Re: Bind9 logging options

2010-05-18 Thread Matus UHLAR - fantomas
On 17.05.10 13:38, Techi wrote:
> I have a problem in my recursive DNS servers (Bind 9, on RHEL 5). Installed
> package on my system is the latest bind-9.3.6-4.P1.el5_4.2 from Red Hat. My
> problem is that sometimes queries fail with timeouts and that one of my
> 2 DNS servers (the one set as primary in my users) has 3 times more failed
> queries than the secondary, while the successful queries are almost the same.
> I am almost sure that the problem is network related (hardware or software),
> but I need a proof for that. Is there any way to log the timed-out queries in
> a log file?

and there is nothing in the bind log files?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Bind9 logging options

2010-05-18 Thread Techi
No! Log files aren't indicating any issue! The only indication I have about the
problem is the lack of queries in the log files. No timeouts, no failures. I
even tried to query a fake domain. The result was a normal record (with A+).
I did not find any error!
So, how on earth do I log them?

On Tue 18 of May 2010 10:58:53 Matus UHLAR - fantomas wrote:
> On 17.05.10 13:38, Techi wrote:
> > I have a problem in my recursive DNS servers (Bind 9, on RHEL 5).
> > Installed package on my system is the latest bind-9.3.6-4.P1.el5_4.2 from
> > Red Hat. My problem is that sometimes queries fail with timeouts
> > and that one of my 2 DNS servers (the one set as primary in my users)
> > has 3 times more failed queries than the secondary, while the successful
> > queries are almost the same. I am almost sure that the problem is
> > network related (hardware or software), but I need a proof for that. Is
> > there any way to log the timed-out queries in a log file?
> 
> and there is nothing in the bind log files?
> 


Re: Bind9 logging options

2010-05-18 Thread sthaug
> No! Log files aren't indicating any issue! The only indication I have about the
> problem is the lack of queries in the log files. No timeouts, no failures. I
> even tried to query a fake domain. The result was a normal record (with A+).
> I did not find any error!
> So, how on earth do I log them?

Use a packet sniffer (e.g. tcpdump, wireshark) on your DNS servers to
capture the DNS traffic.

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: Bind9 logging options

2010-05-18 Thread Tomasz Dereszynski

Quoting sth...@nethelp.no:

> > No! Log files aren't indicating any issue! The only indication I have about the
> > problem is the lack of queries in the log files. No timeouts, no failures. I
> > even tried to query a fake domain. The result was a normal record (with A+).
> > I did not find any error!
> > So, how on earth do I log them?
>
> Use a packet sniffer (e.g. tcpdump, wireshark) on your DNS servers to
> capture the DNS traffic.

if you set it to capture only port 53 and to save files up to a
reasonable size you can leave it running for 24h without a problem -
wouldn't recommend doing that without specifying port/service.


t

--

bEsT rEgArDs            |   "Confidence is what you have before you
tomasz dereszynski      |   understand the problem." -- Woody Allen
                        |
Spes confisa Deo        |   "In theory, theory and practice are much
numquam confusa recedit |   the same. In practice they are very
                        |   different." -- Albert Einstein





using TXT fields

2010-05-18 Thread fddi


Hello,
I wanted to ask if using TXT fields can have some bad implications,
security issues


thanks

Rick




Re: using TXT fields

2010-05-18 Thread Chris Thompson

On May 18 2010, fddi wrote:

> I wanted to ask if using TXT fields can have some bad implications,
> security issues


It rather depends what you put in them, doesn't it?

hostname  TXT  "Root password is AndyPandy"
mc-room   TXT  "Entacode is 2038"
...

--
Chris Thompson
Email: c...@cam.ac.uk
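Chris's point is that anything in a TXT record is world-readable, so the useful check is an audit of your own zone files for free-form text that should never have been published. The following scanner is an added example, not code from Chris Thompson or ISC: it parses single-line TXT records from master-file syntax (comment stripping is quote-aware so DMARC's semicolons survive), skips the machine-readable uses that are public by design (SPF, DMARC, DKIM), and flags the rest. The zone text is constructed for the example and includes the two joke records from the thread; the keyword list is an assumption and a starting point, not a complete detector.

```python
"""Flag TXT records in a BIND zone file that may be leaking secrets.

Added example for this thread, not code from Chris Thompson or ISC. The zone
text below is constructed (it includes the two joke records from the thread);
the keyword list is an assumed starting point, not a complete detector.
"""
import re

# One TXT record in master-file syntax: owner [ttl] [class] TXT "..." ["..."]...
TXT_RE = re.compile(r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(?P<data>".*")\s*$', re.I)
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')      # each quoted string, honouring \" escapes
KEYWORDS = re.compile(r"\b(password|passwd|pass|pin|secret|key|token|login)\b", re.I)
# Machine-readable TXT uses that are expected to be world-readable.
KNOWN_PREFIXES = ("v=spf1", "v=dmarc1", "v=dkim1")

# Constructed sample zone; the "hostname" and "mc-room" records are the thread's joke.
SAMPLE_ZONE = """\
$TTL 3600
@         IN SOA ns1.example.com. hostmaster.example.com. ( 2010051801 3600 900 604800 300 )
          IN NS  ns1.example.com.
hostname  IN TXT "Root password is AndyPandy"        ; the two joke records from the thread
mc-room   IN TXT "Entacode is 2038"
@         IN TXT "v=spf1 mx -all"
_dmarc    IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
long      IN TXT "first part " "second part"
"""


def strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted string (DMARC uses them)."""
    out, in_quotes, escaped = [], False, False
    for ch in line:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            break
        out.append(ch)
    return "".join(out)


def txt_records(zone_text):
    """Yield (owner, text) for every single-line TXT record; multi-string
    records are concatenated the way resolvers present them."""
    for raw in zone_text.splitlines():
        m = TXT_RE.match(strip_comment(raw).rstrip())
        if m:
            yield m["owner"], "".join(STRING_RE.findall(m["data"]))


def audit_txt(zone_text):
    """Return [(owner, text, reason)] for TXT records worth a human look."""
    findings = []
    for owner, text in txt_records(zone_text):
        if text.lower().startswith(KNOWN_PREFIXES):
            continue                                  # SPF/DMARC/DKIM: public by design
        if KEYWORDS.search(text):
            findings.append((owner, text, "credential keyword"))
        else:
            findings.append((owner, text, "free-form text"))
    return findings


if __name__ == "__main__":
    for owner, text, reason in audit_txt(SAMPLE_ZONE):
        print(f"{owner:<10} {reason:<20} {text!r}")
```

Run it against a real zone by replacing SAMPLE_ZONE with the file contents. Records that continue across lines inside parentheses, and records that inherit the owner from the previous line, are not parsed by this version; "Entacode is 2038" shows why the free-form bucket matters, since no keyword list would catch it.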


RE: Bind9 logging options

2010-05-18 Thread Todd Snyder

> The DNS Servers are authoritative. I have more than 100 users for them,
> and the number of queries performed per minute is very high due to the nature
> of our organization. Moreover, I do not have a specific time window in which
> the timeouts occur, so, it is impossible to run it 24/7! From your answer I
> conclude that there is no such option, correct?

Well, it depends on the reason for the timeouts.  If the packet is
getting lost along the way due to network issues, it would never hit the
server, and you wouldn't have any logs of it.

You could use filters on tcpdump (tcpdump -tt host x.y.z.a && port
53) and set up a script on a remote host to send a stream of queries.  You
don't necessarily have to capture all traffic to troubleshoot the
problem.  Make sure your servers are time sync'd properly so you can
correlate the logs.

Otherwise, if the issue is happening after the packet reaches the
server, then I'd bump up the debug level and turn on a bunch of logging
and make sure ntp is working fine and start watching logs while
generating a bunch of traffic from a test box.

Cheers,

Todd.


-
This transmission (including any attachments) may contain confidential 
information, privileged material (including material protected by the 
solicitor-client or other applicable privileges), or constitute non-public 
information. Any use of this information by anyone other than the intended 
recipient is prohibited. If you have received this transmission in error, 
please immediately reply to the sender and delete this information from your 
system. Use, dissemination, distribution, or reproduction of this transmission 
by unintended recipients is not authorized and may be unlawful.
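Steinar's and Todd's advice boils down to: capture port 53 on the server, send a known stream of queries, and then see which queries never got a reply. The script below is an added example, not code from the thread or from ISC; it does the correlation step over tcpdump's one-line DNS summary (the `-tt -n` text form), keying each query on client address, client port and DNS message id and reporting the ones with no reply within a timeout. It separates those from SERVFAIL replies, which is exactly the split Todd draws between packets lost on the wire and failures after the packet reached the server. The SERVER address, the timeout and the SAMPLE capture lines are constructed for the example; the capture and render commands in the docstring are the assumed way the input was produced.

```python
"""Find DNS queries that never got an answer in a tcpdump text capture.

Added example for this thread (not code from Todd, Steinar or ISC). It assumes
the capture was taken on the DNS server and rendered with tcpdump's one-line
DNS summary, roughly:

    tcpdump -tt -n -i eth0 -C 100 -W 24 -w dns.pcap port 53   # capture, 24 rotated 100 MB files
    tcpdump -tt -n -r dns.pcap port 53 > dns.txt              # render the capture as text

SERVER, TIMEOUT and the SAMPLE lines are constructed for the example.
"""
import re
import sys

SERVER = "192.0.2.1"   # assumed address of the resolver being watched
TIMEOUT = 5.0          # seconds without a reply before a query counts as lost

# tcpdump -tt -n summary line, e.g.
# 1274198400.000100 IP 192.0.2.10.53211 > 192.0.2.1.53: 12345+ A? www.example.com. (33)
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP6? (?P<src>[0-9a-fA-F.:]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[0-9a-fA-F.:]+)\.(?P<dport>\d+): (?P<id>\d+)(?P<flags>[+$%|*-]*) "
    r"(?P<rest>.*?)(?: \(\d+\))?$"
)

# Constructed sample: one answered query, one that never gets a reply, one
# NXDOMAIN (still an answer), one SERVFAIL, and one query right at the end.
SAMPLE = """\
1274198400.000100 IP 192.0.2.10.53211 > 192.0.2.1.53: 12345+ A? www.example.com. (33)
1274198400.002300 IP 192.0.2.1.53 > 192.0.2.10.53211: 12345 1/0/0 A 203.0.113.5 (49)
1274198401.000500 IP 192.0.2.11.40001 > 192.0.2.1.53: 4711+ A? mail.example.net. (34)
1274198401.100000 IP 192.0.2.12.40002 > 192.0.2.1.53: 9001+ AAAA? www.example.org. (36)
1274198401.130000 IP 192.0.2.1.53 > 192.0.2.12.40002: 9001 NXDomain 0/1/0 (88)
1274198409.000000 IP 192.0.2.13.40003 > 192.0.2.1.53: 31337+ A? bogus.example. (31)
1274198409.050000 IP 192.0.2.1.53 > 192.0.2.13.40003: 31337 ServFail 0/0/0 (31)
1274198410.000000 IP 192.0.2.14.40004 > 192.0.2.1.53: 555+ A? late.example.com. (34)
"""


def find_unanswered(lines, server=SERVER, timeout=TIMEOUT):
    """Correlate queries sent to `server` with the replies it sends back.

    A query is keyed by (client address, client port, DNS id); its reply must
    go back to the same client/port with the same id. Returns a dict with
      unanswered: [(ts, client, id, question)] no reply within `timeout` seconds
      servfail:   [(ts, client, id)] replied, but with rcode ServFail
      open:       queries still waiting when the capture ended (inconclusive)
    """
    pending = {}
    report = {"unanswered": [], "servfail": [], "open": 0}
    now = 0.0

    def expire(older_than):
        for key, (ts, question) in list(pending.items()):
            if ts < older_than:
                report["unanswered"].append((ts, key[0], key[2], question))
                del pending[key]

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # non-DNS or unparsable line
        now = float(m["ts"])
        expire(now - timeout)              # anything older than the window is lost
        if m["dst"] == server:             # query arriving at the server
            pending[(m["src"], m["sport"], m["id"])] = (now, m["rest"])
        elif m["src"] == server:           # reply leaving the server
            key = (m["dst"], m["dport"], m["id"])
            if pending.pop(key, None) is not None and m["rest"].startswith("ServFail"):
                report["servfail"].append((now, key[0], key[2]))
    expire(now - timeout)
    report["open"] = len(pending)
    return report


if __name__ == "__main__":
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE.splitlines()
    result = find_unanswered(source)
    for ts, client, qid, question in result["unanswered"]:
        print(f"{ts:.6f} no reply to {client} id {qid}: {question}")
    for ts, client, qid in result["servfail"]:
        print(f"{ts:.6f} SERVFAIL to {client} id {qid}")
    print(f"{result['open']} queries still waiting when the capture ended")
```

Feed a real capture with `tcpdump -tt -n -r dns.pcap port 53 | python3 dns_timeouts.py -`. A query that the client's own capture shows leaving but that never appears on the server side at all is the network-loss case Todd describes and will not be in this report; a query that is here as unanswered arrived and was dropped or stalled inside the server; a ServFail entry is the server answering with a failure, which BIND's own logs can explain.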


RE: How to prevent slaves from contacting master for name resolution?

2010-05-18 Thread Todd Snyder
Are all the slaves authoritative for all the zones?  If so, unless
you're using forwarding, or some really odd delegation, queries
shouldn't be going to the master servers.

Todd.

-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of
Keith Christian
Sent: Monday, May 17, 2010 5:59 PM
To: bind-users@lists.isc.org
Subject: How to prevent slaves from contacting master for name
resolution?

Our redundant DNS configuration is one master and three slaves, spread
across two colo facilities.

master and slave1 are in colo_ALPHA.
slave2 and slave3 are in colo_BETA.

During an extended maintenance window, the master DNS was offline.
Slave2 was trying to contact the master, and lookups failed.  Usually,
slave2 resolves without contacting the master, but occasionally it
does.

The IP for the master does not appear in slave2's /etc/resolv.conf,
and I'm not sure what else to check for on slave machines.  Where else
would I look?  Would any settings in named.conf account for this
behavior?

Versions are Linux (CentOS 5) and BIND 9.5.x.

Thanks.

==Keith



Re: Help for a Windows installation

2010-05-18 Thread Alessandro Magno
Any help for me? :,-(

2010/5/17 Alessandro:
> Hi,
>
> I'm trying to install the last version of Bind in a standalone Windows
> 2003 Server.
>
> I would set a caching-only nameserver, but I'm not so expert.
>
> I would:
> - limit who can use this nameserver
> - log the failed queries
> - delete the cache if necessary
>
> How should I fill in these files? Thanks!
> Alex
>
> named.conf nr. 1
> 
>
> options {
>                directory "C:\WINDOWS\system32\dns\etc";
> };
>
>
> key "rndc-key" {
>        algorithm hmac-md5;
>        secret "    ";
> };
>
> controls {
>        inet 127.0.0.1 port 953
>                allow { 127.0.0.1; } keys { "rndc-key"; };
> };
>
>
> named.conf nr. 2
> 
>
> acl corpnets { 192.168.1.0/24; };
> options {
>     // Working directory
>     directory "/etc/namedb";
>
>     allow-query { corpnets; };
> };
> // Provide a reverse mapping for the loopback
> // address 127.0.0.1
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "localhost.rev";
>     notify no;
> };
>
>
> key "rndc-key" {
>        algorithm hmac-md5;
>        secret "       ";
> };
>
>
> controls {
>        inet 192.168.1.46 port 953
>                allow { 192.168.1.46; } keys { "rndc-key"; };
> };
>
>
> zone "." IN {
>   type hint;
>   file "db.root.hint.txt";
> };
>



RE: Help for a Windows installation

2010-05-18 Thread Todd Snyder
Alessandro,

Generally people won't want to lay out entire configurations for you.  Spend a 
little time with the DNS & BIND book which will be your loving companion as a 
BIND admin (available on google books for free if your google-fu is good), and 
come back with direct questions/configuration examples if there is something 
you can't figure out and I'm confident people will more readily help out.

Specific things to look for:

- ACLs
  - acl
  - allow-recursion
  - allow-query-cache
  - allow-query
- logging statement
- rndc flush

Cheers,

Todd.

-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org 
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of 
Alessandro Magno
Sent: Tuesday, May 18, 2010 9:37 AM
To: bind-users@lists.isc.org
Subject: Re: Help for a Windows installation

Any help for me? :,-(

2010/5/17 Alessandro:
> Hi,
>
> I'm trying to install the last version of Bind in a standalone Windows
> 2003 Server.
>
> I would set a caching-only nameserver, but I'm not so expert.
>
> I would:
> - limit who can use this nameserver
> - log the failed queries
> - delete the cache if necessary
>
> How should I fill in these files? Thanks!
> Alex
>
> named.conf nr. 1
> 
>
> options {
>                directory "C:\WINDOWS\system32\dns\etc";
> };
>
>
> key "rndc-key" {
>        algorithm hmac-md5;
>        secret "    ";
> };
>
> controls {
>        inet 127.0.0.1 port 953
>                allow { 127.0.0.1; } keys { "rndc-key"; };
> };
>
>
> named.conf nr. 2
> 
>
> acl corpnets { 192.168.1.0/24; };
> options {
>     // Working directory
>     directory "/etc/namedb";
>
>     allow-query { corpnets; };
> };
> // Provide a reverse mapping for the loopback
> // address 127.0.0.1
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "localhost.rev";
>     notify no;
> };
>
>
> key "rndc-key" {
>        algorithm hmac-md5;
>        secret "       ";
> };
>
>
> controls {
>        inet 192.168.1.46 port 953
>                allow { 192.168.1.46; } keys { "rndc-key"; };
> };
>
>
> zone "." IN {
>   type hint;
>   file "db.root.hint.txt";
> };
>

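Todd's checklist maps onto a small caching-only named.conf. The file below is an added example, not a configuration from Alessandro, Todd or ISC: it takes the subnet, the Windows directory, the key name and the root-hints file name from Alessandro's own snippets, and the rest (channel and log file names, sizes, the loopback entry in the acl) is assumed. The three allow-* statements are the security-relevant part, since a caching server that answers recursion for anyone is an open resolver; the query-errors logging category exists from BIND 9.6 onward.

```conf
// Caching-only resolver for a LAN, restricted to the corporate subnet.
// Added example for this thread, not a configuration from the poster or ISC.
// Subnet, directory, key name and hints file follow the poster's snippets;
// everything else is illustrative and must be adapted.

acl corpnets { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "C:\WINDOWS\system32\dns\etc";   // Windows path from the poster's first file

    recursion yes;                         // caching-only: it resolves on clients' behalf
    allow-query       { corpnets; };       // who may ask anything at all
    allow-recursion   { corpnets; };       // who may have it resolve for them
    allow-query-cache { corpnets; };       // who may read answers already cached
    // With no zones of our own, "corpnets" on all three closes the open-resolver hole.
};

// Query logging. BIND only logs queries it actually receives; a query lost on
// the network never appears here (the point made in the "logging options" thread).
logging {
    channel query_log {
        file "query.log" versions 5 size 20m;
        print-time yes;
        severity info;
    };
    channel error_log {
        file "named-errors.log" versions 5 size 20m;
        print-time yes;
        print-category yes;
        severity info;
    };
    category queries      { query_log; };   // one line per query; grows quickly
    category query-errors { error_log; };   // queries that ended in SERVFAIL etc. (BIND 9.6+)
    category resolver     { error_log; };   // upstream lookup problems and timeouts
    category lame-servers { null; };        // noisy and rarely actionable
};

// rndc channel, needed for "rndc flush" (drop the whole cache) and
// "rndc flushname host.example" (one name). Generate the secret with rndc-confgen;
// hmac-md5 mirrors the poster's files.
key "rndc-key" {
    algorithm hmac-md5;
    secret "<paste the base64 secret from rndc-confgen here>";
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Root hints so the resolver can start iterating from the root.
zone "." IN {
    type hint;
    file "db.root.hint.txt";
};

// Reverse mapping for loopback, as in the poster's second file.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "localhost.rev";
    notify no;
};
```

Check the file with `named-checkconf` before restarting. At runtime `rndc querylog` toggles the queries category without editing the file, and `rndc flush` / `rndc flushname` cover the "delete the cache if necessary" item.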


Explanation of a resolver.c error message

2010-05-18 Thread Keith Christian
Could anyone offer an explanation for what condition(s) trigger this
error in older, out of date versions of BIND, specifically, BIND
9.5.1b1 ?

resolver.c:5617: REQUIREquery) != ((void *)0)) && (((const
isc__magic_t *)(query))->magic == ((('Q') << 24 | ('!') << 16 | ('!')
<< 8 | ('!')) failed

Is this related to a type of query, or some other event?

Thanks!

==Keith


Re: Explanation of a resolver.c error message

2010-05-18 Thread JINMEI Tatuya / 神明達哉
At Tue, 18 May 2010 12:07:12 -0600,
Keith Christian  wrote:

> Could anyone offer an explanation for what condition(s) trigger this
> error in older, out of date versions of BIND, specifically, BIND
> 9.5.1b1 ?
> 
> resolver.c:5617: REQUIREquery) != ((void *)0)) && (((const
> isc__magic_t *)(query))->magic == ((('Q') << 24 | ('!') << 16 | ('!')
> << 8 | ('!')) failed
> 
> Is this related to a type of query, or some other event?

I suspect it's a known bug:

2408.   [bug]   A duplicate TCP dispatch event could be sent, which
could then trigger an assertion failure in
resquery_response().  [RT #18275]

which has been fixed in recent versions of 9.5.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: using TXT fields

2010-05-18 Thread Peter Laws

On 05/18/10 06:16, Chris Thompson wrote:

> On May 18 2010, fddi wrote:
>
> > I wanted to ask if using TXT fields can have some bad implications,
> > security issues
>
> It rather depends what you put in them, doesn't it?
>
> hostname TXT "Root password is AndyPandy"
> mc-room TXT "Entacode is 2038"

Post-Its are great, but they often fall off the monitor.  This is a
superior solution and has the benefit of being remotely accessible.

Thanks for the "pro tip"!


--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!