Re: windows client request timed out

2015-06-22 Thread Fr34k
Put a dot at the end of the query hostname so that Windows doesn't add whatever 
domain name suffix/es the Windows client may be configured with.  That is, 
  nslookup google.com.
It may be the case that the Windows client is adding whatever domain name 
suffix/es it has been configured with (e.g., google.com.vivacell.com) and 
perhaps those queries are timing out until it finally tries google.com as the 
FQDN.

If a mystery remains, one can turn on nslookup debugging via:
  set d2
whose additional output may explain what is going on.  That is, enter 
nslookup, then enter set d2, then enter a query such as google.com


 I hope this helps.


 On Monday, June 22, 2015 7:36 AM, Niall O'Reilly niall.orei...@ucd.ie 
wrote:
   

 On Mon, 22 Jun 2015 12:07:31 +0100,
Zelalem Fanta Woldesemayat wrote:
 
 Dear all,
 
 I’ve configured BIND 9.9.4. as a cache only server on our DMZ so that
 it can serve as a DNS server for the internal network. Inside the DMZ
 zone the request time out is very fast and the DNS service resolves
 very quickly. But the problem is from the inside network. When I tried
 nslookup it gives the following message. Would you please help me to
 resolve this issue.

  Perhaps you need to configure named to allow access from the client
  network.  The ISC Knowledge Base has an article which may be useful:
  
https://kb.isc.org/article/AA-00269/0/What-has-changed-in-the-behavior-of-allow-recursion-and-allow-query-cache.html

  Best regards,
  Niall O'Reilly
  
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: ASSERT messages

2014-04-10 Thread Fr34k
Maybe this:

3212.   [bug]   rbtdb.c: failed to remove a node from the deadnodes
list prior to adding a reference to it leading a
possible assertion failure. [RT #23219] 

source: ftp://ftp.isc.org/isc/bind9/9.8.6/CHANGES 


Note:  I stopped looking once I found this.  Feel free to dig deeper.

On Thursday, April 10, 2014 3:28 PM, Bischof, Ralph F. (MSFC-IS40)[NICS] 
ralph.bisc...@nasa.gov wrote:
 
Hello,

    We have ~125 servers. About 1330 Central yesterday, the named of 6 of these 
crashed in 2 hours time (not at the same time, but within two hours). Since 
then, there have been other asserts at the same machines and with several other 
machines (total of 11 now). There have been no changes to the configuration, no 
updates to software or hardware, nothing to point as to why this started up all 
of a sudden. The assert message is below. Anyone know of why this may have 
started?

Note Replaced server IP address with xxx.xxx.xxx.xxx

BIND 9.8.5-P2
RHEL 5.10

10-Apr-2014 17:36:00.119 general: ../../../lib/dns/rbtdb.c:1150: 
REQUIRE(rbtdb->future_version == ((void *)0)) failed, back trace
10-Apr-2014 17:36:00.119 general: #0 0x413c1f in assertion_failed()+0x5f
10-Apr-2014 17:36:00.119 general: #1 0x64fbfa in isc_assertion_failed()+0xa
10-Apr-2014 17:36:00.119 general: zone ksc.nasa.gov/IN: refused notify from 
non-master: xxx.xxx.xxx.xxx#6675
10-Apr-2014 17:36:00.119 general: #2 0x4b6c9c in newversion()+0x4c
10-Apr-2014 17:36:00.119 general: #3 0x4467ea in update_action()+0x29a
10-Apr-2014 17:36:00.119 general: #4 0x66e08c in run()+0x2dc
10-Apr-2014 17:36:00.119 general: #5 0x2b00f98a483d in _fini()+0x2b00f92221d5
10-Apr-2014 17:36:00.119 general: #6 0x2b00fa36526d in _fini()+0x2b00f9ce2c05
10-Apr-2014 17:36:00.119 general: exiting (due to assertion failure)

Thank you,
Ralph F. Bischof, Jr.
NASA Agency DDI
SAIC/NICS
256-544-3982



Re: BIND 9.9.1-P4 is now available

2012-10-26 Thread Fr34k
Hello Jeremy,

Thank you for your reply.
I plan to send more information to ISC when I have it - FYI

Looks like my response didn't make it out yesterday, so here is another attempt.
Please see my responses within below:




- Original Message -
 From: Jeremy C. Reed jr...@isc.org
 To: Fr34k freaknet...@yahoo.com
 Cc: Bindlist bind-us...@isc.org
 Sent: Thursday, October 25, 2012 3:29 PM
 Subject: Re: BIND 9.9.1-P4 is now available
 
  Let me define what hung means in our experience:  We find that named is 
  running but will not respond to queries, rndc status will respond with 
  output but that output shows that named is not processing any queries (see 
  below), other rndc commands appear to work as well (e.g., rndc dumpdb).
 
 Does it work if you restart named?

Yes.  That is, when we restart named/9.9.1-P3 it works as well as it did since 
it was installed 10/3/2012

 
 If not, can you confirm it is listening on your intended interfaces 
 (including 127.0.0.1) even if not working?
 
  $ time host www.google.com 127.0.0.1
  ;; connection timed out; no servers could be reached
 
 Can you confirm that you can query for that without? (Such as  dig 
 @216.239.34.10 www.google.com  or dig @8.8.8.8 www.google.com)
 

Yes, and I just didn't provide any of those examples (sorry).
That is, I can say that any query (localhost or 3rd party hostnames) results in 
same outcome of connection timed out; no servers could be reached.

  $ time host localhost 127.0.0.1
  ;; connection timed out; no servers could be reached
 
 Do you have a localhost zone defined? (Sometimes the messages from host 
 like the one above are misleading and even the named may be working 
 correctly but it is slow.)

While we do have a localhost zone defined, any of our spot checks for local vs. 
off-network queries would fail.
Once we restart 9.9.1-P3, everything works again

 
   Jeremy C. Reed
   ISC
 


Re: BIND 9.9.1-P4 is now available

2012-10-25 Thread Fr34k
Hello,

We are finding several of our recursive BIND 9.9.1-P3 servers (on Solaris 
10 OS) hung and I want to be able to qualify the symptoms in order to 
convince others that P4 (or 9.9.2?) will (or will not) address this.

Let me define what hung means in our experience:  We find that named is 
running but will not respond to queries, rndc status will respond with output 
but that output shows that named is not processing any queries 
(see below), other rndc commands appear to work as well (e.g., rndc dumpdb).


From what I understand, P4 offers this known bug fix:

*  A deliberately constructed combination of records could cause named
   to hang while populating the additional section of a response.
   [RT #31090] -- CVE-2012-5166: Specially crafted DNS data can cause a lockup 
in named

Additional details are mentioned in 
https://kb.isc.org/article/AA-00801/74/CVE-2012-5166%3A-Specially-crafted-DNS-data-can-cause-a-lockup-in-named.html: 
 A nameserver that has become locked-up due to the problem reported in 
this advisory will not respond to queries or control commands.

So, our hang issue qualifies for the ...will not respond to queries; 
however, it seems that our issue does *not* qualify for the ... will 
not respond to... control commands piece if the responses from rndc 
are considered control command.

Thoughts?

Thank you.


$ rndc status
version: 9.9.1-P3
(version.bind/txt/ch disabled)
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 36
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/3900/4000
tcp clients: 0/100
server is up and running

$ time host www.google.com 127.0.0.1
;; connection timed out; no servers could be reached

real    0m10.035s
user    0m0.017s
sys     0m0.017s
$ time host localhost 127.0.0.1
;; connection timed out; no servers could be reached

real    0m10.034s
user    0m0.017s
sys     0m0.017s

$ truss -p 17657
/4:     lwp_park(0xFE9AFD48, 0)                         (sleeping...)
/3:     lwp_park(0x, 0)                                 (sleeping...)
/1:     sigtimedwait(0xFFBFFBE8, 0xFFBFFB68, 0x)        (sleeping...)
/2:     lwp_park(0x, 0)                                 (sleeping...)
/5:     ioctl(8, DP_POLL, 0xFE98FF80)                   (sleeping...)
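
The symptom described in this message (named running, rndc answering, every 
query to 127.0.0.1 timing out after 10 s) is easier to alarm on with a probe 
that distinguishes a timeout from a closed port and from a real answer. The 
following is an added example, not code from the original thread or from ISC; 
it assumes named is expected on 127.0.0.1:53 and reuses the thread's probe 
name www.google.com, with nothing beyond the Python standard library so it 
runs unchanged on the Solaris 10 hosts mentioned.

```python
"""Probe a resolver the way `host www.google.com 127.0.0.1` does, but with
an explicit timeout and a verdict that separates "nothing came back" from
"the port is closed" and from "an answer came back".

Added example, not code from the original thread.  Assumptions: named is
expected on 127.0.0.1:53 (RESOLVER) and the probe name is the one used in
the thread.  Standard library only.
"""
import random
import socket
import struct

RESOLVER = ("127.0.0.1", 53)          # assumption: where named should listen
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, qid=None):
    """Return a minimal DNS query: RD=1, one IN-class question, no EDNS."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        qname += struct.pack("!B", len(raw)) + raw
    qname += b"\x00"                                   # root label
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header; raises ValueError on a short message."""
    if len(msg) < 12:
        raise ValueError("short DNS message (%d bytes)" % len(msg))
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def rcode_name(code):
    return RCODES.get(code, "RCODE%d" % code)


def probe(name="www.google.com", timeout=2.0, server=RESOLVER):
    """Send one UDP query and classify the outcome.

    Returns (verdict, header_or_None) where verdict is:
      'answered'  - a response with our ID and QR=1 arrived (check rcode)
      'timeout'   - nothing arrived before the timeout: the "hung" symptom
      'refused'   - ICMP port unreachable: nothing is listening at all
                    (Linux reports this; BSD-derived stacks usually just
                    time out, so do not rely on the distinction there)
      'mismatch'  - something arrived but it is not a reply to our query
    """
    query = build_query(name)
    qid = struct.unpack("!H", query[:2])[0]
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, server)
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout", None
    except ConnectionRefusedError:
        return "refused", None
    finally:
        sock.close()
    try:
        hdr = parse_header(data)
    except ValueError:
        return "mismatch", None
    if hdr["id"] != qid or not hdr["qr"]:
        return "mismatch", hdr
    return "answered", hdr


if __name__ == "__main__":
    verdict, hdr = probe()
    if verdict == "answered":
        print("answered:", rcode_name(hdr["rcode"]), "answers:", hdr["ancount"])
    else:
        print(verdict)
```

Run it from cron against each resolver and treat 'timeout' while rndc status 
still reports "server is up and running" as the hang signature worth paging 
on; an 'answered' verdict with SERVFAIL is a different problem and should be 
tracked separately.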

Re: BIND 9.9.1-P4 is now available

2012-10-25 Thread Fr34k
Hello Again,

I could have made my question a bit more clear as I try to understand the 
details behind what P4 addresses.


Perhaps I am having an internal battle between logic vs. interpretation around 
"or".  Let me explain.


I'm wondering if a named process affected by CVE-2012-5166 has symptoms of both 
(1) not respond to queries and (2) not respond to control commands at the 
same time, all the time.  If that is the case, then P4 will not address my 
issue as I am only seeing (1) and so there may be another bug affecting BIND 
stability which I would like to report.


Thank you.





 From: Fr34k freaknet...@yahoo.com
To: Bindlist bind-us...@isc.org 
Sent: Thursday, October 25, 2012 9:51 AM
Subject: Re: BIND 9.9.1-P4 is now available
 

Hello,


We are finding several of our recursive BIND 9.9.1-P3 servers (on Solaris 
10 OS) hung and I want to be able to qualify the symptoms in order to 
convince others that P4 (or 9.9.2?) will (or will not) address this.


Let me define what hung means in our experience:  We find that named is 
running but will not respond to queries, rndc status will respond with output 
but that output shows that named is not processing any queries 
(see below), other rndc commands appear to work as well (e.g., rndc dumpdb).



From what I understand, P4 offers this known bug fix:


*  A deliberately constructed combination of records could cause named
   to hang while populating the additional section of a response.
   [RT #31090] -- CVE-2012-5166: Specially crafted DNS data can cause a lockup 
in named


Additional details are mentioned in 
https://kb.isc.org/article/AA-00801/74/CVE-2012-5166%3A-Specially-crafted-DNS-data-can-cause-a-lockup-in-named.html: 
 A nameserver that has become locked-up due to the problem reported in 
this advisory will not respond to queries or control commands.


So, our hang issue qualifies for the ...will not respond to queries; 
however, it seems that our issue does *not* qualify for the ... will 
not respond to... control commands piece if the responses from rndc 
are considered control command.


Thoughts?


Thank you.



$ rndc status
version: 9.9.1-P3
(version.bind/txt/ch disabled)
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 36
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/3900/4000
tcp clients: 0/100
server is up and running


$ time host www.google.com 127.0.0.1
;; connection timed out; no servers could be reached

real    0m10.035s
user    0m0.017s
sys     0m0.017s
$ time host localhost 127.0.0.1
;; connection timed out; no servers could be reached

real    0m10.034s
user    0m0.017s
sys     0m0.017s


$ truss -p 17657
/4:     lwp_park(0xFE9AFD48, 0)                         (sleeping...)
/3:     lwp_park(0x, 0)                                 (sleeping...)
/1:     sigtimedwait(0xFFBFFBE8, 0xFFBFFB68, 0x)        (sleeping...)
/2:     lwp_park(0x, 0)                                 (sleeping...)
/5:     ioctl(8, DP_POLL, 0xFE98FF80)                   (sleeping...)

Re: BIND 9.9.1-P4 is now available

2012-10-25 Thread Fr34k
Hello Jeremy,

Thank you for your reply.


 Let me define what hung means in our experience:  We find that named is
 running but will not respond to queries, rndc status will respond with
 output but that output shows that named is not processing any queries (see
 below), other rndc commands appear to work as well (e.g., rndc dumpdb).

Does it work if you restart named?

Yes.  That is, everything is up and running again after we restart named.

9.9.1-P3 has been running on several servers since 10/3 without any known 
issues... until today.



If not, can you confirm it is listening on your intended interfaces 
(including 127.0.0.1) even if not working?

 $ time host www.google.com 127.0.0.1
 ;; connection timed out; no servers could be reached

Can you confirm that you can query for that without? (Such as  dig 
@216.239.34.10 www.google.com  or dig @8.8.8.8 www.google.com)

 $ time host localhost 127.0.0.1
 ;; connection timed out; no servers could be reached

Do you have a localhost zone defined? (Sometimes the messages from host 
like the one above are misleading and even the named may be working 
correctly but it is slow.)

Yes, we do have a localhost zone defined.
However, queries for 3rd party hostnames (e.g., www.google.com) were failing as 
well.



  Jeremy C. Reed
  ISC




Re: A lot of queries from a customer.

2012-07-17 Thread Fr34k
We have been monitoring the same.

Google found an unrelated, yet similar, issue a few years ago:  
http://pages.cs.wisc.edu/~plonka/netgear-sntp/#ToC16






 From: Rafael Molina rafael.mol...@interlink.net.ve
To: bind-users@lists.isc.org 
Sent: Thursday, June 28, 2012 8:30 AM
Subject: A lot of queries from a customer.
 

 Hi,
 
 Recently, I have been watching on one DNS server a lot of queries from a 
 customer to "time-b.netgear.com" (maybe Netgear's NTP server).
 
 About 1000 queries per minute.
 
 tail -f /var/log/bind9-query.log | grep time-b.netgear.com
 
 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query: 
 time-b.netgear.com IN A + (10.1.xx.xx)
 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query: 
 time-b.netgear.com IN A + (10.1.xx.xx)
 21-Jun-2012 12:50:53.003 client 186.14.xx.xx#32770: query: 
 time-b.netgear.com IN A + (10.1.xx.xx)
 21-Jun-2012 12:50:53.008 client 186.14.xx.xx#32770: query: 
 time-b.netgear.com IN A + (10.1.xx.xx)
 21-Jun-2012 12:50:53.009 client 186.14.xx.xx#32770: query: 
 time-b.netgear.com IN A + (10.1.xx.xx)
 21-Jun-2012 12:50:53.009 client 186.14.xx.xx#32770: query: 
 time-b.netgear.com IN A + (10.1.xx.xx)
 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query: 
 time-b.netgear.com IN A + (10.1.xx.xx)
 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query: 
 time-b.netgear.com IN A + (10.1.xx.xx)
 21-Jun-2012 12:50:53.015 client 186.14.xx.xx#32770: query: 
 time-b.netgear.com IN A + (10.1.xx.xx)
 
 tcpdump -i eth0 port 53 and host 186.14.xx.xx
 
 12:54:28.375374 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A? 
 time-b.netgear.com. (36)
 12:54:28.375479 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A? 
 time-b.netgear.com. (36)
 12:54:28.375507 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A? 
 time-b.netgear.com. (36)
 12:54:28.375553 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 16150+ A? 
 time-b.netgear.com. (36)
 12:54:28.375638 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 44669+ A? 
 time-b.netgear.com. (36)
 12:54:28.376424 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 2/13/3 
 CNAME nsone.netgear.com., A 209.249.181.21 (343)
 12:54:28.376525 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 2/13/3 
 CNAME nsone.netgear.com., A 209.249.181.21 (343)
 12:54:28.376807 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 2/13/3 
 CNAME nsone.netgear.com., A 209.249.181.21 (343)
 12:54:28.376845 IP inter.net.ve.domain > 186.14.xx.xx.32770: 16150 2/13/3 
 CNAME nsone.netgear.com., A 209.249.181.21 (343)
 12:54:28.376906 IP inter.net.ve.domain > 186.14.xx.xx.32770: 44669 2/13/3 
 CNAME nsone.netgear.com., A 209.249.181.21 (343)
 12:54:28.381638 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 44669+ A? 
 time-b.netgear.com. (36)
 12:54:28.381693 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 62683+ A? 
 time-b.netgear.com. (36)
 12:54:28.381745 IP 186.14.xx.xx.32770 > inter.net.ve.domain: 50898+ A? 
 time-b.netgear.com. (36)
 12:54:28.381869 IP inter.net.ve.domain > 186.14.xx.xx.32770: 44669 2/13/3 
 CNAME nsone.netgear.com., A 209.249.181.21 (343)
 12:54:28.382011 IP inter.net.ve.domain > 186.14.xx.xx.32770: 62683 2/13/3 
 CNAME nsone.netgear.com., A 209.249.181.21 (343)
 12:54:28.382058 IP inter.net.ve.domain > 186.14.xx.xx.32770: 50898 2/13/3 
 CNAME nsone.netgear.com., A 209.249.181.21 (343)
 
 I can't find a way to limit the queries per minute from this customer.
 Is it possible in BIND 9 to filter these queries, to limit the responses?
 
 Thank in advance,
 
 Below, I´ve attached my configuration
 
 OS: ubuntu 11.10
 Bind: 9.7.3.dfsg-1ubuntu4.1
 
 named.conf.options
 
 allow-recursion { corp; };
 allow-query-cache { corp; };
 
 corp : clients.
 
 allow-query { any; };
 clients-per-query 10;
 max-clients-per-query 20;
 blackhole { bogusnets; };
 version "I hope this is a joke !";
 edns-udp-size 512;
 max-udp-size 512;
 recursive-clients 1000;
 max-cache-size 500M;
 tcp-clients 500;
 max-cache-ttl 43200; # 12 Hours
 max-ncache-ttl 900; # 15 min
 
 Saludos,
 
 Atentamente,
 Rafael J. Molina Q.
 www.inter.com.ve
 
 



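
For a flood like the one in this thread (one client, one name, roughly 1000 
queries a minute), the first step is to measure it from the query log rather 
than eyeball tail -f. The following is an added example, not code from the 
thread or from ISC; it parses the "client A.B.C.D#port: query: name class type 
flags (dest)" line format BIND 9.7 writes, as shown in Rafael's log (later 
versions add a view name and other fields, so the regex would need adjusting), 
and runs over a constructed SAMPLE_LOG that uses documentation addresses rather 
than the customer's.

```python
"""Find clients hammering a recursive server with one name, from BIND's
query log.

Added example, not code from the original thread.  LINE_RE matches the
9.7-era query log format quoted in the thread; SAMPLE_LOG is constructed
for this example (192.0.2.x / 198.51.100.x are documentation ranges).
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}):\d{2}\.\d{3} "
    r"client (?P<client>[^#\s]+)#\d+: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<dest>[^)]+)\)$"
)

SAMPLE_LOG = """\
21-Jun-2012 12:50:53.003 client 192.0.2.10#32770: query: time-b.netgear.com IN A + (10.1.0.1)
21-Jun-2012 12:50:53.003 client 192.0.2.10#32770: query: time-b.netgear.com IN A + (10.1.0.1)
21-Jun-2012 12:50:53.008 client 192.0.2.10#32770: query: time-b.netgear.com IN A + (10.1.0.1)
21-Jun-2012 12:50:53.009 client 192.0.2.10#32770: query: time-b.netgear.com IN A + (10.1.0.1)
21-Jun-2012 12:50:53.015 client 192.0.2.10#32770: query: time-b.netgear.com IN A + (10.1.0.1)
21-Jun-2012 12:50:54.100 client 192.0.2.10#32770: query: www.example.com IN A + (10.1.0.1)
21-Jun-2012 12:50:55.200 client 198.51.100.7#5353: query: time-b.netgear.com IN A + (10.1.0.1)
21-Jun-2012 12:51:02.400 client 192.0.2.10#32770: query: time-b.netgear.com IN A + (10.1.0.1)
this line is not a query log line and is skipped
"""


def parse_query_log(text):
    """Yield (minute, client, qname, qtype) for each well-formed line.

    The timestamp is truncated to the minute so repeats can be bucketed;
    qnames are lower-cased because clients vary case (0x20 randomisation)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["client"], m["qname"].lower(), m["qtype"]


def per_minute_counts(records):
    """Count identical (client, qname, qtype) queries within each minute."""
    return Counter((minute, client, qname, qtype)
                   for minute, client, qname, qtype in records)


def top_talkers(records, threshold):
    """Return [(client, qname, qtype, minute, count)] for every client whose
    repeat count for one name within one minute reaches the threshold,
    busiest first.  Tune threshold to your traffic: the thread saw ~1000/min
    for a name with a 30-second-ish TTL, far above any sane client."""
    counts = per_minute_counts(records)
    hits = [(client, qname, qtype, minute, n)
            for (minute, client, qname, qtype), n in counts.items()
            if n >= threshold]
    return sorted(hits, key=lambda h: (-h[4], h[3], h[0]))


if __name__ == "__main__":
    for client, qname, qtype, minute, n in top_talkers(
            parse_query_log(SAMPLE_LOG), threshold=3):
        print(f"{minute} {client} {qname}/{qtype} x{n}")
```

Feed it the real file with parse_query_log(open(path).read()) and a threshold 
tuned to your traffic; the output names the clients to contact or rate-limit. 
The repeated query IDs in the tcpdump excerpt above (16150 sent four times from 
the same source port within a millisecond) are also worth checking on the wire, 
since the query log alone cannot show whether a client is ignoring the answers 
it already received.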

Re: Loaded zone files query

2012-07-10 Thread Fr34k
rndc status

Is this a trick question?





 From: Kirk Hoganson kirkhogan...@gmail.com
To: bind-users@lists.isc.org 
Sent: Tuesday, July 10, 2012 3:22 PM
Subject: Loaded zone files query
 

Does anyone know of a simple way to discover how many zone files bind has 
successfully loaded after the daemon starts?



Re: Loaded zone files query

2012-07-10 Thread Fr34k
Thanks.

There's the named.conf option of zone-statistics yes;
With that enabled, rndc stats will dump all kinds of neat per zone query 
statistics

Not sure what that looks like with incomplete transferred zones mentioned below.

Perhaps OP can explore and tweak to taste.





 From: David Dowdle
Subject: Re: Loaded zone files query
 
Actually, that gives the number of zones it's supposed to be serving. If, 
say, a zone hasn't been transferred yet, it'll still show in status (and 
will authoritatively answer nosuch* for it).

As best as I can tell
number of zones: X
x=number of zones listed in named.conf + any automatically added zones


not quite what he's asking for, but I've not been able to find a better 
answer either.

On Tue, 10 Jul 2012, Fr34k wrote:

 rndc status

 Is this a trick question?




 
 From: Kirk Hoganson
 To: bind-users@lists.isc.org
 Sent: Tuesday, July 10, 2012 3:22 PM
 Subject: Loaded zone files query


 Does anyone know of a simple way to discover how many zone files bind has 
 successfully loaded after the daemon starts?



Re: Delegation bit-rot detection?

2012-06-14 Thread Fr34k
We are exploring similar audits and opportunities for cleanup.

For domains we delegate PTRs, we track NS hostnames (e.g. IN NS  
ns1.bogus.customer.tld) that have gone NXDOMAIN.

If ns1.bogus.customer.tld remains NXDOMAIN for 30+ days, we remove the 
delegation.
The idea behind 30+ days is to allow for a grace period.  Why?  If the domain 
expired and caught the owner by surprise, then 30 days allows time for the 
domain owner to renew before we make any changes (so that we do not waste time 
removing the delegation to only have to reinstate it).

Perhaps a similar approach would be worthwhile for auditing the secondary services.  
That is, parse BIND's config file (source of truth) for all secondary configs, 
run dedicated auditing tests (e.g. AXFR), record the outcomes, and act upon the 
defunct configurations per Policy.

All that said, I am also interested in what others are doing.  I am sure there 
are better methods out there.

Thanks.





 From: Phil Mayers p.may...@imperial.ac.uk
To: bind-users@lists.isc.org bind-users@lists.isc.org 
Sent: Thursday, June 14, 2012 9:19 AM
Subject: Delegation bit-rot detection?
 
All,

Over the years, we have offered DNS secondary services to various 
organisations. Some of those organisations are (ahem) fairly small, and lots 
of the delegations and zone transfers have suffered bit-rot - there are zones 
delegated to us that I have no records on, and certainly can't AXFR from the 
masters (in some cases, the masters answer REFUSED as well).

I'm wondering if anyone knows of a script that will process our logs looking 
for refused queries, and then post-process these by tracing the delegations 
and telling me what the nearest enclosing zone is, the NS records that led 
inbound queries to us, and (if any of the other NS records are responding) the 
SOA.

I could write something, but there are a lot of corner cases, and I'm feeling 
lazy!

OTOH if anyone has any suggestions (other than ignore the refused, which is 
what we're currently doing) for dealing with these kinds of things...

Cheers,
Phil
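
The 30-day grace period described in Fr34k's message maps to a small piece of 
state: the first date each delegated NS hostname was seen NXDOMAIN. The 
following is an added example, not code from the thread; the DNS lookup is 
passed in as a callable so the decision logic runs offline (swap in dig or 
dnspython in production), the state dict is meant to be persisted as JSON 
between daily runs, and the zone and NS names are constructed.

```python
"""Grace-period tracking for delegation NS hostnames that have gone
NXDOMAIN, following the policy described in the post: remove a delegation
only after its NS name has stayed NXDOMAIN for 30+ days.

Added example, not code from the original thread.  `lookup` is injected
(here a dict lookup standing in for a real resolver); `state` maps each NS
hostname to the ISO date it was first seen NXDOMAIN and is meant to be
saved as JSON between runs.  Zone and NS names are constructed.
"""
import datetime
import json

GRACE_DAYS = 30    # from the post: allow the owner time to renew


def days_between(first_iso, today_iso):
    first = datetime.date.fromisoformat(first_iso)
    today = datetime.date.fromisoformat(today_iso)
    return (today - first).days


def audit(delegations, lookup, state, today_iso, grace_days=GRACE_DAYS):
    """Walk every (zone, NS) pair and decide what to do with it.

    delegations: {zone: [ns hostname, ...]} parsed from the parent zone
    lookup(ns):  returns 'NXDOMAIN', 'OK', or 'ERROR' (timeout/SERVFAIL)
    state:       {ns: iso date first seen NXDOMAIN}; updated in place
    Returns [(zone, ns, status, action)] with action one of
    'remove' | 'watch' | 'recovered' | 'skip' | 'none'.
    """
    actions = []
    for zone, nameservers in sorted(delegations.items()):
        for ns in nameservers:
            status = lookup(ns)
            if status == "NXDOMAIN":
                first = state.setdefault(ns, today_iso)
                if days_between(first, today_iso) >= grace_days:
                    action = "remove"
                else:
                    action = "watch"
            elif status == "OK":
                # Owner renewed or fixed it inside the grace period: forget it,
                # so the delegation is kept without anyone reinstating it.
                action = "recovered" if state.pop(ns, None) else "none"
            else:
                # Transient failures must not count toward the grace period,
                # otherwise a flaky resolver could age live delegations out.
                action = "skip"
            actions.append((zone, ns, status, action))
    return actions


def remaining_nameservers(delegations, actions):
    """NS set per zone after applying 'remove'.  A zone left with no NS has
    lost its delegation entirely: review that by hand before editing."""
    removed = {(z, ns) for z, ns, _, a in actions if a == "remove"}
    return {z: [ns for ns in nss if (z, ns) not in removed]
            for z, nss in delegations.items()}


if __name__ == "__main__":
    # Constructed fixture standing in for a real parent zone and resolver.
    delegations = {"2.0.192.in-addr.arpa":
                   ["ns1.bogus.customer.tld", "ns1.good.example"]}
    answers = {"ns1.bogus.customer.tld": "NXDOMAIN", "ns1.good.example": "OK"}
    state = {"ns1.bogus.customer.tld": "2012-05-01"}
    for row in audit(delegations, answers.__getitem__, state, "2012-06-14"):
        print(row)
    print(json.dumps(state))
```

Transient ERROR results deliberately leave the state untouched so a flaky 
resolver cannot age a live delegation toward removal, and an NS that answers 
again is forgotten so a renewed domain needs no manual reinstatement. 
remaining_nameservers() shows which zones would be left with no NS at all, 
which is the case to look at before committing the edit to the parent zone.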

Re: Exclude a domain from DNSSEC validation, like Unbound's domain-insecure.

2012-04-26 Thread Fr34k
Great question (Augie) and great feedback (JP).


As DNSSEC is adopted, some type of mitigation process will be welcomed.
For that reason, I think this is on topic.







 From: Jan-Piet Mens jpmens@gmail.com
To: bind-users@lists.isc.org 
Sent: Thursday, April 26, 2012 2:51 PM
Subject: Re: Exclude a domain from DNSSEC validation, like Unbound's 
domain-insecure.
 
Augie,

 Is there a way to exclude a domain from DNSSEC validation, like
 Unbound's domain-insecure?

That is regrettably not possible at the moment, at least not in BIND
9.9.0.

The only (quite impracticable) workaround would be to define the zone
authoritatively yourself and populate it somehow... (I did say
impracticable, didn't I?)

 For example if a popular site ( say nasa.gov ) updates their keys
 incorrectly so that their domain fails validation, you contact their
 admins. and with a high level of confidence you determine this is a
 configuration mistake and  not a security breach, you can then
 exclude them from DNSSEC validation so your customers can access their
 site while they fix their error.

From a Comcast talk at SATIN 2012 I believe they called that a negative
trust anchor, and IIRC, the author wanted to publish a draft of its
operation. Haven't seen it yet though, and it's probably off topic as
regards BIND.

        -JP

9.9.x Train Inquiry for ISC

2012-04-24 Thread Fr34k
Dear ISC et al.,


Within the last month, we've seen new versions for the 9.8.x, 9.7.x, and 9.6.x 
trains.

http://www.isc.org/software/bind/versions

Should we expect a 9.9.0 update in the near future (e.g., 9.9.1)?
Any status would be appreciated.

Thank you for all your support!

Re: SERVFAIL with ocsp.entrust.net.

2012-04-24 Thread Fr34k
Perhaps provide the ocsp.entrust.net folks 3rd party evaluation tool(s) to 
identify areas of concerns?

For example, here are two:

http://www.dnsvalidation.com/reports/4f96bdec7d79ee78db44

http://www.intodns.com/ocsp.entrust.net
These find more than one critical item to fix.

Why is everyone else in the world getting NOERROR?  In my experience, BIND is 
less forgiving of configuration-related issues than some of its DNS peers out 
there.

Hope this helps.





 From: Bischof, Ralph F. (MSFC-IS40)[NICS] ralph.bisc...@nasa.gov
To: bind-users@lists.isc.org bind-users@lists.isc.org 
Sent: Tuesday, April 24, 2012 10:06 AM
Subject: SERVFAIL with ocsp.entrust.net.
 
Hello,

    I have been trying to find out why my caching servers are giving SERVFAIL 
as an answer for any type of query except for an A record for the domain in 
the subject. Whether I try a , TXT, SOA, PTR, TXT, etc, I get a SERVFAIL 
answer. Yet, it seems that anyone else in the world is getting NOERROR. Now, 
when I direct the query to the Microsoft DNS servers (8.8.8.8), I also get 
NOERROR. I have tried different versions of clients (9.4.3-P5 and 
9.6-ESV-R4-P3) and get the same response, so I do not think that is the issue.

    When I use a 'dig +trace', the end of the chain shows a server that does 
not exist in the last answer consisting of the SOA record. In fact, since 
Sungard is involved, the whole chain makes no sense to me. I have edited out 
the extra stuff, but here is what I try to do.

First, here is the 'dig +trace' with an A query. I left out the list of the 
root and gtld servers. 
[bischrf@nsc1 ~]$ dig +trace ocsp.entrust.net. a
;; Received 300 bytes from 192.149.130.101#53(192.149.130.101) in 0 ms
;; Received 491 bytes from 192.5.5.241#53(f.root-servers.net) in 26 ms

entrust.net.            172800  IN      NS      secondary-ns1.allstream.com.
entrust.net.            172800  IN      NS      secondary-ns2.allstream.com.
entrust.net.            172800  IN      NS      ns1.entrust.net.
entrust.net.            172800  IN      NS      ns2.entrust.net.
;; Received 203 bytes from 192.42.93.30#53(g.gtld-servers.net) in 115 ms

ocsp.entrust.net.       7200    IN      NS      gns1.sungardns.com.
ocsp.entrust.net.       7200    IN      NS      gns2.sungardns.com.
;; Received 85 bytes from 216.13.122.23#53(secondary-ns1.allstream.com) in 120 
ms

ocsp.entrust.net.       30      IN      A       216.191.247.139
;; Received 50 bytes from 207.19.96.22#53(gns1.sungardns.com) in 109 ms

Then a 'dig +trace' looking for the  record.
[bischrf@nsc1 ~]$ dig +trace ocsp.entrust.net. 
;; Received 344 bytes from 192.149.130.101#53(192.149.130.101) in 0 ms
;; Received 491 bytes from 199.7.83.42#53(l.root-servers.net) in 160 ms

entrust.net.            172800  IN      NS      secondary-ns1.allstream.com.
entrust.net.            172800  IN      NS      secondary-ns2.allstream.com.
entrust.net.            172800  IN      NS      ns1.entrust.net.
entrust.net.            172800  IN      NS      ns2.entrust.net.
;; Received 203 bytes from 192.26.92.30#53(c.gtld-servers.net) in 34 ms

ocsp.entrust.net.       7200    IN      NS      gns1.sungardns.com.
ocsp.entrust.net.       7200    IN      NS      gns2.sungardns.com.
;; Received 85 bytes from 216.191.247.202#53(ns2.entrust.net) in 125 ms

entrust.net.            60      IN      SOA    phlig3.oamp.sgns.net. 
hostmaster.phlig3.oamp.sgns.net. 42 10800 3600 604800 60
;; Received 98 bytes from 207.19.96.22#53(gns1.sungardns.com) in 111 ms
NOTE: phlig3.oamp.sgns.net does not exist.
--

Here is the query that works.
[bischrf@nsc1 ~]$ dig ocsp.entrust.net. a

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29329
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; ANSWER SECTION:
ocsp.entrust.net.       24      IN      A       216.191.247.203

;; AUTHORITY SECTION:
ocsp.entrust.net.       1675    IN      NS      gns1.sungardns.com.
ocsp.entrust.net.       1675    IN      NS      gns2.sungardns.com.
---

Now a  query. Note there is no authority.
[bischrf@nsc1 ~]$ dig ocsp.entrust.net. 

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20073
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
--

So now I try to follow the chain. 
1) Query entrust.net. for the NS records. I get 4.
[bischrf@nsc1 ~]$ dig entrust.net. ns

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17958
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4

;; ANSWER SECTION:
entrust.net.            1617    IN      NS      ns2.entrust.net.
entrust.net.            1617    IN      NS      secondary-ns1.allstream.com.
entrust.net.            1617    IN      NS      ns1.entrust.net.
entrust.net.            1617    IN      NS      secondary-ns2.allstream.com.
-

2) I pick one of those and ask for the NS records for 

Re: DNS Amplification Attack Mitigation

2012-03-13 Thread Fr34k
Hello,

Did I miss any feedback on this, or perhaps there isn't any to offer (?)
Thank you.





 From: Fr34k freaknet...@yahoo.com
To: Bindlist bind-us...@isc.org 
Sent: Friday, March 9, 2012 10:30 AM
Subject: DNS Amplification Attack Mitigation
 


All,

I am (we all are (?)) interested in techniques for mitigating DNS 
amplification attacks for both recursive and authoritative BIND servers 
(versions 9.x).


Google found http://www.secureworks.com/research/threats/dns-amplification/ 
and http://www.publicsafety.gc.ca/prg/em/ccirc/2009/av09-011-eng.aspx
which mention limiting clients via ACLs and using additional-from-cache no; 
as mitigation techniques.


Good articles, but written several years ago so there might be additional 
configuration suggestions from the community since 2009.
Are there and, if so, what are they?
Perhaps said another way, what other named.conf settings could we be looking 
at in this effort?


Thank you.


max-cache-ttl usage and best-practices

2012-03-13 Thread Fr34k


Hi All,


I wanted some feedback on max-cache-ttl usage and best-practices, please.


The BIND 9 ARM says:
max-cache-ttl: Sets the maximum time for which the server will cache ordinary
(positive) answers. The default is one week (7 days). A value of zero may cause
all queries to return SERVFAIL, because of lost caches of intermediate RRsets
(such as NS and glue AAAA/A records) in the resolution process.

I was considering changing this setting to something less than the default of a 
week with the following potential positive outcomes in mind:

 1 - mitigating cache abuse (e.g., ghost domains),
 2 - reducing the caching of bad records (e.g., poor hostname migration
     planning on the part of an external party turns into an emergency on our
     part to flush the bad record(s) from the cache),
 3 - or something else others may be using this setting for (?)

Perhaps regardless of the above, anyone have some experiences to share?

Thank you.



ADDITIONAL INFO: 


http://dyn.com/dyn-tech-everything-you-ever-wanted-to-know-about-ttls/
 A good rule of thumb is never have any TTL higher than 1 day as the 
benefits of DNS caching really diminish after that point and it makes 
propagation waits extremely long.


http://en.wikipedia.org/wiki/Time_to_live
 An older common TTL value for DNS was 86400 seconds, which is 24 hours.  
and  Newer DNS methods that are part of a DR (Disaster Recovery) system may 
have some records deliberately set extremely low on TTL. For example a 
300 second TTL...


It would not be fair to exclude the negative aspects of too low a setting.
For example, contributing to cache misses and, thus, a decrease in
performance (a la http://code.google.com/speed/public-dns/docs/performance.html
and, to some extent, the data found in the research for
http://lib.tkk.fi/Diss/2006/isbn9512282151/article2.pdf).


DNS Amplification Attack Mitigation

2012-03-09 Thread Fr34k


All,

I am (we all are (?)) interested in techniques for mitigating DNS amplification 
attacks for both recursive and authoritative BIND servers (versions 9.x).


Google found http://www.secureworks.com/research/threats/dns-amplification/ and 
http://www.publicsafety.gc.ca/prg/em/ccirc/2009/av09-011-eng.aspx
which mention limiting clients via ACLs and using additional-from-cache no; 
as mitigation techniques.


Good articles, but written several years ago so there might be additional 
configuration suggestions from the community since 2009.
Are there and, if so, what are they?
Perhaps said another way, what other named.conf settings could we be looking at 
in this effort?


Thank you.



Re: variable dig results

2012-01-06 Thread Fr34k
I suspect that dig is confused.  Let me explain.


Looks like WHOIS says that these (2) servers are authoritative for this domain:

ns1.thehartford.com.   ['162.136.188.1']   [TTL=172800] 
ns2.thehartford.com.   ['162.136.190.1']   [TTL=172800] 


However, the DNS configuration says something different, which lists these (4) 
servers instead:


hfdns3.thehartford.com  ['162.136.188.3']   [TTL=120] 
hfdns4.thehartford.com  ['162.136.188.4']   [TTL=120] 
simns3.thehartford.com  ['162.136.190.3']   [TTL=120] 
simns4.thehartford.com  ['162.136.190.4']   [TTL=120] 


As one can see, they do not match nor even overlap nor even agree.
Someone needs to decide which servers are really supposed to be authoritative 
for this domain and have alignment in all configurations.

http://www.intodns.com/thehartford.com

Hope this helps.









 From: M. Meadows sun-g...@live.com
To: bind-users bind-users@lists.isc.org 
Sent: Friday, January 6, 2012 8:28 AM
Subject: variable dig results
 

 
 
Wondering why we get variable results from the following command:    dig eftc.thehartford.com
(sometimes we get authority section and additional section feedback ...
sometimes we don't)
 
Usually we see the following:
 
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> eftc.thehartford.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35955
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;eftc.thehartford.com.  IN  A
;; ANSWER SECTION:
eftc.thehartford.com.   120 IN  A   162.136.189.173
;; Query time: 94 msec
;; SERVER: 172.25.17.185#53(172.25.17.185)
;; WHEN: Fri Jan  6 07:23:07 2012
;; MSG SIZE  rcvd: 54

 
But occasionally we see :
 

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> eftc.thehartford.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64958
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
 
;; QUESTION SECTION:
;eftc.thehartford.com.   IN   A
 
;; ANSWER SECTION:
eftc.thehartford.com. 120    IN   A 162.136.189.173
 
;; AUTHORITY SECTION:
thehartford.com. 120    IN   NS  hfdns3.thehartford.com.
thehartford.com. 120    IN   NS  hfdns4.thehartford.com.
thehartford.com. 120    IN   NS  simns3.thehartford.com.
thehartford.com. 120    IN   NS  simns4.thehartford.com.
 
;; ADDITIONAL SECTION:
hfdns3.thehartford.com.   120    IN   A 162.136.188.3
hfdns4.thehartford.com.   120    IN   A 162.136.188.4
simns3.thehartford.com.   120    IN   A 162.136.190.3
simns4.thehartford.com.   120    IN   A 162.136.190.4
 
;; Query time: 52 msec
;; SERVER: 172.25.17.185#53(172.25.17.185)
;; WHEN: Fri Jan  6 00:10:02 2012
;; MSG SIZE  rcvd: 202
 
 
I assume this is due to differences in response from different auth 
nameservers. If that's the case ... what does one have set up to return the 
2nd response?
 
Thanks!
Martin Meadows
 
 

 


Trouble looking up dacspro.com

2011-12-23 Thread Fr34k


Hello,

Having trouble looking up dacspro.com.

This domain has three NS servers, one of which is not responding (ns02) to my 
queries.


dacspro.com.    172800  IN  NS  ns01.gnenc.org.
dacspro.com.    172800  IN  NS  ns02.gnenc.org.
dacspro.com.    172800  IN  NS  ns03.gnenc.org.


That's okay because the others are responding.

However, 9.8.1-P1 seems like it was not trying the other working NS servers 
until after I ran rndc flushname.

Either my understanding of how this should work is flawed, some other force is
at work, or something else.


What am I missing?

Thanks.



Re: Trouble looking up dacspro.com

2011-12-23 Thread Fr34k
Disregard.  PEBKAC issue.
Happy Holidays.

- Original Message -
 From: Fr34k 
 To: Bindlist bind-us...@isc.org
 Cc: 
 Sent: Friday, December 23, 2011 2:09 PM
 Subject: Trouble looking up dacspro.com
 
 
 
 Hello,
 
 Having trouble looking up dacspro.com.
 
 This domain has three NS servers, one of which is not responding (ns02) to my 
 queries.
 
 
 dacspro.com.    172800  IN  NS  ns01.gnenc.org.
 dacspro.com.    172800  IN  NS  ns02.gnenc.org.
 dacspro.com.    172800  IN  NS  ns03.gnenc.org.
 
 
 That's okay because the others are responding.
 
 However, 9.8.1-P1 seems like it was not trying the other working NS servers 
 until after I ran rndc flushname.
 
 Either my understanding of how this should work is flawed, some other force
 is at work, or something else.
 
 
 What am I missing?
 
 Thanks.
 


Re: Question About max-clients-per-query

2011-11-18 Thread Fr34k
Hello,

Read the BIND ARM (Admin Ref. Manual) about these settings, but here is an 
example of what I use:
    clients-per-query 10 ;
    max-clients-per-query 20 ;

http://www.isc.org/software/bind/documentation


Previously, this resource was posted on this list which is good info to have 
when investigating BIND behavior:
https://deepthought.isc.org/article/AA-00341/0

HTH



From: Alan Shackelford ashac...@jhmi.edu
To: bind-users@lists.isc.org bind-users@lists.isc.org
Sent: Friday, November 18, 2011 10:32 AM
Subject: Question About max-clients-per-query

I had a situation a couple of days ago where a compromised machine in the DMZ 
portion of my network began sending an incredible number of queries to a 
couple of the primary internal DNS servers. The traffic was so intense that 
legitimate queries were unable to get through, or the customer timed out 
before the response came back. It took me a while to diagnose, because tailing 
the logs with querylog on was not possible. The data were coming too fast for 
my terminal to display them. Only after several Cntl-C commands was I able to 
escape from the tail, and a portion of the logs was displayed. Only queries 
from the compromised machine were visible. Nothing else got through during 
that time period. My customers and bosses are naturally furious.

So is it possible to limit the number of queries for one name from one client, 
or even better, limit the number in a certain time, or the number of queries 
in a row from one client. If not we are going to have to be creative with 
some iptables or firewall rules.

Thanks for any help you can lend.

Alan V. Shackelford                   Sr. Systems Software Engineer
The Johns Hopkins University and Johns Hopkins Medical Institutions
Baltimore, Maryland USA       410-735-4773        ashac...@jhmi.edu



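The thread above asks for a per-client limit, which clients-per-query does not give (it is keyed on the query, not the client). As an added example, not code from the list or from BIND, here is the detection side: a sliding-window count of queries per client address over querylog lines, so the flooding host Alan describes can be identified before firewall rules are written. The log lines are constructed for the example, laid out in the BIND 9.7 querylog format with print-time stamps.

```python
"""Find clients flooding a BIND resolver, from querylog lines.

Added example (not code from the list thread or from BIND). It counts
queries per client address inside a sliding time window and reports the
addresses whose count reaches a threshold. The log lines below are
constructed; their layout follows the BIND 9.7 querylog format when the
channel has "print-time yes".
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one client (10.1.1.50) is hammering the same name.
SAMPLE_LOG = """\
18-Nov-2011 10:30:00.100 client 10.1.1.50#40001: query: www.example.com IN A + (10.0.0.1)
18-Nov-2011 10:30:00.120 client 10.1.1.50#40002: query: www.example.com IN A + (10.0.0.1)
18-Nov-2011 10:30:00.150 client 10.1.1.7#53011: query: mail.example.com IN MX + (10.0.0.1)
18-Nov-2011 10:30:00.200 client 10.1.1.50#40003: query: www.example.com IN A + (10.0.0.1)
18-Nov-2011 10:30:00.300 client 10.1.1.50#40004: query: www.example.com IN A + (10.0.0.1)
18-Nov-2011 10:30:00.400 client 10.1.1.50#40005: query: www.example.com IN A + (10.0.0.1)
18-Nov-2011 10:30:01.000 client 10.1.1.9#53012: query: intranet.example.com IN A + (10.0.0.1)
18-Nov-2011 10:30:12.000 client 10.1.1.50#40006: query: www.example.com IN A + (10.0.0.1)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for lines that
    are not query log entries (other categories, truncated lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"], m["qname"], m["qtype"]


def flooding_clients(lines, limit=5, window_seconds=10.0):
    """Map client address -> peak number of queries seen inside any
    window_seconds-long window, restricted to clients whose peak reaches
    limit. Lines must be in time order, as a log file is."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        # drop timestamps that have aged out of the window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= limit}


if __name__ == "__main__":
    for ip, n in flooding_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} queries within 10s")
```

On a live server this would read the querylog file instead of SAMPLE_LOG; the threshold and window are tuning knobs, not recommendations.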

Re: DNS Sinkhole in BIND

2011-10-17 Thread Fr34k
http://www.sans.org/reading_room/whitepapers/dns/dns-sinkhole_33523

Perhaps the above link target may help.

Thanks.




From: Lightner, Jeff jlight...@water.com
To: Ryan Novosielski novos...@umdnj.edu; babu dheen babudh...@yahoo.co.in; 
Bind Users Mailing List bind-users@lists.isc.org; c...@cam.ac.uk 
c...@cam.ac.uk
Sent: Monday, October 17, 2011 4:05 PM
Subject: RE: DNS Sinkhole in BIND


  
I’m confused – does the OP want to block or does he want to redirect?
“block/redirect” are two different things.   What I wrote will block.   If he
wants to redirect that’s fine but I don’t think he’d want to redirect to his
real webserver – why send bogus traffic there and also take the risk that
being so directed the bad user will be able to hack?   Dropping the packet in
DNS stops it cold.   (Not saying they can’t get to web servers via legitimate
paths but it appears the OP has known malefactors.)   Is the OP building a
honeypot?
 
 
 


 
From:bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Ryan Novosielski
Sent: Monday, October 17, 2011 3:52 PM
To: babu dheen; Bind Users Mailing List; c...@cam.ac.uk
Subject: Re: DNS Sinkhole in BIND
 
I do this. There may now be a smarter way, but I have a small number so this 
is manageable for me: configure zones for each of the evil zones. Your server 
will appear authoritative and you can direct clients wherever you like. I 
direct some of mine to a virtualhost handing out 503 errors.


-- Sent from my Palm Pre





 
On Oct 17, 2011 13:46, babu dheen babudh...@yahoo.co.in wrote: 
You are absolutely correct Chris. I want to block/redirect all malware domain
requests initiated by clients by setting up a DNS SINKHOLE in a Redhat BIND server.
 


--- On Mon, 17/10/11, 
Chris Thompson c...@cam.ac.uk wrote:

From: Chris Thompson c...@cam.ac.uk
Subject: Re: DNS Sinkhole in BIND
To: Bind Users Mailing List  bind-users@lists.isc.org 
Cc: babu dheen babudh...@yahoo.co.in
Date: Monday, 17 October, 2011, 8:19 PM
On Oct 16 2011, babu dheen wrote:

 Can anyone help me how to setup DNS Sinkhole in BIND on Linux 32 bit 
 edition.

All the replies to this so far seem to assume that he wants to block evil
entities from using his nameservers. But Google seems to suggest that
DNS Sinkhole usually refers to redirecting names that are being used
for evil purposes to e.g. a local monitoring station - not the same thing
at all.

-- Chris Thompson
Email: c...@cam.ac.uk

 
 
 
 
 
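Ryan's approach above (one zone per sunk domain, the server answering as authoritative and pointing clients at a local host) is easy to script from a block list, and the part worth getting right is input validation: a domain name taken from an untrusted feed must not be able to inject named.conf syntax. The following generator is an added example, not code from the thread or from BIND; the sink address, zone file path and SOA values are placeholders chosen for it.

```python
"""Generate BIND sinkhole configuration for a list of malicious domains.

Added example; not code from the list thread or from BIND. One zone stanza
is emitted per domain, all sharing a single zone file in which '@' and '*'
resolve to the sink address, so every name under a sunk domain lands on the
local sink host. Names are validated strictly before they are placed inside
quotes in named.conf. Paths and values below are placeholders.
"""
import re

# one DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name):
    """Strict hostname syntax (no IDN, no underscores): rejects anything that
    could carry quotes, braces, semicolons or whitespace into named.conf."""
    name = name.strip().rstrip(".").lower()
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def sinkhole_zone_file(sink_ip, ttl=60, serial=2011101701):
    """One shared zone file. Every owner name is relative to the zone origin,
    so the same file can be used by all sinkholed zones. A short TTL keeps
    clients from holding on to the sink address once a domain is delisted."""
    return (
        f"$TTL {ttl}\n"
        "@   IN  SOA localhost. hostmaster.localhost. (\n"
        f"            {serial} ; serial\n"
        "            3600       ; refresh\n"
        "            600        ; retry\n"
        "            86400      ; expire\n"
        f"            {ttl} )    ; minimum\n"
        "@   IN  NS  localhost.\n"
        f"@   IN  A   {sink_ip}\n"
        f"*   IN  A   {sink_ip}\n"
    )


def sinkhole_conf(domains, zone_file="/etc/named/sinkhole.db"):
    """named.conf zone stanzas, one per distinct domain, refusing malformed
    input rather than emitting it."""
    stanzas = set()
    for raw in domains:
        name = raw.strip().rstrip(".").lower()
        if not is_valid_domain(name):
            raise ValueError(f"refusing to sinkhole malformed name: {raw!r}")
        stanzas.add(
            f'zone "{name}" {{ type master; file "{zone_file}"; notify no; }};'
        )
    return "\n".join(sorted(stanzas)) + "\n"


if __name__ == "__main__":
    # constructed block list; the domains are placeholders
    print(sinkhole_conf(["evil.example", "botnet-c2.test"]))
    print(sinkhole_zone_file("192.0.2.1"))
```

The generated stanzas would be pulled into named.conf with an include statement, and the zone file written to the path used in the stanzas.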

Re: named crashed (mem.c:1099: INSIST(ctx->stats[i].gets == 0U) failed)

2011-05-05 Thread Fr34k
Hello All,

Thanks Evan.

Should the Community expect a BIND 9.7.3 train update/maintenance release
which, among other things, addresses this mem.c issue?

If so, any ETA?

It is not my intent to sound pushy.  Let me explain.

We were in the process of rolling 9.7.3 out but we stopped figuring a 
maintenance release may be available in the near future.
We have a sense of urgency as 9.7.3 fixes some things broke in 9.7.2-P2; 
however, we'd like to deploy the latest/greatest 9.7 version available.

Alternatively, I would entertain the idea of rolling out an update/maintenance 
release of 9.8 if such an animal may emerge soon.
I mention this in case this is relevant to any recommendations ISC may have.

Thoughts?


Thank you.


- Original Message 
 From: Evan Hunt e...@isc.org
 To: Khuu, Linh   Contractor linh.k...@ssa.gov
 Cc: Bind Users Mailing List bind-users@lists.isc.org
 Sent: Tue, April 12, 2011 10:50:05 AM
 Subject: Re: named crashed (mem.c:1099: INSIST(ctx->stats[i].gets == 0U) failed)
 
   daemon:crit named[221184]: mem.c:1099: INSIST(ctx->stats[i].gets == 0U) failed
   daemon:crit named[221184]: exiting (due to assertion failure)
  
   named restarted fine and running without any problem.  Does anyone have
   any idea why named crashed with these errors??? Is it a bug in bind??
   We're running bind 9.7.3.
 
 Yes, it's definitely a bug (named should never have an assertion failure).
 Please send as much information as you can (named -V output, named.conf,
 logs, etc) to bind9-b...@isc.org.
 
 In this case, that doesn't look like a crash to me, though.  That's the
 error you see when you're shutting down named in the usual way (i.e.,
 kill -INT or rndc stop) and it detects during shutdown that some memory
 had been allocated but not freed.  If you run named with the -m record
 option, it will list in the log exactly where all the unfreed blocks of
 memory had been allocated.  That record-keeping has an impact on
 performance, but it can help a lot with locating the problem.
 
 -- 
 Evan Hunt -- e...@isc.org
 Internet Systems Consortium, Inc.


Re: BIND 9.7 behavior - lack of response causes

2011-04-05 Thread Fr34k


- Original Message 
 From: Mark Andrews ma...@isc.org
 To: Fr34k freaknet...@yahoo.com
 Cc: Bindlist bind-us...@isc.org
 Sent: Mon, April 4, 2011 9:02:35 PM
 Subject: Re: BIND 9.7 behavior - lack of response causes
 
 
 What do you have lame-ttl set to?

I don't.  That is, I don't have lame-ttl explicitly listed in my named.conf.

 
 In message 361220.19486...@web121407.mail.ne1.yahoo.com, Fr34k writes:
  Hello,
  
  Given:  BIND 9.7.2-P2 on Solaris 10.
  
  For about an hour, I had a network event where a caching DNS server could
  not get recursive queries back from authoritative DNS servers on the Internet.
  
  Obviously, this is a problem.
  
  Moreover, the authority for our most popular hostnames has set very low
  TTLs (less than a minute), so nothing in cache for the server to call upon
  during this hour long event.
  
  Yuck.
  
  A snoop of port 53 traffic at the time shows client PCs requested hostname
  resolution -- as they would normally do.
  
  Now, for the interesting part.
  
  From the same snoop of traffic, the caching DNS server did not send ANY
  response back to these PC clients for these low TTL popular hostnames.
  
  Keep in mind that I did snoop until *after* the event started.
  
  So, it may be the case that some BIND mechanism was behaving appropriately
  for queries which it could not act upon.  I can appreciate that BIND makes
  decisions with network performance in mind.
  
  In my attempts to understand negative caching, Sections 7.1 and 7.2 of RFC
  2308 list Server Failure and Dead / Unreachable Server as (OPTIONAL)
  utilities.
  
  Bind 9.7 ARM says that the server stores negative answers for (default) 3
  hours; however, I'm not sure what the expected BIND behavior is.
  
  Would some mechanism, such as max-ncache-ttl or clients-per-query, be
  responsible for this lack of return traffic?
  
  Anyone have ideas to share?
  
  Thank you.
  
 -- 
 Mark Andrews,  ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871  4742 INTERNET: ma...@isc.org
 


BIND 9.7 behavior - lack of response causes

2011-04-04 Thread Fr34k
Hello,

Given:  BIND 9.7.2-P2 on Solaris 10.

For about an hour, I had a network event where a caching DNS server could not 
get recursive queries back from authoritative DNS servers on the Internet.

Obviously, this is a problem.

Moreover, the authority for our most popular hostnames have set very low TTLs 
(less than a minute), so nothing in cache for the server to call upon during 
this hour long event.

Yuck.

A snoop of port 53 traffic at the time shows client PCs requested hostname 
resolution -- as they would normally do.

Now, for the interesting part.

From the same snoop of traffic, the caching DNS server did not send ANY
response back to these PC clients for these low TTL popular hostnames.

Keep in mind that I did snoop until *after* the event started.

So, it may be the case that some BIND mechanism was behaving appropriately for
queries which it could not act upon.  I can appreciate that BIND makes
decisions with network performance in mind.

In my attempts to understand negative caching, Sections 7.1 and 7.2 of RFC 2308
list Server Failure and Dead / Unreachable Server as (OPTIONAL) utilities.

Bind 9.7 ARM says that the server stores negative answers for (default) 3
hours; however, I'm not sure what the expected BIND behavior is.

Would some mechanism, such as max-ncache-ttl or clients-per-query, be
responsible for this lack of return traffic?

Anyone have ideas to share?

Thank you.



Re: Q on clients-per-query, max-clients-per-query

2011-03-24 Thread Fr34k
- Original Message 

 From: Mark Andrews 
 To: Fr34k 
 Cc: Bindlist 
 Sent: Wed, March 23, 2011 9:04:00 PM
 Subject: Re: Q on clients-per-query, max-clients-per-query
 
 
 In message , Fr34k writes:
  Hello,
  
  # The ARM says: #
  clients-per-query, max-clients-per-query
  These set the initial value (minimum) and maximum number of recursive
  simultaneous clients for any given query (qname,qtype,qclass) that the
  server will accept before dropping additional clients. named will attempt
  to self tune this value and changes will be logged.  The default values
  are 10 and 100.
  If clients-per-query is set to zero, then there is no limit on the number
  of clients per query and no queries will be dropped.  If
  max-clients-per-query is set to zero, then there is no upper bound other
  than imposed by recursive-clients.
  
  
  # Consider that I have: #
  clients-per-query 10 ; max-clients-per-query 20 ;
  
  
  # What I think this means in hypothetical situations: #
  1.  If I have 100 customer Windows machines requesting A record(s) for
  non-responsive-domain.com, then my caching server will only recurse the
  first 20 of such requests and drop the other 80.  Is this correct, or what
  is the likely process?
  
  2.  If I have 100 customer Windows machines requesting A record(s) for
  very-slow-to-respond.com, then my caching server will only recurse the
  first 20 of such requests and drop the other 80.  Is this correct, or what
  is the likely process?
  
  Let's say the name servers authoritative for this domain finally respond,
  then my bind server will respond to the 20 queries.
  Is this correct, or what is the likely process?
  
  Now that I have the A record for www.very-slow-to-respond.com in cache (say
  TTL is 24h) and it is likely that the 80 unsatisfied customer Windows
  machines will make another query attempt and, because I have this cached,
  finally get a response.
  Is this correct, or what is the likely process?
  
  It won't hurt my feelings if someone would rather provide a better example
  that may demonstrate how these settings work.
 
 You have an empty cache.  You get a query for google.com.  You send
 a query to the root servers for google.com.  Another query for
 google.com comes in.  You add it to the existing query for google.com.
 You get the answer back from the root servers.  You ask the com
 servers for google.com.  You get another 3 queries for google.com;
 you add these to the original query.  You get a response from the
 com servers.  You ask the google.com servers for google.com.  You
 get more queries for google.com.  You get an answer back from the
 google.com servers and you send the answers back to all the clients
 that asked you for google.com.  Future queries for google.com will
 be answered from the cache until the record expires.
 
 Now if more than 10 clients ask you for google.com while this is
 happening you will just drop the new clients (they should retry).
 Named will remember that it dropped clients and as it got an answer
 it will increase the number of clients that it serves for the next
 query.  It's a little more complicated than this but this will do
 for this explanation.  This lets named adjust to the normal query
 rate and how far it is from the usual nameservers it talks to round
 trip wise.  This normally takes less than a second.
 
 Now let's say the servers for a zone are unreachable.  Named will
 only queue up 10 clients before it starts dropping them.  This stops
 the recursive client slots all being taken on queries talking to
 these servers.
 
 Similarly, a flash crowd of queries for the same name will be mostly
 dropped until the answer is received.

So, does BIND behave the same whether it is a single PC making 100 queries for
the same record compared to 555 PCs making queries for the same record?
That is, how does BIND treat clients-per-query, max-clients-per-query
differently based upon the query requesters' IP address(es)?

(I want to assume I know the answer, but I have an interesting network event
and I want to be able to understand/communicate the snoop logs we captured)

I'm using 9.7.2-P2, if version is significant.

Thank you.
 
 Mark
 
  Thank you.
  
 -- 
 Mark Andrews,  ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871  4742 INTERNET: 
 
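Mark's walk-through above (coalesce clients on one in-flight question, drop beyond the current limit, answer everyone when the response arrives, then raise the limit) can be followed in code. The model below is an added example, not BIND's code and not from the thread; it keys only on (qname, qtype, qclass) as the quoted ARM text defines the setting, so the source address does not enter into it, and the step by which the limit grows after a spill (+5) is an assumption of the model rather than a documented value.

```python
"""Model of BIND's clients-per-query / max-clients-per-query behaviour.

Added example; not BIND's code and not from the list thread. It follows the
ARM text quoted in the thread: waiting clients are coalesced per
(qname, qtype, qclass); once the current limit is reached, further clients
for the same question are dropped; when the answer arrives every waiting
client is answered and, if clients were dropped meanwhile, the limit is
raised towards max-clients-per-query. The growth step (+5) is an assumption
of this model. Source addresses play no part: the key is the question, so
100 queries from one PC and one query from each of 100 PCs are treated alike.
"""


class Resolver:
    def __init__(self, clients_per_query=10, max_clients_per_query=100):
        self.cpq = clients_per_query
        self.max_cpq = max_clients_per_query
        self.limit = clients_per_query      # current self-tuned limit
        self.inflight = {}                  # question -> list of waiting clients
        self.cache = {}                     # question -> answer rdata
        self.spilled = set()                # questions that dropped a client

    @staticmethod
    def key(qname, qtype, qclass):
        return (qname.lower().rstrip("."), qtype, qclass)

    def query(self, client, qname, qtype="A", qclass="IN"):
        """Returns 'cache', 'queued' or 'dropped' for one incoming query."""
        k = self.key(qname, qtype, qclass)
        if k in self.cache:
            return "cache"
        waiting = self.inflight.setdefault(k, [])
        # clients-per-query 0 disables the limit entirely (ARM text above)
        if self.cpq != 0 and len(waiting) >= self.limit:
            self.spilled.add(k)
            return "dropped"
        waiting.append(client)
        return "queued"

    def answer(self, qname, rdata, qtype="A", qclass="IN"):
        """The authoritative answer arrived: respond to every waiting client,
        cache it, and self-tune the limit if this question spilled."""
        k = self.key(qname, qtype, qclass)
        served = self.inflight.pop(k, [])
        self.cache[k] = rdata
        if k in self.spilled:
            self.spilled.discard(k)
            new_limit = self.limit + 5     # growth step: assumption of the model
            # max-clients-per-query 0 means no upper bound (ARM text above)
            self.limit = new_limit if self.max_cpq == 0 else min(new_limit, self.max_cpq)
        return served


def flash_crowd(n_clients, clients_per_query=10, max_clients_per_query=20):
    """Fr34k's scenario: n_clients ask for the same slow name at once, the
    answer finally arrives, and then every client retries."""
    r = Resolver(clients_per_query, max_clients_per_query)
    name = "www.very-slow-to-respond.com"          # placeholder name from the thread
    first = [r.query(f"pc{i}", name) for i in range(n_clients)]
    served = r.answer(name, "192.0.2.10")           # constructed answer
    retry = [r.query(f"pc{i}", name) for i in range(n_clients)]
    return {
        "queued": first.count("queued"),
        "dropped": first.count("dropped"),
        "served": len(served),
        "cache_hits": retry.count("cache"),
        "limit_after": r.limit,
    }


if __name__ == "__main__":
    print(flash_crowd(100, 10, 20))
```

With the thread's settings the first wave queues 10 clients and drops 90 (not 20/80), the answer serves those 10, and the retries are all cache hits.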


Q on clients-per-query, max-clients-per-query

2011-03-23 Thread Fr34k
Hello,

# The ARM says: #
clients-per-query, max-clients-per-query
These set the initial value (minimum) and maximum number of recursive 
simultaneous clients for any given query (qname,qtype,qclass) that the server 
will accept before dropping additional clients. named will attempt to self tune 
this value and changes will be logged.  The default values are 10 and 100.
If clients-per-query is set to zero, then there is no limit on the number of 
clients per query and no queries will be dropped.  If max-clients-per-query is 
set to zero, then there is no upper bound other than imposed by 
recursive-clients.


# Consider that I have: #
clients-per-query 10 ; max-clients-per-query 20 ;


# What I think this means in hypothetical situations: #
1.  If I have 100 customer Windows machines requesting A record(s) for
non-responsive-domain.com, then my caching server will only recurse the first 20
of such requests and drop the other 80.  Is this correct, or what is the likely
process?

2.  If I have 100 customer Windows machines requesting A record(s) for
very-slow-to-respond.com, then my caching server will only recurse the first 20
of such requests and drop the other 80.  Is this correct, or what is the likely
process?

Let's say the name servers authoritative for this domain finally respond, then
my bind server will respond to the 20 queries.
Is this correct, or what is the likely process?

Now that I have the A record for www.very-slow-to-respond.com in cache (say TTL
is 24h) and it is likely that the 80 unsatisfied customer Windows machines will
make another query attempt and, because I have this cached, finally get a
response.
Is this correct, or what is the likely process?

It won't hurt my feelings if someone would rather provide a better example that
may demonstrate how these settings work.

Thank you.



Re: [OT] does deliveragent must have a PTR RR

2011-02-01 Thread Fr34k
See RFC1123 and RFC1912 which suggest that legitimate nodes on the Internet
have appropriate forward/reverse DNS entries.

By appropriate, I mean DNS entries which distinguish which hosts are
static/business space from residential/dhcp space.
Reason:  So others on the Internet can make informed decisions on 3rd party
source traffic.
Example:  Email admins seeing SMTP connections from foo.dynamic.bar versus
foo.static.bar.  One of these is most likely abusive.
This is what AOL is doing to protect their customers.





- Original Message 
 From: Mark Andrews ma...@isc.org
 To: Lyle Giese l...@lcrcomputer.net
 Cc: bind-users bind-us...@isc.org
 Sent: Tue, February 1, 2011 12:40:11 AM
 Subject: Re: [OT] does deliveragent must have a PTR RR
 
 
 In message 4d4784c4.2020...@lcrcomputer.net, Lyle Giese writes:
  p...@mail.nsbeta.info wrote:
   Hi list,
   I can't set up a PTR RR for my mailserver's IP.
   Here the main ISPs who are owned by this garbage state charge an expensive
   price to set up a reverse record for a public IP. It's about 30 USD
   each month for each IP.
   But some MTAs do require the peer deliveragent to have a PTR RR, like
   AOL's email systems.
   Is there a special RFC for this requirement?
   Regards.
   Mail Delivery System writes:
   This is the mail system at host mail.nsbeta.info.
   I'm sorry to have to inform you that your message could not
   be delivered to one or more recipients. It's attached below.
   For further assistance, please send mail to postmaster.
   If you do so, please include this problem report. You can
   delete your own text from the attached returned message.
   The mail system
   dono...@beth.k12.pa.us: host mx1.beth.k12.pa.us[209.96.96.11] said:
   450 4.7.1
   Client host rejected: cannot find your reverse hostname, [121.9.221.212]
   (in reply to RCPT TO command)
  I do not believe this to be fully covered in an RFC, but came about as
  Best Practices as we fight SPAM. The best source for the Best Practices
  for this is at http://postmaster.aol.com
 
 And is also against RFC requirements.
 
  Wander through ALL of the pages that this area at AOL has to offer or
  you will miss some important points, like that 12 hrs is considered the
  min TTL for A and PTR records for mail servers. Less than 12 hrs TTL on
  these records is considered by default an indicator of dynamic IP addresses.
 
 You can't infer diddly squat from a TTL.  There are plenty of reasons
 to want a low ttl other than it was assigned dynamically.
 
 * I'm going to renumber my whole network because I'm switching
 ISP's so I've reduced my TTL's to 5 minutes to reduce the impact
 of the renumbering.
 
 * I have a warm spare in a different data center and as most clients
 behave badly when one of the addresses is unreachable I only advertise
 one address.
 
 More stupid unrealistic hoops to jump through.
 
 Mark
 -- 
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: out of place mx records.

2010-10-28 Thread Fr34k




- Original Message 
 From: Mark Andrews ma...@isc.org
 To: Barry Margolin bar...@alum.mit.edu
 Cc: comp-protocols-dns-b...@isc.org
 Sent: Thu, October 28, 2010 9:49:46 PM
 Subject: Re: out of place mx records.
 
 
 In message barmar-ed15c5.21262028102...@news.eternal-september.org, Barry
 Margolin writes:
  In article mailman.585.1288263412.555.bind-us...@lists.isc.org,
   Tony Finch d...@dotat.at wrote:
  
   On Thu, 28 Oct 2010, Gregory Machin wrote:
   
    My question is why would "IN MX 10 mcvpemr01" and "IN MX 10 mcvpemr02"
    be repeated through the zone file; surely this is redundant?
   
   Some hostmasters like to ensure that mail is not directed to hosts that do
   not listen on SMTP. They prefer misdirected mail to be rejected
   immediately rather than waiting days for the sending system to time out.
   Some of my colleagues have this setup on the zones they manage
   (eng.cam.ac.uk and cl.cam.ac.uk).
  
  But configuring MX records won't necessarily accomplish this.  It will
  cause mail for all these hosts to be delivered to mcvpemr01 or mcvpemr02.
 
 And they can do an SMTP-level rejection rather than waiting for the
 sending server to abandon sending the email due to multiple timeouts.
 Just return 550 for all mail directed to users at those hosts.  It
 would be nice if we could standardise a MX target of "." as saying
 that this domain doesn't accept email, e.g. "MX 0 .", the same way
 as "SRV 0 0 0 ." means that there is no service for the named
 protocol.  That way the sending MTA or the MSA can reject the email.
 
 

Hello,

Is there an advantage to process email just to have the destination MX reject 
it?

Why not use  IN MX 100 localhost so the email doesn't even leave the source?

Or, am I confused?


 Every time it gets suggested people shoot it down worrying about
 private nets that have addresses at . or get worried about thousands
 of machines making A/AAAA queries for . where the MTA doesn't
 check that the MX target is a valid host name.
 
 Mark
 -- 
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117,  Australia
 PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
 ___
 bind-users  mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
 


Re: Notice regarding BIND 9.7.2

2010-09-28 Thread Fr34k
I was about to ask again, but figured I had better check isc.org first.

Behold:

http://www.isc.org/software/bind/972-p2

FYI.
Thanks.



- Original Message 
From: Hauke Lampe la...@hauke-lampe.de
To: Larissa Shapiro laris...@isc.org; bind-us...@isc.org
Sent: Mon, September 27, 2010 1:07:39 PM
Subject: Re: Notice regarding BIND 9.7.2



 Were there ... more information on these developments early next week?

I was just about to ask the same question. ;)

I noticed the absence of 9.7.2 on ftp.isc.org, read the announcement here a day 
later and rolled back my 9.7.2rc1 servers to 9.7.1-P2.

It would be good to know the nature of the bug, though. The complete removal of 
9.7.2* from the ftp site left me a bit worried.


Hauke.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



Re: Notice regarding BIND 9.7.2

2010-09-27 Thread Fr34k
Hello,

Were there ... more information on these developments early next week?

My apologies if I missed them.

Thank you.




- Original Message 
From: Larissa Shapiro laris...@isc.org
To: bind-us...@isc.org
Sent: Sun, September 19, 2010 5:54:15 PM
Subject: Notice regarding BIND 9.7.2

Dear User Community,

ISC has learned of a late-breaking bug in the BIND 9.7.2 code base, so
we have removed it from our website and ftp site as it is not currently
recommended for deployment. BIND 9.7.1-P2 is our current recommended
release for Production. We will provide more information on these
developments early next week, as soon as they are available.

Larissa Shapiro
ISC Product Manager
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



Re: bind multi-threaded question

2010-04-28 Thread Fr34k
Hello,

http://en.wikipedia.org/wiki/Process_%28computing%29 may help to explain what 
is going on.

HTH







From: max power el_shersh...@hotmail.com
To: bind-users@lists.isc.org
Sent: Wed, April 28, 2010 4:38:06 AM
Subject: bind multi-threaded question

Hi
I am deploying a new DNS server using BIND 9.7.0-P1, the latest version.
I am running BIND in a chroot jail; everything is working fine.
When I use the command rndc status I get the following:
CPUs found: 8
worker threads: 8
This is the right info. However, when I try ps aux | grep named
I only get one bind process?
Multi-threading was enabled at compile time, but should I find 8 processes when
doing the ps command, or is that normal?
How can I be sure that bind is using 8 threads?

thanks in advance


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Apparent BIND problem doing RBL lookups for Postfix

2010-04-15 Thread Fr34k
Hello,

Looks like NXDOMAIN can be one of the responses.
http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage#252

That said, I think it is working correctly (a la 
name=33.229.242.205.zen.spamhaus.org type=A: Host not found, try again).
However, perhaps tweak the number of queries so that the MTA doesn't waste too 
many cycles on RBL lookups which are NXDOMAIN.

Or, I may be missing something. I'm not an MTA guru, but I know sendmail more 
than I know Postfix.

Hope this helps.




- Original Message 
From: listserv.traf...@sloop.net listserv.traf...@sloop.net
To: bind-users@lists.isc.org
Sent: Wed, April 14, 2010 8:33:55 PM
Subject: Apparent BIND problem doing RBL lookups for Postfix

My apologies if I'm posting the wrong place, or am asking a common
question. All my looking so far hasn't turned up anything very useful
in knowing what to look at, or what to modify.

---
CentOS 5, running BIND 9.3.6
i386

Hardware:
P4, 2.8Ghz, 1G memory
Sata drives - non mirrored etc.

Load is light, usually under 0.1

--
This box is running Postfix as our mail server. BIND (9.3.6) [Latest.]

--
Problem:
Postfix is doing RBL lookups on zen.spamhaus.org.
Everything goes along groovy - but then lookups start failing.

Early in the process, we get stuff like this: [We have a successful
lookup, and then a failure...]
---
Apr 14 14:25:05 mail postfix/smtpd[22281]: NOQUEUE: reject: RCPT from 
bzq-79-183-5-119.red.bezeqint.net[79.183.5.119]: 554 5.7.1 Service unavailable; 
Client host [79.183.5.119] blocked using zen.spamhaus.org; 
from=contriveclau...@royalmoore.com to=contriveclau...@royalmoore.com 
proto=SMTP helo=bzq-79-183-5-119.red.bezeqint.net

Apr 14 14:25:07 mail postfix/smtpd[22804]: warning: 
33.229.242.205.zen.spamhaus.org: RBL lookup error: Host or domain name not 
found. Name service error for name=33.229.242.205.zen.spamhaus.org type=A: Host 
not found, try again
---
As you can see, we had a lookup succeed and then just right after, one fail - 
claiming it got no answer from BIND. I get others after this that SUCCEED - so 
it's not in 100% failure mode yet.
After time [how much, I don't know] eventually all the zen queries
[or most all] fail.

A bind restart fixes the problem. [Hmmm...]

---
I do some logging in bind, and I don't see any reason for them to fail. Here's 
a bind debug log of 5 on that failure above.

---
14-Apr-2010 14:24:57.654 queries: info: client 127.0.0.1#42018: query: 
33.229.242.205.zen.spamhaus.org IN A +
14-Apr-2010 14:24:57.654 security: debug 3: client 127.0.0.1#42018: query 
(cache) '33.229.242.205.zen.spamhaus.org/A/IN' approved
14-Apr-2010 14:24:57.654 resolver: debug 1: createfetch: 
33.229.242.205.zen.spamhaus.org A
14-Apr-2010 14:24:57.654 resolver: debug 3: fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A'): create
14-Apr-2010 14:24:57.654 resolver: debug 3: fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A'): join
14-Apr-2010 14:24:57.654 resolver: debug 3: fetch 0x94a0b20 (fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A)): created
14-Apr-2010 14:24:57.655 resolver: debug 3: fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A'): start
14-Apr-2010 14:24:57.655 resolver: debug 3: fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A'): try
14-Apr-2010 14:24:57.655 resolver: debug 3: fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A'): cancelqueries
14-Apr-2010 14:24:57.655 resolver: debug 3: fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A'): getaddresses
14-Apr-2010 14:24:57.655 resolver: debug 3: fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A'): query
14-Apr-2010 14:24:57.655 resolver: debug 3: resquery 0x940ec38 (fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A)): send
14-Apr-2010 14:24:57.655 resolver: debug 3: resquery 0x940ec38 (fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A)): sent
14-Apr-2010 14:24:57.655 resolver: debug 3: resquery 0x940ec38 (fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A)): udpconnected
14-Apr-2010 14:24:57.655 resolver: debug 3: resquery 0x940ec38 (fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A)): senddone
14-Apr-2010 14:24:59.657 resolver: debug 3: fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A'): timeout
14-Apr-2010 14:24:59.657 resolver: debug 3: fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A'): cancelquery
14-Apr-2010 14:24:59.657 resolver: debug 3: fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A'): try
14-Apr-2010 14:24:59.657 resolver: debug 3: fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A'): query
14-Apr-2010 14:24:59.657 resolver: debug 3: resquery 0x940ec38 (fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A)): send
14-Apr-2010 14:24:59.657 resolver: debug 3: resquery 0x940ec38 (fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A)): sent
14-Apr-2010 14:24:59.657 resolver: debug 3: resquery 0x940ec38 (fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A)): udpconnected
14-Apr-2010 14:24:59.657 resolver: debug 3: resquery 0x940ec38 (fctx 
0x932e140(33.229.242.205.zen.spamhaus.org/A)): senddone

Re: Bind Clustering

2010-04-08 Thread Fr34k
Hello,

We used rsync to copy our master/primary data to the secondary servers.

Using some script magic, the primary is still the master (via named.conf) 
since, as with most DBs, there can only be one source of truth.
However, the secondary servers were almost mirror copies of the primary. Only 
difference was their slave designation as defined in named.conf

We never had a primary failure, but if we did minor script/named.conf changes 
would have made any of the secondary servers the new primary.

Depending upon the environment, risk, needs, and hardware -- one could create 
such clusters.
Furthermore, introduce load-balancers to mask the clusters.

http://en.wikipedia.org/wiki/Rsync

HTH




- Original Message 
From: Arnoud Tijssen atijs...@ram.nl
To: bind-users@lists.isc.org bind-users@lists.isc.org
Sent: Thu, April 8, 2010 7:18:33 AM
Subject: Bind Clustering

We use bind for DNS.
At the moment we have one primary server that delegates updates to its two 
slave servers.

Since everything nowadays is dependent on DNS I would like to cluster my 
primary server in case of a hardware failure or error.

So, how do I set up two primary bind servers that keep each other in sync one 
way or the other?
I've been surfing the internet, but couldn't find any satisfactory solution.

Any help is greatly appreciated.
Arnoud
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



Re: Using an MX record from a different domain

2010-03-30 Thread Fr34k
Hello,

named-checkzone is warning you that the MX has a different FQDN than the zone 
it is in.
This is fine so long as the out of zone MX record is valid, but 
named-checkzone wants you to know that it can't verify for sure.
So, it is a heads up message and why the ultimate response is OK.

I could be missing something else, but it looks okay to me.

It might make sense to lower the TTL, test, verify, then restore the TTL once 
the change has been blessed.
The intent here being that with a sufficiently low TTL, one could make 
adjustments without waiting 7200 each time.

Hope this helps.





From: Lear, Karen (Evolver) karen.l...@uspto.gov
To: bind-users@lists.isc.org bind-users@lists.isc.org
Sent: Tue, March 30, 2010 4:57:58 PM
Subject: Using an MX record from a different domain 

  
 
I'm adding a new domain to my existing authoritative name
servers, and need to add an MX record for a device residing on existing
domain.  When I run named-checkzone, I get a message about the MX record
being out of zone and not having an A record.  However, at the end of my
named-checkzone output, I get OK.  Can I restart named as is
without causing problems or do I need to address these messages?
 
[kl...@dns1 conf]$ sudo named-checkzone -t /dns/chroot/conf -D usptoenews.gov db.usptoenews
zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge1.uspto.gov' (out of zone) has no addresses records (A or AAAA)
zone usptoenews.gov/IN: usptoenews.gov/MX 'smtpedge2.uspto.gov' (out of zone) has no addresses records (A or AAAA)
zone usptoenews.gov/IN: loaded serial 2010033000
usptoenews.gov.             7200 IN SOA  dns1.uspto.gov. nmb.uspto.gov. 2010033000 10800 3600 604800 86400
usptoenews.gov.             7200 IN NS   dns1.uspto.gov.
usptoenews.gov.             7200 IN NS   dns2.uspto.gov.
usptoenews.gov.             7200 IN MX   5 smtpedge1.uspto.gov.
usptoenews.gov.             7200 IN MX   5 smtpedge2.uspto.gov.
dns1.usptoenews.gov.        7200 IN A    151.207.240.50
dns2.usptoenews.gov.        7200 IN A    151.207.246.51
enews.usptoenews.gov.       7200 IN A    151.207.244.68
localhost.usptoenews.gov.   7200 IN A    127.0.0.1
OK
 
 
Karen Lear
Evolver EUS - Network Operations
Phone:  571-272-5314
email:   karen.l...@uspto.gov
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
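As an added illustration (not BIND's code and not part of the thread), here is the MX/address consistency check that produces the warnings Karen saw, written to show why named-checkzone still ends with OK: an out-of-zone MX target it cannot verify only gets a warning, whereas an in-zone target with no A/AAAA record is an error (the check named's check-integrity applies). The zone text is constructed from the thread's dump, with one extra in-zone target (relay.usptoenews.gov.) added to show the error case; it assumes the one-record-per-line format that named-checkzone -D prints.

```python
"""Re-creation of named-checkzone's MX check (added example, not BIND's own code)."""
from typing import List, Set, Tuple

Record = Tuple[str, str, List[str]]  # (owner FQDN, rtype, rdata fields)

# Constructed zone modelled on the thread's named-checkzone -D output. The
# relay.usptoenews.gov. MX target is constructed to exercise the in-zone case.
ZONE_ORIGIN = "usptoenews.gov."
ZONE_TEXT = """\
usptoenews.gov.        7200 IN SOA dns1.uspto.gov. nmb.uspto.gov. 2010033000 10800 3600 604800 86400
usptoenews.gov.        7200 IN NS  dns1.uspto.gov.
usptoenews.gov.        7200 IN NS  dns2.uspto.gov.
usptoenews.gov.        7200 IN MX  5 smtpedge1.uspto.gov.
usptoenews.gov.        7200 IN MX  5 smtpedge2.uspto.gov.
usptoenews.gov.        7200 IN MX  10 relay.usptoenews.gov.
dns1.usptoenews.gov.   7200 IN A   151.207.240.50
dns2.usptoenews.gov.   7200 IN A   151.207.246.51
enews.usptoenews.gov.  7200 IN A   151.207.244.68
"""


def qualify(name: str, origin: str) -> str:
    """Turn a relative or '@' owner/target into a lower-case FQDN under origin."""
    name = name.lower()
    origin = origin.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> List[Record]:
    """Parse the 'owner TTL class type rdata...' lines that named-checkzone -D prints."""
    records: List[Record] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        owner, _ttl, _cls, rtype, *rdata = fields
        records.append((qualify(owner, origin), rtype.upper(), rdata))
    return records


def in_zone(name: str, origin: str) -> bool:
    origin = origin.lower()
    return name == origin or name.endswith("." + origin)


def check_mx(records: List[Record], origin: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): in-zone MX targets without A/AAAA are errors,
    out-of-zone ones cannot be verified from this zone and are only warned about."""
    origin = origin.lower()
    has_addr: Set[str] = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    errors: List[str] = []
    warnings: List[str] = []
    for owner, rtype, rdata in records:
        if rtype != "MX":
            continue
        target = qualify(rdata[1], origin)  # rdata = [preference, exchange]
        if target in has_addr:
            continue
        if in_zone(target, origin):
            errors.append(f"{owner}/MX '{target}' has no address records (A or AAAA)")
        else:
            warnings.append(f"{owner}/MX '{target}' (out of zone) has no address records (A or AAAA)")
    return errors, warnings


def zone_status(text: str = ZONE_TEXT, origin: str = ZONE_ORIGIN) -> Tuple[bool, List[str], List[str]]:
    """True (OK) when no integrity errors were found; warnings never fail the zone."""
    errors, warnings = check_mx(parse_zone(text, origin), origin)
    return not errors, errors, warnings


if __name__ == "__main__":
    ok, errors, warnings = zone_status()
    for line in errors + warnings:
        print(line)
    print("OK" if ok else "zone has integrity errors")
```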

Re: Reverse DNS on a /27 delegation and zone files

2010-03-29 Thread Fr34k
Hello,

Sufficient resources on the Internet may be helpful.

For example, http://www.indelible.org/ink/classless/

Searching for RFC2317 or classless in-addr.arpa delegation may result in 
additional references.

Hope this helps.


- Original Message 
From: Alex mysqlstud...@gmail.com
To: bind-users@lists.isc.org
Sent: Sun, March 28, 2010 9:52:38 PM
Subject: Re: Reverse DNS on a /27 delegation and zone files

Hi,

To follow up with my own email, I found a mistake that I made and have corrected it.

 Do I also need to provide PTR records for these name servers? If so,
 how can I modify my reverse zone file to include that information? My

It seems I do need to provide PTR records. I confused the CNAMEs that
my provider creates with the PTRs that I create.

I'd still be interested in knowing:

 zone 0/27.yy.3.64.in-addr.arpa {

 On a somewhat-related note, does bind-v9.4.2 support the '-' zone
 syntax notation? I was getting bad data (check-names) (from memory)

Was there a change between 9.4.2 and the current that provided the
ability to use the hyphens versus the slash as a subnet separator?

Does anyone know if this format is documented well in O'Reilly's
DNS & BIND v5? Do you know up to what specific version it's applicable,
or perhaps even if it's current?

Thanks again,
Alex
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



Re: what is a SPF (type 99) record and how do I implement?

2010-03-24 Thread Fr34k
http://www.openspf.org/ is pretty good.
Not only does it build the file for you, but it can test your live record.






From: Security Admin (NetSec) secad...@netsecdesign.com
To: bind-users@lists.isc.org bind-users@lists.isc.org
Sent: Wed, March 24, 2010 4:26:46 PM
Subject: RE: what is a SPF (type 99) record and how do I implement?

  
Correction.  I found many
sites which discuss what it is, but none that explicitly tell me how to
implement in my hosts file.
 
If the below implementation is
correct, let me know.
 
Thanks again in advance!!
 
Edward Ray
 
From: Baird, Josh [mailto:jba...@follett.com] 
Sent: Wednesday, March 24, 2010 11:55 AM
To: Security Admin (NetSec); bind-users@lists.isc.org
Subject: RE: what is a SPF (type 99) record and how do I implement?
 
You struggled to find anything
about SPF?
 
http://www.zytrax.com/books/dns/ch9/spf.html
 
Josh
 
From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf Of 
Security Admin (NetSec)
Sent: Wednesday, March 24, 2010 1:54 PM
To: bind-users@lists.isc.org
Subject: what is a SPF (type 99) record and how do I implement?
 
Struggled to find anything explicit on this subject via
google to no avail.  Best Explanation I could find was 
http://www.enyo.de/fw/software/exim/spf-update.html#6
 
Currently hosts file looks like:
 
 
Mydomain.com       172800  IN TXT  v=spf1 mx -all
Mydomain.com       172800  IN SPF  v=spf1 mx -all
Mydomain.com       172800  IN MX   10 Mail.Mydomain.com
Mail.Mydomain.com  172800  IN A    vvv.xxx.yyy.zzz
 
 
Is this correct?  FYI not using DNSSEC
 
Thanks in advance!
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: blackhole'd IP receiving referral?

2009-12-19 Thread Fr34k
Hello,

Chris, I believe you are correct. That is, blackhole applies to the sending of 
queries in addition to the receiving of queries.

Let me explain.

I discovered this the hard way. I had a /24 in the blackhole because it 
contained abusive clients. Within this /24 sat two legitimate authoritative 
name servers (ANS). Our clients could not get responses from these ANS servers 
because they were within the /24 blackhole.

The solution was to make an exception for these two ANS servers. This is fine 
in that the blackhole function is doing its job well!
However, we have a few /16s among our blackhole networks and to manage an 
exception list of legitimate ANS servers contained within will be unmanageable.

So, how to stop the abuse without impacting legitimate client queries?

I think the solution here would be to permit allow-recursion { mynets; } 
clients to query and get responses from blackhole { badnets; } networks in 
some way.
Does such a solution, or equivalent, exist? If so, can someone share?

Otherwise, I'll buy a case of beer for the BIND developer that builds this 
functionality into 9.6.x, or greater.
NOTE: I would prefer that a new type of ACL be created for this solution. Say, 
call it greyhole, because blackhole does such a great job of dumping ALL 
traffic when needed.

Thanks.



- Original Message 
From: Chris Buxton cbux...@menandmice.com
To: lcon...@go2france.com
Cc: bind-users@lists.isc.org
Sent: Fri, December 18, 2009 5:33:22 PM
Subject: Re: blackhole'd IP receiving referral?

On Dec 18, 2009, at 12:33 PM, Len Conrad wrote:
 bind 9.6.1-P1
 
 named-checkconf /etc/namedb/named.conf
 ... ok
 
 (in global options)
 
 options {
 allow-recursion {  mynets; };
 blackhole   { !mynets; };
 };

I could be wrong, but wouldn't that be:

blackhole{ ! mynets; any; };

? To my understanding, without the any item, the ACL doesn't match anything 
at all - no IP is blackholed.

Of course, if you blackhole anything not local, your server will not be able to 
recurse out to the Internet - blackhole applies to the sending of queries in 
addition to the receiving of queries. I believe you will need to settle for 
allow-query instead of blackhole. Something like this:

options {
allow-query { mynets; };
};

Again, I could be wrong, but I don't think allow-recursion is needed in this 
case.

Chris Buxton
Professional Services
Men & Mice

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

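To make the ACL semantics in this exchange concrete, here is an added evaluator (not BIND's code) that applies BIND's address-match-list rules: elements are tried in order, the first match decides, a matching negated element yields "no match", and a list in which nothing matches does not match at all. It shows why `blackhole { !mynets; };` drops nobody, what `{ !mynets; any; }` does instead, and how Fr34k's per-ANS exception list works. The ACL names and the RFC 5737/3849 documentation prefixes are constructed for the example.

```python
"""Evaluate BIND-style address match lists (added illustration, not BIND's own code)."""
import ipaddress
from typing import Dict, List

# Constructed ACL definitions; documentation prefixes stand in for real networks.
ACLS: Dict[str, List[str]] = {
    "mynets": ["192.0.2.0/24", "2001:db8:1::/48"],
    "badnets": ["203.0.113.0/24"],
    "ans-exceptions": ["203.0.113.10", "203.0.113.11"],  # legitimate ANS inside badnets
}


def acl_matches(elements: List[str], addr: str, acls: Dict[str, List[str]] = ACLS) -> bool:
    """Return True when the list matches addr under BIND's rules.

    Elements are tried in order and the first one that matches decides. A
    negated element ("!x") that matches yields "no match". A nested ACL only
    counts when it matches positively (a negated match inside it is treated as
    no match). If no element matches, the list does not match, which is why
    { !mynets; } never blackholes anyone.
    """
    ip = ipaddress.ip_address(addr)
    for raw in elements:
        negated = raw.startswith("!")
        element = raw.lstrip("!").strip()
        if element == "any":
            hit = True
        elif element == "none":
            hit = False
        elif element in acls:
            hit = acl_matches(acls[element], addr, acls)
        else:
            # ipaddress returns False for a v4/v6 family mismatch, as BIND does.
            hit = ip in ipaddress.ip_network(element, strict=False)
        if hit:
            return not negated
    return False


# The three blackhole lists discussed in the thread.
ORIGINAL = ["!mynets"]                            # matches nothing at all
CORRECTED = ["!mynets", "any"]                    # everyone except mynets; server can no longer recurse
WITH_EXCEPTIONS = ["!ans-exceptions", "badnets"]  # exempt known-good ANS, then drop the abusive range


def blackhole_report(addrs: List[str]) -> Dict[str, Dict[str, bool]]:
    """For each address, say whether each blackhole list would drop its traffic."""
    return {
        addr: {
            "original": acl_matches(ORIGINAL, addr),
            "corrected": acl_matches(CORRECTED, addr),
            "with_exceptions": acl_matches(WITH_EXCEPTIONS, addr),
        }
        for addr in addrs
    }


if __name__ == "__main__":
    for addr, verdicts in blackhole_report(["192.0.2.5", "203.0.113.10", "203.0.113.99"]).items():
        print(addr, verdicts)
```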


BIND 9.x and hint file

2009-08-31 Thread Fr34k
Hi All,

I thought with some version of BIND 9, one no longer needed a root hints file.
I can't recall the details and my google searches are finding how to set up a 
hints file (instead of suggesting this is, say, deprecated).

Can someone shed some light on this?

Thanks

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: BIND 9.x and hint file

2009-08-31 Thread Fr34k
That's exactly what I was recalling -- thanks for your time and response Mr. 
Reed.



- Original Message 
From: Jeremy C. Reed jr...@isc.org
To: Fr34k freaknet...@yahoo.com
Cc: Bindlist bind-us...@isc.org
Sent: Monday, August 31, 2009 12:37:05 PM
Subject: Re: BIND 9.x and hint file

On Mon, 31 Aug 2009, Fr34k wrote:

 I thought with some version of BIND 9, one no longer needed a root hints 
 file.
 I can't recall the details and my google searches are finding how to set 
 up a hints file (instead of suggesting this is, say, deprecated).
 
 Can someone shed some light on this?

I am not sure what you are asking for. The ARM documentation says about 
hint zone:

The initial set of root name servers is specified using a hint 
zone. When the server starts up, it uses the root hints to find a 
root name server and get the most recent list of root name 
servers. If no hint zone is specified for class IN, the server 
uses a compiled-in default set of root servers hints.  Classes 
other than IN have no built-in defaults hints.

The CHANGES entry is:

701.   [func]  Root hints are now fully optional.  Class IN
               views use compiled-in hints by default, as
               before.  Non-IN views with no root hints now
               provide authoritative service but not recursion.
               A warning is logged if a view has neither root
               hints nor authoritative data for the root. [RT #696]

(That was in 9.2.0.)

The built-in hints are in the source code at ./lib/dns/rootns.c

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: BIND 9.x and hint file

2009-08-31 Thread Fr34k
Thank you Chris! This is what I was looking for.



- Original Message 
From: Chris Thompson c...@cam.ac.uk
To: Fr34k freaknet...@yahoo.com
Cc: Bind Users Mailing List bind-users@lists.isc.org
Sent: Monday, August 31, 2009 12:33:57 PM
Subject: Re: BIND 9.x and hint file

On Aug 31 2009, Fr34k wrote:

I thought with some version of BIND 9, one no longer needed a root hints file.
I can't recall the details and my google searches are finding how to set up a
hints file (instead of suggesting this is, say, deprecated).

Can someone shed some light on this?

BIND has had a compiled-in hints file (for class IN) that it will use if
none is provided via the configuration file, since (I think) 9.2.0. Anyway,
if you are still running any version that doesn't have it, you have worse
problems.

Of course, an old version of BIND may have an out-of-date compiled-in hints
file. Usually this doesn't matter too much. There will be warnings logged 
if BIND finds that what it gets from the root servers doesn't match what is
in the hints file (whether compiled-in or externally-provided), and it will
subsequently believe the former.

Of course, you need an external hints file if you are using a fake root for
a network isolated from the Internet. Otherwise, it's largely a matter of
taste. Personally, I prefer to keep one in my configurations for the small
amount of extra flexibility that provides.

-- 
Chris Thompson
Email: c...@cam.ac.uk

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: about tcp port 53

2009-07-29 Thread Fr34k

Hello,

Doing a search on this at www.google.com offers this first link:

http://www.tcpipguide.com/free/t_DNSMessageGenerationandTransport-2.htm

HTH



- Original Message 
From: Tech W. tech...@yahoo.com.cn
To: Stephane Bortzmeyer bortzme...@nic.fr
Cc: bind-users@lists.isc.org
Sent: Wednesday, July 29, 2009 12:35:31 AM
Subject: Re: about tcp port 53






--- On Tue, 28/7/09, Stephane Bortzmeyer bortzme...@nic.fr wrote:

 
  what's the use of bind's tcp port 53?
 
 DNS requests and responses.
 

oh, I was always thinking DNS requests and responses go over the UDP 
protocol. Under what condition does it use the TCP protocol?


Regards,
Wah.


  

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



Re: Truncated, retrying in TCP on Reverse lookup

2009-07-09 Thread Fr34k

Yeah, and what Kevin said :)

Another example for why friends don't let friends use more than one PTR per IP 
address.



- Original Message 
From: Kevin Darcy k...@chrysler.com
To: bind-us...@isc.org
Sent: Thursday, July 9, 2009 12:35:54 PM
Subject: Re: Truncated, retrying in TCP on Reverse lookup

The SERVFAIL/timeout is probably because the original poster's firewall is 
misconfigured and doesn't allow TCP DNS transactions.

                                                                                
- Kevin

Fr34k wrote:
 Hello,
  As I understand it, there are so many PTRs for that IP address, that DNS 
will change protocol from UDP to TCP.
 So, the message you are getting is informational because of this protocol 
 change.
 See the long list of PTRs below.
  There should be one and only one PTR for that IP.
 Making an SMTP connection to that IP address results in that host saying that 
 it calls itself minserv.co.za
 Therefore, there should be only one PTR for that IP address with that hostname.
  Note that none of the 15 PTRs match this hostname, which is even more silly.
  HTH
 $ host 196.7.126.38
 ;; Truncated, retrying in TCP mode.
 38.126.7.196.in-addr.arpa domain name pointer www.adventureservices.co.za.
 38.126.7.196.in-addr.arpa domain name pointer mail.penoc.org.za.
 38.126.7.196.in-addr.arpa domain name pointer mail.travelsense.net.
 38.126.7.196.in-addr.arpa domain name pointer mail.mantlemapper.com.
 38.126.7.196.in-addr.arpa domain name pointer mail.quintessentia.net.
 38.126.7.196.in-addr.arpa domain name pointer mail.datanetsolutions.co.za.
 38.126.7.196.in-addr.arpa domain name pointer mail.spatialdimension.co.za.
 38.126.7.196.in-addr.arpa domain name pointer mail.spatialwebserver.co.za.
 38.126.7.196.in-addr.arpa domain name pointer mail.spatialwebserver.com.
 38.126.7.196.in-addr.arpa domain name pointer mail.adventureservices.co.za.
 38.126.7.196.in-addr.arpa domain name pointer mail.explorationservices.co.za.
 38.126.7.196.in-addr.arpa domain name pointer spa004-1.cust-gw.za.mtnbusiness.net.
 38.126.7.196.in-addr.arpa domain name pointer www.thewash.co.za.
 38.126.7.196.in-addr.arpa domain name pointer www.gisstaff.co.za.
 38.126.7.196.in-addr.arpa domain name pointer www.cheaprentalcars.co.za.
 telnet 196.7.126.38 25
 Trying 196.7.126.38...
 Connected to 196.7.126.38.
 Escape character is '^]'.
 220 minserv.co.za Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 9 Jul 2009 14:45:58 +0200
 rset
 250 2.0.0 Resetting
 quit
 221 2.0.0 minserv.co.za Service closing transmission channel
 Connection closed by foreign host.
 
  
 
 *From:* Erisan Nyamutenha erisan.nyamute...@uct.ac.za
 *To:* bind-users-requ...@lists.isc.org
 *Cc:* bind-us...@isc.org
 *Sent:* Thursday, July 9, 2009 3:34:09 AM
 *Subject:* Truncated, retrying in TCP on Reverse lookup
 
 Hi All
  In order for my email server to accept mail from an external source, it does 
a reverse lookup on the source. I have email coming from a sender whose IP 
address maps to several hostnames, i.e. there are several PTR records pointing 
to the same IP. When I try to reverse lookup with my own DNS I get the following: 
";;Truncated, retrying in TCP mode", then eventually I get a time out or "server 
can't find 38.126.7.196.in-addr.arpa: SERVFAIL". What could this be?
  
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

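The size calculation behind the "Truncated, retrying in TCP mode" message, as an added example (not from the thread): it assembles the reply for the 15 PTRs above in RFC 1035 wire format, with full name compression, and checks it against the 512-byte UDP payload limit that applies without EDNS. The query name and PTR targets are the thread's; the message ID, flags and TTL are constructed. Even with every shared suffix compressed away the reply does not fit, while a single PTR fits comfortably.

```python
"""Wire-size estimate for a PTR reply (added example; not code from the thread)."""
import struct
from typing import Dict, List

UDP_LIMIT = 512          # RFC 1035 UDP payload limit when EDNS is not in use
TYPE_PTR, CLASS_IN = 12, 1

QNAME = "38.126.7.196.in-addr.arpa."
PTR_TARGETS = [          # the 15 PTRs quoted in the thread
    "www.adventureservices.co.za.", "mail.penoc.org.za.", "mail.travelsense.net.",
    "mail.mantlemapper.com.", "mail.quintessentia.net.", "mail.datanetsolutions.co.za.",
    "mail.spatialdimension.co.za.", "mail.spatialwebserver.co.za.",
    "mail.spatialwebserver.com.", "mail.adventureservices.co.za.",
    "mail.explorationservices.co.za.", "spa004-1.cust-gw.za.mtnbusiness.net.",
    "www.thewash.co.za.", "www.gisstaff.co.za.", "www.cheaprentalcars.co.za.",
]


def encode_name(name: str, offsets: Dict[str, int], pos: int, compress: bool) -> bytes:
    """RFC 1035 wire form of a domain name starting at message offset pos.

    With compress=True, the first suffix already present in the message is
    replaced by a 2-byte pointer (0xC000 | offset) and every new suffix is
    recorded so later names can point at it."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]).lower()
        if compress and suffix in offsets:
            return bytes(out) + struct.pack("!H", 0xC000 | offsets[suffix])
        if compress and pos + len(out) < 0x4000:   # pointers address only 14 bits
            offsets[suffix] = pos + len(out)
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def build_ptr_response(qname: str, targets: List[str], compress: bool = True) -> bytes:
    """Minimal reply: 12-byte header, one PTR question, one PTR answer per target."""
    offsets: Dict[str, int] = {}
    # ID (constructed), flags QR|RD|RA = 0x8180, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(targets), 0, 0))
    msg += encode_name(qname, offsets, len(msg), compress)
    msg += struct.pack("!HH", TYPE_PTR, CLASS_IN)
    for target in targets:
        msg += encode_name(qname, offsets, len(msg), compress)      # owner name
        msg += struct.pack("!HHI", TYPE_PTR, CLASS_IN, 3600)         # type, class, TTL (constructed)
        rdata = encode_name(target, offsets, len(msg) + 2, compress)  # rdata follows RDLENGTH
        msg += struct.pack("!H", len(rdata)) + rdata
    return bytes(msg)


def needs_tcp(message: bytes) -> bool:
    """True when a resolver without EDNS would see TC=1 and retry over TCP."""
    return len(message) > UDP_LIMIT


if __name__ == "__main__":
    one = build_ptr_response(QNAME, PTR_TARGETS[:1])
    full = build_ptr_response(QNAME, PTR_TARGETS)
    print(f"1 PTR : {len(one)} bytes, needs TCP: {needs_tcp(one)}")
    print(f"15 PTR: {len(full)} bytes compressed, "
          f"{len(build_ptr_response(QNAME, PTR_TARGETS, compress=False))} uncompressed, "
          f"needs TCP: {needs_tcp(full)}")
```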


Re: bind 9.6.1 under perform after running for a couple of hours

2009-07-08 Thread Fr34k
Hello,

A few of the default settings changed from 9.4.x to 9.6.x
The appropriate README files, change logs, and BIND ARM will provide details 
about them.

Below are some options and logging configurations you may want to investigate.
Ye Ole Disclaimer: Please be sure to understand what these do and the DNS 
environment these alter before making changes.

options suggestions: (set some limits)
    allow-query { file-a; file-b; };      # Employ ACLs to limit who can query the server
    allow-recursion { file-a; file-b; };  # Employ ACLs to limit recursion - may or may not be
                                          # the same files as in the previous statement
    blackhole { file-c; };                # Employ ACLs to drop abusive queries. Note: This will
                                          # affect legitimate responses from any networks listed,
                                          # too. Keep this in mind.
    recursive-clients X000;               # Understand how many recursive clients the hardware
                                          # should handle at a time
    tcp-clients X00;                      # Understand how many TCP clients should be handled
                                          # at a time.
    clients-per-query X0;                 # Limit the number of clients-per-query. This helps to
                                          # limit bogus queries (especially from malware). We use 10.
    max-clients-per-query X0;             # Same as above. That is, we hard set to deal with bogus
                                          # queries from malware. I believe BIND automagically
                                          # adjusts this by default. We use 20.
    max-cache-size 0;                     # Setting to 0 makes this model older behavior. I believe
                                          # 9.5+ new default is 32MB. Setting to 0 is unlimited,
                                          # if memory serves, and is what we want in our environment.

logging suggestions: (throw away certain things from logging IF you are not 
interested in them)
    channel secure_messages { file "/dev/null"; };  # If null is not understood, one can define
                                                    # it using this method.
    category security { secure_messages; };  # Fancy way of sending these logs to the garbage can
                                             # using the previous definition. Setting ACLs generates
                                             # a lot of log chatter. A good thing while one tweaks
                                             # ACLs to check the logs. Once ACLs are tweaked, no need
                                             # to waste CPU and HDD seek time logging data we no
                                             # longer need = trash can.
    category lame-servers { null; };         # Nice info about lame servers, but since we can't fix
                                             # the Internet = toss to the garbage can for now.
    category edns-disabled { null; };        # Again, nice info about EDNS, but it isn't something
                                             # our environment needs us to act upon at this time =
                                             # trash can for now.

HTH.





From: Imri Zvik im...@inter.net.il
To: bind-users@lists.isc.org
Sent: Wednesday, July 8, 2009 2:24:17 PM
Subject: bind 9.6.1 under perform after running for a couple of hours


Hi,
 
After a couple of hours, performance of bind 9.6.1 suddenly drops. While the 
server remains responsive, the response time increases, the rate of the failed 
queries increases, and CPU/load average usage increases. Restarting named 
solves the problem.
 
I cannot find anything useful in the logs, but a quick search in this mailing 
list archive shows that other users reported somewhat similar problems with 
this version of BIND :(
 
The operating system is Linux (Linux ns1 2.6.18-128.el5 #1 SMP Wed Dec 17 
11:41:38 EST 2008 x86_64 x86_64 x86_64 GNU/Linux) , Red Hat Enterprise Linux 
Server release 5.3 (Tikanga).
 
Output of named -V:
BIND 9.6.1 built with '--enable-threads' '--enable-largefile' 
'--prefix=/usr/local'
 
/usr/local/sbin/named: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), 
for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 
2.6.9, not stripped
 
It is important to state that we just upgraded from 9.4.3-P2.
 
Any ideas?
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: SPF/TXT records

2009-06-19 Thread Fr34k

Hello,

Do I dare comment on this? Okay, I do...

RE: Advogato:
If security was easy and convenient, then everything would be secure. Someone 
tell Advogato!
Advogato is complaining because they want an unmanageable environment of dynamic 
outbound relays and expect SPF, static DNS records, to keep up.
Solution: SPF has syntax in place to suggest to the destination MTA that email 
might come from other sources.
Or, just don't use SPF because it will not work in such an environment.
Friends don't let friends forward email -- with or without SPF, but that's 
another story.
Either way, nothing is wrong with SPF and Advogato needs to stop complaining 
about it when he/she is setting SPF up to fail.


RE: CircleID:
Yes yes yes. Welcome to real life. Jerks will be jerks and there's nothing to 
stop them from calling/emailing/FAXing scams to the world by abusing the same 
methods honest folks use.
SPF is not here to solve everything. SPF adds another layer of abuse prevention.
No one should blindly accept email just because it passes SPF checks. I feel 
for any email users of a system configured as such - yuck!
Solution: Use all email best practices, including filters, RBLs, monitoring 
logs, PTR checks, user complaints, etc., and SPF as appropriate for the 
administrator's environment.


None of this is an attack on you, Jeff, and I would hope you realize that, but I 
want to mention it to be sure.
I realize you are sharing info on other view points and I appreciate that. In 
light of this, I had to share mine.

Summary: SPF may, or may not, work in all environments. Everyone needs to 
decide on his/her own, but there's nothing wrong with SPF.

Thanks.



- Original Message 
From: Jeff Lightner jlight...@water.com
To: Mike Bernhardt bernha...@bart.gov; Matus UHLAR - fantomas 
uh...@fantomas.sk; bind-users@lists.isc.org
Sent: Friday, June 19, 2009 12:41:50 PM
Subject: RE: SPF/TXT records

Or moreover not to bother with SPF at all as suggested in these
documents?:

Why you shouldn't jump on the SPF bandwagon:
http://www.advogato.org/article/816.html

How spammers get around SPF:
http://www.circleid.com/posts/782012_spammer_get_around_spf/


-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mike Bernhardt
Sent: Friday, June 19, 2009 12:37 PM
To: 'Matus UHLAR - fantomas'; bind-users@lists.isc.org
Subject: RE: SPF/TXT records

So is the general recommendation in this group to NOT implement an empty
SPF2.0 record (i.e., spf2.0/pra) just in case, as recommended in the
5-year-old openspf document referenced below?

-Original Message-
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk] 
Sent: Friday, June 19, 2009 12:31 AM
To: bind-users@lists.isc.org
Subject: Re: SPF/TXT records

On 18.06.09 16:22, Jeffrey Collyer wrote:
 M$ has their own take on SPF called Sender ID, which uses a very similar
 record -

 v=spf2.0 rather than v=spf1

 so be sure to read up on them both before publishing records for one or
 the other.

It has downfalls so I recommend not even studying it, just remember that
spf2 is some M$ crap...

v=spf1 is just enough for now.

 http://www.openspf.org/SPF_vs_Sender_ID

 Hotmail in particular is picky about what it rejects and why.

Yes, Hotmail tends to reject mail for many strange reasons.

But I don't recommend playing with spf2 just to get mail to Hotmail; I think
there are better ways to get your mail anywhere.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT wish to receive any advertising mail at this address.
My mind is like a steel trap - rusty and illegal in 37 states. 



Re: Make changes en mass

2009-03-24 Thread Fr34k

Hello,

Some folks prefer to script something.
Some may find this tool helpful:
http://www.laffeycomputer.com/rpl.html

I'm sure there are other ways.

HTH
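The "script something" route, as an added example that is not the post's own code or the rpl tool: a Python script that raises the SOA expire in every zone file under a directory and bumps each serial so the secondaries pick up the change. The sample zone, the *.zone file naming and the four-week target are assumptions.

```python
import re
from pathlib import Path

# Hypothetical zone file, constructed for this example (not from the thread).
SAMPLE_ZONE = """\
$TTL 3600
@   IN  SOA ns1.example.com. hostmaster.example.com. (
        2009032401 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire (1 week: flagged as too short)
        86400 )    ; minimum
    IN  NS  ns1.example.com.
"""

FOUR_WEEKS = 2419200  # seconds; upper end of the 2-4 week range in the report

# Fields inside the SOA parentheses may be separated by whitespace, newlines
# and ';' comments; this assumes the common parenthesised multi-line layout.
SEP = r"(?:\s|;[^\n]*)+"
SOA_RE = re.compile(
    r"\bSOA\b[^(\n]*\((?:\s|;[^\n]*)*"
    r"(?P<serial>\d+)" + SEP +
    r"(?P<refresh>\d+)" + SEP +
    r"(?P<retry>\d+)" + SEP +
    r"(?P<expire>\d+)" + SEP +
    r"(?P<minimum>\d+)"
)


def update_expire(zone_text, new_expire=FOUR_WEEKS):
    """Return (new_text, serial). The serial is bumped only when expire changes,
    because secondaries only transfer a zone whose serial has gone up."""
    m = SOA_RE.search(zone_text)
    if not m:
        raise ValueError("no parenthesised SOA record found")
    old_serial = int(m.group("serial"))
    if int(m.group("expire")) == new_expire:
        return zone_text, old_serial  # already correct: leave the serial alone
    new_serial = (old_serial + 1) % 2**32  # RFC 1982 serial arithmetic
    # Splice the later span first so the earlier (serial) offsets stay valid.
    text = zone_text[:m.start("expire")] + str(new_expire) + zone_text[m.end("expire"):]
    text = text[:m.start("serial")] + str(new_serial) + text[m.end("serial"):]
    return text, new_serial


def update_zone_files(directory, pattern="*.zone", new_expire=FOUR_WEEKS):
    """Rewrite every matching zone file in place; returns {path: new_serial}."""
    results = {}
    for path in sorted(Path(directory).glob(pattern)):
        text, serial = update_expire(path.read_text(), new_expire)
        path.write_text(text)
        results[str(path)] = serial
    return results
```

Check each rewritten file with named-checkzone before reloading named.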



- Original Message 
From: John D. Vo j...@eagle.net
To: bind-users@lists.isc.org
Sent: Tuesday, March 24, 2009 1:03:22 PM
Subject: Make changes en mass

Greetings:

According to http://thednsreport.com, the expire time for my zones is too 
short (recommended 2-4 weeks) and
my SOA record is not good.

Is there a tool that I can use to make changes to all my zones in one swoop?

Thanks,

Solaris/Bind 9.2.2. (yes, it is ancient)

-- 

Best Regards,

John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell:    (212) 200-3016

---



Re: DNS server can resolve some domains - BIND 9.4.2-P1

2009-02-26 Thread Fr34k
For Solaris9 kernel tunables, this may help:
http://docs.sun.com/app/docs/doc/816-7137/6md5pauj7?l=ena=view

But note that in my experience BIND 9.4.x will not use these OS limits, but 
rather how many FDs BIND has been compiled with.

For our purposes, 9.5.1b2 worked great on Solaris9.
We are now running 9.6.0-P1 (for us, 9.5 to 9.6 was easy).
There are some changes between 9.4.x and 9.5.x, which you should review on 
isc.org should you decide to upgrade.

Search this list archive for socket or file descriptor issue threads as all of 
this has been discussed before.



- Original Message 
From: Prabhat Rana prana9...@yahoo.com
To: Linux Addict linuxaddi...@gmail.com
Cc: sergiot...@gmail.com; comp-protocols-dns-b...@isc.org
Sent: Thursday, February 26, 2009 1:24:33 PM
Subject: Re: DNS server can resolve some domains - BIND 9.4.2-P1

Sorry. Yes I meant /etc/system file.


--- On Thu, 2/26/09, Linux Addict linuxaddi...@gmail.com wrote:

 From: Linux Addict linuxaddi...@gmail.com
 Subject: Re: DNS server can resolve some domains - BIND 9.4.2-P1
 To: prana9...@yahoo.com
 Cc: comp-protocols-dns-b...@isc.org, sergiot...@gmail.com
 Date: Thursday, February 26, 2009, 12:18 PM
 On Thu, Feb 26, 2009 at 1:11 PM, Prabhat Rana prana9...@yahoo.com wrote:

  Also you may want to increase the File descriptor limits in /etc/service file
  *  Set File descriptor (FD) limits
  set rlim_fd_max=

 It's /etc/system

  --- On Thu, 2/26/09, JINMEI Tatuya / 神明達哉 jinmei_tat...@isc.org wrote:

   From: JINMEI Tatuya / 神明達哉 jinmei_tat...@isc.org
   Subject: Re: DNS server can resolve some domains - BIND 9.4.2-P1
   To: comp-protocols-dns-b...@isc.org
   Cc: sergiot...@gmail.com
   Date: Thursday, February 26, 2009, 11:49 AM
   At Wed, 25 Feb 2009 12:27:29 -0800 (PST), sergiot...@gmail.com wrote:

    I have a server installed, with Solaris 9 and BIND 9.4.2-P1. 1 week ago, I
    began to receive some messages in the message logs:

    25-Feb-2009 15:30:35.826 general: error: socket: too many open file descriptors
    25-Feb-2009 15:30:35.827 general: error: socket: too many open file descriptors
    25-Feb-2009 15:30:36.210 general: error: socket: too many open file descriptors
    25-Feb-2009 15:30:36.228 general: error: socket: too many open file descriptors

    I guess that's why my server is working abnormally right now and cannot
    resolve some domains. I've read a lot of posts that there is a patch for this
    issue, and also some people try to fix the problem by increasing the FTD_Size
    value, but I don't know what exactly I can apply. Could you help me please,
    because our DNS server is the master and it cannot stay with this kind of
    problems for a long time.

   9.4.2-P1 has known scalability issues.  Please upgrade to 9.4.3-P1.

   ---
   JINMEI, Tatuya
   Internet Systems Consortium, Inc.

Re: SERVFAIL issues

2009-01-16 Thread Fr34k
Hello,

Has the max-cache-size setting in named.conf been considered?

If not, note that in early releases of 9.5.x max-cache-size is 32M by default 
instead of unlimited as in 9.4.x.

From the CHANGES file with the bind-9.5.0-P2 source:
max-cache-size defaults to 32M

Using:
max-cache-size 0 ;
will restore previous behavior (unlimited).

The ultimate setting would need to be considered for the environment BIND is 
running in.

FWIW, we use max-cache-size 0 ; without issue.

You can search this list's archives for max-cache-size for previous discussions 
on this.

Thanks.



- Original Message 
From: Frank Bulk frnk...@iname.com
To: bind-users@lists.isc.org
Sent: Thursday, January 15, 2009 6:57:10 PM
Subject: SERVFAIL issues

http://marc.info/?l=bind-users&m=122239920822324&w=2
http://marc.info/?l=bind-users&m=122243068905656&w=2

We upgraded to 9.5.0-P1 when the Kaminsky DNS vulnerability was announced
and have had intermittent issues with SERVFAIL problems for some DSL modems
that don't properly fail over to a secondary DNS server.  A packet capture
showed that certain domains would result in a SERVFAIL, and once that domain
was identified, if we did a dig against it we had the same result.  We've
had to stop and start the named service about half a dozen times this fall
to resolve the issue.

We upgraded to 9.5.0-P2 in early November, hoping that this issue would be
resolved.  But today we experienced the problem again.  A customer couldn't
query a site, although everything seemed correct.  I captured all their
traffic and the trace showed that the DNS server was issuing a SERVFAIL.  I
stopped and then started named and immediately all was well.  Since we
sometimes reload named when adding/modifying domains, or at other times use
rndc, I'm not sure if that cleared things up such that this is the first
time I recall having this problem in 2 months.

Is this intermittent SERVFAIL issue resolved in 9.5.1-P1?

Frank




9.5.1b2 rbtdb.c assertion failure

2008-12-31 Thread Fr34k
Hello,

Running 9.5.1b2 on Solaris9.
Crashed with this info:

Dec 31 13:04:25 named[308]: [ID 873579 daemon.crit] rbtdb.c:1482: 
REQUIRE((node)->references > 0) failed
Dec 31 13:04:25 named[308]: [ID 873579 daemon.crit] exiting (due to assertion 
failure)
Dec 31 13:05:07 genunix: [ID 603404 kern.notice] NOTICE: core_log: named[308] 
core dumped: /var/core/core.named.308.server.0.0.1230746686
 
[r...@server root]# named -v
BIND 9.5.1b2

Below is what I found among BIND versions regarding rbtdb.c issues, but I don't 
see a match to what affected us.
Anyone have any ideas?

Thanks!


--- 9.6.0b1 released ---
2481.   [bug]       rbtdb.c:matchparams() failed to handle NSEC3 chain
                    collisions.  [RT #18812]
--- 9.6.0a1 released ---
--- 9.5.1b2 released ---
2415.   [bug]       'rndc dumpdb' could trigger various assertion failures
                    in rbtdb.c. [RT #18455]
--- 9.5.1b1 released ---
--- 9.5.0b3 released ---
2327.   [bug]       It was possible to dereference a NULL pointer in
                    rbtdb.c.  Implement dead node processing in zones as
                    we do for caches. [RT #17312]
--- 9.5.0a2 released ---
2156.   [bug]       Fix node reference leaks in lookup.c:lookup_find(),
                    resolver.c:validated() and resolver.c:cache_name().
                    Fix a memory leak in rbtdb.c:free_noqname().
                    Make lookup.c:lookup_find() robust against
                    event leaks. [RT #16685]
