clients-per-query
I keep seeing messages in my named.log file that say things like "clients-per-query increased to 30", then later it says "clients-per-query decreased" to a lower number. When this happens, lookups seem to not be working. What is an acceptable value for a large network?

ddh
--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: clients-per-query
Sorry, my spambox grabbed your earlier reply, my apologies. My clients are a mixed environment of Macs, Windows 7/XP, Androids, etc. At any one time I'll have over 3000 devices connected to the network. I actually have one internal DNS server for the internal network and 2 external DNS servers. I turned on logging for queries on all the DNS servers and will monitor that. I'm currently searching the logs to see if some clients query more than others to try and figure out if one is infected with some kind of malware.

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
Re: clients-per-query
> 3000 devices isn't much, even for a modest BIND server. Did this configuration work in the past? What changed? Is there a network rate limiting device in place that could be affecting the queries to the authoritative servers? Have you talked to your networking team? They would never make changes without informing, I'm sure. :)

Actually I am the network team and I've made no changes. Which is why this has me very puzzled.

ddh
--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
clients-per-query increased to 15
I've started having some issues with one of my subnets. I'm seeing messages like the following in my log files:

clients-per-query increased to 15

I did a little googling and found where this is adjustable per the named.conf. I currently don't have anything in my named.conf that outlines this. I'm currently running BIND 9.9.1-P2 with 31 zone files (all on a separate subnet). The server has 8 virtual interfaces that answer for each subnet. This worked fine in the past, but I think I may have reached my limit. DNS and DHCP run on the same server. Can I increase this limit to help my DNS issue, or is this going to be counterproductive? Should I separate and run a physical DNS server at each site, instead of using one for all 8 sites? There are gig links between each site and my DNS server.

ddh
--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
cname record
I would like for users inside my network to not be able to do SSL searches with Google, because of CIPA compliance issues. I added a CNAME record to my zone file:

www.google.com CNAME nosslsearch.google.com

to try and get it to redirect. Since I'm not authoritative for google, I don't think this will work no matter how I tweak it. Am I right in this assumption?

thanks,
ddh
--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
dhcpd
I recently set up a new DHCP server. In my logfiles yesterday I noticed the following message:

BOOTP from dynamic client and no dynamic leases

I checked the MAC addresses of these clients and thus far they are all iPads, iPods or iPhones. These devices have gotten IPs in the past. In my dhcpd.conf file I have:

deny dynamic bootp clients;

I see that I'm handing out IPs for the subnets, and my range should be plenty big. Has anyone else seen these messages with iPods, iPads or iPhones? We have quite a few of these devices on the network now and I want to ensure that they work correctly. I'm running dhcpd version 3.0.5 built from RPM on CentOS 6.

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
Re: dhcpd
Great to hear I'm not the only one seeing this. Haven't seen any Androids yet. I don't think it is any that are jailbroken. One of the devices is division owned so I know it isn't. Just crappy OSes. The settings on the iPads actually have a tab for BOOTP, but no way to change that.

ddh

On Thu, Oct 18, 2012 at 9:28 AM, Jim Glassford jmgl...@iup.edu wrote:

> Hi,
> Running 4.1.1-P1 and we see these also from iThings and Androids. Tried to verify if the ones doing it were jailbroken or something else in common but never got to the bottom of it. Enabling BOOTP, they continued to ask. We just continue to deny BOOTP for subnets that have no need for it and ignore them. Five doing it so far today out of 4200.
>
> dhcpd: BOOTREQUEST from 14:5a:05:eb:dc:f3 via 144.80.36.19: bootp disallowed
>
> jim
>
> On 10/18/2012 8:42 AM, Dwayne Hottinger wrote:
>> I recently set up a new DHCP server. In my logfiles yesterday I noticed the following message:
>>
>> BOOTP from dynamic client and no dynamic leases
>>
>> I checked the MAC addresses of these clients and thus far they are all iPads, iPods or iPhones. These devices have gotten IPs in the past. In my dhcpd.conf file I have:
>>
>> deny dynamic bootp clients;
>>
>> I see that I'm handing out IPs for the subnets, and my range should be plenty big. Has anyone else seen these messages with iPods, iPads or iPhones? We have quite a few of these devices on the network now and I want to ensure that they work correctly. I'm running dhcpd version 3.0.5 built from RPM on CentOS 6.

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
10.40.9.170#63429: error sending response: not enough free resources
I installed a replacement DNS/DHCP server in May. I started seeing these messages in my named.log:

10.40.9.170#63429: error sending response: not enough free resources

IP addresses varied. Messages usually corresponded to periods when I would expect there to be a higher load (after class changes, lab logins, etc.). I googled around and found some info relating to network cards either being bad, not having enough buffers, etc. So I spent a couple of days building a new DNS/DHCP server with gig cards. Just got everything online, server is handing out IPs and answering DNS queries. I'm seeing the same behaviour. Is this something I should worry about, or is there some way to fix it? I'm not able to correspond it to any network issues at this time. The server is serving 8 VLANs through 8 virtual interfaces plugged into a Cisco layer 3 switch.

thanks,
ddh
--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
dhcp error messages
I have started getting "error sending response: not enough free resources" on my DHCP server during random times during the day. Google isn't providing much other than it could be an issue with the switch, or a network card issue. top on the server doesn't show it using hardly any resources at all. Are there settings in DHCP that I can set that will give it more resources to use?

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
Re: What can cause excessive amount of _dns-sd queries?
box is an HTTP origin server... I'd look into what programs they're running and how those are configured. Other than that, no: there is no reason for a typical DNS client to attempt TCP/443 unless your clients are running dnssec-trigger [1]

-JP

[1] http://www.nlnetlabs.nl/projects/dnssec-trigger/

--

Message: 5
Date: Thu, 23 Aug 2012 13:43:32 +0200
From: Eivind Olsen eiv...@aminor.no
To: bind-users@lists.isc.org
Subject: What can cause excessive amount of _dns-sd queries?
Message-ID: f1b6bb7cae5eb19a9c6014f2898661e7.squir...@webmail.aminor.no
Content-Type: text/plain;charset=iso-8859-1

Hello. I haven't seen this before.. I'm currently seeing someone (1 IP address) do about 2.1 million queries / hour where a majority of the queries seem to be:

b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
talk.l.google.com IN A +
gmail-pop.l.google.com IN A +
gmail-imap.l.google.com IN A +

...and similar variations of these. Have any of you seen something like this before?

Regards
Eivind Olsen

--

Message: 6
Date: Thu, 23 Aug 2012 13:58:57 +0200
From: Torsten Segner tors...@segner.eu
To: bind-users@lists.isc.org
Subject: Re: What can cause excessive amount of _dns-sd queries?
Message-ID: 20120823135857.5f1cc...@hp-tsegner.adoffice.local.de.easynet.net
Content-Type: text/plain; charset=US-ASCII

On Thu, 23 Aug 2012 13:43:32 +0200, Eivind Olsen eiv...@aminor.no wrote:

> Hello. I haven't seen this before.. I'm currently seeing someone (1 IP address) do about 2.1 million queries / hour where a majority of the queries seem to be:
>
> b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> talk.l.google.com IN A +
> gmail-pop.l.google.com IN A +
> gmail-imap.l.google.com IN A +
>
> ...and similar variations of these. Have any of you seen something like this before?

Hi Eivind,

these seem to be DNS Service Discovery requests and yes, we see loads of them on our servers.
http://files.dns-sd.org/draft-cheshire-dnsext-dns-sd.txt

Ciao
Torsten

--

End of bind-users Digest, Vol 1292, Issue 1

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
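A way to do the per-client log search Dwayne describes in the clients-per-query thread and to spot the kind of single-source _dns-sd flood Eivind reports above, as an added example that is not code from any poster: it parses BIND query-log lines (the line shape is assumed from BIND 9.9 writing to a file channel with print-time on; the sample lines are constructed, and only the address 10.40.9.170 and the _dns-sd names come from the threads) and ranks clients by query count.

```python
import re
from collections import Counter

# Assumed BIND 9.9 query-log line shape; only the "client ...: query: NAME IN TYPE"
# part is parsed, the rest of the line is ignored:
#   18-Oct-2012 09:28:00.123 queries: info: client 10.40.9.170#63429: query: \
#       b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR + (10.40.9.1)
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (client_ip, qname, qtype) for each query line; other log lines are skipped."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower(), m.group("qtype").upper()


def summarize(lines, dns_sd_marker="._dns-sd._udp."):
    """Return (queries per client, DNS-SD PTR queries per client) as two Counters."""
    total, dns_sd = Counter(), Counter()
    for ip, qname, qtype in parse_query_log(lines):
        total[ip] += 1
        if qtype == "PTR" and dns_sd_marker in qname:
            dns_sd[ip] += 1
    return total, dns_sd


def noisy_clients(lines, threshold):
    """Clients sending more than `threshold` queries, busiest first,
    as (ip, total queries, DNS-SD PTR queries)."""
    total, dns_sd = summarize(lines)
    return [(ip, n, dns_sd[ip]) for ip, n in total.most_common() if n > threshold]


def _q(ip, qname, qtype="A"):
    # Build one constructed query-log line in the assumed shape above.
    return (f"18-Oct-2012 09:28:00.123 queries: info: client {ip}#51234: "
            f"query: {qname} IN {qtype} + (10.40.9.1)")


# Constructed sample log: 10.40.9.170 is the chatty client, the others are normal,
# and one non-query line shows that unrelated log entries are ignored.
SAMPLE_LOG = [
    _q("10.40.9.170", "b._dns-sd._udp.0.129.16.172.in-addr.arpa", "PTR"),
    _q("10.40.9.170", "db._dns-sd._udp.0.129.16.172.in-addr.arpa", "PTR"),
    _q("10.40.9.170", "r._dns-sd._udp.0.129.16.172.in-addr.arpa", "PTR"),
    _q("10.40.9.170", "talk.l.google.com"),
    _q("10.40.9.171", "www.example.com"),
    _q("10.40.9.172", "mail.example.com", "MX"),
    "18-Oct-2012 09:28:01.000 general: info: clients-per-query increased to 15",
]

if __name__ == "__main__":
    for ip, n, sd in noisy_clients(SAMPLE_LOG, threshold=2):
        print(f"{ip}: {n} queries, {sd} of them _dns-sd PTR lookups")
```

On a real log, read the file line by line and pick the threshold from the per-hour volume you consider normal for one host; a client far above it with mostly _dns-sd PTR names is the service-discovery pattern Torsten describes rather than malware by itself.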
Re: 2 dns records for same server
In my case my clients are getting all DNS servers, which is what my issue was. Glad for all the help.

thanks,
ddh

On Mon, Aug 20, 2012 at 9:33 AM, wbr...@e1b.org wrote:

> Lightner, Jeff jlight...@water.com wrote on 08/20/2012 08:56:56 AM:
>
> That is to say don't put the external servers in /etc/resolv.conf on your clients - only put the internal one there. (Or the Windows equivalent setup should only see your internal DNS server.)
>
> Or push via DHCP as in this case.
>
> I would correct the prior post not to say EVER but rather not directly. Often in an internal/external configuration only the external server queries the internet and the internal one forwards requests it gets to the external one. It doesn't matter if the external server the internal DNS server is pointing to also has records for the domains because the internal server would already have answered for the domains it is authoritative for before trying to forward. We have internal/external setup here for one domain and have no problems doing this. (Oddly enough we also have views but that's another story...)
>
> We're using different semantics here. I meant that the workstation should only send queries to the internal server and get answers from same. Where that data comes from, is not important, at least from the perspective of the workstation as long as it is correct. Put another way, packets are only exchanged between workstation and the internal name server.
>
> Also, this is only for normal operations. Use of host/dig/nslookup directed at any specific DNS servers not included.

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
Re: 2 dns records for same server
Doug,

My problem lies in the way my DNS/DHCP is set up. My internal WAN is set up with each site in its own zone. I have an internal DNS server (10.) that is authoritative for its zones. When I add the internal IP of the server in question to internal it works great. Comes back with correct IP and webpages load. I need the box in question to also have an external IP. So I'm NATing its external public IP through my firewall. Add the server to my external DNS servers (which are authoritative for my external IPs), resolves fine with external and internal. My hosts get the IPs of all 3 DNS servers when they receive DHCP information. Also, my internal DNS sends updates to my external. Some clients inside will connect fine every time to the right IP. Some try to connect to the public IP every time. My firewall doesn't know what to do with traffic coming from inside to the IP that it is NATing to an inside address. Essentially what I need is for my inside clients to only see the 10. when querying, and outsiders to only see outside, not both. It was mentioned I needed to look at views. I think that and a rework of my DNS/DHCP in general would solve the issue. However, I do have a DMZ set up for my public IPs. I essentially dodged this issue by putting the server in the DMZ and giving it the IP I was trying to NAT, and only have one DNS entry.

I appreciate all the insight and nudging in the right direction that this overworked sysadmin got from the list. As always very, very grateful.

thanks,
ddh

On Sun, Aug 19, 2012 at 6:21 PM, Doug Barton do...@dougbarton.us wrote:

> On 08/18/2012 05:49, Dwayne Hottinger wrote:
>> I need to have 2 separate DNS records for the same servername.
>
> You're focusing on what you think the solution should be. What I'd like to do is to look more closely at the problem.
>
>> My DNS is set up with a DNS server inside my network (serving the 10) and 2 DNS servers for my public IPs. My LAN is set up so that each of my sites (schools) is in a different DNS zone.
>> What I want to happen is the URL or name of the server to be the same regardless of where the user is, either inside or outside my network.
>
> What do you mean when you say that the servers are serving either the 10 net, or the public addresses? Do you mean that they are authoritative-only name servers that have different views of the same zones? Or are they recursive?
>
>> So far I have tried setting up a separate zone file for my internal DNS and adding the entry to my external like I normally do.
>
> I don't understand what you did here. Can you show the actual text you put in the files?
>
> Given that I'm not sure what you are trying to accomplish, take this suggestion with a grain of salt. But it sounds to me like you could solve your problem by making the resolving name server(s) for the internal network authoritative for the 10-net versions of your zones. That way you don't have to give the name server in question an A record in the 10-net at all.
>
> hth,
>
> Doug
>
> --
> I am only one, but I am one. I cannot do everything, but I can do something. And I will not let what I cannot do interfere with what I can do.
> -- Edward Everett Hale, (1822 - 1909)

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
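One way to implement the views approach that Doug's suggestion and the "look at views" remark point to, as an added example and not a configuration posted in the thread: the internal resolver is authoritative for the 10-net copy of each zone, and everyone else is served the public copy. The zone name, ACL name and file paths are assumed placeholders.

```conf
// Added split-horizon named.conf example (not from the thread).
// Assumed placeholders: zone "school1.example", internal prefix 10.0.0.0/8,
// zone files under /var/named/. Once any view is defined, every zone,
// including the root hints zone, has to live inside a view.
acl "internal-nets" { 10.0.0.0/8; localhost; };

view "internal" {
    // Views are tried in order and the first match wins, so the
    // internal view comes first.
    match-clients { internal-nets; };
    recursion yes;

    // Internal copy of the zone: the server's A record here is its
    // 10.x address, and the public address is not present at all.
    zone "school1.example" {
        type master;
        file "/var/named/internal/school1.example.zone";
    };

    // Root hints so the internal view can still recurse for the rest
    // of the Internet.
    zone "." {
        type hint;
        file "/var/named/named.ca";
    };
};

view "external" {
    // Everyone else: public copy of the zone, and no recursion for
    // outsiders.
    match-clients { any; };
    recursion no;

    zone "school1.example" {
        type master;
        file "/var/named/external/school1.example.zone";
    };
};
```

Combined with handing internal clients only the internal server via DHCP, as wbrown's reply describes, an inside host never receives the public address and never tries the NATed IP first.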
2 dns records for same server
I need to have 2 separate DNS records for the same servername. Essentially when inside my network (10.) I need it to resolve to a 10. IP address. When outside it needs to resolve to my public IP. Everything I've done so far with my DNS records has returned 2 IPs. In other words when doing a host servername or nslookup servername I get both the external and internal IPs of the server. This seems to be causing issues with the applications on the server. Some computers inside my network are trying to connect to the public IP (which is being NATed from my firewall), those that are connecting are extremely slow. The slowness leads me to believe that they are first trying the public IP before hitting the private. My DNS is set up with a DNS server inside my network (serving the 10) and 2 DNS servers for my public IPs. My LAN is set up so that each of my sites (schools) is in a different DNS zone. What I want to happen is the URL or name of the server to be the same regardless of where the user is, either inside or outside my network. So far I have tried setting up a separate zone file for my internal DNS and adding the entry to my external like I normally do. This is what resolves with 2 IPs. Is there any way to get my DNS servers to do this?

thanks,
ddh
--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools