look through the logs that are used in this
> > config but the only issues I see are in /lame-servers.log, which shows some
> > IPv6 failures, and that the client is getting a SERVFAIL back in the
> > /default.log:
> >
> > 05-May-2019 22:58:32.846 client 192.168.1.4#51612 (benlavender.co.uk): query failed (SERVFAIL) for benlavender.co.uk/IN/NS at query.c:7038
> >
> > The config I'm using in /etc/named.conf is:
> >
> > //
> > // named.conf
> > //
> > // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
> > // server as a caching only nameserver (as a localhost DNS resolver only).
> > //
> > // See /usr/share/doc/bind*/sample/ for example named configuration files.
> > //
> > // See the BIND Administrator's Reference Manual (ARM) for details about the
> > // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
> >
> > options {
> >     listen-on port 53 { 127.0.0.1; 172.16.4.31; };
> >     listen-on-v6 port 53 { ::1; };
> >     directory "/var/named";
> >     dump-file "/var/named/data/cache_dump.db";
> >     statistics-file "/var/named/data/named_stats.txt";
> >     memstatistics-file "/var/named/data/named_mem_stats.txt";
> >     recursing-file "/var/named/data/named.recursing";
> >     secroots-file "/var/named/data/named.secroots";
> >     allow-query { localhost; 172.16.4.2; 172.16.4.3; 192.168.1.4; };
> >
> >     /*
> >      - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
> >      - If you are building a RECURSIVE (caching) DNS server, you need to enable
> >        recursion.
> >      - If your recursive DNS server has a public IP address, you MUST enable access
> >        control to limit queries to your legitimate users. Failing to do so will
> >        cause your server to become part of large scale DNS amplification
> >        attacks. Implementing BCP38 within your network would greatly
> >        reduce such attack surface
> >     */
> >     recursion yes;
> >
> >     dnssec-enable yes;
> >     dnssec-validation yes;
> >
> >     /* Path to ISC DLV key */
> >     bindkeys-file "/etc/named.iscdlv.key";
> >
> >     managed-keys-directory "/var/named/dynamic";
> >
> >     pid-file "/run/named/named.pid";
> >     session-keyfile "/run/named/session.key";
> > };
> >
> > logging {
> >     channel default_file { file "/var/named/default.log" versions 3 size 5m; severity debug; print-time yes; };
> >     channel general_file { file "/var/named/general.log" versions 3 size 5m; severity debug; print-time yes; };
> >     channel database_file { file "/var/named/database.log" versions 3 size 5m; severity debug; print-time yes; };
> >     channel security_file { file "/var/named/security.log" versions 3 size 5m; severity debug; print-time yes; };
> >     channel config_file { file "/var/named/config.log" versions 3 size 5m; severity debug; print-time yes; };
> >     channel resolver_file { file "/var/named/resolver.log" versions 3 size 5m; severity debug; print-time yes; };
> >     channel xfer-in_file { file "/var/named/xfer-in.log" versions 3 size 5m; severity debug; print-time yes; };
> >     channel xfer-out_file { file "/var/named/xfer-out.log" versions 3 size 5m; severity debug; pri
Issues with Stub Zone
Hi,

I've been trying to configure a stub zone using both BIND 9.8x and 9.9x for some split-brain internal DNS. The problem I have is that any client that requests the NS or SOA records for this zone gets SERVFAIL. The BIND server populates the /var/named/slaves/benlavender.co.uk.DB file with the SOA and NS records straight away and can query them over UDP 53 to the masters if need be. I've had a look through the logs that are used in this config but the only issues I see are in /lame-servers.log, which shows some IPv6 failures, and that the client is getting a SERVFAIL back in the /default.log:

05-May-2019 22:58:32.846 client 192.168.1.4#51612 (benlavender.co.uk): query failed (SERVFAIL) for benlavender.co.uk/IN/NS at query.c:7038

The config I'm using in /etc/named.conf is:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { 127.0.0.1; 172.16.4.31; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { localhost; 172.16.4.2; 172.16.4.3; 192.168.1.4; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_file { file "/var/named/default.log" versions 3 size 5m; severity debug; print-time yes; };
    channel general_file { file "/var/named/general.log" versions 3 size 5m; severity debug; print-time yes; };
    channel database_file { file "/var/named/database.log" versions 3 size 5m; severity debug; print-time yes; };
    channel security_file { file "/var/named/security.log" versions 3 size 5m; severity debug; print-time yes; };
    channel config_file { file "/var/named/config.log" versions 3 size 5m; severity debug; print-time yes; };
    channel resolver_file { file "/var/named/resolver.log" versions 3 size 5m; severity debug; print-time yes; };
    channel xfer-in_file { file "/var/named/xfer-in.log" versions 3 size 5m; severity debug; print-time yes; };
    channel xfer-out_file { file "/var/named/xfer-out.log" versions 3 size 5m; severity debug; print-time yes; };
    channel notify_file { file "/var/named/notify.log" versions 3 size 5m; severity debug; print-time yes; };
    channel client_file { file "/var/named/client.log" versions 3 size 5m; severity debug; print-time yes; };
    channel unmatched_file { file "/var/named/unmatched.log" versions 3 size 5m; severity debug; print-time yes; };
    channel queries_file { file "/var/named/queries.log" versions 3 size 5m; severity debug; print-time yes; };
    channel network_file { file "/var/named/network.log" versions 3 size 5m; severity debug; print-time yes; };
    channel update_file { file "/var/named/update.log" versions 3 size 5m; severity debug; print-time yes; };
    channel dispatch_file { file "/var/named/dispatch.log" versions 3 size 5m; severity debug; print-time yes; };
    channel dnssec_file { file "/var/named/dnssec.log" versions 3 size 5m; severity debug; print-time yes; };
    channel lame-servers_file { file "/var/named/lame-servers.log" versions 3 size 5m; severity debug;
Empty .local zone
Greetings. Would it be advisable or inadvisable to define an empty zone for .local on a recursive, unicast BIND server that is not hosting any Microsoft Windows AD domains or other .local zones, in order to keep the queries for .local off the root servers? It seems to me like it would be a good idea, but online searches have returned mixed views on the subject, and BIND doesn't appear to have a built-in zone for it, suggesting there might be a reason not to create an empty zone for it. (My definition of an empty zone is one that has no records in it except an SOA record and an NS record which returns either "localhost" (preferably) or the BIND server itself.)

Thanks,
Ben Bridges
SpringNet <http://www.springnet.net>

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS Flag Day: I had to open the TCP/53 port
When a DNS response is too large to fit in a single UDP packet (512 bytes, up to 4k with EDNS), the DNS server will respond with as much as it can fit in the UDP packet. It will also set the truncate (TC) bit to let the client doing the query know that the answer is truncated and the client should query again over TCP for the full answer.

The TC bit is also used in conjunction with RRL.

On Mon, Feb 4, 2019, 8:57 AM Roberto Carna wrote:

> Thanks Ben for your response, can you tell me the types of TCP traffic I have to expect in BIND, excepting Zone Transfer?
>
> Thanks a lot again!!!
>
> On Mon, 4 Feb 2019 at 10:50, Ben Croswell wrote:
>
>> BIND has always required UDP and TCP 53 for proper functionality. It is sometimes mistakenly believed that TCP is only for zone transfers but that is not the case.
>>
>> On Mon, Feb 4, 2019, 8:46 AM Roberto Carna wrote:
>>
>>> Dear, I have a BIND 9.10 public server and I have delegated some public domains.
>>>
>>> When I test these domains with the EDNS tool offered in the DNS Flag Day webpage, the test was wrong with just UDP/53 port opened to Internet.
>>>
>>> After that, when I opened also TCP/53 port, the test was successful.
>>>
>>> Please can you explain me the reason I have to open TCP/53 port to Internet from February 1st to the future???
>>>
>>> Really thanks, regards.
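The truncation handling described above, as an added example that is not part of the list thread: a client builds a query with an EDNS OPT record, checks the TC bit in the response header, and repeats the query over TCP/53 when it is set. The sample responses at the bottom are constructed, so the parsing part runs without network access.

```python
"""Added example (not from the list post): client-side handling of the TC bit.

Builds a query carrying an EDNS OPT record, inspects the response header,
and falls back to TCP/53 when the truncated bit is set. The response bytes
used at the bottom are constructed here, so the parsing part runs offline.
"""
import socket
import struct

TC_FLAG = 0x0200  # truncated-response bit in the header flags word (RFC 1035)
QTYPE_NS = 2


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int, udp_size: int = 4096) -> bytes:
    """Standard query with RD set and one OPT pseudo-RR advertising udp_size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR (RFC 6891): root name, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries extended RCODE / version / flags (all zero here), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the fields a client needs."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & TC_FLAG),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(response: bytes, expected_id: int) -> bool:
    """True when the UDP answer is truncated and must be re-asked over TCP."""
    hdr = parse_header(response)
    if hdr["id"] != expected_id or not hdr["qr"]:
        raise ValueError("response does not belong to our query")
    return hdr["tc"]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed early")
        buf += chunk
    return buf


def query_with_fallback(server: str, name: str, qtype: int = QTYPE_NS,
                        timeout: float = 3.0) -> bytes:
    """UDP first; if TC is set, repeat the identical query over TCP/53.

    TCP DNS frames each message with a two-byte length prefix. This function
    needs network access and is not exercised by the offline checks below.
    """
    txid = 0x1234
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        response, _ = udp.recvfrom(4096)
    if not needs_tcp_retry(response, txid):
        return response
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(tcp, 2))
        return recv_exact(tcp, length)


# Constructed sample responses to a query with id 0x1234 (no RRs included):
# flags 0x8380 = QR | TC | RD | RA, i.e. the server could not fit the answer.
SAMPLE_TRUNCATED = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
                    + encode_name("example.com") + struct.pack("!HH", QTYPE_NS, 1))
# flags 0x8180 = QR | RD | RA, a complete answer that needs no TCP retry.
SAMPLE_COMPLETE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", QTYPE_NS, 1))
```

A firewall that passes UDP/53 but blocks TCP/53 leaves the client stuck at the second step, which is what the Flag Day checker reports.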
Re: DNS Flag Day: I had to open the TCP/53 port
BIND has always required UDP and TCP 53 for proper functionality. It is sometimes mistakenly believed that TCP is only for zone transfers but that is not the case.

On Mon, Feb 4, 2019, 8:46 AM Roberto Carna wrote:

> Dear, I have a BIND 9.10 public server and I have delegated some public domains.
>
> When I test these domains with the EDNS tool offered in the DNS Flag Day webpage, the test was wrong with just UDP/53 port opened to Internet.
>
> After that, when I opened also TCP/53 port, the test was successful.
>
> Please can you explain me the reason I have to open TCP/53 port to Internet from February 1st to the future???
>
> Really thanks, regards.
Re: DNS flag day
I would imagine "it's a hoax" is code for "we don't want to bother remediating".

On Fri, Jan 18, 2019, 3:20 PM Warren Kumari wrote:

> On Fri, Jan 18, 2019 at 2:58 PM Ben Croswell wrote:
>
>> I would say we had one provider go as far as saying this whole flag day thing is a hoax.
>
> That's a weird stance / position. "The whole flag day thing is [stupid|overblown|annoying|confusing|on a Friday]" are all positions I can understand - not agree with (modulo the Friday one), but at least understand. 'tis a hoax is just confusing...
> Flag Day has been discussed at length, and presented at multiple DNS events - it seems that a DNS provider who hasn't seen any of the presentations and recognized at least one person pushing this isn't well connected to the community, and should probably be avoided...
>
> W
> P.S: Unless they think it is simply a *very* subtle, long running, widespread hoax... and now I'm wondering if I'm the patsy here :-P
>
>> Not sure what option there is other than voting with your wallet and moving to a different provider.
>>
>> May even be worth looking at 2 providers. I see DNS provider redundancy as being a huge priority after the Dyn DDoS event.
>>
>> On Fri, Jan 18, 2019, 2:50 PM Lightner, Jeffrey wrote:
>>
>>> On checking I find that any of our domains that use Network Solutions’ Worldnic.com nameservers are reporting failures when checked.
>>>
>>> For example this result: https://ednscomp.isc.org/ednscomp/e30c6cf0ea
>>>
>>> Other people online have posted about Network Solutions as they also saw failures.
>>>
>>> On calling Network Solutions today they told me they are compliant despite what was reported by https://dnsflagday.net/
>>>
>>> This issue is with domains registered at Network Solutions and using their Advanced DNS (i.e. their Worldnic name servers). Other domains we have registered with them but pointing to other name servers (i.e. our own BIND servers) displayed as compliant.
>>>
>>> When I sent them the links they saw what I saw but still claimed they are compliant. They refused to send me something in writing stating that, so I suggested they reach out to ISC regarding the checker’s results if they believe they are compliant, but they said they don’t see the need. I’ve asked them to escalate and they say they have but I suspect I’ll not hear back from them.
>>>
>>> Is there a list of known edns compliant Registrar name servers for the larger Registrars?
>>>
>>> Is it possible the failures seen are false? If so, are there alternate edns compliance checkers that might show different responses than dnsflagday.net?
>>>
>>> *From:* bind-users *On Behalf Of* Ben Croswell
>>> *Sent:* Friday, January 18, 2019 12:19 PM
>>> *To:* bind-users@lists.isc.org
>>> *Subject:* Re: DNS flag day
>>>
>>> I shouldn't have posted so closely to responding to the other user.
>>>
>>> I am not running 9.8. I was replying to them about firewalls in regards to their 9.8 issues.
>>>
>>> Was just hoping for a statement of 9.x or greater supports the needed badvers signaling etc.
>>>
>>> On Fri, Jan 18, 2019, 12:15 PM Victoria Risk wrote:
>>>
>>>> On Jan 18, 2019, at 9:09 AM, Ben Croswell wrote:
>>>>
>>>>> Has ISC released minimum viable BIND version for flag day?
>>>>
>>>> Most versions of BIND authoritative servers, going back years, are EDNS compatible. Certainly ALL currently supported versions are compatible. I see you are running 9.8, which has been EOL since September, 2014. I think that is probably fine, as far as EDNS, however.
>>>>
>>>> The change in BIND related to DNS Flag Day is removing workarounds from resolvers, that will retry without EDNS or otherwise try to proceed even when EDNS fails. This change came in the BIND 9.13 development version, and will be in BIND 9.14, which is not yet released.
>>>>
>>>> The problem
Re: DNS flag day
I would say we had one provider go as far as saying this whole flag day thing is a hoax.

Not sure what option there is other than voting with your wallet and moving to a different provider.

May even be worth looking at 2 providers. I see DNS provider redundancy as being a huge priority after the Dyn DDoS event.

On Fri, Jan 18, 2019, 2:50 PM Lightner, Jeffrey wrote:

> On checking I find that any of our domains that use Network Solutions’ Worldnic.com nameservers are reporting failures when checked.
>
> For example this result: https://ednscomp.isc.org/ednscomp/e30c6cf0ea
>
> Other people online have posted about Network Solutions as they also saw failures.
>
> On calling Network Solutions today they told me they are compliant despite what was reported by https://dnsflagday.net/
>
> This issue is with domains registered at Network Solutions and using their Advanced DNS (i.e. their Worldnic name servers). Other domains we have registered with them but pointing to other name servers (i.e. our own BIND servers) displayed as compliant.
>
> When I sent them the links they saw what I saw but still claimed they are compliant. They refused to send me something in writing stating that, so I suggested they reach out to ISC regarding the checker’s results if they believe they are compliant, but they said they don’t see the need. I’ve asked them to escalate and they say they have but I suspect I’ll not hear back from them.
>
> Is there a list of known edns compliant Registrar name servers for the larger Registrars?
>
> Is it possible the failures seen are false? If so, are there alternate edns compliance checkers that might show different responses than dnsflagday.net?
>
> *From:* bind-users *On Behalf Of* Ben Croswell
> *Sent:* Friday, January 18, 2019 12:19 PM
> *To:* bind-users@lists.isc.org
> *Subject:* Re: DNS flag day
>
> I shouldn't have posted so closely to responding to the other user.
>
> I am not running 9.8. I was replying to them about firewalls in regards to their 9.8 issues.
>
> Was just hoping for a statement of 9.x or greater supports the needed badvers signaling etc.
>
> On Fri, Jan 18, 2019, 12:15 PM Victoria Risk wrote:
>
>> On Jan 18, 2019, at 9:09 AM, Ben Croswell wrote:
>>
>>> Has ISC released minimum viable BIND version for flag day?
>>
>> Most versions of BIND authoritative servers, going back years, are EDNS compatible. Certainly ALL currently supported versions are compatible. I see you are running 9.8, which has been EOL since September, 2014. I think that is probably fine, as far as EDNS, however.
>>
>> The change in BIND related to DNS Flag Day is removing workarounds from resolvers, that will retry without EDNS or otherwise try to proceed even when EDNS fails. This change came in the BIND 9.13 development version, and will be in BIND 9.14, which is not yet released.
>>
>> The problem you are seeing is most likely firewall-related.
>>
>> Vicky
>>
>>> I looked around and couldn't find anything.
Re: EDNS Compliance
It's more complicated than just packet size. I have seen FWs with IPS rules that were dropping the packets because the rule stated 0 was the only EDNS version and anything else was an attack.

I would check the FW logs to find the log of the drop and work back from there.

On Fri, Jan 18, 2019, 12:29 PM N. Max Pierson wrote:

> Thanks for the response, Ben. After looking at the results, it seems we do have a different firewall between the 4 servers and they have IPs out of the same subnet for 2 of them which are failing. So this lets me know it is firewall related and now I can check that.
>
> Do you know what type of rule (in general, not anything specific) needs to be added to allow for larger EDNS packets? Is it as simple as allowing the maximum size for payload specified in the RFC (https://tools.ietf.org/html/rfc6891#section-6.2.5) which is 4096 bytes?
>
> Regards,
> Max
>
> On Fri, Jan 18, 2019 at 11:07 AM Ben Croswell wrote:
>
>> As long as all 4 DNS servers are running the same version, my first suggestion would be to check firewalls for dropped packets.
>>
>> Some FW/IPS drop packets with EDNS versions other than 0 because they see it as an attack.
>>
>> On Fri, Jan 18, 2019, 12:02 PM N. Max Pierson wrote:
>>
>>> Hi List,
>>>
>>> I am trying to ensure our Bind servers comply with EDNS for the upcoming Flag Day (https://dnsflagday.net/). I am somewhat ignorant of EDNS but from what I have read, the information is somewhat conflicting, as some documentation states EDNS is not a record that you configure in your zone file, then other sites refer to some sort of OPT record you can configure. So my first question is which of the documentation is correct from what I have read? Is it DNS server functionality that supports EDNS or do you also have to configure something in the zone files?
>>>
>>> Also, I have 4 (well 5 counting the master that isn't queryable) nameservers with multiple domains served on them. When I run one of my primary domains through the ISC EDNS tool, it comes back as 2 out of the 4 are failing EDNS queries. They are all on the same version of Bind (9.8.2rc1) and they are all slaves of the master so they should all have the same records. Can anyone please explain what I need to do to resolve the timeouts listed on the ISC testing tool?
>>>
>>> Here is what the tool says ...
>>>
>>> venyu.com. @208.79.48.30 (ns4.venyu.com.): dns=ok edns=ok *edns1=timeout* edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok ednsflags=ok docookie=ok edns512tcp=ok *optlist=timeout*
>>>
>>> venyu.com. @69.2.33.250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok
>>> venyu.com. @2604:d800:12::250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok
>>>
>>> venyu.com. @69.2.63.250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok
>>> venyu.com. @2604:d800:13::250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok
>>>
>>> venyu.com. @208.79.48.26 (ns2.venyu.com.): dns=ok edns=ok *edns1=timeout* edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok ednsflags=ok docookie=ok edns512tcp=ok *optlist=timeout*
>>>
>>> TIA!!
>>>
>>> Regards,
>>>
>>> Max
Re: DNS flag day
I shouldn't have posted so closely to responding to the other user.

I am not running 9.8. I was replying to them about firewalls in regards to their 9.8 issues.

Was just hoping for a statement of 9.x or greater supports the needed badvers signaling etc.

On Fri, Jan 18, 2019, 12:15 PM Victoria Risk wrote:

> On Jan 18, 2019, at 9:09 AM, Ben Croswell wrote:
>
>> Has ISC released minimum viable BIND version for flag day?
>
> Most versions of BIND authoritative servers, going back years, are EDNS compatible. Certainly ALL currently supported versions are compatible. I see you are running 9.8, which has been EOL since September, 2014. I think that is probably fine, as far as EDNS, however.
>
> The change in BIND related to DNS Flag Day is removing workarounds from resolvers, that will retry without EDNS or otherwise try to proceed even when EDNS fails. This change came in the BIND 9.13 development version, and will be in BIND 9.14, which is not yet released.
>
> The problem you are seeing is most likely firewall-related.
>
> Vicky
>
>> I looked around and couldn't find anything.
DNS flag day
Has ISC released minimum viable BIND version for flag day? I looked around and couldn't find anything.
Re: EDNS Compliance
As long as all 4 DNS servers are running the same version, my first suggestion would be to check firewalls for dropped packets.

Some FW/IPS drop packets with EDNS versions other than 0 because they see it as an attack.

On Fri, Jan 18, 2019, 12:02 PM N. Max Pierson wrote:

> Hi List,
>
> I am trying to ensure our Bind servers comply with EDNS for the upcoming Flag Day (https://dnsflagday.net/). I am somewhat ignorant of EDNS but from what I have read, the information is somewhat conflicting, as some documentation states EDNS is not a record that you configure in your zone file, then other sites refer to some sort of OPT record you can configure. So my first question is which of the documentation is correct from what I have read? Is it DNS server functionality that supports EDNS or do you also have to configure something in the zone files?
>
> Also, I have 4 (well 5 counting the master that isn't queryable) nameservers with multiple domains served on them. When I run one of my primary domains through the ISC EDNS tool, it comes back as 2 out of the 4 are failing EDNS queries. They are all on the same version of Bind (9.8.2rc1) and they are all slaves of the master so they should all have the same records. Can anyone please explain what I need to do to resolve the timeouts listed on the ISC testing tool?
>
> Here is what the tool says ...
>
> venyu.com. @208.79.48.30 (ns4.venyu.com.): dns=ok edns=ok *edns1=timeout* edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok ednsflags=ok docookie=ok edns512tcp=ok *optlist=timeout*
>
> venyu.com. @69.2.33.250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok
> venyu.com. @2604:d800:12::250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok
>
> venyu.com. @69.2.63.250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok
> venyu.com. @2604:d800:13::250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok
>
> venyu.com. @208.79.48.26 (ns2.venyu.com.): dns=ok edns=ok *edns1=timeout* edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok ednsflags=ok docookie=ok edns512tcp=ok *optlist=timeout*
>
> TIA!!
>
> Regards,
>
> Max
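The "EDNS version other than 0" point raised in both replies of this thread, as an added example that is not from the list: the checker's edns1 probe carries an OPT record with version 1, a compliant server answers it with extended RCODE BADVERS rather than staying silent, and the modelled IPS rule shows why such probes time out. The query bytes are constructed here; `naive_ips_would_drop` is a model of the misbehaving rule, not a recommended check.

```python
"""Added example (not from the list posts): what an EDNS version-1 probe looks
like on the wire and how a compliant server answers it.

The Flag Day checker's "edns1" test sends an OPT record with version 1. A
server that understands only version 0 must still answer, with extended
RCODE BADVERS (16); a middlebox that drops anything but version 0 turns that
into the timeouts seen in the tool output. The sample queries are constructed.
"""
import struct

OPT_TYPE = 41
BADVERS = 16


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_opt(msg: bytes):
    """Find the OPT pseudo-RR in the additional section; None if the query has no EDNS."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE and i >= an + ns:   # OPT is only valid in the additional section
            return {
                "udp_size": rclass,               # CLASS field reused as UDP payload size
                "ext_rcode": (ttl >> 24) & 0xFF,  # TTL field: ext-RCODE | version | flags
                "version": (ttl >> 16) & 0xFF,
                "do": bool(ttl & 0x8000),
                "rdlen": rdlen,
            }
        off += rdlen
    return None


def naive_ips_would_drop(msg: bytes) -> bool:
    """Model of the IPS rule from the thread: "0 is the only EDNS version".

    Such a rule drops every version-1 probe, so the client sees a timeout
    instead of the BADVERS reply it expects; this is the misbehaviour, not
    a recommended check."""
    opt = parse_opt(msg)
    return opt is not None and opt["version"] != 0


def badvers_response(query: bytes) -> bytes:
    """Compliant reply to an unsupported EDNS version (RFC 6891 section 6.1.3):
    echo the question, set QR, and carry BADVERS in the OPT extended RCODE
    while advertising version 0 as the highest we support."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    q_end = 12
    for _ in range(qd):
        q_end = skip_name(query, q_end) + 4
    rcode_low = BADVERS & 0x0F               # low 4 bits live in the header
    header = struct.pack("!HHHHHH", txid, 0x8000 | (flags & 0x0100) | rcode_low, qd, 0, 0, 1)
    ttl = ((BADVERS >> 4) & 0xFF) << 24      # high 8 bits live in OPT's TTL
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, 0)
    return header + query[12:q_end] + opt


def extended_rcode(msg: bytes) -> int:
    """Combine header RCODE with the OPT extended RCODE into the 12-bit value."""
    flags = struct.unpack("!H", msg[2:4])[0]
    opt = parse_opt(msg)
    high = opt["ext_rcode"] if opt else 0
    return (high << 4) | (flags & 0x0F)


# Constructed sample: query for example.com/A, RD set, one additional record.
_HEADER = bytes.fromhex("0001 0100 0001 0000 0000 0001")
_QUESTION = bytes.fromhex("07 6578616d706c65 03 636f6d 00 0001 0001")
# OPT: root name, TYPE 41, CLASS 4096, TTL 00 01 00 00 (ext-rcode 0, version 1), RDLEN 0
_OPT_V1 = bytes.fromhex("00 0029 1000 00010000 0000")
SAMPLE_EDNS1_QUERY = _HEADER + _QUESTION + _OPT_V1
# Same query without any OPT record (ARCOUNT 0): plain DNS, no EDNS at all.
SAMPLE_PLAIN_QUERY = bytes.fromhex("0001 0100 0001 0000 0000 0000") + _QUESTION
```

A firewall rule that wants to be strict about EDNS can still let version-1 probes through and rely on the server's BADVERS reply, which is the behaviour the checker's edns1 column is testing for.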
Re: BIND and UDP tuning
When we ran into UDP tuning issues on high traffic devices it presented as silent discards rather than SERVFAIL.

On Thu, Sep 27, 2018, 12:04 PM Alex wrote:

> Hi,
>
> On Thu, Sep 27, 2018 at 10:53:25AM -0400, Alex wrote:
>>> Many of these values I've already tweaked and have had no effect on my SERVFAIL issues :-(
>>
>> If you are getting SERVFAILs from a BIND resolver you administer, then it has responded to your query. If you turn up the log level to something like -d 99, it'll print the steps that led to that SERVFAIL. Usually you'll find something there that directs you to next steps.
>>
>> On this topic, my home resolver is also a stock packaged BIND version as you, and I too see spurious SERVFAILs sometimes. I used to think this was due to too much indirection, e.g., when named starts up and you run:
>>
>> dig -x 176.9.81.50
>
> It doesn't typically happen when running from the command-line. It does occasionally happen, though. I usually run something like "dig +all +trace +nodnssec ". It sometimes times out in the middle, with something like "cannot resolve xyz host", which may even be one of the root servers.
>
> I also typically run it with "rndc trace 11" which shows me quite a bit of debugging info - too much to look through manually. With trace 99, I can imagine it being an overwhelming amount of info. Do you have any ideas of what to look for? "query-errors"?
>
> Also, I also see other SERVFAIL errors that really are SERVFAIL errors - when querying the host manually, it still responds immediately with SERVFAIL.
>
> Thanks,
> Alex
>
>> on a cold cache. However it seems to be returning SERVFAIL sometimes for what should be a cached answer. I'll also turn up the debug logging and watch it.
>>
>> Mukund
Re: DNS-Format-Error
On Tue, Dec 19, 2017 at 09:28:28AM +0300, Mohammed Ejaz wrote:
> No this IP 212.76.76.18 doesn’t belong to us and is not even in a trusted list of our DNS. After looking at my logs I noticed this IP asked for this domain mumbai-m.site to which our name server denied as shown in the below logs. Whereas our NCSA is claiming that massive malicious requests come from our DNS. Just I want to understand how is this possible massive attack towards the internet for deny requests.

Those logs also show requests from another address in your own netblocks that's been assigned to a customer of Cyberia in Jeddah. That's in 212.119.73.32/27.

Sten's explanation was almost certainly right with regards to the traffic seen or analysed by SA's national CERT. The traffic appearing to emanate from your DNS servers will be the result of the botnet or whatever it is making connections back to its command and control host and spoofing the source addresses of the requests. The DNS resolvers can't tell the difference and reply to all the IPs a request appears to come from.

Obviously you can't do anything about 212.76.76.18/32 directly, but if it's taken up this much time already then if I were in your position I'd just null route it at the border of Cyberia's network. Maybe notify Sahara Net that you've had to do it and forward them the same info SA's CERT gave you regarding their IP address.

Meanwhile, one of your own customers (the one assigned that /27) needs to hire an IT security consultant to clean their network. I'm assuming that log sample was just a quick cut and paste and there's actually a lot more. Search all the resolver logs for addresses in your IP space requesting that hostname and send all those customers a "your computer/network on IP $FOO has been compromised, you have X days to fix it or your connection will be suspended." Just warn your support staff before you do that because they're the ones who will receive the angry calls from confused accountants.

Regards,
Ben
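The resolver-log sweep the reply suggests, as an added example that is not from the list: it parses BIND-style query-log lines, keeps only queries for the indicator hostname, and splits the clients into addresses inside your own netblocks (customers to notify) and everything else (spoofed or foreign sources). The log lines are constructed; the only values taken from the thread are 212.76.76.18, 212.119.73.32/27 and mumbai-m.site.

```python
"""Added example (not from the list post): the resolver-log sweep the reply
suggests, finding which clients in your own address space queried the C2
hostname. Log lines are constructed in BIND's query-log style; the only
values taken from the thread are 212.76.76.18, 212.119.73.32/27 and
mumbai-m.site.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, Sequence

# Matches both "query:" and "denied" lines; the name in parentheses is the
# queried name in either form. The optional "@0x..." token appears on newer BIND.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\):"
)


def _normalise(name: str) -> str:
    """Case-fold and drop the trailing dot so log variants compare equal."""
    return name.rstrip(".").lower()


def clients_for_name(lines: Iterable[str], indicator: str,
                     own_netblocks: Sequence[str]) -> Dict[str, Counter]:
    """Count queries for `indicator` per client IP, split into clients inside
    `own_netblocks` (customers to notify) and everyone else (spoofed or foreign
    sources you cannot clean up yourself)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in own_netblocks]
    target = _normalise(indicator)
    internal, external = Counter(), Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or _normalise(m.group("qname")) != target:
            continue
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue                      # malformed address, not a client we can act on
        bucket = internal if any(addr in n for n in nets) else external
        bucket[str(addr)] += 1
    return {"internal": internal, "external": external}


# Constructed sample log lines: timestamps, ports, the resolver address in the
# trailing parentheses and the non-thread client IPs are all made up.
SAMPLE_LOG = [
    "19-Dec-2017 09:10:01.101 client 212.119.73.40#51234 (mumbai-m.site): query: mumbai-m.site IN A + (212.119.64.2)",
    "19-Dec-2017 09:10:01.233 client 212.76.76.18#40021 (mumbai-m.site): query (cache) 'mumbai-m.site/A/IN' denied",
    "19-Dec-2017 09:10:02.004 client 212.119.73.41#51300 (MUMBAI-M.SITE.): query: MUMBAI-M.SITE. IN AAAA + (212.119.64.2)",
    "19-Dec-2017 09:10:05.777 client 212.119.73.40#33333 (www.example.net): query: www.example.net IN A + (212.119.64.2)",
    "19-Dec-2017 09:10:06.001 client @0x7f3c2c0a1d20 198.51.100.7#5353 (mumbai-m.site): query (cache) 'mumbai-m.site/A/IN' denied",
    "19-Dec-2017 09:10:07.500 client 212.119.73.40#51240 (mumbai-m.site): query: mumbai-m.site IN A + (212.119.64.2)",
]
```

Feed it the real query logs with your actual netblocks and the "internal" bucket is the customer notification list; the "external" bucket is the traffic you can only null-route or report.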
Re: Max slaves limit?
That is a valid consideration but being a slave doesn't always mean being in the NS records.

On Dec 18, 2017 9:47 AM, "Barry S. Finkel" wrote:

> On Sun, 17 Dec 2017 22:06:58 +0530, vijay bommareddy wrote:
>
>> Hello folks,
>>
>> I'm trying to find more information on the practical limitations of adding more slaves.
>> Can someone tell me how many slaves BIND technically supports? Is there a maximum limit per master server?
>>
>> Thank you
>> Vijay
>
> A minor point - if there are too many slaves, then the NS list might not fit into a UDP packet, causing TCP to be used. I do not know how many NS records would be needed to exceed the UDP packet size; it would depend upon the length of the nodenames of the DNS servers.
>
> --Barry Finkel
Re: EDNS0 client subnet in BIND 9.10
The use case I am looking at is using ECS or some other mechanism to pass the IP of the client making the query to the global load-balancer. This information could then be used by the global load-balancer in making proximity decisions when crafting its response. I.e. GLB sees 10.1.1.1 and returns a given IP but if it sees 10.2.2.2 the answer is different.

On Nov 11, 2017 5:31 AM, "Ray Bellis" <r...@isc.org> wrote:

> On 11/11/2017 04:50, Mukund Sivaraman wrote:
>> I'm not sure how ECS would be useful for load-balancing, as in the best case scenario it would require one to control every client side to send the client-subnet option.
>
> It would help if Ben provided more details about what he's trying to achieve.
>
> I do have a draft that I'm trying to get adopted at IETF to allow client-related information to be carried from load balancer to back-end server. It's not yet implemented in BIND, though:
>
> <https://tools.ietf.org/html/draft-bellis-dnsop-xpf-03>
>
> Ray
EDNS0 client subnet in BIND 9.10
I would like to use the client subnet option to overcome some hurdles related to proximity load-balancing. I have looked through the ARM and found references to setting the option in a dig. However I was not able to locate options for sourcing that option on the DNS server. Is anyone using ECS currently?
RE: Forwarding from delegated zone not working
I guess I made the assumption that the zone was properly forwarded at the MS end. However, as you mentioned, if it was only delegated then it would SERVFAIL at the BIND server when receiving an iterative query from MS if BIND isn't authoritative.

On Oct 10, 2017 11:44 AM, "Darcy Kevin (FCA)" <kevin.da...@fcagroup.com> wrote:

> But surely you’d get an NXDOMAIN in that case, not a SERVFAIL. The assumption I made in my post was that the delegation was pointed to the forwarding BIND instance, which is a non-starter.
>
> - Kevin
>
> *From:* bind-users [mailto:bind-users-boun...@lists.isc.org] *On Behalf Of* Ben Croswell
> *Sent:* Tuesday, October 10, 2017 11:38 AM
> *To:* seanliam73 <sean.orei...@landg.com>
> *Cc:* bind-users@lists.isc.org
> *Subject:* Re: Forwarding from delegated zone not working
>
> If the AD environment loads company.com you need to make sure it has NS delegations. The nameserver will ignore the zone forwarded if it knows the child doesn't exist.
>
> On Oct 10, 2017 11:22 AM, "seanliam73" <sean.orei...@landg.com> wrote:
>
>> Hi
>>
>> I have a subdomain delegated from AD to a bind9 instance I have running so that all requests for that subdomain are sent to the bind 9 instance. I would then like to set up zone forwarding so that further subdomains can be managed by other bind 9 instances.
>>
>> I know the forwarding is working because I can query the main bind9 instance and receive the expected results. However if I query from the AD server that is doing the delegation I get a SERVFAIL error.
>>
>> Am I trying to do something that is not possible or am I just missing some configuration?
>>
>> *main instance config*
>>
>> options {
>>         directory "/var/named";
>>         listen-on port 53 { listen addr; };
>>         auth-nxdomain yes;
>>         recursion yes;
>>         allow-query { ip addresses; };
>>         listen-on-v6 { any; };
>>         dnssec-enable no;
>>         dnssec-validation no;
>>         dnssec-lookaside auto;
>> };
>>
>> logging {
>>         channel default_debug {
>>                 file "data/named.run";
>>                 severity debug 3;
>>         };
>>
>>         channel querylog {
>>                 file "data/query.log";
>>                 severity debug 5;
>>         };
>>
>>         category default { default_debug; };
>>         category queries { querylog; };
>> };
>>
>> zone "example.company.com" IN {
>>         type forward;
>>         forward only;
>>         forwarders { ip address; };
>> };
>>
>> zone "development.example.company.com" IN {
>>         type forward;
>>         forward only;
>>         forwarders { ip address; };
>> };
>>
>> --
>> Sent from: http://bind-users-forum.2342410.n4.nabble.com/
Re: Forwarding from delegated zone not working
If the AD environment loads company.com you need to make sure it has NS delegations. The nameserver will ignore the zone forwarded if it knows the child doesn't exist.

On Oct 10, 2017 11:22 AM, "seanliam73" wrote:

> Hi
>
> I have a subdomain delegated from AD to a bind9 instance I have running so that all requests for that subdomain are sent to the bind 9 instance. I would then like to set up zone forwarding so that further subdomains can be managed by other bind 9 instances.
>
> I know the forwarding is working because I can query the main bind9 instance and receive the expected results. However if I query from the AD server that is doing the delegation I get a SERVFAIL error.
>
> Am I trying to do something that is not possible or am I just missing some configuration?
>
> *main instance config*
>
> options {
>         directory "/var/named";
>         listen-on port 53 { listen addr; };
>         auth-nxdomain yes;
>         recursion yes;
>         allow-query { ip addresses; };
>         listen-on-v6 { any; };
>         dnssec-enable no;
>         dnssec-validation no;
>         dnssec-lookaside auto;
> };
>
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity debug 3;
>         };
>
>         channel querylog {
>                 file "data/query.log";
>                 severity debug 5;
>         };
>
>         category default { default_debug; };
>         category queries { querylog; };
> };
>
> zone "example.company.com" IN {
>         type forward;
>         forward only;
>         forwarders { ip address; };
> };
>
> zone "development.example.company.com" IN {
>         type forward;
>         forward only;
>         forwarders { ip address; };
> };
>
> --
> Sent from: http://bind-users-forum.2342410.n4.nabble.com/
Re: strange problem with query being dropped/ignored by the BIND process
Have you checked deeper at the OS level? I have seen on Linux DNS servers silent drops of queries on very busy servers that were exhausting UDP receive buffers.

On Jun 28, 2017 10:26 AM, "Marc Richter" wrote:
> Hi,
>
> we have a setup here consisting of a recursive DNS server and two monitoring servers. The monitoring servers send a test query to the DNS server once every two minutes to check if it is answering properly. We now have the problem that these test queries are timing out from time to time, (correctly) resulting in alarms in our monitoring system.
>
> I have checked this now and noticed that each time we see that alarm, the query sent by the monitoring server is not being answered at all. To debug that I ran tcpdump on both the monitoring server and the recursive DNS server. I see the query being sent out on the monitoring server and I also see the query being received on the DNS server; however, there is no response sent to this query at all. Looking at the query log, which I enabled temporarily, the query is also not logged there, so it looks like BIND is ignoring that query somewhere, although it is properly received by the IP stack of the server.
>
> Do you have any suggestions how to debug this further, to hopefully find out where these queries are stuck/dropped/ignored, as I have run out of ideas?
>
> The environment is: BIND 9.9.9-P5 (Extended Support Version) running on SunOS sun4v 5.11 11.3
>
> Thanks!
> Marc
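The OS-level check Ben suggests can be made concrete on Linux by diffing the kernel's UDP counters: a datagram that tcpdump sees but named never logs shows up as an increment of RcvbufErrors in /proc/net/snmp (the per-socket receive buffer was full and the kernel discarded it before any user process read it). The following script is an added example, not part of the thread; the two /proc/net/snmp samples in it are constructed, and the counter names and layout are those of the Linux file (Marc's SunOS box would need the UDP section of netstat -s instead).

```python
"""Spot silent UDP drops on a Linux DNS server by diffing the kernel's UDP
counters in /proc/net/snmp between two samples. A rising RcvbufErrors count
means datagrams reached the host but were discarded because the socket's
receive buffer was full: the "query seen in tcpdump, never logged by named"
symptom from the thread."""

# Two constructed /proc/net/snmp samples (only the lines this check needs;
# a real file also carries Ip:, Icmp:, Tcp: and other protocol pairs).
SAMPLE_BEFORE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 8812345 12 120 8810012 120 0 0 3
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
UdpLite: 0 0 0 0 0 0 0 0
"""

SAMPLE_AFTER = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 8819901 12 137 8817559 137 0 0 3
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
UdpLite: 0 0 0 0 0 0 0 0
"""


def parse_proc_net_snmp(text):
    """Return {protocol: {counter: value}}. /proc/net/snmp lists each protocol
    as a header line naming the columns followed by a line with the values."""
    pending = {}   # protocol -> column names seen but not yet paired with values
    table = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        proto, _, rest = line.partition(":")
        fields = rest.split()
        if proto not in pending:
            pending[proto] = fields
        else:
            table[proto] = dict(zip(pending.pop(proto), (int(f) for f in fields)))
    return table


def udp_counter_delta(before_text, after_text):
    """Difference of the UDP counters relevant to dropped queries."""
    before = parse_proc_net_snmp(before_text)["Udp"]
    after = parse_proc_net_snmp(after_text)["Udp"]
    return {name: after[name] - before[name]
            for name in ("InDatagrams", "InErrors", "RcvbufErrors")}


def receive_buffer_exhausted(before_text, after_text):
    """True if any datagram was dropped for lack of socket receive buffer
    space between the two samples."""
    return udp_counter_delta(before_text, after_text)["RcvbufErrors"] > 0


if __name__ == "__main__":
    # On a live host read /proc/net/snmp twice, a minute apart, instead of the samples.
    delta = udp_counter_delta(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(delta)
    if receive_buffer_exhausted(SAMPLE_BEFORE, SAMPLE_AFTER):
        print("UDP receive buffer overflow: raise net.core.rmem_max/rmem_default "
              "or reduce load; named never saw these queries")
```

The same counter is available as `nstat -az UdpRcvbufErrors` (iproute2) and as "receive buffer errors" in `netstat -su`. If it climbs, the fix is on the host (larger `net.core.rmem_max` and `rmem_default`, or more named threads/listeners), not in named.conf, because named never received the packet.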
Re: Why would a master zone use forwarders ?
If you load foo.com on server A and delegate bar.foo.com to server B with a global forwarder of server C, your resolution will vary depending on forward first vs forward only and forwarders {}.

With no forward {} the path for blah.bar.foo.com directed at server A will be A > C > B.

With forward {} the global forward will be short-circuited for foo.com and below, resulting in a path of A > B.

On May 12, 2017 11:56 AM, "Mik J" <mikyde...@yahoo.fr> wrote:
> Thank you Ben for your answer
>
> My server uses a global forwarding.
> I don't understand what you wrote: "If it is master for a foo.com and also has global forwarding it will use the global forward for any delegated child domains under foo.com unless they are also loaded locally."
>
> If my DNS is authoritative, why would I use a forwarding?
> For my sub domains I use delegations:
> sub.mydomain.com      NS  ns.sub.mydomain.com
> ns.sub.mydomain.com   A   1.1.1.1
>
> What's the difference between the global forward for delegated child domains and the delegation I do?
>
> Thank you
>
> On Friday, May 12, 2017 at 15:34, Ben Croswell <ben.crosw...@gmail.com> wrote:
>> This would only change behavior if the server has global forwarding. If it is master for a foo.com and also has global forwarding it will use the global forward for any delegated child domains under foo.com unless they are also loaded locally. The forward{} turns off global forwarding for that branch of the tree.
>>
>> On May 12, 2017 9:27 AM, "Mik J via bind-users" <bind-users@lists.isc.org> wrote:
>>> Hello,
>>>
>>> If my DNS is master/slave for a zone, why would I want it to use forwarders?
>>>
>>> In other terms, why would I want
>>> zone "mydomain.com"
>>> {
>>>     type master;
>>>     file "zones/master/com/mydomain.com";
>>>     allow-update { acl; };
>>> };
>>>
>>> Instead of (forwarders {};)
>>> zone "mydomain.com"
>>> {
>>>     type master;
>>>     file "zones/master/com/mydomain.com";
>>>     allow-update { acl; };
>>>     forwarders {};
>>> };
>>>
>>> Why would I want to forward requests if I'm authoritative for the zone?
>>>
>>> Thank you for those who can highlight this point.
Re: Why would a master zone use forwarders ?
This would only change behavior if the server has global forwarding. If it is master for a foo.com and also has global forwarding it will use the global forward for any delegated child domains under foo.com unless they are also loaded locally. The forward{} turns off global forwarding for that branch of the tree.

On May 12, 2017 9:27 AM, "Mik J via bind-users" wrote:
> Hello,
>
> If my DNS is master/slave for a zone, why would I want it to use
> forwarders?
>
> In other terms, why would I want
> zone "mydomain.com"
> {
>     type master;
>     file "zones/master/com/mydomain.com";
>     allow-update { acl; };
> };
>
> Instead of (forwarders {};)
> zone "mydomain.com"
> {
>     type master;
>     file "zones/master/com/mydomain.com";
>     allow-update { acl; };
>     forwarders {};
> };
>
> Why would I want to forward requests if I'm authoritative for the zone?
>
> Thank you for those who can highlight this point.
Re: Bind master keeps saying it is not authoritative
Ensure that the allow-query clause on the master includes the slave. If the slave can't query for the SOA on the zone it can't do an xfer.

On Mar 2, 2017 6:34 AM, "Xavier Humbert" wrote:
> The whole configuration, comments removed:
>
> -- Master --
> acl my-slaves {
>     any;    // DEBUG
> };
>
> acl my-clients {
>     any;    // DEBUG
> };
>
> options {
>     // IP config
>     listen-on port 53 { 172.29.16.135; 127.0.0.1; };
>     listen-on-v6 port 53 { none; };
>
>     // Paths
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>
>     // Behaviour
>     recursion no;
>     allow-transfer { my-slaves; };
> };
>
> // rndc key
> include "/etc/rndc.key";
>
> controls {
>     inet 127.0.0.1 port 953
>         allow { 127.0.0.1; } keys { "rndc-key"; };
> };
>
> // Logging
> // omitted
>
> zone "in.acv.orion.education.fr" {
>     type master;
>     file "/etc/named/internal/in.acv.orion.education.fr.db";
>     allow-transfer { my-slaves; };
> };
>
> -- Slave --
> acl my-clients {
>     localhost;
>     any;    // DEBUG
> };
>
> options {
>     // IP config
>     listen-on port 53 { 172.29.16.133; 127.0.0.1; };
>     listen-on-v6 port 53 { none; };
>
>     // Paths
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>
>     // Behaviour
>     recursion no;
>     allow-update { 172.29.16.135; };
>     allow-transfer { 172.29.16.135; };
> };
>
> // rndc key
> include "/etc/rndc.key";
>
> // Logging
> // Omitted
>
> zone "in.acv.orion.education.gouv.fr" {
>     type slave;
>     file "/etc/named/in.acv.orion.education.gouv.fr.db";
>     masters { 172.29.16.135; };
> };
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> --
>
> Really, really basic!
> Thanks
>
> --
> Xavier Humbert
> CRT Supervision et Exploitation de Niveau 1
> Rectorat de Nancy-Metz
> 03 83 86 27 39
Re: The DDOS attack on DYN & RRL ?
The other option being having a master owned by your company and then setting both external providers to secondary from your master. You get to maintain control over data and have diversity.

On Nov 1, 2016 10:42 AM, "Barry Margolin" <bar...@alum.mit.edu> wrote:
> In article <mailman.546.1477931391.7.bind-us...@lists.isc.org>,
> Ben Croswell <ben.crosw...@gmail.com> wrote:
>
>> I think what we see as a result of this attack is DNS provider diversity
>> being the new buzz phrase. The same as not relying on a single ISP link I
>> see more people using multiple DNS providers.
>> The size of these attacks will grow as IoT continues to grow. It makes
>> sense to have diverse providers to ensure your domains are serviceable if a
>> provider gets attacked.
>
> My boss asked me to look into this after the attack. The sticking point
> seems to be that most DNS providers don't allow zone transfers from
> their servers. We currently get our auth DNS from SoftLayer, the hosting
> provider for our primary web, application, and database servers. I
> contacted them to find out if it's possible to enable zone transfers to
> a third party slave service; they said no; they suggested that we simply
> set up both services as masters, which would mean we'd have to update
> them independently (or write our own scripts that make use of each
> service's API). The customers of Dyn are in the same situation.
>
> Maybe last week's incident will prompt enough big customers to demand
> this that they'll change their policies.
>
> --
> Barry Margolin
> Arlington, MA
Re: The DDOS attack on DYN & RRL ?
I think what we see as a result of this attack is DNS provider diversity being the new buzz phrase. The same as not relying on a single ISP link, I see more people using multiple DNS providers.
The size of these attacks will grow as IoT continues to grow. It makes sense to have diverse providers to ensure your domains are serviceable if a provider gets attacked.

On Oct 31, 2016 12:25 PM, "Matthew Seaman" wrote:
> On 2016/10/31 16:09, Barry Margolin wrote:
>> I heard that the impact of the attack was even narrower than just the
>> US, it was mostly eastern US. That suggests some things about the
>> granularity of Dyn's anycast network and the distribution of the Mirai
>> botnet.
>
> There were actually three attacks on the same day. The first (about
> 12:00 UTC) affected pretty much just the Eastern USA, and we saw little
> beyond some raised RTTs in Europe. The second (about 16:00 UTC) took out
> all the Dyn POPs in the USA and affected their European POP. The third
> (around 18:00 UTC) ... was pretty much a non-event. Dyn had mitigated
> the attacks pretty effectively by that point.
>
> Cheers,
>
> Matthew
Re: bind caching data from additional section in responses
On Oct 07, 2016, at 05.44, Tony Finch <d...@dotat.at> wrote:
>
> ben thielsen via bind-users <bind-users@lists.isc.org> wrote:
>>
>> zone "example.com" {
>>     type stub;
>>     masters {
>>         "example.com";
>>     };
>> };
>>
>> masters "example.com" {
>>     192.168.81.50;
>> };
>
> If you want a fixed set of master servers for a zone, use static-stub.

Aha, this seems to have worked.

>> is my perception accurate? is bind caching the data it got back in the
>> additional section, for a name outside of the queried zone? if so, why?
>
> See RFC 2181 section 5.4.1 on trustworthiness ranking of DNS data.
>
> BIND needs to cache referrals in order to be able to find the servers for
> follow-up queries (including when it is completing the current query!).
> It doesn't pro-actively check the authoritative servers to get more
> trustworthy versions of the referral records.

Thanks for taking the time to summarize this. I sort of have mixed feelings, a little bit, about that degree of trust in additional data, but I get the rationale.

-ben
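The ranking Tony points to (RFC 2181 section 5.4.1) is what keeps additional-section data from being dangerous even though it is cached: a resolver only lets an RRset replace a cached one of equal or higher trust, and additional-section records sit at the bottom. The toy cache below is an added example written for this page, not BIND code; it replays Ben's sequence with constructed addresses (the 192.0.2.1 glue from his dump, and 192.168.81.50 from his masters block standing in for the internal address an authoritative answer would carry). Real resolvers additionally discard additional-section records outside the bailiwick of the server that sent them; that check is not modelled here.

```python
"""Toy resolver cache that applies the RFC 2181 section 5.4.1 trustworthiness
ranking: an RRset already in the cache is replaced only by data of equal or
higher trust. Additional-section glue is accepted (the resolver needs it to
reach the next server) but at the lowest rank, so an authoritative answer
for the same name overrides it and a later additional section cannot undo that."""

# Trust levels from RFC 2181 5.4.1, highest first (7 = most trusted).
TRUST = {
    "primary_zone": 7,    # data from a locally loaded primary zone (not glue)
    "zone_transfer": 6,   # data from a zone transfer (not glue)
    "auth_answer": 5,     # answer section of an authoritative reply
    "auth_authority": 4,  # authority section of an authoritative reply
    "zone_glue": 3,       # glue from a primary zone or a zone transfer
    "nonauth_answer": 2,  # answer section of a non-authoritative reply
    "additional": 1,      # additional section of any reply, authority of a non-auth reply
}


class RankedCache:
    def __init__(self):
        # (owner, rtype) -> {"rdata": frozenset, "ttl": int, "trust": int}
        self._rrsets = {}

    @staticmethod
    def _key(owner, rtype):
        return (owner.lower().rstrip("."), rtype.upper())

    def insert(self, owner, rtype, rdata, ttl, source):
        """Store an RRset unless the cached copy is more trustworthy.
        Returns True if the cache changed."""
        key = self._key(owner, rtype)
        trust = TRUST[source]
        current = self._rrsets.get(key)
        if current is not None and current["trust"] > trust:
            return False   # keep the better-ranked data, ignore the new copy
        self._rrsets[key] = {"rdata": frozenset(rdata), "ttl": ttl, "trust": trust}
        return True

    def lookup(self, owner, rtype):
        """(sorted rdata, ttl, trust) or None."""
        entry = self._rrsets.get(self._key(owner, rtype))
        if entry is None:
            return None
        return (sorted(entry["rdata"]), entry["ttl"], entry["trust"])


def replay_bens_case():
    """Replay the thread's sequence with constructed data; returns the cache
    and whether each insert changed it."""
    cache = RankedCache()
    changed = []
    # 1. The reply to 'example.net NS' carries ns1.example.com A in ADDITIONAL: cached at rank 1.
    changed.append(cache.insert("ns1.example.com", "A", ["192.0.2.1"], 172799, "additional"))
    # 2. A direct authoritative answer for ns1.example.com A (constructed) replaces it.
    changed.append(cache.insert("ns1.example.com", "A", ["192.168.81.50"], 3600, "auth_answer"))
    # 3. Another referral repeats the public glue in ADDITIONAL: lower trust, so it is ignored.
    changed.append(cache.insert("ns1.example.com", "A", ["192.0.2.1"], 172799, "additional"))
    return cache, changed


if __name__ == "__main__":
    cache, changed = replay_bens_case()
    print("inserts changed cache:", changed)
    print("ns1.example.com A ->", cache.lookup("ns1.example.com", "A"))
```

The practical consequence for Ben's setup is the one Tony describes: the glue stays until something more trustworthy arrives, and BIND does not go and fetch that on its own. A static-stub zone (or a query that reaches the authoritative server and comes back with rank 5 data) is what replaces the rank 1 glue.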
bind caching data from additional section in responses
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16683
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.example.com.               IN      A

;; Query time: 4008 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 06 14:12:50 EDT 2016
;; MSG SIZE  rcvd: 46

A brief inspection of the cache seems to corroborate this:

>rm named_dump.db
>rndc flush
>dig @localhost example.net ns

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @localhost example.net ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13961
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.net.                   IN      NS

;; ANSWER SECTION:
example.net.            300     IN      NS      ns1.he.net.
example.net.            300     IN      NS      ns1.example.com.
example.net.            300     IN      NS      ns2.he.net.
example.net.            300     IN      NS      ns3.he.net.

;; ADDITIONAL SECTION:
ns1.he.net.             172799  IN      A       216.218.130.2
ns1.example.com.        172799  IN      A       192.0.2.1
ns2.he.net.             172799  IN      A       216.218.131.2
ns2.he.net.             172799  IN      AAAA    2001:470:200::2
ns3.he.net.             172799  IN      A       216.218.132.2
ns3.he.net.             172799  IN      AAAA    2001:470:300::2

;; Query time: 1393 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 06 14:17:04 EDT 2016
;; MSG SIZE  rcvd: 245

>rndc dumpdb
>grep -iF -B 5 -A 5 'example.com' named_dump.db
[...]
; answer
example.net.            292     NS      ns1.he.net.
                        292     NS      ns1.example.com.
                        292     NS      ns2.he.net.
                        292     NS      ns3.he.net.
[...]
; glue
ns1.example.com.        172791  A       192.0.2.1
; glue
[...]

Is my perception accurate? Is bind caching the data it got back in the additional section, for a name outside of the queried zone? If so, why? How can I tell it to not do this? Enabling "nat loopback" would "fix" this, but imho, to put it diplomatically, that is inelegant at best, and I'd prefer not to.

Thanks
-ben
Re: statistics-channels not serving rdtype records
Uh, user error. Turns out they aren't created until the server actually receives requests. I started testing the server for completeness, and the records started showing up!

In any case:

statistics-channels {
    inet * port 8053 allow { any; };
};

Thanks!
Ben

On Thu, Apr 7, 2016 at 4:45 PM John Miller <johnm...@brandeis.edu> wrote:
> On Thu, Apr 7, 2016 at 3:42 PM, Ben Wilson <doubting...@gmail.com> wrote:
>> Hi,
>>
>> I'm not sure what is different on a new server I'm setting up, but when
>> querying the port configured for statistics-channels, no rdtype records are
>> included.
>>
>> resstat, socket, task, etc are all there, but not the number of queries.
>>
>> My version:
>> ii  bind9        1:9.9.5.dfsg-3ubuntu0.8  amd64  Internet Domain Name Server
>> ii  bind9-host   1:9.9.5.dfsg-3ubuntu0.8  amd64  Version of 'host' bundled with BIND 9.X
>> ii  bind9utils   1:9.9.5.dfsg-3ubuntu0.8  amd64  Utilities for BIND
>> ii  libbind9-90  1:9.9.5.dfsg-3ubuntu0.8  amd64  BIND9 Shared Library used by BIND
>
> Hi Ben,
>
> Can you show us your statistics-channels {} blocks from both your old
> server and your new server config? That'll be easier than trying to
> compare Ubuntu package versions or anything like that.
>
> John
statistics-channels not serving rdtype records
Hi,

I'm not sure what is different on a new server I'm setting up, but when querying the port configured for statistics-channels, no rdtype records are included.

resstat, socket, task, etc are all there, but not the number of queries.

My version:
ii  bind9        1:9.9.5.dfsg-3ubuntu0.8  amd64  Internet Domain Name Server
ii  bind9-host   1:9.9.5.dfsg-3ubuntu0.8  amd64  Version of 'host' bundled with BIND 9.X
ii  bind9utils   1:9.9.5.dfsg-3ubuntu0.8  amd64  Utilities for BIND
ii  libbind9-90  1:9.9.5.dfsg-3ubuntu0.8  amd64  BIND9 Shared Library used by BIND

Any ideas what I'm missing here?

Thanks!
Ben
RE: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS
TXT records are multiple-purpose. They can be used for SPF records, Office 365 "MS" records, DMARC records, or whatever arbitrary uses someone dreams up, all for the same domain name. Microsoft wants a short TTL for their Office 365 records, but I would prefer to generally use a longer TTL for most records (including other TXT records) in order to reduce the query load on our servers. It would be nice to be able to set a short TTL for the Office 365 record but a longer TTL for other TXT records for the same domain name.

Thanks,
Ben

From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Darcy Kevin (FCA)
Sent: Thursday, March 24, 2016 9:55 AM
To: bind-users@lists.isc.org
Subject: RE: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

This is deliberately forbidden by standard. See RFC 2181, Section 5.2 ("TTLs of RRs in an RRSet").

Why would you want to do this?

- Kevin

From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ben Bridges
Sent: Thursday, March 24, 2016 10:48 AM
To: bind-users@lists.isc.org
Subject: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

Greetings. Is it possible in BIND to configure multiple resource records for the same domain name, TYPE, and CLASS with different TTL values? For example:

Test-txt.example.com    300    IN    TXT    "Test 300"
Test-txt.example.com    400    IN    TXT    "Test 400"
Test-txt.example.com    500    IN    TXT    "Test 500"
Test-txt.example.com    600    IN    TXT    "Test 600"
Test-txt.example.com    700    IN    TXT    "Test 700"

I tried it, and BIND set the TTL for all five records to 300 (or more specifically, the TTL of the first one of the RRs in the file). I looked for a BIND directive in the manual to change this behavior but could find no obvious candidate.

Thanks,
Ben Bridges
Springfield, MO
Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS
Greetings. Is it possible in BIND to configure multiple resource records for the same domain name, TYPE, and CLASS with different TTL values? For example:

Test-txt.example.com    300    IN    TXT    "Test 300"
Test-txt.example.com    400    IN    TXT    "Test 400"
Test-txt.example.com    500    IN    TXT    "Test 500"
Test-txt.example.com    600    IN    TXT    "Test 600"
Test-txt.example.com    700    IN    TXT    "Test 700"

I tried it, and BIND set the TTL for all five records to 300 (or more specifically, the TTL of the first one of the RRs in the file). I looked for a BIND directive in the manual to change this behavior but could find no obvious candidate.

Thanks,
Ben Bridges
Springfield, MO
Re: CVE-2015-7547: getaddrinfo() stack-based buffer overflow
Cyber folks asked if there was any way for the DNS servers to "protect" the vulnerable clients. The only thing I could see from the explanation was disabling or limiting EDNS0 sizes. That is obviously not a long term option.

On Feb 17, 2016 11:39 AM, "Alan Clegg" wrote:
> On 2/17/16, 11:34 AM, "Reindl Harald" (on behalf of h.rei...@thelounge.net) wrote:
>
>> On 17.02.2016 at 17:22, Dominique Jullier wrote:
>>> Are there any thoughts around how to handle yesterday's glibc
>>> vulnerability[1][2] from the side of bind?
>>>
>>> Since it is a rather painful task in order to update all hosts to a new
>>> version of glibc, we were thinking about other possible workarounds
>>
>> Fedora, RHEL and Debian as well as likely all other relevant
>> distributions are providing a patched glibc - dunno what is "rather
>> painful" to apply an ordinary update like kernel security updates and
>> restart all network relevant processes or reboot
>
> While I agree that the "major distributions" (and even the minor ones) are
> getting patches out, I'd like to point out something that Alan Cox posted
> over on G+:
>
> "You can upgrade all your servers but if that little cheapo plastic box on
> your network somewhere has a vulnerable post 2008 glibc and ever does DNS
> lookups chances are it's the equivalent of a trapdoor into your network."
>
> https://plus.google.com/+AlanClegg/posts/R1UkJjHMMB6
>
> There does need to be something a bit deeper than "patch your servers"..
>
> AlanC
Re: About CVE-2015-5477 (An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure)
Is it safe to say the only vulnerable hosts would be those accepting queries from the outside world, or would this also pertain to servers getting responses from the outside world with no inbound queries?

On Jul 28, 2015 5:42 PM, Michael McNally <mcna...@isc.org> wrote:
> As the security incident manager for this particular vulnerability notification, I'd like to say a little extra, beyond our official vulnerability disclosure (https://kb.isc.org/article/AA-01272) about this critical defect in BIND.
>
> Many of our bugs are limited in scope or affect only users having a particular set of configuration choices. CVE-2015-5477 does not fall into that category. Almost all unpatched BIND servers are potentially vulnerable. We know of no configuration workarounds. Screening the offending packets with firewalls is likely to be difficult or impossible unless those devices understand DNS at a protocol level and may be problematic even then. And the fix for this defect is very localized to one specific area of the BIND code.
>
> The practical effect of this is that this bug is difficult to defend against (except by patching, which is completely effective) and will not be particularly difficult to reverse-engineer. I have already been told by one expert that they have successfully reverse-engineered an attack kit from what has been divulged and from analyzing the code changes, and while I have complete confidence that the individual who told me this is not intending to use his kit in a malicious manner, there are others who will do so who may not be far behind.
>
> Please take steps to patch immediately. This bug is designated Critical and it deserves that designation.
Re: Diagnostic help
The default for allow-query is localhost; localnets. Basically the server itself and directly connected networks.

On Sep 29, 2014 8:03 PM, Bill Christensen <billc_li...@greenbuilder.com> wrote:
> Hi folks,
>
> Something got sideways on one of my DNS servers, and I would appreciate some help in figuring out what's going on. I'm running BIND 9.10.1. This server is authoritative master for a number of domains.
>
> First off, I may have the allow-query set incorrect. Currently I have:
>
> acl query-permit {
>     (range of IP addresses on the local LAN which are allowed to use this server as their query server)
> };
>
> acl recursive-permit {
>     (range of IP addresses on the local LAN which are allowed to use this server for recursive queries)
> };
>
> acl transfer-permit {
>     (IP addresses of a couple other name servers allowed to do transfers with this one)
> };
>
> and at the beginning of the options section:
>
> allow-recursion { recursive-permit; };
> allow-transfer { transfer-permit; };
> // allow-query { query-permit; };
>
> Allow-query is commented out, which I assume will allow anyone to query this server for the domains for which it has master or slave records, but does not allow the general public to do recursive queries or queries on domains not hosted here. Let me know if I've got that right, or how to correct it if I don't. If this part is correct I'll continue the questioning.
>
> Thanks!
Re: Slave zero-TTL on CNAMES
Cisco routers do have the ability to doctor DNS packets when doing NAT. When it doctors it sets the TTL to 0, but I don't know why it would only do it on CNAME records.

On Jun 5, 2014 12:43 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
> On 05.06.2014 17:58, /dev/rob0 wrote:
>> On Thu, Jun 05, 2014 at 05:21:47PM +0200, Reindl Harald wrote:
>>> what the hell invents "$TTL 0 ; 0 seconds" lines before each CNAME block while on the master there is exactly one TTL line with 86400 on top of the file?
>>
>> The way named writes a zone file is not the way I would do it. Records are strictly in alphabetic order, and $TTL blocks are made around all RRSETs where TTL varies.
>>
>> The zone FILE is not your problem. I don't know exactly what the problem might be. It seems that something is intercepting and filtering the zone transfers? You could try transfers manually from the slave:
>>
>> dig [key auth if required] rhsoft.net. axfr @91.118.73.16
>>
>> Does that show any zero TTLs? If so I suggest you place a couple of sniffers at strategic spots, one leaving the master, another entering the slave, and force a zone transfer.
>
> as you can see clearly below any CNAME record comes with a zero TTL
> the dotted line are a lot of CNAMEs, all with zero TTL
> after them the first A-record has again the desired 86400
> the SOA at the end comes also with 86400 and the CNAME block before again has a TTL of zero
>
> I can't imagine anything which would sit between the transfer and change things - oh wait, there was a Zyxel router in front of ns1 which was exploitable and now is replaced by a small Cisco from the ISP
>
> oh, no, don't tell me that my ISP clutters DNS again :-(
>
> [root@ns2:~]$ dig rhsoft.net. axfr @91.118.73.16
>
> ; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-15.P2.fc19 <<>> rhsoft.net. axfr @91.118.73.16
> ;; global options: +cmd
> rhsoft.net.             86400  IN  SOA    ns2.thelounge.net. hostmaster.thelounge.net. 1226095186 3600 1800 1814400 3600
> rhsoft.net.             86400  IN  MX     10 barracuda.thelounge.net.
> rhsoft.net.             86400  IN  TXT    "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 ip4:62.178.103.85 -all"
> rhsoft.net.             86400  IN  SPF    "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 ip4:62.178.103.85 -all"
> rhsoft.net.             86400  IN  NS     ns2.thelounge.net.
> rhsoft.net.             86400  IN  NS     ns1.thelounge.net.
> rhsoft.net.             86400  IN  A      91.118.73.4
> **.rhsoft.net.          0      IN  CNAME  **.rhsoft.net.
> **.rhsoft.net.          0      IN  CNAME  **.rhsoft.net.
> testserver.rhsoft.net.  86400  IN  A      84.113.92.77
> **.rhsoft.net.          0      IN  CNAME  **.rhsoft.net.
> rhsoft.net.             86400  IN  SOA    ns2.thelounge.net. hostmaster.thelounge.net. 1226095186 3600 1800 1814400 3600
>
> ;; Query time: 22 msec
> ;; SERVER: 91.118.73.16#53(91.118.73.16)
> ;; WHEN: Do Jun 05 18:35:08 CEST 2014
> ;; XFR size: 58 records (messages 1, bytes 1545)
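Two of the threads above come down to TTL checks on records in presentation format: Ben Bridges' TXT set, where RRs of one RRset carry different TTLs (forbidden by RFC 2181 section 5.2, and collapsed by named on load), and Reindl's zero-TTL CNAMEs, where /dev/rob0's advice is to transfer the zone from both ends and compare. The script below is an added example for both, not code from either thread. Its inputs are constructed: the TXT lines are the ones from Ben's message, and the two AXFR dumps imitate Reindl's output with example.net names. A related caveat for the transfer case: a TSIG-signed AXFR covers the whole message with its MAC, so a middlebox rewriting TTLs in transit would make the transfer fail verification rather than silently deliver changed data.

```python
"""Two TTL checks over DNS records in the 'owner ttl class type rdata'
presentation format that dig and zone files use.

rrset_ttl_mismatches()  finds RRsets whose members carry different TTLs
                        (RFC 2181 section 5.2 requires one TTL per RRset).
transfer_ttl_diffs()    compares an AXFR taken at the master with one taken
                        at the slave; any record whose TTL changed on the way
                        points at something rewriting packets between them."""
from collections import defaultdict


def parse_records(text):
    """Parse 'owner ttl class type rdata' lines; comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        records.append((owner.lower().rstrip("."), int(ttl), rclass.upper(), rtype.upper(), rdata))
    return records


def rrset_ttl_mismatches(records):
    """{(owner, class, type): sorted TTLs} for every RRset with more than one TTL."""
    ttls = defaultdict(set)
    for owner, ttl, rclass, rtype, _ in records:
        ttls[(owner, rclass, rtype)].add(ttl)
    return {key: sorted(seen) for key, seen in ttls.items() if len(seen) > 1}


def normalize_rrset_ttls(records):
    """Give every RR in an RRset the TTL of the first RR seen, the behaviour
    Ben observed when named loaded his zone. (A resolver that receives such
    a set is told by RFC 2181 5.2 to treat all of them as the lowest TTL.)"""
    first = {}
    out = []
    for owner, ttl, rclass, rtype, rdata in records:
        key = (owner, rclass, rtype)
        first.setdefault(key, ttl)
        out.append((owner, first[key], rclass, rtype, rdata))
    return out


def transfer_ttl_diffs(master_text, slave_text):
    """[(record_key, master_ttl, slave_ttl)] for records present in both
    transfers whose TTL differs. The SOA that dig prints first and last maps
    to one key, so it does not produce a spurious entry."""
    def index(text):
        return {(o, c, t, r): ttl for o, ttl, c, t, r in parse_records(text)}
    master, slave = index(master_text), index(slave_text)
    return [(key, master[key], slave[key])
            for key in master if key in slave and master[key] != slave[key]]


# Constructed samples.
TXT_ZONE = """\
Test-txt.example.com 300 IN TXT "Test 300"
Test-txt.example.com 400 IN TXT "Test 400"
Test-txt.example.com 500 IN TXT "Test 500"
Test-txt.example.com 600 IN TXT "Test 600"
Test-txt.example.com 700 IN TXT "Test 700"
"""

MASTER_AXFR = """\
example.net.       86400 IN SOA   ns1.example.net. hostmaster.example.net. 2014060501 3600 1800 1814400 3600
example.net.       86400 IN NS    ns1.example.net.
example.net.       86400 IN A     192.0.2.4
www.example.net.   86400 IN CNAME example.net.
mail.example.net.  86400 IN CNAME example.net.
test.example.net.  86400 IN A     192.0.2.77
example.net.       86400 IN SOA   ns1.example.net. hostmaster.example.net. 2014060501 3600 1800 1814400 3600
"""

# What the slave received: identical except that every CNAME arrived with TTL 0.
SLAVE_AXFR = MASTER_AXFR.replace("86400 IN CNAME", "0 IN CNAME")


if __name__ == "__main__":
    print("RRset TTL mismatches:", rrset_ttl_mismatches(parse_records(TXT_ZONE)))
    for key, master_ttl, slave_ttl in transfer_ttl_diffs(MASTER_AXFR, SLAVE_AXFR):
        print(f"{key[0]} {key[2]}: master TTL {master_ttl}, slave TTL {slave_ttl}")
```

To run it against real data, feed `dig axfr` output captured at the master and at the slave (with the TSIG key if transfers require one) to `transfer_ttl_diffs()`, and a zone file with no `$TTL` or `$ORIGIN` directives to `rrset_ttl_mismatches()`; `named-checkzone` reports the latter case too.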
Re: Bind 9.9.1 forward zone local
I would imagine your issue is a lack of an NS delegation in the root zone you are slaving. If you load a parent and then try to forward a child of that parent you must have a delegation in the parent. The delegation doesn't have to match the forwarders but it must exist.

On Mar 25, 2014 1:57 PM, Андрей Ветров <proukorn...@gmail.com> wrote:
> Hello.
>
> I have a problem with forwarding zone local to ISP resolvers. My config is:
>
> options {
>     directory "/tmp";
>     disable-empty-zone ".";
> };
>
> zone "." {
>     type slave;
>     masters { 192.0.32.132; 193.0.14.129; };
>     masterfile-format text;
>     file "/etc/bind/db.root";
>     allow-query { any; };
> };
>
> zone "local." IN {
>     type forward;
>     forwarders { DNS_IP_ISP; };
>     forward only;
> };
>
> zone "opendns.com" IN {
>     type forward;
>     forwarders { 208.67.222.222; 208.67.222.220; 208.67.220.220; 208.67.220.222; };
>     forward only;
> };
>
> Forwarding to opendns works; dig +short myip.opendns.com returns the IP address correctly.
> Forwarding to local doesn't work; dig returns NXDOMAIN.
> Commenting out zone "." leads to correct work of zone local.
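Ben's explanation here, his A > C > B versus A > B answer to Mik J, and his reply in the "Forwarding from delegated zone" thread all follow from one rule: named only consults forwarding when it has to recurse, and a name inside a locally loaded zone only triggers recursion if the zone contains an NS delegation above it. The model below is an added example written for this page, not BIND's code; it reduces named's behaviour to a longest-match over loaded zones, their delegations, and a single forwarding table (the simplification that forward zones and per-zone `forwarders` clauses populate the same name-keyed table is an assumption of the model). Server names and the `DNS_IP_ISP` placeholder are taken from the threads; `forward first` fallback to iteration when a forwarder fails is not modelled, and a forward to C stops at C in the model because C does the rest on its own.

```python
"""Model of how a BIND server picks the path for a query. It reproduces the
three situations in these threads: a 'type forward' zone that is never
consulted because the parent zone loaded on the same server has no NS
delegation for the child (the AD case and the slaved root zone), and
'forwarders {};' on an authoritative zone switching a delegated child's
path from the global forwarder C to the delegated server B (Mik J's case)."""
from dataclasses import dataclass, field


def suffixes(name):
    """'a.b.c' -> 'a.b.c', 'b.c', 'c', '.' (longest first)."""
    labels = name.strip(".").split(".") if name.strip(".") else []
    for i in range(len(labels)):
        yield ".".join(labels[i:])
    yield "."


def longest_match(name, table):
    """Closest enclosing entry of table for name, or None."""
    for candidate in suffixes(name):
        if candidate in table:
            return candidate
    return None


@dataclass
class AuthZone:
    """A zone of type master/slave loaded on the server."""
    apex: str
    delegations: dict = field(default_factory=dict)  # child name -> its nameservers (an NS cut)
    forwarders: list = None  # None: no clause; []: 'forwarders {};'; [...]: zone-level forwarders


@dataclass
class Server:
    name: str
    zones: dict = field(default_factory=dict)          # apex -> AuthZone
    forward_zones: dict = field(default_factory=dict)  # name -> forwarders of a 'type forward' zone
    global_forwarders: list = field(default_factory=list)  # options { forwarders { ... }; }


def forwarders_for(server, qname):
    """Assumed model: one forwarding table keyed by name, fed by forward zones
    and by 'forwarders' clauses on authoritative zones. The longest match
    wins; an empty list there switches forwarding off for that subtree."""
    table = dict(server.forward_zones)
    for apex, zone in server.zones.items():
        if zone.forwarders is not None:
            table[apex] = zone.forwarders
    match = longest_match(qname, table)
    if match is not None:
        return list(table[match])
    return list(server.global_forwarders)


def query_path(server, qname):
    """('authoritative', apex): answered, possibly with NXDOMAIN, from local zone data;
    ('forward', servers): sent to forwarders; ('iterate', servers): chased directly."""
    qname = qname.strip(".").lower() or "."
    apex = longest_match(qname, server.zones)
    if apex is not None:
        cut = longest_match(qname, server.zones[apex].delegations)
        if cut is None:
            # The loaded zone is the final word on this name. No recursion
            # takes place, so a forward zone below this apex is never consulted.
            return ("authoritative", apex)
        next_hop = server.zones[apex].delegations[cut]
    else:
        next_hop = ["root hints"]
    forwarders = forwarders_for(server, qname)
    if forwarders:
        return ("forward", forwarders)
    return ("iterate", list(next_hop))


def demo():
    # Mik J: A is master for foo.com, bar.foo.com is delegated to B, C is the global forwarder.
    a = Server("A", zones={"foo.com": AuthZone("foo.com", {"bar.foo.com": ["B"]})},
               global_forwarders=["C"])
    via_c = query_path(a, "blah.bar.foo.com")
    a.zones["foo.com"].forwarders = []  # add 'forwarders {};' to the foo.com zone statement
    via_b = query_path(a, "blah.bar.foo.com")
    # Андрей: the root zone is slaved locally; 'local.' and 'opendns.com' are forward zones.
    r = Server("R", zones={".": AuthZone(".", {"com": ["a.gtld-servers.net"]})},
               forward_zones={"local": ["DNS_IP_ISP"], "opendns.com": ["208.67.222.222"]})
    return via_c, via_b, query_path(r, "myip.opendns.com"), query_path(r, "printer.local")


if __name__ == "__main__":
    labels = ("A, global forwarder C", "A, forwarders {}", "myip.opendns.com", "printer.local")
    for label, path in zip(labels, demo()):
        print(f"{label:24} -> {path}")
```

Deleting the `"."` entry from `r.zones` in the demo (Андрей commenting out his root zone) turns the `printer.local` result into a forward to `DNS_IP_ISP`, and adding `"local"` to the root zone's delegations does the same while keeping the slaved root, which is the fix Ben describes.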
Re: which Name sever is selected?
By decaying I mean they take some percent of time off of the RTT of the name servers that aren't used when there is a successful query to the fastest. Eventually the slower servers will be faster than the fastest and get queried. That query will set the RTT again for that server and it will go back to being slower.

On Mar 3, 2014 8:24 AM, houguanghua <houguang...@hotmail.com> wrote:
> Hi Ben,
>
> What's the meaning of "bind decaying"? Where can I find the detailed description?
>
> Thanks!
> Guanghua
>
> Date: Fri, 28 Feb 2014 11:39:54 -0500
> From: Ben Croswell <ben.crosw...@gmail.com>
> To: bind-users@lists.isc.org
> Subject: Re: which Name sever is selected?
>
>> RTT banding was removed in early versions of 9.8 due to the performance hit being larger than any security benefit. So it would depend what version of bind is being used in this case.
>>
>> https://www.isc.org/blogs/rtt-banding-removal-from-bind-9/
>>
>> It is important to note that all NS records will take some percent of the traffic even if they are not the fastest. This is due to bind decaying the RTT on the NS records that were not used when it gets a successful query from the fastest NS. That way if there is a failure on a box it can eventually be tried again and make it back into the top position.
>>
>> On Feb 28, 2014 11:07 AM, Barry Margolin <bar...@alum.mit.edu> wrote:
>>> In article <mailman.2368.1393596895.20661.bind-us...@lists.isc.org>, houguanghua <houguang...@hotmail.com> wrote:
>>>
>>>> If there is a list of NS records, the local name server uses the RTT (round trip time) algorithm to find the fastest, and queries that server. But I found it's not right. In the testing, the local name server doesn't query the fastest authority name server. Someone tells me that if the local name server gets an RTT to one remote server that is less than 30ms, it will not test RTT to other remote servers, even if the RTT is much less. In other words, the local server will only query the first remote server with the RTT less than 30ms. Who would tell me the truth?
>>>>
>>>> Thanks!
>>>> Guanghua
>>>
>>> I believe the RTT values are grouped into ranges, and it prefers servers that are in a better range. 30 ms might be in the lowest range, so another server can't be better.
>>>
>>> --
>>> Barry Margolin
>>> Arlington, MA
Re: which Name sever is selected?
RTT banding was removed in early versions of 9.8 due to the performance hit being larger than any security benefit. So it would depend what version of bind is being used in this case.
https://www.isc.org/blogs/rtt-banding-removal-from-bind-9/

It is important to note that all NS records will take some percent of the traffic even if they are not the fastest. This is due to bind decaying the RTT on the NS records that were not used when it gets a successful query from the fastest NS. That way if there is a failure on a box it can eventually be tried again and make it back into the top position.

On Feb 28, 2014 11:07 AM, Barry Margolin <bar...@alum.mit.edu> wrote:

> In article <mailman.2368.1393596895.20661.bind-us...@lists.isc.org>, houguanghua <houguang...@hotmail.com> wrote:
> > If there is a list of NS records, the local name server uses the RTT (round trip time) algorithm to find the fastest, and queries that server. But I found it's not right. In the testing, the local name server doesn't query the fastest authority name server. Someone tells me that if the RTT the local name server gets to one remote server is less than 30ms, it will not test the RTT to other remote servers, even if their RTT is much less. In other words, the local server will only query the first remote server with an RTT less than 30ms. Who would tell me the truth?
> >
> > Thanks!
> > Guanghua
>
> I believe the RTT values are grouped into ranges, and it prefers servers that are in a better range. 30 ms might be in the lowest range, so another server can't be better.
>
> --
> Barry Margolin
> Arlington, MA
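As an added illustration of the decay mechanism Ben describes in this message and in his follow-up above (this is not BIND's own server-selection code): a simulation in which the resolver always picks the lowest estimated RTT, replaces that estimate with a fresh measurement, and shaves a fixed percentage off the estimates of the servers it did not use. The three latencies, the decay factor and the assumption that every query succeeds are constructed for the demonstration.

```python
"""Simulation of RTT-based server selection with decay of unused servers.

Added example, not BIND source. Constructed assumptions: a fixed decay
factor, three authoritative servers with fixed "true" latencies, and a
successful answer on every query.
"""
from dataclasses import dataclass

DECAY = 0.98  # assumed: an unused server keeps 98% of its stored RTT per query


@dataclass
class Server:
    name: str
    true_rtt: float       # constructed real latency in ms
    est_rtt: float        # the resolver's current estimate in ms
    queries: int = 0      # how often this server has been chosen


def pick_server(servers):
    """Choose the server with the lowest estimated RTT."""
    return min(servers, key=lambda s: s.est_rtt)


def query_once(servers):
    """One query: use the fastest estimate, refresh its RTT, decay the rest."""
    chosen = pick_server(servers)
    chosen.queries += 1
    chosen.est_rtt = chosen.true_rtt     # a real measurement replaces the estimate
    for s in servers:
        if s is not chosen:
            s.est_rtt *= DECAY            # unused servers look a little faster
    return chosen


def simulate(servers, n_queries):
    """Run n_queries and return {name: share of queries} for each server."""
    for _ in range(n_queries):
        query_once(servers)
    return {s.name: s.queries / n_queries for s in servers}


def make_servers():
    """Constructed set: estimates start equal to the true latency."""
    return [Server("ns1", 10.0, 10.0),
            Server("ns2", 40.0, 40.0),
            Server("ns3", 120.0, 120.0)]


if __name__ == "__main__":
    # The slow servers still receive a small share: their decayed estimate
    # eventually drops below ns1's, they get one query, the real measurement
    # pushes them back to the bottom, and the cycle repeats.
    for name, share in simulate(make_servers(), 10_000).items():
        print(f"{name}: {share:.1%} of queries")
```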
Re: Bind vs flood
I guess I am missing why anyone on the internet should be able to open queries against your caching resolver. Why would inbound queries be allowed to servers that are for your people to get out?

On Feb 27, 2014 10:13 AM, Ivo <i...@nic.lv> wrote:

> Hi Dmitry,
>
> We observed that similar requests are landing on our cache resolver mostly from various home routers running a DNS server as an open resolver, which also masquerades the original request source. We have a collection of ~60 domains involved and most of them are related to China.
>
> The problem is that the attacker selects a few domains and generates queries with random hostnames, which therefore are not in the cache, so the server has to perform recursion for each query. So each query will consume one UDP or TCP socket for at least 10 seconds because the remote DNS server is responding slowly or is down, and based on the query volume it can effectively overload the cache server.
>
> Initially we thought we could fix it with resolver-query-timeout, but after BIND code analysis it seems that everything less than 10 seconds would be ignored; it would be great to mention this in the documentation. So one solution is to change MINIMUM_QUERY_TIMEOUT in resolver.c and recompile named, but it would be nice to understand why 10 seconds was selected as the minimum value in the first place, see /lib/dns/resolver.c:
>
>     #define MAX_SINGLE_QUERY_TIMEOUT 9U
>     #define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U)
>     [snip]
>     void
>     dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
>             REQUIRE(VALID_RESOLVER(resolver));
>
>             if (seconds == 0)
>                     seconds = DEFAULT_QUERY_TIMEOUT;
>             if (seconds > MAXIMUM_QUERY_TIMEOUT)
>                     seconds = MAXIMUM_QUERY_TIMEOUT;
>             if (seconds < MINIMUM_QUERY_TIMEOUT)
>                     seconds = MINIMUM_QUERY_TIMEOUT;
>
>             resolver->query_timeout = seconds;
>     }
>
> We also tried to create local dummy zones for all these domains, but since the domains change frequently we started to block the most active open resolvers and coordinate with the local CERT. It would be nice to have some kind of rate limit for the query volume of different hosts inside a single zone.
>
> Best regards,
> Ivo
>
> On 2/27/14 7:59 AM, Dmitry Rybin wrote:
> > Over 2 weeks ago a flood began. A lot of queries:
> >
> >     niqcs.www.84822258.com
> >     vbhea.www.84822258.com
> >     abpqeftuijklm.www.84822258.com
> >     adcbefmzidmx.www.84822258.com
> >
> > and many others. Bind answers with Server failure. On high load (4 qps) all normal clients can get SERVFAIL on good queries. Or a query can take more than 2-3 seconds. Recursive clients via rndc status: 300-500.
> >
> > I can try to use rate limit:
> >
> >     rate-limit {
> >         nxdomains-per-second 10;
> >         errors-per-second 10;
> >         nodata-per-second 10;
> >     };
> >
> > I do not see any improvement. Found one way out of this situation: add the flood zones locally. What can we do in this situation?
Re: Bind vs flood
Ah, I see you are in a provider situation. Shows my assumption that you were in an enclosed enterprise environment.

On Feb 27, 2014 10:57 AM, Ivo <i...@nic.lv> wrote:

> Ben,
>
> No, our server is not an open resolver; we have a large user community and the problem is that users install their own wifi box like Zyxel or similar, which may have an open resolver by default.
>
> Ivo
>
> On 2/27/14 5:18 PM, Ben Croswell wrote:
> > I guess I am missing why anyone on the internet should be able to open queries against your caching resolver. Why would inbound queries be allowed to servers that are for your people to get out?
> >
> > On Feb 27, 2014 10:13 AM, Ivo <i...@nic.lv> wrote:
> > > Hi Dmitry,
> > >
> > > We observed that similar requests are landing on our cache resolver mostly from various home routers running a DNS server as an open resolver, which also masquerades the original request source. We have a collection of ~60 domains involved and most of them are related to China.
> > >
> > > The problem is that the attacker selects a few domains and generates queries with random hostnames, which therefore are not in the cache, so the server has to perform recursion for each query. So each query will consume one UDP or TCP socket for at least 10 seconds because the remote DNS server is responding slowly or is down, and based on the query volume it can effectively overload the cache server.
> > >
> > > Initially we thought we could fix it with resolver-query-timeout, but after BIND code analysis it seems that everything less than 10 seconds would be ignored; it would be great to mention this in the documentation. So one solution is to change MINIMUM_QUERY_TIMEOUT in resolver.c and recompile named, but it would be nice to understand why 10 seconds was selected as the minimum value in the first place, see /lib/dns/resolver.c:
> > >
> > >     #define MAX_SINGLE_QUERY_TIMEOUT 9U
> > >     #define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U)
> > >     [snip]
> > >     void
> > >     dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
> > >             REQUIRE(VALID_RESOLVER(resolver));
> > >
> > >             if (seconds == 0)
> > >                     seconds = DEFAULT_QUERY_TIMEOUT;
> > >             if (seconds > MAXIMUM_QUERY_TIMEOUT)
> > >                     seconds = MAXIMUM_QUERY_TIMEOUT;
> > >             if (seconds < MINIMUM_QUERY_TIMEOUT)
> > >                     seconds = MINIMUM_QUERY_TIMEOUT;
> > >
> > >             resolver->query_timeout = seconds;
> > >     }
> > >
> > > We also tried to create local dummy zones for all these domains, but since the domains change frequently we started to block the most active open resolvers and coordinate with the local CERT. It would be nice to have some kind of rate limit for the query volume of different hosts inside a single zone.
> > >
> > > Best regards,
> > > Ivo
> > >
> > > On 2/27/14 7:59 AM, Dmitry Rybin wrote:
> > > > Over 2 weeks ago a flood began. A lot of queries:
> > > >
> > > >     niqcs.www.84822258.com
> > > >     vbhea.www.84822258.com
> > > >     abpqeftuijklm.www.84822258.com
> > > >     adcbefmzidmx.www.84822258.com
> > > >
> > > > and many others. Bind answers with Server failure. On high load (4 qps) all normal clients can get SERVFAIL on good queries. Or a query can take more than 2-3 seconds. Recursive clients via rndc status: 300-500.
> > > >
> > > > I can try to use rate limit:
> > > >
> > > >     rate-limit {
> > > >         nxdomains-per-second 10;
> > > >         errors-per-second 10;
> > > >         nodata-per-second 10;
> > > >     };
> > > >
> > > > I do not see any improvement. Found one way out of this situation: add the flood zones locally. What can we do in this situation?
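Dmitry's and Ivo's messages above both describe the same symptom: many queries for never-repeated random labels under a handful of base domains, each costing the resolver a recursion that hangs for the full timeout. The following is an added example, not code from the thread or from BIND, that surfaces that pattern in a BIND query log so the operator can see which base domains are being hammered and which client addresses (the open home-router resolvers in Ivo's case) are sending the traffic. The sample log lines, the "base domain = last two labels" grouping and the thresholds are constructed assumptions; tune them against real traffic.

```python
"""Spot random-subdomain query floods in a BIND query log.

Added example, not from the thread or from BIND. Constructed assumptions:
the sample log lines below, grouping names by their last two labels, and
the flagging thresholds. Tune the thresholds before acting on the output.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the names Dmitry reported; the last three
# lines are ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
client 192.0.2.10#51234: query: niqcs.www.84822258.com IN A + (198.51.100.5)
client 192.0.2.10#51235: query: vbhea.www.84822258.com IN A + (198.51.100.5)
client 192.0.2.11#40001: query: abpqeftuijklm.www.84822258.com IN A + (198.51.100.5)
client 192.0.2.11#40002: query: adcbefmzidmx.www.84822258.com IN A + (198.51.100.5)
client @0x7f3c2c0a1d50 192.0.2.12#40003 (qwertyuiop.www.84822258.com): query: qwertyuiop.www.84822258.com IN A +E(0)K (198.51.100.5)
client 192.0.2.20#33000: query: www.example.net IN A + (198.51.100.5)
client 192.0.2.21#33001: query: www.example.net IN AAAA + (198.51.100.5)
client 192.0.2.22#33002: query: mail.example.net IN MX + (198.51.100.5)
"""

# Accepts both the older "client IP#port: query:" form and the newer
# "client @0x... IP#port (name): query:" form of BIND's query log.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (client_ip, qname, qtype), or None for lines that are not queries."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def base_domain(qname, labels=2):
    """Group names by their last `labels` labels (assumed grouping)."""
    return ".".join(qname.split(".")[-labels:])


def summarize(log_text, labels=2):
    """Per base domain: query count, distinct names, distinct client addresses."""
    stats = defaultdict(lambda: {"total": 0, "names": set(), "clients": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, qname, _qtype = parsed
        entry = stats[base_domain(qname, labels)]
        entry["total"] += 1
        entry["names"].add(qname)
        entry["clients"].add(ip)
    return stats


def flag_floods(log_text, labels=2, min_queries=5, unique_ratio=0.8):
    """Flag base domains where almost every query is for a name never seen before.

    A legitimately popular domain repeats the same names; a random-subdomain
    flood never does, so a high unique-name ratio over enough queries is the
    signal. Returns {base_domain: {"total", "unique", "clients"}}.
    """
    flagged = {}
    for dom, entry in summarize(log_text, labels).items():
        unique = len(entry["names"])
        if entry["total"] >= min_queries and unique / entry["total"] >= unique_ratio:
            flagged[dom] = {"total": entry["total"], "unique": unique,
                            "clients": sorted(entry["clients"])}
    return flagged


if __name__ == "__main__":
    for dom, info in flag_floods(SAMPLE_LOG).items():
        print(f"{dom}: {info['unique']}/{info['total']} unique names "
              f"from {len(info['clients'])} clients: {info['clients']}")
```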
Re: how to modify the cache
You can't modify cache. If that was allowed you could cache poison any domain you wanted.

On Feb 14, 2014 8:52 AM, houguanghua <houguang...@hotmail.com> wrote:

> Hi all,
>
> Bind provides the rndc tools to operate the cache. But how to change a record in the cache? For example: to modify the original record "www.abc.com A IN 219.142.3.1" into "www.abc.com A IN 143.3.1.20". I just know that using "rndc flush" clears the cache, but I don't know how to modify the cache. Who can tell me how to do it? Thanks.
>
> Guanghua
Re: how to modify the cache
What you say is true, but the OP wasn't clear on who owned the record he wanted to override. I assumed it was someone else's, or you would just change the authoritative source that you own.

On Feb 14, 2014 10:20 AM, Barry Margolin <bar...@alum.mit.edu> wrote:

> In article <mailman.2257.1392386898.20661.bind-us...@lists.isc.org>, Ben Croswell <ben.crosw...@gmail.com> wrote:
> > You can't modify cache. If that was allowed you could cache poison any domain you wanted.
>
> "Poisoning" refers to putting incorrect records into the cache of some *other* server. If you operate the server itself, you can put anything you want into its memory.
>
> If you want to override a particular record that would normally be cached, just make the server authoritative for that name.
>
> --
> Barry Margolin
> Arlington, MA
Re: I may be confused regarding sub delegated zone
A freshly started server with no cache will be directed to ns1 first, which will give a referral to ns2 for the subdomain. After that it will go to ns2 directly until the NS records time out in cache.

On Jan 23, 2014 12:30 PM, Blason R <blaso...@gmail.com> wrote:

> Hello friends,
>
> I may sound like a novice but I have a basic question regarding a sub-zone which is a delegated zone. Let's say I have zone example.com whose NS is ns1.example.com, and then I have delegated sub-zone subdom.example.com whose NS record would be, say, ns2.example.com. So people who will be querying the A record for subdom.example.com [which @] will first be forwarded to ns1.example.com and then from there the NS record of subdom.example.com will be given? Or will it directly be forwarded to ns2.example.com?
Re: Delegation and Forwarding
The basic answer is that you use null forwarders for any domains for which you want to turn off the global forwarders. If you have a global forwarder and then you have bob.com with a null forwarder, bob.com and the domains below it will follow delegation.

On Dec 11, 2013 7:10 AM, Bob McDonald <bmcdonal...@gmail.com> wrote:

> I'm a bit confused on the need for a blank forwarders statement inside of a zone statement in the named.conf file. Given an internal zone on a recursive server with global forwarders, what are the situations which would require me to code a blank forwarders statement inside of a zone statement in named.conf? I have internal zones which 1) do not delegate children, 2) delegate children on the same server, and 3) delegate children on different servers (and different versions of bind). I know that delegation is not affected on servers without global forwarders. The documentation around this is not clear (at least to me <grin>). Is there a difference if the parent is local and the child is forwarded? (or both forwarded but to different addresses?)
>
> Thanks,
> Bob
Re: Confused about a basic concept
Everything you listed is pretty close to accurate. A couple of points of clarification.

8) The master needs UDP/TCP 53 open to the slaves. Before a zone transfer can happen the slave needs to get the SOA RR from the master to see if the serial number has changed. This normally happens over UDP 53 (see my point on 9). So the slaves need to also be in the allow-query ACL on the master; if they can't query for the SOA they can never determine the serial number and can't transfer.

9) You should always have UDP/TCP 53 open to DNS servers. Normal queries happen on UDP 53, but if an answer is too large to fit in a single packet the answer will be truncated and the TC bit will be set. This bit tells the client they didn't get the full answer and that they may want to try the same query via TCP.

On your last points you are pretty much spot on with the answer but are wondering about the mechanics. Most best practices state that you should not have recursion and authoritative on the same DNS server. That is a should, but not a must. What you said is the normal answer: you run DNS servers that host zones, and you run DNS servers that serve direct client queries. The client caching DNS servers would need to know where your authoritative servers are via NS records or forwarding.

One big reason for the split is DNSSEC. An authoritative DNS server can't validate DNSSEC for a query sent directly to it from a client. There has to be another step in between. For instance, if I ask you if you are Bryan and you say yes, why should I believe you? However, if I ask a trusted friend if you are Bryan I will believe you because there is third-party verification.

On Wed, Jun 5, 2013 at 10:02 AM, Bryan Harris <bryanlhar...@me.com> wrote:

> Hi all,
>
> I think I may be confused about a very basic DNS concept. Sorry if this has been asked before.
>
> 1. I have a master and two slaves.
> 2. The master server is the SOA for my zone. The SOA record points to the master server.
> 3. Each of the two slaves is authoritative for my zone.
> 4. There are 2 NS records for my zone. The first NS = slave1 and the second NS = slave2.
> 5. The master server is not listed in the NS records for my zone.
> 6. The master does not receive any queries from the clients.
> 7. The slaves receive queries from the clients.
> 8. The master -> slaves relationship is via tcp/53 (notifies, zone transfers).
> 9. The slaves -> clients relationship is via udp/53 (queries).
>
> Is this correct so far?
>
> I'm being told our authoritative DNS servers should not receive any queries, as well as that DNS slaves respond to queries. These statements seem like a conflict to me, but maybe I'm simply confused? I don't see how a slave could respond to a query unless it's authoritative. The only thing I can imagine is adding some more caching servers just for queries and having them forward+recurse to the authoritative slave servers (but they're not slaves themselves). But even in that case, the authoritative servers would still need to respond to queries, no? Otherwise how would the caching servers get any answers in the first place?
>
> Bryan

--
-Ben Croswell
Re: BIND 9.4.x and check-names
> Isn't it time to upgrade?

Yes, it is. In fact, adding these statements to the options clause is in preparation for our migration to a later version. It seems from my testing that while BIND 9.4 was very passive about these types of records, and would load a zone despite illegal chars, later versions of BIND would actually fail to start. This is a fundamental difference between BIND 9.4 and 9.7.3, for example. I am dealing with about 14 BIND servers, so the more preparation steps I can take prior to cutover, the better.

> bind 9.4 has also check-names response;

Ok, I'm reading up on that now. Should I be able to suppress the logging using:

    check-names response ignore;

?

Thanks

-----Original Message-----
Date: Wed, 17 Apr 2013 17:58:30 +0200
From: Matus UHLAR - fantomas <uh...@fantomas.sk>
To: bind-users@lists.isc.org
Subject: Re: BIND 9.4.x and check-names
Message-ID: <20130417155830.ga14...@fantomas.sk>
Content-Type: text/plain; charset=us-ascii; format=flowed

On 17.04.13 06:39, Ben-Eliezer, Tal (ITS) wrote:
> Subject: BIND 9.4.x and check-names

Isn't it time to upgrade?

> I recently implemented a change in our DNS environment with the intention of suppressing the log events related to AD-integrated zones, and their non-RFC-compliant nature.
>
>     check-names slave ignore;
>     check-names master ignore;

bind 9.4 has also check-names response;

> However, I still see these entries appear in the logs. Could someone please chime in and let me know if my expectation or implementation was incorrect? Many thanks!!
>
>     default.log:12-Apr-2013 00:45:37.447 general: warning: zone /IN: gc._msdcs./A: bad owner name (check-names)
>     default.log:12-Apr-2013 00:45:37.447 general: warning: zone /IN: gc._msdcs./A: bad owner name (check-names)

Hmm, aren't those supposed to be SRV records?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Windows found: (R)emove, (E)rase, (D)elete

------------------------------

Message: 2
Date: Wed, 17 Apr 2013 09:02:44 -0700
From: Chris Buxton <cli...@buxtonfamily.us>
To: Matus UHLAR - fantomas <uh...@fantomas.sk>
Cc: bind-users@lists.isc.org
Subject: Re: BIND 9.4.x and check-names
Message-ID: <9a8b8bf0-e675-4959-97ac-c9cf2007a...@buxtonfamily.us>
Content-Type: text/plain; charset=us-ascii

On Apr 17, 2013, at 8:58 AM, Matus UHLAR - fantomas wrote:
> On 17.04.13 06:39, Ben-Eliezer, Tal (ITS) wrote:
> >     default.log:12-Apr-2013 00:45:37.447 general: warning: zone /IN: gc._msdcs./A: bad owner name (check-names)
> >     default.log:12-Apr-2013 00:45:37.447 general: warning: zone /IN: gc._msdcs./A: bad owner name (check-names)
>
> Hmm, aren't those supposed to be SRV records?

No, they are the addresses of the global catalog servers. If they were SRV records, check-names would not complain.

Chris Buxton

------------------------------

Message: 3
Date: Wed, 17 Apr 2013 12:07:07 -0400
From: Barry Margolin <bar...@alum.mit.edu>
To: comp-protocols-dns-b...@isc.org
Subject: Re: “Foreign” name in the reverse lookup zone
Message-ID: <barmar-c85efa.12070717042...@news.eternal-september.org>

In article <mailman.146.1366210213.20661.bind-us...@lists.isc.org>, PAVLOV Misha <misha.pav...@socgen.com> wrote:
> Folks,
>
> Wonder if someone can kindly confirm that there is nothing wrong with having a PTR record in one of the subnet zone files (we are authoritative for) with a PTR to a name owned by another office (domain). A server exchange.north.our.company (owned and registered in the north.our.company domain) is installed here, on the same network as all the local south.our.company machines. We own, are authoritative for and maintain the db.1.2.3 subnet reverse zone, but not the north.our.company name registered far away.

There's nothing wrong with it, and it's done all the time. Consider the case where the www.company.com server is hosted at a third party. The A record will be in the company's domain, but the PTR record will be in the hosting service's reverse domain.

Just make sure that there is a corresponding A record. Some software will check for this before believing the PTR record. This is mostly done in software that uses reverse lookups in security checks; for instance, if a hosts.allow file allows access from *.company.com, it can't just believe the PTR record because anyone can put "some-addr PTR foo.company.com." in their reverse zone.

--
Barry Margolin
Arlington, MA

------------------------------

End of bind-users Digest, Vol 1502, Issue 1
*******************************************
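The check Barry describes is usually called forward-confirmed reverse DNS: a PTR name is only believed if the name's own A/AAAA records contain the address that was looked up. The following is an added example, not code from the digest, showing that decision applied to a hosts.allow-style "*.company.com" rule. The PTR and forward tables are constructed stand-ins for real lookups so the code runs offline; they include Barry's third-party-hosted www.company.com case and a PTR that nobody's forward zone vouches for.

```python
"""Forward-confirmed reverse DNS, the check Barry describes.

Added example, not from the digest. The lookups read a constructed
in-memory table so the code runs offline; in production lookup_ptr()
and lookup_forward() would issue real PTR and A/AAAA queries.
"""
import ipaddress

# Constructed records. 198.51.100.7 is the "hosted at a third party" case:
# the PTR lives in the hoster's reverse zone but the A record in
# company.com confirms it. 203.0.113.9 carries a PTR that anyone could
# publish in their own reverse zone; nothing in company.com vouches for it.
PTR_RECORDS = {
    "192.0.2.10": ["host1.company.com"],
    "198.51.100.7": ["www.company.com"],
    "203.0.113.9": ["foo.company.com"],
    "2001:db8::25": ["mail.company.com"],
}
FORWARD_RECORDS = {
    "host1.company.com": ["192.0.2.10"],
    "www.company.com": ["198.51.100.7"],
    "foo.company.com": ["192.0.2.44"],
    "mail.company.com": ["2001:db8::25", "192.0.2.25"],
}


def reverse_name(ip):
    """The in-addr.arpa / ip6.arpa owner name a PTR query for ip would use."""
    return ipaddress.ip_address(ip).reverse_pointer


def lookup_ptr(ip):
    """Stand-in for a PTR query; returns the names the reverse zone claims."""
    return PTR_RECORDS.get(str(ipaddress.ip_address(ip)), [])


def lookup_forward(name):
    """Stand-in for A/AAAA queries on a name returned by the PTR lookup."""
    return FORWARD_RECORDS.get(name.rstrip(".").lower(), [])


def confirmed_names(ip):
    """PTR names for ip whose own A/AAAA records contain ip."""
    addr = ipaddress.ip_address(ip)
    return [name for name in lookup_ptr(ip)
            if any(ipaddress.ip_address(a) == addr for a in lookup_forward(name))]


def allowed(ip, domain_suffix):
    """hosts.allow-style decision for an 'ALLOW *.<domain_suffix>' rule:
    grant only when a forward-confirmed PTR name falls under the suffix."""
    suffix = "." + domain_suffix.lower().strip(".")
    return any(name.lower().endswith(suffix) for name in confirmed_names(ip))


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(f"{ip} ({reverse_name(ip)}): ptr={lookup_ptr(ip)} "
              f"confirmed={confirmed_names(ip)} "
              f"allow *.company.com -> {allowed(ip, 'company.com')}")
```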
RE: bind-users Digest, Vol 1485, Issue 1
Hi Kevin-

Thank you for the further elaboration on how you use the include statements in your environment. Oddly enough this may be a way for me to accomplish what I'd like to do. Thanks again for the help! I'll report back with any further issues I may experience.

Have a great day all!

Tal

-----Original Message-----
From: bind-users-bounces+tal.ben-eliezer=its.ny@lists.isc.org [mailto:bind-users-bounces+tal.ben-eliezer=its.ny@lists.isc.org] On Behalf Of bind-users-requ...@lists.isc.org
Sent: Monday, April 1, 2013 8:00 AM
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 1485, Issue 1

Today's Topics:

   1. Re: Forward First on Master Zone (bypass SOA) (Kevin Darcy)
   2. Re: Lots of RSA_verify failed after upgrade to 9.7.7 (Noel Butler)
   3. Re: Lots of RSA_verify failed after upgrade to 9.7.7 (Mark Andrews)
   4. Re: Lots of RSA_verify failed after upgrade to 9.7.7 (Noel Butler)

------------------------------

Message: 1
Date: Sun, 31 Mar 2013 18:01:36 -0400
From: Kevin Darcy <k...@chrysler.com>
To: bind-users@lists.isc.org
Subject: Re: Forward First on Master Zone (bypass SOA)
Message-ID: <5158b240.70...@chrysler.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 3/29/2013 6:12 PM, Lawrence K. Chen, P.Eng. wrote:
> ----- Original Message -----
> > On Mar 28, 2013, at 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:
> > > I've spent hours researching a way to accomplish this without any luck. Is there any way to accomplish what I'm trying to do?
> >
> > No, not unless you want to monkey around with static zones and $INCLUDE directives -- something like this:
> >
> > Internal zone file:
> >
> >     $INCLUDE internal.zone.apex
> >     $INCLUDE example.com.common-records
> >     $TTL 86400
> >     some.internal.host A 192.0.2.1
> >     [...]
> >
> > External zone file:
> >
> >     $INCLUDE external.zone.apex
> >     $INCLUDE example.com.common-records
> >     $TTL 86400
> >     some.external.host A 192.0.2.254
> >     [...]
> >
> > where the *.zone.apex files look something like this:
> >
> >     $TTL 86400
> >     @   SOA [... 7 data fields ...]
> >         NS  ns1.example.com.
> >         NS  ns2.example.com.
> >         MX  10 mx1.example.com.
> >
> > This way, you mostly maintain 3 files of DNS records for the zone -- external, internal, and common.
> >
> > Note that this is not compatible with dynamic zones. If you need to support dynamic zones (and who doesn't, these days?), you're out of luck.
> >
> > Chris Buxton
> > BlueCat Networks
>
> I/we maintain a 'single' zone file (with the help of subversion/cfengine) which is then processed into 4 different zone files through a Makefile on my master nameserver.
>
> Basically, the as-is zone file is the external view state. All the internal (campus) view lines/$includes are prefixed with:
>
>     ;CAMPUS;
>
> where sed removes those comments to generate the 'campus' view zone file.
>
> Then there are lines that will have different comments after the line. One is ;GUEST_NETWORK and another is ;DISASTER_RECOVERY. The sed script will replace the IP part of ;GUEST_NETWORK lines with the IP of a static page informing the user that the resource is available from the guest network. (This is for services where we couldn't have the service owner do this within their application.) And ;DISASTER_RECOVERY replaces the IP with the IP of the server at our DR site, with the intent that the result is sent by alternate means to our off-campus secondaries, where they can switch to using this file, etc. Due to DNSSEC, we have to generate a DR version of our zone file (instead of having the secondary edit the transfer file and present that.) These are also based off the external view (since internal services aren't exposed to the guest network, and DR is an alternate external).
>
> All the different zone files are signed using dnssec-signzone with the '-N unixtime' option to avoid serial number issues (especially now that I'm not the only one handling DNS requests).
>
> Before split-DNS, we had created our own TLD ... but the problem with that was we couldn't buy SSL certificates for these services, and there was no interest in having our users accept self-signed certs or add a private CA to everything, so the TLD became a subdomain that was only in the internal view (originally) ... though later we added a stub in the external view to publish an MX record so that users/apps sending mail without setting a correct from address would still work. (sure I've told people they need to do
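Lawrence's marker scheme above (one annotated master file rendered into external, campus, guest-network and disaster-recovery copies) is easy to get subtly wrong with ad-hoc sed, so here it is as an added example in Python. This is not his Makefile or sed scripts; it assumes ";CAMPUS;" is a line prefix, ";GUEST_NETWORK" and ";DISASTER_RECOVERY" are trailing comments on A records, and the two replacement addresses and the master zone are constructed placeholders. Signing the output with dnssec-signzone is left to the pipeline.

```python
"""Render per-view zone files from a single annotated master zone file.

Added example implementing the marker scheme Lawrence describes; not his
Makefile or sed scripts. Constructed assumptions: ';CAMPUS;' is a line
prefix, ';GUEST_NETWORK' / ';DISASTER_RECOVERY' are trailing comments on
A records, and the two replacement addresses below are placeholders.
"""
import re

GUEST_PAGE_IP = "192.0.2.250"   # constructed: the guest-network notice page
DR_SITE_IP = "203.0.113.50"     # constructed: the DR-site address

CAMPUS_PREFIX = ";CAMPUS;"
GUEST_MARK = ";GUEST_NETWORK"
DR_MARK = ";DISASTER_RECOVERY"
VIEWS = ("external", "campus", "guest", "dr")

# "owner [ttl] [class] A <ipv4>" with anything (e.g. the marker) after it.
A_RDATA_RE = re.compile(
    r"^(?P<lhs>.*?\bA\s+)(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P<rest>.*)$")

# Constructed master file in the described style (as-is = external view).
MASTER_ZONE = """\
$TTL 86400
@        IN SOA ns1.example.edu. hostmaster.example.edu. ( 1 3600 900 604800 86400 )
         IN NS  ns1.example.edu.
www      IN A   198.51.100.10   ;DISASTER_RECOVERY
portal   IN A   198.51.100.20   ;GUEST_NETWORK
;CAMPUS;intranet IN A   10.1.2.3
;CAMPUS;$INCLUDE campus-only.zone
"""


def _swap_ip(line, new_ip):
    """Replace the A RDATA on a marked line, keeping the marker comment."""
    m = A_RDATA_RE.match(line)
    if m is None:
        raise ValueError(f"marker on a line without an A record: {line!r}")
    return f"{m.group('lhs')}{new_ip}{m.group('rest')}"


def render(master_text, view):
    """Return the zone text for one view.

    external: campus-only lines dropped, addresses untouched.
    campus:   the ';CAMPUS;' prefix is stripped so those lines take effect.
    guest/dr: like external, but marked A records point at the guest
              notice page / the DR site respectively.
    """
    if view not in VIEWS:
        raise ValueError(f"unknown view {view!r}")
    out = []
    for line in master_text.splitlines():
        if line.startswith(CAMPUS_PREFIX):
            if view == "campus":
                out.append(line[len(CAMPUS_PREFIX):])
            continue                      # hidden from every other view
        if view == "guest" and line.rstrip().endswith(GUEST_MARK):
            line = _swap_ip(line, GUEST_PAGE_IP)
        elif view == "dr" and line.rstrip().endswith(DR_MARK):
            line = _swap_ip(line, DR_SITE_IP)
        out.append(line)
    return "\n".join(out) + "\n"


def a_record(zone_text, owner):
    """Check helper: the A RDATA for owner in rendered zone text, or None."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == owner and fields[2] == "A":
            return fields[3]
    return None


if __name__ == "__main__":
    for view in VIEWS:
        print(f"--- {view} ---\n{render(MASTER_ZONE, view)}")
```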
Forward First on Master Zone (bypass SOA)
Hello,

My organization is evaluating the use of split-view DNS in our environment. One of the challenges I've yet to overcome in my trials is the ability to minimize the administrative overhead of maintaining two copies of the zone. Upon reviewing some of the BIND options, "forward first;" caught my eye. Below is the description of this feature I found on Zytrax:

> forward is only relevant in conjunction with a valid forwarders statement. If set to 'only' the server will only forward queries, if set to 'first' (default) it will send the queries to the forwarder and if not answered will attempt to answer the query. This statement may be used in a zone, view or a global options clause.

If I understand this correctly, BIND should handle a query for host.example.com by first passing it through the configured forwarder, which should succeed (the record exists on the Internet). However, I believe that since this server is also authoritative for this domain (the internal copy), and the record is not in this view of the zone file, I receive an NXDOMAIN.

I've spent hours researching a way to accomplish this without any luck. Is there any way to accomplish what I'm trying to do?

Thanks,
Tal Ben-Eliezer
RE: Forward First on Master Zone (bypass SOA)
Hi Chris, this looks interesting, I'll do some testing and report back!

Thank you,
Tal

-----Original Message-----
From: Chris Buxton [mailto:cli...@buxtonfamily.us]
Sent: Thursday, March 28, 2013 5:02 PM
To: Ben-Eliezer, Tal (ITS)
Cc: bind-users@lists.isc.org
Subject: Re: Forward First on Master Zone (bypass SOA)

On Mar 28, 2013, at 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:
> I've spent hours researching a way to accomplish this without any luck. Is there any way to accomplish what I'm trying to do?

No, not unless you want to monkey around with static zones and $INCLUDE directives -- something like this:

Internal zone file:

    $INCLUDE internal.zone.apex
    $INCLUDE example.com.common-records
    $TTL 86400
    some.internal.host A 192.0.2.1
    [...]

External zone file:

    $INCLUDE external.zone.apex
    $INCLUDE example.com.common-records
    $TTL 86400
    some.external.host A 192.0.2.254
    [...]

where the *.zone.apex files look something like this:

    $TTL 86400
    @   SOA [... 7 data fields ...]
        NS  ns1.example.com.
        NS  ns2.example.com.
        MX  10 mx1.example.com.

This way, you mostly maintain 3 files of DNS records for the zone -- external, internal, and common.

Note that this is not compatible with dynamic zones. If you need to support dynamic zones (and who doesn't, these days?), you're out of luck.

Chris Buxton
BlueCat Networks
Re: Most specific match on PTR records
You need to ensure that if the resolver doing the forwarding also loads the blank 10/8, you have the smaller /24 delegated in the 10/8. The reason being, if it loads the /8 with no /24 delegation it will ignore the forward because it believes the /24 doesn't exist.

On Feb 21, 2013 1:21 PM, Nikita Koshikov <koshi...@gmail.com> wrote:

> Hello list,
>
> I'm trying to cut a /24 network out of the scope of a /8 network, here is the example:
>
>     zone "11.2.10.in-addr.arpa" {
>         type forward;
>         forwarders { 192.168.1.23; 192.168.1.24; };
>     };
>
>     zone "10.in-addr.arpa" {
>         type master;
>         file "master/int/10.in-addr.arpa";
>     };
>
> 10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8 IP address. But I need to forward requests for the 10.2.11.0/24 net to other DNS servers, and the above config is not working. I get empty responses for the 10.2.11.0/24 net.
>
> This is right (192.168.1.8 - server with bind):
>
>     $ host -t ptr 10.1.1.1 192.168.1.8
>     Using domain server:
>     Name: 192.168.1.8
>     Address: 192.168.1.8#53
>     Aliases:
>
>     Host 1.1.1.10.in-addr.arpa. not found: 3(NXDOMAIN)
>
> This is wrong:
>
>     $ host -t ptr 10.2.11.10 192.168.1.8
>     Using domain server:
>     Name: 192.168.1.8
>     Address: 192.168.1.8#53
>     Aliases:
>
>     Host 10.11.2.10.in-addr.arpa. not found: 3(NXDOMAIN)
>
> This is the expected answer from the forwarded server - 192.168.1.23:
>
>     $ host -t ptr 10.2.11.10 192.168.1.23
>     Using domain server:
>     Name: 192.168.1.23
>     Address: 192.168.1.23#53
>     Aliases:
>
>     10.11.2.10.in-addr.arpa domain name pointer hawk-agent.local.intranet.
>
> Can someone help with this?
Re: What causes 'zone transfer setup failed' ?
A common issue is the secondary not being allowed to query the master for the SOA of the zone. Ensure the master has an allow-query that includes the secondary.

On Jan 25, 2013 6:06 AM, Jan-Piet Mens jpmens@gmail.com wrote:

> Hello,
>
> I'm seeing quite a number of messages like
>
>     xfer-out: debug 3: client 192.168.1.2#54688 (example.com): zone transfer setup failed
>
> BIND 9.9.2P1 here, configured with:
>
>     request-ixfr no;
>     transfer-format many-answers;
>     transfers-in 100;
>     transfers-per-ns 100;
>     max-transfer-time-in 60;
>
> BIND has a lot of zones to transfer; does this have something to do with too many TCP connections?
>
> FWIW, BIND is running on Centos 6.3 in an OpenVZ container.
>
> Regards,
> -JP
Re: Define an internal zone with only a couple of A records, then forward to an external dns server
If you load the zone your server will believe it knows everything about the zone and not forward anything below it. If you load foo.com with two records, nothing but those two records will ever resolve on that server for foo.com.

One way to make it work would be to load two zones, vpn1.foo.com and vpn2.foo.com, each with their A records. Then you would only blackhole things below vpn1.foo.com and vpn2.foo.com.

On Jan 17, 2013 10:09 AM, Alberto Zanon alberto.za...@edistar.com wrote:

> Hi all,
>
> I googled all the morning without success :( I'm using Bind 9.9.1 and I'm a newbie of Bind. This is my goal:
>
> - I want to define in my dns server a zone external_partner.com, which is the domain of our partner who manages it with his public dns server dns.external_partner.com.
> - I need to define into this zone a couple of servers (vpn_host_1.external_partner.com, vpn_host_2.external_partner.com) because we connect via vpn to our partner.
> - I want that the rest of the names, e.g. www.external_partner.com, are resolved by forwarding the requests to the dns of our partner.
>
> I tried this without success:
>
> - in named.conf:
>
>     zone "external_partner.com" {
>         type master;
>         file "master/external_partner.com.zon";
>         forwarders { xxx.xxx.xxx.xxx; };
>     };
>
>   and I have recursion yes in the options.
>
> - in external_partner.com.zon I have only the two entries:
>
>     $TTL 300
>     @   IN SOA dns.edistar.com. admin.dns.edistar.com. (
>                 2013011701 ; Serial
>                 300        ; Refresh
>                 300        ; Retry every hour
>                 300        ; Expire after a week
>                 300 )      ; Minimum ttl of 1 day
>         IN NS  dns.edistar.com.
>         TXT    "vpn servers"
>     vpn_host_1.external_partner.com. IN A xxx.xxx.xxx.xxx
>     vpn_host_2.external_partner.com. IN A xxx.xxx.xxx.xxx
>
> I read about the forward first option but it is the opposite of my goal, correct?
>
> Thanks in advance for your responses.
>
> Alberto Zanon
Re: MNAME not a listed NS record
There is no issue with a configuration like this. It is the very definition of a stealth master and is a very common configuration. Any DDNS updates will continue to reach the stealth master via the MNAME and no resolvers will find the master via NS records so it won't be queried.

On Jan 16, 2013 3:42 PM, Dave Warren li...@hireahit.com wrote:

> Is there anything technically wrong with having a SOA MNAME field that isn't listed as a NS record? The server listed as MNAME will host the zone and is authoritative for the zone, but out of latency concerns it isn't ideal to have other resolvers querying this server.
>
> Various online DNS diagnostic tools throw warnings, but as far as I can tell from the RFCs, this is a valid configuration. Is it valid? Are there any operational gotchas to be aware of or can I ignore the warnings?
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
Re: Name resolution fails if not forwarding
My first thought would be lack of firewall rules and connectivity to the Internet.

On Jan 8, 2013 9:35 AM, Daniele d.imbrog...@gmail.com wrote:

> If I use BIND9 forwarding all the queries not belonging to my local zones, it works. But if I don't forward those queries, `dig` sometimes (and this is weird) fails (with "connection timed out; no servers could be reached") and the logs are full of "lame server", "FORMERR". Why?
Re: Bind not forwarding all requests
It is probably related to forward first versus forward only. Forward first is the default but will fall back to no forwarding if the forwarders fail.

On Dec 7, 2012 12:06 PM, Romgo ro...@free.fr wrote:

> Hello,
>
> I am currently running two bind9 servers on Debian Squeeze (1:9.7.3.dfsg-1~squeeze8).
>
> Server 1 is the internal dns server and serves some local zones. This server should forward all unknown requests to our public DNS server. So I configured this server as follows:
>
>     /etc/bind/named.conf.options
>
>     forward only;
>     forwarders { ip_server_2; };
>
> The second server is allowed to do DNS requests on the internet, so there is no forwarder configured.
>
> The issue is that I see on my firewall that server1 is trying to do DNS requests on the DNS ROOT servers. Any idea why I have this issue? Wrong configuration?
>
> Regards,
RE: Performance tuning
I did digs to both names from my work DNS infrastructure. The response was 58ms to resolve the WWW entry and 44ms for the non-WWW entry. Would not appear to be a resolution related slow down.

-Ben Croswell

On Nov 26, 2012 1:25 PM, Lightner, Jeff jlight...@water.com wrote:

> For question 1: "Loading" is a function of the web site not DNS. Your first question could have to do with what the default site is in your web configuration and what kind of rewrite rules are getting you to the other.
>
> If it were me I'd probably do some timed "host" or "dig" commands for the two records to verify name resolution itself wasn't a problem.
>
> I guess it MIGHT be a minutely slower to resolve www if it is a CNAME to the other as opposed to both being A records. However, since this is a fairly common practice I doubt it is likely to be of major importance in overall timing.
>
> From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Adamiec, Lawrence
> Sent: Monday, November 26, 2012 1:13 PM
> To: bind-users@lists.isc.org
> Subject: Re: Performance tuning
>
> To the best of my knowledge, there are no problems with our DNS. We only host 25 domains.
>
> The report must also address these two specific questions:
>
> 1. Why does www.kentlaw.iit.edu load quicker than kentlaw.iit.edu in any browser?
> 2. What happens if we remove the forwarders option from named.conf?
>
> I can't duplicate the issue in Q1 and I'm trying to determine a way of testing Q2.
>
> Larry
>
> On Mon, Nov 26, 2012 at 11:39 AM, Doug Barton do...@dougbarton.us wrote:
>
> > What a delightfully vague requirement. :)
> >
> > I would push back a bit on exactly what problems are attempted to be solved here. The BIND defaults are about as efficient as they can be, especially so in later versions.
> >
> > Doug
> >
> > On 11/26/2012 11:01 AM, Adamiec, Lawrence wrote:
> >
> > > Hi,
> > >
> > > I have been tasked with authoring a DNS report to achieve optimal performance. The report must include:
> > >
> > > - CPU usage
> > > - memory usage
> > > - bandwidth usage
> > > - throughput
> > > - latency
> > >
> > > I have found some information regarding the number of queries processed per minute but nothing of value for the above areas. Is there some documentation that discusses the above areas?
> > >
> > > We are running BIND 9.6-ESV-R5-P1, Solaris 10 on a SPARC server. My report will include the fact we must upgrade from BIND 9.6-ESV-R5-P1.
> > >
> > > Thank you in advance.
> > >
> > > Larry
> > >
> > > Lawrence Adamiec
> > > UNIX Mgr
> > > IIT Chicago-Kent College of Law
Re: forwarder is ignored when authoritative zone is added
The one thing I can think of off the top of my head is to ensure the child subdomain is properly delegated in the parent. If you try to zone level forward a child domain on a server that loads the parent it will ignore the forward if it can see the child doesn't exist as a true delegation. I assume the logic is, why would I forward a subdomain I know doesn't exist.

-Ben Croswell

On Oct 26, 2012 2:17 AM, Frank Even lists+isc@elitists.org wrote:

> I've recently had an issue that I'm having some issues finding information on solving.
>
> I have internal DNS resolvers...they act as recursive name servers for general internet queries, but we have forwarders explicitly defined for specific internal zones being served by other name servers. My configuration has one particular zone configured as such:
>
>     zone "internal.organization.com" IN {
>         type forward;
>         forward only;
>         forwarders { 172.x.x.x; 172.x.x.x; };
>     };
>
> I have our main zone, organization.com, hosted in an external area outside of a firewall with a wildcard record contained in it for anything that is not explicitly defined. I have some services that I need to reach using names that are in this external zone internally. What I'm trying to do is to slave the organization.com zone to my internal recursive resolver to mitigate any possible network issues.
>
> So I setup the internal resolver as a slave for the organization.com zone and found that queries against internal.organization.com were getting answered with the wildcard for the external organization.com zone. I can't seem to figure out why the forwarders are getting ignored. Is it an order of precedence, say authoritative zones are respected over forwarders...or something else?
>
> Thanks for any assistance anyone can provide, or point me to some documentation I'm missing,
>
> Frank
Re: forwarder is ignored when authoritative zone is added
The thing that brings me back to a delegation issue is the statement of slaving an external version of the second level domain to the internal DNS server. I know if I was splitting a domain I would not put internal only delegations external.

-Ben Croswell

On Oct 26, 2012 7:23 AM, Sten Carlsen st...@s-carlsen.dk wrote:

> On 26/10/12 12:56, Ben Croswell wrote:
>
> > The one thing I can think of off the top of my head is to ensure the child subdomain is properly delegated in the parent. If you try to zone level forward a child domain on a server that loads the parent it will ignore the forward if it can see the child doesn't exist as a true delegation. I assume the logic is, why would I forward a subdomain I know doesn't exist.
>
> I should think that internal.org... is properly delegated, so the forward will not be concerned about a subdomain, only about the domain that is actually forwarded. internal.org... will then be looked up in the normal recursive way, so another forward statement might solve this issue.
>
> > -Ben Croswell
> >
> > On Oct 26, 2012 2:17 AM, Frank Even lists+isc@elitists.org wrote:
> >
> > > I've recently had an issue that I'm having some issues finding information on solving.
> > >
> > > I have internal DNS resolvers...they act as recursive name servers for general internet queries, but we have forwarders explicitly defined for specific internal zones being served by other name servers. My configuration has one particular zone configured as such:
> > >
> > >     zone "internal.organization.com" IN {
> > >         type forward;
> > >         forward only;
> > >         forwarders { 172.x.x.x; 172.x.x.x; };
> > >     };
> > >
> > > I have our main zone, organization.com, hosted in an external area outside of a firewall with a wildcard record contained in it for anything that is not explicitly defined. I have some services that I need to reach using names that are in this external zone internally. What I'm trying to do is to slave the organization.com zone to my internal recursive resolver to mitigate any possible network issues.
> > >
> > > So I setup the internal resolver as a slave for the organization.com zone and found that queries against internal.organization.com were getting answered with the wildcard for the external organization.com zone. I can't seem to figure out why the forwarders are getting ignored. Is it an order of precedence, say authoritative zones are respected over forwarders...or something else?
> > >
> > > Thanks for any assistance anyone can provide, or point me to some documentation I'm missing,
> > >
> > > Frank
>
> --
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
> "MALE BOVINE MANURE!!!"
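The three threads above (the /24 PTR forward under a loaded blank 10/8, the two-record partner zone that blackholes everything beneath it, and the forward zone ignored once organization.com is slaved) are all the same rule seen from different sides. The following is an added model written for this archive, not BIND code and not anything posted in the threads: it encodes only the rule the replies state, namely that the most specific loaded authoritative zone answers first, and a forward zone beneath it is only reached when that zone carries a delegation (NS records) for the child, or when nothing loaded covers the name at all. Zone contents, forwarder addresses and the wildcard matching are constructed and simplified.

```python
"""Simplified model of how a BIND recursive server chooses between a loaded
authoritative zone and a forward zone for one query name.  Not BIND code:
it only encodes the rule stated in the replies above.  Zone data and
forwarder addresses below are constructed for the demo."""
from typing import Dict, List, Optional, Tuple

Zone = Dict[str, List[Tuple[str, str]]]  # owner name -> [(rrtype, rdata), ...]


def parse_zone(text: str) -> Zone:
    """Parse a minimal zone file (fully qualified owners, optional TTL/class,
    one record per line).  $-directives and ';' comments are ignored."""
    records: Zone = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner, rest = fields[0].rstrip(".").lower(), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)  # drop optional TTL and class
        records.setdefault(owner, []).append((rest[0].upper(), " ".join(rest[1:])))
    return records


def _best_match(name: str, zones) -> Optional[str]:
    """Most specific configured zone name containing `name`, or None."""
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None


def _forward_or_recurse(qname: str, forward_zones: Dict[str, List[str]]) -> str:
    fwd = _best_match(qname, forward_zones)
    return f"forward:{forward_zones[fwd][0]}" if fwd else "recurse"


def resolve_path(qname: str, auth_zones: Dict[str, Zone],
                 forward_zones: Dict[str, List[str]]) -> str:
    """'local:<rdata>', 'local:NXDOMAIN', 'forward:<first forwarder>' or 'recurse'."""
    qname = qname.rstrip(".").lower()
    apex = _best_match(qname, auth_zones)
    if apex is None:  # nothing loaded covers the name: the forward table applies
        return _forward_or_recurse(qname, forward_zones)
    records = auth_zones[apex]
    labels = qname.split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    for cut in suffixes:
        if cut == apex:
            break
        if any(t == "NS" for t, _ in records.get(cut, [])):
            # Delegation: authoritative data ends here, recursion takes over,
            # and recursion is what consults the forward table.
            return _forward_or_recurse(qname, forward_zones)
    # No delegation: the loaded zone answers and any forward zone is ignored.
    # Exact owner first, then a (simplified) wildcard at each ancestor in-zone.
    in_zone = [s for s in suffixes[1:] if s == apex or s.endswith("." + apex)]
    for owner in [qname] + ["*." + s for s in in_zone]:
        for rrtype, rdata in records.get(owner, []):
            if rrtype in ("A", "AAAA", "PTR"):
                return f"local:{rdata}"
    return "local:NXDOMAIN"


# Constructed data reproducing the reported setups (addresses are documentation ranges).
TEN_ZONE = """
10.in-addr.arpa.  IN SOA ns1.example.net. hostmaster.example.net. 1 3600 900 604800 300
10.in-addr.arpa.  IN NS  ns1.example.net.
"""
TEN_DELEGATION = "11.2.10.in-addr.arpa.  IN NS  ns.hawk.local.intranet.  ; 10.2.11.0/24 delegated\n"
PTR_FWD = {"11.2.10.in-addr.arpa": ["192.168.1.23", "192.168.1.24"]}
ORG_ZONE = """
organization.com.    IN SOA ns1.organization.com. hostmaster.organization.com. 1 3600 900 604800 300
organization.com.    IN NS  ns1.organization.com.
*.organization.com.  IN A   203.0.113.10   ; the external wildcard
"""
ORG_DELEGATION = "internal.organization.com.  IN NS  ns1.internal.organization.com.\n"
ORG_FWD = {"internal.organization.com": ["172.16.0.53"]}


def demo() -> Dict[str, str]:
    """Outcome of each scenario, with and without the child delegated in the parent."""
    ten, ten_d = parse_zone(TEN_ZONE), parse_zone(TEN_ZONE + TEN_DELEGATION)
    org, org_d = parse_zone(ORG_ZONE), parse_zone(ORG_ZONE + ORG_DELEGATION)
    return {
        "ptr 10.1.1.1, /8 loaded": resolve_path("1.1.1.10.in-addr.arpa", {"10.in-addr.arpa": ten}, PTR_FWD),
        "ptr 10.2.11.10, /24 not delegated": resolve_path("10.11.2.10.in-addr.arpa", {"10.in-addr.arpa": ten}, PTR_FWD),
        "ptr 10.2.11.10, /24 delegated": resolve_path("10.11.2.10.in-addr.arpa", {"10.in-addr.arpa": ten_d}, PTR_FWD),
        "host.internal, parent slaved, not delegated": resolve_path("host.internal.organization.com", {"organization.com": org}, ORG_FWD),
        "host.internal, parent slaved, delegated": resolve_path("host.internal.organization.com", {"organization.com": org_d}, ORG_FWD),
        "host.internal, parent not loaded": resolve_path("host.internal.organization.com", {}, ORG_FWD),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:45} -> {outcome}")
```

The two "not delegated" rows reproduce what both posters saw (NXDOMAIN from the blank /8, and the external wildcard answering for internal.organization.com); adding the NS records at the child apex in the parent zone is what lets the forward zone take effect, which is the check worth running before blaming the forwarders block.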
Queries aborted due to Quota
Hi,

I am monitoring rndc stats output and got

    ++ Resolver Statistics ++
    [Common]
               82121 queries aborted due to quota
                5987 failures in opening query sockets

What does it mean by "queries aborted due to quota" and "failures in opening query sockets"? Is there any OS resource limitation or ?

BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6

Regards,
Ben
Re: Queries aborted due to Quota
Added one question: I found some logs in syslog,

    Jul 28 03:13:42 ns1 named[20922]: adb: grow_entries finished
    Jul 28 03:13:42 ns1 named[20922]: adb: grow_names to 2039 starting
    Jul 28 03:13:42 ns1 named[20922]: adb: grow_names finished

What does it mean by adb growing..?

Is there any document or link from which we can read about rndc stats commands in depth, or any FAQ/information about general error messages regarding bind services?

Best Regards,
Ben

> Hi,
>
> I am monitoring rndc stats output and got
>
>     ++ Resolver Statistics ++
>     [Common]
>                82121 queries aborted due to quota
>                 5987 failures in opening query sockets
>
> What does it mean by "queries aborted due to quota" and "failures in opening query sockets"? Is there any OS resource limitation or ?
>
> BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6
>
> Regards,
> Ben
Re: global forwarders - current BIND9 behaviour documentation
All forwarders in the list will be tried at least some. Every time the fastest forwarder responds the srtt of the remaining forwarders are decayed. Eventually they will be lower and get tried. If they are slower than the original fastest their srtt go back up and the original will be used again. It's the method for retrying a forwarder after it was set high due to a timeout etc.

-Ben Croswell

On Jul 25, 2012 2:36 PM, ip admin ipm...@googlemail.com wrote:

> Hi,
>
> anybody there who can provide a definitive answer on the current BIND 9.7 (or higher) global forwarder behaviour?
>
> I did find the following info before on using multiple forwarders: https://lists.isc.org/pipermail/bind-users/2007-September/067830.html
>
> My expectation based on that is that the fastest responding forwarder will basically always be used until a timeout may occur, i.e. when specifying three forwarders one will be the preferred one based on SRTT and the others are only used if the preferred one goes down.
>
> First of all when doing 'rndc dumpdb -all' I cannot find my forwarders' IP addresses in the named_dump.db at all as explained in the posting above (BIND 9.7.3-P3 on Linux), so I cannot verify the SRTTs. 'rndc stats' / named.stats does not show any info on the forwarders as well.
>
> Also by doing a tcpdump I can see that all three forwarders I have specified are constantly used. However it is not a real round-robin but roughly a 3:2:1 ratio instead (i.e. one receives approx 3 times the number of queries compared to the third one, the other one receives 2 times the number of queries compared to the 3rd one). In fact the 3:2:1 distribution reflects the response time I can manually determine by running dig against all forwarders - the one which responds quickest gets the most queries and the one which is slowest gets the fewest queries.
>
> My server receives quite a few queries (approx 10.000 within a minute). Any idea if the DNS-Server will send every 10th query or so to the slower forwarders?
>
> I also tried to set the logging level to debug 10 for category resolver but no luck at all in finding out which forwarder is used (and why).
>
> So . . . if somebody could explain what the current behaviour is supposed to be that would be helpful.
>
> Regards
> Tom
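The selection loop Ben describes (lowest SRTT wins, the others decay after each query, a timed-out forwarder creeps back into rotation) is easy to see in a small simulation. The following is an added model written for this archive; it is not BIND's resolver code, and the decay factor, the timeout penalty and the per-forwarder latencies are assumptions chosen to make the behaviour visible, not values taken from named.

```python
"""Simulation of the forwarder selection described above: the forwarder with
the lowest smoothed round-trip time (SRTT) gets the query, and after each
query the SRTTs of the forwarders that were not used are decayed, so a slow
or timed-out forwarder is eventually retried.  Added, simplified model, not
BIND's code; the decay factor and timeout penalty are assumptions and the
per-forwarder latencies are constructed input."""
from typing import Dict, Optional

TIMEOUT_PENALTY_MS = 2000.0  # assumed SRTT assigned after a timeout


def select_forwarder(srtt: Dict[str, float]) -> str:
    """Lowest SRTT wins; ties fall back to name order so runs are deterministic."""
    return min(srtt, key=lambda name: (srtt[name], name))


def simulate(latency_ms: Dict[str, Optional[float]], n_queries: int,
             decay: float = 0.98) -> Dict[str, int]:
    """Route n_queries and count how many each forwarder received.
    A latency of None means the forwarder never answers (timeout)."""
    srtt = {name: 0.0 for name in latency_ms}   # unknown SRTT: worth trying
    counts = {name: 0 for name in latency_ms}
    for _ in range(n_queries):
        chosen = select_forwarder(srtt)
        counts[chosen] += 1
        measured = latency_ms[chosen]
        # Refresh the chosen forwarder's SRTT with what was just observed ...
        srtt[chosen] = TIMEOUT_PENALTY_MS if measured is None else measured
        # ... and decay everyone else, so they creep back below the leader.
        for name in srtt:
            if name != chosen:
                srtt[name] *= decay
    return counts


def share(counts: Dict[str, int]) -> Dict[str, float]:
    """Fraction of queries each forwarder received."""
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


if __name__ == "__main__":
    print(share(simulate({"fwd-a": 10.0, "fwd-b": 20.0, "fwd-c": 30.0}, 10000)))
    print(share(simulate({"fwd-a": 10.0, "fwd-b": 20.0, "fwd-dead": None}, 10000)))
```

With constant latencies the fastest forwarder takes most of the traffic, the slower ones are still probed in proportion to how quickly their decayed SRTT drops under the leader's, and a forwarder that times out keeps being retried at a much lower rate; that is the tcpdump picture Tom reports, without any round-robin.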
Re: rndc stats command
Hi,

Thanks for your kind response. Sorry for the delay.

Currently I make a logic with shell scripts: I run my statistics.sh by cron every 1 minute and collect INCOMING QUERY AND CACHE HIT RATIO.

    CACHE HIT RATIO = (INCOMING QUERY - RECURSION) / INCOMING QUERY

Let's say I run it the first time at 10.00 AM: first I clean the named_stat file and then run the rndc stats command, so it will write statistics to the named_stat file, and then I collect incoming query numbers and cache hit ratio.

Second time I run the same logic at 10.01 AM, so this time I again get incoming query numbers and hit ratio value, and while plotting these by rrdtool, I remove the old value (10.00 AM) from the current value (10.01 AM) and get the actual value. In the same fashion, I run the above logic for the time frame.

Kindly correct me if I am running wrong logic.

When I run rndc stats, it gives me full output. Can I get only certain output from it by any command or something? My concern is to find QPS / no. of queries per RR / hit ratio.

Best Regards,
Ben

> On Jul 18 2012, Ben wrote:
>
> > Hi,
> >
> > As per man page and my understanding rndc stats writes current named statistics into the file defined in named.conf. So suppose I run the rndc stats command and then I take required information from the named statistics file. And after some time (after 5 minutes or approx.) when I do rndc stats again, does it provide new statistics?
> >
> > My understanding is that while running rndc stats, it writes current named statistics to the defined file and internally it flushes named statistics (which it wrote into the file as per named.conf). And while running the same command a second time, again it appends fresh/new named statistics to the defined file, is it so? Or is there any interval for rndc / named to generate fresh/new statistics?
> >
> > Kindly correct me if I am missing something...
>
> I think you are missing at least the following:
>
> rndc stats *appends* to the statistics file. It doesn't overwrite any previous contents.
>
> rndc stats does not reset the internal statistics counters (I take it that was what you meant by "flush"). They are always accumulative from when named was last started.
>
> From two successive sets of statistics written by rndc stats, you can deduce what happened during the interval by taking the difference in the values of corresponding counters, and to deduce rates you divide by the length of the interval, which you can deduce from the difference in their timestamps
>
>     +++ Statistics Dump +++ (1342566900)
>     ...
>     --- Statistics Dump --- (1342566900)
>                              ^^
>
> which are in time_t format (seconds since the Unix epoch).
>
> [What's annoyingly missing, by the way, is the time when named was in fact started. That's present in the XML on the statistics channel, but not in the file written by rndc stats.]
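The two facts in the reply above (the file is appended to, and the counters are cumulative since named last started) are exactly what a script has to respect to get Ben's per-minute QPS and hit ratio right: parse every dump in the file, subtract the previous dump's counters from the latest, divide by the timestamp difference, and treat a counter that went down as a restart rather than a negative rate. The following is an added example for this archive, not Ben's statistics.sh and not ISC code; the sample dump is constructed (section and counter names follow the `rndc stats` text format, the numbers are made up), and the hit-ratio formula is Ben's from above.

```python
"""Turn two successive `rndc stats` dumps into per-interval deltas and rates.
Uses the two facts stated above: the file is appended to, and the counters
are cumulative since named last started.  Added example for this thread; the
sample dump is constructed (section and counter names follow BIND's format,
values are made up)."""
import re
from typing import Dict, List, Tuple

Dump = Tuple[int, Dict[str, int]]  # (time_t, {"section/counter": value})

_START = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)$")
_END = re.compile(r"^--- Statistics Dump --- \((\d+)\)$")
_SECTION = re.compile(r"^\+\+ (.+?) \+\+$")
_COUNTER = re.compile(r"^\s*(\d+) (.+?)\s*$")


def parse_dumps(text: str) -> List[Dump]:
    """Return one (timestamp, counters) entry per dump found in the file."""
    dumps: List[Dump] = []
    counters: Dict[str, int] = {}
    stamp, section = 0, ""
    for line in text.splitlines():
        if m := _START.match(line):
            stamp, counters, section = int(m.group(1)), {}, ""
        elif _END.match(line):
            dumps.append((stamp, counters))
        elif m := _SECTION.match(line):
            section = m.group(1)
        elif line.startswith("["):
            continue  # sub-heading such as [Common] or [View: default]
        elif m := _COUNTER.match(line):
            counters[f"{section}/{m.group(2)}"] = int(m.group(1))
    return dumps


def interval(prev: Dump, curr: Dump) -> Tuple[int, Dict[str, int]]:
    """Seconds between two dumps and the per-counter increase in that interval.
    A counter that went down means named restarted in between, so the delta
    would be meaningless; refuse rather than plot garbage."""
    (t0, c0), (t1, c1) = prev, curr
    seconds = t1 - t0
    if seconds <= 0:
        raise ValueError("dumps are not in chronological order")
    deltas: Dict[str, int] = {}
    for key, value in c1.items():
        before = c0.get(key, 0)
        if value < before:
            raise ValueError(f"{key} decreased ({before} -> {value}): named restarted")
        deltas[key] = value - before
    return seconds, deltas


def summarize(text: str) -> Dict[str, float]:
    """QPS, recursion rate, quota aborts per second and the cache-hit ratio
    ((incoming - recursion) / incoming, the formula above) for the last interval."""
    dumps = parse_dumps(text)
    seconds, d = interval(dumps[-2], dumps[-1])
    incoming = d["Incoming Requests/QUERY"]
    recursion = d["Name Server Statistics/queries caused recursion"]
    return {
        "interval_s": seconds,
        "qps": incoming / seconds,
        "recursion_per_s": recursion / seconds,
        "quota_aborts_per_s": d["Resolver Statistics/queries aborted due to quota"] / seconds,
        "cache_hit_ratio": (incoming - recursion) / incoming if incoming else 0.0,
    }


# Constructed sample: two dumps one minute apart, as appended by `rndc stats`.
SAMPLE = """\
+++ Statistics Dump +++ (1342566900)
++ Incoming Requests ++
                1200 QUERY
++ Name Server Statistics ++
                1200 IPv4 requests received
                 300 queries caused recursion
                1150 queries resulted in successful answer
++ Resolver Statistics ++
[Common]
                  40 queries aborted due to quota
                   5 failures in opening query sockets
--- Statistics Dump --- (1342566900)
+++ Statistics Dump +++ (1342566960)
++ Incoming Requests ++
                1800 QUERY
++ Name Server Statistics ++
                1800 IPv4 requests received
                 420 queries caused recursion
                1720 queries resulted in successful answer
++ Resolver Statistics ++
[Common]
                  52 queries aborted due to quota
                   5 failures in opening query sockets
--- Statistics Dump --- (1342566960)
"""

if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(f"{name:20} {value:g}")
```

Because the file only grows, there is no need to delete it before each `rndc stats` as Ben's script does; parsing all dumps and diffing the last two gives the same per-interval numbers, and keeping the history makes a counter that went backwards (a restart) detectable instead of silently producing a negative delta. A rising "queries aborted due to quota" rate between dumps is the signal to watch in the other thread above.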
rndc stats command
Hi,

As per man page and my understanding rndc stats writes current named statistics into the file defined in named.conf. So suppose I run the rndc stats command and then I take required information from the named statistics file. And after some time (after 5 minutes or approx.) when I do rndc stats again, does it provide new statistics?

My understanding is that while running rndc stats, it writes current named statistics to the defined file and internally it flushes named statistics (which it wrote into the file as per named.conf). And while running the same command a second time, again it appends fresh/new named statistics to the defined file, is it so? Or is there any interval for rndc / named to generate fresh/new statistics?

Kindly correct me if I am missing something...

Regards,
Ben
Re: Operation Cancelled Error
How to check, from 10 queries, which are in cache and which are not?

Still, my question is open.. Dear ISC team, can you please suggest what happened with my caching DNS load test? I mean, I want to find the root cause of it.

> On 12 July 2012 at 01:49, Ben benjo11...@gmail.com wrote:
>
> > If someone shares his experience with it, what are the maximum QPS handled by bind? That is good to understand more.
>
> Well, it depends. If you test with a freshly restarted BIND (nothing cached yet), and ask for only external data, you will get one result and be at the mercy of the external nameservers. You will probably get the highest result if you only ask for pre-cached answers, in which case reaching 100k qps (and higher) on a single server should be easy (with some not-too-old hardware)
>
> Regards
> Eivind Olsen
Re: Operation Cancelled Error
Hi,

> On Jul 10, 2012, at 2:25 AM, Ben wrote:
>
> > Hi,
> >
> > We deploy BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 and are trying to do a load test; while doing it we got so many error logs in named.run.
>
> I must admit to being a little confused… It *looks* to me like you are forwarding all queries to 8.8.8.8? (If so, I'm a little confused by the load test bit). You will almost certainly get rate limited with this setup (assuming you have more than one or two users behind this server…

Actually, I am doing load testing with my CACHING DNS SERVER, and for that I setup one client machine which sent queries to the CACHING DNS SERVER, and while doing this, I got the below given errors in the log. So does it point to any network problem or any fine tuning / configuration required for bind? I am using google public dns ips as forwarder in named.conf.

"lame server operation cancelled": does it mean bind cancelled queries which it got from the client ...is it so?

Regards,
Ben

> W
>
> > What does it mean by lame servers operation canceled? Is it due to a network reachability problem or bandwidth problem or anything else related to bind? Kindly guide me to solve it.
> >
> >     10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'osnews.com/MX/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'campaignjobs.asia/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'couponbuddy.s3.amazonaws.com/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'ms-frontend.hse.ru/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'chriss2d.deviantart.com/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'www.cintegral.cl/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'krisknits.blogspot.com/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'css3.info/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'aventuras.isladejuegos.es/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'aliner.com/MX/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'uprl.kandk.ru/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'hospiceheart.org.s8a1.psmtp.com/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'orig-10060.conduit.cotcdn.net/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'sjc-dns1.ebaydns.com/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'sisar4k.com/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'musica.itematika.com/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'video-6.filmix.net/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'shop.ebay.com/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'mediawiki-lb.eqiad.wikimedia.org/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'www.carascorridas.com/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'technologie.gazeta.pl/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'ns1.kasperskylabs.net/A/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.732 lame-servers: info: error (operation canceled) resolving '142.192.186.24.in-addr.arpa/PTR/IN': 8.8.8.8#53
> >     10-Jul-2012 11:47:42.732 lame-servers: info: error (operation canceled) resolving 'geo.tp-cdn.com/A/IN': 8.8.8.8#53
> >
> > Regards,
> > Ben
Re: Operation Cancelled Error
I am doing load testing on our local caching dns. But while doing it, I added google dns and some other dns ips as forwarders to test QPS. Even if I am not using any forwarder, in that case also I am having those same errors which I was getting. I am confused whether those errors are due to bind misconfiguration or something else?

If someone shares his experience with it, what are the maximum QPS handled by bind? That is good to understand more.

Regards,
Ben

> Hi Ben,
>
> At 05:37 11-07-2012, Ben wrote:
>
> > Actually, I am doing load testing with my CACHING DNS SERVER, and for that I setup one client machine which sent queries to the CACHING DNS SERVER, and while doing this, I got the below given errors in the log. So does it point to any network problem or any fine tuning / configuration required for bind? I am using google public dns ips as forwarder in named.conf
>
> Are you doing load testing on Google's DNS server?
>
> Regards,
> -sm
Operation Cancelled Error
Hi,

We deploy BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6 and are trying to do a load test; while doing it we got so many error logs in named.run.

What does it mean by lame servers operation canceled? Is it due to a network reachability problem or bandwidth problem or anything else related to bind? Kindly guide me to solve it.

    10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'osnews.com/MX/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'campaignjobs.asia/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'couponbuddy.s3.amazonaws.com/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'ms-frontend.hse.ru/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'chriss2d.deviantart.com/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'www.cintegral.cl/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'krisknits.blogspot.com/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'css3.info/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'aventuras.isladejuegos.es/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'aliner.com/MX/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'uprl.kandk.ru/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'hospiceheart.org.s8a1.psmtp.com/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'orig-10060.conduit.cotcdn.net/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'sjc-dns1.ebaydns.com/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'sisar4k.com/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'musica.itematika.com/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'video-6.filmix.net/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'shop.ebay.com/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'mediawiki-lb.eqiad.wikimedia.org/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'www.carascorridas.com/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'technologie.gazeta.pl/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.731 lame-servers: info: error (operation canceled) resolving 'ns1.kasperskylabs.net/A/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.732 lame-servers: info: error (operation canceled) resolving '142.192.186.24.in-addr.arpa/PTR/IN': 8.8.8.8#53
    10-Jul-2012 11:47:42.732 lame-servers: info: error (operation canceled) resolving 'geo.tp-cdn.com/A/IN': 8.8.8.8#53

Regards,
Ben
Re: getting edns disabling message in logs
Hi Tony,

Thanks for your kind response. Does disabling EDNS due to a firewall misconfiguration raise any problem for DNS activity? I mean, do my users face any name resolution problems or ...? Is there any way that we can show that the current disabling of EDNS happens because of a firewall issue?

Regards,
Ben

> Ben benjo11...@gmail.com wrote:
>
>> We run BIND as a caching-only DNS server for our customers. In the logs, I can see many entries which say
>> success resolving 'x.y.z/A' (in '.'?) after disabling EDNS
>> How can I check whether the current BIND installation has EDNS enabled or not? What could be the reason behind it?
>
> BIND has EDNS enabled by default. These log messages indicate that BIND is trying and failing to make EDNS queries. This is usually caused by a misconfigured firewall between the name server and the rest of the Internet.
>
> Tony.
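Ben's question above, whether it can be shown that EDNS is being disabled because of a firewall, can be answered from the resolver host itself: send the same question twice, once with an EDNS(0) OPT record and once without, and compare what comes back. That is what named does before it logs "after disabling EDNS". The script below is an added example written for this page; it is not code from the thread, from ISC or from BIND. It uses only the Python standard library. The server address and query name given on the command line are placeholders, and constructed_sample_reply() hand-builds a reply so the parser can be exercised offline.

```python
#!/usr/bin/env python3
"""Probe a DNS server with and without EDNS(0) and compare the outcomes.

Added example for this page, not code from the bind-users thread or from BIND.
Uses only the standard library. The server address and query name on the
command line are placeholders chosen by the operator.
"""
import random
import socket
import struct
import sys

OPT_TYPE = 41          # RR type of the EDNS(0) OPT pseudo-record (RFC 6891)
A_TYPE = 1
IN_CLASS = 1


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=A_TYPE, edns=True, bufsize=4096, txid=None):
    """Build a UDP query; with edns=True an OPT RR advertising bufsize is appended."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100                                   # RD set, everything else clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)
    pkt = header + question
    if edns:
        # OPT RR: root owner name, TYPE=41, CLASS field carries the UDP payload
        # size, TTL field carries extended RCODE/version/flags (all zero), no RDATA.
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0)
    return pkt


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name at data[off:]."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                    # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Extract header flags, answer count and the OPT UDP size (None if no OPT RR)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4               # skip QTYPE + QCLASS
    opt_size = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            opt_size = rclass                        # CLASS doubles as the sender's UDP payload size
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "answers": an, "edns_udp_size": opt_size}


def constructed_sample_reply(txid=0x1234):
    """Hand-built reply (constructed test data, not a capture): one A record plus an OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)     # QR|RD|RA, NOERROR
    question = encode_name("example.net") + struct.pack("!HH", A_TYPE, IN_CLASS)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_TYPE, IN_CLASS, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0)
    return header + question + answer + opt


def probe(server, name, edns, timeout=2.0):
    """Send one query over UDP; return the parsed reply, or None on timeout or ID mismatch."""
    query = build_query(name, edns=edns)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    reply = parse_response(data)
    return reply if reply["id"] == struct.unpack("!H", query[:2])[0] else None


def diagnose(edns_reply, plain_reply):
    """Turn the two outcomes into the statement that named's EDNS fallback implies."""
    if edns_reply is None and plain_reply is None:
        return "server unreachable with or without EDNS: a network problem, not an EDNS one"
    if edns_reply is None:
        return "EDNS blocked: plain query answered, EDNS query unanswered; a filter on the path drops OPT or large UDP"
    if edns_reply["edns_udp_size"] is None:
        return "EDNS stripped: reply carries no OPT record; a middlebox is rewriting responses"
    return "EDNS ok: reply carries OPT with UDP payload size %d" % edns_reply["edns_udp_size"]


if __name__ == "__main__":
    server, name = sys.argv[1], sys.argv[2]       # e.g. 192.0.2.53 example.net (placeholders)
    print(diagnose(probe(server, name, edns=True), probe(server, name, edns=False)))
```

Run it from the BIND host against one of the authoritative servers that appear in the "after disabling EDNS" lines. If the plain query is answered and the EDNS query is not, the path is dropping queries that carry OPT (or the larger replies they elicit), which is the firewall case Tony describes; a reply with no OPT record means something in between stripped it. Either way the resolver still works, because named falls back to plain DNS, but the fallback costs a timeout per server and breaks anything that needs EDNS, DNSSEC validation included.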
getting edns disabling message in logs
Hi,

We run BIND as a caching-only DNS server for our customers. In the logs, I can see many entries which say:

success resolving 'malayalam.samachar.com/A' (in '.'?) after disabling EDNS
success resolving 'm.sify.com/A' (in '.'?) after disabling EDNS
success resolving 'planetradiocity.com/A' (in '.'?) after disabling EDNS
success resolving 'ns-3.2o7.net/A' (in '.'?) after disabling EDNS
success resolving 'ns-2.2o7.net/A' (in '.'?) after disabling EDNS
success resolving 'sifycorp.com/A' (in '.'?) after disabling EDNS

How can I check whether the current BIND installation has EDNS enabled or not? What could be the reason behind it? We do not disable EDNS anywhere in named.conf. Please suggest how to resolve it.

Bind version: BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.3

Regards,
Ben
Re: Operation cancelled Error
Dear ISC Team,

Any input please. If there is anything to be done from my side, kindly suggest it.

Best Regards,
Ben
Re: Operation cancelled Error
Dear ISC Team,

Any suggestions please.

Regards,
Ben
Re: Operation cancelled Error
Hi Jeremy,

Thanks for your kind response.

> On Thu, 24 May 2012, Ben wrote:
>
>> version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
>> CPUs found: 8
>> worker threads: 8
>> number of zones: 19
>> debug level: 0
>> xfers running: 0
>> xfers deferred: 0
>> soa queries in progress: 0
>> query logging is ON
>> recursive clients: 6400/29900/3
>> tcp clients: 0/100
>> server is up and running
>>
>> I constantly watch the rndc status command, and in the recursive-clients field the first value increases to a maximum of 6000-6500. Why is it not going to the maximum which I define 3..?
>
> I don't know why it never reached the maximum. resperf should try to scale up to attempting 100,000 questions in its last second. (At the 60th second I think; the final 40 seconds is waiting for responses.) It only tries 74038 during its total time, but I am not sure what is limiting it. Maybe your datafile is not unique enough? Maybe your source port range is not large enough? So then BIND 9 is matching existing requests and dropping.

My source port range is:

cat /proc/sys/net/ipv4/ip_local_port_range
1024    65535

I downloaded the data file from the resperf provider site.

> It depends a lot on the dataset. (I think I have seen around 17,000 queries with resperf and as low as 236 qps -- in this case it was depending on number of ACLs.)

I am not using more ACLs for testing purposes.

> I don't know why you have the burst of operation canceled. (The ISC_R_CANCELED can happen from different problems.)

Please suggest to us what reasons generate the "operation canceled" error in the named.run log file.

>> rndc status shows 8 worker processes; when I check with pgrep named, it shows only a single instance. So does it need to show 8 instances or not?
>
> 8 worker threads is different than 8 processes.
>
>> Currently we use BIND as a caching name server, so why does rndc status show number of zones 19..?
>
> The 19 zones are built-in zones. (See the ARM for the list.) By the way, to set some comparison maximum baseline you can try having resperf query the built-in zones. (It won't be real recursive work, but should show you some potential maximum qps.)

Is there anything which we need to mind in OS kernel tuning parameters or on the BIND configuration side to achieve more QPS? By the way, what is the highest benchmark for BIND in number of QPS on production servers? I would request, if someone is getting high QPS with BIND on production servers, kindly suggest your inputs.

> Jeremy C. Reed
> ISC

Regards,
Ben
Re: Operation cancelled Error
Hi,

I tried all things to avoid the current problem, but it is still the same. Can we have information on why BIND shows the "operation canceled" error in the named.run file, and why BIND does not take full power? When I do the load test and at the same time watch the rndc status command, it only tries to reach 6000-6500, and then goes back to 0.. Is there anything remaining in BIND to configure, or any issue in the OS? I would request you to please suggest how to solve this.

Regards,
Ben
Re: Operation cancelled Error
Hello,

Any reply please...

Regards,
Ben

> Hi,
>
> I am doing load testing for BIND as a caching DNS server. For that I configured one machine as client and one as server. I set up BIND as a caching DNS server and set recursive-clients 3. While doing the load test from the client machine via resperf, I got many errors in the named.run file, shown below. I checked that at that time there was no high CPU usage / memory usage on the server or the client. Why is the server not permitting the operation?
>
> 23-May-2012 23:30:12.085 error (operation canceled) resolving 'www.thethreadexchange.com//IN': 192.33.14.30#53
> 23-May-2012 23:30:12.085 error (operation canceled) resolving 'c2.nstld.net/A/IN': 192.42.93.31#53
> 23-May-2012 23:30:12.085 error (operation canceled) resolving 'nothirst.com/A/IN': 192.54.112.30#53
> 23-May-2012 23:30:12.085 error (operation canceled) resolving '172.153.42.186.in-addr.arpa/PTR/IN': 199.212.0.53#53
> 23-May-2012 23:30:12.085 error (operation canceled) resolving 'xxy.com/MX/IN': 192.12.94.30#53
> 23-May-2012 23:30:12.086 error (operation canceled) resolving '192.140.138.187.in-addr.arpa/PTR/IN': 193.0.9.3#53
> 23-May-2012 23:30:12.086 error (operation canceled) resolving 'mail.n-u-c.ru/A/IN': 193.232.128.6#53
> 23-May-2012 23:30:12.086 error (operation canceled) resolving 'www.gayteacher.net/A/IN': 108.59.10.134#53
> 23-May-2012 23:30:12.086 error (operation canceled) resolving 'www.forever-christies.com/A/IN': 192.12.94.30#53
> 23-May-2012 23:30:12.086 error (operation canceled) resolving '166.98.232.189.in-addr.arpa/PTR/IN': 200.3.13.10#53
> 23-May-2012 23:30:12.086 error (operation canceled) resolving '89.140.112.200.in-addr.arpa/PTR/IN': 202.12.28.140#53
> 23-May-2012 23:30:12.086 error (operation canceled) resolving '9z772drlt.89ys/A/IN': 192.228.79.201#53
> 23-May-2012 23:30:12.087 error (operation canceled) resolving 'video327.myfreecams.com/A/IN': 192.26.92.30#53
> 23-May-2012 23:30:12.087 error (operation canceled) resolving 'ns1.thny.bbc.co.uk/A/IN': 194.83.244.131#53
> 23-May-2012 23:30:12.087 error (operation canceled) resolving '6.246.26.190.in-addr.arpa/PTR/IN': 200.3.13.10#53
> 23-May-2012 23:30:12.087 error (operation canceled) resolving 'instagram.com/A/IN': 192.54.112.30#53
> 23-May-2012 23:30:12.087 error (operation canceled) resolving 'acriacao.com/A/IN': 192.12.94.30#53
> 23-May-2012 23:30:12.087 error (operation canceled) resolving 'technologie.gazeta.pl/A/IN': 192.203.230.10#53
>
> rndc status shows:
>
> version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
> CPUs found: 8
> worker threads: 8
> number of zones: 19
> debug level: 0
> xfers running: 0
> xfers deferred: 0
> soa queries in progress: 0
> query logging is ON
> recursive clients: 6400/29900/3
> tcp clients: 0/100
> server is up and running
>
> I constantly watch the rndc status command, and in the recursive-clients field the first value increases to a maximum of 6000-6500. Why is it not going to the maximum which I define 3..?
>
> rndc status shows 8 worker processes; when I check with pgrep named, it shows only a single instance. So does it need to show 8 instances or not?
>
> Currently we use BIND as a caching name server, so why does rndc status show number of zones 19..?
>
> Kindly guide me to resolve the above confusion.
>
> BIND build info:
>
> named -V
> BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
>
> From the client machine:
>
> /usr/local/nom/bin/resperf -s 10.115.1.231 -d /root/dnsperf_test_queries.tsv
> DNS Resolution Performance Testing Tool
> Nominum Version 2.0.0.0
>
> [Status] Command line: resperf -s 10.115.1.231 -d /root/dnsperf_test_queries.tsv
> [Status] Sending
> [Status] Reached 65536 outstanding queries
> [Status] Waiting for more responses
> [Status] Testing complete
>
> Statistics:
>
>   Queries sent:         74038
>   Queries completed:    74038
>   Queries lost:         0
>   Run time (s):         100.00
>   Maximum throughput:   2838.00 qps
>   Lost at that point:   24.32%
>
> What are the configuration parameters required to increase QPS for the server? I mean any fine tuning on the BIND / OS side
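Both "operation canceled" posts on this page, the July 2012 one in which every line names 8.8.8.8 and the May 2012 resperf run quoted directly above, show the same shape: dozens of fetches reported as cancelled within one or two milliseconds. Jeremy Reed's reply notes that ISC_R_CANCELED can come from different problems; it is the result named reports when it gives up a fetch it had started, not a message from the remote server, so the first useful step is to see whether the cancellations cluster on one address (a path problem towards that address) or fan out across many servers at one instant (named abandoned the fetches together, which points back at what was happening to its clients, such as the recursive-clients quota during the load test). The script below is an added example written for this page, not code from the thread, from ISC or from BIND. It parses both log layouts seen in the thread (with and without the "lame-servers: info:" category prefix); SAMPLE_LOG mixes lines quoted from the two posts with one constructed "timed out" line, marked as such, to show that other reasons are kept apart.

```python
#!/usr/bin/env python3
"""Summarize 'error (operation canceled) resolving ...' lines from named's log.

Added example for this page; not code from the thread, from ISC or from BIND.
Handles both layouts seen in the thread: with a 'lame-servers: info:' category
prefix and without one. SAMPLE_LOG mixes lines quoted from the thread with one
constructed 'timed out' line so that filtering by reason can be shown.
"""
import re
import sys
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:(?P<category>[\w-]+): (?P<level>\w+): )?"          # optional category/level prefix
    r"error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>[^/']*)/(?P<qtype>[^/']*)/(?P<qclass>[^']*)': "
    r"(?P<server>[^#\s]+)#(?P<port>\d+)$"
)

# Lines 1-7 are quoted from the two posts on this page; the last line is constructed.
SAMPLE_LOG = """\
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'osnews.com/MX/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.730 lame-servers: info: error (operation canceled) resolving 'campaignjobs.asia/A/IN': 8.8.8.8#53
10-Jul-2012 11:47:42.732 lame-servers: info: error (operation canceled) resolving '142.192.186.24.in-addr.arpa/PTR/IN': 8.8.8.8#53
23-May-2012 23:30:12.085 error (operation canceled) resolving 'www.thethreadexchange.com//IN': 192.33.14.30#53
23-May-2012 23:30:12.085 error (operation canceled) resolving 'c2.nstld.net/A/IN': 192.42.93.31#53
23-May-2012 23:30:12.086 error (operation canceled) resolving '192.140.138.187.in-addr.arpa/PTR/IN': 193.0.9.3#53
23-May-2012 23:30:12.087 error (operation canceled) resolving 'instagram.com/A/IN': 192.54.112.30#53
23-May-2012 23:30:12.400 lame-servers: info: error (timed out) resolving 'example.invalid/A/IN': 192.0.2.53#53
"""

BURST_WINDOW_US = 10_000     # fetches cancelled within the same 10 ms are counted as one burst


def parse_line(line):
    """Return a dict of fields for one named log line, or None if it is not a resolver error."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d-%b-%Y %H:%M:%S.%f")
    ev["qtype"] = ev["qtype"] or "?"          # the thread has one line with an empty type: 'name//IN'
    return ev


def summarize(lines, reason="operation canceled"):
    """Count events with the given reason by server, by qtype and by burst window."""
    events = [ev for ev in map(parse_line, lines) if ev and ev["reason"] == reason]
    by_server = Counter(ev["server"] for ev in events)
    by_qtype = Counter(ev["qtype"] for ev in events)

    def bucket(ts):
        return ts.replace(microsecond=(ts.microsecond // BURST_WINDOW_US) * BURST_WINDOW_US)

    bursts = Counter(bucket(ev["ts"]) for ev in events)
    return {"total": len(events), "by_server": by_server, "by_qtype": by_qtype,
            "bursts": bursts, "largest_burst": max(bursts.values(), default=0)}


def describe(summary):
    """Plain-language reading of the summary for the operator."""
    if summary["total"] == 0:
        return ["no matching lines"]
    out = ["%d cancellations against %d distinct servers"
           % (summary["total"], len(summary["by_server"]))]
    server, n = summary["by_server"].most_common(1)[0]
    if n == summary["total"] and summary["total"] > 1:
        out.append("every cancellation named %s: look at the path to that one address "
                   "(forwarder, firewall, route)" % server)
    if summary["largest_burst"] > 1:
        out.append("largest burst: %d fetches cancelled within %d ms; named abandoned them together, "
                   "so start with what happened to its clients at that instant (quota, reload, flush)"
                   % (summary["largest_burst"], BURST_WINDOW_US // 1000))
    return out


if __name__ == "__main__":
    # Usage: canceled_summary.py /var/named/data/named.run   (falls back to SAMPLE_LOG)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for msg in describe(summarize(lines)):
        print(msg)
```

Point it at named.run during the resperf run and compare the burst timestamps with rndc status output taken at the same time: if the bursts line up with the moments the recursive-clients counter falls back from 6000-6500 to 0, the cancellations are the resolver dropping its own outstanding work, and the upstream servers in the messages are not the thing to debug.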