Re: BIND 9.9.1-P4 is now available
Hello, We are finding several of our recursive BIND 9.9.1-P3 servers (on Solaris 10 OS) hung and I want to be able to qualify the symptoms in order to convince others that P4 (or 9.9.2?) will (or will not) address this. Let me define what "hung" means in our experience: We find that named is running but will not respond to queries, "rndc status" will respond with output but that output shows that named is not processing any queries (see below), other rndc commands appear to work as well (e.g., "rndc dumpdb"). From what I understand, P4 offers this known bug fix: * A deliberately constructed combination of records could cause named to hang while populating the additional section of a response. [RT #31090] -- CVE-2012-5166: Specially crafted DNS data can cause a lockup in named Additional details are mentioned in https://kb.isc.org/article/AA-00801/74/CVE-2012-5166%3A-Specially-crafted-DNS-data-can-cause-a-lockup-in-named.html: "A nameserver that has become locked-up due to the problem reported in this advisory will not respond to queries or control commands." So, our hang issue qualifies for the "...will not respond to queries"; however, it seems that our issue does *not* qualify for the "... will not respond to... control commands" piece if the responses from "rndc" are considered control command. Thoughts? Thank you. $ rndc status version: 9.9.1-P3 (version.bind/txt/ch disabled) CPUs found: 2 worker threads: 2 UDP listeners per interface: 2 number of zones: 36 debug level: 0 xfers running: 0 xfers deferred: 0 soa queries in progress: 0 query logging is OFF recursive clients: 0/3900/4000 tcp clients: 0/100 server is up and running $ time host www.google.com 127.0.0.1 ;; connection timed out; no servers could be reached real 0m10.035s user 0m0.017s sys 0m0.017s $ time host localhost 127.0.0.1 ;; connection timed out; no servers could be reached real 0m10.034s user 0m0.017s sys 0m0.017s $ truss -p 17657 /4: lwp_park(0xFE9AFD48, 0) (sleeping...) /3: lwp_park(0x, 0) (sleeping...) /1: sigtimedwait(0xFFBFFBE8, 0xFFBFFB68, 0x) (sleeping...) /2: lwp_park(0x, 0) (sleeping...) /5: ioctl(8, DP_POLL, 0xFE98FF80) (sleeping...)___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: transparent DNS load-balancing with a Cisco ACE
Thanks, Phil. This makes perfect sense--unlike TCP, there's nothing
inherent in UDP to make sure that packets come back from the right IP.
Thank you also for explaining this in terms of the socket APIs. This is
something I've only barely touched on--time for me to play around a bit
and write some code. I'd also just been doing an rndc stop/start to
update the listening sockets--just what's bundled into the initscript.
I'll keep reconfig in mind--might come in handy.
Aside: realized that I didn't reply to the list last time--doing so now.
John
On 10/25/2012 11:53 AM, Phil Mayers wrote:
On 25/10/12 15:54, John Miller wrote:
Is BIND associating each request with a particular socket, then? It
would certainly make sense if that were the case. This was something I
didn't fully realize.
Yes.
Something else I didn't fully realize was that by default, BIND binds to
_each_ of the available IP addresses on the system--_not_ to 0.0.0.0, as
happens with other network daemons (e.g. sshd).
It does this because the cross-platform AF_INET socket APIs are limited.
Binding a socket to each separate IP and replying from the same socket
is the simplest cross-platform way to guarantee that UDP replies come
from the right IP.
AF_INET6 has a newer API which solves this, and if you "lsof -i :53"
you'll see that bind only opens one socket for IPv6/UDP (unless you are
on a system which doesn't implement RFC 3493/3542, in which case it
falls back to one socket per IPv6 address).
TCP-based daemons can ignore this, because the TCP stack takes care of it.
Note that bind doesn't detect new IPs immediately - you need to do "rndc
reconfig" or wait for the timer ("interface-interval" in the "options"
block).
