Re: jails bind ip

2013-01-27 Thread Ivailo Tanusheff
Hi,

First of all, using 127.0.0.1 as the second address is nothing but wrong, as 
this is the loopback address :)

For the second part of the question - I suppose it has nothing to do with 
BSD and the jail subsystem.
I am not sure why you have eth1 tbh, you should only have eth0, maybe 
because of this binding to 127.0.0.1, which fails as you already have this 
address on lo0.

But from your logs:

INFO  2013-01-26 16:03:03.085 Created socket: /127.0.0.1:5001
[main] ERROR 2013-01-26 16:03:03.186 A serious error occurred during PMS 
init org.jboss.netty.channel.ChannelException: Failed to bind to: 
/127.0.0.1:5001

Obviously you have an error in your config, as you are not binding to an 
address, but to a local socket at the root of the system. So my guess is you 
must either change your software configuration or give the user running the 
application access to the root folder.


Regards,

Ivailo Tanusheff



"Zyumbilev, Peter" (sent by owner-freebsd-questi...@freebsd.org) wrote on 26.01.2013 15:18 to "freebsd-questions@freebsd.org", subject "jails bind ip":


Re: jails bind ip

2013-01-26 Thread Zyumbilev, Peter


On 26/01/2013 23:06, Fbsd8 wrote:
> Zyumbilev, Peter wrote:
>>> Are you saying you installed the Debian 6.0 operating system
>>> inside of a Freebsd jail and expect it to function?
>>>
>>>
>>
>>
>> on top of all works ;-) Look at mailing list archives earlier ...See
>> mails from me.
>>
>>
>> Peter
> 
> 
> Ok I read the archive thread subject "jails".
> You read a reply pointing you to a French howto.
> 
> http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD
> 
> I don't read French so have no idea what you did.
> In another post you said you did this procedure
> 1. Use
> http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz
> instead of the file listed in the French howto.
> 2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before
> starting the jail, otherwise you will get error "kernel too old".
> 
> Don't understand what you mean by "shell" in the above #2 sentence.
> 
> The info you provided is so lacking in details. People here on the list
> are not going to try to duplicate your steps just to get an understanding
> of your situation.
> 
> When asking a question it's your job to describe in detail what your
> situation is. What you're trying to achieve by using a jail. What
> applications you installed in your jail. The jail statements you used to
> create your jail. So on and so forth.
> 
> No details results in no replies.
> If you want helpful replies start with more and better details.
> 
> From a very general point of view. You can populate a jail's directory
> tree with anything you want and the jail will still start. Having the
> jail start does not mean anything you put inside of the jail is
> working. Which is what I think is happening in your case.
> 
> Without details I can not help you any further.
> 
> Good luck.
> 
> 



Hi,

I know the chances that someone can help are slim. I believe my question is
asked right. Even if no one can help it was worth asking - at least you learned
that Debian can run inside FreeBSD :-) You know, the idea is for everyone to
learn from this.

Peter
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: jails bind ip

2013-01-26 Thread Fbsd8

Zyumbilev, Peter wrote:
>> Are you saying you installed the Debian 6.0 operating system
>> inside of a Freebsd jail and expect it to function?
>
> on top of all works ;-) Look at mailing list archives earlier ...See
> mails from me.
>
> Peter


Ok I read the archive thread subject "jails".
You read a reply pointing you to a French howto.

http://blog.etoilebsd.net/post/Emprisonner_une_debian_dans_un_FreeBSD

I don't read French so have no idea what you did.
In another post you said you did this procedure
1. Use
http://download.openvz.org/template/precreated/debian-6.0-x86.tar.gz
instead of the file listed in the French howto.
2. Run sysctl compat.linux.osrelease=2.6.32 in Freebsd shell before
starting the jail, otherwise you will get error "kernel too old".

Don't understand what you mean by "shell" in the above #2 sentence.

The info you provided is so lacking in details. People here on the list 
are not going to try to duplicate your steps just to get an understanding 
of your situation.


When asking a question it's your job to describe in detail what your 
situation is. What you're trying to achieve by using a jail. What 
applications you installed in your jail. The jail statements you used to 
create your jail. So on and so forth.


No details results in no replies.
If you want helpful replies start with more and better details.

From a very general point of view. You can populate a jail's directory 
tree with anything you want and the jail will still start. Having the 
jail start does not mean anything you put inside of the jail is 
working. Which is what I think is happening in your case.


Without details I can not help you any further.

Good luck.



Re: jails bind ip

2013-01-26 Thread Zyumbilev, Peter

> Are you saying you installed the Debian 6.0 operating system
> inside of a Freebsd jail and expect it to function?
> 
> 


on top of all works ;-) Look at mailing list archives earlier ...See
mails from me.


Peter


Re: jails bind ip

2013-01-26 Thread Fbsd8

Zyumbilev, Peter wrote:


jails bind ip

2013-01-26 Thread Zyumbilev, Peter
Hi,

I have successfully run multiple jails on FreeBSD 9.1

Two of the jails are FreeBSD and I have no problems with them.

However I have some strange problem with a Debian 6.0 jail.

This is my config

jail_debian_rootdir="/jail/debian"
jail_debian_hostname="debian.bivol.net"
jail_debian_ip="192.168.30.12,127.0.0.1"
jail_debian_interface="bge0"
jail_debian_devfs_enable="YES"
jail_debian_devfs_ruleset="devfsrules_jail"
jail_debian_flags="-n debian"
#jail_debian_mount_enable="YES"   # mount YES|NO
jail_debian_fstab="/jail/conf/fstab.debian"   # File with filesystems to mount


I tried with and without 127.0.0.1.

This is how ifconfig looks from inside debian:

root@debian:/# ifconfig
eth0  Link encap:Ethernet  HWaddr e8:39:35:25:d2:ef
  inet addr:192.168.30.12  Bcast:192.168.30.12  Mask:255.255.255.255
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:425676061 errors:0 dropped:0 overruns:0 frame:0
  TX packets:483122783 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0
  RX bytes:478459387769 (445.6 GiB)  TX bytes:190485214007
(177.4 GiB)

eth1  Link encap:Ethernet  HWaddr 00:00:00:00:00:00
  UP MULTICAST  MTU:65536  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo0   Link encap:Local Loopback
  inet addr:127.0.0.1  Mask:255.0.0.0
  UP LOOPBACK RUNNING MULTICAST  MTU:16384  Metric:1
  RX packets:1273268 errors:0 dropped:0 overruns:0 frame:0
  TX packets:1273274 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0
  RX bytes:103125473 (98.3 MiB)  TX bytes:103125585 (98.3 MiB)

usbus0Link encap:Ethernet  HWaddr 00:00:00:00:00:00
  UP  MTU:0  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

usbus1Link encap:Ethernet  HWaddr 00:00:00:00:00:00
  UP  MTU:0  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

usbus2Link encap:Ethernet  HWaddr 00:00:00:00:00:00
  UP  MTU:0  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

usbus3Link encap:Ethernet  HWaddr 00:00:00:00:00:00
  UP  MTU:0  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

usbus4Link encap:Ethernet  HWaddr 00:00:00:00:00:00
  UP  MTU:0  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

usbus5Link encap:Ethernet  HWaddr 00:00:00:00:00:00
  UP  MTU:0  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0
  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


However, applications have problems binding. Two applications that fail
are Plex media server and PS3 media server.

1. PS3 media server throws crazy errors like that it cannot bind - no
matter which IP I choose:

[main] INFO  2013-01-26 16:03:02.833 Loading configuration file:
Panasonic.conf
[main] DEBUG 2013-01-26 16:03:02.833 Base path set to
file:///etc/ps3mediaserver/renderers/Panasonic.conf
[main] INFO  2013-01-26 16:03:02.855 Loading configuration file: PS3.conf
[main] DEBUG 2013-01-26 16:03:02.855 Base path set to
file:///etc/ps3mediaserver/renderers/PS3.conf
[main] INFO  2013-01-26 16:03:02.861 Loading configuration file:
AirPlayer.conf
[main] DEBUG 2013-01-26 16:03:02.862 Base path set to
file:///etc/ps3mediaserver/renderers/AirPlayer.conf
[main] INFO  2013-01-26 16:03:02.864 Checking MPlayer font cache. It can
take a minute or so.
[main] DEBUG 2013-01-26 16:03:02.865 launching:
/usr/lib/ps3mediaserver/linux/mplayer
[main] INFO  2013-01-26 16:03:03.008 Done!
[main] INFO  2013-01-26 16:03:03.016 Searching for plugins in
/usr/lib/ps3mediaserver/plugins
[main] INFO  2013-01-26 16:03:03.029 No plugins found
[main] INFO  2013-01-26 16:03:03.060 Registering transcoding engine:
FFmpeg Audio
[main] INFO  2013-01-26 16:03:03.078 Registering transcoding engine:
MEncoder
[main] INFO  2013-01-26 16:03:03.079 Registering transcoding engine:
MPlayer Audio
[main] INFO  2013-01-

Re: bind 192.168.1.1 to all interfaces

2012-12-23 Thread jb
Eugen Konkov  yandex.ru> writes:

> ... 
> So in my vlan I have two DHCP servers. One is mine and
> second is on that router. Some users get wrong IPs from that router.
> ... 
> Or is there any other method to prevent such illegal DHCP servers on LAN?

http://www.tcpipguide.com/free/t_DHCPSecurityIssues.htm
jb




Re[2]: bind 192.168.1.1 to all interfaces

2012-12-23 Thread Eugen Konkov
Hello, Patrick.

You wrote on 23 December 2012, 15:17:43:

PL> On Sun, 23 Dec 2012 14:17:47 +0200,
PL> Eugen Konkov wrote:

PL> Hello,

>> Or is there any other method to prevent such illegal DHCP servers on
>> LAN?

PL> At work we use "dhcp_probe"
PL> http://www.net.princeton.edu/software/dhcp_probe/

PL> It works quite fine, when someone plugs in a DHCP server it is detected and
PL> we shut down the switch port.

PL> I don't know if it runs on FreeBSD, it runs on Centos 6.

PL> Regards.

Unfortunately we use unmanaged switches 


-- 
Best regards,
 Eugen  mailto:kes-...@yandex.ru


Re: bind 192.168.1.1 to all interfaces

2012-12-23 Thread Patrick Lamaiziere
On Sun, 23 Dec 2012 14:17:47 +0200,
Eugen Konkov wrote:

Hello,

> Or is there any other method to prevent such illegal DHCP servers on
> LAN?

At work we use "dhcp_probe"
http://www.net.princeton.edu/software/dhcp_probe/

It works quite fine, when someone plugs in a DHCP server it is detected and
we shut down the switch port.

I don't know if it runs on FreeBSD, it runs on Centos 6.

Regards.


bind 192.168.1.1 to all interfaces

2012-12-23 Thread Eugen Konkov
Hi, FreeBSD.

I have many vlans on the server. IPs on those vlans are like 10.X.X.X/Y
I have DHCP running. But sometimes users on a vlan can turn on their SOHO router
like a DIR-300 or so and connect their internet cable to the LAN port of
that router. So in my vlan I have two DHCP servers. One is mine and the
second is on that router. Some users get wrong IPs from that router.

Can I bind the router's 192.168.1.1 address on the server, so as to restrict
such a router from working normally?

Or is there any other method to prevent such illegal DHCP servers on the LAN?

-- 
 Eugen  mailto:kes-...@yandex.ru

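dhcp_probe, suggested in the reply above, works by watching DHCP replies on the wire and comparing the answering server against a list of known servers. As an added example (not dhcp_probe's code and not from the thread), the Python below shows that core check: it parses a DHCP reply's BOOTP header and options, reads the server identifier (option 54), and flags any OFFER or ACK whose server is not on the allowlist. The two packets, the authorised server 10.1.0.1 and the client MAC are constructed for the example; 192.168.1.1 is the router address from the question.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 start of the option field
BOOTREPLY = 2
DHCP_OFFER, DHCP_ACK = 2, 5
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255


def parse_dhcp(payload):
    """Parse the BOOTP fixed header and the DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, hlen = payload[0], payload[2]
    msg = {
        "op": op,
        "yiaddr": str(IPv4Address(payload[16:20])),   # address being offered
        "siaddr": str(IPv4Address(payload[20:24])),   # next-server field
        "chaddr": payload[28:28 + hlen].hex(":"),     # client MAC
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def rogue_server(payload, authorised):
    """Return the server IP of an OFFER/ACK that did not come from an
    authorised DHCP server, or None when the message is benign."""
    msg = parse_dhcp(payload)
    mtype = msg["options"].get(OPT_MESSAGE_TYPE, b"")
    if msg["op"] != BOOTREPLY or mtype not in (bytes([DHCP_OFFER]), bytes([DHCP_ACK])):
        return None            # client-to-server traffic, NAK, etc.
    sid = msg["options"].get(OPT_SERVER_ID)
    # Option 54 is the authoritative server identity; siaddr is only a fallback.
    server = str(IPv4Address(sid)) if sid and len(sid) == 4 else msg["siaddr"]
    return None if server in authorised else server


def build_reply(server, offered, mtype=DHCP_OFFER):
    """Construct a minimal BOOTREPLY carrying a DHCP OFFER/ACK (sample data only)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, 0x3903F326, 0, 0x8000)
    hdr += IPv4Address("0.0.0.0").packed           # ciaddr
    hdr += IPv4Address(offered).packed             # yiaddr
    hdr += IPv4Address(server).packed              # siaddr
    hdr += IPv4Address("0.0.0.0").packed           # giaddr
    hdr += bytes.fromhex("020000000001") + b"\x00" * 10   # chaddr, constructed MAC
    hdr += b"\x00" * 192                           # sname (64) + file (128)
    opts = MAGIC_COOKIE
    opts += bytes([OPT_MESSAGE_TYPE, 1, mtype])
    opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server).packed
    opts += bytes([OPT_END])
    return hdr + opts


# Constructed captures: the site's own server on a 10.x vlan, and a SOHO
# router answering with its factory address.
AUTHORISED = {"10.1.0.1"}
LEGIT_OFFER = build_reply("10.1.0.1", "10.1.0.50")
ROGUE_OFFER = build_reply("192.168.1.1", "192.168.1.100")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        bad = rogue_server(pkt, AUTHORISED)
        print(name, "->", "rogue DHCP server %s" % bad if bad else "ok")
```

On an unmanaged switch there is no port to shut down, so the detection only tells you which router address and which client MAC to go and find.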


Re: BIND - slaving the root zone and signature expired

2012-10-25 Thread Damien Fleuriot
On 25 October 2012 18:55, Damien Fleuriot  wrote:
> On 25 October 2012 18:33, Warren Block  wrote:
>> On Thu, 25 Oct 2012, Damien Fleuriot wrote:
>>
>>> Anyone else experienced this problem today ?
>>>
>>> We slave the root zone and have received "signature expired" errors.
>>
>>
>> Found this:
>>
>> https://lists.dns-oarc.net/pipermail/dns-operations/2011-March/007116.html
>>
>> which leads to this:
>>
>> http://in-addr-transition.icann.org/
>
>
>
> Hi Warren and thanks for your reply,
>
>
> I've dug around some more and identified the problem we've been having.
>
>
>
> Apparently, from a given netblock, we can't AXFR the "." and "arpa"
> zones anymore with F.ROOT-SERVERS.NET.
> We can from some other boxes.
> I suspect we might have been firewalled or something, although we
> don't query them very often, but that's beside the point.
>
>
> I've now transitioned all our PF boxes to slave from
> "xfr.lax.dns.icann.org" and "xfr.cjr.dns.icann.org" as per the
> documentation found in /etc/namedb/named.conf
>
> What bothers me is that the commented lines from named.conf say to use
> the ICANN XFR servers, while the actual commented configuration uses
> F.ROOT-SERVERS.NET
>
>
>
>
> See below a freshly SVNup'd copy on 10.0:
>
> % svn info named.conf
> Path: named.conf
> Name: named.conf
> Working Copy Root Path: /data/freebsd/src/head
> URL: svn://svn.freebsd.org/base/head/etc/namedb/named.conf
> Repository Root: svn://svn.freebsd.org/base
> Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
> Revision: 242082
> Node Kind: file
> Schedule: normal
> Last Changed Author: uqs
> Last Changed Rev: 229783
> Last Changed Date: 2012-01-07 16:10:32 + (Sat, 07 Jan 2012)
> Text Last Updated: 2012-09-01 11:43:31 + (Sat, 01 Sep 2012)
> Checksum: 598add209c192aac1dc4d973ce31922dff8b93c9
>
>
> I SVNup'd it just today, and yet:
>
> ===
> As documented at http://dns.icann.org/services/axfr/ these zones:
> "." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
> are available for AXFR from these servers on IPv4 and IPv6:
> xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
> */
> /*
> zone "." {
> type slave;
> file "/etc/namedb/slave/root.slave";
> masters {
> 192.5.5.241;// F.ROOT-SERVERS.NET.
> };
> notify no;
> };
> ===
>
>
>
>
> I'm going to file a PR with a small diff to use ICANN's XFR
> servers instead of F.
>
>
>
> Thanks for your feedback regardless :)


If anyone cares to take it, filed as conf/173077


Re: BIND - slaving the root zone and signature expired

2012-10-25 Thread Damien Fleuriot
On 25 October 2012 18:33, Warren Block  wrote:
> On Thu, 25 Oct 2012, Damien Fleuriot wrote:
>
>> Anyone else experienced this problem today ?
>>
>> We slave the root zone and have received "signature expired" errors.
>
>
> Found this:
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2011-March/007116.html
>
> which leads to this:
>
> http://in-addr-transition.icann.org/



Hi Warren and thanks for your reply,


I've dug around some more and identified the problem we've been having.



Apparently, from a given netblock, we can't AXFR the "." and "arpa"
zones anymore with F.ROOT-SERVERS.NET.
We can from some other boxes.
I suspect we might have been firewalled or something, although we
don't query them very often, but that's beside the point.


I've now transitioned all our PF boxes to slave from
"xfr.lax.dns.icann.org" and "xfr.cjr.dns.icann.org" as per the
documentation found in /etc/namedb/named.conf

What bothers me is that the commented lines from named.conf say to use
the ICANN XFR servers, while the actual commented configuration uses
F.ROOT-SERVERS.NET




See below a freshly SVNup'd copy on 10.0:

% svn info named.conf
Path: named.conf
Name: named.conf
Working Copy Root Path: /data/freebsd/src/head
URL: svn://svn.freebsd.org/base/head/etc/namedb/named.conf
Repository Root: svn://svn.freebsd.org/base
Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
Revision: 242082
Node Kind: file
Schedule: normal
Last Changed Author: uqs
Last Changed Rev: 229783
Last Changed Date: 2012-01-07 16:10:32 + (Sat, 07 Jan 2012)
Text Last Updated: 2012-09-01 11:43:31 + (Sat, 01 Sep 2012)
Checksum: 598add209c192aac1dc4d973ce31922dff8b93c9


I SVNup'd it just today, and yet:

===
As documented at http://dns.icann.org/services/axfr/ these zones:
"." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
are available for AXFR from these servers on IPv4 and IPv6:
xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
*/
/*
zone "." {
type slave;
file "/etc/namedb/slave/root.slave";
masters {
192.5.5.241;// F.ROOT-SERVERS.NET.
};
notify no;
};
===




I'm going to file a PR with a small diff to use ICANN's XFR
servers instead of F.



Thanks for your feedback regardless :)


Re: BIND - slaving the root zone and signature expired

2012-10-25 Thread Warren Block

On Thu, 25 Oct 2012, Damien Fleuriot wrote:

> Anyone else experienced this problem today ?
>
> We slave the root zone and have received "signature expired" errors.


Found this:

https://lists.dns-oarc.net/pipermail/dns-operations/2011-March/007116.html

which leads to this:

http://in-addr-transition.icann.org/


BIND - slaving the root zone and signature expired

2012-10-25 Thread Damien Fleuriot
Hello list,



Anyone else experienced this problem today ?

We slave the root zone and have received "signature expired" errors.




We slave the root zone like so:
zone "." {
type slave;
file "/etc/namedb/slave/root.slave";
masters {
192.5.5.241;// F.ROOT-SERVERS.NET.
};
notify no;
};
zone "arpa" {
type slave;
file "/etc/namedb/slave/arpa.slave";
masters {
192.5.5.241;// F.ROOT-SERVERS.NET.
};
notify no;
};



And got the following errors:


messages.2:Oct 25 08:25:46 pf1 named[23251]: starting BIND 9.6.-ESV-R7
-t /var/named -u bind
messages.2:Oct 25 08:25:46 pf1 named[23251]: built with
'--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man'
'--enable-threads' '--enable-getifaddrs' '--disable-linux-caps'
'--with-openssl=/usr' '--with-randomdev=/dev/random' '--without-idn'
'--without-libxml2'
messages.2:Oct 25 08:25:46 pf1 named[23251]:

messages.2:Oct 25 08:25:46 pf1 named[23251]: BIND 9 is maintained by
Internet Systems Consortium,
messages.2:Oct 25 08:25:46 pf1 named[23251]: Inc. (ISC), a non-profit
501(c)(3) public-benefit
messages.2:Oct 25 08:25:46 pf1 named[23251]: corporation.  Support and
training for BIND 9 are
messages.2:Oct 25 08:25:46 pf1 named[23251]: available at
https://www.isc.org/support
messages.2:Oct 25 08:25:46 pf1 named[23251]:

messages.2:Oct 25 08:25:46 pf1 named[23251]: command channel listening
on 127.0.0.1#953
messages.2:Oct 25 08:25:46 pf1 named[23251]: command channel listening
on ::1#953
messages.2:Oct 25 08:25:46 pf1 named[23251]:
/etc/namedb/slave/root.slave:10: signature has expired
messages.2:Oct 25 08:25:46 pf1 named[23251]:
/etc/namedb/slave/arpa.slave:10: signature has expired
messages.2:Oct 25 08:25:46 pf1 named[23251]: running
messages.2:Oct 25 08:25:46 pf1 named[23251]: zone ./IN: expired
messages.2:Oct 25 08:25:46 pf1 named[23251]: zone arpa/IN: expired
messages.2:Oct 25 08:27:16 pf1 named[23251]: transfer of 'arpa/IN'
from 192.5.5.241#53: failed while receiving responses: connection
reset
messages.2:Oct 25 08:27:17 pf1 named[23251]: transfer of './IN' from
192.5.5.241#53: failed while receiving responses: connection reset
messages.2:Oct 25 08:28:47 pf1 named[23251]: transfer of './IN' from
192.5.5.241#53: failed while receiving responses: connection reset
messages.2:Oct 25 08:28:47 pf1 named[23251]: transfer of 'arpa/IN'
from 192.5.5.241#53: failed while receiving responses: connection
reset
messages.2:Oct 25 08:30:37 pf1 named[23251]: transfer of 'arpa/IN'
from 192.5.5.241#53: failed while receiving responses: connection
reset
messages.2:Oct 25 08:30:42 pf1 named[23251]: transfer of './IN' from
192.5.5.241#53: failed while receiving responses: connection reset
messages.2:Oct 25 08:32:47 pf1 named[23251]: stopping command channel
on 127.0.0.1#953
messages.2:Oct 25 08:32:47 pf1 named[23251]: stopping command channel on ::1#953
messages.2:Oct 25 08:32:47 pf1 named[23251]: exiting

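The "signature has expired" lines come from RRSIG records in the slaved zone files whose expiration time lies before named's clock, which is why the stale copy is marked expired while every AXFR retry against F is reset. As an added example (not from the thread and not BIND's own code), this Python script scans a zone file's RRSIG records and lists those whose validity window does not contain a given time. The zone text is constructed (dummy signatures), and NOW is the named start timestamp from the log above.

```python
import re
from datetime import datetime, timezone

# Presentation format of an RRSIG record (RFC 4034 section 3.2):
# owner [TTL] [IN] RRSIG type alg labels origTTL expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+\d+\s+(?P<signer>\S+)"
)


def parse_sigtime(stamp):
    """Convert an RRSIG YYYYMMDDHHMMSS timestamp (always UTC) to a datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def expired_rrsigs(zone_text, now):
    """Return (line_no, owner, covered_type, expiration_iso) for every RRSIG
    whose validity window [inception, expiration] does not contain `now`
    (so not-yet-valid signatures are reported as well)."""
    bad = []
    for line_no, line in enumerate(zone_text.splitlines(), start=1):
        m = RRSIG_RE.match(line)
        if not m:
            continue
        inception = parse_sigtime(m["inception"])
        expiration = parse_sigtime(m["expiration"])
        if not inception <= now <= expiration:
            bad.append((line_no, m["name"], m["type"], expiration.isoformat()))
    return bad


def report(zone_file, zone_text, now):
    """Render findings in the same file:line shape as named's log message."""
    return ["%s:%d: signature has expired (%s RRSIG %s, expiration %s)"
            % (zone_file, ln, owner, rtype, exp)
            for ln, owner, rtype, exp in expired_rrsigs(zone_text, now)]


# Timestamp of the named start in the log above, and a constructed zone file
# (the signatures are dummy base64, not real ones).
NOW = parse_sigtime("20121025082546")
SAMPLE_ZONE = """\
; constructed sample, not a real root zone
.     86400  IN  SOA   a.root-servers.net. nstld.verisign-grs.com. 2012102500 1800 900 604800 86400
.     86400  IN  RRSIG SOA 8 0 86400 20121101000000 20121024230000 12345 . dGVzdA==
.     518400 IN  NS    a.root-servers.net.
.     518400 IN  RRSIG NS 8 0 518400 20121020000000 20121013000000 12345 . dGVzdA==
arpa. 172800 IN  NS    a.root-servers.net.
arpa. 86400  IN  DS    12345 8 2 ABCDEF
arpa. 86400  IN  RRSIG DS 8 1 86400 20121028000000 20121021000000 12345 . dGVzdA==
"""

if __name__ == "__main__":
    for line in report("root.slave", SAMPLE_ZONE, NOW):
        print(line)
```

Run it against /etc/namedb/slave/root.slave with the current time to see how close the remaining signatures are to expiring when transfers start failing.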


Re: 8-STABLE base BIND version number typo ?

2012-08-28 Thread bw



> I seem to have seen no replies.
>
> Would anyone kindly confirm they've got the same problem so we can get
> a PR filed ?


# named -V
BIND 9.6.-ESV-R5-P1 built with '--prefix=/usr' 
'--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' 
'--enable-getifaddrs' '--disable-linux-caps' '--with-openssl=/usr' 
'--with-randomdev=/dev/random' '--without-idn' '--without-libxml2'

# uname -a
FreeBSD xxx.xx 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Mon Jun 11 
23:52:38 UTC 2012 
r...@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386




Re: 8-STABLE base BIND version number typo ?

2012-08-28 Thread Damien Fleuriot
On 27 August 2012 10:11, Damien Fleuriot  wrote:
> Hello list,
>
>
>
> We're currently running Nessus PCI DSS scans on our infrastructure to
> eliminate known vulnerabilities and problems.
>
> The scan reports that my version of BIND is vulnerable to exploits I
> *know* it isn't.
>
> The problem, to me, seems to be with the version number as reported by
> named -V :
> BIND 9.6.-ESV-R7-P2 built with '--prefix=/usr'
> '--infodir=/usr/share/info' '--mandir=/usr/share/man'
> '--enable-threads' '--enable-getifaddrs' '--disable-linux-caps'
> '--with-openssl=/usr' '--with-randomdev=/dev/random' '--without-idn'
> '--without-libxml2'
>
> (notice the .- notation)
>
>
> This is the base's BIND running on 8.3-STABLE 64 bits compiled and
> built on 22/08/12 :
> FreeBSD pf1-dmz-gs.[snip] 8.3-STABLE FreeBSD 8.3-STABLE #2: Wed Aug 22
> 10:41:47 CEST 2012
>
>
> I have verified that building the exact same version from the ports,
> at /usr/ports/dns/bind96 yields the correct version number and the
> vulnerabilities are no longer reported by the scan, which uses BIND's
> version number as a reference.
>
>
>
> Has anyone else noticed the same oddity, that I might file a PR?



Hello list,



I seem to have seen no replies.

Would anyone kindly confirm they've got the same problem so we can get
a PR filed?


8-STABLE base BIND version number typo ?

2012-08-27 Thread Damien Fleuriot
Hello list,



We're currently running Nessus PCI DSS scans on our infrastructure to
eliminate known vulnerabilities and problems.

The scan reports that my version of BIND is vulnerable to exploits I
*know* it isn't.

The problem, to me, seems to be with the version number as reported by
named -V :
BIND 9.6.-ESV-R7-P2 built with '--prefix=/usr'
'--infodir=/usr/share/info' '--mandir=/usr/share/man'
'--enable-threads' '--enable-getifaddrs' '--disable-linux-caps'
'--with-openssl=/usr' '--with-randomdev=/dev/random' '--without-idn'
'--without-libxml2'

(notice the .- notation)


This is the base's BIND running on 8.3-STABLE 64-bit, compiled and
built on 22/08/12:
FreeBSD pf1-dmz-gs.[snip] 8.3-STABLE FreeBSD 8.3-STABLE #2: Wed Aug 22
10:41:47 CEST 2012


I have verified that building the exact same version from the ports,
at /usr/ports/dns/bind96 yields the correct version number and the
vulnerabilities are no longer reported by the scan, which uses BIND's
version number as a reference.



Has anyone else noticed the same oddity, that I might file a PR?


Re: Problem installing bind in jail

2012-04-05 Thread Da Rock

On 04/06/12 03:24, bsd wrote:

> Hi,
>
> I have followed the tutorial provided in
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html
> I have now five jails up and running and I am very happy with the system.
>
> One of my jails is acting as an important DNS server and it needs to be up to
> date.
>
> I have decided to recompile bind in the latest version and I am running into a
> problem which is caused by the bind port not following the FreeBSD requisites and
> trying to install things in /usr/include/isc
>
>
> making all in /s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/x86_32
> making all in 
> /s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/x86_32/include
> making all in 
> /s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/x86_32/include/isc
> making install in 
> /s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/include
> making all in 
> /s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/include/isc
> making install in 
> /s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/include/isc
> /bin/sh ../../../../mkinstalldirs /usr/include/isc
> mkdir /usr/include/isc
> mkdir: /usr/include/isc: Read-only file system
> *** Error code 1
>
> Stop in /s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/include/isc.
> […]
>
>
> I am not certain of the path I should take to solve this issue…
> Most probably I should symlink from the RO part of the system to the RW… but I
> am not 100% sure how to proceed.
>
>
> Why is ISC trying to set up things in this location and not in
> /usr/local/include/ ?
>
>
> I think I would need to symlink from the RO portion of the system
> /usr/include/isc to /usr/local/include/isc but I am not certain how to proceed.

Assuming you're replacing the base version, you cannot use symlinks but
you can use a nullfs mount. You can make any part RW this way as long as
it's a directory.


As Matthew pointed out, all is in order here. No rule breaks happening... :)


Re: Problem installing bind in jail

2012-04-05 Thread Matthew Seaman
On 05/04/2012 18:24, bsd wrote:
> I have decided to recompile bind in the latest version and I am
> running into a problem which is caused by bind port not following the
> FreeBSD requisites and trying to install things in /usr/include/isc

What on earth gives you the idea that dns/bind98 doesn't conform to
hier(7)?  The bind ports are all installing stuff correctly: the only
files that get installed in an 'isc' or 'isccc' sub-directory are
c-language header files.  That's perfectly legal according to the rules.
 No problem there.

I suggest turning off the REPLACE_BASE option in the port.  You really
don't need it -- install as normal under /usr/local (which I guess
should fix the writability problems).  Then all you need to enable the
ports version of named is to put the following in /etc/rc.conf:

  named_enable="YES"
  named_program="/usr/local/sbin/named"

That's it.  You can now start up the ports version of named by:

  /etc/rc.d/named start

The bind port creates symlinks for named.conf, rndc.conf and rndc.key in
/usr/local/etc so you can control the ports version of bind in the usual
way using rndc(8).  (Well, assuming you've set up /etc/namedb/named.conf
properly.)

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey






Problem installing bind in jail

2012-04-05 Thread bsd
Hi, 

I have followed the tutorial provided in 
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html
I have now five jails up and running and I am very happy with the system. 

One of my jails is acting as an important DNS server and it needs to be up to
date.

I have decided to recompile bind in the latest version and I am running into a
problem which is caused by the bind port not following the FreeBSD requisites and
trying to install things in /usr/include/isc


making all in /s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/x86_32
making all in 
/s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/x86_32/include
making all in 
/s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/x86_32/include/isc
making install in 
/s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/include
making all in 
/s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/include/isc
making install in 
/s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/include/isc
/bin/sh ../../../../mkinstalldirs /usr/include/isc
mkdir /usr/include/isc
mkdir: /usr/include/isc: Read-only file system
*** Error code 1

Stop in /s/portbuild/usr/ports/dns/bind98/work/bind-9.8.2/lib/isc/include/isc.
[…] 



I am not certain of the path I should take to solve this issue…
Most probably I should symlink from the RO part of the system to the RW… but I
am not 100% sure how to proceed.


Why is ISC trying to set up things in this location and not in
/usr/local/include/ ?


I think I would need to symlink from the RO portion of the system
/usr/include/isc to /usr/local/include/isc but I am not certain how to proceed.



Thanks for your help. 

G.B. 


-> Grégory Bernard Director <-
---> www.osnet.eu <---
--> Your provider of OpenSource appliances <--



BIND SPF/TXT Questions

2012-02-18 Thread Jonathan Vomacka
I know this is a bit off topic from CentOS itself, but are there any DNS 
experts that would be able to e-mail me on the side and assist with some 
questions I have regarding TXT/SPF records? I want to ensure my mail 
doesn't bounce.



Re: inetd[1081]: ssh/tcp: bind: address already in use

2012-02-08 Thread Chuck Swiger
On Feb 8, 2012, at 11:39 AM, Henry Olyer wrote:
> Second, I am getting:  inetd[1081]: ssh/tcp: bind: address already in use.
> What's the fix, please?

Don't try to run sshd via inetd when you're already starting it as a daemon.

Regards,
-- 
-Chuck



inetd[1081]: ssh/tcp: bind: address already in use

2012-02-08 Thread Henry Olyer
First, thank you folks for your help.  Each of you.

I've been pretty much a glass terminal UN*X user since I started.  Now,
because of you guys and the people behind X and oh!, all those programs
that get linked in (three hours of package loading plus six hours of ports
downloading and compilation), I have a pretty nice Fvwm environment with
some nifty plotting.  (Though I wonder, is it better to be forced to
visualize the underlying curves of a system without looking?  A
philosophical problem for another day...)

Second, I am getting:  inetd[1081]: ssh/tcp: bind: address already in use.
 What's the fix, please?

And third, about the intrusion.  I have already wiped the machine to
rebuild it.  But I noted the requested files, if there is a future incident.

I had used null passwords while I was loading FBSD software.  A practice I
shall never repeat.  me bad...


Re: best way to bind webserver to port 80 without running as root

2012-01-04 Thread Gareth de Vaux
On Wed 2012-01-04 (02:10), Dino Vliet wrote:
> suddenly I'm facing this quest on freebsd 8. I need to bind my little 
> webserver running aolserver to port 80. In the past I was always using port 
> 8080 and had my router configured to forward requests on port 80 to the 
> server on port 8080. However, I am planning to host my little site on a 
> virtual server with a hosting company and figured I can't use the workaround I 
> always used. So my question is, how to bind aolserver to port 80 without 
> running as root as I understood ports below 1024 can only be used by root.
> I found a sysctl net.inet.ip.portrange.reservedhigh which enables me to set 
> it to 0. However, I don't know what the security ramifications are of using 
> that. Are there any other options I could consider?

Hi, if your server isn't able to bind as root and then drop its ownership
then you can just run the process on a higher port number and use something
like pf or portfwd to forward requests to port 80 to that higher port.


Re: best way to bind webserver to port 80 without running as root

2012-01-04 Thread Matthew Seaman
On 04/01/2012 10:10, Dino Vliet wrote:
> suddenly I'm facing this quest on freebsd 8. I need to bind my little
> webserver running aolserver to port 80. In the past I was always
> using port 8080 and had my router configured to forward requests on
> port 80 to the server on port 8080. However, I am planning to host my
> little site on a virtual server with a hosting company and figured I
> can't use the workaround I always used. So my question is, how to
> bind aolserver to port 80 without running as root as I understood
> ports below 1024 can only be used by root. I found a sysctl
> net.inet.ip.portrange.reservedhigh which enables me to set it to 0.
> However, I don't know what the security ramifications are of using
> that. Are there any other options I could consider?

There are lots of ways to do this.  The hard part is deciding which one
is most appropriate.  Let's see...

* Allow non-root to bind to port 80

  Yes, this does have security implications, but they may not be
  relevant in your situation.  If you can guarantee that any
  non-root process on your system is as trustworthy as a root owned
  process then it should be OK.  Meaning you don't have any other
  users and the system is secured against code injection attacks,
  etc.

  Probably the hardest to get right, and not really anything I'd
  recommend.

* Use one of the built-in firewalls to do port redirection.

  Similarly to the way you were using your router previously.
  So, for example in pf(4) you could do something like this:

rdr pass inet proto tcp from any to $ext_if port 80
   -> 127.0.0.1 port 8080

  Arrange for your aolserver instance to bind to the loopback
  interface port 8080 and you're all set.  You can use ipfw(8)
  to the same effect if preferred.  Note: this probably won't
  work if your virtual server is a jail, as in that case (a) you
  won't have a loopback interface you can use like that and (b)
  firewall rules would have to be setup in the host environment,
  not the jail.

* Use a proxy server bound to port 80, that internally redirects
  queries to your aolserver on port 8080.  You can just do a direct
  proxy using e.g. pound or apache or nginx or lighttpd so that
  every request is simply forwarded to the aolserver on port 80.
  Or you can get clever and

  -- serve static content (e.g. images, CSS etc.) by type directly
 from the proxy webserver.  This relieves your heavyweight
 app-server from dealing with all the trivial stuff and is
 much more efficient.

  -- Use the reverse proxy for SSL offload, if you're using
 HTTPS.  This can both simplify the configuration of your
 app server and provide a performance boost for some sites.

  -- Implement a reverse proxy /cache/.  Instead of going back
 to the origin server and regenerating each page every time
 anyone asks for it, cache a copy of the response the last
 time that page was requested and reply with that.  apache
 has a reasonably good proxy module, but consider also such
 packages as squid or varnish which are specifically
 written to do this.  Done right, this can make a huge
 difference to webserver performance.

Note: if you implement a reverse proxy cache, generally you don't need
to also implement the dispatching requests by type thing as well.
Static content should have a long TTL and be preferentially served out
of the cache thus achieving the same effect automatically.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk

7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW



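The "bind as root, then drop privileges" route that the replies above mention as the alternative to lowering net.inet.ip.portrange.reservedhigh, as an added example that is not code from the thread: the listening socket is created while still root, then the process switches permanently to an unprivileged account and verifies that root cannot be regained before it serves anything. The account name "nobody" and port 80 are assumed placeholders.

```python
"""Bind a privileged port first, then drop root before serving.

Added example (not from the thread). Only the bind() needs root; the
rest of the server's life is spent as an unprivileged user. The account
name "nobody" and the default port 80 are assumptions.
"""
import os
import pwd
import socket
import sys


def open_listener(host: str, port: int, backlog: int = 128) -> socket.socket:
    """Create a bound, listening TCP socket. For port < 1024 this is the
    only step that needs privilege."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(backlog)
    return sock


def choose_unprivileged_identity(username: str = "nobody"):
    """uid/gid to drop to: the named account when running as root,
    otherwise the current (already unprivileged) identity."""
    if os.geteuid() == 0:
        try:
            pw = pwd.getpwnam(username)
            return pw.pw_uid, pw.pw_gid
        except KeyError:
            return 65534, 65534  # conventional 'nobody' ids as a fallback
    return os.getuid(), os.getgid()


def can_regain_root() -> bool:
    """True if the process can still become root (the drop was incomplete)."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return True


def drop_privileges(uid: int, gid: int) -> None:
    """Permanently switch to uid/gid. Order matters: supplementary groups
    and the gid must be changed while still root, the uid last."""
    if uid == 0:
        raise ValueError("refusing to keep running as root")
    if os.geteuid() != 0:
        if (os.getuid(), os.getgid()) != (uid, gid):
            raise PermissionError("not root: cannot change identity")
        return  # already running as the requested account
    os.setgroups([gid])
    os.setgid(gid)
    os.setuid(uid)
    if can_regain_root():
        raise RuntimeError("privilege drop did not stick")


def effective_ids():
    return os.geteuid(), os.getegid()


def bound_port(sock: socket.socket) -> int:
    return sock.getsockname()[1]


def bind_then_drop(host: str, port: int, uid: int, gid: int) -> socket.socket:
    """The pattern itself: bind while privileged, drop, then serve."""
    sock = open_listener(host, port)
    drop_privileges(uid, gid)
    return sock


def main(argv) -> int:
    port = int(argv[1]) if len(argv) > 1 else 80
    uid, gid = choose_unprivileged_identity()
    sock = bind_then_drop("0.0.0.0", port, uid, gid)
    print(f"listening on port {bound_port(sock)} as uid={uid} gid={gid}")
    conn, _peer = sock.accept()
    with conn:  # minimal response, just to show the socket still works
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```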


Re: best way to bind webserver to port 80 without running as root

2012-01-04 Thread Grzegorz Blach

On 01/04/2012 11:10 AM, Dino Vliet wrote:

> Hi all,
>
> suddenly I'm facing this quest on freebsd 8. I need to bind my little webserver
> running aolserver to port 80. In the past I was always using port 8080 and had
> my router configured to forward requests on port 80 to the server on port 8080.
> However, I am planning to host my little site on a virtual server with a
> hosting company and figured I can't use the workaround I always used. So my
> question is, how to bind aolserver to port 80 without running as root as I
> understood ports below 1024 can only be used by root.
> I found a sysctl net.inet.ip.portrange.reservedhigh which enables me to set it
> to 0. However, I don't know what the security ramifications are of using that.
> Are there any other options I could consider?
>
> Thanks
> Dino

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac-portacl.html


best way to bind webserver to port 80 without running as root

2012-01-04 Thread Dino Vliet
Hi all,
 
suddenly I'm facing this quest on freebsd 8. I need to bind my little webserver 
running aolserver to port 80. In the past I was always using port 8080 and had 
my router configured to forward requests on port 80 to the server on port 8080. 
However, I am planning to host my little site on a virtual server with a 
hosting company and figured I can't use the workaround I always used. So my 
question is, how to bind aolserver to port 80 without running as root as I 
understood ports below 1024 can only be used by root.
I found a sysctl net.inet.ip.portrange.reservedhigh which enables me to set it 
to 0. However, I don't know what the security ramifications are of using that. 
Are there any other options I could consider?
 
Thanks
Dino


Re: mutual forwarders in ISC BIND

2011-12-29 Thread Da Rock

On 12/29/11 12:45, Kevin Wilcox wrote:

> On Dec 28, 2011 9:26 PM, "Victor Sudakov"  wrote:
>
>> And the reason for the whole thread. One of the customers told me that
>> 8.8.8.8 is faster than our own DNS servers which are located on the
>> same 100 MBit/s LAN with them. I was shocked but it seems true, at
>> least for the answers which are not yet cached.
>
> That actually makes perfect sense. That's one of the Google DNS IP
> addresses and they see a LOT of traffic, they're probably going to have the
> majority of the domains your clients want to look up (assuming your clients
> are like mine and most of their lookups are general web traffic) already in
> cache - your servers will need to go through the whole lookup process.
>
> Still, after a day or two of use, I would think your servers would have the
> bulk of what they needed in their caches. You may want to enable logging to
> see which domains are being looked up (if it won't break any applicable
> laws or policies) and do some spot-checks to see why they may not be in
> your cache.

A rather amusing observation would be that they're not in the cache 
because the clients are using 8.8.8.8 ...



Re: mutual forwarders in ISC BIND

2011-12-29 Thread Peter Andreev
2011/12/29 Victor Sudakov :
> Peter Andreev wrote:
>> >> >> > Victor, we researched this topic and learned that response time 
>> >> >> > highly
>> >> >> > depends on distance between user and resolver, while cache influence
>> >> >> > on this value is lesser.
>> >> >> > So I advise you to keep all as is.
>> >> >>
>> >> >> Be it so. Thank you.
>> >> >
>> >> > And the reason for the whole thread. One of the customers told me that
>> >> > 8.8.8.8 is faster than our own DNS servers which are located on the
>> >> > same 100 MBit/s LAN with them. I was shocked but it seems true, at
>> >> > least for the answers which are not yet cached.
>> >>
>> >> I don't know what software google uses on its resolvers, but I suppose
>> >> something with shared or synchronizing cache. Maybe they also make
>> >> preventive lookups on popular domains to fill this cache. And the
>> >> reason why 8.8.8.8 seems faster - it answered from cache while your
>> >> resolver made full lookup chain.
>> >
>> > Duh! That is why I started thinking about some cache synchronizing
>> > technique for my resolvers.
>>
>> Preventive lookups can be made via self-written scripts.
>
> Sure, after query log analysis.
>
>>
>> AFAIK there are no free open source implementations providing cache
>> synchronization between different resolvers.
>
> Unbound cannot do that, can it?

It has options "dump-cache" and "load-cache" for debugging purposes,
but I don't recommend using them in production.
Maybe "cache-min-ttl" and "cache-max-ttl" would be useful, but I
doubt which is better - getting a fast response or getting the right response.
>
> I am surprised. After all, squid siblings are quite common.
>
>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru



-- 
--
AP


Re: mutual forwarders in ISC BIND

2011-12-29 Thread Victor Sudakov
Peter Andreev wrote:
> >> >> > Victor, we researched this topic and learned that response time highly
> >> >> > depends on distance between user and resolver, while cache influence
> >> >> > on this value is lesser.
> >> >> > So I advise you to keep all as is.
> >> >>
> >> >> Be it so. Thank you.
> >> >
> >> > And the reason for the whole thread. One of the customers told me that
> >> > 8.8.8.8 is faster than our own DNS servers which are located on the
> >> > same 100 MBit/s LAN with them. I was shocked but it seems true, at
> >> > least for the answers which are not yet cached.
> >>
> >> I don't know what software google uses on its resolvers, but I suppose
> >> >> something with shared or synchronizing cache. Maybe they also make
> >> preventive lookups on popular domains to fill this cache. And the
> >> reason why 8.8.8.8 seems faster - it answered from cache while your
> >> resolver made full lookup chain.
> >
> > Duh! That is why I started thinking about some cache synchronizing
> > technique for my resolvers.
> 
> Preventive lookups can be made via self-written scripts.

Sure, after query log analysis.

> 
> AFAIK there are no free open source implementations providing cache
> synchronization between different resolvers.

Unbound cannot do that, can it?

I am surprised. After all, squid siblings are quite common.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: mutual forwarders in ISC BIND

2011-12-29 Thread Peter Andreev
2011/12/29 Victor Sudakov :
> Peter Andreev wrote:
>> >>
>> >> > Victor, we researched this topic and learned that response time highly
>> >> > depends on distance between user and resolver, while cache influence
>> >> > on this value is lesser.
>> >> > So I advise you to keep all as is.
>> >>
>> >> Be it so. Thank you.
>> >
>> > And the reason for the whole thread. One of the customers told me that
>> > 8.8.8.8 is faster than our own DNS servers which are located on the
>> > same 100 MBit/s LAN with them. I was shocked but it seems true, at
>> > least for the answers which are not yet cached.
>>
>> I don't know what software google uses on its resolvers, but I suppose
>> something with shared or synchronizing cache. Maybe they also make
>> preventive lookups on popular domains to fill this cache. And the
>> reason why 8.8.8.8 seems faster - it answered from cache while your
>> resolver made full lookup chain.
>
> Duh! That is why I started thinking about some cache synchronizing
> technique for my resolvers.

Preventive lookups can be made via self-written scripts.

AFAIK there are no free open source implementations providing cache
synchronization between different resolvers.

>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru



-- 
--
AP
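The "preventive lookups after query log analysis" idea from this exchange, as an added example that is not part of the thread: it ranks what a resolver's own query log shows clients asking for, keeps only the name and type (no client addresses, which limits the privacy exposure Kevin raised about logging), and emits the dig commands a periodic pre-warm job would run against the resolver. The sample log lines and the resolver address 127.0.0.1 are constructed, not taken from any real server.

```python
"""Rank the names a BIND resolver is asked for, from its query log, to
drive a cache pre-warming job.

Added example (not from the thread). The sample lines below are
constructed in the BIND 9 "queries" category layout; the parser only
relies on the "query: NAME IN TYPE" part, so the client address is
never retained or counted.
"""
import re
from collections import Counter

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
29-Dec-2011 10:00:01.001 client 192.168.30.21#51234: query: www.example.com IN A + (192.168.30.2)
29-Dec-2011 10:00:01.220 client 192.168.30.22#51980: query: www.example.com IN AAAA + (192.168.30.2)
29-Dec-2011 10:00:02.105 client 192.168.30.21#51235: query: mail.example.net IN MX + (192.168.30.2)
29-Dec-2011 10:00:02.840 client 192.168.30.23#40001: query: 21.30.168.192.in-addr.arpa IN PTR + (192.168.30.2)
29-Dec-2011 10:00:03.311 client 192.168.30.24#40002: query: WWW.Example.COM. IN A + (192.168.30.2)
29-Dec-2011 10:00:03.900 client 192.168.30.25#40003: query: cdn.example.org IN A + (192.168.30.2)
29-Dec-2011 10:00:04.000 client 192.168.30.25#40004: query: cdn.example.org IN A + (192.168.30.2)
29-Dec-2011 10:00:04.500 general: info: zone example.local/IN: loaded serial 2011122901
"""

QUERY_RE = re.compile(r"\bquery: (?P<name>\S+) IN (?P<type>[A-Z0-9]+)\b")
REVERSE_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")


def parse_query_log(lines):
    """Yield (qname, qtype) for each query line; other lines are ignored.
    Names are lower-cased and stripped of a trailing dot so that
    'WWW.Example.COM.' and 'www.example.com' count as one entry."""
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        yield name, m.group("type")


def rank_queries(entries, top=10, skip_reverse=True):
    """Most frequent (name, type) pairs, ties broken by name then type.
    Reverse lookups are skipped by default: prefetching PTR records for
    the LAN buys nothing for the web lookups the thread is about."""
    counts = Counter()
    for name, qtype in entries:
        if skip_reverse and name.endswith(REVERSE_SUFFIXES):
            continue
        counts[(name, qtype)] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(name, qtype, n) for (name, qtype), n in ranked[:top]]


def prewarm_commands(ranked, resolver="127.0.0.1"):
    """One dig invocation per ranked entry, for a cron job that queries
    the resolver periodically so the popular answers stay cached."""
    return [f"dig @{resolver} {name} {qtype} +short" for name, qtype, _ in ranked]


if __name__ == "__main__":
    top = rank_queries(parse_query_log(SAMPLE_LOG.splitlines()))
    for name, qtype, n in top:
        print(f"{n:6d}  {name} {qtype}")
    print("\n".join(prewarm_commands(top)))
```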


Re: mutual forwarders in ISC BIND

2011-12-28 Thread Victor Sudakov
Peter Andreev wrote:
> >>
> >> > Victor, we researched this topic and learned that response time highly
> >> > depends on distance between user and resolver, while cache influence
> >> > on this value is lesser.
> >> > So I advise you to keep all as is.
> >>
> >> Be it so. Thank you.
> >
> > And the reason for the whole thread. One of the customers told me that
> > 8.8.8.8 is faster than our own DNS servers which are located on the
> > same 100 MBit/s LAN with them. I was shocked but it seems true, at
> > least for the answers which are not yet cached.
> 
> I don't know what software google uses on its resolvers, but I suppose
> something with shared or synchronizing cache. Maybe they also make
> preventive lookups on popular domains to fill this cache. And the
> reason why 8.8.8.8 seems faster - it answered from cache while your
> resolver made full lookup chain.

Duh! That is why I started thinking about some cache synchronizing
technique for my resolvers.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: mutual forwarders in ISC BIND

2011-12-28 Thread Peter Andreev
2011/12/29 Victor Sudakov :
> Victor Sudakov wrote:
>>
>> > Victor, we researched this topic and learned that response time highly
>> > depends on distance between user and resolver, while cache influence
>> > on this value is lesser.
>> > So I advise you to keep all as is.
>>
>> Be it so. Thank you.
>
> And the reason for the whole thread. One of the customers told me that
> 8.8.8.8 is faster than our own DNS servers which are located on the
> same 100 MBit/s LAN with them. I was shocked but it seems true, at
> least for the answers which are not yet cached.

I don't know what software google uses on its resolvers, but I suppose
something with a shared or synchronizing cache. Maybe they also make
preventive lookups on popular domains to fill this cache. And the
reason why 8.8.8.8 seems faster - it answered from cache while your
resolver made the full lookup chain.

>
> --
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:suda...@sibptus.tomsk.ru



-- 
--
AP


Re: mutual forwarders in ISC BIND

2011-12-28 Thread Kevin Wilcox
On Dec 28, 2011 9:26 PM, "Victor Sudakov"  wrote:

> And the reason for the whole thread. One of the customers told me that
> 8.8.8.8 is faster than our own DNS servers which are located on the
> same 100 MBit/s LAN with them. I was shocked but it seems true, at
> least for the answers which are not yet cached.

That actually makes perfect sense. That's one of the Google DNS IP
addresses and they see a LOT of traffic, they're probably going to have the
majority of the domains your clients want to look up (assuming your clients
are like mine and most of their lookups are general web traffic) already in
cache - your servers will need to go through the whole lookup process.

Still, after a day or two of use, I would think your servers would have the
bulk of what they needed in their caches. You may want to enable logging to
see which domains are being looked up (if it won't break any applicable
laws or policies) and do some spot-checks to see why they may not be in
your cache.

kmw


Re: mutual forwarders in ISC BIND

2011-12-28 Thread Victor Sudakov
Victor Sudakov wrote:
> 
> > Victor, we researched this topic and learned that response time highly
> > depends on distance between user and resolver, while cache influence
> > on this value is lesser.
> > So I advise you to keep all as is.
> 
> Be it so. Thank you.

And the reason for the whole thread. One of the customers told me that
8.8.8.8 is faster than our own DNS servers which are located on the
same 100 MBit/s LAN with them. I was shocked but it seems true, at
least for the answers which are not yet cached.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: mutual forwarders in ISC BIND

2011-12-28 Thread Victor Sudakov
Peter Andreev wrote:

[dd]

> Victor, we researched this topic and learned that response time highly
> depends on distance between user and resolver, while cache influence
> on this value is lesser.
> So I advise you to keep all as is.

Be it so. Thank you.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: mutual forwarders in ISC BIND

2011-12-28 Thread Victor Sudakov
Damien Fleuriot wrote:
> 
> 
> >>
> >> If you're trying to build up a cache to improve performance and response
> >> time, here's your scenario:
> >>
> >> DNS C, forward to DNS A,B for all queries
> >> DNS D, forward to DNS B,A for all queries
> >>
> >> Your cache will start building up and only responses that are not cached
> >> will be taken from your NS A and B servers.
> > 
> > Sorry, I fail to see how this is any better than two independent DNS
> > servers. Perhaps a variant like
> > 
> > DNS C, forward to DNS A 
> > DNS D, forward to DNS A 
> > 
> > would be close to the goal of cache consolidation.
> > 
> 
> DNS A suffers an outage ; you're fucked, to put it bluntly.

Nope. DNS C and D will do the queries on their own. I don't suggest a
"forward only" setup. I just want the servers to share the cache.

[dd]

> 
> On a side note, have you considered unbound ?
> 
> It may be better suited to your needs and scale.

I would read a comparison of BIND and Unbound with great interest. Do
you perchance have a link?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


mutual forwarders in ISC BIND

2011-12-28 Thread Peter Andreev
2011/12/28 Damien Fleuriot :
>
>
> On 12/28/11 2:07 PM, Victor Sudakov wrote:
>> Damien Fleuriot wrote:
>>>
>>> If you're trying to build up a cache to improve performance and response
>>> time, here's your scenario:
>>>
>>> DNS C, forward to DNS A,B for all queries
>>> DNS D, forward to DNS B,A for all queries
>>>
>>> Your cache will start building up and only responses that are not cached
>>> will be taken from your NS A and B servers.
>>
>> Sorry, I fail to see how this is any better than two independent DNS
>> servers. Perhaps a variant like
>>
>> DNS C, forward to DNS A
>> DNS D, forward to DNS A
>>
>> would be close to the goal of cache consolidation.
>>
>
> DNS A suffers an outage ; you're fucked, to put it bluntly.

BIND can be configured to deal with such troubles.  But still Victor's
idea isn't very good, first of all because response time increases when
using forwarders.

Victor, we researched this topic and learned that response time highly
depends on the distance between user and resolver, while the cache's influence
on this value is smaller.
So I advise you to keep all as is.

>
>
>> Matthew Seaman wrote:
>>>
>>> If you want to consolidate caches then probably your best bet is to have
>>> fewer, but larger resolvers.  A pretty standard server class machine
>>> dedicated to recursive DNS should be easily capable of supporting many
>>> thousands of clients.
>>
>> You are certainly right.
>>
>>>
>>> DNS is not really a fruitful target for reducing traffic volume -- there
>>> really isn't that much of it compared to all other types in any case.
>>> It's also pretty critical to the perceived performance of your networks.
>>>  Complicating and slowing down the DNS lookup path just makes everything
>>> look slow.
>>
>> I just wanted the servers to benefit from each other's caches. That
>> could speed up the lookups.
>>
>>
>
> On a side note, have you considered unbound ?
>
> It may be better suited to your needs and scale.



--
--
AP




Re: mutual forwarders in ISC BIND

2011-12-28 Thread Damien Fleuriot


On 12/28/11 2:07 PM, Victor Sudakov wrote:
> Damien Fleuriot wrote:
>>
>> If you're trying to build up a cache to improve performance and response
>> time, here's your scenario:
>>
>> DNS C, forward to DNS A,B for all queries
>> DNS D, forward to DNS B,A for all queries
>>
>> Your cache will start building up and only responses that are not cached
>> will be taken from your NS A and B servers.
> 
> Sorry, I fail to see how this is any better than two independent DNS
> servers. Perhaps a variant like
> 
> DNS C, forward to DNS A 
> DNS D, forward to DNS A 
> 
> would be close to the goal of cache consolidation.
> 

DNS A suffers an outage ; you're fucked, to put it bluntly.


> Matthew Seaman wrote:
>>
>> If you want to consolidate caches then probably your best bet is to have
>> fewer, but larger resolvers.  A pretty standard server class machine
>> dedicated to recursive DNS should be easily capable of supporting many
>> thousands of clients.
> 
> You are certainly right.
> 
>>
>> DNS is not really a fruitful target for reducing traffic volume -- there
>> really isn't that much of it compared to all other types in any case.
>> It's also pretty critical to the perceived performance of your networks.
>>  Complicating and slowing down the DNS lookup path just makes everything
>> look slow.
> 
> I just wanted the servers to benefit from each other's caches. That
> could speed up the lookups.
> 
> 

On a side note, have you considered unbound ?

It may be better suited to your needs and scale.


Re: mutual forwarders in ISC BIND

2011-12-28 Thread Victor Sudakov
Damien Fleuriot wrote:
> 
> If you're trying to build up a cache to improve performance and response
> time, here's your scenario:
> 
> DNS C, forward to DNS A,B for all queries
> DNS D, forward to DNS B,A for all queries
> 
> Your cache will start building up and only responses that are not cached
> will be taken from your NS A and B servers.

Sorry, I fail to see how this is any better than two independent DNS
servers. Perhaps a variant like

DNS C, forward to DNS A 
DNS D, forward to DNS A 

would be close to the goal of cache consolidation.

Matthew Seaman wrote:
> 
> If you want to consolidate caches then probably your best bet is to have
> fewer, but larger resolvers.  A pretty standard server class machine
> dedicated to recursive DNS should be easily capable of supporting many
> thousands of clients.

You are certainly right.

> 
> DNS is not really a fruitful target for reducing traffic volume -- there
> really isn't that much of it compared to all other types in any case.
> It's also pretty critical to the perceived performance of your networks.
>  Complicating and slowing down the DNS lookup path just makes everything
> look slow.

I just wanted the servers to benefit from each other's caches. That
could speed up the lookups.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: mutual forwarders in ISC BIND

2011-12-28 Thread Matthew Seaman
On 28/12/2011 07:54, Victor Sudakov wrote:
> This question is not directly related to FreeBSD, but perhaps some
> network administrators reading this list know the answer.
> 
> Can I setup several ISC BIND servers to be each other's mutual forwarders?
> Will it work or create an endless loop of DNS queries?
> 
> I have customers using several DNS servers as recursive resolvers. The
> usage pattern is pretty much equal between all the servers. What I
> want is create a cache common to all the recursive servers to reduce
> traffic and response time (much like squid siblings work). 

Hmmm... I've a feeling that the end result will be a forwarding loop
as you suspect, although eventually your resolvers will go and do the
lookup correctly and return the answers.  That will probably add quite a
lot to the latency of cache misses and on the whole not help at all.
This is not a configuration I've ever heard of in use successfully,
which might be a clue as to its efficacy and desirability.

DNS delays are almost always due to one or more of the nameservers
listed in resolv.conf being uncommunicative.  Or because there's a dumb
firewall between the client and the resolver or between the resolver and
the rest of the net that does stupid things like assume that DNS packets
are limited to 512 bytes -- so blocking EDNS0 and forcing the resolver
to eventually fall back to using TCP.  [Cisco, I'm looking at you...]
You can use tcpdump or wireshark to capture DNS traffic and diagnose
this sort of problem, plus bind will log information about problems with
EDNS0 packet sizes.  Also this:

https://www.dns-oarc.net/oarc/services/replysizetest

If you want to consolidate caches then probably your best bet is to have
fewer, but larger resolvers.  A pretty standard server class machine
dedicated to recursive DNS should be easily capable of supporting many
thousands of clients.

DNS is not really a fruitful target for reducing traffic volume -- there
really isn't that much of it compared to all other types in any case.
It's also pretty critical to the perceived performance of your networks.
 Complicating and slowing down the DNS lookup path just makes everything
look slow.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW



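Matthew's point above, that a firewall which assumes DNS fits in 512 bytes will drop or truncate EDNS0 replies and force the resolver back to TCP, can be probed directly from a host on either side of the suspect box, without depending on the DNS-OARC service. The following is an added example, not code from the thread or from BIND: it builds a query carrying an EDNS0 OPT record that advertises a 4096-byte UDP buffer, walks the reply to read the TC bit, the size and whether the server echoed an OPT record, and classifies the outcome. The server address, the query name `bigtxt.example.` and the constructed sample reply used for offline testing are assumptions.

```python
import socket
import struct

TYPE_TXT, TYPE_OPT = 16, 41


def encode_name(qname):
    """Encode 'a.example.' as uncompressed DNS labels."""
    labels = [lb for lb in qname.rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(qname, qtype=TYPE_TXT, txid=0x1234, bufsize=4096):
    """DNS query with RD set plus one EDNS0 OPT RR advertising `bufsize` bytes of UDP payload."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE=41, CLASS=requestor's UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0, 0)
    return header + question + opt


def _skip_name(pkt, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(pkt):
    """Walk the header, question and every RR; report TC, rcode, size and EDNS0 presence."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4                       # QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "size": len(pkt), "edns": TYPE_OPT in types, "answers": an}


def classify(resp):
    """Map a parsed reply (or None for a timeout) to what it says about the path."""
    if resp is None:
        return "no UDP reply: a middlebox is likely dropping EDNS0 or >512-byte datagrams"
    if resp["tc"]:
        return "truncated reply: the resolver will retry over TCP; check that TCP/53 is open"
    if resp["size"] > 512:
        return "large UDP reply received: the EDNS0 path is clean"
    return "small reply: inconclusive, query a name with a bigger answer"


def probe(server, qname, bufsize=4096, timeout=3.0):
    """Send the EDNS0 query over UDP; return the parsed reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, bufsize=bufsize), (server, 53))
        try:
            data, _ = s.recvfrom(bufsize)
        except socket.timeout:
            return None
    return parse_response(data)


def sample_response(qname="bigtxt.example.", txid=0x1234, tc=False, txt_len=600):
    """Constructed reply for offline testing (not captured traffic): one TXT answer
    of `txt_len` bytes, an echoed OPT RR, and optionally the TC bit set."""
    flags = 0x8180 | (0x0200 if tc else 0)               # QR, RD, RA (+TC)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, 1)
    chunks = b""                                         # TXT rdata: <len><chars> strings, max 255 each
    for i in range(0, txt_len, 255):
        n = min(255, txt_len - i)
        chunks += bytes([n]) + b"x" * n
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 300, len(chunks)) + chunks
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    # Replace with your resolver and a name that returns a large TXT record.
    print(classify(probe("192.0.2.53", "bigtxt.example.")))
```

Run it from a client behind the firewall and again from the resolver's own network segment; a timeout on one side and a large reply on the other points at the middlebox, and the EDNS size messages named logs will corroborate it.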


Re: mutual forwarders in ISC BIND

2011-12-28 Thread Damien Fleuriot


On 12/28/11 8:54 AM, Victor Sudakov wrote:
> Colleagues,
> 
> This question is not directly related to FreeBSD, but perhaps some
> network administrators reading this list know the answer.
> 
> Can I setup several ISC BIND servers to be each other's mutual forwarders?
> Will it work or create an endless loop of DNS queries?
> 
> I have customers using several DNS servers as recursive resolvers. The
> usage pattern is pretty much equal between all the servers. What I
> want is create a cache common to all the recursive servers to reduce
> traffic and response time (much like squid siblings work). 
> 
> Thank you for any input.
> 


If your planned setup is:

DNS A, forward to DNS B on query fail
DNS B, forward to DNS A on query fail

Then this will indeed create a loop in case a query cannot be answered
by both servers.

Also, you won't want to do that.



If you're trying to build up a cache to improve performance and response
time, here's your scenario:

DNS C, forward to DNS A,B for all queries
DNS D, forward to DNS B,A for all queries

Your cache will start building up and only responses that are not cached
will be taken from your NS A and B servers.
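The two layouts Damien sketches above (A and B forwarding to each other on failure, versus C and D forwarding to A and B), together with Victor's later point earlier on this page that without "forward only" C and D still resolve on their own when A is down, can be checked with a small model of BIND's forwarding behaviour. This is an added example, not code from the thread or from BIND: it treats `forward first` as "try the forwarders in order, then recurse yourself" and `forward only` as "never recurse yourself", uses a hop limit as a stand-in for the query timeout, and the resolver and query names are made up.

```python
from dataclasses import dataclass, field


@dataclass
class Resolver:
    """One recursive server. `forwarders` are tried in order, like a named.conf
    'forwarders { ... };' list; `forward_only` mirrors 'forward only;'."""
    name: str
    forwarders: list = field(default_factory=list)
    forward_only: bool = False
    down: bool = False                          # simulate an outage of this server
    cache: set = field(default_factory=set)


class Topology:
    def __init__(self, *resolvers, max_hops=8):
        self.servers = {r.name: r for r in resolvers}
        self.max_hops = max_hops                # stand-in for the query timeout
        self.upstream_queries = 0               # full recursions to the roots

    def ask(self, name, qname, hops=0):
        """Deliver qname to resolver `name`; return (answered, deepest_hop_reached)."""
        r = self.servers[name]
        if r.down:
            return False, hops
        if qname in r.cache:
            return True, hops
        if hops >= self.max_hops:
            return False, hops                  # passed around until the timeout
        deepest = hops
        for fwd in r.forwarders:
            ok, used = self.ask(fwd, qname, hops + 1)
            deepest = max(deepest, used)
            if ok:
                r.cache.add(qname)
                return True, deepest
        if r.forward_only:
            return False, deepest               # 'forward only': give up
        self.upstream_queries += 1              # 'forward first': recurse ourselves
        r.cache.add(qname)
        return True, deepest


def forwarding_cycles(servers):
    """Static check of the forwarder graph: one tuple per cyclic node set.
    A cycle costs a full timeout per cache miss under 'forward first' and is a
    dead end under 'forward only' once nobody in it has the answer cached."""
    found, path = [], []

    def dfs(node):
        if node in path:
            found.append(tuple(path[path.index(node):]))
            return
        path.append(node)
        for nxt in servers[node].forwarders:
            dfs(nxt)
        path.pop()

    for start in servers:
        dfs(start)
    seen, unique = set(), []
    for cyc in found:
        if frozenset(cyc) not in seen:
            seen.add(frozenset(cyc))
            unique.append(cyc)
    return unique


if __name__ == "__main__":
    # The looping layout from the thread: A and B point at each other.
    a, b = Resolver("A", ["B"], forward_only=True), Resolver("B", ["A"], forward_only=True)
    loop = Topology(a, b)
    print("cycles:", forwarding_cycles(loop.servers))
    print("A answers under 'forward only'?", loop.ask("A", "www.example."))
    # The recommended layout: C and D forward to A and B, which recurse themselves.
    a, b = Resolver("A"), Resolver("B")
    c, d = Resolver("C", ["A", "B"]), Resolver("D", ["B", "A"])
    tiered = Topology(a, b, c, d)
    print("C:", tiered.ask("C", "www.example."), "D:", tiered.ask("D", "www.example."))
    print("root lookups:", tiered.upstream_queries)
```

The `upstream_queries` counter is the quantity Victor wants to cut: in the C/D layout it stays at one per name only if both forward to the same server first, which is exactly the single point of failure Damien objects to, and the `down` flag shows that `forward first` is what lets C and D survive it.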


mutual forwarders in ISC BIND

2011-12-27 Thread Victor Sudakov
Colleagues,

This question is not directly related to FreeBSD, but perhaps some
network administrators reading this list know the answer.

Can I setup several ISC BIND servers to be each other's mutual forwarders?
Will it work or create an endless loop of DNS queries?

I have customers using several DNS servers as recursive resolvers. The
usage pattern is pretty much equal between all the servers. What I
want is create a cache common to all the recursive servers to reduce
traffic and response time (much like squid siblings work). 

Thank you for any input.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: Replacing FreeBSD Base System's BIND

2011-12-16 Thread Iqbal Aroussi
Hi Matthew,

thanks a lot for your detailed reply. As I will be using BIND for standard
tasks (regular SOA for domain names, no domain keys or DNSSEC), I think
I'll stick with the version that comes pre-installed.

Best Regards

--
Iqbal Aroussi
+212 665 025 032
iq...@aroussi.name





On Fri, Dec 16, 2011 at 12:22, Matthew Seaman <
m.sea...@infracaninophile.co.uk> wrote:

> On 16/12/2011 10:04, Iqbal Aroussi wrote:
> > After installing FreeBSD 8.2, I noticed it's using BIND 9.6 but in the ports
> > collection there are newer versions 9.7 and 9.8.
> > I'd like to know if there are any advantages in upgrading BIND to 9.8
> > instead of using the base install version.
> > I'd really appreciate if you can give me some hints of the best way to do
> > it for future needs while retaining all the advantages
> > of the base install configuration.
> > I found this article on the net
> > "http://static.closedsrc.org/articles/dn-articles/bind9.html" but it seems
> > to be outdated
> >
> > PS: I'm a new FreeBSD convert coming from the Linux world :)
>
> It depends what you're using bind for.
>
> If you are serving domains to the public in something more than a
> trivial way, then yes, using the latest ports version is recommended.
>
> Otherwise, there's little to choose one way versus the other.  Using the
> base system bind is less effort, and you'll get automatic patching of
> any significant problems assuming you're keeping the system up to date
> by any of the recognised methods.
>
> Also, if you do choose to use the ports version, to keep things simple,
> I'd recommend not *replacing* the base system bind.  This means you'll
> still be able to use services like freebsd-update(8) without any hassle.
>  Simply install the ports version dns/bind98 under /usr/local, and then
> something like this in your /etc/rc.conf will switch to using that
> version.  Note -- still uses the standard /etc/rc.d/named startup script.
>
> named_enable="YES"
> named_program="/usr/local/sbin/named"
>
> You'll tend to get the base system version of applications like dig(1)
> with this unless you tweak $PATH or some such.  However, there's very
> little difference between the client-side apps in recent bind versions,
> and if you do happen to run into an area where there are significant
> changes, all you need to do is run /usr/local/bin/dig instead.
>
>Cheers,
>
>Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
>  Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
> JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW
>
>


Re: Replacing FreeBSD Base System's BIND

2011-12-16 Thread Matthew Seaman
On 16/12/2011 10:04, Iqbal Aroussi wrote:
> After installing FreeBSD 8.2, I noticed it's using BIND 9.6 but in the ports
> collection there are newer versions 9.7 and 9.8.
> I'd like to know if there are any advantages in upgrading BIND to 9.8
> instead of using the base install version.
> I'd really appreciate if you can give me some hints of the best way to do
> it for future needs while retaining all the advantages
> of the base install configuration.
> I found this article on the net
> "http://static.closedsrc.org/articles/dn-articles/bind9.html" but it seems
> to be outdated
> 
> PS: I'm a new FreeBSD convert coming from the Linux world :)

It depends what you're using bind for.

If you are serving domains to the public in something more than a
trivial way, then yes, using the latest ports version is recommended.

Otherwise, there's little to choose one way versus the other.  Using the
base system bind is less effort, and you'll get automatic patching of
any significant problems assuming you're keeping the system up to date
by any of the recognised methods.

Also, if you do choose to use the ports version, to keep things simple,
I'd recommend not *replacing* the base system bind.  This means you'll
still be able to use services like freebsd-update(8) without any hassle.
 Simply install the ports version dns/bind98 under /usr/local, and then
something like this in your /etc/rc.conf will switch to using that
version.  Note -- still uses the standard /etc/rc.d/named startup script.

named_enable="YES"
named_program="/usr/local/sbin/named"

You'll tend to get the base system version of applications like dig(1)
with this unless you tweak $PATH or some such.  However, there's very
little difference between the client-side apps in recent bind versions,
and if you do happen to run into an area where there are significant
changes, all you need to do is run /usr/local/bin/dig instead.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW





Replacing FreeBSD Base System's BIND

2011-12-16 Thread Iqbal Aroussi
Hi,

After installing FreeBSD 8.2, I noticed it's using BIND 9.6 but in the ports
collection there are newer versions 9.7 and 9.8.
I'd like to know if there are any advantages in upgrading BIND to 9.8
instead of using the base install version.
I'd really appreciate if you can give me some hints of the best way to do
it for future needs while retaining all the advantages
of the base install configuration.
I found this article on the net
"http://static.closedsrc.org/articles/dn-articles/bind9.html" but it seems
to be outdated

PS: I'm a new FreeBSD convert coming from the Linux world :)

--
Iqbal Aroussi
+212 665 025 032
iq...@aroussi.name


Re: BIND and LDAP support

2011-12-08 Thread Kernel Panic
Hello, thanks for replying.

Regarding building BIND, are you sure the setting should go in
make.conf and not src.conf - here is the relevant text from the
src.conf man page:

"WITHOUT_BIND
 Setting this variable will prevent any part of BIND from being
 built.  When set, it also enforces the following options:

 WITHOUT_BIND_DNSSEC
 WITHOUT_BIND_ETC
 WITHOUT_BIND_LIBS_LWRES
 WITHOUT_BIND_MTREE
 WITHOUT_BIND_NAMED
 WITHOUT_BIND_UTILS"

Thank you for the web link for the DLZ driver, however I had already
seen it; my confusion is what is the difference between BIND built
with the DLZ LDAP driver and BIND built with the 'sdb' (simplified
database interface) option as specified in
http://bind9-ldap.bayour.com/ and as built in the dns/bind97-sdb port?

If these are two different ways for BIND to use LDAP, which one should I choose?

Thanks.


On 7 December 2011 20:04, Damien Fleuriot  wrote:
> On 12/7/11 8:15 PM, Kernel Panic wrote:
>> Apologies if this is not the appropriate list but I can't seem to find
>> one pertaining to the installation and configuration of BIND. I posted
>> the following message on the FreeBSD forums a few weeks back but have
>> had no replies, so I thought I'd try here on the lists:
>>
>> System: FreeBSD 8.2-RELEASE 64-bit
>>
>> Hello, I'm going to attempt to install the latest BIND port
>> (dns/bind98) and have a couple of questions about the available
>> install options:
>>
>> WITH_REPLACE_BASE=true
>>
>> Does this delete the base BIND version and if so would I need to edit
>> src.conf to tell the compiler not to reinstall base BIND when I do a
>> buildworld cycle?
>>
>> WITH_DLZ_LDAP=true
>>
>> Does this actually enable LDAP backend support or is it something
>> else? The reason I ask is because there seems to be a separate port
>> for BIND LDAP support but it's for an older version of BIND
>> (dns/bind97-sdb)
>>
>> Thanks for any assistance.
>
>
> Hi,
>
>
> Regarding WITH_REPLACE_BASE, yes, this will make "make install" install
> the files in place of the base system's ones, as opposed to in /usr/local/ .
>
>
> If you do this, you will indeed want to add the following to your
> /etc/make.conf :
> NO_BIND= true
>
>
> Regarding your LDAP question, I'm still at work and it's 9PM so I'm a
> bit in a rush, but a quick google search turned up the following:
> http://bind-dlz.sourceforge.net/ldap_driver.html
>
>
> Regards,


Re: BIND and LDAP support

2011-12-07 Thread Damien Fleuriot
On 12/7/11 8:15 PM, Kernel Panic wrote:
> Apologies if this is not the appropriate list but I can't seem to find
> one pertaining to the installation and configuration of BIND. I posted
> the following message on the FreeBSD forums a few weeks back but have
> had no replies, so I thought I'd try here on the lists:
> 
> System: FreeBSD 8.2-RELEASE 64-bit
> 
> Hello, I'm going to attempt to install the latest BIND port
> (dns/bind98) and have a couple of questions about the available
> install options:
> 
> WITH_REPLACE_BASE=true
> 
> Does this delete the base BIND version and if so would I need to edit
> src.conf to tell the compiler not to reinstall base BIND when I do a
> buildworld cycle?
> 
> WITH_DLZ_LDAP=true
> 
> Does this actually enable LDAP backend support or is it something
> else? The reason I ask is because there seems to be a separate port
> for BIND LDAP support but it's for an older version of BIND
> (dns/bind97-sdb)
> 
> Thanks for any assistance.


Hi,


Regarding WITH_REPLACE_BASE, yes, this will make "make install" install
the files in place of the base system's ones, as opposed to in /usr/local/ .


If you do this, you will indeed want to add the following to your
/etc/make.conf :
NO_BIND= true


Regarding your LDAP question, I'm still at work and it's 9PM so I'm a
bit in a rush, but a quick google search turned up the following:
http://bind-dlz.sourceforge.net/ldap_driver.html


Regards,


BIND and LDAP support

2011-12-07 Thread Kernel Panic
Apologies if this is not the appropriate list but I can't seem to find
one pertaining to the installation and configuration of BIND. I posted
the following message on the FreeBSD forums a few weeks back but have
had no replies, so I thought I'd try here on the lists:

System: FreeBSD 8.2-RELEASE 64-bit

Hello, I'm going to attempt to install the latest BIND port
(dns/bind98) and have a couple of questions about the available
install options:

WITH_REPLACE_BASE=true

Does this delete the base BIND version and if so would I need to edit
src.conf to tell the compiler not to reinstall base BIND when I do a
buildworld cycle?

WITH_DLZ_LDAP=true

Does this actually enable LDAP backend support or is it something
else? The reason I ask is because there seems to be a separate port
for BIND LDAP support but it's for an older version of BIND
(dns/bind97-sdb)

Thanks for any assistance.


Re: BIND 9.8.1-P1 with OpenSSL 1.0.0 issues..

2011-11-23 Thread Matthew Seaman
On 23/11/2011 14:01, Jerry wrote:
> On Wed, 23 Nov 2011 13:18:45 +
> Matthew Seaman articulated:
> 
>> I've been using the attached patch with the dns/bind98 port and
>> openssl-1.0.x from ports for months.  This disables using the GOST
>> cipher plugins -- which is no big deal as far as I'm concerned.  GOST
>> ciphers are only supplied as plugin modules unlike all other ciphers
>> in openssl, which is a new thing with version 1.0.0 in ports.  It's
>> that libgost.so plugin shlib not playing well with chroot that
>> apparently causes named to crash.
> 
> Matthew, has anyone filed a PR either here or upstream regarding this
> phenomenon?

I sent my patch to Doug Barton (bind maintainer in src/ports) but he
didn't accept it.  Discussions I've seen around this are that the
OpenSSL guys say that it's not a bug from their side, and that bind is
doing it wrong.  I believe the ISC guys are aware but I don't know if
they have a fix in the works or not.  Possibly some advanced combination
of LDFLAGS at compile-time might sort things,  but I really have no idea.

Cheers,

Matthew


-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW





Re: BIND 9.8.1-P1 with OpenSSL 1.0.0 issues..

2011-11-23 Thread Jerry
On Wed, 23 Nov 2011 13:18:45 +
Matthew Seaman articulated:

> I've been using the attached patch with the dns/bind98 port and
> openssl-1.0.x from ports for months.  This disables using the GOST
> cipher plugins -- which is no big deal as far as I'm concerned.  GOST
> ciphers are only supplied as plugin modules unlike all other ciphers
> in openssl, which is a new thing with version 1.0.0 in ports.  It's
> that libgost.so plugin shlib not playing well with chroot that
> apparently causes named to crash.

Matthew, has anyone filed a PR either here or upstream regarding this
phenomenon?

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__



Re: BIND 9.8.1-P1 with OpenSSL 1.0.0 issues..

2011-11-23 Thread James Edwards
On Wed, November 23, 2011 08:18, Matthew Seaman wrote:

> I've been using the attached patch with the dns/bind98 port and
> openssl-1.0.x from ports for months.  This disables using the GOST
> cipher plugins -- which is no big deal as far as I'm concerned.  GOST
> ciphers are only supplied as plugin modules unlike all other ciphers in
> openssl, which is a new thing with version 1.0.0 in ports.  It's that
> libgost.so plugin shlib not playing well with chroot that apparently
> causes named to crash.
>
>   Cheers,
>
>   Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
>   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
> JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW
>

You, sir, are correct about the chroot. Bind 9.8.1 and OpenSSL 1.0.0 don't
play nicely in a chroot environment.  This also isn't limited to FreeBSD,
as I experienced the problem on Solaris 10.

James




Re: BIND 9.8.1-P1 with OpenSSL 1.0.0 issues..

2011-11-23 Thread Matthew Seaman
On 23/11/2011 12:53, Howard Leadmon wrote:
>   I just ran through on one of my older FreeBSD servers, and updated from
> BIND 9.8.1 to 9.8.1-P1 to get the security patches for BIND online, and
> after doing this bind crashes.
> 
> I am seeing:
> 
> 
> Nov 23 06:35:19 named[24537]: starting BIND 9.8.1-P1 -u bind -t /var/named
> -u bind
> Nov 23 06:35:19 named[24537]: built with '--localstatedir=/var'
> '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random'
> '--with-openssl=/usr/local' '--with-libxml2=/usr/local'
> '--with-idn=/usr/local' '--with-libiconv=/usr/local'
> 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-ipv6' '--enable-threads'
> '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info/' '--build=i386-portbld-freebsd6.4'
> 'build_alias=i386-portbld-freebsd6.4' 'CC=cc' 'CFLAGS=-O2
> -fno-strict-aliasing -pipe' 'LDFLAGS= -rpath=/usr/local/lib' 'CPPFLAGS='
> 'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
> Nov 23 06:35:19 named[24537]: found 4 CPUs, using 4 worker threads
> Nov 23 06:35:19 named[24537]: using up to 4096 sockets
> Nov 23 06:35:19 named[24537]: initializing DST: openssl failure
> Nov 23 06:35:19 named[24537]: exiting (due to fatal error)
> 
> 
> Now as I knew this older machine (on my hitlist to be upgraded) and its
> supplied OpenSSL had issues of its own, I also installed the current
> OpenSSL from the ports to use, which BIND is built against.  After doing
> the update to the -P1 version, I now find that when trying to start it dies
> with the above error.

I've been using the attached patch with the dns/bind98 port and
openssl-1.0.x from ports for months.  This disables using the GOST
cipher plugins -- which is no big deal as far as I'm concerned.  GOST
ciphers are only supplied as plugin modules unlike all other ciphers in
openssl, which is a new thing with version 1.0.0 in ports.  It's that
libgost.so plugin shlib not playing well with chroot that apparently
causes named to crash.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW
--- Makefile.orig   2011-05-05 22:40:37.198878075 +0100
+++ Makefile2011-05-05 22:46:57.116962017 +0100
@@ -209,6 +209,11 @@
${WRKSRC}/bin/named/Makefile.in.Dist > \
${WRKSRC}/bin/named/Makefile.in
 
+.if defined(WITH_OPENSSL_PORT)
+post-configure:
+   ${SED} -i~ -e 's:^#define HAVE_OPENSSL_GOST.*:/* #undef 
HAVE_OPENSSL_GOST */:' ${WRKSRC}/config.h
+.endif
+
 PKGMESSAGE=${.CURDIR}/../bind97/pkg-message
 PKGINSTALL=${.CURDIR}/../bind97/pkg-install
 post-install:
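Review bot: the `${SED} -i~ -e 's:^#define HAVE_OPENSSL_GOST.*:/* #undef HAVE_OPENSSL_GOST */:' ${WRKSRC}/config.h` command in the new post-configure target has been wrapped onto two lines in transit, so the patch will not apply as pasted; the two fragments need to be rejoined into one tab-indented recipe line before use. Two smaller points on the same hunk: a `post-configure:` target declared inside `.if defined(WITH_OPENSSL_PORT)` collides with any post-configure target the port's Makefile already defines, so check for one before applying, and `sed -i~` leaves a `config.h~` backup in ${WRKSRC}, which is harmless but `-i ''` would avoid it. A one-line comment above the `.if` saying that the GOST engine is a loadable OpenSSL module that named cannot reach once chrooted, which is why the define is removed, would save the next maintainer the archaeology.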




BIND 9.8.1-P1 with OpenSSL 1.0.0 issues..

2011-11-23 Thread Howard Leadmon

  I just ran through on one of my older FreeBSD servers, and updated from
BIND 9.8.1 to 9.8.1-P1 to get the security patches for BIND online, and
after doing this bind crashes.

I am seeing:


Nov 23 06:35:19 named[24537]: starting BIND 9.8.1-P1 -u bind -t /var/named
-u bind
Nov 23 06:35:19 named[24537]: built with '--localstatedir=/var'
'--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random'
'--with-openssl=/usr/local' '--with-libxml2=/usr/local'
'--with-idn=/usr/local' '--with-libiconv=/usr/local'
'STD_CDEFINES=-DDIG_SIGCHASE=1' '--enable-ipv6' '--enable-threads'
'--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info/' '--build=i386-portbld-freebsd6.4'
'build_alias=i386-portbld-freebsd6.4' 'CC=cc' 'CFLAGS=-O2
-fno-strict-aliasing -pipe' 'LDFLAGS= -rpath=/usr/local/lib' 'CPPFLAGS='
'CPP=cpp' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
Nov 23 06:35:19 named[24537]: found 4 CPUs, using 4 worker threads
Nov 23 06:35:19 named[24537]: using up to 4096 sockets
Nov 23 06:35:19 named[24537]: initializing DST: openssl failure
Nov 23 06:35:19 named[24537]: exiting (due to fatal error)


Now as I knew this older machine (on my hitlist to be upgraded) and its
supplied OpenSSL had issues of its own, I also installed the current
OpenSSL from the ports to use, which BIND is built against.  After doing
the update to the -P1 version, I now find that when trying to start it dies
with the above error.

So I fired up my google-fu and found references stating I needed to get the
shared libs from the OpenSSL engines directory over into the chrooted
/var/named directory, so this I did:

/var/named/usr:
local

/var/named/usr/local:
lib

/var/named/usr/local/lib:
engines

/var/named/usr/local/lib/engines:
lib4758cca.so   libcapi.so  libgmp.so   libpadlock.so
libaep.so   libchil.so  libgost.so  libsureware.so
libatalla.solibcswift.solibnuron.so libubsec.so


Again I tried to start named, but no love.  So I tried starting it
without the chroot environment, and sure enough it worked fine!  As
another test, I backed out the OpenSSL 1.0.0 port, and recompiled bind98 and
tried starting in a chroot under the OS supplied OpenSSL 0.9.7, and that
also started up just fine!

So at this point, I had to run without chroot, and have a current OpenSSL
which I think I may need as I am doing DNSSEC, or I can back off to the OS
supplied ancient version of SSL and then have a working chroot.  Not sure
what is up with this, but if anyone has any hints or tips on how to resolve
this issue, I would sure be thankful for the pointers.  Not sure why this
all of a sudden decided to break, but it was sure driving me up a wall for a
bit today..


---
Howard Leadmon 






Re: Help with Bind Weirdness & Logging

2011-08-06 Thread Tony

DD-WRT.COM  !!!  Stock linksys firmware sucks, go check out the dd-wrt
project, you will not be disappointed!
http://www.dd-wrt.com/phpBB2/viewforum.php?f=1
http://dd-wrt.com/wiki/index.php/Linksys_E3000
- Original Message - 
From: "Drew Tomlinson" 

To: "FreeBSD" 
Cc: "Jerry" 
Sent: Friday, August 05, 2011 2:30 PM
Subject: Re: Help with Bind Weirdness & Logging



On 8/5/2011 10:55 AM, Jerry wrote:

On Fri, 05 Aug 2011 10:25:13 -0700
Drew Tomlinson articulated:


On 8/5/2011 9:40 AM, Mark Felder wrote:

On Fri, 05 Aug 2011 11:15:21 -0500, Drew Tomlinson
  wrote:

Just recently, I noticed that my server can't resolve for some
names.  The ones I've noticed are for Microsoft domains,
specifically go.microsoft.com and time.windows.com.  For example:


What kind of firewall stuff are you doing? Is it possible you're
dropping the DNS
replies when they're TCP? This happens when the reply is a certain
size.

Thanks Mark.  That may have something to do with it.  I upgraded my
wireless router to a Linksys E3000 a couple of days ago which is also
my "firewall".  This thing is a piece of crap!  Lots of weirdness
regarding port forwarding.  Some works.  Some doesn't.  Tech support
is worthless.  I'm going to take it back and exchange for another.
Hopefully a new one will work right.

Anyway, put my previous router/firewall back in place and now my DNS
server is able to resolve.  Thus the firewalling thing was likely the
problem.

Any ideas on how to get Bind logging going?

I have experience with both the E3200 and E4200 models. I have not
worked with an E3000 before though. In any case, they are both
Wireless-N routers. FreeBSD does not play well with "N" wireless
devices. In any case, have you tried doing a hard reset of the router
and then rebooting it and then you system?

In regards to tech support, at least in my experience with Linksys, if
you don't ask a specific question you are not going to get anywhere. I
have found e-mail support to be better or even the live support if
available. In any case, you can and I have requested a new support
representative and have received one. Sometimes it is just the
individual whom you are talking to cannot understand the question
correctly.


Thank you Jerry.  In my case, the FreeBSD boxes are hard wired so I don't
think this will be a problem.  I use the wireless for two Windows laptops,
a Lexmark printer, and a Motorola Droid X.

My specific issues with the E3000 were that even though remote management
was properly configured and enabled, I could not access it remotely via
https.  I even tried disabling the SPI firewall with no success.  Also in
the single port forwarding, I had enabled the predefined SMTP service to
point to my FreeBSD box on my local LAN.  This worked.  However I also
enabled the predefined HTTP service to the same FreeBSD box and it
wouldn't work.  Additionally, I tried to forward some other ports as well
like PPTP and IMAP/IMAPS but those wouldn't forward either.  Using a
packet sniffer on the PC on the Internet, I could see SYN packets leaving
my PC but no ACKs returning.  This same PC had no problems accessing all
defined services with the old router in place.

I had tried what I thought was a hard reset by pressing the reset button
on the back of the e3000 and then reconfiguring.  No luck.  However I just
read about a "30-30-30" reset on the DD-WRT wiki where you hold the reset
for 30 sec, then power off for 30 sec, and then power on with reset
pressed for another 30 sec.  I'll try that when I get home.  Otherwise
this thing is going back to the store!

Do you have any further suggestions?

Cheers,

Drew

--
Like card tricks?

Visit The Alchemist's Warehouse to
learn card magic secrets for free!

http://alchemistswarehouse.com




Re: Help with Bind Weirdness & Logging

2011-08-05 Thread Jerry
On Fri, 05 Aug 2011 11:30:39 -0700
Drew Tomlinson articulated:

> Thank you Jerry.  In my case, the FreeBSD boxes are hard wired so I 
> don't think this will be a problem.  I use the wireless for two
> Windows laptops, a Lexmark printer, and a Motorola Droid X.
> 
> My specific issues with the E3000 were that even though remote 
> management was properly configured and enabled, I could not access it 
> remotely via https.  I even tried disabling the SPI firewall with no 
> success.  Also in the single port forwarding, I had enabled the 
> predefined SMTP service to point to my FreeBSD box on my local LAN.  
> This worked.  However I also enabled the predefined HTTP service to
> the same FreeBSD box and it wouldn't work.  Additionally, I tried to
> forward some other ports as well like PPTP and IMAP/IMAPS but those
> wouldn't forward either.  Using a packet sniffer on the PC on the
> Internet, I could see SYN packets leaving my PC but no ACKs
> returning.  This same PC had no problems accessing all defined
> services with the old router in place.
> 
> I had tried what I thought was a hard reset by pressing the reset
> button on the back of the e3000 and then reconfiguring.  No luck.
> However I just read about a "30-30-30" reset on the DD-WRT wiki where
> you hold the reset for 30 sec, then power off for 30 sec, and then
> power on with reset pressed for another 30 sec.  I'll try that when I
> get home. Otherwise this thing is going back to the store!
> 
> Do you have any further suggestions?

Off hand, no. I am assuming that you turned on https remote access in
the router. Did you actually confirm that? I would suggest that you
re-access your router and check it. If it is turned on, turn it off and
save the setting then exit. Now reenter the router, re-enable the
setting and save it. Now exit again. I have seen all types of devices,
and I am sure you have also, that need to be "tricked" into working
correctly.

Did you configure the router to reserve the IP address of the FreeBSD
box? If not, that could be a problem. I have seen it before. I am sure
you have; however, are you absolutely sure you have the right IP
addresses configured?

Is "DMZ" turned on? If it is set to the FreeBSD box, turn off any other
port forwarding to that box. If not, try turning it on and removing all
the other port forwarding settings. See if it makes any difference.

Without actually accessing the router all I can really do is guess. I
do doubt that there is really a problem with it though; however,
trying a new one might be a good idea. If possible, get the E4200
model. It is one "bad ass" router. Maybe someday FreeBSD will develop
drivers for Wireless-N devices so that you can take advantage of its
full potential.

If all else fails, create a detailed BUG report and submit it to
Linksys. It certainly cannot hurt and you might even get an answer
directly from their tech department.

One other idea, are you sure you have the latest firmware installed? It
wouldn't hurt to double check.


-- 
Jerry ✌
jerry+f...@seibercom.net

Disclaimer: off-list followups get on-list replies or ignored.
Do not CC this poster. Please do not ignore the "Reply-To" header.

http://www.catb.org/~esr/faqs/smart-questions.html


Re: Help with Bind Weirdness & Logging

2011-08-05 Thread Mark Felder
On Fri, 05 Aug 2011 12:25:13 -0500, Drew Tomlinson  
 wrote:



Any ideas on how to get Bind logging going?


Here's how we do it.

named.conf:

logging {
    channel "my_syslog" {
        syslog daemon;
        severity info;
        //print-time yes;
        //print-severity yes;
        //print-category yes;
    };

    // below added for bind logging graphs:
    // http://www.cs.ait.ac.th/laboratory/monitor/bind/modif.shtml
    channel "querylog" {
        // this is in a chroot, so it's actually at
        // /var/named/var/log/query.log
        file "/var/log/query.log" versions 3 size 1m;
    };
    category queries { querylog; };

    // don't log things that aren't our fault:
    category lame-servers { null; };
    category update { null; };
};


syslog.conf:

*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;daemon.none	/var/log/messages

daemon.*	/var/log/daemon.log


newsyslog.conf:

/var/log/daemon.log	644  7	*	@T00  JC


This seems to work great for us. Logs are in /var/log/daemon.log and get  
rotated.
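Mark's comment that the `file` path in named.conf is relative to the chroot, and the "the working directory is not writable" error Drew quoted from his own named.log, both come down to the same check: where does the configured path land on the host, and can the uid named drops to write into that directory. The following is an added example written for this thread, not code from the thread or from BIND; the chroot, paths and uids it uses are constructed for the demonstration.

```python
"""Resolve a chrooted BIND log path to its host location and check that
the named user can write into that directory.

Added example, not from the mailing-list thread. With named chrooted to
/var/named, `file "/var/log/query.log"` means /var/named/var/log/query.log
on the host; "not writable" errors refer to the directory's permission
bits for the uid named runs as, not to the log file itself.
"""
import os
import stat
import tempfile
from pathlib import PurePosixPath


def host_path(chroot: str, path_in_chroot: str) -> str:
    """Translate an absolute path as seen inside the chroot to the host path."""
    p = PurePosixPath(path_in_chroot)
    if not p.is_absolute():
        raise ValueError("named.conf file paths must be absolute: %r" % path_in_chroot)
    # drop the leading "/" so the join does not discard the chroot prefix
    return str(PurePosixPath(chroot) / p.relative_to("/"))


def dir_writable_by(path: str, uid: int, gids) -> bool:
    """True if a process with uid/gids could create files in `path`, judged
    from ownership and mode bits (root bypasses the bits)."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:  # owner: needs w and x on the directory
        return bool(mode & stat.S_IWUSR) and bool(mode & stat.S_IXUSR)
    if st.st_gid in gids:  # group member
        return bool(mode & stat.S_IWGRP) and bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IWOTH) and bool(mode & stat.S_IXOTH)


def check_log_target(chroot: str, path_in_chroot: str, uid: int, gids) -> dict:
    """Resolve the named.conf path to the host and report whether the log's
    directory exists there and is writable by named's uid."""
    target = host_path(chroot, path_in_chroot)
    directory = os.path.dirname(target)
    if not os.path.isdir(directory):
        return {"host_path": target, "directory": directory,
                "exists": False, "writable": False}
    return {"host_path": target, "directory": directory,
            "exists": True, "writable": dir_writable_by(directory, uid, gids)}


def demo():
    """Build a throwaway chroot skeleton (constructed) and run the check for
    the directory owner, for a foreign uid, and for a missing directory."""
    with tempfile.TemporaryDirectory() as root:
        logdir = os.path.join(root, "var", "log")
        os.makedirs(logdir)
        os.chmod(logdir, 0o755)  # owner rwx, everyone else r-x only
        me = os.getuid()
        mine = check_log_target(root, "/var/log/query.log", me, [os.getgid()])
        other = check_log_target(root, "/var/log/query.log", me + 1, [])
        missing = check_log_target(root, "/var/named/log/query.log", me, [])
        return mine, other, missing


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real system, pass the chroot from rc.conf (named_chrootdir), each `file` path from the logging section, and the uid/gids of the user named runs as; a directory that exists but reports writable False is the case Drew's log line describes.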




Regards,



Mark


Re: Help with Bind Weirdness & Logging

2011-08-05 Thread Drew Tomlinson

On 8/5/2011 10:55 AM, Jerry wrote:

On Fri, 05 Aug 2011 10:25:13 -0700
Drew Tomlinson articulated:


On 8/5/2011 9:40 AM, Mark Felder wrote:

On Fri, 05 Aug 2011 11:15:21 -0500, Drew Tomlinson
  wrote:

Just recently, I noticed that my server can't resolve for some
names.  The ones I've noticed are for Microsoft domains,
specifically go.microsoft.com and time.windows.com.  For example:


What kind of firewall stuff are you doing? Is it possible you're
dropping the DNS
replies when they're TCP? This happens when the reply is a certain
size.

Thanks Mark.  That may have something to do with it.  I upgraded my
wireless router to a Linksys E3000 a couple of days ago which is also
my "firewall".  This thing is a piece of crap!  Lots of weirdness
regarding port forwarding.  Some works.  Some doesn't.  Tech support
is worthless.  I'm going to take it back and exchange for another.
Hopefully a new one will work right.

Anyway, put my previous router/firewall back in place and now my DNS
server is able to resolve.  Thus the firewalling thing was likely the
problem.

Any ideas on how to get Bind logging going?

I have experience with both the E3200 and E4200 models. I have not
worked with an E3000 before though. In any case, they are both
Wireless-N routers. FreeBSD does not play well with "N" wireless
devices. In any case, have you tried doing a hard reset of the router
and then rebooting it and then you system?

In regards to tech support, at least in my experience with Linksys, if
you don't ask a specific question you are not going to get anywhere. I
have found e-mail support to be better or even the live support if
available. In any case, you can and I have requested a new support
representative and have received one. Sometimes it is just the
individual whom you are talking to cannot understand the question
correctly.


Thank you Jerry.  In my case, the FreeBSD boxes are hard wired so I 
don't think this will be a problem.  I use the wireless for two Windows 
laptops, a Lexmark printer, and a Motorola Droid X.


My specific issues with the E3000 were that even though remote 
management was properly configured and enabled, I could not access it 
remotely via https.  I even tried disabling the SPI firewall with no 
success.  Also in the single port forwarding, I had enabled the 
predefined SMTP service to point to my FreeBSD box on my local LAN.  
This worked.  However I also enabled the predefined HTTP service to the 
same FreeBSD box and it wouldn't work.  Additionally, I tried to forward 
some other ports as well like PPTP and IMAP/IMAPS but those wouldn't 
forward either.  Using a packet sniffer on the PC on the Internet, I 
could see SYN packets leaving my PC but no ACKs returning.  This same PC 
had no problems accessing all defined services with the old router in place.


I had tried what I thought was a hard reset by pressing the reset button 
on the back of the e3000 and then reconfiguring.  No luck.  However I 
just read about a "30-30-30" reset on the DD-WRT wiki where you hold the 
reset for 30 sec, then power off for 30 sec, and then power on with 
reset pressed for another 30 sec.  I'll try that when I get home.  
Otherwise this thing is going back to the store!


Do you have any further suggestions?

Cheers,

Drew

--
Like card tricks?

Visit The Alchemist's Warehouse to
learn card magic secrets for free!

http://alchemistswarehouse.com




Re: Help with Bind Weirdness & Logging

2011-08-05 Thread Jerry
On Fri, 05 Aug 2011 10:25:13 -0700
Drew Tomlinson articulated:

> On 8/5/2011 9:40 AM, Mark Felder wrote:
> > On Fri, 05 Aug 2011 11:15:21 -0500, Drew Tomlinson 
> >  wrote:
> >> Just recently, I noticed that my server can't resolve for some 
> >> names.  The ones I've noticed are for Microsoft domains,
> >> specifically go.microsoft.com and time.windows.com.  For example:
> >>
> >
> > What kind of firewall stuff are you doing? Is it possible you're 
> > dropping the DNS
> > replies when they're TCP? This happens when the reply is a certain
> > size.
> 
> Thanks Mark.  That may have something to do with it.  I upgraded my 
> wireless router to a Linksys E3000 a couple of days ago which is also
> my "firewall".  This thing is a piece of crap!  Lots of weirdness
> regarding port forwarding.  Some works.  Some doesn't.  Tech support
> is worthless.  I'm going to take it back and exchange for another.  
> Hopefully a new one will work right.
> 
> Anyway, put my previous router/firewall back in place and now my DNS 
> server is able to resolve.  Thus the firewalling thing was likely the 
> problem.
> 
> Any ideas on how to get Bind logging going?

I have experience with both the E3200 and E4200 models. I have not
worked with an E3000 before though. In any case, they are both
Wireless-N routers. FreeBSD does not play well with "N" wireless
devices. In any case, have you tried doing a hard reset of the router
and then rebooting it and then you system?

In regards to tech support, at least in my experience with Linksys, if
you don't ask a specific question you are not going to get anywhere. I
have found e-mail support to be better or even the live support if
available. In any case, you can and I have requested a new support
representative and have received one. Sometimes it is just the
individual whom you are talking to cannot understand the question
correctly.


-- 
Jerry ✌
jerry+f...@seibercom.net

Disclaimer: off-list followups get on-list replies or ignored.
Do not CC this poster. Please do not ignore the "Reply-To" header.

http://www.catb.org/~esr/faqs/smart-questions.html


Re: Help with Bind Weirdness & Logging

2011-08-05 Thread Drew Tomlinson

On 8/5/2011 9:40 AM, Mark Felder wrote:
On Fri, 05 Aug 2011 11:15:21 -0500, Drew Tomlinson 
 wrote:
Just recently, I noticed that my server can't resolve for some 
names.  The ones I've noticed are for Microsoft domains, specifically 
go.microsoft.com and time.windows.com.  For example:




What kind of firewall stuff are you doing? Is it possible you're 
dropping the DNS

replies when they're TCP? This happens when the reply is a certain size.


Thanks Mark.  That may have something to do with it.  I upgraded my 
wireless router to a Linksys E3000 a couple of days ago which is also my 
"firewall".  This thing is a piece of crap!  Lots of weirdness regarding 
port forwarding.  Some works.  Some doesn't.  Tech support is 
worthless.  I'm going to take it back and exchange for another.  
Hopefully a new one will work right.


Anyway, put my previous router/firewall back in place and now my DNS 
server is able to resolve.  Thus the firewalling thing was likely the 
problem.


Any ideas on how to get Bind logging going?

Cheers,

Drew

--
Like card tricks?

Visit The Alchemist's Warehouse to
learn card magic secrets for free!

http://alchemistswarehouse.com




Re: Help with Bind Weirdness & Logging

2011-08-05 Thread Mark Felder
On Fri, 05 Aug 2011 11:15:21 -0500, Drew Tomlinson  
 wrote:
Just recently, I noticed that my server can't resolve for some names.   
The ones I've noticed are for Microsoft domains, specifically  
go.microsoft.com and time.windows.com.  For example:




What kind of firewall stuff are you doing? Is it possible you're dropping  
the DNS

replies when they're TCP? This happens when the reply is a certain size.


Cheers,


Mark


Help with Bind Weirdness & Logging

2011-08-05 Thread Drew Tomlinson
I'm running bind 9.3.5 and have been running some version of Bind for 
years.  The  purpose of this server is to resolve for my home LAN and to 
do regular queries for things outside my LAN.


Just recently, I noticed that my server can't resolve for some names.  
The ones I've noticed are for Microsoft domains, specifically 
go.microsoft.com and time.windows.com.  For example:


# dig go.microsoft.com

; <<>> DiG 9.3.5-P2 <<>> go.microsoft.com
;; global options:  printcmd
;; connection timed out; no servers could be reached

Yet if I ask my ISP's server, I get resolution:

# dig @66.60.130.158 go.microsoft.com

; <<>> DiG 9.3.5-P2 <<>> @66.60.130.158 go.microsoft.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40919
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;go.microsoft.com.  IN  A

;; ANSWER SECTION:
go.microsoft.com.   2364IN  CNAME   www.go.microsoft.akadns.net.
www.go.microsoft.akadns.net. 462 IN A   64.4.11.160

;; Query time: 39 msec
;; SERVER: 66.60.130.158#53(66.60.130.158)
;; WHEN: Fri Aug  5 09:02:56 2011
;; MSG SIZE  rcvd: 91

But for all other domains I've tried, DNS resolution works just fine 
from my server.  Here's an example:


# dig yahoo.com

; <<>> DiG 9.3.5-P2 <<>> yahoo.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60582
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 7, ADDITIONAL: 2

;; QUESTION SECTION:
;yahoo.com. IN  A

;; ANSWER SECTION:
yahoo.com.  21600   IN  A   69.147.125.65
yahoo.com.  21600   IN  A   72.30.2.43
yahoo.com.  21600   IN  A   98.137.149.56
yahoo.com.  21600   IN  A   209.191.122.70
yahoo.com.  21600   IN  A   67.195.160.76

;; AUTHORITY SECTION:
yahoo.com.  172800  IN  NS  ns5.yahoo.com.
yahoo.com.  172800  IN  NS  ns6.yahoo.com.
yahoo.com.  172800  IN  NS  ns8.yahoo.com.
yahoo.com.  172800  IN  NS  ns1.yahoo.com.
yahoo.com.  172800  IN  NS  ns2.yahoo.com.
yahoo.com.  172800  IN  NS  ns3.yahoo.com.
yahoo.com.  172800  IN  NS  ns4.yahoo.com.

;; ADDITIONAL SECTION:
ns6.yahoo.com.  172800  IN  A   202.43.223.170
ns8.yahoo.com.  172800  IN  A   202.165.104.22

;; Query time: 236 msec
;; SERVER: 192.168.1.4#53(192.168.1.4)
;; WHEN: Fri Aug  5 09:05:32 2011
;; MSG SIZE  rcvd: 265

So to try and diagnose this, I investigated logging.  My 
/var/named/etc/namedb/named.conf file had this default logging section:



logging {
category default { default_syslog; default_debug; };
category security{ default_syslog; default_debug; };
category xfer-in { default_syslog; default_debug; };
category xfer-out{ default_syslog; default_debug; };
category notify  { default_syslog; default_debug; };
category update  { default_syslog; default_debug; };
category update-security { default_syslog; default_debug; };
category lame-servers{ default_syslog; default_debug; };
};

But I couldn't find any logging in any of my log files like 
/var/log/messages or /var/log/all.log and there were no files in 
/var/named/var/log.  I did some Googling, commented out the above, added 
the section below, and restarted named:


logging{
  channel simple_log {
file "/var/log/named.log" versions 3 size 5m;
severity warning;
print-time yes;
print-severity yes;
print-category yes;
  };
  category default  { simple_log; };
  category network  { simple_log; };
  category queries  { simple_log; };
  category resolver { simple_log; };
  category general  { simple_log; };
};

This did create a log file called /var/named/var/log/named.log.  However 
I'm not getting much info in this log.  I only get this text upon restart:


05-Aug-2011 07:39:22.583 general: error: the working directory is not writable


What must I do to get more detailed logging that might help diagnose 
this problem?  Or better yet, what is going on with my Bind installation? ;)


Cheers,

Drew

--
Like card tricks?

Visit The Alchemist's Warehouse to
learn card magic secrets for free!

http://alchemistswarehouse.com
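Mark's suggestion in this thread, that only the names whose answers do not fit in a UDP datagram fail when a firewall drops DNS over TCP, rests on the TC (truncation) bit in the DNS header: a reply with TC=1 tells the resolver to repeat the question over TCP/53. The following is an added example, not code from the thread or from BIND, that builds a query, parses the header flags, and does the UDP-then-TCP fallback a resolver performs; the truncated reply it checks is constructed in the block.

```python
"""Detect DNS truncation (TC bit) and perform the TCP fallback.

Added example, not from the mailing-list thread. A resolver receiving a
UDP reply with TC=1 must ask again over TCP/53. If the firewall passes
UDP/53 but drops TCP/53, exactly those names fail (timeouts, "no servers
could be reached") while everything else resolves.
"""
import random
import socket
import struct
from typing import Optional

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080  # DNS header flag bits


def build_query(name: str, qtype: int = 1, qid: Optional[int] = None) -> bytes:
    """Standard recursive query: RD=1, QDCOUNT=1; qtype 1 = A, class 1 = IN."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "is_response": bool(flags & QR),
            "truncated": bool(flags & TC), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
            "size": len(msg)}


def needs_tcp_retry(reply: bytes, query: bytes) -> bool:
    """True when the reply answers this query's id and carries TC=1."""
    h = parse_header(reply)
    return h["is_response"] and h["id"] == parse_header(query)["id"] and h["truncated"]


def make_truncated_reply(query: bytes) -> bytes:
    """Constructed reply as a server sends it when the full answer exceeds the
    UDP limit: same id and question, QR|RD|RA|TC set, no answer records."""
    qid = parse_header(query)["id"]
    return struct.pack("!HHHHHH", qid, QR | RD | RA | TC, 1, 0, 0, 0) + query[12:]


def resolve(server: str, name: str, timeout: float = 3.0) -> dict:
    """Query over UDP, then over TCP if the UDP reply is truncated.
    A good UDP reply followed by a TCP timeout points at TCP/53 being dropped."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        udp_reply, _ = s.recvfrom(4096)
    if not needs_tcp_retry(udp_reply, query):
        return {"transport": "udp", **parse_header(udp_reply)}
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(query)) + query)  # TCP DNS has a 2-byte length prefix
        length = struct.unpack("!H", t.recv(2))[0]
        tcp_reply = b""
        while len(tcp_reply) < length:
            chunk = t.recv(length - len(tcp_reply))
            if not chunk:
                raise ConnectionError("server closed TCP connection mid-reply")
            tcp_reply += chunk
    return {"transport": "tcp", **parse_header(tcp_reply)}


if __name__ == "__main__":
    q = build_query("go.microsoft.com", qid=0x1234)
    print(parse_header(q))
    print("retry over TCP:", needs_tcp_retry(make_truncated_reply(q), q))
```

Run `resolve("192.168.1.4", "go.microsoft.com")` against the server in the thread: a result with `"transport": "tcp"` means the answer only arrived after fallback, and a timeout at that step means the firewall between resolver and upstream is what needs fixing, not BIND.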




Re: Admin-tools for BIND DNS?

2011-05-01 Thread Beat Siegenthaler
On 21.04.11 19:56, Ewald Jenisch wrote:
> Hi,
>
> I'm looking for graphical tools easing configuration of a bind
> DNS-server. Ideally this tool should be capable of editing
> IPv6-related records like  too.
>
> Is there anything available out there for FreeBSD (I already checked
> the ports collection, but couldn't find anything).
>
webmin
it's in ports collection already..


Re: Admin-tools for BIND DNS?

2011-04-21 Thread Greg Larkin
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 4/21/11 1:56 PM, Ewald Jenisch wrote:
> Hi,
> 
> I'm looking for graphical tools easing configuration of a bind
> DNS-server. Ideally this tool should be capable of editing
> IPv6-related records like  too.
> 
> Is there anything available out there for FreeBSD (I already checked
> the ports collection, but couldn't find anything).
> 
> Thanks much in advance for any clue,
> -ewald
> 

Hi Ewald,

I didn't check if any of these are already part of the ports tree, but
there's a decent selection of tools here.

http://www.debianhelp.co.uk/bindweb.htm

If you use one and like it, please consider creating and submitting a
port for it.

Cheers,
Greg
- -- 
Greg Larkin

http://www.FreeBSD.org/   - The Power To Serve
http://www.sourcehosting.net/ - Ready. Set. Code.
http://twitter.com/sourcehosting/ - Follow me, follow you
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2weFwACgkQ0sRouByUApCqQgCeKMUsSRkuSTnm1FJIUFycxyRw
rqAAn3ecxGeY1XtAunroJGmMsrb/7VcK
=SKAt
-END PGP SIGNATURE-


Admin-tools for BIND DNS?

2011-04-21 Thread Ewald Jenisch
Hi,

I'm looking for graphical tools easing configuration of a bind
DNS-server. Ideally this tool should be capable of editing
IPv6-related records like  too.

Is there anything available out there for FreeBSD (I already checked
the ports collection, but couldn't find anything).

Thanks much in advance for any clue,
-ewald



Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for

2011-03-19 Thread O. Hartmann

On 03/18/11 17:02, Dan Nelson wrote:

In the last episode (Mar 18), O. Hartmann said:

I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
UBUNTU 10.10 server (using openldap 2.4.23).

Most of the installation on the Ubuntu server has been successfully done
(I'm not familiar with Linux, but it seems that things like pam and ldap
are quite similar to FreeBSD's installation).

From the Linux/Ubuntu server, I'm able to get all users and groups via
'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed up
user is successful.

But when it comes to a login via sshd, login fails with this error
(logged on Linux Ubuntu in /var/log/auth.log):

Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 
192.168.0.128 port 40734 ssh2
Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user 
"uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)


"Confidentiality required" means that the server is refusing to authenticate
over a non-encrypted connection.  Try switching pam_ldap to ldaps (in your
pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
"ssl on") and see if that works.



I managed it!

My FreeBSD OpenLDAP server has had in its config DIT (cn=config) the 
following entry, which seems to confuse Linux (but not the FreeBSD 
clients, for whatever reason):


olcSecurity: simple_bind=256

After reducing this security strength value down to

olcSecurity: simple_bind=128

everything works fine so far.

At the moment, I have no explanation for this. Either FreeBSD clients 
are always binding with a higher security strength level or ignoring this.


Thanks,

Oliver


Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for

2011-03-19 Thread O. Hartmann

On 03/18/11 17:02, Dan Nelson wrote:

In the last episode (Mar 18), O. Hartmann said:

I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
UBUNTU 10.10 server (using openldap 2.4.23).

Most of the installation on the Ubuntu server has been successfully done
(I'm not familiar with Linux, but it seems that things like pam and ldap
are quite similar to FreeBSD's installation).

From the Linux/Ubuntu server, I'm able to get all users and groups via
'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed up
user is successful.

But when it comes to a login via sshd, login fails with this error
(logged on Linux Ubuntu in /var/log/auth.log):

Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 
192.168.0.128 port 40734 ssh2
Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user 
"uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)


"Confidentiality required" means that the server is refusing to authenticate
over a non-encrypted connection.  Try switching pam_ldap to ldaps (in your
pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
"ssl on") and see if that works.



Well,
I tried several things now and I do not understand this world anymore :-(

In short again: the conceptual setup I use is a working concept 
on all FreeBSD boxes around here authenticating users via our 
OpenLDAP server, also run by FreeBSD (8.2-STABLE/amd64).


On the Linux/Ubuntu 10.10 server I tried the following:

ldapsearch:
ldap_sasl_interactive_bind_s: Confidentiality required (13)
additional info: TLS confidentiality required

ldapsearch -xZ:
...listing of the DIT of the LDAP server

looking up a user ID definitely within the DIT: positive response from 
the LDAP server.


I also can obtain passwd/group information via
getent passwd/group.

I also checked the connection to the LDAP server with the SSL credentials by

openssl s_client -connect LDAPserver:636 -showcerts

and receive a lot of information:
CONNECTED(0003)
depth=1 /C [...]

verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=DE/ST [...]
-BEGIN CERTIFICATE-
MIIDljCCAv+gAwIBA [...]
-END CERTIFICATE-
 1 s:/C [...]
i:/C=DE [...]
-BEGIN CERTIFICATE-
MIIDojCC[...]
-END CERTIFICATE-
---
Server certificate
subject=/C [...]
issuer=/C [...]
---
No client certificate CA names sent
---
SSL handshake has read 2175 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: AES256-SHA
Session-ID: 
2FCAD4AAFD18AD13013AE6A8BFF872036DAC94174F0DE626E8FF0C7F98FC7EE3

Session-ID-ctx:
Master-Key: X
Key-Arg   : None
TLS session ticket:
 - b5 48 c7 cc 09 99 fb a5-0e 1e 75 1b 4f aa a1 69 
.Hu.O..i

0010 - 37 a5 4f c7 [...]
Start Time: 1300547707
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---


I guess this signals everything is all right with the certificate 
connecting via SSL/TLS.


I'm not familiar with Linux/Ubuntu's PAM setup, the setup has been done 
via apt-get/installation of the appropriate tools and facilities (ldap, 
pam_ldap, nss_ldap). I've no idea what's going wrong ...


There is also some kind of weirdness around here. While logging in via ssh 
(or rather: trying to log in via ssh), I received this:


Mar 19 16:44:39 freyja sshd[1625]: Did not receive identification string 
from 125.88.109.121
Mar 19 16:44:40 freyja sshd[1623]: Failed password for ohartmann from 
XXX.XXX.XXX.XXX port 52686 ssh2
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session 
opened for user root by (uid=0)
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session 
closed for user root


IP 125.88.109.121 is located in China, 125.88.109.121 Server Details
IP address:
125.88.109.121
Server Location:
Guangzhou, Guangdong in China
ISP:
ChinaNet Guangdong Province Network
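The auth.log lines quoted in this thread are of three kinds: sshd's "Failed password", pam_ldap's "error trying to bind as user ... (Confidentiality required)", and sshd's "Did not receive identification string" (a connection that closed without sending an SSH banner, which is scanner noise rather than a login attempt). Pairing the pam_ldap error with the "Failed password" line of the same sshd pid separates "the directory refused the bind" from "the user typed the wrong password". The following is an added example written for this thread, not code from the thread or from pam_ldap; the sample log is constructed from the lines quoted above, with one masked source address replaced by a documentation address.

```python
"""Classify sshd / pam_ldap lines from auth.log and pair them by sshd pid.

Added example, not from the mailing-list thread. The diagnostic text in
the pam_ldap line is the LDAP server's message; "Confidentiality required"
is LDAP resultCode 13 (confidentialityRequired), i.e. the server refuses
the simple bind because the connection's security strength does not meet
what olcSecurity simple_bind=N demands.
"""
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the thread; the masked
# client address from the thread is replaced by 203.0.113.7 (documentation range).
SAMPLE_LOG = """\
Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 192.168.0.128 port 40734 ssh2
Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)
Mar 18 12:01:25 freyja sshd[26854]: Failed password for testuser from 192.168.0.128 port 40735 ssh2
Mar 19 16:44:39 freyja sshd[1625]: Did not receive identification string from 125.88.109.121
Mar 19 16:44:40 freyja sshd[1623]: Failed password for ohartmann from 203.0.113.7 port 52686 ssh2
Mar 19 16:45:01 freyja CRON[1626]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

LDAP_DIAGNOSTICS = {
    "Confidentiality required": "resultCode 13: simple bind refused, connection "
                                "below the server's olcSecurity simple_bind strength",
}

FAILED = re.compile(r"sshd\[(\d+)\]: Failed password for (?:invalid user )?(\S+) from (\S+) port (\d+)")
LDAP_BIND = re.compile(r'sshd\[(\d+)\]: pam_ldap: error trying to bind as user "([^"]+)" \((.*)\)\s*$')
NO_BANNER = re.compile(r"sshd\[(\d+)\]: Did not receive identification string from (\S+)")


def classify_line(line: str):
    """Return an event dict for a recognised line, or None for anything else."""
    m = FAILED.search(line)
    if m:
        return {"kind": "failed_password", "pid": int(m.group(1)), "user": m.group(2),
                "src": m.group(3), "port": int(m.group(4))}
    m = LDAP_BIND.search(line)
    if m:
        diag = m.group(3)
        return {"kind": "ldap_bind_error", "pid": int(m.group(1)), "dn": m.group(2),
                "diagnostic": diag,
                "meaning": LDAP_DIAGNOSTICS.get(diag, "unrecognised LDAP diagnostic")}
    m = NO_BANNER.search(line)
    if m:
        return {"kind": "no_banner", "pid": int(m.group(1)), "src": m.group(2)}
    return None


def summarize(text: str) -> dict:
    """Count events by kind, failed logins by source address, LDAP diagnostics
    by text, and banner-less connections by source address."""
    counts, failed_by_ip, diagnostics, no_banner_ips = Counter(), Counter(), Counter(), Counter()
    for line in text.splitlines():
        ev = classify_line(line)
        if ev is None:
            continue
        counts[ev["kind"]] += 1
        if ev["kind"] == "failed_password":
            failed_by_ip[ev["src"]] += 1
        elif ev["kind"] == "ldap_bind_error":
            diagnostics[ev["diagnostic"]] += 1
        else:
            no_banner_ips[ev["src"]] += 1
    return {"counts": counts, "failed_by_ip": failed_by_ip,
            "ldap_diagnostics": diagnostics, "no_banner_ips": no_banner_ips}


def ldap_caused_failures(text: str) -> set:
    """sshd pids whose 'Failed password' is preceded by a pam_ldap bind error:
    the rejection came from the directory connection, not from the password."""
    ldap_pids, failed_pids = set(), set()
    for line in text.splitlines():
        ev = classify_line(line)
        if ev and ev["kind"] == "ldap_bind_error":
            ldap_pids.add(ev["pid"])
        elif ev and ev["kind"] == "failed_password" and ev["pid"] in ldap_pids:
            failed_pids.add(ev["pid"])
    return failed_pids


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("failures caused by LDAP bind errors, by sshd pid:", ldap_caused_failures(SAMPLE_LOG))
```

Feed it `/var/log/auth.log` and the pids in `ldap_caused_failures` are the logins to look at on the OpenLDAP side (olcSecurity, TLS setup), while `failed_by_ip` and `no_banner_ips` show which of the remaining failures are ordinary bad passwords and which are unauthenticated scanning.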


Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for

2011-03-18 Thread O. Hartmann

On 03/18/11 17:02, Dan Nelson wrote:

In the last episode (Mar 18), O. Hartmann said:

I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
UBUNTU 10.10 server (using openldap 2.4.23).

Most of the installation on the Ubuntu server has been successfully done
(I'm not familiar with Linux, but it seems that things like pam and ldap
are quite similar to FreeBSD's installation).

From the Linux/Ubuntu server, I'm able to get all users and groups via
'getent passwd' and 'getent group', even 'id' on an OpenLDAP backed up
user is successful.

But when it comes to a login via sshd, login fails with this error
(logged on Linux Ubuntu in /var/log/auth.log):

Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 
192.168.0.128 port 40734 ssh2
Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user 
"uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)


"Confidentiality required" means that the server is refusing to authenticate
over a non-encrypted connection.  Try switching pam_ldap to ldaps (in your
pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
"ssl on") and see if that works.


Well,

in /etc/ldap.conf there is "ssl start_tls" and this should do the thing. 
I use nearly exactly the same configuration as I do on all the FreeBSD 
boxes connecting to the same OpenLDAP server.


I tried issuing 'ldapsearch -xZZ -h hostIP' and I get

ldap_start_tls: Connect error (-11)
additional info: (unknown error code)

looking deeper into the debug stuff with

'ldapsearch -xZZ -h hostIP' I receive at the end

TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_start_tls: Connect error (-11)
additional info: (unknown error code)


Obviously, my certificate (self signed, openssl verify cacert.pem gives:
OK) isn't found or there is something wrong with it. The certificate is 
located in /usr/local/etc/cacerts/cacert.pem and in Ubuntu's 
/etc/ldap.conf there is this line:

tls_cacertfile usr/local/etc/cacerts/cacert.pem

is referring to the certificate.





Re: User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for

2011-03-18 Thread Dan Nelson
In the last episode (Mar 18), O. Hartmann said:
> I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent
> OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for an
> UBUNTU 10.10 server (using openldap 2.4.23).
> 
> Most of the installation on the Ubuntu server has been successfully done
> (I'm not familiar with Linux, but it seems that things like pam and ldap
> are quite similar to FreeBSD's installation).
> 
>  From the Linux/Ubuntu server, I'm able to get all users and groups via
> 'getent passwd' and 'getent group', even 'id' on an OpenLDAP-backed
> user is successful.
> 
> But when it comes to a login via sshd, login fails with this error 
> (logged on Linux Ubuntu in /var/log/auth.log):
> 
> Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 
> 192.168.0.128 port 40734 ssh2
> Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as user 
> "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality required)

"Confidentiality required" means that the server is refusing to authenticate
over a non-encrypted connection.  Try switching pam_ldap to ldaps (in your
pam ldap.conf, either change your "uri" lines to ldaps:// or add the line
"ssl on") and see if that works.

-- 
Dan Nelson
dnel...@allantgroup.com
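Dan's diagnosis and Oliver's ldapsearch trace in his follow-up both come down to the client-side ldap.conf: whether the bind is encrypted at all, and whether the CA file pam_ldap must trust can actually be opened. The script below is an added example, not part of the thread or of pam_ldap, that checks those two settings offline. Key names follow the PADL ldap.conf syntax (uri, ssl, tls_cacertfile); the sample file it writes is constructed for the demo and copies the thread's tls_cacertfile line, which has no leading slash.

```shell
#!/bin/sh
# Added example, not part of the thread: an offline check of a pam_ldap /
# nss_ldap ldap.conf for the two things behind "Confidentiality required"
# and "TLS: peer cert untrusted or revoked". The sample file written by
# demo_ldap_conf is constructed for the demo.

# ldap_conf_value CONF KEY
# Print the first value of KEY in CONF. Keys are case-insensitive; comment
# and blank lines never match a key, so they are skipped.
ldap_conf_value() {
    awk -v k="$2" 'tolower($1) == k { print $2; exit }' "$1"
}

# ldap_tls_mode CONF
# Print ldaps, start_tls or plain (first uri only). Only the first two
# encrypt the simple bind that carries the user's password; "plain" is what
# a slapd with a minimum security strength (security ssf=...) refuses with
# "Confidentiality required".
ldap_tls_mode() {
    uri=$(ldap_conf_value "$1" uri)
    ssl=$(ldap_conf_value "$1" ssl)
    case $uri in
        ldaps://*) echo ldaps; return 0 ;;
    esac
    case $ssl in
        on)        echo ldaps ;;
        start_tls) echo start_tls ;;
        *)         echo plain ;;
    esac
}

# ldap_cacert_status CONF
# Print ok, missing, relative or unset for tls_cacertfile. "relative" is
# the one to look for: pam_ldap runs inside sshd/login with an arbitrary
# working directory, so a path without a leading / is never found, the
# server certificate cannot be verified, and STARTTLS fails before the bind.
ldap_cacert_status() {
    ca=$(ldap_conf_value "$1" tls_cacertfile)
    case $ca in
        "") echo unset ;;
        /*) if [ -r "$ca" ]; then echo ok; else echo missing; fi ;;
        *)  echo relative ;;
    esac
}

# demo_ldap_conf
# Write a constructed ldap.conf modelled on the thread's Ubuntu /etc/ldap.conf
# (note the tls_cacertfile value without a leading slash) and print
# "MODE CACERT".
demo_ldap_conf() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample for the demo
base dc=example,dc=com
uri ldap://ldap.example.com/
ssl start_tls
tls_cacertfile usr/local/etc/cacerts/cacert.pem
EOF
    printf '%s %s\n' "$(ldap_tls_mode "$tmp")" "$(ldap_cacert_status "$tmp")"
    rm -f "$tmp"
}

demo_ldap_conf    # prints: start_tls relative
```

Run ldap_tls_mode /etc/ldap.conf and ldap_cacert_status /etc/ldap.conf on the client. If the CA check reports relative or missing, STARTTLS cannot verify the server and fails the way the ldapsearch -ZZ trace shows, so fix the path before touching the server side. A plain ldapsearch -x without -Z against a server that enforces a minimum ssf should reproduce the same "Confidentiality required" result that pam_ldap logs, which confirms the server is doing what it should.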


User authentication on Linux with FreeBSD OpenLDAP backend fails: pam_ldap: error trying to bind as user/Failed password for

2011-03-18 Thread O. Hartmann

Hello.
I try to use a FreeBSD OpenLDAP (FreeBSD 8.2-STABLE/amd64, most recent 
OpenLDAP/openldap-sasl-server-2.4.24) as an authentication backend for 
an UBUNTU 10.10 server (using openldap 2.4.23).


Most of the installation on the Ubuntu server has been successfully done 
(I'm not familiar with Linux, but it seems that things like pam and ldap 
are quite similar to FreeBSD's installation).


From the Linux/Ubuntu server, I'm able to get all users and groups via
'getent passwd' and 'getent group', even 'id' on an OpenLDAP-backed 
user is successful.


But when it comes to a login via sshd, login fails with this error 
(logged on Linux Ubuntu in /var/log/auth.log):


Mar 18 12:01:00 freyja sshd[26824]: Failed password for testuser from 
192.168.0.128 port 40734 ssh2
Mar 18 12:01:23 freyja sshd[26854]: pam_ldap: error trying to bind as 
user "uid=testuser,ou=users,dc=geoinf,dc=freyja,dc=com" (Confidentiality 
required)
Mar 18 12:01:25 freyja sshd[26854]: Failed password for testuser from 
192.168.0.128 port 54156 ssh2


I'm able to log in from other systems (FreeBSD 9 and 8) via this specific 
OpenLDAP server.


Does anyone have a clue?

Please CC me, I'm not subscribed to this list.

Thanks in advance and regards,
Oliver



bind 98 make fails

2011-03-16 Thread Len Conrad
FreeBSD 8.2 i386  

kern dev distribution

as 42-bit VM on host ESXi 4.1

portsnap fetch extract

cd /usr/ports/dns/bind98

make

Options for bind98 9.8.0

[X] SSL            Building without OpenSSL removes DNSSEC
[X] LINKS          Create conf file symlinks in /usr/local
[X] XML            Support for xml statistics output
[X] IDN            Add IDN support to dig, host, etc.
[X] REPLACE_BASE   Replace base BIND with this version
[ ] LARGE_FILE     64-bit file support
[X] SIGCHASE       dig/host/nslookup will do DNSSEC validation
[X] IPV6           IPv6 Support (autodetected by default)
[X] THREADS        Compile with thread support
[ ] DLZ_POSTGRESQL DLZ Postgres driver
[ ] DLZ_MYSQL      DLZ MySQL driver (single-threaded BIND)
[ ] DLZ_BDB        DLZ BDB driver
[ ] DLZ_LDAP       DLZ LDAP driver
[ ] DLZ_FILESYSTEM DLZ filesystem driver
[ ] DLZ_STUB       DLZ stub driver

make: don't know how to make /usr/ports/dns/bind98/work/.build_done.bind98._usr_local. Stop
*** Error code 2

thanks
Len



Re: recient problem with bind en 7.4-PRERELEASE FreeBSD 7.4-PRERELEASE #1180:

2011-03-07 Thread Gary Kline
On Mon, Mar 07, 2011 at 05:34:40PM -0600, Edwin L. Culp W. wrote:
> Out of the clear, I can no longer start named from /etc/rc.d/named
> start.  The only error message that I get is in log/messages
> 
> Mar  7 17:13:59 unixmania named[99841]: starting BIND 9.4.-ESV-R4 -u
> bind -4 -t /var/named -u bind
> Mar  7 17:14:00 unixmania named[99841]: could not configure root hints
> from 'named.root': file not found
> Mar  7 17:14:00 unixmania named[99841]: loading configuration: file not found
> Mar  7 17:14:00 unixmania named[99841]: exiting (due to fatal error)
> Mar  7 17:14:05 unixmania named[99940]: starting BIND 9.4.-ESV-R4 -u
> bind -4 -t /var/named -u bind
> Mar  7 17:14:05 unixmania named[99940]: could not configure root hints
> from 'named.root': file not found
> Mar  7 17:14:05 unixmania named[99940]: loading configuration: file not found
> Mar  7 17:14:05 unixmania named[99940]: exiting (due to fatal error
> 
> named.root is in /var/named/etc/namedb and contains the same as my
> bind 9.6 on current.  adding an ls to named.root
> 
> ls -l /var/named/etc/namedb/named.root /etc/namedb/named.root
> 
> -rw-r--r--  1 bind  wheel  3074 Jun 28  2010 /etc/namedb/named.root
> -rw-r--r--  1 bind  wheel  3074 Jun 28  2010 /var/named/etc/namedb/named.root
> 
> I can't  find any major differences with this and 9.6 that works fine.
> 
> when I try to start it notes that it isn't running and isn't able to start.
> 
> Thanks for any suggestions.
> 
> I am running
> 
> 7.4-PRERELEASE FreeBSD 7.4-PRERELEASE #1180: Wed Jan 26 04:33:51 CST 2011
> 
> Thanks,
> 
> ed



Unfortunately, I don't have any answers to this problem.  I only
know that the same thing happened to me when I tried to upgrade
from the older, no-longer-supported bind9-3

[My solution was to reinstall the older bind9 ]

I am running 7.3, although that shouldn't make any difference... .





-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
   Journey Toward the Dawn, E-Book: http://www.thought.org
  The 7.98a release of Jottings: http://jottings.thought.org



recient problem with bind en 7.4-PRERELEASE FreeBSD 7.4-PRERELEASE #1180:

2011-03-07 Thread Edwin L. Culp W.
Out of the clear, I can no longer start named from /etc/rc.d/named
start.  The only error message that I get is in log/messages

Mar  7 17:13:59 unixmania named[99841]: starting BIND 9.4.-ESV-R4 -u
bind -4 -t /var/named -u bind
Mar  7 17:14:00 unixmania named[99841]: could not configure root hints
from 'named.root': file not found
Mar  7 17:14:00 unixmania named[99841]: loading configuration: file not found
Mar  7 17:14:00 unixmania named[99841]: exiting (due to fatal error)
Mar  7 17:14:05 unixmania named[99940]: starting BIND 9.4.-ESV-R4 -u
bind -4 -t /var/named -u bind
Mar  7 17:14:05 unixmania named[99940]: could not configure root hints
from 'named.root': file not found
Mar  7 17:14:05 unixmania named[99940]: loading configuration: file not found
Mar  7 17:14:05 unixmania named[99940]: exiting (due to fatal error

named.root is in /var/named/etc/namedb and contains the same as my
bind 9.6 on current.  adding an ls to named.root

ls -l /var/named/etc/namedb/named.root /etc/namedb/named.root

-rw-r--r--  1 bind  wheel  3074 Jun 28  2010 /etc/namedb/named.root
-rw-r--r--  1 bind  wheel  3074 Jun 28  2010 /var/named/etc/namedb/named.root

I can't  find any major differences with this and 9.6 that works fine.

when I try to start it notes that it isn't running and isn't able to start.

Thanks for any suggestions.

I am running

7.4-PRERELEASE FreeBSD 7.4-PRERELEASE #1180: Wed Jan 26 04:33:51 CST 2011

Thanks,

ed


can't make port BIND 9.7.3

2011-02-22 Thread Len Conrad
7.2-RELEASE-p1-jc2

trying to make in /usr/ports/dns/bind97

distinfo shows bind-9.7.3.tar.gz

make options:
 
SSL
IDN
replace_base
sigchase
ipv6
threads
links
xml

exiting the options, an immediate stop:

make: don't know how to make 
/usr/ports/dns/bind97/work/.build_done.bind97._usr_local. Stop
*** Error code 2

Stop in /usr/ports/dns/bind97.

thanks
Len



need help with bind; either the original, or the new release.

2011-01-24 Thread Gary Kline


Guys,

I need some feedback from those DNS wizards onlist.  The trouble 
I've been having has to do with bind/named.  

My server failed when the old bind9 reached its end-of-life.  
The new bind97 is not a drop-in replacement and from the
troubles I see in my /var/log/messages, I don't understand 
why things are suddenly breaking.

Can I go back to the original, builtin bind in /contrib?  Else,
how can I go to the dns/bind9 that has worked for years?

thanks for any insights,

gary



-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
   Journey Toward the Dawn, E-Book: http://www.thought.org
  The 7.97a release of Jottings: http://jottings.thought.org



Re: named/bind problems....

2011-01-19 Thread Gary Kline


Hey: I quit out of portupgrade when it tried to pull over 200MB 
of stuff, did a pkgdb -Fv; then found that the new xdm actually works!

So I am back with two or more xterms/Konsoles and able to type
legibly.   Dunno what happened but ain't asking no questions

At least now I will be able to use my 4-port KVM switch to mv back and
forth from here on ethic [Server] to tao [Desktop], and have fewer
troubles.

:_)


On Wed, Jan 19, 2011 at 06:11:23PM -0500, Robert Boyer wrote:
> Sorry to see you are still having issues. I thought you were set when we 
> fixed your resolv last night.
> 
> Okay - let's start from scratch here
> 
> Are you sure you need a named? Are you actually serving dns for your own IP 
> addresses or are you using it as a caching server. 


i am actually serving my own DNS for 209.180.213.209-//213.  Without
ethic, my domain disappears from the world.  

Note that friends say that I am a bit nuts to do this myself; they
think I should just pay somebody to host my sites.  There is
www, jottings, journey, transfinite, the site that hosts my library
writing group, and the site that hosts my friend's business site.  


> Getting a new named working/installed is not an issue. Config files are 
> usually an issue. If you can explain your network topology and what you are 
> trying to make work I can probably point you in the right direction.
> 
> 
> We did get your local resolution issue solved didn't we?


Somehow, with "^nameserver 8.8.8.8" added to my /etc/resolv.conf got
even my Firefox webserver working on "tao".  Not now.

Now that you know that I actually have ns1.thought.org [[
==ethic.thought.org ]]; that it serves my DNS, what next?  I admit to
only having glanced at the new bind97.  At 01:30 I was helping my
daughter with an English paper.

gary


> 
> RB
> 
> On Jan 19, 2011, at 6:03 PM, Gary Kline wrote:
> 
> > Yesterday noon my time I rebooted my server.  Things seemed to be slow.
> > Several streams were hanging or stopping, and because ethic.thought.org had
> > been up for 61 days I figured it wouldn't hurt to reinitialize stuff.
> > 
> > Well, nutshell, disaster.  For hours it wasn't clear whether the server 
> > would
> > survive, but eventually i got a portupgrade -avOPk going and now I am close 
> > to
> > having every port rebuilt.  
> > 
> > Now host kuow.org gives the the IP address of the U/Washington.  Etc. last
> > night for unknown reasons even this failed.  I remembered that late last 
> > fall
> > I  was warned the "bind9" was nearing its end/life.   I okayed the 
> > portupgrade
> > to remove bind9 and install whatever its follow up would be.  
> > 
> > Since then, my kill9named script[s] and my restartnamed script[s] have 
> > failed.
> > Can anyone save me from hours of tracking down whatever I have to to put
> > things right?   
> > 
> > Every time I get in trouble with this bind stuff it occurs to me how significant 
> > an
> > achievement it is to have a
> > service that automagically maps quad/dotted-decimals to actual words.
> > 
> > Sorry if this sounds disjoint; it is past time for a lollipop and a blanket
> > and a *nap*
> > 
> > gary
> > 
> > 
> > 
> > -- 
> > Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
> >The 7.97a release of Jottings: http://jottings.thought.org/index.php
> >   http://journey.thought.org
> > ethic 
> 



-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
The 7.97a release of Jottings: http://jottings.thought.org/index.php
   http://journey.thought.org
 ethic 


Re: named/bind problems....

2011-01-19 Thread Robert Boyer
okay,

lets start from the beginning here...

1) Do you have your own IP address and IP address block that you are hosting 
DNS for or is it local only?

2) from talking with you last night I want to make sure you are aware of two 
things...

A) resolv.conf is used for name resolution on EVERY system; it tells ALL 
 of the software where to get name services from. We fixed this last night for one of 
your systems by pointing it at a name server that works (the one you had did 
not work)
B) named provides name services (as well as forwarding to other dns 
services)  and can be pointed to by resolv.conf on your local systems -  if it 
is not working AND your local resolv.conf files are pointing there your name 
resolution will not work.
C) you can get internet name services working temporarily by using some 
of the servers I gave you, 8.8.8.8 and 8.8.4.4, in all of your resolv.conf files 
- you don't need named to work for this. You can also use /etc/hosts for your 
couple of local name/address translations as a work around until you get named 
working again.

3) dig is your friend for debugging named - you can use dig @local-dns-address 
lookup-name to debug your named while still using external name servers in your 
resolv.conf and local naming in /etc/hosts until you ACTUALLY are sure your 
local named is working.

4) The only thing you really really need a local named for is if you have a 
real IP block that you are responsible for providing name services on the 
internet for - rarely the case and even if you do you can temporarily jam the 
names you care about in another 
DNS server somewhere out there like zoneedit or free dns temporarily.

Get your stuff working then debug your named.

RB
On Jan 19, 2011, at 6:55 PM, Gary Kline wrote:

> On Wed, Jan 19, 2011 at 06:11:23PM -0500, Robert Boyer wrote:
>> Sorry to see you are still having issues. I thought you were set when we 
>> fixed your resolv last night.
>> 
>> Okay - let's start from scratch here
>> 
>> Are you sure you need a named? Are you actually serving dns for your own IP 
>> addresses or are you using it as a caching server. Getting a new named 
>> working/installed is not an issue. Config files are usually an issue. If 
>> you can explain your network topology and what you are trying to make work I 
>> can probably point you in the right direction.
>> 
> 
> 
>   Last night I was on the right track; then suddenly things broke and I
>   have no idea why.  From the modem/router, the wire goes thru my 
>   firewall that runs pfSense.  Then output from the firewall plugs
>   into my switch.  
> 
>   My DNS/Mail/web server is a separate box that plugs into the
>   hub/switch as well.  [i think; it is hard for me to get down 
>   and crawl around under the desk.]  The server has been running named
>   since April, '01.  I read DNS AND BIND to get things going; then in
>   late '07 serious network troubles and help from someone in the Dallas
>   Ft-Worth area reconfigured my network.This fellow mostly edited
>   the /etc/namedb/named.conf and related files.  I also host a friend's
>   site, gratis.  He is a builder; we have been friends for nearly
>   twenty years.   His site is a very small part of the picture; I 
>   mention it only to emphasize that my setup is not entirely trivial.
> 
>   Would it help to shar or tarball up my namedb files?
> 
>   FWIW, I am logged into ethic on a console.  Usually I work in X11
>   and have xset r off set to prevent key bounces.
> 
> 
>> 
>> We did get your local resolution issue solved didn't we?
> 
> 
>   I think in KVM'ing from tao to  ethic and back, the   configuration we 
>   set up last night  broke.   At least, in watching portupgrade draw in
>   more and more files [on ethic], when I KVM back to my desktop, the
>   mutt settings get lost
> 
>   -gary
> 
>> 
>> RB
>> 
>> On Jan 19, 2011, at 6:03 PM, Gary Kline wrote:
>> 
>>> Yesterday noon my time I rebooted my server.  Things seemed to be slow.
>>> Several streams were hanging or stopping, and because ethic.thought.org had
>>> been up for 61 days I figured it wouldn't hurt to reinitialize stuff.
>>> 
>>> Well, nutshell, disaster.  For hours it wasn't clear whether the server 
>>> would
>>> survive, but eventually i got a portupgrade -avOPk going and now I am close 
>>> to
>>> having every port rebuilt.  
>>> 
>>> Now host kuow.org gives the IP address of the U/Washington.  Etc. last
>>> night for unknown reasons even this failed.  I remembered tha

Re: named/bind problems....

2011-01-19 Thread Gary Kline
On Wed, Jan 19, 2011 at 06:11:23PM -0500, Robert Boyer wrote:
> Sorry to see you are still having issues. I thought you were set when we 
> fixed your resolv last night.
> 
> Okay - let's start from scratch here
> 
> Are you sure you need a named? Are you actually serving dns for your own IP 
> addresses or are you using it as a caching server. Getting a new named 
> working/installed is not an issue. Config files are usually an issue. If you 
> can explain your network topology and what you are trying to make work I can 
> probably point you in the right direction.
> 


Last night I was on the right track; then suddenly things broke and I
have no idea why.  From the modem/router, the wire goes thru my 
firewall that runs pfSense.  Then output from the firewall plugs
into my switch.  

My DNS/Mail/web server is a separate box that plugs into the
hub/switch as well.  [i think; it is hard for me to get down 
and crawl around under the desk.]  The server has been running named
since April, '01.  I read DNS AND BIND to get things going; then in
late '07 serious network troubles and help from someone in the Dallas
Ft-Worth area reconfigured my network.This fellow mostly edited
the /etc/namedb/named.conf and related files.  I also host a friend's
site, gratis.  He is a builder; we have been friends for nearly
twenty years.   His site is a very small part of the picture; I 
mention it only to emphasize that my setup is not entirely trivial.

Would it help to shar or tarball up my namedb files?

FWIW, I am logged into ethic on a console.  Usually I work in X11
and have xset r off set to prevent key bounces.


> 
> We did get your local resolution issue solved didn't we?


I think in KVM'ing from tao to  ethic and back, the   configuration we 
set up last night  broke.   At least, in watching portupgrade draw in
more and more files [on ethic], when I KVM back to my desktop, the
mutt settings get lost

-gary

> 
> RB
> 
> On Jan 19, 2011, at 6:03 PM, Gary Kline wrote:
> 
> > Yesterday noon my time I rebooted my server.  Things seemed to be slow.
> > Several streams were hanging or stopping, and because ethic.thought.org had
> > been up for 61 days I figured it wouldn't hurt to reinitialize stuff.
> > 
> > Well, nutshell, disaster.  For hours it wasn't clear whether the server 
> > would
> > survive, but eventually i got a portupgrade -avOPk going and now I am close 
> > to
> > having every port rebuilt.  
> > 
> > Now host kuow.org gives the IP address of the U/Washington.  Etc. last
> > night for unknown reasons even this failed.  I remembered that late last 
> > fall
> > I  was warned the "bind9" was nearing its end/life.   I okayed the 
> > portupgrade
> > to remove bind9 and install whatever its follow up would be.  
> > 
> > Since then, my kill9named script[s] and my restartnamed script[s] have 
> > failed.
> > Can anyone save me from hours of tracking down whatever I have to to put
> > things right?   
> > 
> > Every time I get in trouble with this bind stuff it occurs to me how significant 
> > an
> > achievement it is to have a
> > service that automagically maps quad/dotted-decimals to actual words.
> > 
> > Sorry if this sounds disjoint; it is past time for a lollipop and a blanket
> > and a *nap*
> > 
> > gary
> > 
> > 
> > 
> > -- 
> > Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
> >The 7.97a release of Jottings: http://jottings.thought.org/index.php
> >   http://journey.thought.org
> > ethic 
> 



-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
The 7.97a release of Jottings: http://jottings.thought.org/index.php
   http://journey.thought.org
 ethic 


Re: named/bind problems....

2011-01-19 Thread Robert Boyer
Sorry to see you are still having issues. I thought you were set when we fixed 
your resolv last night.

Okay - let's start from scratch here

Are you sure you need a named? Are you actually serving dns for your own IP 
addresses or are you using it as a caching server. Getting a new named 
working/installed is not an issue. Config files are usually an issue. If you 
can explain your network topology and what you are trying to make work I can 
probably point you in the right direction.


We did get your local resolution issue solved didn't we?

RB

On Jan 19, 2011, at 6:03 PM, Gary Kline wrote:

> Yesterday noon my time I rebooted my server.  Things seemed to be slow.
> Several streams were hanging or stopping, and because ethic.thought.org had
> been up for 61 days I figured it wouldn't hurt to reinitialize stuff.
> 
> Well, nutshell, disaster.  For hours it wasn't clear whether the server would
> survive, but eventually i got a portupgrade -avOPk going and now I am close to
> having every port rebuilt.  
> 
> Now host kuow.org gives the IP address of the U/Washington.  Etc. last
> night for unknown reasons even this failed.  I remembered that late last fall
> I  was warned the "bind9" was nearing its end/life.   I okayed the portupgrade
> to remove bind9 and install whatever its follow up would be.  
> 
> Since then, my kill9named script[s] and my restartnamed script[s] have failed.
> Can anyone save me from hours of tracking down whatever I have to to put
> things right?   
> 
> Every time I get in trouble with this bind stuff it occurs to me how significant an
> achievement it is to have a
> service that automagically maps quad/dotted-decimals to actual words.
> 
> Sorry if this sounds disjoint; it is past time for a lollipop and a blanket
> and a *nap*
> 
> gary
> 
> 
> 
> -- 
> Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
>The 7.97a release of Jottings: http://jottings.thought.org/index.php
>   http://journey.thought.org
> ethic 



named/bind problems....

2011-01-19 Thread Gary Kline
Yesterday noon my time I rebooted my server.  Things seemed to be slow.
Several streams were hanging or stopping, and because ethic.thought.org had
been up for 61 days I figured it wouldn't hurt to reinitialize stuff.

Well, nutshell, disaster.  For hours it wasn't clear whether the server would
survive, but eventually i got a portupgrade -avOPk going and now I am close to
having every port rebuilt.  

Now host kuow.org gives the IP address of the U/Washington.  Etc. last
night for unknown reasons even this failed.  I remembered that late last fall
I  was warned the "bind9" was nearing its end/life.   I okayed the portupgrade
to remove bind9 and install whatever its follow up would be.  

Since then, my kill9named script[s] and my restartnamed script[s] have failed.
Can anyone save me from hours of tracking down whatever I have to to put
things right?   

Every time I get in trouble with this bind stuff it occurs to me how significant an
achievement it is to have a
service that automagically maps quad/dotted-decimals to actual words.

Sorry if this sounds disjoint; it is past time for a lollipop and a blanket
and a *nap*

gary



-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
The 7.97a release of Jottings: http://jottings.thought.org/index.php
   http://journey.thought.org
 ethic 


Re: BIND: could not configure root hints from 'named.root': file not found

2010-10-04 Thread Matthew

Krad,
Thank you for the tip. I've changed the "." to the correct value.
Matthew

On 1 October 2010 21:16, CyberLeo Kitsana wrote:

On 10/01/2010 12:52 PM, Matthew wrote:

> I would be grateful for any pointers on how to resolve this.  I suspect
> the error message may not be exactly descriptive of what's happening.

Kinda.

Here's a few points to keep in mind when working with bind in FreeBSD:

* By default, named runs in a chroot jail rooted at /var/named/.

* For security reasons, named cannot write to anything in that tree,
except the dynamic, slave, and working directories.

* named uses its current working directory to resolve relative pathnames
in the configuration file.

* With a recent change to ISC Bind 9, named started complaining if it
couldn't write to its current working directory. At the time, this was
(chroot)/etc/namedb/; this was subsequently changed to
(chroot)/etc/namedb/working/ to make named happy without compromising
security.

When the working directory for named was (chroot)/etc/namedb/,
everything was peachy. Since this was changed, relative pathnames no
longer work as expected because the reference point is different. The
easiest solution is to alter your configuration file to include only
absolute pathnames, relative to the root of the jail.

The default named config file (in /var/named/etc/namedb/named.conf) is
an excellent source of examples for this.

--
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net


Furry Peace! - http://.fur.com/peace/


Hmm,


options {
directory".";

that doesn't look ideal. Not sure if you are meaning to do that but put an
explicit directory in e.g. /etc/namedb. Otherwise it will be looking in
whatever current directory you are in at that time. The main named.conf will
be found as it's supplied via a cli switch by the rc script. However all
subsequent files will come from the current dir




Re: BIND: could not configure root hints from 'named.root': file not found

2010-10-04 Thread Matthew

CyberLeo Kitsana,
Thank you so much for the history and evolution on Bind expected 
directory structures.  It enabled me to jump through that tough spot.

Thanks again,
Matthew

On 10/01/2010 12:52 PM, Matthew wrote:

> I would be grateful for any pointers on how to resolve this.  I suspect
> the error message may not be exactly descriptive of what's happening.

Kinda.

Here's a few points to keep in mind when working with bind in FreeBSD:

* By default, named runs in a chroot jail rooted at /var/named/.

* For security reasons, named cannot write to anything in that tree,
except the dynamic, slave, and working directories.

* named uses its current working directory to resolve relative pathnames
in the configuration file.

* With a recent change to ISC Bind 9, named started complaining if it
couldn't write to its current working directory. At the time, this was
(chroot)/etc/namedb/; this was subsequently changed to
(chroot)/etc/namedb/working/ to make named happy without compromising
security.

When the working directory for named was (chroot)/etc/namedb/,
everything was peachy. Since this was changed, relative pathnames no
longer work as expected because the reference point is different. The
easiest solution is to alter your configuration file to include only
absolute pathnames, relative to the root of the jail.

The default named config file (in /var/named/etc/namedb/named.conf) is
an excellent source of examples for this.



Re: BIND: could not configure root hints from 'named.root': file not found

2010-10-02 Thread krad
On 1 October 2010 21:16, CyberLeo Kitsana  wrote:

> On 10/01/2010 12:52 PM, Matthew wrote:
> > I would be grateful for any pointers on how to resolve this.  I suspect
> > the error message may not be exactly descriptive of what's happening.
>
> Kinda.
>
> Here's a few points to keep in mind when working with bind in FreeBSD:
>
> * By default, named runs in a chroot jail rooted at /var/named/.
>
> * For security reasons, named cannot write to anything in that tree,
> except the dynamic, slave, and working directories.
>
> * named uses its current working directory to resolve relative pathnames
> in the configuration file.
>
> * With a recent change to ISC Bind 9, named started complaining if it
> couldn't write to its current working directory. At the time, this was
> (chroot)/etc/namedb/; this was subsequently changed to
> (chroot)/etc/namedb/working/ to make named happy without compromising
> security.
>
> When the working directory for named was (chroot)/etc/namedb/,
> everything was peachy. Since this was changed, relative pathnames no
> longer work as expected because the reference point is different. The
> easiest solution is to alter your configuration file to include only
> absolute pathnames, relative to the root of the jail.
>
> The default named config file (in /var/named/etc/namedb/named.conf) is
> an excellent source of examples for this.
>
> --
> Fuzzy love,
> -CyberLeo
> Technical Administrator
> CyberLeo.Net Webhosting
> http://www.CyberLeo.Net
> 
>
> Furry Peace! - http://.fur.com/peace/


Hmm,


options {
    directory ".";

that doesn't look ideal. Not sure if you are meaning to do that, but put an
explicit directory in, e.g. /etc/namedb. Otherwise it will be looking in
whatever current directory you are in at that time. The main named.conf will
be found as it's supplied via a CLI switch by the rc script. However, all
subsequent files will come from the current dir.
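The working-directory problem CyberLeo describes above, together with krad's point about `directory "."`, as an added Python example that is not code from the thread: it resolves the `file` statements of a named.conf the way named does, relative to the `directory` option inside the chroot, and reports which files would not be found. It assumes named's cwd after the chroot is "/" (a simplification, not taken from the BIND source) and builds a throwaway tree shaped like the default /var/named chroot as constructed sample input.

```python
import os
import posixpath
import re
import tempfile

# Default chroot for named(8) on FreeBSD, as noted in the thread.
CHROOT = "/var/named"

# Constructed named.conf fragments, not taken from the thread. The first
# resolves everything relative to the working directory; the second uses
# only paths that are absolute within the chroot, which is the fix the
# thread recommends.
RELATIVE_CONF = '''
options {
    directory ".";
};
zone "." { type hint; file "named.root"; };
zone "example.test" { type master; file "master/example.test"; };
'''

ABSOLUTE_CONF = '''
options {
    directory "/etc/namedb/working";
};
zone "." { type hint; file "/etc/namedb/named.root"; };
zone "example.test" { type master; file "/etc/namedb/master/example.test"; };
'''

# The lookbehind keeps "pid-file", "dump-file" and "statistics-file" from
# being mistaken for zone file statements.
_DIRECTORY_RE = re.compile(r'(?<![\w-])directory\s+"([^"]+)"\s*;')
_FILE_RE = re.compile(r'(?<![\w-])file\s+"([^"]+)"\s*;')


def working_directory(conf_text, start_cwd="/"):
    """Directory named chdir()s to after reading its configuration.

    Simplified model (assumption, not from the BIND source): after the chroot
    named's cwd is start_cwd, and a relative "directory" is joined to it, so
    directory "." leaves named sitting at the chroot root.
    """
    match = _DIRECTORY_RE.search(conf_text)
    directory = match.group(1) if match else "."
    return posixpath.normpath(posixpath.join(start_cwd, directory))


def resolve_files(conf_text, start_cwd="/"):
    """Map each file statement to the chroot-relative path named will open."""
    workdir = working_directory(conf_text, start_cwd)
    resolved = {}
    for stmt in _FILE_RE.findall(conf_text):
        # Relative file names are resolved against the working directory,
        # which is exactly what breaks when that directory moves.
        resolved[stmt] = posixpath.normpath(posixpath.join(workdir, stmt))
    return resolved


def missing_files(conf_text, chroot):
    """Return the file statements whose target does not exist under chroot."""
    missing = []
    for stmt, path in resolve_files(conf_text).items():
        host_path = os.path.join(chroot, path.lstrip("/"))
        if not os.path.exists(host_path):
            missing.append(stmt)
    return missing


def build_sample_chroot():
    """Create a throwaway tree shaped like the default FreeBSD named chroot."""
    root = tempfile.mkdtemp(prefix="named-chroot-")
    namedb = os.path.join(root, "etc", "namedb")
    os.makedirs(os.path.join(namedb, "master"))
    os.makedirs(os.path.join(namedb, "working"))
    for rel in ("named.root", os.path.join("master", "example.test")):
        with open(os.path.join(namedb, rel), "w") as fh:
            fh.write("; constructed placeholder zone data\n")
    return root


if __name__ == "__main__":
    root = build_sample_chroot()
    for label, conf in (("relative", RELATIVE_CONF), ("absolute", ABSOLUTE_CONF)):
        print(label, "missing:", missing_files(conf, root))
```

Running it against a real chroot means passing its root (for example `/var/named`) and the text of the real named.conf instead of the constructed fragments.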


Re: BIND: could not configure root hints from 'named.root': file not found

2010-10-01 Thread CyberLeo Kitsana
On 10/01/2010 12:52 PM, Matthew wrote:
> I would be grateful for any pointers on how to resolve this.  I suspect
> the error message may not be exactly descriptive of what's happening.

Kinda.

Here's a few points to keep in mind when working with bind in FreeBSD:

* By default, named runs in a chroot jail rooted at /var/named/.

* For security reasons, named cannot write to anything in that tree,
except the dynamic, slave, and working directories.

* named uses its current working directory to resolve relative pathnames
in the configuration file.

* With a recent change to ISC Bind 9, named started complaining if it
couldn't write to its current working directory. At the time, this was
(chroot)/etc/namedb/; this was subsequently changed to
(chroot)/etc/namedb/working/ to make named happy without compromising
security.

When the working directory for named was (chroot)/etc/namedb/,
everything was peachy. Since this was changed, relative pathnames no
longer work as expected because the reference point is different. The
easiest solution is to alter your configuration file to include only
absolute pathnames, relative to the root of the jail.

The default named config file (in /var/named/etc/namedb/named.conf) is
an excellent source of examples for this.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net


Furry Peace! - http://.fur.com/peace/


BIND: could not configure root hints from 'named.root': file not found

2010-10-01 Thread Matthew

Hello,
I noticed my email client was taking just over two minutes to start up, 
with the mail folder being accessed from a share on an NFS server.  
After rebuilding my workstation (due to h/w heating problems), I deleted 
my 50,000 emails from freebsd-questions, and ipfw folders.  Now the 
email client opens the NFS share and starts up in under two seconds :)  
However, now I must use mmsearch at lists.freebsd.org to search mailing 
list archives. This gives me Internal Server Error on most of my 
searches, so I decided to post my question here.


I have been running a FreeBSD server in my basement for nearly a decade, 
and like some on this email list, I also ran into trouble when 
rebuilding my bind environment in a new server environment. (Server ran 
out of space and my root partition was too small, so I decided to 
rebuild the box, only to be reminded BIND is tricky to configure.)


The BIND files look like Greek to me (no offense intended to Grecians.)  
It's been at least eight years since I read much of "DNS and Bind" and my
copy is now languishing at some former client or employer. I've been 
reading man pages, handbooks, and the like for days. Here's my immediate 
problem:


After building the server, with jails, before putting BIND in the jail, 
I decided to get it working in the host FreeBSD environment.


# uname -a
FreeBSD www.mbpesecurity.com 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 
19 02:55:53 UTC 2010 
r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386


From this dir:

# pwd
/var/named/etc/namedb (symlinked to /etc/namedb)

When I start bind:

# /etc/rc.d/named onestart
Starting named.
/etc/rc.d/named: WARNING: failed to start named

# pwd
/var/named/etc/namedb
www# ls named.root
named.root

Syslogs Show:
Oct  1 12:36:35 www named[4663]: starting BIND 9.6.2-P2 -t /var/named -u 
bind
Oct  1 12:36:35 www named[4663]: built with '--prefix=/usr' 
'--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' 
'--disable-ipv6' '--enable-getifaddrs' '--disable-linux-caps' 
'--with-openssl=/usr' '--with-randomdev=/dev/random' '--without-idn' 
'--without-libxml2'
Oct  1 12:36:35 www named[4663]: *could not configure root hints from 
'named.root': file not found*

Oct  1 12:36:35 www named[4663]: loading configuration: file not found
Oct  1 12:36:35 www named[4663]: exiting (due to fatal error)
Oct  1 12:36:35 www mpope: /etc/rc.d/named: WARNING: failed to start named

This perplexes me since 'named.root' is in the starting dir: 
/etc/namedb, and the 'master' subdir: /etc/namedb/master.

# pwd
/var/named/etc/namedb  (symlinked dir for /etc/namedb)

www# ls -ald *
drwxr-xr-x  3 root   wheel   512 Oct  1 12:28 aborted
drwxr-xr-x  2 bind   wheel   512 Oct  1 12:33 dynamic
drwxr-xr-x  2 root   wheel   512 Oct  1 12:36 master
-rw-r--r--  1 root   wheel  1783 Oct  1 12:29 named.conf
-rw-r--r--  1 named  named  3082 Sep 30 17:44 *named.root*
-rw-------  1 bind   wheel    97 Sep 30 17:20 rndc.key
drwxr-xr-x  2 bind   wheel   512 Oct  1 12:33 slave
drwxr-xr-x  2 bind   wheel   512 Oct  1 12:36 working

# ls master
0.0.127.IN-ADDR.ARPA      empty.db          *named.root*
171.248.206.IN-ADDR.ARPA  mbpesecurity.com
db.bind                   named.localhost

Perhaps BIND is actually starting from some other directory?  Here is a 
list of all namedb hits.
Since I'm not starting from the jail yet, the only other named dir is in 
/usr/src/etc/named, the build dir, see listing below.


# pwd
/var/named/etc/namedb

# find / -name namedb
/usr/src/etc/namedb                         <== only other named dir
/usr/home/j/mroot/usr/src/etc/namedb        <== START of JAIL related dirs
/usr/home/j/mroot/var/named/etc/namedb       |
/usr/home/j/skel/var/named/etc/namedb        |
/usr/home/j/ns/s/etc/namedb                  |
/usr/home/j/ns/s/var/named/etc/namedb        |
/usr/home/j/ns/usr/src/etc/namedb            |
/usr/home/j/ns/var/named/etc/namedb          |
/usr/home/j/mail/s/var/named/etc/namedb      |
/usr/home/j/mail/usr/src/etc/namedb          |
/usr/home/j/mail/var/named/etc/namedb        |
/usr/home/j/www/s/var/named/etc/namedb       |
/usr/home/j/www/usr/src/etc/namedb           |
/usr/home/j/www/var/named/etc/namedb         |
/usr/home/js/ns/etc/namedb                   |
/usr/home/js/ns/var/named/etc/namedb         |
/usr/home/js/mail/var/named/etc/namedb       V
/usr/home/js/www/var/named/etc/namedb       <== END of JAIL dirs

/etc/namedb                                 <<- symlink dest
/var/named/etc/namedb                       <<- symlink src

In the unlikely event BIND were running from the build dir 
(/usr/src/etc/named), th

Re: How do you automatically start Apache, Bind, etc. in a jail?

2010-07-22 Thread Glen Barber

On 7/22/10 7:19 PM, Ed Flecko wrote:

> Oh, O.K., so I CAN just download the tarball (from
> http://httpd.apache.org/), unpack and install it (just like any other
> source install) and specify the jail as the target or did I
> misinterpret you?

Do it from _inside_ the jail, not from the host.

Regards,

--
Glen Barber


Re: How do you automatically start Apache, Bind, etc. in a jail?

2010-07-22 Thread Ed Flecko
Oh, O.K., so I CAN just download the tarball (from
http://httpd.apache.org/), unpack and install it (just like any other
source install) and specify the jail as the target or did I
misinterpret you?

Sorry if I've missed your point!

:-)

Ed


Re: How do you automatically start Apache, Bind, etc. in a jail?

2010-07-22 Thread Glen Barber

On 7/22/10 7:07 PM, Glen Barber wrote:

>> Also, do you know for sure that compiling from source and specifying
>> the install target (i.e., ./configure --prefix=/PathToJail
>> --enable-ssl...etc., etc., etc???) won't work?
>
> It will work, sure, but make(1) and the port Makefile does this for you.

To be clear, you'd need the apache22 source tarball for that to work.
That isn't in the port directory (/usr/ports/www/apache22).  make(1) in
the port directory fetches the source tarball when the build starts.


Regards,

--
Glen Barber


Re: How do you automatically start Apache, Bind, etc. in a jail?

2010-07-22 Thread Glen Barber

On 7/22/10 6:51 PM, Ed Flecko wrote:

> Thanks Glen.
>
> :-)
>
> I'm not clear how I get the 'make config' to show the configuration
> screen or the 'make install' to compile and install???

Depending on what you've previously done in the www/apache22 directory,
a configuration may already exist.  'make showconfig' will tell you.  If
so, you can run 'make rmconfig' in the apache22 port directory, and a
subsequent 'make config' will display the configuration screen.
(Actually, I believe www/apache22 does this automatically if a
configuration doesn't already exist.)

> That might allow me to install Apache (with a limited number of
> modules) like I want, but I don't understand what you're suggesting.

The config screen will allow you to select/deselect various build-time
options, such as DAV, AUTH_BASIC, etc.

> Also, do you know for sure that compiling from source and specifying
> the install target (i.e., ./configure --prefix=/PathToJail
> --enable-ssl...etc., etc., etc???) won't work?

It will work, sure, but make(1) and the port Makefile does this for you.

> Thank you again!

You're welcome.

Regards,

--
Glen Barber


Re: How do you automatically start Apache, Bind, etc. in a jail?

2010-07-22 Thread Ed Flecko
Thanks Glen.

:-)

I'm not clear how I get the 'make config' to show the configuration
screen or the 'make install' to compile and install???

That might allow me to install Apache (with a limited number of
modules) like I want, but I don't understand what you're suggesting.



Also, do you know for sure that compiling from source and specifying
the install target (i.e., ./configure --prefix=/PathToJail
--enable-ssl...etc., etc., etc???) won't work?

Thank you again!

Ed


Re: How do you automatically start Apache, Bind, etc. in a jail?

2010-07-22 Thread Glen Barber

On 7/22/10 6:20 PM, Ed Flecko wrote:
> Hi folks,
> I have Apache installed in a "qjail" named "webserver" (I.P. address
> 192.168.225.130) using the "pkg_add -r apache22" command, but how do
> you get Apache (or Bind, etc.) to automatically start upon boot?
> 
> I got the jail to start by adding qjail_enable="YES" to hosts'
> /etc/rc.conf and I also added apache22_enable="YES", but that doesn't
> seem to work.
> 

You would need to add apache22_enable="YES" to the jail's rc.conf, not
the host's.

> Suggestions?
> 
> 
> 
> Also, when I console into the jail, and issue an "apachectl start"
> command, I get the following error:
> 
> httpd: apr_sockaddr_info_get() failed for webserver
> httpd: Could not reliably determine the server's fully qualified
> domain name, using 127.0.0.1 for ServerName
> 

Edit httpd.conf, adding a ServerName directive.  (An example exists in
the file, so you can model after that.)  If you don't have a FQDN, use
the jail's hostname, and add that hostname to the jail's /etc/hosts.

> I figured out if I add the IP address of the jail as well as
> "webserver" to the jails' hosts file, I can start Apache, but I still
> get this error:
> 
> httpd: Could not reliably determine the server's fully qualified
> domain name, using 192.168.225.130 for ServerName
> 
> What am I doing wrong?
> 
> 
> 
> Finally, rather than installing Apache using the typical "pkg_add -r
> apache22" command, is there a way to install Apache using the
> ./configure script? In MY case, I know the EXACT parameters I want to
> pass to the ./configure script (like enabling SSL, etc), but I don't
> know how to do this in a "jail".
> 

You can build from source if you like, but ports are easier, IMHO.

Have a look here for more information on the ports tree:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports.html

> From the jail console, I tried:
> 
> cd /usr/ports/www/apache22
> ./configure --enable-ssl...etc., etc., etc.???
> 

'make config' to show the configuration screen; 'make install' to
compile and install.

> but this doesn't work.
> 
> Do I need to do the opposite, i.e., from the HOST console:
> 
> ./configure --prefix=/PathToJail --enable-ssl...etc., etc., etc???
> 

Nope; have a look at the link I pasted above.  I think you might like
the ports tree rather than compiling from source, since all of the "hard
work" has already been taken care of for you.

Regards,

-- 
Glen Barber


How do you automatically start Apache, Bind, etc. in a jail?

2010-07-22 Thread Ed Flecko
Hi folks,
I have Apache installed in a "qjail" named "webserver" (I.P. address
192.168.225.130) using the "pkg_add -r apache22" command, but how do
you get Apache (or Bind, etc.) to automatically start upon boot?

I got the jail to start by adding qjail_enable="YES" to hosts'
/etc/rc.conf and I also added apache22_enable="YES", but that doesn't
seem to work.

Suggestions?



Also, when I console into the jail, and issue an "apachectl start"
command, I get the following error:

httpd: apr_sockaddr_info_get() failed for webserver
httpd: Could not reliably determine the server's fully qualified
domain name, using 127.0.0.1 for ServerName

I figured out if I add the IP address of the jail as well as
"webserver" to the jails' hosts file, I can start Apache, but I still
get this error:

httpd: Could not reliably determine the server's fully qualified
domain name, using 192.168.225.130 for ServerName

What am I doing wrong?



Finally, rather than installing Apache using the typical "pkg_add -r
apache22" command, is there a way to install Apache using the
./configure script? In MY case, I know the EXACT parameters I want to
pass to the ./configure script (like enabling SSL, etc), but I don't
know how to do this in a "jail".

From the jail console, I tried:

cd /usr/ports/www/apache22
./configure --enable-ssl...etc., etc., etc.???

but this doesn't work.

Do I need to do the opposite, i.e., from the HOST console:

./configure --prefix=/PathToJail --enable-ssl...etc., etc., etc???

Thank you!

Ed


Re: BIND Refusing to Resolve for External Hosts

2010-07-05 Thread Ian Smith
In freebsd-questions Digest, Vol 317, Issue 13, Message: 14
On Sat, 3 Jul 2010 14:20:01 -0700 Chris Maness wrote:

 > Ok, it is working for the local net now, but it is no longer working
 > as an authoritative server for my zones.
 > 
 > Here is the current config:
 > 
 > // $FreeBSD: src/etc/namedb/named.conf,v 1.26.2.2.2.1 2008/11/25
 > 02:59:29 kensmith Exp $
 > //
 > // Refer to the named.conf(5) and named(8) man pages, and the documentation
 > // in /usr/share/doc/bind9 for more details.

Indeed, the ARM be deep and wide, but pretty well essential reading ..

[..]

 > // Set up an ACL called our-nets. Replace this with the real IP numbers.
 > 
 > acl our-nets { 192.168.1.0/24; 76.238.148.145/24; 127.0.0.1; };
 > 
 > options {
 > // Relative to the chroot directory, if any
 > directory       "/etc/namedb";
 > pid-file        "/var/run/named/pid";
 > dump-file       "/var/dump/named_dump.db";
 > statistics-file "/var/stats/named.stats";
 > allow-transfer {
 > 76.238.148.146; };
 > allow-query { our-nets; };
 > allow-recursion { our-nets; };
 > };

What Matthew said, of course .. just to add that:

Anything set in options is global, so here 'allow-query { our-nets; };'
is why you later found the need, in Message: 15 :)

[..]

 > Ahhh, I see I need to add:
 > 
 > allow-query { any; };
 > 
 > to my authoritative zones.
 > 
 > Thanks it all works now.
 > 
 > Chris Maness
 > 
 > 
 > p.s.  So was this a change in the default behavior of BIND over the
 > years?  Because I don't think my named.conf has been changed, and this
 > used to work for any hosts.

I gather you didn't have that acl limiting queries to our-net before .. 
and yes bind is always on the move, keeping ahead of the moving badguys.

cheers, Ian
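Ian's point that anything in `options` is global, so the authoritative zones need their own `allow-query { any; };` while recursion stays limited to our-nets, as an added Python example that is not code from the thread: a small model of BIND's address-match-list evaluation and of the options-versus-zone inheritance, run against the thread's our-nets ACL and a constructed zone before and after the fix. The zone name example.test and the external client 203.0.113.7 are constructed; the ACL semantics modelled are the subset named in the comments.

```python
import ipaddress

# Named ACLs, taken from the acl statement in the thread's named.conf.
ACLS = {
    "our-nets": ["192.168.1.0/24", "76.238.148.145/24", "127.0.0.1"],
}

# Global options. Everything here applies to every zone unless the zone
# overrides the directive itself, which is the behaviour Ian points out.
OPTIONS = {"allow-query": ["our-nets"], "allow-recursion": ["our-nets"]}

# Constructed zone sets (not from the thread). BEFORE matches the config
# Chris first posted: the authoritative zone inherits allow-query from
# options, so hosts outside our-nets are refused. AFTER adds the per-zone
# override he ended up needing, while recursion stays restricted.
ZONES_BEFORE = {"example.test": {"type": "master"}}
ZONES_AFTER = {"example.test": {"type": "master", "allow-query": ["any"]}}

# Documented BIND default when neither the zone nor options set allow-query.
DEFAULTS = {"allow-query": ["any"]}


def _element_matches(addr, element):
    """Evaluate one address-match-list element against an ip_address object.

    Returns True (accept), False (a negated element matched, reject) or None
    (no match, keep scanning). Assumption: only "any", "none", named ACLs,
    "!" negation and IP/CIDR literals are modelled; TSIG keys, "localhost"
    and "localnets" are not.
    """
    negate = element.startswith("!")
    if negate:
        element = element[1:].strip()
    if element == "any":
        matched = True
    elif element == "none":
        matched = False
    elif element in ACLS:
        # A nested ACL matches only if it would accept the address itself.
        matched = _scan(addr, ACLS[element])
    else:
        matched = addr in ipaddress.ip_network(element, strict=False)
    if not matched:
        return None
    return not negate


def _scan(addr, match_list):
    """First matching element wins; an exhausted list rejects the address."""
    for element in match_list:
        verdict = _element_matches(addr, element)
        if verdict is not None:
            return verdict
    return False


def address_allowed(address, match_list):
    """Does this address-match list accept the given source address?"""
    return _scan(ipaddress.ip_address(address), match_list)


def effective_list(zones, zone_name, directive):
    """Zone setting if present, else the global option, else BIND's default."""
    zone = zones[zone_name]
    if directive in zone:
        return zone[directive]
    if directive in OPTIONS:
        return OPTIONS[directive]
    return DEFAULTS.get(directive, ["none"])


def query_allowed(zones, zone_name, source):
    """Would named answer a query for zone_name from this source address?"""
    return address_allowed(source, effective_list(zones, zone_name, "allow-query"))


def recursion_allowed(source):
    """Would named recurse for this source? allow-recursion lives in options."""
    return address_allowed(source, OPTIONS.get("allow-recursion", ["none"]))


if __name__ == "__main__":
    # 192.168.1.10 is inside our-nets; 203.0.113.7 is a constructed outside client.
    for label, zones in (("before", ZONES_BEFORE), ("after", ZONES_AFTER)):
        for src in ("192.168.1.10", "203.0.113.7"):
            print(label, src, "query:", query_allowed(zones, "example.test", src),
                  "recursion:", recursion_allowed(src))
```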


Re: BIND Refusing to Resolve for External Hosts

2010-07-03 Thread Matthew Seaman

On 03/07/2010 22:29:46, Chris Maness wrote:
> Ahhh, I see I need to add:
> 
> allow-query { any; };
> 
> to my authoritative zones.
> 
> Thanks it all works now.

Great.

> p.s.  So was this a change in the default behavior of BIND over the
> years?  Because I don't think my named.conf has been changed, and this
> used to work for any hosts.

The built-in access control rules have evolved over time, certainly.
However, this hasn't changed since BIND 9.6 was released, and possibly
longer than that.  RELENG_8 and above have contained BIND 9.6.x from the
point where the branch was created, but RELENG_7 contains BIND 9.4.x --
so if you've done an upgrade from 7.x to 8.x recently it might explain
your experiences.

The pre-canned configuration that comes with FreeBSD is suitable for use
as a localhost-only recursive resolver: if you want to serve a whole
network of machines or add authoritative data then you will need to
modify it or craft your own named.conf, an important part of which is
setting up ACLs to control what you will serve to who.  This is a very
useful reference:

  http://www.cymru.com/Documents/secure-bind-template.html

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW


Re: BIND Refusing to Resolve for External Hosts

2010-07-03 Thread Chris Maness
Ahhh, I see I need to add:

allow-query { any; };

to my authoritative zones.

Thanks it all works now.

Chris Maness


p.s.  So was this a change in the default behavior of BIND over the
years?  Because I don't think my named.conf has been changed, and this
used to work for any hosts.


Re: BIND Refusing to Resolve for External Hosts

2010-07-03 Thread Chris Maness
Ok, it is working for the local net now, but it is no longer working
as an authoritative server for my zones.

Here is the current config:

// $FreeBSD: src/etc/namedb/named.conf,v 1.26.2.2.2.1 2008/11/25
02:59:29 kensmith Exp $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

// Set up an ACL called our-nets. Replace this with the real IP numbers.

acl our-nets { 192.168.1.0/24; 76.238.148.145/24; 127.0.0.1; };

options {
// Relative to the chroot directory, if any
directory       "/etc/namedb";
pid-file        "/var/run/named/pid";
dump-file       "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
allow-transfer {
76.238.148.146; };
allow-query { our-nets; };
allow-recursion { our-nets; };
};

// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
//  listen-on   { 127.0.0.1; };

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".
//  listen-on-v6{ ::1; };

// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
/*
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone
"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone
"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

*/

// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
//  forward only;

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
forwarders {
127.0.0.1;
};
*/
/*
   Modern versions of BIND use a random UDP port for each outgoing
   query by default in order to dramatically reduce the possibility
   of cache poisoning.  All users are strongly encouraged to utilize
   this feature, and to configure their firewalls to accommodate it.

   AS A LAST RESORT in order to get around a restrictive firewall
   policy you can try enabling the option below.  Use of this option
   will significantly reduce your ability to withstand cache poisoning
   attacks, and should be avoided if at all possible.

   Replace N in the example with a number between 49160 and 65530.
*/
// query-source address * port N;

// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

// The traditional root hints mechanism. Use this, OR the slave zones below.
zone "." { type hint; file "named.root"; };

/*  Slaving the following zones from the root name servers has some
significant advantages:
1. Faster local resolution for your users
2. No spurious traffic will be sent from your network to the roots
3. Greater resilience to any potential root server failure/DDoS

On the other hand, this method requires more monitoring than the
hints file to be sure that an unexpected failure mode has not
incapacitated your server.  Name servers that are serving a lot
of clients will benefit more from this approach than individual
hosts.  Use with caution.

To use this mechanism, uncomment the entries below, and comment
the hint zone above.
*/
/*
zone "." {
type slave;
file "slave/root.slave";
masters {
192.5.5.241;    // F.ROOT-SERVERS.NET.
};
notify no;
};

zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "master/localhost.rev";
};
zone "in-addr.arpa" {
type slave;
file "slave/in-addr.arpa.slave";
masters {
192.5.5.241;    // F.ROOT-SERVERS.NET.
};
notify no;
};
*/

/*  Serving the following zones locally will prevent any quer

Re: BIND Refusing to Resolve for External Hosts

2010-07-03 Thread Chris Maness
On Sat, Jul 3, 2010 at 12:52 PM, Matthew Seaman wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 03/07/2010 20:28:27, Chris Maness wrote:
>> Including the line:
>>
>> acl public-nets { 127.0.0.1; ::1; }
>                                     ^
>        You need a semi-colon here __|

I am on gmail with variable width font.  I am not sure exactly where I
need the semi colon.

>
> Just defining the acl won't do a great deal on its own -- you need to
> add it to an allow-recursion {}; or similar block.
>

Sorry, Matt.  I haven't had to mess with the configuration file in 10
years.  Everything just worked until recently (probably the upgrade).
I am running a small Web/DNS/Mail server in my house.  I like using a
local recursive server as it has been faster than the alternatives in
the past.  Currently, my local net is using the DSL router as its
upstream DNS.  So without rambling too much.  I am a bit simple at
this stuff, and a little confused.  I could switch to another DNS
server, but for academic purposes, I want to learn this stuff.  I am
looking at some example files from the ISC link you sent me:

http://www.isc.org/files/arm96.html#sample_configuration

I was thinking of just rebuilding the file from scratch as my current
file is Greek to me.  However, the examples posted are for recursive
only and authoritative only.  Since my server is a hybrid, I am
wondering which directives might interfere with the other.

Moreover I had a look at the security section from that link:

http://www.isc.org/files/arm96.html#Bv9ARM.ch07

Here is what I added to my named.conf.  I guess over time they have
increased the default security of BIND so that old files don't allow
recursion from outside hosts by default.

// Set up an ACL called our-nets. Replace this with the real IP numbers.

acl our-nets { 192.168.1.0/24; };

options {
// Relative to the chroot directory, if any
directory       "/etc/namedb";
pid-file        "/var/run/named/pid";
dump-file       "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
allow-transfer {
76.238.148.146; };
allow-query { our-nets; };
allow-recursion { our-nets; };
};


Thanks,
Chris Maness


Re: BIND Refusing to Resolve for External Hosts

2010-07-03 Thread Matthew Seaman

On 03/07/2010 20:28:27, Chris Maness wrote:
> Including the line:
> 
> acl public-nets { 127.0.0.1; ::1; }
                                     ^
        You need a semi-colon here __|

> for testing resulted in a failure to launch with the following error code:
> 
> /etc/namedb/named.conf:23: unknown option 'acl'
> /etc/rc.d/named: ERROR: named-checkconf for $named_conf failed

Just defining the acl won't do a great deal on its own -- you need to
add it to an allow-recursion {}; or similar block.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW


Re: BIND Refusing to Resolve for External Hosts

2010-07-03 Thread Chris Maness
On Thu, Jul 1, 2010 at 7:33 AM, Matthew Seaman wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On 01/07/2010 15:05:37, Chris Maness wrote:
>> Can a sub block of IP address space be used, and if so, what is the
>> wild card?
>
> Yes.  You can use lists of IPs or address-and-mask in BIND ACLs.  See:
>
> http://www.isc.org/files/arm96.html#address_match_lists
>
> and
>
> http://www.isc.org/files/arm96.html#id2553419
>
> So, for example, I use this in my own BIND configuration:
>
> acl public-nets {
>    127.0.0.1;
>    ::1;
>    81.187.76.160/29;
>    81.187.220.164;
>    2001:8b0:151:1::/64;
> };
>
>        Cheers,
>
>        Matthew
>
>
> --

Including the line:

acl public-nets { 127.0.0.1; ::1; }

for testing resulted in a failure to launch with the following error code:

/etc/namedb/named.conf:23: unknown option 'acl'
/etc/rc.d/named: ERROR: named-checkconf for $named_conf failed

It seems as though BIND did not recognize this option.  Is there
something that I need to enable in order to use this option?

Thanks,
Chris Maness


Re: BIND Refusing to Resolve for External Hosts

2010-07-01 Thread Matthew Seaman

On 01/07/2010 15:05:37, Chris Maness wrote:
> Can a sub block of IP address space be used, and if so, what is the
> wild card?

Yes.  You can use lists of IPs or address-and-mask in BIND ACLs.  See:

http://www.isc.org/files/arm96.html#address_match_lists

and

http://www.isc.org/files/arm96.html#id2553419

So, for example, I use this in my own BIND configuration:

acl public-nets {
127.0.0.1;
::1;
81.187.76.160/29;
81.187.220.164;
2001:8b0:151:1::/64;
};

Cheers,

Matthew


-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW

