/var overflow and named pipes?
Hi all,

After running for a whopping 10 days or so, during which the use of my /var as shown by df stayed at 62%, my system hung in X. I was able to exit to a vty using Ctrl-Alt-Fn. At that point I killed X using kill -SIGHUP. I then attempted to restart X. It came up, but in a clobbered condition with some icons under xfwm4 not showing, and some of the top menu bar text hosed (showing the square box char which usually indicates bad character data). I was able to shut it down by exiting the controlling xterm.

Somewhere in there I'm pretty sure I saw a message something like

    Too many named pipes

When trying to start X again, there were a boatload of messages:

    Fatal IO Error 35 (Resource temporarily unavailable) on X server :0.0

Messages showed up for programs being started in the startx script (xfwm4, xterm) and some spawned by those (thunar...). Then the message:

    XIO: Fatal IO error 35 (...) after 518 requests (388 known processed) with 0 events remaining

At that point, /var was at 109%. Examining /var, there was one huge file, Xorg.0.log. Neither head nor tail nor the portions of the interior I've looked at of that file shows anything particularly interesting; however, what is interesting is it seems to contain a never-ending repeat of reinitialization of the graphics card for monitor configuration. I copied the offending Xorg.0.log file to save it in a place with more space so I could examine it later, then deleted it. Portion appended below.

However, when I restarted X I was still getting the fatal IO errors, so I shut down the system and rebooted.

Also, since I was editing several (small) text files using vi, upon rebooting I got the usual messages about recovery. One of those files, when I attempted recovery, indicated it was huge. The file itself was small, ~180 lines, and had been saved already, so the huge recovery file was somehow corrupt. I interrupted the recovery attempt (^C, took a *long* time to respond), checked /var size with du, and it was still only 62%, so I may have averted another overflow there.

/var/log/messages shows nothing for 16 hrs and then:

    Sep 24 16:22:01 breakaway kernel: pid 59110 (dd), uid 2 inumber 113248 on /var: filesystem full
    Sep 24 16:33:00 breakaway kernel: pid 79946 (dd), uid 2 inumber 113453 on /var: filesystem full
    Sep 24 17:33:00 breakaway last message repeated 501 times
    etc...

I *think* all of the above is true; unfortunately, I didn't write notes until some things had passed and some notes were incomplete as to where in the process they occurred.

Questions:

1. Can anyone shed light on the "too many named pipes" message? Is this likely caused by xfwm4 / thunar IPC?

2. Is the XIO error 35 (Resource temporarily unavailable) probably referring to the unavailability of named pipes? Or the unavailability of space in the Xorg.0.log file? Or does a pipe require space on /var and therefore when /var fills, no pipes are available? Are the X log files supposed to cycle the way system logs do?

3. Is there a way to see which processes have named pipes opened? After killing X and restarting, /usr/local/libexec/gam_server was still running and showing a runtime of 6472:54.82, very large compared to everything else. It's my understanding gam_server is used to detect changes in a file or directory, and might be using pipes for this purpose. Is this likely holding onto pipes? Is there an easy way to cause it to exit when X exits?

4. I've noticed the growing Xorg.0.log file in the past, but since /var was staying small it seemed like I had plenty of room. Then it seemed to suddenly explode when the system hung. Is this a known issue with resetting the graphics card? (In this case an unsupported Visiontek 900331 which used Radeon HD 5550.) There is a Red Hat bug which may be relevant: https://bugzilla.redhat.com/show_bug.cgi?id=820731 Would getting a different graphics card likely solve this issue?

5. This *feels* like a sudden runaway condition. Shouldn't I normally get mail indicating /var is full before reaching 109%? There's 10 min between the first two full messages, and I didn't get *any* file sys full messages.

Minor Issue: /var/tmp contains a number of empty directories with names virtual-[user].xx and gvfs-[user]-xx. cleanvar_enable is set in /etc/defaults/rc.conf, I have not overridden it; but these dirs are obviously not being removed. Do I need to specifically turn on

    daily_clean_tmps_enable
    daily_clean_disks_enable

Are there any reasons *not* to turn these on? In particular, if things are still running using some files in those places which were created early enough to be candidates for deletion?

Thanks for any insights,
Gary

Xorg.0.log repeated sequence =

    (II) RADEON(0): Monitor name: LCD1970NX
    (II) RADEON(0): Serial No: 57302818YA
    (II) RADEON(0): EDID (in hex):
    (II) RADEON(0
Named | Annoying behaviour
Dear group,

I lately face an issue with BIND 9.4.-ESV-R4-P1. According to my log file, I get the following error:

    Aug 4 12:00:03 triton named[93266]: starting BIND 9.4.-ESV-R4-P1 -c /etc/namedb/named.conf -t /var/named -u bind
    Aug 4 12:00:03 triton named[93266]: command channel listening on 127.0.0.1#953
    Aug 4 12:00:03 triton named[93266]: command channel listening on ::1#953
    Aug 4 12:00:03 triton named[93266]: _the working directory is not writable_
    Aug 4 12:00:03 triton named[93266]: running

I tried to chmod w+g the respective directory, but it is set to default again by bind itself. Can someone tell me how I can resolve the +w on the working directory?

BR,
Jos Chrispijn

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Named | Annoying behaviour
on 04/08/2011 11:33, Jos Chrispijn wrote:
> I lately face an issue with BIND 9.4.-ESV-R4-P1.

I deduce that you are running FreeBSD 7.x

> According to my log file, I get the following error:
>
>     Aug 4 12:00:03 triton named[93266]: starting BIND 9.4.-ESV-R4-P1 -c /etc/namedb/named.conf -t /var/named -u bind
>     Aug 4 12:00:03 triton named[93266]: command channel listening on 127.0.0.1#953
>     Aug 4 12:00:03 triton named[93266]: command channel listening on ::1#953
>     Aug 4 12:00:03 triton named[93266]: _the working directory is not writable_
>     Aug 4 12:00:03 triton named[93266]: running
>
> I tried to chmod w+g the respective directory, but it is set to default again by bind itself. Can someone tell me how I can resolve the +w on the working directory?

By default, the permissions on and location of Bind's working directory should be:

    % ls -lad /etc/namedb/working
    drwxr-xr-x  2 bind  wheel  6 Aug  4 11:26 /etc/namedb/working/

Now, as you're clearly running named under the bind user ID, this suggests that perhaps you have some other directory defined as your working directory in named.conf. Check the 'directory' setting in the options {}; block.

The location of the working directory was changed not so long ago -- http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/namedb/named.conf#rev1.30 -- due to the requirement for named to track various data to do with DNSSEC. Previously, the working directory was /etc/namedb, but simply making this writable by named would have meant a process with the credentials that named runs as could re-write named's configuration file; an unacceptable security risk for a daemon exposed to the internet. One unfortunate consequence is that any relative paths within named.conf have to be altered accordingly.

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
Re: Named | Annoying behaviour
Matthew Seaman:
> One unfortunate consequence is that any relative paths within named.conf have to be altered accordingly.

Thanks for your detailed explanation, I will follow up and let you know if I managed to solve it.

BR
Jos Chrispijn
fuser(1): do FIFOs and sockets count as named files?
fuser(1) man page mentions the tool is supposed to list processes that have specified named file(s) open. As there are several types of files (according to stat(2)) it's not clear which are supported, e.g.

    $ (mkfifo foo.fifo; cat foo.fifo) & nc -lU foo.socket &
    $ fuser foo.*
    foo.fifo:
    foo.socket:
    $ procstat -af | awk 'NR == 1 || /foo/'
      PID COMM  FD T V FLAGS REF OFFSET PRO NAME
     6672 cat    0 f - rw--    2      0   - /home/luser/foo.fifo
    11493 nc     3 s - rw--    2      0 UDS foo.socket
    $ fstat | awk 'NR == 1 || $2 ~ /cat/ && $4 ~ 0 || $2 ~ /nc/ && $4 ~ 3'
    USER  CMD   PID FD MOUNT        INUM MODE         SZ|DV R/W
    luser nc  11493 3* local stream fe00a980d690
    luser cat  6672  0 /home/luser  5982 prw-r--r--       0 rw

fuser(1) on BusyBox/Linux does show open FIFOs, not sure about sockets.

--
FreeBSD 9.0-CURRENT r47M amd64
named/bind problems....
Yesterday noon my time I rebooted my server. Things seemed to be slow. Several streams were hanging or stopping, and because ethic.thought.org had been up for 61 days I figured it wouldn't hurt to reinitialize stuff. Well, nutshell, disaster. For hours it wasn't clear whether the server would survive, but eventually I got a portupgrade -avOPk going and now I am close to having every port rebuilt.

Now host kuow.org gives the IP address of the U/Washington. Etc. Last night for unknown reasons even this failed. I remembered that late last fall I was warned the bind9 was nearing its end/life. I okayed the portupgrade to remove bind9 and install whatever its follow-up would be. Since then, my kill9named script[s] and my restartnamed script[s] have failed.

Can anyone save me from hours of tracking down whatever I have to to put things right? Every time I get in trouble with this bind stuff it occurs to me how significant an achievement it is to have a service that automagically maps quad/dotted-decimals to actual words.

Sorry if this sounds disjoint; it is past time for a lollipop and a blanket and a *nap*

gary

--
Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
The 7.97a release of Jottings: http://jottings.thought.org/index.php
http://journey.thought.org
ethic
Re: named/bind problems....
Sorry to see you are still having issues. I thought you were set when we fixed your resolv last night.

Okay - let's start from scratch here. Are you sure you need a named? Are you actually serving DNS for your own IP addresses or are you using it as a caching server? Getting a new named working/installed is not an issue. Config files are usually an issue. If you can explain your network topology and what you are trying to make work I can probably point you in the right direction.

We did get your local resolution issue solved didn't we?

RB
Re: named/bind problems....
On Wed, Jan 19, 2011 at 06:11:23PM -0500, Robert Boyer wrote:
> Sorry to see you are still having issues. I thought you were set when we fixed your resolv last night.
>
> Okay - let's start from scratch here. Are you sure you need a named? Are you actually serving DNS for your own IP addresses or are you using it as a caching server? Getting a new named working/installed is not an issue. Config files are usually an issue. If you can explain your network topology and what you are trying to make work I can probably point you in the right direction.

Last night I was on the right track; then suddenly things broke and I have no idea why.

From the modem/router, the wire goes thru my firewall that runs pfSense. Then output from the firewall plugs into my switch. My DNS/Mail/web server is a separate box that plugs into the hub/switch as well. [I think; it is hard for me to get down and crawl around under the desk.]

The server has been running named since April, '01. I read DNS AND BIND to get things going; then in late '07 serious network troubles and help from someone in the Dallas Ft-Worth area reconfigured my network. This fellow mostly edited the /etc/namedb/named.conf and related files. I also host a friend's site, gratis. He is a builder; we have been friends for nearly twenty years. His site is a very small part of the picture; I mention it only to emphasize that my setup is not entirely trivial.

Would it help to shar or tarball up my namedb files?

FWIW, I am logged into ethic on a console. Usually I work in X11 and have xset r off set to prevent key bounces.

> We did get your local resolution issue solved didn't we?

I think in KVM'ing from tao to ethic and back, the configuration we set up last night broke. At least, in watching portupgrade draw in more and more files [on ethic], when I KVM back to my desktop, the mutt settings get lost.

-gary

> RB
Re: named/bind problems....
okay, let's start from the beginning here...

1) Do you have your own IP address and IP address block that you are hosting DNS for or is it local only?

2) from talking with you last night I want to make sure you are aware of two things...

  A) resolv.conf is used for name resolution on EVERY system; it tells ALL of the software where to get name services from. We fixed this last night for one of your systems by pointing it at a name server that works (the one you had did not work)

  B) named provides name services (as well as forwarding to other dns services) and can be pointed to by resolv.conf on your local systems - if it is not working AND your local resolv.conf files are pointing there your name resolution will not work.

  C) you can get internet name services working temporarily by using some of the servers I gave you, 8.8.8.8 and 8.8.4.4, in all of your resolv.conf files - you don't need named to work for this. You can also use /etc/hosts for your couple of local name/address translations as a workaround until you get named working again.

3) dig is your friend for debugging named - you can use

    dig @local-dns-address lookup-name

   to debug your named while still using external name servers in your resolv.conf and local naming in /etc/hosts until you ACTUALLY are sure your local named is working.

4) The only thing you really really need a local named for is if you have a real IP block that you are responsible for providing name services on the internet for - rarely the case, and even if you do you can temporarily jam the names you care about in another DNS server somewhere out there like zoneedit or free dns temporarily. Get your stuff working then debug your named.

RB
Re: named/bind problems....
Hey:

I quit out of portupgrade when it tried to pull over 200MB of stuff, did a pkgdb -Fv; then found the new xdm actually works! So I am back with two or more xterms/Konsoles and able to type legibly. Dunno what happened but ain't asking no questions. At least now I will be able to use my 4-port KVM switch to mv back and forth from here on ethic [Server] to tao [Desktop], and have fewer troubles. :_)

On Wed, Jan 19, 2011 at 06:11:23PM -0500, Robert Boyer wrote:
> Sorry to see you are still having issues. I thought you were set when we fixed your resolv last night.
>
> Okay - let's start from scratch here. Are you sure you need a named? Are you actually serving DNS for your own IP addresses or are you using it as a caching server?

I am actually serving my own DNS for 209.180.213.209-//213. No ethic, my domain disappears from the world. Note that friends say that I am a bit nuts to do this myself; they think I should just pay somebody to host my sites. There is www, jottings, journey, transfinite, the site that hosts my library writing group, and the site that hosts my friend's business site.

> Getting a new named working/installed is not an issue. Config files are usually an issue. If you can explain your network topology and what you are trying to make work I can probably point you in the right direction.
>
> We did get your local resolution issue solved didn't we?

Somehow, with ^nameserver 8.8.8.8 added to my /etc/resolv.conf I got even my Firefox webserver working on tao. Not now.

Now that you know that I actually have ns1.thought.org [[ ==ethic.thought.org ]]; that it serves my DNS, what next? I admit to only having glanced at the new bind97. At 01:30 I was helping my daughter with an English paper.

gary

> RB
Re: How to Best Prevent Unwanted named installation
On Fri, 10 Sep 2010 15:58:42 -0500
Martin McCormick mar...@dc.cis.okstate.edu wrote:

> After successfully installing bind97 from a package on to a new server, I do a cvs-sup of the system to get the latest patches in to the kernel. After discovering that bind97 had been replaced with bind9.6.1,

Presumably that's because you explicitly configured the port version to install in the same place as the system version. It doesn't do that by default.
Re: How to Best Prevent Unwanted named installation
On 09/10/10 21:58, Martin McCormick wrote:
> After successfully installing bind97 from a package on to a new server, I do a cvs-sup of the system to get the latest patches in to the kernel. After discovering that bind97 had been replaced with bind9.6.1, I looked in /usr/src and there is a contrib/bind9 directory. What is the safest way to disable that build without adversely affecting the rest of the update?
>
> The reason for doing these things in this order is that I would like to get bind running as quickly as possible since it takes a couple of hours or more to get the world built when we could be doing DNS. Since I am not using that version of bind, not getting it built is no problem. I don't even care if it gets built so long as it does not end up in /usr/sbin to clobber the new bind9.7.

If your ports version of named is in /usr/sbin you must have enabled the REPLACE_BASE option in the port.

From man src.conf:

    WITHOUT_BIND
        Setting this variable will prevent any part of BIND from being built.
        When set, it also enforces the following options:
        [list of sub options snipped]

Add

    WITHOUT_BIND= true

into /etc/src.conf, and the next time you rebuild the world the base system bind will be left out of it.
How to Best Prevent Unwanted named installation
After successfully installing bind97 from a package on to a new server, I do a cvs-sup of the system to get the latest patches in to the kernel. After discovering that bind97 had been replaced with bind9.6.1, I looked in /usr/src and there is a contrib/bind9 directory. What is the safest way to disable that build without adversely affecting the rest of the update?

The reason for doing these things in this order is that I would like to get bind running as quickly as possible since it takes a couple of hours or more to get the world built when we could be doing DNS. Since I am not using that version of bind, not getting it built is no problem. I don't even care if it gets built so long as it does not end up in /usr/sbin to clobber the new bind9.7.

This is not really a complaint. I just want to prevent the installation of the old bind over the new one as simply as possible.

Thanks.

Martin McCormick
Re: How to Best Prevent Unwanted named installation
At 04:58 PM 9/10/2010, Martin McCormick wrote:
> contrib/bind9 directory. What is the safest way to disable that build without adversely affecting the rest of the update?

Hi,

Take a look at the man page for src.conf (and make.conf for completeness). You can control parts of what gets built and installed.

---Mike

--
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet since 1994     www.sentex.net
Cambridge, Ontario Canada         www.sentex.net/mike
Re: Ownership of /var/named Changes on Reboot.
On 17/06/2010 04:21:34, Peter Boosten wrote:
> On 17-6-2010 4:58, Robert Huff wrote:
>> Martin McCormick writes:
>>> Is there a way to keep /var/named owned by bind across reboots?
>>
>> Yes. I had this happen for a long time. The bad news is it had been years since I fixed it, and I no longer remember exactly what I did. I will keep trying.
>
> Permissions are set using the mtree files: /etc/mtree/

Furthermore, the default setup *is* for named to run as an unprivileged process. The setup is very carefully designed so that named doesn't have write permission on the directory where its configuration files are stored, or on directories that contain static zone files, but it does have write permission on directories it uses for zone files AXFR'd from a master, or zone files maintained using dynamic DNS.

This used to generate a warning from bind about not having a writable current working directory -- which was basically harmless and could be ignored. However recent changes mean bind needs a writable working directory, so the latest layouts include /var/named/etc/namedb/working

Cheers,
Matthew
Re: Ownership of /var/named Changes on Reboot.
On 17 June 2010 08:47, Matthew Seaman m.sea...@infracaninophile.co.uk wrote:
> Furthermore, the default setup *is* for named to run as an unprivileged process. The setup is very carefully designed so that named doesn't have write permission on the directory where its configuration files are stored, or on directories that contain static zone files, but it does have write permission on directories it uses for zone files AXFR'd from a master, or zone files maintained using dynamic DNS.

so the logical extension to this is by changing the ownership of the directory to bind, you are making the configuration directory writeable, and therefore you are actually lowering security.
Re: Ownership of /var/named Changes on Reboot.
On 17/06/2010 09:37:03, krad wrote:
> So the logical extension to this is, by changing the ownership of the directory to bind, you are making the configuration directory writeable, and therefore you are actually lowering security.

Correct.

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
Re: Ownership of /var/named Changes on Reboot.
Matthew Seaman writes:
> Furthermore, the default setup *is* for named to run as an unprivileged process. The setup is very carefully designed so that named doesn't have write permission on the directory where its configuration files are stored, or on directories that contain static zone files, but it does have write permission on directories it uses for zone files AXFR'd from a master, or zone files maintained using dynamic DNS.
>
> This used to generate a warning from bind about not having a writable current working directory -- which was basically harmless and could be ignored. However recent changes mean bind needs a writable working directory, so the latest layouts include /var/named/etc/namedb/working

That turned out to be the issue. I reset the permissions to match the way they are when one first installs bind. Root owns /var/named but bind owns directories that should be writable, so the trick is to set one's named.conf file to reference writable directories for all the zones, logs and named.pid. It is now starting automatically on reboot just like it should.

While bind owns all the writable subdirectories, they all still have wheel as their GID. That appears to be okay since they are all only writable by owner.

Thanks for explaining this annoying little mystery that has dogged me at a minor level for years. I have been running bind for Oklahoma State University for close to 18 years and one tends to stick with configurations that work. It is just time to modernize and at least configure bind in the recommended way so as to take full advantage of the clever design.

It does still give the message that the working directory is not writable.

Martin McCormick
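As an added example (not FreeBSD's or BIND's own code) of the permission policy Matthew describes: a small Python audit that reads `ls -ld` output for the chroot directories and flags the two cases the thread discusses, a configuration directory writable by the bind user and a working directory that is not. The paths come from the thread; which directory belongs in which class, and the listings themselves, are this example's assumptions.

```python
"""Audit a BIND chroot's directory ownership against the policy the thread
describes: named runs unprivileged, its configuration and static zone
directories stay root-owned and read-only for it, and only the directories
for AXFR'd slave zones, dynamic zones and the working directory are owned
by the bind user. A blanket chown to bind (the shortcut the thread warns
against) shows up as a finding.

Added example, not FreeBSD's or BIND's own tooling. The listings below are
constructed `ls -ld` output; which paths fall in which class is this
example's assumption, only the paths themselves come from the thread.
"""
import stat
from dataclasses import dataclass

NAMED_USER = "bind"
NAMED_GROUPS = ("bind",)

# Assumed classification of the chroot directories.
READ_ONLY_FOR_NAMED = (
    "/var/named/etc/namedb",
    "/var/named/etc/namedb/master",
)
WRITABLE_FOR_NAMED = (
    "/var/named/etc/namedb/working",
    "/var/named/etc/namedb/slave",
    "/var/named/etc/namedb/dynamic",
)


@dataclass
class DirEntry:
    path: str
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o755


def parse_ls_ld(line):
    """Parse one `ls -ld` line such as
    'drwxr-xr-x  2 root  wheel  512 Jun 17 09:00 /var/named/etc/namedb'.
    Paths containing spaces are not handled."""
    fields = line.split()
    perms, owner, group, path = fields[0], fields[2], fields[3], fields[-1]
    mode = 0
    for i, ch in enumerate(perms[1:10]):
        # lowercase s/t imply the corresponding x bit is set; '-' and
        # uppercase S/T leave it clear (setuid/setgid/sticky are ignored)
        if ch in "rwxst":
            mode |= 0o400 >> i
    return DirEntry(path, owner, group, mode)


def writable_by(entry, user, groups):
    """Unix checks exactly one permission class: owner, else group, else other."""
    if entry.owner == user:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.group in groups:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def audit(listing, user=NAMED_USER, groups=NAMED_GROUPS):
    """Return findings as strings; an empty list means the layout matches the policy."""
    entries = {}
    for line in listing.splitlines():
        if line.strip():
            e = parse_ls_ld(line)
            entries[e.path] = e
    findings = []
    for path in READ_ONLY_FOR_NAMED + WRITABLE_FOR_NAMED:
        e = entries.get(path)
        if e is None:
            findings.append(f"{path}: missing from listing")
            continue
        if e.mode & stat.S_IWOTH:
            findings.append(f"{path}: world-writable ({e.mode:04o})")
        can_write = writable_by(e, user, groups)
        if path in READ_ONLY_FOR_NAMED and can_write:
            findings.append(
                f"{path}: writable by {user} (owned {e.owner}:{e.group}, mode "
                f"{e.mode:04o}); configuration directory should be root-owned "
                f"and read-only for {user}")
        elif path in WRITABLE_FOR_NAMED and not can_write:
            findings.append(
                f"{path}: not writable by {user}; named cannot store slave or "
                f"dynamic zones or its working files here")
    return findings


# Constructed listings. GOOD matches the layout Martin ends up with: root
# owns namedb, bind owns the writable subdirectories, group stays wheel.
GOOD_LISTING = """\
drwxr-xr-x  5 root  wheel  512 Jun 17 09:00 /var/named/etc/namedb
drwxr-xr-x  2 root  wheel  512 Jun 17 09:00 /var/named/etc/namedb/master
drwxr-xr-x  2 bind  wheel  512 Jun 17 09:00 /var/named/etc/namedb/working
drwxr-xr-x  2 bind  wheel  512 Jun 17 09:00 /var/named/etc/namedb/slave
drwxr-xr-x  2 bind  wheel  512 Jun 17 09:00 /var/named/etc/namedb/dynamic
"""
# BAD is the "chown -R bind /var/named" shortcut: the config dir becomes writable.
BAD_LISTING = GOOD_LISTING.replace("root  wheel", "bind  wheel")

if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(f"{name}: {audit(listing) or ['ok']}")
```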
Ownership of /var/named Changes on Reboot.
I run named chrooted to bind but not in a jail. When the system reboots, something changes ownership of /var/named back to root:wheel. I have thought several times I figured out how to prevent this from happening, but to no avail. The most promising lead was the following directives in /etc/rc.conf.local:

    named_uid=bind                  # User to run named as
    named_chrootdir=                # Chroot directory (or not to auto-chroot it)
    named_chroot_autoupdate=YES     # Automatically install/update chrooted

Is there a way to keep /var/named owned by bind across reboots? Our production FreeBSD systems are up for years at a time, so we don't see this problem often, but we have just been lucky that I am usually the one to reboot and know that named will come up broken and exit because named can not write into /var/named when it is owned by root. It would be really nice to be able to count on /var/named staying put so named can just start automatically after a reboot.

I prefer for named to run as a low-priority UID rather than as root, so if I am doing something wrong, tell me that, also. We have been running named with a high-numbered UID for probably ten years and the force back to root ownership has always been a factor when the system is rebooted.

Thank you.

Martin McCormick WB5AGZ
Stillwater, OK
Systems Engineer
OSU Information Technology Department
Telecommunications Services Group
Ownership of /var/named Changes on Reboot.
Martin McCormick writes:
> Is there a way to keep /var/named owned by bind across reboots?

Yes. I had this happen for a long time. The bad news is it had been years since I fixed it, and I no longer remember exactly what I did. I will keep trying.

Robert Huff
Re: Ownership of /var/named Changes on Reboot.
On 17-6-2010 4:58, Robert Huff wrote:
> Martin McCormick writes:
>> Is there a way to keep /var/named owned by bind across reboots?
>
> Yes. I had this happen for a long time. The bad news is it had been years since I fixed it, and I no longer remember exactly what I did. I will keep trying.

Permissions are set using the mtree files: /etc/mtree/

Peter
--
http://www.boosten.org
named - Is It Possible to Forward Requests for One Domain to Another Server?
In my home network, I have named running to resolve machines on my LAN. It is also configured to forward requests to my ISP for all other queries.

On another machine in my LAN, I used mpd to create a vpn connection to my work and set appropriate routes so that any machine on my LAN can access any machine at my work over the vpn (using mpd's nat function). This works when accessing via the IP address. Now I'm trying to get DNS resolution for machines at work. Is there some way I can tell named to request DNS info for my work domain from my work's DNS server available over the vpn?

Does this make sense?

Thanks,
Drew
Re: named - Is It Possible to Forward Requests for One Domain to Another Server?
On Tue, May 25, 2010 at 04:30:04PM -0700, Drew Tomlinson wrote:

Hi Drew,

> In my home network, I have named running to resolve machines on my LAN. It is also configured to forward requests to my ISP for all other queries.
>
> On another machine in my LAN, I used mpd to create a vpn connection to my work and set appropriate routes so that any machine on my LAN can access any machine at my work over the vpn (using mpd's nat function). This works when accessing via the IP address. Now I'm trying to get DNS resolution for machines at work. Is there some way I can tell named to request DNS info for my work domain from my work's DNS server available over the vpn?
>
> Does this make sense?

Yes, it makes sense. What you're looking for is a forward type zone in named.conf, like

    zone "foobar.com" {
        type forward;
        forward only;
        forwarders { ip_of_work_dns_server; };
    };

I'm not sure if I got the syntax 100% right. Also consider that this might interfere with the setup of the VPN, if you're using DNS names in the configuration, as named will not be able to resolve hosts in foobar.com without being able to reach ip_of_work_dns_server.

Regards
Thomas

--
* Freelance Linux BSD Systemengineer // IT Consultant *
-=- Homepage: http://www.bsd-solutions-duesseldorf.de -=-
Re: named - Is It Possible to Forward Requests for One Domain to Another Server?
On 5/25/2010 4:58 PM, Thomas Keusch wrote:
> On Tue, May 25, 2010 at 04:30:04PM -0700, Drew Tomlinson wrote:
>
> Hi Drew,
>
>> In my home network, I have named running to resolve machines on my LAN. It is also configured to forward requests to my ISP for all other queries.
>>
>> On another machine in my LAN, I used mpd to create a vpn connection to my work and set appropriate routes so that any machine on my LAN can access any machine at my work over the vpn (using mpd's nat function). This works when accessing via the IP address. Now I'm trying to get DNS resolution for machines at work. Is there some way I can tell named to request DNS info for my work domain from my work's DNS server available over the vpn?
>>
>> Does this make sense?
>
> Yes, it makes sense. What you're looking for is a forward type zone in named.conf, like
>
>     zone "foobar.com" {
>         type forward;
>         forward only;
>         forwarders { ip_of_work_dns_server; };
>     };
>
> I'm not sure if I got the syntax 100% right. Also consider that this might interfere with the setup of the VPN, if you're using DNS names in the configuration, as named will not be able to resolve hosts in foobar.com without being able to reach ip_of_work_dns_server.

Hi Thomas,

Thank you for your reply. That was what I needed.

Cheers,
Drew
Can a foreign drive's mirrors be prevented from joining identically named mirrors?
Say I have two systems with two hot-swappable drives and have created mirrors for root, var, and swap across those two drives on each system. If I take a drive from one system and insert it into the other system, it appears that the mirror providers on that drive automatically insert themselves into the identically named mirrors on the system where the drive has been inserted. What's worse, they may also become recognized as the mirrors with the most recent data, even though they came from a different system and should in fact be immediately flagged as dirty and synchronized with the mirrors on the receiving system.

The only solution we've found is that drives being inserted into an existing system should be thoroughly wiped first. The problem with that is we cannot be certain a user will follow that guideline.

The alternative is to make sure that the mirrors are uniquely named across all systems. So for example instead of having mirrors named root, var, and swap, we could name them root-macId, var-macId, and swap-macId, where macId is a unique ID based on the MAC address of a given system's Ethernet interface. This is a 100% solution but it would likely solve most of the problems we've encountered.

My question is whether there is any other way to accomplish this? We do not want the mirrors on a drive being inserted into another system to automatically be added to the receiving system's identically named mirrors.
Re: Does NAT require DNS (named)?
On Thu, 2010-04-08 at 20:46 -0400, Brodey Dover wrote:
> If you already have a name server on your network then no, the WAP will not need to use DNS. You can tell the clients of the WAP that a nameserver exists in the DHCPD.conf file. I believe you can also set router 10.0.0.1 for example in the dhcpd.conf.
>
> On Thu, Apr 8, 2010 at 8:32 PM, Gary Dunn o...@aloha.com wrote:
>> On Thu, 8 Apr 2010 17:05:12 -0400 mikel king mikel.k...@olivent.com wrote:
>>> On Apr 8, 2010, at 4:57 PM, Gary Dunn wrote:
>>>> [snip]

Thanks for all the help with this! I got NAT working today by commenting out my custom menu stuff and doing exactly what the handbook documents, with adjustments for the outdated ipfw documentation. Now I need to backtrack to get back to my menu design goals.

I got DNS working by placing my upstream DNS servers in dhcpd.conf. Works fine as long as the router never moves. It is supposed to be mobile, so I am working on a simple solution for that. Still might go with a full DNS, as some suggest, but I need to learn a lot more about managing those configuration files!

Performance was excellent. No visible delay pulling up oddball Google image searches.

--
Gary Dunn, Honolulu
o...@aloha.com
http://openslate.net/
http://e9erust.blogspot.com/
Sent from Slate001
Does NAT require DNS (named)?
Continuing the saga of building a wireless access point, what is the best way to provide DNS service to the downstream network? Seems like all I need is a simple pass-through. For that named seems like overkill. Anyone have an /etc/named/named.conf that does that?

--
Gary Dunn, Honolulu
o...@aloha.com
http://openslate.net/
http://e9erust.blogspot.com/
Sent from a Newton 2100 via Mail V
Re: Does NAT require DNS (named)?
On Apr 8, 2010, at 1:57 PM, Gary Dunn wrote:
> Continuing the saga of building a wireless access point, what is the best way to provide DNS service to the downstream network?

Run a nameserver?

> Seems like all I need is a simple pass-through. For that named seems like overkill. Anyone have an /etc/named/named.conf that does that?

named is fine, although I was happier with its security history in the prior millennium than I am recently. But, if you don't want to run your own nameserver, point them toward nameservers run by your upstream network provider...

Regards,
--
-Chuck
Re: Does NAT require DNS (named)?
On Apr 8, 2010, at 4:57 PM, Gary Dunn wrote:
> Continuing the saga of building a wireless access point, what is the best way to provide DNS service to the downstream network? Seems like all I need is a simple pass-through. For that named seems like overkill. Anyone have an /etc/named/named.conf that does that?
>
> --
> Gary Dunn, Honolulu
> o...@aloha.com
> http://openslate.net/
> http://e9erust.blogspot.com/
> Sent from a Newton 2100 via Mail V

Depends on how your internal LAN is configured. Generally if there are no internal servers then you can forgo deploying a DNS server. Simply setup your firewall, IPFW or pf or whatever you are using, to allow clients to go out to the net and look names up. You will likely need a dhcp server though so that your wireless clients can auto-discover the appropriate network settings, but you can elect to do that manually as well if it's your desire.

Regards,
Mikel King
CEO, Olivent Technologies
Senior Editor, BSD News Network
Columnist, BSD Magazine
skype:mikel.king
http://olivent.com
http://www.linkedin.com/in/mikelking
http://twitter.com/mikelking
Re: Does NAT require DNS (named)?
Gary Dunn wrote:
> Continuing the saga of building a wireless access point, what is the best way to provide DNS service to the downstream network? Seems like all I need is a simple pass-through. For that named seems like overkill. Anyone have an /etc/named/named.conf that does that?

I normally run a copy of djbdns on the private IP, having private clients use that for DNS. Alternately, the private clients could just use your ISP's caching servers, which should work without any other configuration (possibly an allowance on the firewall).

- Darek
Re: Does NAT require DNS (named)?
On Thu, 8 Apr 2010 17:05:12 -0400 mikel king mikel.k...@olivent.com wrote:
> On Apr 8, 2010, at 4:57 PM, Gary Dunn wrote:
>> Continuing the saga of building a wireless access point, what is the best way to provide DNS service to the downstream network? Seems like all I need is a simple pass-through. For that named seems like overkill. Anyone have an /etc/named/named.conf that does that?
>
> Depends on how your internal LAN is configured. Generally if there are no internal servers then you can forgo deploying a DNS server. Simply setup your firewall, IPFW or pf or whatever you are using, to allow clients to go out to the net and look names up. You will likely need a dhcp server though so that your wireless clients can auto-discover the appropriate network settings, but you can elect to do that manually as well if it's your desire.

I failed to mention that the same FreeBSD box will provide file and printer services via Samba, all clients will be Windows Vista, and there will be no other servers on the downstream network. I cannot rely on clients editing their LMHOSTS files ... I need plug and play. Do I need a DNS server on the downstream network for Windows clients to connect to Samba?

--
Gary Dunn, Honolulu
o...@aloha.com
http://openslate.net/
http://e9erust.blogspot.com/
Sent from a Newton 2100 via Mail V
Re: Does NAT require DNS (named)?
On Apr 8, 2010, at 8:32 PM, Gary Dunn wrote:
> On Thu, 8 Apr 2010 17:05:12 -0400 mikel king mikel.k...@olivent.com wrote:
>> On Apr 8, 2010, at 4:57 PM, Gary Dunn wrote:
>>> Continuing the saga of building a wireless access point, what is the best way to provide DNS service to the downstream network? Seems like all I need is a simple pass-through. For that named seems like overkill. Anyone have an /etc/named/named.conf that does that?
>>
>> Depends on how your internal LAN is configured. Generally if there are no internal servers then you can forgo deploying a DNS server. Simply setup your firewall, IPFW or pf or whatever you are using, to allow clients to go out to the net and look names up. You will likely need a dhcp server though so that your wireless clients can auto-discover the appropriate network settings, but you can elect to do that manually as well if it's your desire.
>
> I failed to mention that the same FreeBSD box will provide file and printer services via Samba, all clients will be Windows Vista, and there will be no other servers on the downstream network. I cannot rely on clients editing their LMHOSTS files ... I need plug and play. Do I need a DNS server on the downstream network for Windows clients to connect to Samba?
>
> --
> Gary Dunn, Honolulu
> o...@aloha.com
> http://openslate.net/
> http://e9erust.blogspot.com/
> Sent from a Newton 2100 via Mail V

Gary,

Thanks for the clarification. In this case if it were my network then I would roll out both DNS and DHCP on this server. Honestly it will make your life a hell of a lot easier in the long run, especially if you intend on using WINS resolution for the Windows clients via samba. However, only allow the DNS and DHCP services to run on the internal LAN; bind them to an internal IP address. You should be fine.

Cheers,
Mikel King
Re: Does NAT require DNS (named)?
Unfortunately, still 17MB. I am going to play around with the sticks of RAM that I have installed to see if there is a chipset/motherboard issue.

On Thu, Apr 8, 2010 at 8:56 PM, mikel king mikel.k...@olivent.com wrote:
> On Apr 8, 2010, at 8:32 PM, Gary Dunn wrote:
>> On Thu, 8 Apr 2010 17:05:12 -0400 mikel king mikel.k...@olivent.com wrote:
>>> On Apr 8, 2010, at 4:57 PM, Gary Dunn wrote:
>>>> Continuing the saga of building a wireless access point, what is the best way to provide DNS service to the downstream network? Seems like all I need is a simple pass-through. For that named seems like overkill. Anyone have an /etc/named/named.conf that does that?
>>>
>>> Depends on how your internal LAN is configured. Generally if there are no internal servers then you can forgo deploying a DNS server. Simply setup your firewall, IPFW or pf or whatever you are using, to allow clients to go out to the net and look names up. You will likely need a dhcp server though so that your wireless clients can auto-discover the appropriate network settings, but you can elect to do that manually as well if it's your desire.
>>
>> I failed to mention that the same FreeBSD box will provide file and printer services via Samba, all clients will be Windows Vista, and there will be no other servers on the downstream network. I cannot rely on clients editing their LMHOSTS files ... I need plug and play. Do I need a DNS server on the downstream network for Windows clients to connect to Samba?
>>
>> --
>> Gary Dunn, Honolulu
>> o...@aloha.com
>> http://openslate.net/
>> http://e9erust.blogspot.com/
>> Sent from a Newton 2100 via Mail V
>
> Gary,
>
> Thanks for the clarification. In this case if it were my network then I would roll out both DNS and DHCP on this server. Honestly it will make your life a hell of a lot easier in the long run, especially if you intend on using WINS resolution for the Windows clients via samba. However, only allow the DNS and DHCP services to run on the internal LAN; bind them to an internal IP address. You should be fine.
>
> Cheers,
> Mikel King
Named errors after adding IPv4 alias - solved by restarting named
It seems that if you add an alias to an interface once named is up and running, it will cause named, on an hourly basis from the time named was first started (that is, if it was started at 07:32 after the hour, then every hour after the alias is added, at about 07:32 after each hour), to say:

    Feb 16 22:07:32 elwood named[626]: could not listen on UDP socket: permission denied
    Feb 16 22:07:32 elwood named[626]: creating IPv4 interface fxp0 failed; interface ignored

A kill -1 does not help. If you do a full stop and start on named, that will take care of the problem.

Is this something that should be addressed within named, or is this such a rare event (adding an IP alias on an interface that named is using) that it should just be let go?

--
John Lind
j...@starfire.mn.org
Re: HELP! Is that possible creating a user named root but actually not the administrator root
On 2/12/10, Jason Lin taosheng@gmail.com wrote:
> I try this method, after set the password of toor, I can't login with the account toor.

It is possible (I don't remember) that the toor account does not have a shell in the default passwd file. If that's the problem, use vipw to add the path to a shell as the last field on the line. The root account should provide a good example, or look at the line for your own user account. /bin/csh should work for recent versions of FreeBSD.

- Bob
Re: HELP! Is that possible creating a user named root but actually not the administrator root
On 13/02/2010 17:49, Bob Johnson wrote:
> It is possible (I don't remember) that the toor account does not have a shell in the default passwd file. If that's the problem, use vipw to add the path to a shell as the last field on the line. The root account should provide a good example, or look at the line for your own user account. /bin/csh should work for recent versions of FreeBSD.

An empty field for the user shell in /etc/{master.,}passwd means the account gets the default shell, which in the case of FreeBSD is /bin/sh. Shouldn't cause the observed problem.

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
Black Earth Consulting
Free and Open Source Solutions
Tel: +44 (0)1843 580647
Re: HELP! Is that possible creating a user named root but actually not the administrator root
On 13 February 2010 18:10, Matthew Seaman m.sea...@black-earth.co.uk wrote:
> On 13/02/2010 17:49, Bob Johnson wrote:
>> It is possible (I don't remember) that the toor account does not have a shell in the default passwd file. If that's the problem, use vipw to add the path to a shell as the last field on the line. The root account should provide a good example, or look at the line for your own user account. /bin/csh should work for recent versions of FreeBSD.
>
> An empty field for the user shell in /etc/{master.,}passwd means the account gets the default shell, which in the case of FreeBSD is /bin/sh. Shouldn't cause the observed problem.
>
> Cheers,
> Matthew

I would imagine then that /etc/ttys is set to 'insecure' for all. Can you log in as root, Jason?

Chris
Re: HELP! Is that possible creating a user named root but actually not the administrator root
Yes, I login with toor as root successfully.

2010/2/14 Chris Rees utis...@googlemail.com:
> On 13 February 2010 18:10, Matthew Seaman m.sea...@black-earth.co.uk wrote:
>> On 13/02/2010 17:49, Bob Johnson wrote:
>>> It is possible (I don't remember) that the toor account does not have a shell in the default passwd file. If that's the problem, use vipw to add the path to a shell as the last field on the line. The root account should provide a good example, or look at the line for your own user account. /bin/csh should work for recent versions of FreeBSD.
>>
>> An empty field for the user shell in /etc/{master.,}passwd means the account gets the default shell, which in the case of FreeBSD is /bin/sh. Shouldn't cause the observed problem.
>>
>> Cheers,
>> Matthew
>
> I would imagine then that /etc/ttys is set to 'insecure' for all. Can you log in as root, Jason?
>
> Chris

--
Lin Taosheng
Mobile: 86-010-15801256127
MSN: taosheng@gmail.com
Re: HELP! Is that possible creating a user named root but actually not the administrator root
I try this method, after set the password of toor, I can't login with the account toor.

Bogdan Webb bog...@pgn.ro wrote:
> Edit the /etc/master.passwd and /etc/passwd records to change the uid and gid of the root account BUT FIRST MAKE SURE YOU ADD (or changed password of) ANOTHER UID0 ACCOUNT. Here's an example:
>
> /etc/master.passwd:
>     root:*PASSWORD HASH*:99:99::0:0:Charlie :/root:/bin/csh
>
> and /etc/passwd:
>     root:*:99:99:Charlie :/root:/bin/csh
>
> Check the toor account: it's already created by freebsd but it doesn't have a password. 1st apply a password for that account, triple check that it's usable, then edit the records (keep in mind that the 99 uid and 99 gid in my examples are fake; try giving yours the uid and gid of the nobody account, or some other).
>
> cheers!
>
> 2010/2/11 Anthony M. Rasat anthony.ra...@gmail.com
>> Lin Taosheng wrote:
>>> Is that possible to implemented?
>>
>> No. I think not. But I have not tried it either. Can I ask what do you want to achieve? Because I had the same thought once, concerning how to combat once-increasing script-driven SSH brute-force attack. But I was instead have a better solution using fail2ban to easily thwart those SSH brute force attack. Is that your situation?
>>
>> Regards,
>> Anthony M. Rasat
>> Manager - Technical, Network and Support Division
>> PT. Jawa Pos National Network
>> Graha Pena Jawa Pos Group Building, 5th floor
>> Jln. Raya Kebayoran Lama 12, Jakarta Selatan 12210 Indonesia.
>> Phone 02132185562
>> Phone 081574217035
>> Fax 02153651465
>> Web http://www.jpnn.com
Re: HELP! Is that possible creating a user named root but actually not the administrator root
On 11/02/2010 05:23, Giorgos Keramidas wrote:
> On Thu, 11 Feb 2010 00:18:30 -0500, Robert Huff roberth...@rcn.com wrote:
>> Lin Taosheng writes:
>>> Is that possible to implemented?
>>
>> For most purposes, what's important is not the account name, but the User ID. Root is special because it has UID 0. You can create other accounts with UID 0 ... but it's usually a Very Bad Idea.
>>
>> As far as I know, there's no reason you can't rename the root account and have a non UID 0 account with that name. On the other hand, if you're asking this question there may be a better way to accomplish your objective: would you care to share?
>
> The kernel doesn't really care what your user *name* is. See for example the 'toor' user in '/etc/master.passwd'.

On the other hand, lots of software expects the superuser account to be called 'root' because that's what it always has been ever since Thompson and Ritchie et al. first created Unix. Changing the name of the superuser account, and making root into an unprivileged user, will cause you much wailing and gnashing of teeth. It doesn't really buy you much in terms of improved security in any case. Far better to concentrate on making it impossible for the existing root account to be compromised.

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
Black Earth Consulting
Free and Open Source Solutions
Tel: +44 (0)1843 580647
Re: HELP! Is that possible creating a user named root but actually not the administrator root
On 2/11/10, Robert Huff roberth...@rcn.com wrote:
> Lin Taosheng writes:
>> Is that possible to implemented?

Yes, use vipw to edit the password file. Add another username that is UID zero. The name toor is actually already there as an example of how to do that, but it is disabled because it has a * in the password field. After the new username is tested and you know it works, use vipw to replace the password field for root to an *. Then root will still exist, but it will not be possible to log in to it. You could also delete the entire line for root, but that gets farther into unusual territory and increases the chance that you will break something else by doing so.

> For most purposes, what's important is not the account name, but the User ID. Root is special because it has UID 0. You can create other accounts with UID 0 ... but it's usually a Very Bad Idea.

I know of no reason that this would be a bad idea. It is in fact useful in some situations to have more than one admin account, enough so that about a decade ago some effort was put into making sure it works properly when you do that in FreeBSD.

> As far as I know, there's no reason you can't rename the root account and have a non UID 0 account with that name. On the other hand, if you're asking this question there may be a better way to accomplish your objective: would you care to share?

Having an account named root that is not UID 0 (i.e. not an administrator) is likely to have unexpected side effects that you probably won't like. So even though it has theoretical security advantages (because unlike Windows, you can't remotely query FreeBSD and ask it the name of its administrator account), it probably isn't a good idea. A quick search turned up problems when people tried this in Debian, and I would expect similar issues in FreeBSD. But if you try it, I'd love to hear the result.

If you are worried about remote logins to the root account, that is actually disabled by default in FreeBSD. The biggest hazard you face in that area is that if you configure SSH to use PAM login, the PAM subsystem can allow remote root logins when you think they are disabled. You have to be careful to configure SSH (and anything else that uses PAM) correctly in that situation.

- Bob Johnson
Re: HELP! Is it possible to create a user named root but actually not the administrator root
On Thu, Feb 11, 2010 at 01:58:07PM -0500, Bob Johnson wrote:
> On 2/11/10, Robert Huff roberth...@rcn.com wrote:
>> Lin Taosheng writes:
>>> Is that possible to implement?
>
> Yes, use vipw to edit the password file. Add another username that is UID zero. The name toor is actually already there as an example of how to do that, but it is disabled because it has a * in the password field. After the new username is tested and you know it works, use vipw to replace the password field for root with an *. Then root will still exist, but it will not be possible to log in to it. You could also delete the entire line for root, but that gets farther into unusual territory and increases the chance that you will break something else by doing so.

If I take what the OP said literally, you are answering backwards. The OP asked if it is possible to name a different account root - eg one that is not UID 0. You are answering that it is possible to give an account other than root a UID 0. Now, the OP may have meant to ask what you are answering and just got it mixed up. But, that was not the way the question went.

Anyway, even if it is possible to name a non-UID 0 account root, it is a very bad idea. Too many things assume that the string 'root' refers to the UID 0 account. There may be something that depends on it.

On the other side, it is possible to give an account with a different name the UID of 0. This is often done so someone can work at a root level without using the root name - probably in hopes of controlling things more tightly. Maybe it might help a bit. But, the FreeBSD system comes automatically set so that you cannot log in over the net with a root (eg a UID 0) account. The recommended way to get to root is to either use the console or to log in as a non-root account using an encrypted path and then su(1) to root or to a root account (eg one with UID 0).

jerry

>> For most purposes, what's important is not the account name, but the User ID. Root is special because it has UID 0. You can create other accounts with UID 0 ... but it's usually a Very Bad Idea.
>
> I know of no reason that this would be a bad idea. It is in fact useful in some situations to have more than one admin account, enough so that about a decade ago some effort was put into making sure it works properly when you do that in FreeBSD.
>
>> As far as I know, there's no reason you can't rename the root account and have a non UID 0 account with that name. On the other hand, if you're asking this question there may be a better way to accomplish your objective: would you care to share?
>
> Having an account named root that is not UID 0 (i.e. not an administrator) is likely to have unexpected side effects that you probably won't like. So even though it has theoretical security advantages (because unlike Windows, you can't remotely query FreeBSD and ask it the name of its administrator account), it probably isn't a good idea. A quick search turned up problems when people tried this in Debian, and I would expect similar issues in FreeBSD. But if you try it, I'd love to hear the result.
>
> If you are worried about remote logins to the root account, that is actually disabled by default in FreeBSD. The biggest hazard you face in that area is that if you configure SSH to use PAM login, the PAM subsystem can allow remote root logins when you think they are disabled. You have to be careful to configure SSH (and anything else that uses PAM) correctly in that situation.
>
> - Bob Johnson
Re: HELP! Is it possible to create a user named root but actually not the administrator root
On Thu, 11 Feb 2010 08:04:00 +, Matthew Seaman m.sea...@black-earth.co.uk wrote:
> On 11/02/2010 05:23, Giorgos Keramidas wrote:
>> On Thu, 11 Feb 2010 00:18:30 -0500, Robert Huff roberth...@rcn.com wrote:
>>> Lin Taosheng writes:
>>>> Is that possible to implement?
>>>
>>> For most purposes, what's important is not the account name, but the User ID. Root is special because it has UID 0. You can create other accounts with UID 0 ... but it's usually a Very Bad Idea.
>>>
>>> As far as I know, there's no reason you can't rename the root account and have a non UID 0 account with that name. On the other hand, if you're asking this question there may be a better way to accomplish your objective: would you care to share?
>>
>> The kernel doesn't really care what your user *name* is. See for example the 'toor' user in '/etc/master.passwd'.
>
> On the other hand, lots of software expects the superuser account to be called 'root' because that's what it always has been ever since Thompson and Ritchie et al. first created Unix. Changing the name of the superuser account, and making root into an unprivileged user, will cause you much wailing and gnashing of teeth. It doesn't really buy you much in terms of improved security in any case. Far better to concentrate on making it impossible for the existing root account to be compromised.

This is a good point. One can argue that the specific applications are those that are broken if they do not use a tunable option to switch the name of the 'privileged user'. But that doesn't negate the fact that precisely *this* type of application exists out there and will break.
Re: HELP! Is it possible to create a user named root but actually not the administrator root
On 2/11/10, Jerry McAllister jerr...@msu.edu wrote:
> On Thu, Feb 11, 2010 at 01:58:07PM -0500, Bob Johnson wrote:
>> On 2/11/10, Robert Huff roberth...@rcn.com wrote:
>>> Lin Taosheng writes:
>>>> Is that possible to implement?
>>
>> Yes, use vipw to edit the password file. Add another username that is UID zero. The name toor is actually already there as an example of how to do that, but it is disabled because it has a * in the password field. After the new username is tested and you know it works, use vipw to replace the password field for root with an *. Then root will still exist, but it will not be possible to log in to it. You could also delete the entire line for root, but that gets farther into unusual territory and increases the chance that you will break something else by doing so.
>
> If I take what the OP said literally, you are answering backwards. The OP asked if it is possible to name a different account root - eg one that is not UID 0. You are answering that it is possible to give an account other than root a UID 0. Now, the OP may have meant to ask what you are answering and just got it mixed up. But, that was not the way the question went.

Oops. Rats. When I started my reply I had it right, but by the time I finished I had confused myself. Thanks.

Anyway, it's possible, but in practice it probably won't work right, and doesn't do much for security anyway.

- Bob
HELP! Is it possible to create a user named root but actually not the administrator root
Hi all,

Is that possible to implement?
HELP! Is it possible to create a user named root but actually not the administrator root
Lin Taosheng writes:
> Is that possible to implement?

For most purposes, what's important is not the account name, but the User ID. Root is special because it has UID 0. You can create other accounts with UID 0 ... but it's usually a Very Bad Idea.

As far as I know, there's no reason you can't rename the root account and have a non UID 0 account with that name. On the other hand, if you're asking this question there may be a better way to accomplish your objective: would you care to share?

Respectfully,

Robert Huff
Re: HELP! Is it possible to create a user named root but actually not the administrator root
On Thu, 11 Feb 2010 00:18:30 -0500, Robert Huff roberth...@rcn.com wrote:
> Lin Taosheng writes:
>> Is that possible to implement?
>
> For most purposes, what's important is not the account name, but the User ID. Root is special because it has UID 0. You can create other accounts with UID 0 ... but it's usually a Very Bad Idea.
>
> As far as I know, there's no reason you can't rename the root account and have a non UID 0 account with that name. On the other hand, if you're asking this question there may be a better way to accomplish your objective: would you care to share?

The kernel doesn't really care what your user *name* is. See for example the 'toor' user in '/etc/master.passwd'.
Re: HELP! Is it possible to create a user named root but actually not the administrator root
Lin Taosheng wrote:
> Is that possible to implement?

No. I think not. But I have not tried it either.

Can I ask what you want to achieve? Because I had the same thought once, concerning how to combat the once-increasing script-driven SSH brute-force attacks. But I instead had a better solution using fail2ban to easily thwart those SSH brute force attacks. Is that your situation?

Regards,

Anthony M. Rasat
Manager - Technical, Network and Support Division
PT. Jawa Pos National Network
Graha Pena Jawa Pos Group Building, 5th floor
Jln. Raya Kebayoran Lama 12, Jakarta Selatan 12210
Indonesia
Phone 02132185562
Phone 081574217035
Fax 02153651465
Web http://www.jpnn.com
Re: HELP! Is it possible to create a user named root but actually not the administrator root
Edit the /etc/master.passwd and /etc/passwd records to change the uid and gid of the root account, BUT FIRST MAKE SURE YOU ADD (or change the password of) ANOTHER UID 0 ACCOUNT.

Here's an example:

/etc/master.passwd:

    root:*PASSWORD HASH*:99:99::0:0:Charlie :/root:/bin/csh

and /etc/passwd:

    root:*:99:99:Charlie :/root:/bin/csh

Check the toor account: it's already created by FreeBSD but it doesn't have a password. First apply a password for that account, triple check that it's usable, then edit the records (keep in mind that the 99 uid and 99 gid in my examples are fake; try giving yours the uid and gid of the nobody account, or some other).

cheers!

2010/2/11 Anthony M. Rasat anthony.ra...@gmail.com
> Lin Taosheng wrote:
>> Is that possible to implement?
>
> No. I think not. But I have not tried it either.
>
> Can I ask what you want to achieve? Because I had the same thought once, concerning how to combat the once-increasing script-driven SSH brute-force attacks. But I instead had a better solution using fail2ban to easily thwart those SSH brute force attacks. Is that your situation?
>
> Regards,
>
> Anthony M. Rasat
> Manager - Technical, Network and Support Division
> PT. Jawa Pos National Network
> Graha Pena Jawa Pos Group Building, 5th floor
> Jln. Raya Kebayoran Lama 12, Jakarta Selatan 12210
> Indonesia
> Phone 02132185562
> Phone 081574217035
> Fax 02153651465
> Web http://www.jpnn.com
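The checks this thread keeps circling back to (which accounts carry UID 0, whether each of them is locked with a leading '*' or actually usable, and whether an account named root has been given a non-zero UID) as an added audit script over a constructed master.passwd(5) sample. This is not code from the thread or from FreeBSD; the account names and hash strings in the sample are made up.

```python
"""Audit a FreeBSD master.passwd-style file for the UID 0 situations discussed
in the thread: extra UID 0 accounts (toor-style), whether each is locked or
usable, and an account named 'root' whose UID is not 0.

Added example with a constructed sample; not code from the thread or FreeBSD.
"""
from dataclasses import dataclass
from typing import Dict, List

# master.passwd(5) has ten colon-separated fields:
# name:password:uid:gid:class:change:expire:gecos:home:shell
FIELDS = 10


@dataclass
class Entry:
    name: str
    password: str
    uid: int
    gid: int
    shell: str

    @property
    def locked(self) -> bool:
        # A leading '*' can never match a password hash, so the account cannot
        # authenticate with a password (FreeBSD's '*' and the '*LOCKED*'
        # prefix written by 'pw lock' both start this way).
        return self.password.startswith("*")

    @property
    def passwordless(self) -> bool:
        # An empty password field means login with no password at all.
        return self.password == ""


def parse_master_passwd(text: str) -> List[Entry]:
    """Parse master.passwd lines, skipping comments and blank lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != FIELDS:
            raise ValueError(f"line {lineno}: expected {FIELDS} fields, got {len(parts)}")
        entries.append(Entry(name=parts[0], password=parts[1],
                             uid=int(parts[2]), gid=int(parts[3]),
                             shell=parts[9]))
    return entries


def audit(entries: List[Entry]) -> Dict[str, object]:
    """Summarise the superuser-related state of the password database."""
    uid0 = [e for e in entries if e.uid == 0]
    root = next((e for e in entries if e.name == "root"), None)
    return {
        # every UID 0 account, locked or not
        "uid0": [e.name for e in uid0],
        # UID 0 accounts that can actually authenticate with a password
        "usable_uid0": [e.name for e in uid0 if not e.locked],
        # worst case: UID 0 with an empty password field
        "passwordless_uid0": [e.name for e in uid0 if e.passwordless],
        # the renamed-root case from the thread: 'root' exists but is not UID 0
        "root_not_uid0": root.uid if root is not None and root.uid != 0 else None,
        "root_missing": root is None,
    }


# Constructed sample in the style of the thread's example; hashes are fake.
SAMPLE = """\
# constructed sample, not a real system file
root:$6$constructed$notarealhash:99:99::0:0:Charlie &:/root:/bin/csh
toor:$6$constructed$alsonotreal:0:0::0:0:Bourne-again Superuser:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
admin2:*LOCKED*$6$constructed$x:0:0::0:0:Second admin:/home/admin2:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
backup::0:0::0:0:Passwordless by mistake:/home/backup:/bin/sh
"""

if __name__ == "__main__":
    for key, value in audit(parse_master_passwd(SAMPLE)).items():
        print(f"{key}: {value}")
```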
UDP flooding / Ethernet issues? WAS Re: named error sending response: not enough free resources
On Thu, Jan 28, 2010 at 12:59 PM, James Smallacombe u...@3.am wrote:
> To follow up on this: Noticed the issue again this morning, which also was accompanied by latency so high that I could not connect (some pings got through at very high latency). I emailed the provider and they told me that they had my port on their Ether switch set to 10Mbs. They switched it to 100Mbs and only time will tell if that fixes it.
>
> Does this sound like it could be the entire cause? I ask because I've maxed out pipes before, but never seen it shut all traffic down this much. One key difference that I forgot to mention is that this server is running TWO instances of named, on two different IPs (for different domains), each running a few hundred zones.
>
> Bottom line: Would congestion cause this issue, or would this issue cause congestion?

Some updates that may confuse more than inform:

I caught this while it was happening yesterday and was able to do a tcpdump. I saw a ton of UDP traffic outbound to one IP that turned out to be a colocated server in Chicago. I put that IP in my ipfw rules and once I blocked any to that IP, it seemed to stop. Since then however, the logs have shown the same issue again and there have been a few brief service disruptions. Today's security run output showed this:

    +(RULE NUMBER) 16054161 131965203420 deny ip from any to (blocked IP)

and more alarmingly, this:

    kernel log messages:
    +++ /tmp/security.BErFHSS3 2010-01-29 03:09:32.0 -0500
    +re0: link state changed to DOWN
    +re0: link state changed to UP
    +re0: promiscuous mode enabled
    +re0: promiscuous mode disabled
    +re0: promiscuous mode enabled
    +re0: promiscuous mode disabled
    +re0: promiscuous mode enabled
    +re0: promiscuous mode disabled

re0 obviously being the Realtek Ethernet driver. The server itself never went down during this time, but the Ethernet did. Is there any DOS type of event that could cause this, or could the root of the problem be an Ethernet hardware or driver issue? Again, it is not clear to me which is the cause and which is the effect.

Last bit of info: I just did a 'tcpdump -n | grep -i udp' and saw a bunch of these, coming up a couple of times per second:

    11:31:59.387561 IP (IP REMOVED) (IP REMOVED): NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

Where the source and destination IPs vary, but are NOT one of mine, but DO appear to belong to my colo/dedicated server provider and their customers. Is my server being used to DDOS others? If so, how?

TIA,

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am
Re: UDP flooding / Ethernet issues? WAS Re: named error sending response: not enough free resources
On Fri, Jan 29, 2010 at 10:51 AM, James Smallacombe u...@3.am wrote:
> Some updates that may confuse more than inform:
>
> I caught this while it was happening yesterday and was able to do a tcpdump. I saw a ton of UDP traffic outbound to one IP that turned out to be a colocated server in Chicago. I put that IP in my ipfw rules and once I blocked any to that IP, it seemed to stop. Since then however, the logs have shown the same issue again and there have been a few brief service disruptions. Today's security run output showed this:
>
>     +(RULE NUMBER) 16054161 131965203420 deny ip from any to (blocked IP)
>
> and more alarmingly, this:
>
>     kernel log messages:
>     +++ /tmp/security.BErFHSS3 2010-01-29 03:09:32.0 -0500
>     +re0: link state changed to DOWN
>     +re0: link state changed to UP
>     +re0: promiscuous mode enabled
>     +re0: promiscuous mode disabled
>     +re0: promiscuous mode enabled
>     +re0: promiscuous mode disabled
>     +re0: promiscuous mode enabled
>     +re0: promiscuous mode disabled
>
> re0 obviously being the Realtek Ethernet driver. The server itself never went down during this time, but the Ethernet did. Is there any DOS type of event that could cause this, or could the root of the problem be an Ethernet hardware or driver issue? Again, it is not clear to me which is the cause and which is the effect.
>
> Last bit of info: I just did a 'tcpdump -n | grep -i udp' and saw a bunch of these, coming up a couple of times per second:

promiscuous mode entries are caused by tcpdump

-- 
Adam Vande More
Re: UDP flooding / Ethernet issues? WAS Re: named error sending response: not enough free resources
Hi--

On Jan 29, 2010, at 8:51 AM, James Smallacombe wrote:
> On Thu, Jan 28, 2010 at 12:59 PM, James Smallacombe u...@3.am wrote:
>> To follow up on this: Noticed the issue again this morning, which also was accompanied by latency so high that I could not connect (some pings got through at very high latency). I emailed the provider and they told me that they had my port on their Ether switch set to 10Mbs. They switched it to 100Mbs and only time will tell if that fixes it.

[ ... ]

> Today's security run output showed this:
>
>     +(RULE NUMBER) 16054161 131965203420 deny ip from any to (blocked IP)
>
> and more alarmingly, this:
>
>     kernel log messages:
>     +++ /tmp/security.BErFHSS3 2010-01-29 03:09:32.0 -0500
>     +re0: link state changed to DOWN
>     +re0: link state changed to UP

These are probably from your ISP changing the link speed from 10 to 100Mbs.

>     +re0: promiscuous mode enabled
>     +re0: promiscuous mode disabled
>     +re0: promiscuous mode enabled
>     +re0: promiscuous mode disabled
>     +re0: promiscuous mode enabled
>     +re0: promiscuous mode disabled

These are from running tcpdump.

> re0 obviously being the Realtek Ethernet driver. The server itself never went down during this time, but the Ethernet did. Is there any DOS type of event that could cause this, or could the root of the problem be an Ethernet hardware or driver issue? Again, it is not clear to me which is the cause and which is the effect.
>
> Last bit of info: I just did a 'tcpdump -n | grep -i udp' and saw a bunch of these, coming up a couple of times per second:
>
>     11:31:59.387561 IP (IP REMOVED) (IP REMOVED): NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
>
> Where the source and destination IPs vary, but are NOT one of mine, but DO appear to belong to my colo/dedicated server provider and their customers. Is my server being used to DDOS others? If so, how?

That is standard Windows NetBIOS over IP traffic. It shouldn't be coming over your link unless your machines are sharing a subnet with someone else's Windows (or Samba) domain.

You might discuss this with your ISP and ask them what's up, but failing that, using IPFW rules like this would be prudent:

    add deny tcp from any 135-139 to any
    add deny tcp from any to any 135-139
    add deny udp from any 135-139 to any
    add deny udp from any to any 135-139

Regards,
-- 
-Chuck
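The distinction Chuck draws above, between NetBIOS traffic this host actually sends and broadcasts it merely sees on a shared segment while tcpdump has the interface in promiscuous mode, as an added classifier over constructed 'tcpdump -n' lines covering the 135-139 port range his ipfw rules deny. This is not code from the thread; the RFC 5737 addresses, the host address 192.0.2.10 and the subnet 192.0.2.0/24 are assumptions.

```python
"""Classify 'tcpdump -n' lines for NetBIOS-over-IP (ports 135-139) traffic and
separate what this host *sends* from what it merely *sees* on a shared segment.

Added example with constructed packets; not code from the thread. Assumed:
this host is 192.0.2.10 on 192.0.2.0/24 (RFC 5737 documentation addresses).
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

# The port range the ipfw rules quoted above deny in both directions.
NETBIOS_PORTS = range(135, 140)

# 'tcpdump -n' prints:  HH:MM:SS.usec IP src.sport > dst.dport: summary
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<summary>.*)$"
)


def classify(lines: Iterable[str], my_addrs: Iterable[str],
             my_subnet: str) -> Dict[str, List[str]]:
    """Bucket each line by who the NetBIOS endpoints are relative to this host."""
    mine = {ip_address(a) for a in my_addrs}
    net = ip_network(my_subnet)
    out: Dict[str, List[str]] = {
        "netbios_from_me": [],    # this host is the source: it really talks NetBIOS
        "netbios_to_me": [],      # someone addresses this host's 135-139: inbound deny rules apply
        "netbios_neighbour": [],  # neither endpoint is this host; source is on the local subnet
        "netbios_remote": [],     # neither endpoint is this host; source is off-subnet
        "non_netbios": [],
        "unparsed": [],
    }
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            out["unparsed"].append(line)
            continue
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        sport, dport = int(m["sport"]), int(m["dport"])
        flow = f"{src}:{sport}->{dst}:{dport}"
        if sport not in NETBIOS_PORTS and dport not in NETBIOS_PORTS:
            out["non_netbios"].append(flow)
        elif src in mine:
            out["netbios_from_me"].append(flow)
        elif dst in mine:
            out["netbios_to_me"].append(flow)
        elif src in net:
            out["netbios_neighbour"].append(flow)
        else:
            out["netbios_remote"].append(flow)
    return out


def host_originates_netbios(result: Dict[str, List[str]]) -> bool:
    """True only if this host itself is a NetBIOS source; broadcasts seen from
    neighbours (the case in the thread) do not count."""
    return bool(result["netbios_from_me"])


# Constructed capture: two neighbour broadcasts, a DNS exchange with this host,
# one probe of this host's port 139, and one NetBIOS query sent by this host.
SAMPLE_LINES = [
    "11:31:59.387561 IP 192.0.2.50.137 > 192.0.2.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST",
    "11:31:59.512004 IP 192.0.2.77.137 > 192.0.2.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST",
    "11:32:00.001122 IP 198.51.100.9.41234 > 192.0.2.10.53: 1234+ A? example.com. (29)",
    "11:32:00.002200 IP 192.0.2.10.53 > 198.51.100.9.41234: 1234 1/0/0 A 203.0.113.5 (45)",
    "11:32:00.090909 IP 203.0.113.66.4567 > 192.0.2.10.139: Flags [S], seq 1, win 8192, length 0",
    "11:32:01.000000 IP 192.0.2.10.137 > 192.0.2.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST",
]

if __name__ == "__main__":
    r = classify(SAMPLE_LINES, ["192.0.2.10"], "192.0.2.0/24")
    for bucket, flows in r.items():
        print(f"{bucket}: {flows}")
    print("host originates NetBIOS:", host_originates_netbios(r))
```

On the capture in the thread every line would land in the neighbour bucket, which is the "seen, not sent" answer to the DDoS question.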
Re: named error sending response: not enough free resources
On Wed, 27 Jan 2010, Chuck Swiger wrote:
> Hi--
>
> On Jan 27, 2010, at 1:15 PM, James Smallacombe wrote:
>> Jan 26 21:50:32 host named[667]: client IP REMOVED#57938: error sending response: not enough free resources
>> Jan 26 21:50:32 host named[667]: client IP REMOVED#59830: error sending response: not enough free resources
>
> OK, if the nameserver is published / authoritative, then it would be expected to be fielding requests from the Internet at large.

To follow up on this:

Noticed the issue again this morning, which also was accompanied by latency so high that I could not connect (some pings got through at very high latency). I emailed the provider and they told me that they had my port on their Ether switch set to 10Mbs. They switched it to 100Mbs and only time will tell if that fixes it.

Does this sound like it could be the entire cause? I ask because I've maxed out pipes before, but never seen it shut all traffic down this much. One key difference that I forgot to mention is that this server is running TWO instances of named, on two different IPs (for different domains), each running a few hundred zones.

Bottom line: Would congestion cause this issue, or would this issue cause congestion?

Thanks again!

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am
Re: named error sending response: not enough free resources
On Thu, Jan 28, 2010 at 12:59 PM, James Smallacombe u...@3.am wrote:
> To follow up on this:
>
> Noticed the issue again this morning, which also was accompanied by latency so high that I could not connect (some pings got through at very high latency). I emailed the provider and they told me that they had my port on their Ether switch set to 10Mbs. They switched it to 100Mbs and only time will tell if that fixes it.
>
> Does this sound like it could be the entire cause? I ask because I've maxed out pipes before, but never seen it shut all traffic down this much. One key difference that I forgot to mention is that this server is running TWO instances of named, on two different IPs (for different domains), each running a few hundred zones.
>
> Bottom line: Would congestion cause this issue, or would this issue cause congestion?

I would guess no, but that guess could easily be wrong. Have you tried turning up the logging verbosity to get a better idea of what's happening?

-- 
Adam Vande More
named error sending response: not enough free resources
NOTE: Please reply off-list as well as I am not subscribed

My server (7.2-STABLE) suffered at least two outages Sunday through yesterday after having been up since July (it is a rented dedicated server with my FSBD install). The first time, I was able to log in remotely, saw a ton of spam apparently abusing a php mail form script (more on that later) filling the /var partition. I purged it, but it still required a reboot as CPU was through the roof.

Yesterday morning, I was unable to get into the server at all...pings were very high. I called the provider and got in via KVM over IP. CPU was fine and there were no full partitions. As I had to catch a flight, I just rebooted it and it was fine.

After getting home, I looked in the syslog and see thousands of these:

    Jan 26 21:50:32 host named[667]: client IP REMOVED#57938: error sending response: not enough free resources
    Jan 26 21:50:32 host named[667]: client IP REMOVED#59830: error sending response: not enough free resources

Some googling on this error found a reference to a possible queue limiting problem in pf/qlimit, but the only firewalling I do is a very basic ipfw setup strictly for bruteblock. I am not even sure if this error caused the outage(s) or was caused by them, let alone a fix or workaround.

Appreciate any and all clues, especially if you are familiar with this.

TIA!

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am
Re: named error sending response: not enough free resources
On Jan 27, 2010, at 10:24 AM, James Smallacombe wrote:
> NOTE: Please reply off-list as well as I am not subscribed

OK. In return, please don't cross-post or multi-post the same question to multiple FreeBSD lists.

> My server (7.2-STABLE) suffered at least two outages Sunday through yesterday after having been up since July (it is a rented dedicated server with my FSBD install). The first time, I was able to log in remotely, saw a ton of spam apparently abusing a php mail form script (more on that later) filling the /var partition. I purged it, but it still required a reboot as CPU was through the roof.

See man pkill for an easier way to terminate processes short of rebooting. Depending on just how badly this PHP script was being taken advantage of and how closely you've been tracking security updates, it's possible that your machine might have been compromised.

> Yesterday morning, I was unable to get into the server at all...pings were very high. I called the provider and got in via KVM over IP. CPU was fine and there were no full partitions. As I had to catch a flight, I just rebooted it and it was fine.
>
> After getting home, I looked in the syslog and see thousands of these:
>
>     Jan 26 21:50:32 host named[667]: client IP REMOVED#57938: error sending response: not enough free resources
>     Jan 26 21:50:32 host named[667]: client IP REMOVED#59830: error sending response: not enough free resources

Were these client IPs expected to be talking to this machine? It indicates a problem sending UDP traffic; netstat -s output would be informative. You might find that setting options in named.conf to tune the # of outstanding queries will help:

    clients-per-query 10;
    max-clients-per-query 20;

Doing a tcpdump and examining the queries to see what DNS resources are being requested would also be useful.

Regards,
-- 
-Chuck
Re: named error sending response: not enough free resources
On Wed, 27 Jan 2010, Chuck Swiger wrote:
> On Jan 27, 2010, at 10:24 AM, James Smallacombe wrote:
>> NOTE: Please reply off-list as well as I am not subscribed
>
> OK. In return, please don't cross-post or multi-post the same question to multiple FreeBSD lists.

I posted to the -isp list a couple of hours earlier, then looked at the archives and noticed zero traffic on that list for the past couple of weeks, so I then posted here.

>> After getting home, I looked in the syslog and see thousands of these:
>>
>>     Jan 26 21:50:32 host named[667]: client IP REMOVED#57938: error sending response: not enough free resources
>>     Jan 26 21:50:32 host named[667]: client IP REMOVED#59830: error sending response: not enough free resources
>
> Were these client IPs expected to be talking to this machine? It

This server is authoritative for a few hundred domains, so I would imagine anybody doing a query on any of them would need to talk to it...unless I misunderstand what you mean by talk.

> indicates a problem sending UDP traffic; netstat -s output would be

Unfortunately, I did not have time for netstats or tcpdumps when this was happening and I've not seen this log entry since yesterday evening.

> informative. You might find that setting options in named.conf to tune the # of outstanding queries will help:
>
>     clients-per-query 10;
>     max-clients-per-query 20;

Thanks, I will look into those. The man page for named.conf doesn't tell you much and my latest cricket book is 3rd edition (only up to BIND 8), so I guess it's time to break down and get the latest.

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am
Re: named error sending response: not enough free resources
Hi--

On Jan 27, 2010, at 1:15 PM, James Smallacombe wrote:
>>>     Jan 26 21:50:32 host named[667]: client IP REMOVED#57938: error sending response: not enough free resources
>>>     Jan 26 21:50:32 host named[667]: client IP REMOVED#59830: error sending response: not enough free resources
>>
>> Were these client IPs expected to be talking to this machine? It
>
> This server is authoritative for a few hundred domains, so I would imagine anybody doing a query on any of them would need to talk to it...unless I misunderstand what you mean by talk.

OK, if the nameserver is published / authoritative, then it would be expected to be fielding requests from the Internet at large.

>> indicates a problem sending UDP traffic; netstat -s output would be
>
> Unfortunately, I did not have time for netstats or tcpdumps when this was happening and I've not seen this log entry since yesterday evening.

Unless you rebooted the machine again since the errors were reported, the netstat output would still be relevant.

>> informative. You might find that setting options in named.conf to tune the # of outstanding queries will help:
>>
>>     clients-per-query 10;
>>     max-clients-per-query 20;
>
> Thanks, I will look into those. The man page for named.conf doesn't tell you much and my latest cricket book is 3rd edition (only up to BIND 8), so I guess it's time to break down and get the latest.

Good luck
-- 
-Chuck
Re: named error sending response: not enough free resources
On Wed, 27 Jan 2010, Chuck Swiger wrote:
> On Jan 27, 2010, at 1:15 PM, James Smallacombe wrote:
>>>>     Jan 26 21:50:32 host named[667]: client IP REMOVED#57938: error sending response: not enough free resources
>>> indicates a problem sending UDP traffic; netstat -s output would be
>>
>> Unfortunately, I did not have time for netstats or tcpdumps when this was happening and I've not seen this log entry since yesterday evening.
>
> Unless you rebooted the machine again since the errors were reported, the netstat output would still be relevant.

Ok, I saw this at least once since the last reboot, so here are the tcp and udp portions of the netstat -s:

    tcp:
        31422122 packets sent
            23133142 data packets (3473553079 bytes)
            314215 data packets (132175418 bytes) retransmitted
            6579 data packets unnecessarily retransmitted
            11 resends initiated by MTU discovery
            5408494 ack-only packets (200066 delayed)
            0 URG only packets
            1237 window probe packets
            868892 window update packets
            1713629 control packets
        28600984 packets received
            17029642 acks (for 3351867346 bytes)
            1256410 duplicate acks
            73760 acks for unsent data
            11363962 packets (548204663 bytes) received in-sequence
            184682 completely duplicate packets (16657176 bytes)
            2327 old duplicate packets
            1468 packets with some dup. data (339128 bytes duped)
            334018 out-of-order packets (337877573 bytes)
            85687 packets (637782 bytes) of data after window
            10 window probes
            114047 window update packets
            160975 packets received after close
            1148 discarded for bad checksums
            0 discarded for bad header offset fields
            0 discarded because packet too short
            9123 discarded due to memory problems
        413250 connection requests
        1504359 connection accepts
        6 bad connection attempts
        100 listen queue overflows
        186225 ignored RSTs in the windows
        1912682 connections established (including accepts)
        2050764 connections closed (including 1022550 drops)
            1058803 connections updated cached RTT on close
            1065370 connections updated cached RTT variance on close
            252114 connections updated cached ssthresh on close
        3769 embryonic connections dropped
        11958433 segments updated rtt (of 11574855 attempts)
        285733 retransmit timeouts
            12079 connections dropped by rexmit timeout
        1884 persist timeouts
            4 connections dropped by persist timeout
        0 Connections (fin_wait_2) dropped because of timeout
        385 keepalive timeouts
            345 keepalive probes sent
            40 connections dropped by keepalive
        2663719 correct ACK header predictions
        5996181 correct data packet header predictions
        1520655 syncache entries added
            58477 retransmitted
            26560 dupsyn
            20622 dropped
            1504359 completed
            137 bucket overflow
            0 cache overflow
            6190 reset
            10206 stale
            100 aborted
            0 badack
            47 unreach
            0 zone failures
        1541277 cookies sent
        415 cookies received
        21638 SACK recovery episodes
        37110 segment rexmits in SACK recovery episodes
        51620488 byte rexmits in SACK recovery episodes
        240368 SACK options (SACK blocks) received
        217836 SACK options (SACK blocks) sent
        0 SACK scoreboard overflow
    udp:
        9663633 datagrams received
        0 with incomplete header
        0 with bad data length field
        549 with bad checksum
        9609 with no checksum
        12092 dropped due to no socket
        49230 broadcast/multicast datagrams undelivered
        0 dropped due to full socket buffers
        0 not for hashed pcb
        9601762 delivered
        42443353 datagrams output
        0 times multicast source filter matched

James Smallacombe
PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am
Re: named needs restart after a reboot
On Tue, Dec 8, 2009 at 12:24 PM, Warren Block wbl...@wonkity.com wrote:

> On Tue, 8 Dec 2009, Derrick Ryalls wrote:
>> uname: FreeBSD example.com 8.0-RELEASE-p1 FreeBSD 8.0-RELEASE-p1 #0: Sun Dec 6 11:23:52 PST 2009 ryal...@example.com:/usr/obj/usr/src/sys/FRODO amd64
>>
>> I have most things working, but I have noticed that every time I reboot the machine, I need to manually restart named to get it listening on the proper interfaces, as by default it is listening on 127.0.0.1 interfaces only. A simple /etc/rc.d/named restart fixes it, which seems like it would be configured correctly, but I have had to do this on an install before. Anyone have a guess as to what could be wrong?
>
> Only a guess: network interface comes up too late. If you're using DHCP to configure that interface, you could try SYNCDHCP. Or if it's an re(4) interface, there are patches in 8-STABLE that make it come up faster.
>
> -Warren Block * Rapid City, South Dakota USA

ifconfig_nfe0="SYNCDHCP"

Was the fix, thanks!
Re: named needs restart after a reboot
On Wed, Dec 9, 2009 at 3:39 PM, Derrick Ryalls ryal...@gmail.com wrote:

> On Tue, Dec 8, 2009 at 12:24 PM, Warren Block wbl...@wonkity.com wrote:
>> On Tue, 8 Dec 2009, Derrick Ryalls wrote:
>>> uname: FreeBSD example.com 8.0-RELEASE-p1 FreeBSD 8.0-RELEASE-p1 #0: Sun Dec 6 11:23:52 PST 2009 ryal...@example.com:/usr/obj/usr/src/sys/FRODO amd64
>>>
>>> I have most things working, but I have noticed that every time I reboot the machine, I need to manually restart named to get it listening on the proper interfaces, as by default it is listening on 127.0.0.1 interfaces only. A simple /etc/rc.d/named restart fixes it, which seems like it would be configured correctly, but I have had to do this on an install before. Anyone have a guess as to what could be wrong?
>>
>> Only a guess: network interface comes up too late. If you're using DHCP to configure that interface, you could try SYNCDHCP. Or if it's an re(4) interface, there are patches in 8-STABLE that make it come up faster.
>>
>> -Warren Block * Rapid City, South Dakota USA
>
> ifconfig_nfe0="SYNCDHCP"
>
> Was the fix, thanks!

Spoke too soon. On one reboot, the interface couldn't talk to DHCP until I set it down then back up. I have gone to statically setting the IP. Not ideal, but seems to be working (based on one clean reboot).
named needs restart after a reboot
Greetings,

uname: FreeBSD example.com 8.0-RELEASE-p1 FreeBSD 8.0-RELEASE-p1 #0: Sun Dec 6 11:23:52 PST 2009 ryal...@example.com:/usr/obj/usr/src/sys/FRODO amd64

I have most things working, but I have noticed that every time I reboot the machine, I need to manually restart named to get it listening on the proper interfaces, as by default it is listening on 127.0.0.1 interfaces only. A simple /etc/rc.d/named restart fixes it, which seems like it would be configured correctly, but I have had to do this on an install before. Anyone have a guess as to what could be wrong?

Thanks.
Re: named needs restart after a reboot
On Tue, 8 Dec 2009, Derrick Ryalls wrote:

> uname: FreeBSD example.com 8.0-RELEASE-p1 FreeBSD 8.0-RELEASE-p1 #0: Sun Dec 6 11:23:52 PST 2009 ryal...@example.com:/usr/obj/usr/src/sys/FRODO amd64
>
> I have most things working, but I have noticed that every time I reboot the machine, I need to manually restart named to get it listening on the proper interfaces, as by default it is listening on 127.0.0.1 interfaces only. A simple /etc/rc.d/named restart fixes it, which seems like it would be configured correctly, but I have had to do this on an install before. Anyone have a guess as to what could be wrong?

Only a guess: network interface comes up too late. If you're using DHCP to configure that interface, you could try SYNCDHCP. Or if it's an re(4) interface, there are patches in 8-STABLE that make it come up faster.

-Warren Block * Rapid City, South Dakota USA
Re: named issue
Jeffrey Goldberg wrote:

> These are queries your mailservers are making to the spamhaus blocking list. How many queries to the ZEN Spamhaus DNSBL are you making per day? If you exceed their non-commercial usage, they will cut you off.

I see. Thank you all for your suggestions.

Jos Chrispijn
named issue
[named]

Lately I get messages like this in my all.log:

named[605]: too many timeouts resolving '*.*.*.*.zen.spamhaus.org/A' (in 'zen.spamhaus.ORG'?): disabling EDNS

(*) is a random IP address

Now before I add the following lines in /etc/named.conf or /var/named/chroot/etc/named.conf:

logging {
	category lame-servers { null; };
	category edns-disabled { null; };
};

I would like to know what I could do to prevent generation of that line?

Thanks,
Jos Chrispijn
Re: named issue
On 9/25/09, Jos Chrispijn ker...@webrz.net wrote:

> [named]
>
> Lately I get messages like this in my all.log:
>
> named[605]: too many timeouts resolving '*.*.*.*.zen.spamhaus.org/A' (in 'zen.spamhaus.ORG'?): disabling EDNS
>
> (*) is a random IP address
>
> Now before I add the following lines in /etc/named.conf or /var/named/chroot/etc/named.conf:
>
> logging {
> 	category lame-servers { null; };
> 	category edns-disabled { null; };
> };
>
> I would like to know what I could do to prevent generation of that line?
>
> Thanks,
> Jos Chrispijn

That's likely an email DNSBL (DNS Blacklist). zen.spamhaus.org is known for DNSBL. Disable it in your mailserver... but then you get nasties.

--TJ
Re: named issue
On Sep 25, 2009, at 2:00 PM, Jos Chrispijn wrote:

> [named]
>
> Lately I get messages like this in my all.log:
>
> named[605]: too many timeouts resolving '*.*.*.*.zen.spamhaus.org/A' (in 'zen.spamhaus.ORG'?): disabling EDNS
>
> (*) is a random IP address

These are queries your mailservers are making to the spamhaus blocking list. How many queries to the ZEN Spamhaus DNSBL are you making per day? If you exceed their non-commercial usage, they will cut you off.

See http://www.spamhaus.org/organization/dnsblusage.html

-j

--
Jeffrey Goldberg                        http://www.goldmark.org/jeff/
Re: /etc/rc.d/named dilemma
Nerius Landys nlan...@gmail.com wrote:

> I am still bamboozled by the network taking 30 seconds to come up.

One thing I've run into recently is an Ethernet switch that needs to resolve spanning tree after a port reset. The physical link comes back up quickly, but it seems to take about 30 seconds before the switch will handle any traffic.
Re: /etc/rc.d/named dilemma
On Fri, Aug 21, 2009 at 09:37:09PM -0700, Nerius Landys wrote:

> I am trying to figure out why DNS lookups are not possible right after the named process has been launched (during bootup).

At start, named sends a couple of queries to e.g. root servers. All this requires the network connection to be already up and running; and if you're using a firewall, it also needs to be up and ready. And, more importantly, it requires some time until named is ready to answer lookups... and in the mean time, you've already launched other processes who do queries.

I have a similar problem with a little FreeBSD-based home router running net/mpd5 to connect via PPPoE to a DSL line. Because packages (and so mpd) start after all system processes, named has problems to connect to the root servers, pf has problems initializing itself without ng0 interface, ntpd has problems initializing itself,... and when mpd finally established the network connection, it is already too late.

I'd love to change the rc-order of the scripts, so that mpd starts first, waits until the link is up, and only then starts the other processes. But until I've found out how to do that the right way, I wrote a little batch script that gets invoked at link-up, and that simply restarts all other processes in the order: pf, named, ntpd, postfix, etc... That's not ideal, but as a kludge, it works for me.

-cpghost.

--
Cordula's Web. http://www.cordula.ws/
Re: /etc/rc.d/named dilemma
On Fri, 21 Aug 2009 21:37:09 -0700 Nerius Landys nlan...@gmail.com wrote:

> Then why can't I do a lookup right after named starts?

Possibly it's a delay in bind being ready or maybe you don't have any network access - the latter is common with ppp.

> By the way, the underlying issue that I'm trying to address is that ntpdate, which comes right after named in the boot sequence, is not able to resolve the DNS for the time servers.

Try putting the following in /usr/local/etc/rc.d/waitfordns and make it executable (untested)

#!/bin/sh
#
# PROVIDE: waitfordns
# REQUIRE: named
# BEFORE: ntpdate

. /etc/rc.subr

: ${waitfordns_enable:=yes}

name=waitfordns
rcvar=`set_rcvar`
stop_cmd=:
start_cmd=waitfordns_start

waitfordns_start(){
	# keep retrying the local resolver until it answers; discard the output
	/usr/bin/dig +time=1 +retry=99 @127.0.0.1 google.com > /dev/null 2>&1
}

load_rc_config ${name}
run_rc_command $1
Re: /etc/rc.d/named dilemma
Thanks for the script. I found the underlying problem on my system. My server is at a data center and I don't know what kind of equipment the server is connected to. It appears that it takes 30 seconds for the networking to start. I added this script as /etc/rc.d/waitfornetwork, and enabled it in rc.conf:

===
#!/bin/sh
# PROVIDE: waitfornetwork
# REQUIRE: NETWORKING
# BEFORE: named

. /etc/rc.subr

: ${waitfornetwork_enable:=NO}

name=waitfornetwork
rcvar=`set_rcvar`
stop_cmd=:
start_cmd=waitfornetwork_start

waitfornetwork_start() {
	echo Waiting for network to initialize.
	for i in 0 1 2 3 4 5 6 7 8 9; do
		#echo Iteration $i
		if ping -c 1 198.41.0.4 | grep -q '^1 packets transmitted, 1 packets received, 0.0% packet loss'; then
			break
		fi
	done
}

load_rc_config ${name}
run_rc_command $1
===

It goes through 4 or 5 iterations (the for loop) before it exits. This takes about 30 seconds. Without this startup script, ntpdate and ntpd fail, regardless of whether or not I use named as my local DNS caching server. With this script enabled, ntpdate and ntpd are able to resolve the listed DNS for the time servers, regardless of whether I'm using 127.0.0.1 or some other DNS in my resolv.conf.

This 30 second delay for the network to start on every reboot (at the data center) - is this normal?
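The two scripts in this thread each wait for one thing (the link, or the local resolver) and the network one loops without a ceiling. As an added example, not from either poster, here is one rc.d-style script that does both waits with a bounded number of attempts, so a dead link or a named that never comes up delays the boot by a known amount instead of hanging it; the script name waitfornetdns, the WAITFORNETDNS_ADDR variable, the TEST-NET-1 probe address and the try counts are all constructed placeholders.

```shell
#!/bin/sh
#
# Added example (not from the thread): wait for the network, then for the
# local resolver, with a bounded total wait.  Script name, probe address,
# variable name and try counts are constructed placeholders.
#
# PROVIDE: waitfornetdns
# REQUIRE: NETWORKING
# BEFORE: ntpdate

# wait_for_probe MAX_TRIES SLEEP_SECONDS COMMAND [ARGS...]
# Runs COMMAND until it exits 0 or MAX_TRIES attempts are used up.
# Returns 0 on success, 1 on timeout.  It decides on the probe's exit
# status rather than grepping its output, so a change in ping's summary
# line cannot turn a working probe into one that never matches.
wait_for_probe() {
	_max=$1; _sleep=$2; shift 2
	_try=0
	while [ "$_try" -lt "$_max" ]; do
		if "$@" >/dev/null 2>&1; then
			return 0
		fi
		_try=$((_try + 1))
		if [ "$_try" -lt "$_max" ]; then
			sleep "$_sleep"
		fi
	done
	return 1
}

# Probe 1: one ICMP echo to a host beyond the local switch port.
# 192.0.2.1 is a placeholder (TEST-NET-1); use your gateway or a known host.
net_probe() {
	ping -c 1 "${WAITFORNETDNS_ADDR:-192.0.2.1}"
}

# Probe 2: a short query to the local named.  dig exits non-zero when the
# server does not answer within +time seconds, which is all we need here.
dns_probe() {
	dig +time=1 +tries=1 @127.0.0.1 . NS
}

# wait_for_stage LABEL MAX_TRIES PROBE: report progress, but never fail the
# boot; the services that follow get a clear message instead of a hang.
wait_for_stage() {
	printf 'Waiting for %s: ' "$1"
	if wait_for_probe "$2" 1 "$3"; then
		echo ok
	else
		echo "timed out after $2 tries, continuing anyway"
	fi
}

waitfornetdns_start() {
	wait_for_stage "network link" 30 net_probe
	wait_for_stage "local resolver" 15 dns_probe
}

# rc.d glue, only when invoked by (or like) the FreeBSD rc framework.
if [ -r /etc/rc.subr ] && [ -n "$1" ]; then
	. /etc/rc.subr
	: ${waitfornetdns_enable:=NO}
	name=waitfornetdns
	rcvar=waitfornetdns_enable
	stop_cmd=:
	start_cmd=waitfornetdns_start
	load_rc_config ${name}
	run_rc_command "$1"
fi
```

Installed as /usr/local/etc/rc.d/waitfornetdns with waitfornetdns_enable="YES" in rc.conf, rcorder places it after NETWORKING and before ntpdate because of the header comments, which is the mechanism the thread's other replies rely on.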
Re: /etc/rc.d/named dilemma
One last question. I'm getting interesting [kernel?] messages during bootup. You know, the kind that are highlighted white in the console. The relevant lines of rc.conf look like this right now:

defaultrouter="64.156.192.1"
hostname="daffy.nerius.com"
ifconfig_em0="inet 64.156.192.169 netmask 255.255.255.0"
waitfornetwork_enable="YES"
named_enable="YES"
sshd_enable="YES"
#ntpdate_enable="YES"
ntpd_enable="YES"
linux_enable="YES"
apache22_enable="YES"
mysql_enable="YES"

Early on in the bootup, the ifconfig shows for em0:

inet 64.156.192.169 ...
media: Ethernet autoselect
status: no carrier

Then later on:

Waiting for network to initialize.
em0: link state changed to UP
calcru: runtime went backwards from 37332 usec to 16577 usec for pid 47 (sh)...
... (more messages about calcru)

And then everything starts fine, including ntpd. Why is em0 only brought up when I do my ping command in /etc/rc.d/waitfornetwork? And are these calcru messages something to be worried about?
Re: /etc/rc.d/named dilemma
> calcru: runtime went backwards from 37332 usec to 16577 usec for pid 47 (sh)...

Not to seem like I'm talking to myself, but I fixed this problem:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/faq/troubleshoot.html#CALCRU-NEGATIVE-RUNTIME

(Turn off Intel® Enhanced SpeedStep.)

I am still bamboozled by the network taking 30 seconds to come up.
Re: /etc/rc.d/named dilemma
Nerius Landys wrote:

> I am still bamboozled by the network taking 30 seconds to come up.

I don't remember the original description, but any time I hear about a 30 second gap during startup, I think of the well-known DNS reverse look-up issue. Are you sure this is not the case here?

Robert Huff
Re: /etc/rc.d/named dilemma
> I don't remember the original description, but any time I hear about a 30 second gap during startup, I think of the well-known DNS reverse look-up issue. Are you sure this is not the case here?

Indeed, I have forgotten to have the PTR record set up for my new IP address. However the original description is that when I issue a ping -c 100 x.y.z.w to a well-known IP address, only the last 70 packets get returned, not the first 30 (hence 30 seconds). This ping command is issued very early in the rc.d scripts, after NETWORK and before named, and the script does not exit until a ping request is successful.
Re: /etc/rc.d/named dilemma
On Saturday 22 August 2009 21:11:01 Nerius Landys wrote:

>> I don't remember the original description, but any time I hear about a 30 second gap during startup, I think of the well-known DNS reverse look-up issue. Are you sure this is not the case here?
>
> Indeed, I have forgotten to have the PTR record set up for my new IP address. However the original description is that when I issue a ping -c 100 x.y.z.w to a well-known IP address, only the last 70 packets get returned, not the first 30 (hence 30 seconds). This ping command is issued very early in the rc.d scripts, after NETWORK and before named, and the script does not exit until a ping request is successful.

Nerius;

I had the same problem until I put:

# REQUIRE: SERVERS cleanvar ppp-user

in the /etc/rc.d/named script, which means that named won't start until the ppp -ddial adsl command, which is called in /etc/rc.d/ppp-user, is finished. By then, DNS and default route will be established.

I also put:

# PROVIDE: ppp-user

in /etc/rc.d/ppp-user.

Sorry for writing you directly but I don't know why, the freebsd-questions list (in fact, all freebsd lists I'm subscribed to) is refusing my posts. Not even the list manager/owner gets them. If you would be so kind to forward this to them, I'd be very grateful. Maybe they could find out why so I could take action to try remedy what is causing the refusals of my e-mail.

Thanks and Best wishes,

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since version 2.2.8 [not Pro-Audio YET!!] (99,7% winedows FREE)
/etc/rc.d/named dilemma
I am trying to figure out why DNS lookups are not possible right after the named process has been launched (during bootup). I am kind of a newb at diagnosing these sorts of issues, but as an attempt to figure out what's wrong, I added the following lines to the very bottom of my /etc/rc.d/named:

case $1 in
*start)
	sleep 5
	cat /etc/resolv.conf
	ping -c 4 127.0.0.1
	host google.com || true
	;;
esac

And so, during bootup, I get the following messages, as expected:

Starting named.
domain nerius.com
nameserver 127.0.0.1
PING 127.0.0.1 ...
64 bytes from 127.0.0.1: icmp...
...
4 packets transmitted, 4 packets received...
...
;; connection timed out; no servers could be reached

The last line is what I don't understand. named is listening on 127.0.0.1, and normal lookups can be done fine after bootup. Then why can't I do a lookup right after named starts?

By the way, the underlying issue that I'm trying to address is that ntpdate, which comes right after named in the boot sequence, is not able to resolve the DNS for the time servers.

Thx.
Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6
On Sun, 28 Jun 2009 20:54:26 Ian wrote:

> Hi,
>
> I've been meaning to sort this out since the release of 7.1p5, but only just got around to it - I have an installation of 7.1 that runs bind and has been working fine up until I tried to update the system to 7.1p5 (using freebsd-update). As soon as I apply the update and reboot, named loads but the startup script hangs. If I press Ctrl+C, the system continues to boot. If I then run /etc/rc.d/named start, named starts, but again the script hangs. I can do DNS lookups while named is running, so it seems to be functioning ok.
>
> I tried adding various echo statements to /etc/rc.d/named and found that the script seems to run right through. The hang occurs where /etc/rc.subr echoes out Starting named after the named script has run and that's where things seem to stop! Nothing else that is started by the rc.d scripts hangs, so I'm guessing /etc/rc.subr is ok.
>
> I did a diff of /etc/rc.d/named before and after the upgrade from p4 to p5 (or p6 which has the same issue) and there are no changes to the file.
>
> Nothing seems to be logged anywhere that shows a problem, so I really have no idea what to check next. The only named entry in rc.conf is named_enable=YES.
>
> Doing a freebsd-update rollback restores normal operation and given that bind actually loads and seems to work apart from the hanging script, I suspect there's nothing wrong with my bind configuration.
>
> Any suggestions?
>
> Cheers,
> --
> Ian
> gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc

I've never really solved this problem - even running with the default named.conf as a simple caching server didn't change anything. Instead, I rolled back to 7.1p4 then upgraded to 7.2(p2) and bind works just fine.

Cheers,
--
Ian
gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc
Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6
Sorry for starting a new thread with this - my ISP's mail server seems to be rejecting all mail recipients when I send email with a mail client, so I'm having to use webmail instead. Their tech says they won't help - they only support Outlook! Grrr!

On Sun, 28 Jun 2009 23:27:07 Matthew Seaman wrote:

> Ian wrote:
>> Well the fact that if I run /etc/rc.d/named manually after the system has booted, the script also hangs suggests it's not the next process. I have just checked, however; ntpdate is the next one in the list to be started and that does start correctly - you can see it report the clock being adjusted.
>>
>> Also, when you do a Ctrl+C to break the named script on bootup, it says Script /etc/rc.d/named interrupted. Something I've just realised is that named stays loaded even when you 'break' the script on bootup, and DNS lookups work (I didn't think that was the case originally, but it is).

Actually, some careful checking tonight shows that I had forgotten I had a second DNS server in resolv.conf that was doing the DNS resolution - in fact bind on this server is not working even though a bind process appears to be running :/

> Hmmm Anything interesting from named in the system logs? You might want to enable /var/log/all.log by following the instructions in /etc/syslog.conf and then see what output you get by bouncing named. It's usually pretty good at pointing out exactly what it thinks the problem is.

I've enabled all.log, it only shows the following output when starting named:

Jun 29 20:51:43 msgserver named[1593]: starting BIND 9.4.2-P2 -t /var/named -u bind
Jun 29 20:51:43 msgserver named[1593]: found 1 CPU, using 1 worker thread

a ps axw | grep named gives the following output after running /etc/rc.d/named start:

1988  ??  Is     0:00.00 /usr/sbin/named -t /var/named -u bind
1930  p0  I+     0:00.06 /bin/sh -x /etc/rc.d/named start
1987  p0  I+     0:00.01 /usr/sbin/named -t /var/named -u bind

and then after doing a Ctrl+C in the terminal where /etc/rc.d/named start is running, only one process continues to run:

1988  ??  Is     0:00.00 /usr/sbin/named -t /var/named -u bind

This process doesn't respond to DNS queries, to rndc commands, to /etc/rc.d/named stop (says no process is running because there is no pid file being created) or to a kill command other than kill -9. (All named processes were killed before starting named.)

> You could also try running:
>
> # /bin/sh -x /etc/rc.d/named start
>
> -- make sure named isn't running when you do that. There will be quite a lot of output as the rc system loads all of the various config files, but you should be able to trace exactly where it's got to when it does hang.

Here are the edited highlights of the output, I can't see anything that helps:

+ _rc_subr_loaded=:
+ name=named
+ rcvar=named_enable
+ command=/usr/sbin/named
+ extra_commands=reload
+ start_precmd=named_precmd
+ start_postcmd=make_symlinks
+ reload_cmd=named_reload
+ stop_cmd=named_stop
+ stop_postcmd=named_poststop
+ load_rc_config named
+ _name=named
+ [ -z named ]
+ false
+ [ -r /etc/defaults/rc.conf ]
snip
+ named_enable=NO
+ named_program=/usr/sbin/named
+ named_pidfile=/var/run/named/pid
+ named_uid=bind
+ named_chrootdir=/var/named
+ named_chroot_autoupdate=YES
+ named_symlink_enable=YES
snip
+ sourced_files=:/etc/rc.conf::/etc/rc.conf.local:
+ [ -r /etc/rc.conf.local ]
+ _rc_conf_loaded=true
+ [ -f /etc/rc.conf.d/named ]
+ required_dirs=/var/named
+ pidfile=/var/run/named/pid
+ command_args=-u bind
+ run_rc_command start
+ _return=0
+ rc_arg=start
+ [ -z named ]
+ shift 1
+ rc_extra_args=
+ _rc_prefix=
+ eval _override_command=$named_program
+ _override_command=/usr/sbin/named
+ command=/usr/sbin/named
+ _keywords=start stop restart rcvar reload
+ rc_pid=
+ _pidcmd=
+ _procname=/usr/sbin/named
+ [ -n /usr/sbin/named ]
+ [ -n /var/run/named/pid ]
+ _pidcmd=rc_pid=$(check_pidfile /var/run/named/pid /usr/sbin/named )
+ [ -n rc_pid=$(check_pidfile /var/run/named/pid /usr/sbin/named ) ]
+ _keywords=start stop restart rcvar reload status poll
+ [ -z start ]
+ [ -n ]
+ eval rc_flags=$named_flags
+ rc_flags=
+ eval _chdir=$named_chdir _chroot=$named_chroot _nice=$named_nice _user=$named_user _group=$named_group _groups=$named_groups
+ _chdir= _chroot= _nice= _user= _group= _groups=
+ [ -n ]
+ [ -n named_enable -a start != rcvar ]
+ checkyesno named_enable
+ eval _value=$named_enable
+ _value=YES
+ debug checkyesno: named_enable is set to YES.
+ return 0
+ eval rc_pid=$(check_pidfile /var/run/named/pid /usr/sbin/named )
+ check_pidfile /var/run/named/pid /usr/sbin/named
+ _pidfile=/var/run/named/pid
+ _procname=/usr/sbin/named
+ _interpreter=
+ [ -z /var/run/named/pid -o -z /usr/sbin/named ]
+ [ ! -f /var/run/named/pid ]
+ debug pid file (/var/run/named/pid): not readable.
+ return
+ rc_pid=
+ [ start != start ]
+ eval _cmd=$start_cmd _precmd=$start_precmd _postcmd
Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6
On Tue, 30 Jun 2009 08:35:26 +, no-s...@people.net.au wrote:

> Sorry for starting a new thread with this - my ISP's mail server seems to be rejecting all mail recipients when I

With which reason?

> send email with a mail client, so I'm having to use webmail instead. Their tech says they won't help - they only support Outlook! Grrr!

Can I read this as they don't support proper POP/SMTP? What an ISP... :-(

--
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6
Hi,

I've been meaning to sort this out since the release of 7.1p5, but only just got around to it - I have an installation of 7.1 that runs bind and has been working fine up until I tried to update the system to 7.1p5 (using freebsd-update). As soon as I apply the update and reboot, named loads but the startup script hangs. If I press Ctrl+C, the system continues to boot. If I then run /etc/rc.d/named start, named starts, but again the script hangs. I can do DNS lookups while named is running, so it seems to be functioning ok.

I tried adding various echo statements to /etc/rc.d/named and found that the script seems to run right through. The hang occurs where /etc/rc.subr echoes out Starting named after the named script has run and that's where things seem to stop! Nothing else that is started by the rc.d scripts hangs, so I'm guessing /etc/rc.subr is ok.

I did a diff of /etc/rc.d/named before and after the upgrade from p4 to p5 (or p6 which has the same issue) and there are no changes to the file.

Nothing seems to be logged anywhere that shows a problem, so I really have no idea what to check next. The only named entry in rc.conf is named_enable=YES.

Doing a freebsd-update rollback restores normal operation and given that bind actually loads and seems to work apart from the hanging script, I suspect there's nothing wrong with my bind configuration.

Any suggestions?

Cheers,
--
Ian
gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc
Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6
Ian wrote:

> Hi,
>
> I've been meaning to sort this out since the release of 7.1p5, but only just got around to it - I have an installation of 7.1 that runs bind and has been working fine up until I tried to update the system to 7.1p5 (using freebsd-update). As soon as I apply the update and reboot, named loads but the startup script hangs. If I press Ctrl+C, the system continues to boot. If I then run /etc/rc.d/named start, named starts, but again the script hangs. I can do DNS lookups while named is running, so it seems to be functioning ok.
>
> I tried adding various echo statements to /etc/rc.d/named and found that the script seems to run right through. The hang occurs where /etc/rc.subr echoes out Starting named after the named script has run and that's where things seem to stop! Nothing else that is started by the rc.d scripts hangs, so I'm guessing /etc/rc.subr is ok.
>
> I did a diff of /etc/rc.d/named before and after the upgrade from p4 to p5 (or p6 which has the same issue) and there are no changes to the file.
>
> Nothing seems to be logged anywhere that shows a problem, so I really have no idea what to check next. The only named entry in rc.conf is named_enable=YES.
>
> Doing a freebsd-update rollback restores normal operation and given that bind actually loads and seems to work apart from the hanging script, I suspect there's nothing wrong with my bind configuration.
>
> Any suggestions?

Are you sure it's not the thing which starts immediately *after* named that is hanging? Try running:

# rcorder /etc/rc.d/* /usr/local/etc/rc.d/*

and see what should come next. Note this command shows the order in which all of the rc scripts in those directories would run, not just the ones you have enabled in rc.conf, so you may well have to skip a few lines until you get to something that is enabled.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6
On Sun, 28 Jun 2009 21:43:49 Matthew Seaman wrote:

> Ian wrote:
>> Hi,
>>
>> I've been meaning to sort this out since the release of 7.1p5, but only just got around to it - I have an installation of 7.1 that runs bind and has been working fine up until I tried to update the system to 7.1p5 (using freebsd-update). As soon as I apply the update and reboot, named loads but the startup script hangs. If I press Ctrl+C, the system continues to boot. If I then run /etc/rc.d/named start, named starts, but again the script hangs. I can do DNS lookups while named is running, so it seems to be functioning ok.
>>
>> I tried adding various echo statements to /etc/rc.d/named and found that the script seems to run right through. The hang occurs where /etc/rc.subr echoes out Starting named after the named script has run and that's where things seem to stop! Nothing else that is started by the rc.d scripts hangs, so I'm guessing /etc/rc.subr is ok.
>>
>> I did a diff of /etc/rc.d/named before and after the upgrade from p4 to p5 (or p6 which has the same issue) and there are no changes to the file.
>>
>> Nothing seems to be logged anywhere that shows a problem, so I really have no idea what to check next. The only named entry in rc.conf is named_enable=YES.
>>
>> Doing a freebsd-update rollback restores normal operation and given that bind actually loads and seems to work apart from the hanging script, I suspect there's nothing wrong with my bind configuration.
>>
>> Any suggestions?
>
> Are you sure it's not the thing which starts immediately *after* named that is hanging? Try running:
>
> # rcorder /etc/rc.d/* /usr/local/etc/rc.d/*
>
> and see what should come next. Note this command shows the order in which all of the rc scripts in those directories would run, not just the ones you have enabled in rc.conf, so you may well have to skip a few lines until you get to something that is enabled.
>
> Cheers,
>
> Matthew

Well the fact that if I run /etc/rc.d/named manually after the system has booted, the script also hangs suggests it's not the next process. I have just checked, however; ntpdate is the next one in the list to be started and that does start correctly - you can see it report the clock being adjusted.

Also, when you do a Ctrl+C to break the named script on bootup, it says Script /etc/rc.d/named interrupted. Something I've just realised is that named stays loaded even when you 'break' the script on bootup, and DNS lookups work (I didn't think that was the case originally, but it is).

Cheers,
--
Ian
gpg key: http://home.swiftdsl.com.au/~imoore/no-spam.asc
Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6
Ian wrote:
> Well, the fact that the script also hangs if I run /etc/rc.d/named manually after the system has booted suggests it's not the next process. I have just checked, however, and ntpdate is the next one in the list to be started, and that does start correctly - you can see it report the clock being adjusted.
>
> Also, when you do a Ctrl+C to break the named script on bootup, it says "Script /etc/rc.d/named interrupted".
>
> Something I've just realised is that named stays loaded even when you 'break' the script on bootup, and DNS lookups work (I didn't think that was the case originally, but it is).

Hmmm. Anything interesting from named in the system logs? You might want to enable /var/log/all.log by following the instructions in /etc/syslog.conf and then see what output you get by bouncing named. It's usually pretty good at pointing out exactly what it thinks the problem is.

You could also try running:

    # /bin/sh -x /etc/rc.d/named start

-- make sure named isn't running when you do that. There will be quite a lot of output as the rc system loads all of the various config files, but you should be able to trace exactly where it's got to when it does hang.

You're using the system-supplied copy of bind, aren't you? Have you got a valid /etc/named/rndc.conf or /etc/named/rndc.key file so you can use rndc(8)? If not, try running:

    # rndc-confgen > /etc/namedb/rndc.conf

and then cut'n'paste the indicated key and controls statements from that file into named.conf, stripping out the comment characters as you do (of course). If you're using one of the ports versions of named, do exactly the same thing, but copy or link rndc.conf into /usr/local/etc/ as well.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: named startup problems upgrading from 7.1p4 to 7.1p5 or 7.1p6
On Sunday 28 June 2009 03:24:26 Ian wrote:
> I tried adding various echo statements to /etc/rc.d/named and found that the script seems to run right through.

rc_debug=YES in /etc/rc.conf is REALLY handy for this.

--
Mel

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Named ignoring forward-only zones?
On Thu, Jun 04, 2009 at 11:53:38AM -0500, Kirk Strauser wrote:
> For some reason, BIND 9 (FreeBSD 7.2-RELEASE) isn't properly forwarding queries. A snippet of named.conf:
>
>     acl clients { localnets; localhost; ::1; 10.45.12/19; };
>
>     view "internal" {
>         match-clients { clients; };
>         zone "5.0.10.in-addr.arpa" {
>             type forward;
>             forward only;
>             forwarders { 10.0.5.16; };
>         };
>     };
>
> Now, I can query the forwarder directly to get the right answer:
>
>     $ dig +noall +answer -t ptr -x 10.0.5.16 @10.0.5.16
>     16.5.0.10.in-addr.arpa. 86400 IN PTR kanga.honeypot.net.
>
> But I can't get the same from named:
>
>     $ dig -t ptr -x 10.0.5.16
>     ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56485
>     ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>     ;; QUESTION SECTION:
>     ;16.5.0.10.in-addr.arpa.    IN    PTR
>
>     ;; AUTHORITY SECTION:
>     10.in-addr.arpa.    10800    IN    SOA    10.in-addr.arpa. nobody.localhost. 42 86400 43200 604800 10800
>
> So, why isn't named directing that query to the configured forwarder? I'm 99.9% certain this has been working recently.

Hi, Kirk. I had a similar issue with forward type zones yesterday. Though I'm not quite sure, it started to work after I put 127.0.0.1 into /etc/resolv.conf on our bind server. My named.conf entries look like this:

    ...
    zone "need2.frwd.zone" {
        type forward;
        forward only;
        forwarders { 10.xx.xx.xx; 10.xx.xx.yy; };
    };
    zone "10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.xx.xx.xx; 10.xx.xx.yy; };
    };
    ...

--
Best regards,
Jeff

| Nobody wants to say how this works. |
|        Maybe nobody knows ...        |
|            Xorg.conf(5)             |
D'oh! was Re: Named ignoring forward-only zones?
On Thursday 04 June 2009 11:53:38 am Kirk Strauser wrote:
> For some reason, BIND 9 (FreeBSD 7.2-RELEASE) isn't properly forwarding queries.

Commenting out

    // zone "10.in-addr.arpa" { type master; file "master/empty.db"; };

from named.conf fixed the problem. That's kind of... embarrassing.

--
Kirk Strauser
Re: named: error sending response: not enough free resources
Steve Bertrand wrote:
> Chris St Denis wrote:
>> Steve Bertrand wrote:
>>> What type of device is em1 attached to? Is it a switch or a hub? Is it possible to upgrade this? You should upgrade it to 100 (or 1000) anyways. Does this device show any collisions?
>>
>> This is a dedicated server in a datacenter. I don't know the exact switch specs, but it's likely a layer 2/3 managed switch. Probably a 1U Catalyst.
>
> Do you force 10Mb on your NIC, or do you auto-negotiate that?
>
> Perhaps before you pay a higher fee, your colo centre could allow you to connect to a 100Mb port (with perhaps some traffic policing) so you, as a client, could quickly verify if you want to scale up to their next tier without having to spend these up-front costs on troubleshooting this back-asswards.
>
>> I can upgrade the connection to 100mbps for a small monthly fee. I've left it at 10 because I haven't had a need, but with traffic recently growing, this is probably the problem.
>
> Tell the colo that. Tell them you need to test their next tier of service!
>
>>> # mail -s "tcpdump output" st...@ipv6canada.com < /var/log/dns.pcap
>>
>> I don't think this is necessary. If cutting down the http traffic or raising the port speed doesn't fix it, I'll look into further debugging with this.
>
> ...one more time, don't attempt to throttle your own traffic to troubleshoot what looks like a throughput bottleneck. Start with the colocation provider. They should, for free, allow you to have a testing period with their next service tier. Hopefully, they can do it without having to swap your Ethernet cable into another device. If it works during the test, then a small 'migration' and monthly upgrade fee would be acceptable (if they choose).
>
> Steve

The problem was resolved by switching to 100Mbps. It's interesting that bind is all that complains about the bandwidth exhaustion, but I guess it's about my only use of UDP, and TCP is better able to handle this kind of issue so doesn't complain.

--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
--- Smart Internet Solutions For Businesses
Re: named: error sending response: not enough free resources
> This is a dedicated server in a datacenter. I don't know the exact switch specs, but it's likely a layer 2/3 managed switch. Probably a 1U Catalyst.

You mean Cisco? They are actually the most problematic switches. They don't properly autonegotiate speed and full/half duplex with many network cards. For example, the card is set to full duplex and the Cisco to half duplex, or the reverse. More funny - even this doesn't always help. The only way to be sure it's fine is to set the speed manually on both sides.

In one place I have connectivity from an upstream provider that uses a Cisco switch. They set the speed to 100Mbps and full duplex on their side, but many NICs do not work fine with it. It works, but there are packet losses, or messages showing that the card sometimes can't send a packet, etc. Actually - the cheapest RTL8139 works best; Digital 21140 or Broadcom chips do not.

I really wasted a lot of time to discover that Cisco really works well with:
- another Cisco
- Realtek NICs
- some of the cheapest 5 or 8 port switches
Named ignoring forward-only zones?
For some reason, BIND 9 (FreeBSD 7.2-RELEASE) isn't properly forwarding queries. A snippet of named.conf:

    acl clients { localnets; localhost; ::1; 10.45.12/19; };

    view "internal" {
        match-clients { clients; };
        zone "5.0.10.in-addr.arpa" {
            type forward;
            forward only;
            forwarders { 10.0.5.16; };
        };
    };

Now, I can query the forwarder directly to get the right answer:

    $ dig +noall +answer -t ptr -x 10.0.5.16 @10.0.5.16
    16.5.0.10.in-addr.arpa. 86400 IN PTR kanga.honeypot.net.

But I can't get the same from named:

    $ dig -t ptr -x 10.0.5.16
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56485
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;16.5.0.10.in-addr.arpa.    IN    PTR

    ;; AUTHORITY SECTION:
    10.in-addr.arpa.    10800    IN    SOA    10.in-addr.arpa. nobody.localhost. 42 86400 43200 604800 10800

So, why isn't named directing that query to the configured forwarder? I'm 99.9% certain this has been working recently.

--
Kirk Strauser
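The follow-up in this thread ("D'oh!") found the cause: an enclosing zone "10.in-addr.arpa" of type master (the stock empty reverse zone) was still declared in the same view, and it answered the PTR query authoritatively (note the aa flag and the 10.in-addr.arpa SOA in the dig output above), so the forward-only zone underneath it never saw the query. The script below is an added example written for this page, not code from the thread or from BIND: a small brace-aware scanner for the named.conf subset shown above that flags any forward zone declared at or below a master/slave zone in the same view, which is exactly the overlap worth checking before blaming the forwarders. The configuration it scans is constructed for the example (the "external" view and the quoted names are assumptions, as is treating zones outside any view statement as belonging to a "_default" view).

```python
import re
from dataclasses import dataclass, field

# Tokens: quoted strings, the punctuation named.conf cares about, bare words.
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
_COMMENT = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)

# Zone types that are answered from local data rather than forwarded/recursed.
AUTHORITATIVE = {"master", "slave", "primary", "secondary"}


@dataclass
class Zone:
    name: str                 # lower-cased, no trailing dot ("." for the root)
    view: str                 # "_default" when no view statement encloses it
    ztype: str = ""
    forward: str = ""         # "only" / "first" / "" when not set
    forwarders: list = field(default_factory=list)


def _clean(tok: str) -> str:
    name = tok.strip('"').lower().rstrip(".")
    return name or "."


def parse_zones(conf: str) -> list:
    """Extract zone statements (with their enclosing view) from named.conf text.

    Only view, zone, type, forward and forwarders are interpreted; every other
    statement or block is skipped brace-aware, so real-world clutter is fine.
    """
    toks = _TOKEN.findall(_COMMENT.sub("", conf))
    zones = []
    pos = 0

    def block(view, zone):
        nonlocal pos
        stmt = []                       # tokens of the statement being read
        while pos < len(toks):
            tok = toks[pos]
            pos += 1
            if tok == "}":
                return
            if tok == ";":
                if zone is not None and len(stmt) >= 2:
                    if stmt[0] == "type":
                        zone.ztype = stmt[1].lower()
                    elif stmt[0] == "forward":
                        zone.forward = stmt[1].lower()
                stmt = []
            elif tok == "{":
                keyword = stmt[0] if stmt else ""
                if keyword == "view" and len(stmt) >= 2:
                    block(_clean(stmt[1]), None)
                elif keyword == "zone" and len(stmt) >= 2:
                    new = Zone(name=_clean(stmt[1]), view=view)
                    zones.append(new)
                    block(view, new)
                elif keyword == "forwarders" and zone is not None:
                    while toks[pos] != "}":             # flat address list
                        if toks[pos] != ";":
                            zone.forwarders.append(toks[pos])
                        pos += 1
                    pos += 1
                else:
                    block(view, zone)   # acl, options, match-clients, ...
                stmt = []
            else:
                stmt.append(tok)

    block("_default", None)
    return zones


def encloses(parent: str, child: str) -> bool:
    """True when `parent` is `child` itself or one of its ancestor domains."""
    return parent == "." or child == parent or child.endswith("." + parent)


def shadowed_forward_zones(zones: list) -> list:
    """(forward zone, authoritative zone, view) for every forward zone that sits
    at or below a master/slave zone declared in the same view."""
    hits = []
    for fz in zones:
        if fz.ztype != "forward":
            continue
        for az in zones:
            if az.view == fz.view and az.ztype in AUTHORITATIVE \
                    and encloses(az.name, fz.name):
                hits.append((fz.name, az.name, fz.view))
    return hits


# Constructed input modelled on the thread: the poster's forward zone plus the
# stock empty reverse zone the follow-up found was still active in that view,
# and an assumed second view to show that zones in other views are not matched.
SAMPLE_CONF = """
// constructed example, not the poster's full named.conf
acl clients { localnets; localhost; ::1; 10.45.12/19; };

view "internal" {
    match-clients { clients; };
    zone "5.0.10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.0.5.16; };
    };
    zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
    zone "." { type hint; file "named.root"; };
};

view "external" {
    match-clients { any; };
    zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
};
"""


def main():
    for fz, az, view in shadowed_forward_zones(parse_zones(SAMPLE_CONF)):
        print(f'view "{view}": forward zone "{fz}" sits under authoritative zone "{az}"')


if __name__ == "__main__":
    main()
```

Run it against a real named.conf by reading the file into `parse_zones`; a hit means a query under the forward zone can be answered from the enclosing zone's local data, which is what the NXDOMAIN with aa set looked like in the thread. Commenting out the enclosing master zone, as the poster did, clears the finding; so would moving it to a view the affected clients do not match.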
Re: named: error sending response: not enough free resources
>> - the network/LAN that named tries to send the UDP packet to is somehow flooded.
>
> DNS is probably fairly busy. It's the primary authoritative DNS for some busy domains. Is there a setting I can do to increase the limits of UDP packets to keep it from causing problems?

It would need to send 50 (I think) UDP packets in a burst faster than the NIC can send them. Unlikely. I'm 90% sure there is some problem with the network.
Re: named: error sending response: not enough free resources
On Wednesday 03 June 2009 00:46:20 Wojciech Puchar wrote:
>> named[69750]: client *ip removed*: error sending response: not enough free resources
>
> Quite misleading message, but the problem is that named wants to send a UDP packet and gets an error from the kernel. Possible reasons:
> - your firewall rules are the cause - check it.
> - your network card produces problems (REALLY, I have that case)
> - the network/LAN that named tries to send the UDP packet to is somehow flooded.

- the network card changes from UP to DOWN state at the time of the error

See that a lot running a local resolver on a wireless-g card and turning on the microwave.

--
Mel
Re: named: error sending response: not enough free resources
>> Possible reasons:
>> - your firewall rules are the cause - check it.
>> - your network card produces problems (REALLY, I have that case)
>> - the network/LAN that named tries to send the UDP packet to is somehow flooded.
>
> - the network card changes from UP to DOWN state at the time of the error
>
> See that a lot running a local resolver on a wireless-g card and turning on the microwave.

This is an extreme case. But the card doesn't need to go UP and DOWN for long enough for the system to get a message. My second case - "your network card produces problems (REALLY, I have that case)" - is an example. I had such a card that just reported an error every so many packets.
Re: named: error sending response: not enough free resources
On Wednesday 03 June 2009 11:48:48 Wojciech Puchar wrote:
>>> Possible reasons:
>>> - your firewall rules are the cause - check it.
>>> - your network card produces problems (REALLY, I have that case)
>>> - the network/LAN that named tries to send the UDP packet to is somehow flooded.
>>
>> - the network card changes from UP to DOWN state at the time of the error
>>
>> See that a lot running a local resolver on a wireless-g card and turning on the microwave.
>
> This is an extreme case.

Not really. The point is that at the time the network card goes from up to down, named spits out this error. If you log named to a different log file than /var/log/messages, you will not see the relation. The reason for changing UP to DOWN can be anything from a device operating in the 2.4GHz band when using wireless-g, to someone bumping his elbow into the colo's network cable, driver problems, switch failures, etc etc.

--
Mel
Re: named: error sending response: not enough free resources
> Not really. The point is that at the time the network card goes from up to down, named spits out this error. If you log named to a different log file than /var/log/messages, you will not see the relation. The reason for changing

This is one reason I always change syslog.conf to send everything to /var/log/messages. As you said - I see all events in time order.

Fortunately I don't use radio networking unless I have no other choice.
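The point Mel and Wojciech make above is that the kernel's link-state change and named's error only line up when both land in the same log and you read them in time order. The script below is an added example written for this page, not code from the thread: it does that correlation mechanically over BSD-style syslog lines, picking out named's "error sending response" lines and the kernel's "link state changed" lines, and reporting which errors fall within a few seconds of a link change and which are unexplained (and therefore call for the other checks the thread lists: firewall rules, the NIC, a saturated link). The host name, PID, client addresses, timestamps and the year supplied for the year-less syslog stamps are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# BSD syslog line: "Mon dd HH:MM:SS host prog[pid]: message"
_SYSLOG = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# FreeBSD kernel link-state message, e.g. "em1: link state changed to DOWN"
_LINK = re.compile(r"^(?P<ifname>[a-z]+\d+): link state changed to (?P<state>UP|DOWN)$")
# The named message discussed in this thread
_NAMED_ERR = re.compile(r"^client (?P<client>\S+): error sending response: (?P<reason>.+)$")


@dataclass
class Event:
    ts: datetime
    host: str
    prog: str
    msg: str


@dataclass
class Finding:
    ts: datetime
    client: str
    reason: str
    link_events: list = field(default_factory=list)   # (ts, ifname, state)


def parse_syslog(line: str, year: int = 2009) -> Optional[Event]:
    """Parse one BSD-style syslog line; syslog omits the year, so it is supplied."""
    m = _SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["host"], m["prog"], m["msg"])


def correlate(lines, window_s: int = 5, year: int = 2009) -> list:
    """Pair each named 'error sending response' with the kernel link-state
    changes logged within `window_s` seconds of it (before or after)."""
    events = [e for e in (parse_syslog(l, year) for l in lines) if e]
    links = []
    for e in events:
        lm = _LINK.match(e.msg) if e.prog == "kernel" else None
        if lm:
            links.append((e.ts, lm["ifname"], lm["state"]))
    window = timedelta(seconds=window_s)
    findings = []
    for e in events:
        nm = _NAMED_ERR.match(e.msg) if e.prog == "named" else None
        if not nm:
            continue
        nearby = [l for l in links if abs(e.ts - l[0]) <= window]
        findings.append(Finding(e.ts, nm["client"], nm["reason"], nearby))
    return findings


def summarize(findings) -> dict:
    near = sum(1 for f in findings if f.link_events)
    return {"total": len(findings), "near_link_change": near,
            "unexplained": len(findings) - near}


# Constructed sample log: one burst that coincides with a link flap on em1
# and one burst hours later with no link event anywhere near it.
SAMPLE_LOG = """\
Jun  3 00:46:18 eureka kernel: em1: link state changed to DOWN
Jun  3 00:46:20 eureka named[69750]: client 192.0.2.10#33210: error sending response: not enough free resources
Jun  3 00:46:20 eureka named[69750]: client 192.0.2.11#51022: error sending response: not enough free resources
Jun  3 00:46:23 eureka kernel: em1: link state changed to UP
Jun  3 09:12:41 eureka named[69750]: client 198.51.100.7#4455: error sending response: not enough free resources
Jun  3 09:12:42 eureka named[69750]: client 198.51.100.8#4456: error sending response: not enough free resources
Jun  3 09:13:02 eureka sshd[1234]: Accepted publickey for chris from 203.0.113.9 port 50122 ssh2
""".splitlines()


def main():
    findings = correlate(SAMPLE_LOG)
    for f in findings:
        cause = ", ".join(f"{ifn} {st} at {ts:%H:%M:%S}" for ts, ifn, st in f.link_events)
        print(f"{f.ts:%b %d %H:%M:%S} {f.client}: {cause or 'no link change nearby'}")
    print(summarize(findings))


if __name__ == "__main__":
    main()
```

Feed it `/var/log/messages` (or all.log, as suggested earlier in the thread) with `correlate(open(path).read().splitlines())`; the window is deliberately short because the thread's observation is that the error appears at the moment the interface drops, not minutes later. Errors left in the "unexplained" bucket are the ones to take to ipfw, the driver and the port speed.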
named: error sending response: not enough free resources
I occasionally get named errors like these in my messages log. I've done a lot of searching and have found others with similar problems, but no solutions.

    named[69750]: client *ip removed*: error sending response: not enough free resources
    named[69750]: client *ip removed*: error sending response: not enough free resources
    named[69750]: client *ip removed*: error sending response: not enough free resources
    named[69750]: client *ip removed*: error sending response: not enough free resources
    named[69750]: client *ip removed*: error sending response: not enough free resources

The system isn't particularly heavily loaded. Load averages around 0.5, CPU averages about 90% idle, not swapping much.

Other messages on this subject suggest a shortage of mbufs or an issue with the NIC driver (the item I read was complaining about fxp, but I have em), so here is the related info.

    eureka# uname -a
    FreeBSD eureka 6.3-RELEASE-p1 FreeBSD 6.3-RELEASE-p1 #1: Mon Feb 25 08:17:08 PST 2008     cstde...@eureka:/usr/obj/usr/src/sys/EUREKA  i386
    eureka# named -v
    BIND 9.3.4-P1
    eureka# ifconfig em1
    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
            *IPs removed*
            ether 00:30:48:94:0a:31
            media: Ethernet 10baseT/UTP <full-duplex>
            status: active
    eureka# netstat -m
    1240/2165/3405 mbufs in use (current/cache/total)
    1216/1290/2506/25600 mbuf clusters in use (current/cache/total/max)
    1216/150 mbuf+clusters out of packet secondary zone in use (current/cache)
    0/0/0/0 4k (page size) jumbo clusters in use (current/cache/total/max)
    0/0/0/0 9k jumbo clusters in use (current/cache/total/max)
    0/0/0/0 16k jumbo clusters in use (current/cache/total/max)
    2742K/3121K/5863K bytes allocated to network (current/cache/total)
    0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
    0/0/0 requests for jumbo clusters denied (4k/9k/16k)
    8/430/6656 sfbufs in use (current/peak/max)
    0 requests for sfbufs denied
    0 requests for sfbufs delayed
    999635 requests for I/O initiated by sendfile
    276104 calls to protocol drain routines

How do I fix this?

--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
--- Smart Internet Solutions For Businesses
Re: named: error sending response: not enough free resources
> lot of searching and have found others with similar problems, but no solutions.
>
>     named[69750]: client *ip removed*: error sending response: not enough free resources
>     named[69750]: client *ip removed*: error sending response: not enough free resources
>     named[69750]: client *ip removed*: error sending response: not enough free resources
>     named[69750]: client *ip removed*: error sending response: not enough free resources
>     named[69750]: client *ip removed*: error sending response: not enough free resources

Quite misleading message, but the problem is that named wants to send a UDP packet and gets an error from the kernel. Possible reasons:
- your firewall rules are the cause - check it.
- your network card produces problems (REALLY, I have that case)
- the network/LAN that named tries to send the UDP packet to is somehow flooded.

I experienced all 3 cases. The last is of course the easiest to detect.

> Other messages on this subject suggest a shortage of mbufs or an issue with

No, you are fine with mbufs, memory etc.
Re: named: error sending response: not enough free resources
Wojciech Puchar wrote:
>> lot of searching and have found others with similar problems, but no solutions.
>>
>>     named[69750]: client *ip removed*: error sending response: not enough free resources
>>     named[69750]: client *ip removed*: error sending response: not enough free resources
>>     named[69750]: client *ip removed*: error sending response: not enough free resources
>>     named[69750]: client *ip removed*: error sending response: not enough free resources
>>     named[69750]: client *ip removed*: error sending response: not enough free resources
>
> Quite misleading message, but the problem is that named wants to send a UDP packet and gets an error from the kernel. Possible reasons:
> - your firewall rules are the cause - check it.

Nope:

    eureka# ipfw list
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    65534 allow ip from any to any
    65535 deny ip from any to any

> - your network card produces problems (REALLY, I have that case)

I have had this kind of error on multiple servers over the years, so I don't think it's a hardware problem.

> - the network/LAN that named tries to send the UDP packet to is somehow flooded.

DNS is probably fairly busy. It's the primary authoritative DNS for some busy domains. Is there a setting I can do to increase the limits of UDP packets to keep it from causing problems?

The server is approaching its 10 Mbps interface speed during peak hours; I may need to upgrade it to 100 Mbps.

> I experienced all 3 cases. The last is of course the easiest to detect.
>
>> Other messages on this subject suggest a shortage of mbufs or an issue with
>
> No, you are fine with mbufs, memory etc.

--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
--- Smart Internet Solutions For Businesses
Re: named: error sending response: not enough free resources
Chris St Denis wrote:
> Wojciech Puchar wrote:
>> Possible reasons:
>> - your firewall rules are the cause - check it.
>
> Nope:
>
>     eureka# ipfw list
>
>> - your network card produces problems (REALLY, I have that case)
>
> I have had this kind of error on multiple servers over the years, so I don't think it's a hardware problem.
>
>> - the network/LAN that named tries to send the UDP packet to is somehow flooded.
>
> DNS is probably fairly busy. It's the primary authoritative DNS for some busy domains. Is there a setting I can do to increase the limits of UDP packets to keep it from causing problems?
>
> The server is approaching its 10 Mbps interface speed during peak hours; I may need to upgrade it to 100 Mbps.

The 10Mb ceiling (shown by your ifconfig output) could be a damper on this.

What type of device is em1 attached to? Is it a switch or a hub? Is it possible to upgrade this? You should upgrade it to 100 (or 1000) anyways. Does this device show any collisions?

Can you do the following for a few minutes (until at least the problem is triggered):

    # tcpdump -n -i em1 -s 0 -w /var/log/dns.pcap proto 17 port 53

...and then:

    # mail -s "tcpdump output" st...@ipv6canada.com < /var/log/dns.pcap

Is this server a caching recursive server for internal clients, or an authoritative server? What else runs on this box? If you generate further network traffic over the interface, do the log entries pile up faster?

What does:

    # netstat -s -p udp

say?

I'd focus squarely on the 10Mbps cap first. That should be easy to test and eliminate. Then, once that is rectified, we can find out whether it's an inherent problem with the system.

Steve