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.9.1-P4 is now available
Hello Again, I could have made my question a bit more clear as I try to understand the details behind what P4 addresses. Perhaps I am having an internal battle between logic vs. interpretation around "or". Let me explain. I'm wondering if a named process affected by CVE-2012-5166 has symptoms of both (1) "not respond to queries" and (2) "not respond to control commands" at the same time, all the time. If that is the case, then P4 will not address my issue as I am only seeing (1) and so there may be another bug affecting BIND stability which I would like to report. Thank you. > > From: Fr34k >To: Bindlist >Sent: Thursday, October 25, 2012 9:51 AM >Subject: Re: BIND 9.9.1-P4 is now available > > >Hello, > > >We are finding several of our recursive BIND 9.9.1-P3 servers (on Solaris 10 OS) hung and I want to be able to qualify the symptoms in order to convince others that P4 (or 9.9.2?) will (or will not) address this. > > >Let me define what "hung" means in our experience: We find that named is running but will not respond to queries, "rndc status" will respond with output but that output shows that named is not processing any queries (see below), other rndc commands appear to work as well (e.g., "rndc dumpdb"). > > > >From what I understand, P4 offers this known bug fix: > > >* A deliberately constructed combination of records could cause named > to hang while populating the additional section of a response. > [RT #31090] -- CVE-2012-5166: Specially crafted DNS data can cause a lockup >in named > > >Additional details are mentioned in https://kb.isc.org/article/AA-00801/74/CVE-2012-5166%3A-Specially-crafted-DNS-data-can-cause-a-lockup-in-named.html: "A nameserver that has become locked-up due to the problem reported in this advisory will not respond to queries or control commands." > > >So, our hang issue qualifies for the "...will not respond to queries"; however, it seems that our issue does *not* qualify for the "... will not respond to... control commands" piece if the responses from "rndc" are considered control command. > > >Thoughts? > > >Thank you. > > > >$ rndc status >version: 9.9.1-P3 (version.bind/txt/ch disabled) >CPUs found: 2 >worker threads: 2 >UDP listeners per interface: 2 >number of zones: 36 >debug level: 0 >xfers running: 0 >xfers deferred: 0 >soa queries in progress: 0 >query logging is OFF >recursive clients: 0/3900/4000 >tcp clients: 0/100 >server is up and running > > >$ time host www.google.com 127.0.0.1 >;; connection timed out; no servers could be reached > >real 0m10.035s >user 0m0.017s >sys 0m0.017s >$ time host localhost 127.0.0.1 >;; connection timed out; no servers could be reached > >real 0m10.034s >user 0m0.017s >sys 0m0.017s > > >$ truss -p 17657 >/4: lwp_park(0xFE9AFD48, 0) (sleeping...) >/3: lwp_park(0x, 0) (sleeping...) >/1: sigtimedwait(0xFFBFFBE8, 0xFFBFFB68, 0x) (sleeping...) >/2: lwp_park(0x, 0) (sleeping...) >/5: ioctl(8, DP_POLL, 0xFE98FF80) (sleeping...) >___ >Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe >from this list > >bind-users mailing list >bind-users@lists.isc.org >https://lists.isc.org/mailman/listinfo/bind-users > >___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: transparent DNS load-balancing with a Cisco ACE
Hi,
Is it possible to configure BIND for IPV4 and IPV6 in the same server?
Regards,
Jagan
On Thu, Oct 25, 2012 at 9:35 PM, John Miller wrote:
> Thanks, Phil. This makes perfect sense--unlike TCP, there's nothing
> inherent in UDP to make sure that packets come back from the right IP.
>
> Thank you also for explaining this in terms of the socket APIs. This is
> something I've only barely touched on--time for me to play around a bit and
> write some code. I'd also just been doing an rndc stop/start to update the
> listening sockets--just what's bundled into the initscript. I'll keep
> reconfig in mind--might come in handy.
>
> Aside: realized that I didn't reply to the list last time--doing so now.
>
> John
>
> On 10/25/2012 11:53 AM, Phil Mayers wrote:
>
>> On 25/10/12 15:54, John Miller wrote:
>>
>> Is BIND associating each request with a particular socket, then? It
>>> would certainly make sense if that were the case. This was something I
>>> didn't fully realize.
>>>
>>
>> Yes.
>>
>> Something else I didn't fully realize was that by default, BIND binds to
>>> _each_ of the available IP addresses on the system--_not_ to 0.0.0.0, as
>>> happens with other network daemons (e.g. sshd).
>>>
>>
>> It does this because the cross-platform AF_INET socket APIs are limited.
>> Binding a socket to each separate IP and replying from the same socket
>> is the simplest cross-platform way to guarantee that UDP replies come
>> from the right IP.
>>
>> AF_INET6 has a newer API which solves this, and if you "lsof -i :53"
>> you'll see that bind only opens one socket for IPv6/UDP (unless you are
>> on a system which doesn't implement RFC 3493/3542, in which case it
>> falls back to one socket per IPv6 address).
>>
>> TCP-based daemons can ignore this, because the TCP stack takes care of it.
>>
>> Note that bind doesn't detect new IPs immediately - you need to do "rndc
>> reconfig" or wait for the timer ("interface-interval" in the "options"
>> block).
