Weird...

That mac address "-o" thing causes more trouble....

So, IPs in your local and remote network ranges resolve, it's just slow?

There are many debug options you can enable, but they will require a recompile. I 
would use tcpdump to capture DNS traffic between ntop and your DNS server(s). 
Analyze that first before messing with the debug stuff.

G
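
The check suggested above, as an added example that is not part of the original thread: it lists the hosts ntop left unresolved in a host dump of the form quoted further down, builds a tcpdump command for DNS traffic, and reports whether a reverse (PTR) query for each of those hosts shows up in the capture. The dump field layout is assumed from the sample lines in the thread, the capture lines and the 192.0.2.x addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Four of the host-dump lines quoted later in this thread ("[...]" is the
# elision used in the original message).
SAMPLE_DUMP = """\
192.168.206.11|0|'192.168.206.11'|'192.168.206.11'|[...]
192.168.206.10|0|'192.168.206.10'|'hhnas01'|[...]
192.168.206.13|0|'192.168.206.13'|'192.168.206.13'|[...]
192.168.206.15|0|'192.168.206.15'|'hhutil01'|[...]
"""
# Constructed `tcpdump -n` text output; client and server addresses are made up.
SAMPLE_CAPTURE = """\
09:20:01.000001 IP 192.0.2.10.40000 > 192.0.2.53.53: 4101+ PTR? 11.206.168.192.in-addr.arpa. (45)
09:20:02.000001 IP 192.0.2.10.40001 > 192.0.2.53.53: 4102+ PTR? 10.206.168.192.in-addr.arpa. (45)
"""

def capture_command(dns_server, iface="any"):
    """Build the tcpdump command line; the server must parse as an IP address."""
    server = ipaddress.ip_address(dns_server)  # raises ValueError on anything else
    return f"tcpdump -n -i {iface} host {server} and port 53"

def unresolved(dump_text):
    """Hosts whose name field (4th, assumed) is still just the IP address."""
    hosts = []
    for line in dump_text.splitlines():
        fields = line.split("|")
        if len(fields) < 4:
            continue
        try:
            ip = ipaddress.ip_address(fields[0].strip())
        except ValueError:
            continue  # header or damaged line
        if fields[3].strip("'") == str(ip):
            hosts.append(ip)
    return hosts

def queried_names(capture_text):
    """PTR names that appear as questions in tcpdump's text output."""
    return {m.rstrip(".").lower() for m in re.findall(r"PTR\?\s+(\S+)", capture_text)}

def triage(dump_text, capture_text):
    """Map each unresolved IP to whether a reverse lookup for it was seen."""
    asked = queried_names(capture_text)
    return {str(ip): ("PTR query seen" if ip.reverse_pointer in asked
                      else "no PTR query seen")
            for ip in unresolved(dump_text)}

if __name__ == "__main__":
    print(capture_command("192.0.2.53"))
    for ip, status in triage(SAMPLE_DUMP, SAMPLE_CAPTURE).items():
        print(ip, status)
```

A host reported as "no PTR query seen" means ntop never asked for it during the capture window; one with a query seen points at the answer or at how it was handled.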


From: Eric Peters [mailto:[email protected]]
Sent: Tuesday, October 11, 2011 11:24 AM
To: [email protected] <[email protected]>
Subject: Re: [Ntop] DNS Resolution half working

What I see from my environment, DNS resolves SLOW! I'm able to resolve from 
inside and outside my network, but it takes hours to update. I'm also running a 
caching BIND server on the same server to see if that would speed things up, 
which it's not? Also, on a side note, for Ntop to work correctly separating my 
local and remote traffic I had to turn off MAC addresses via the command 
line -o

Cheers,
Eric


On Tue, Oct 11, 2011 at 6:05 AM, Gary Gatten <[email protected]> wrote:
Caching likely has nothing to do with it.  Do you notice if only your "remote" 
networks resolve, or only your "local", or do IPs from local AND remote networks 
resolve?  If one type of hosts is consistently not resolving it's prolly a bug 
in the resolution code

----- Original Message -----
From: Charles Gagnon [mailto:[email protected]]
Sent: Tuesday, October 11, 2011 06:51 AM
To: [email protected] <[email protected]>
Subject: Re: [Ntop] DNS Resolution half working

I'm surprised there is no caching. I just can't get ntop to resolve
the IPs and show the names. It works in only about half the IPs and I
have no idea why.

Looking at the "throughput" table, I will see some entries resolved properly:

sys1.unixrealm.com

While others show the ip:

192.168.213.42 [IP]

I can't figure out why this happens. I tested and re-tested my DNS and
these IPs resolve fine. Not sure why ntop won't handle it. Maybe it
should cache?


On Mon, Oct 10, 2011 at 2:05 PM, Gary Gatten <[email protected]> wrote:
> Lol!  I have dns issues, but different than yours.  If I run more than a single 
> resolution thread ntop will die a horrible death.
>
> There's no dnscache.db for some time now.  If u want caching try a caching 
> resolver.  I used bind.
>
> What do you want to start from scratch?  There's no caching or other history 
> related to resolution.
>
> After reviewing your problem it seems to be something with your dns and/or 
> local resolver conf.  What exactly is the issue?
>
> ----- Original Message -----
> From: Charles Gagnon [mailto:[email protected]]
> Sent: Monday, October 10, 2011 12:57 PM
> To: [email protected] <[email protected]>
> Subject: Re: [Ntop] DNS Resolution half working
>
> Nobody has DNS resolution issues?
>
> Did something replace dnsCache.db? Which of the DB files would I need
> to restart from scratch?
>
> On Wed, Sep 28, 2011 at 7:32 AM, Charles Gagnon <[email protected]> wrote:
>> These are all private servers. We use private addresses inside and NAT
>> out to the internet. All my servers use internal DNS servers. I have
>> /etc/resolv.conf setup as it should and nsswitch.conf says:
>>
>> hosts:      files nis dns
>>
>> So I'm thinking gethostbyaddr() should work fine. I feel like
>> resolution was attempted at some point and results were cached and now
>> it's not retrying. But I can't find "dnsCache.db" yet the man page
>> still refers to it.
>>
>> I started with:
>>
>> # ntop -P /usr/local/var/ntop -u ntop -d
>>
>> And this is what I have:
>>
>> [root@sys1 ~]# ls -l /usr/local/var/ntop/
>> total 2072
>> -rw-r----- 1 ntop ntop  225280 Sep 27 09:20 fingerprint.db
>> -rw-r----- 1 ntop ntop 1986634 Sep 26 12:55 macPrefix.db
>> -rw-r----- 1 ntop ntop   12546 Oct 21  2010 ntop_pw.db
>> -rw-r----- 1 ntop ntop   14094 Sep 27 09:20 prefsCache.db
>> drwxrwxrwx 5 ntop ntop    4096 Oct 21  2010 rrd
>>
>>
>> On Tue, Sep 27, 2011 at 10:24 PM, Burton Strauss III <[email protected]> wrote:
>>> 192.168.x.x/16 is the private space (RFC 1913).  So no public facing DNS
>>> server would resolve those.  It would only be resolved if you were pointing
>>> to your internal DNS server AND it was setup to manage the specific zone.
>>> So the question is where is nslookup getting names from?
>>>
>>>
>>>
>>> -----Burton
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Charles Gagnon
>>> Sent: Tuesday, September 27, 2011 1:12 PM
>>> To: [email protected]
>>> Subject: [Ntop] DNS Resolution half working
>>>
>>> I searched for references and I can't find what this error could be.
>>> When listing hosts (specially in the throughput list I use a lot), some
>>> hosts get resolved and others don't and I can't figure out why.
>>> I've setup DNS resolution to 'All' (though I tried "local" and "Local
>>> + Remote").
>>>
>>> When I look at the list, a number of items have names, others show the IP
>>> with "[IP]" after. Seems very consistent, the same hosts are resolved and
>>> the same show IPs between restarts.
>>>
>>> I was thinking of flushing out dnsCache.db but I don't think that exists in
>>> 4.1.0 (gone since 3.x maybe?).
>>>
>>> When I dump the hosts, I see some with names and others without:
>>>
>>> 192.168.206.11|0|'192.168.206.11'|'192.168.206.11'|[...]
>>> 192.168.206.10|0|'192.168.206.10'|'hhnas01'|[...]
>>> 192.168.206.13|0|'192.168.206.13'|'192.168.206.13'|[...]
>>> 192.168.206.12|0|'192.168.206.12'|'192.168.206.12'|[...]
>>> 192.168.206.15|0|'192.168.206.15'|'hhutil01'|[...]
>>> 192.168.206.14|0|'192.168.206.14'|'192.168.206.14'|[...]
>>>
>>> Any ideas? Any other "cache" I can get rid of. Testing with nslookup yields
>>> a name for all those IPs.
>>>
>>> --
>>> Charles Gagnon
>>> charlesg at unixrealm.com
>>> _______________________________________________
>>> Ntop mailing list
>>> [email protected]
>>> http://listgateway.unipi.it/mailman/listinfo/ntop
>>>
>>
>>
>>
>> --
>> Charles Gagnon
>> charlesg at unixrealm.com
>>
>
>
>
> --
> Charles Gagnon
> charlesg at unixrealm.com
>
> "This email is intended to be reviewed by only the intended recipient
>  and may contain information that is privileged and/or confidential.
>  If you are not the intended recipient, you are hereby notified that
>  any review, use, dissemination, disclosure or copying of this email
>  and its attachments, if any, is strictly prohibited.  If you have
>  received this email in error, please immediately notify the sender by
>  return email and delete this email from your system."



--
Charles Gagnon
charlesg at unixrealm.com