Re: Stats collection script for BIND 9.5 (and greater?)
On Mon, 15 Dec 2008 15:44:39 -0800, JINMEI Tatuya said:

> At Mon, 15 Dec 2008 17:18:21 +0100,
> Alexander Gall wrote:
>
>>> http://members.iinet.com.au/~pyard...@ihug.com.au/#%5B%5BBIND%209.5%20DNS%20Stats%5D%5D
>>
>> This looks useful, thanks. However, ISC has chosen to change some
>> tags in 9.6.0rc1 (nsstats -> nsstat, zonestats -> zonestat, resstats ->
>> resstat). Unfortunately, they didn't bump the version of their XML
>> schema (it's still reported as 1.0 in the tag), so it's hard to
>> do right. I hope this is going to be fixed in the final 9.6.0
>> release.
>
> 9.6.0rc2 (and 9.5.1rc2) will soon be released (and I don't think we
> can make a change to these versions unless it's a fatal bug).
> So, if this is a crucial fix to be incorporated in the final release
> we don't have much time. Just out of curiosity, how crucial do you
> think it is to bump the version? My understanding is that bumping the
> version will help if we keep supporting the first version for a
> reasonably long period, while chasing newer versions. Realistically,
> however, I suspect most users (especially those using advanced
> management tools like this script) will move to 9.5.1 (or 9.6.0)
> anyway, since 9.5.0 and its P1/P2 variants have other problems:
> vulnerability to the Kaminsky attack (in case of vanilla 9.5.0),
> performance issues due to file descriptor limitations, ACL
> crash/memory leak, cache memory management bug, etc.
>
> *If* we could assume no one realistically continues to stick to 9.5.0,
> wouldn't it be simpler just to drop the old format and migrate to the
> new one? (I understand the migration itself is a pain, and I apologize
> for the inconvenience. As I said in a response to a different thread,
> we'll try to avoid this happening in future releases).

Yes, if that assumption is correct, I don't see a big problem sticking to version 1.0 for the new format in 9.6.0 and 9.5.1.

Still, if you do manage to get this particular change in (I guess it would be extremely localized and probably doesn't require any actual code change at all) that would be preferable, IMHO.

-- 
Alex

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
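The practical problem in this exchange is that a collector cannot use the schema version attribute to tell the 9.5.0 element names from the 9.6.0rc1 ones, since both documents claim 1.0. The example below is added here and is not the stats script linked above nor ISC code: it reads one counter group from a statistics-channel document whichever spelling it uses, and reports which spelling it found. The assumed element layout (each counter element holding a <name> and a <counter> child) and the two sample documents are constructed for the example, not copied from ISC's schema.

```python
import xml.etree.ElementTree as ET

# Old (9.5.0) and new (9.6.0rc1) element names for each counter group, as listed in the thread.
COUNTER_TAGS = {
    "nsstat": ("nsstats", "nsstat"),
    "zonestat": ("zonestats", "zonestat"),
    "resstat": ("resstats", "resstat"),
}


def load_counters(xml_text, group="nsstat"):
    """Read one counter group from a statistics-channel document in either spelling.

    Assumption (not taken from ISC's schema): every counter element carries a
    <name> and a <counter> child. Returns the schema version the server claims,
    the element name that was actually found, and the counters by name.
    """
    root = ET.fromstring(xml_text)
    stats = root.find(".//statistics")
    version = stats.get("version") if stats is not None else None
    old_tag, new_tag = COUNTER_TAGS[group]
    counters, dialect = {}, None
    for tag in (new_tag, old_tag):
        # keep only elements that really are counters, so a same-named wrapper is skipped
        elems = [e for e in root.iter(tag)
                 if e.find("name") is not None and e.find("counter") is not None]
        if elems:
            dialect = tag
            counters = {e.findtext("name"): int(e.findtext("counter")) for e in elems}
            break
    return {"schema_version": version, "dialect": dialect, "counters": counters}


# Constructed samples: same counters, same claimed version, different element names.
SAMPLE_950 = """<isc version="1.0"><bind><statistics version="1.0"><server>
<nsstats><name>Requestv4</name><counter>120</counter></nsstats>
<nsstats><name>Response</name><counter>118</counter></nsstats>
</server></statistics></bind></isc>"""
SAMPLE_960 = SAMPLE_950.replace("nsstats", "nsstat")

if __name__ == "__main__":
    for label, doc in (("9.5.0-style", SAMPLE_950), ("9.6.0rc1-style", SAMPLE_960)):
        r = load_counters(doc)
        print(label, "schema", r["schema_version"], "element", r["dialect"], r["counters"])
```

Because the version string is identical for both documents, the only robust signal is which element name actually carries name/counter children; recording that dialect alongside the counters lets a collector notice when a server is upgraded underneath it.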
NSLOOKUP not finding server
Hi,

I'm hoping someone can point out where I'm going wrong as I seem to be going round in circles!

I am trying to create a DNS server for my office network. I have created a smb domain (mydomain.now) which I am able to join from my Windows PCs but only while the old Windows DNS server is still running (domain = mydomain.int). As soon as I shut down the Windows domain controller and force the PCs to use the new DNS server an nslookup fails and I can't access the internet etc. from the PCs.

C:\Program Files\Windows Resource Kits\Tools>nslookup
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 192.168.1.80: Timed out
*** Default servers are not available
Default Server:  UnKnown
Address:  192.168.1.80

I have the following hardware:

ADSL router facing the outside world (XX.194.XX.194 external, 192.168.1.254 internal)
Server "myserver" running CENTOS (192.168.1.80)
Internal Windows PCs (192.168.1.XXX)

And the following files:

/etc/resolv.conf

domain mydomain.now
search mydomain.now

/var/named/chroot/etc/named.conf

options {
        directory "/var/named/chroot/var/named";
        pid-file "/var/named/chroot/var/run/named/named.pid";
        listen-on { 192.168.1.80; };
};
// zone "." { type hint; file "db.root"; };
zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.local";
};
zone "mydomain.now" {
        type master;
        notify no;
        file "pri.mydomain.now";
};
// zone "1.168.192.in-addr.arpa" { type master; file "192.168.1.rev"; };

/var/named/chroot/var/named/db.local

; reverse pointers for localhost
;
$TTL 1D
$ORIGIN 0.0.127.in-addr.arpa.
@       IN SOA  mydomain.now. root.localhost. (
                2008111901      ; serial
                28800           ; refresh, seconds
                7200            ; retry, seconds
                604800          ; expire, seconds
                86400 )         ; minimum, seconds
        IN NS   dns.mydomain.now.
1       IN PTR  localhost.

/var/named/chroot/var/named/pri.mydomain.now

$TTL 86400
@       IN SOA  mydomain.now. root.dns.mydomain.now. (
                2008111910
                28800
                7200
                604800
                86400 )
        NS      dns.mydomain.now.   ; trailing dot added: as posted (no dot) the name is read as dns.mydomain.now.mydomain.now.
        IN A    192.168.1.80
        IN MX   10 mail.mydomain.now.
localhost       A       127.0.0.1
myserver        A       192.168.1.80
                A       87.194.173.194
dns             CNAME   myserver
mail            CNAME   myserver
www             CNAME   myserver
ftp             CNAME   myserver
svn             CNAME   myserver
mydomainpc3     A       192.169.1.64

/var/named/chroot/var/named/192.168.1.rev

$ttl 38400
@       IN SOA  dns.mydomain.now. root.dns.mydomain.now. (
                1       ; Serial
                8H      ; Refresh
                2H      ; Retry
                1W      ; Expire
                1D )    ; Minimum
        NS      dns.mydomain.now.
80      PTR     myserver.mydomain.now.
        PTR     mail.mydomain.now.
64      PTR     myserver.mydomain.now.

I have tried about 20 different how-to BIND tutorials and come to nothing.

Any help now would be greatly appreciated.

Thanks in advance.

DP
Re: Random nx name queries, anyone see this before?
Alan Clegg wrote:
> ponga2...@gmail.com wrote:
>> I'm seeing name queries from a couple clients on the network that
>> occur around every two minutes - the queries are evidently random and
>> are looking for A IN records of this form, as an example:
>>
>> ungzbvyf.lzghmccim
>>
>> They always look like this, 8 lowercase chars, dot, then 9 lowercase
>> chars - never an FQDN.
>> I can't find what this might be - has anyone seen this before or have
>> any ideas?
>
> I've seen this and told a couple of people, but nobody has really shown
> interest.
>
> In addition to the regular format that you see, I've also picked up a
> pattern when you start seeing the queries from multiple sources...
>

I've seen it as well. The only pattern I've noticed is that the same name is commonly queried by multiple sources within about a 30-60 second window. Other than that window, the queries aren't repeated in at least 48 hours.

-- 
Dave
Re: Random nx name queries, anyone see this before?
Do you get an injected response at the same time not from the relevant root server? The only way would be to gather a tethereal dump to see if that is the case?

On 16 Dec 2008, at 14:20, Alan Clegg wrote:
Re: Random nx name queries, anyone see this before?
Frank Behrens wrote:
> ponga2...@gmail.com wrote on 15 Dec 2008 16:34:
>> I'd be very interested in what others find. I do have an update and
>> correction to my original post:
>>
>> The format is 9chars.8chars - as an example:
>> qjnqrtfun.wxsifmgj
>> Sometimes a colon appears, so the char list seems to be [a-z:]
>> Also, I was wrong about the FQDN - they do appear in named/bind logs -
>> so whatever app it is, the suffix search order is being used. My
>> apologies for the incorrect info the first time.

I had never seen any suffixes on the ones that I captured in the past (note that I first noticed this in March of 2008 and I don't see any of the odd traffic at the moment).

>> There are a couple clients that do this - so thanks for the tip AlanC,
>> I will look for a pattern. Other than that, I'm stumped. Thanks for
>> any hints provided!!

Look for patterns in the source UDP port -- also the timing of the queries was rather interesting, with some of the queries actually matching even when the sources of the requests were on different subnets and on machines that were owned by different organizations.

> Is it possible that a bot net tries to connect?
> http://www.heise-online.co.uk/security/Botnet-rises-again--/news/112118
>
> I don't want to make a panic, it's an idea only...

I had originally thought the same thing, but I can't see how it would be used. The problem with that theory is that the queries would only make it from the infected machine to the upstream resolver, and then to the root and an NXDOMAIN response would be elicited.

07-Mar-2008 02:01:31.516 queries: info: client A#1067: query: 4wmn1f4:t.g5u97dc9 IN A +
07-Mar-2008 02:03:11.317 queries: info: client B#42637: query: 9ra4hmm9s.u5j87tb6 IN A +
07-Mar-2008 02:03:23.049 queries: info: client C#1031: query: gxmikjfn4.v5w70um3 IN A +
07-Mar-2008 02:03:31.558 queries: info: client A#1067: query: 8m2zdm:4c.k3u86uf1 IN A +
07-Mar-2008 02:05:11.501 queries: info: client B#42638: query: fug8xatrs.w7m65zq4 IN A +
07-Mar-2008 02:05:23.112 queries: info: client C#1031: query: ek3hfaui:.t2o91ir1 IN A +

AlanC
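Two observations in this thread are concrete enough to turn into a triage check for a resolver's query log: the 9chars.8chars name shape (with an optional search suffix appended by the client) and Dave's note earlier in the thread that the same name tends to arrive from several clients within a 30-60 second window. The script below is an added example from the defender's side, not code from any poster. It parses the query-log line format shown in Alan's capture (the client addresses A/B/C are the capture's own placeholders), counts matching queries per client, and reports names seen from more than one client within the window. The three extra log lines (client D, client E, and a non-query line) are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# BIND "queries" category line, as in the capture above (client addresses shown there as A/B/C):
#   07-Mar-2008 02:01:31.516 queries: info: client A#1067: query: 4wmn1f4:t.g5u97dc9 IN A +
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<client>[^#\s]+)#(?P<port>\d+): query: (?P<name>\S+) IN (?P<rtype>\S+)"
)
# Shape reported in the thread: 9 chars, dot, 8 chars from [a-z:] (the capture also shows
# digits), optionally followed by the resolver's search suffix.
NAME_RE = re.compile(r"^[a-z0-9:]{9}\.[a-z0-9:]{8}(?:\.[a-z0-9.-]+)?$")

# Sample input: the six lines from the capture plus three constructed lines (client D repeating
# client B's name under a search suffix, a normal lookup from client E, and a non-query line).
SAMPLE_LOG = """\
07-Mar-2008 02:01:31.516 queries: info: client A#1067: query: 4wmn1f4:t.g5u97dc9 IN A +
07-Mar-2008 02:03:11.317 queries: info: client B#42637: query: 9ra4hmm9s.u5j87tb6 IN A +
07-Mar-2008 02:03:23.049 queries: info: client C#1031: query: gxmikjfn4.v5w70um3 IN A +
07-Mar-2008 02:03:31.558 queries: info: client A#1067: query: 8m2zdm:4c.k3u86uf1 IN A +
07-Mar-2008 02:03:40.002 queries: info: client D#3377: query: 9ra4hmm9s.u5j87tb6.corp.example IN A +
07-Mar-2008 02:04:00.000 queries: info: client E#53001: query: www.isc.org IN A +
07-Mar-2008 02:05:11.501 queries: info: client B#42638: query: fug8xatrs.w7m65zq4 IN A +
07-Mar-2008 02:05:23.112 queries: info: client C#1031: query: ek3hfaui:.t2o91ir1 IN A +
07-Mar-2008 02:05:30.000 general: info: zone example.test/IN: loaded serial 1
"""


def parse_line(line):
    """Return (timestamp, client, port, qname, qtype) or None for lines that are not queries."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    qname = m.group("name").rstrip(".").lower()
    return ts, m.group("client"), int(m.group("port")), qname, m.group("rtype")


def is_random_name(qname):
    """True when the name has the 9.8 throwaway shape, with or without a search suffix."""
    return NAME_RE.match(qname.rstrip(".").lower()) is not None


def analyze(lines, window=60.0):
    """Count matching queries per client; find names seen from several clients within `window` s."""
    per_client = defaultdict(int)
    sightings = defaultdict(list)  # first two labels -> [(timestamp, client)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_random_name(rec[3]):
            continue
        ts, client, _port, qname, _rtype = rec
        per_client[client] += 1
        # key on the first two labels so a suffixed copy collapses onto the bare name
        sightings[".".join(qname.split(".")[:2])].append((ts, client))
    correlated = []
    for core, seen in sightings.items():
        seen.sort()
        clients, closest = set(), None
        for (t1, c1), (t2, c2) in zip(seen, seen[1:]):
            gap = (t2 - t1).total_seconds()
            if c1 != c2 and gap <= window:
                clients.update((c1, c2))
                closest = gap if closest is None else min(closest, gap)
        if clients:
            correlated.append((core, sorted(clients), closest))
    return {"per_client": dict(per_client), "correlated": sorted(correlated)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for client, n in sorted(result["per_client"].items()):
        print(f"client {client}: {n} random-looking queries")
    for core, clients, gap in result["correlated"]:
        print(f"{core} queried by {', '.join(clients)} within {gap:.1f}s")
```

Run against a real query log, the per-client counts identify which machines to look at, and the correlated list is the cross-client signal Dave and Alan describe; the regex is deliberately tied to the shape reported here, so a different name shape needs its own pattern rather than a looser one.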
RE: NSLOOKUP not finding server
After months of failing to get this working, within 10 minutes of joining this list I have found the solution!

I needed to enable port 53 TCP AND UDP!

Sorry to waste anyone's time.

Regards

DP

From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Dave
Sent: 16 December 2008 10:14
To: bind-users@lists.isc.org
Subject: NSLOOKUP not finding server
Bind 9.5 configuration doubt
Hello.

I'm in doubt about defining a SOA record for a zone. Is this correct and valid?

$TTL 86400
$ORIGIN teste.com.
@       1D IN SOA   @ root (
                    42      ; serial (d. adams)
                    3H      ; refresh
                    15M     ; retry
                    1W      ; expiry
                    1D )    ; minimum
        1D IN NS    @
        1D IN A     192.168.1.3
www        IN A     192.168.1.2

This is just an example. In fact, my zone will be a public zone with valid IP addresses.

My doubt is whether it's correct to specify the "owner" and "source-dname" with "@", since "@" denotes the current origin. If I use $ORIGIN like in the example then I suppose that "@" will define just "teste.com" too. But I made this test on an internal DNS server and it looks like a valid configuration.
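Both this question and the nslookup thread above come down to how a master file's names are expanded: "@" stands for the current origin wherever a domain name is expected, in the owner field and inside RDATA alike, and a name without a trailing dot gets the origin appended (which is why "NS dns.mydomain.now" in that thread silently becomes dns.mydomain.now.mydomain.now.). The parser below is an added example, not code from either poster or from BIND: it applies the $ORIGIN, $TTL, "@", blank-owner and parenthesised-continuation rules to the zone from this question, and a small lint then reports NS/MX targets that end up inside the zone with no address record, the symptom of a forgotten trailing dot. SAMPLE_SOA is the zone posted above; SAMPLE_BAD is a constructed zone that repeats the nslookup thread's slip.

```python
import re

# Added example (not the poster's code): a minimal master-file parser applying the $ORIGIN,
# $TTL and "@" rules, plus a lint for NS/MX targets written without a trailing dot.
TTL_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^(\d+)([smhdw]?)$", re.IGNORECASE)
# RDATA positions holding domain names: "@" and relative names are expanded there too
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,)}


def parse_ttl(tok):
    """86400, 1D, 3H, 15M or 1W -> seconds."""
    m = TTL_RE.match(tok)
    if not m:
        raise ValueError(f"bad TTL {tok!r}")
    return int(m.group(1)) * TTL_UNITS[m.group(2).lower()]


def absolutize(name, origin):
    """'@' is the current origin; a name without a trailing dot gets the origin appended."""
    if name.endswith("."):
        return name
    if origin is None:
        raise ValueError("relative name before any $ORIGIN")
    return origin if name == "@" else f"{name}.{origin}"


def logical_lines(text):
    """Drop ';' comments and join '( ... )' continuations into one line each."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    if depth:
        raise ValueError("unbalanced parentheses")
    return out


def parse_zone(text, origin=None):
    """Return {owner, ttl, class, type, rdata} dicts with every name made absolute."""
    records, default_ttl, last_owner = [], None, None
    for line in logical_lines(text):
        toks = line.split()
        if toks[0] == "$TTL":
            default_ttl = parse_ttl(toks[1])
            continue
        if toks[0] == "$ORIGIN":
            origin = absolutize(toks[1], origin)
            continue
        # a blank owner field means "same owner as the previous record"
        owner = last_owner if line[0].isspace() else absolutize(toks.pop(0), origin)
        if owner is None:
            raise ValueError("record without owner")
        last_owner = owner
        ttl, rclass = default_ttl, "IN"
        while toks and (TTL_RE.match(toks[0]) or toks[0].upper() in ("IN", "CH", "HS")):
            tok = toks.pop(0)  # [TTL] [class] may appear in either order
            if TTL_RE.match(tok):
                ttl = parse_ttl(tok)
            else:
                rclass = tok.upper()
        rtype, rdata = toks[0].upper(), toks[1:]
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = absolutize(rdata[i], origin)
        if rtype == "SOA":  # refresh/retry/expire/minimum accept 3H-style units
            rdata[2:7] = [str(parse_ttl(t)) for t in rdata[2:7]]
        records.append({"owner": owner, "ttl": ttl, "class": rclass, "type": rtype, "rdata": rdata})
    return records


def lint_zone(records):
    """Report NS/MX targets inside the zone that have no A/AAAA/CNAME record in it."""
    apex = next((r["owner"] for r in records if r["type"] == "SOA"), None)
    have_addr = {r["owner"] for r in records if r["type"] in ("A", "AAAA", "CNAME")}
    problems = []
    for r in records:
        if r["type"] in ("NS", "MX"):
            target = r["rdata"][-1]
            if apex and (target == apex or target.endswith("." + apex)) and target not in have_addr:
                problems.append(f"{r['type']} target {target} has no address record (missing trailing dot?)")
    return problems


# The zone from the question above, whitespace aside
SAMPLE_SOA = """$TTL 86400
$ORIGIN teste.com.
@   1D IN SOA @ root (
            42 ; serial (d. adams)
            3H 15M 1W 1D ) ; refresh retry expiry minimum
    1D IN NS @
    1D IN A  192.168.1.3
www    IN A  192.168.1.2
"""
# Constructed zone repeating the slip from the nslookup thread: NS target without its trailing dot
SAMPLE_BAD = """$ORIGIN mydomain.now.
$TTL 86400
@   IN SOA mydomain.now. root.dns.mydomain.now. ( 1 28800 7200 604800 86400 )
    NS  dns.mydomain.now
myserver A 192.168.1.80
dns      CNAME myserver
"""
```

Parsing SAMPLE_SOA gives an SOA owned by teste.com. with MNAME teste.com. and RNAME root.teste.com. (the mailbox root@teste.com), so the "@" usage in the question is valid; the same expansion rule is what makes the dotless NS target in SAMPLE_BAD resolve to a name the zone never defines, which the lint reports.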
dns cache performance
Hi,

I use BIND 9.5.0-P2 on my FreeBSD 6.4 machine as a cache server. My server has 1 GB RAM and a 1.4 GHz CPU. I want to improve response time. Is it possible by configuring bind with the "--enable-threads" option? Or any other idea for it?

Note: My CPU is not dual core.

Thanks.
Re: dns cache performance
At Tue, 16 Dec 2008 21:23:51 +0200,
Sener ATAS wrote:

> I use BIND 9.5.0-P2 on my FreeBSD 6.4 machine as a cache server.
> My server has 1 gb ram and 1.4 ghz cpu. I want to improve response time.
> Is it possible with configure bind with "--enable-threads" options?

It's *possible*, but threads won't help improve response performance for a single processor machine. I'd recommend you upgrade to 9.5.1 (currently rc1). That's the easiest and most effective way to improve overall performance for caching servers.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Stuck glue records in the GTLD servers??
If it were just a matter of the domain's authoritative name servers, you would be correct. But in order to use those name servers for other domains, the registrar has to submit them to the registry as HOST records. This is separate and unrelated to the nameserver settings on the domain itself, and does not appear at all in the zone file for that domain.

-wes

On Mon, Dec 15, 2008 at 4:22 PM, Milo Hyson wrote:

> Thanks for the tip. I've asked those with the proper authority to verify
> the registrar's records.
> I must admit that I find it unusual that this needs to be done. In my
> experience, the glue records automatically change when a domain's name
> servers are altered. However, I have never worked with this particular
> registrar before, so perhaps they do things differently. Regardless, thanks
> again. :)
>
> --
> Milo Hyson
> Chief Scientist
> CyberLife Labs
>
> On Dec 15, 2008, at 16:05, Mark Andrews wrote:
>
> You need to contact the registrar for netdentalcare.com and
> update the HOST record for ns.netdentalcare.com to have the
> new address record. This changes what GLUE is published
> in the COM zone.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
Install problem
Hello everyone

I am attempting to install bind (chrooted) on my debian etch server.

I first installed bind using apt-get install bind9, then realized I wanted it chrooted, so I uninstalled it and removed the /etc/bind folder thinking I was being very clever.

I then went to install bind as per this article.
http://linux.justinhartman.com/DNS_Installation_and_Setup_using_BIND9

Now bind doesn't seem to want to install properly even when I just use apt-get install bind9.

It seems the install is complaining about the original files in /etc/bind that don't exist any more, and the install doesn't seem to rebuild/replace them.

The install created a new /etc/bind folder with rndc.key only in it.

Now I am stuck as I don't have a clue as to how to resolve this.

Here is what I get when I attempt to install bind9

server2:~# apt-get install bind9
Reading package lists... Done
Building dependency tree... Done
The following NEW packages will be installed:
  bind9
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 0B/297kB of archives.
After unpacking 782kB of additional disk space will be used.
Selecting previously deselected package bind9.
(Reading database ... 33301 files and directories currently installed.)
Unpacking bind9 (from .../bind9_1%3a9.3.4-2etch3_i386.deb) ...
Setting up bind9 (9.3.4-2etch3) ...
wrote key file "/etc/bind/rndc.key"
chgrp: cannot access `/etc/bind/named.conf*': No such file or directory
dpkg: error processing bind9 (--configure):
 subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
 bind9
E: Sub-process /usr/bin/dpkg returned an error code (1)

Any comments would be most helpful.

Regards

Fred
Re: Install problem [resolved]
Hello all

Well out of curiosity I thought I would see what happened if I just installed bind, not bind9.

When it went to install it asked me some questions about the original files it couldn't find and installed them.

I then uninstalled bind and reinstalled bind9 as I wanted and it installed properly.

Now the fun of setting it all up.

Regards

Fred

-----Original Message-----
From: "Fred Zinsli"
To: bind-us...@isc.org
Date: Wed, 17 Dec 2008 16:44:24 +1300
Subject: Install problem