>>
> __**_
> Please visit
> https://lists.isc.org/mailman/**listinfo/bind-usersto
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/**listinfo/bind-users
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: transparent DNS load-balancing with a Cisco ACE
-Original Message- From: jagan padhi Date: Thursday, October 25, 2012 1:21 PM To: DNS BIND Subject: Re: transparent DNS load-balancing with a Cisco ACE >Hi, > >Is it possible to configure BIND for IPV4 and IPV6 in the same server? > >Regards, >Jagan Yes, we've been doing that since world IPv6 day. BIND supports it, but there are also best practices you'll want to follow when it comes to serving via IPv6 externally. You can Google for a lot of related discussion. Right now about 50% of our external services are exposed via IPv6, and all internal DNS clusters are available via IPv4 and IPv6 as load balanced VIPs (note: I am talking about hosted services / acquisitions, not just cisco.com). We've been happy with the results. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.9.1-P4 is now available
> Let me define what "hung" means in our experience: We find that named is > running but will not respond to queries, "rndc status" will respond with > output but that output shows that named is not processing any queries (see > below), other rndc commands appear to work as well (e.g., "rndc dumpdb"). Does it work if you restart named? If not, can you confirm it is listening on your intended interfaces (including 127.0.0.1) even if not working? > $ time host www.google.com 127.0.0.1 > ;; connection timed out; no servers could be reached Can you confirm that you can query for that without? (Such as dig @216.239.34.10 www.google.com or dig @8.8.8.8 www.google.com) > $ time host localhost 127.0.0.1 > ;; connection timed out; no servers could be reached Do you have a localhost zone defined? (Sometimes the messages from host like the one above are misleading and even the named may be working correctly but it is slow.) Jeremy C. Reed ISC___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ISC Bind in Active Directory
On 10/24/2012 6:02 PM, Phil Mayers wrote: Hell, if you've got WINS running and broadcast netbios, I think it's still possible to log in with *no* working DNS at all. At the risk of getting *totally* off-topic, no-one who cares about security or about broadcast traffic on their LANs would even consider allowing WINS to function in their enterprise. It can (and should) be disabled via registry key and/or DHCP options, and left in the dustbin of ancient IT history. - Kevin ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND 9.9.1-P4 is now available
Hello Jeremy, Thank you for your reply. >> Let me define what "hung" means in our experience: We find that named is >> running but will not respond to queries, "rndc status" will respond with >> output but that output shows that named is not processing any queries (see >> below), other rndc commands appear to work as well (e.g., "rndc dumpdb"). > >Does it work if you restart named? Yes. That is, everything is up and running again after we restart named. 9.9.1-P3 has been running on several servers since 10/3 without any known issues... until today. > >If not, can you confirm it is listening on your intended interfaces >(including 127.0.0.1) even if not working? > >> $ time host www.google.com 127.0.0.1 >> ;; connection timed out; no servers could be reached > >Can you confirm that you can query for that without? (Such as dig >@216.239.34.10 www.google.com or dig @8.8.8.8 www.google.com) > >> $ time host localhost 127.0.0.1 >> ;; connection timed out; no servers could be reached > >Do you have a localhost zone defined? (Sometimes the messages from host >like the one above are misleading and even the named may be working >correctly but it is slow.) Yes, we do have a localhost zone defined. However, queries for 3rd party hostnames (e.g., www.google.com) were failing as well. > > Jeremy C. Reed > ISC > > ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: transparent DNS load-balancing with a Cisco ACE
In message
, jagan padhi writes:
>
> Hi,
>
> Is it possible to configure BIND for IPV4 and IPV6 in the same server?
>
> Regards,
> Jagan
Yes. listen-on-v6 { any; };
By default it use both IPv4 and IPv6 when recursing.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
forwarder is ignored when authoritative zone is added
I've recently had an issue that I'm having some issues finding
information on solving.
I have internal DNS resolvers...they act as recursive name servers for
general internet queries, but we have forwarders explicitly defined
for specific internal zones being served by other name servers.
My configuration has one particular zone configured as such:
zone "internal.organization.com" IN { type forward; forward only;
forwarders {172.x.x.x; 172.x.x.x; }; };
I have our main zone, organization.com, hosted in an external area
outside of a firewall with a wildcard record contained in it for
anything that is not explicitly defined. I have some services that I
need to reach using names that are in this external zone internally.
What I'm trying to do is to slave the organization.com zone to my
internal recursive resolver to mitigate any possible network issues.
So I setup the internal resolver as a slave for the "organization.com"
zone and found that queries against "internal.organization.com" were
getting answered with the wildcard for the external "organization.com"
zone. I can't seem to figure out why the forwarders are getting
ignored. Is it an order of precedence, say authoritative zones are
respected over forwarders...or something else??
Thanks for any assistance anyone can provide, or point me to some
documentation I'm missing,
Frank
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
