Re: dns not resolving
On 2013-11-11 12:11, S. Jeff Cold wrote:
...
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22495
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;jeffdiss.org. IN A
...
> BIND's configuration file is :
>
> $TTL 3600
> $ORIGIN jeffdiss.org.
> ; Start of Authority record defining the key characteristics of the zone (domain)
> @ IN SOA server1.jeffdiss.org. zonemaster.jeffdiss.org. (
...
> ; mail server Resource Records (RR) for the domain
> 3w IN MX 10 mail.jeffdiss.org.
> ; domain hosts includes NS and MX records defined above plus any others required
> server1 IN A 192.168.1.50
> server2 IN A 192.168.1.51
> www IN A 192.168.1.51
...

Jeff,

The above is not the configuration file. As others have pointed out, there
is no way to know why a SERVFAIL was returned without that and other
important information.

But you will NEVER be able to resolve the name "jeffdiss.org" with the zone
file you included. Why is that? Because you never defined an address for
that name! That would require either an A record with a blank left hand
side before all the other A records, or one with "@" in the LHS.

And speaking of missing A records, what is the IP address of
"mail.jeffdiss.org"? Nobody will ever know, given this zone file.

As Tom Lehrer famously said, life is like a sewer: what you get out of it
depends on what you put into it. Same with DNS - only a bit more pleasant,
one might hope.

I hope this starts to help.

Joe Yao
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
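The two gaps Joe points out (no address at the zone apex, and an MX target
that has no address record) are the kind of thing a zone lint can catch
before the zone is loaded. The script below is an added example, not code
from the thread or from BIND: it parses the small master-file subset the
posted zone uses and reports both problems. The zone text inside it is
constructed to mirror the posted one; the SOA body and the NS record, which
the post elided, are filled in with made-up values.

```python
"""Lint a BIND master-file fragment for the two gaps Joe points out: no
address record at the zone apex, and an MX target that has no address
record in the zone. Added example, not code from the thread or from BIND.
It understands only the master-file subset used here ($ORIGIN, $TTL, "@"
and blank owner names, comments, a parenthesised multi-line SOA); it is
not a complete RFC 1035 parser."""

CLASSES = {"IN", "CH", "HS"}

# Constructed zone modelled on the one posted in the thread; the SOA body
# and the NS record are made up here because the post elided them with "...".
ZONE = """\
$TTL 3600
$ORIGIN jeffdiss.org.
; Start of Authority record defining the key characteristics of the zone
@       IN SOA server1.jeffdiss.org. zonemaster.jeffdiss.org. (
                2013111101 ; serial
                3600 900 604800 86400 )
        IN NS  server1.jeffdiss.org.
; mail server Resource Records (RR) for the domain
        IN MX  10 mail.jeffdiss.org.
; domain hosts
server1 IN A 192.168.1.50
server2 IN A 192.168.1.51
www     IN A 192.168.1.51
"""

# The same zone with the two records Joe asks for added (addresses made up).
FIXED = ZONE + "@       IN A 192.168.1.51\nmail    IN A 192.168.1.52\n"


def qualify(name, origin):
    """Make a name absolute relative to origin; '@' and blank mean the apex."""
    if name in ("@", ""):
        return origin
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"


def parse_zone(text, origin=""):
    """Return (origin, records); each record is (owner, type, rdata_tokens)
    with the owner fully qualified and lower-cased."""
    records = []
    owner = None
    in_parens = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()     # drop comments
        if not line.strip():
            continue
        if in_parens:                            # inside a multi-line SOA
            in_parens = ")" not in line
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$"):                 # $TTL and friends: not needed here
            continue
        tokens = line.split()
        if not raw[0].isspace():                 # explicit owner on the left
            owner = qualify(tokens.pop(0), origin)
        elif owner is None:                      # blank owner before any record
            owner = origin
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)                        # skip optional TTL and class
        if not tokens:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if "(" in line:
            in_parens = ")" not in line
        records.append((owner, rtype, rdata))
    return origin, records


def lint(text):
    """Return a list of problem descriptions (empty when the zone passes)."""
    origin, records = parse_zone(text)
    addr_owners = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    problems = []
    if origin not in addr_owners:
        problems.append(f"no A/AAAA record at zone apex {origin}")
    for owner, rtype, rdata in records:
        if rtype != "MX":
            continue
        target = qualify(rdata[1], origin)
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in addr_owners:   # out-of-zone targets need a lookup
            problems.append(f"MX target {target} (owner {owner}) has no A/AAAA record in the zone")
    return problems


if __name__ == "__main__":
    for label, text in (("posted", ZONE), ("fixed", FIXED)):
        print(label, lint(text) or ["ok"])
```

Running it prints both findings for the posted zone and "ok" for the fixed
one. The check is deliberately limited to targets inside the zone; a target
in another zone would need a live lookup rather than a static lint.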
Re: Can I have Inbound load balancing achieved with below settings
On 2013-11-13 00:16, Manish Rane wrote:
...
> 6.Assume if ISP1 goes down, client coming on ISP1 would never be able to
> reach; hence as per DNS protocol will try for another link and come on
> ISP2 and then probably get an IP address of Link 2 i.e. 2.2.2.2.
...

I'm not sure about your DNS setup, because I didn't understand how you
described it. But that doesn't matter.

Even if you 100% properly did what you intended to do, it breaks down at
step 6. The DNS protocol definitions only go as far as saying what your
BIND DNS server will return. Importantly (for this answer), it does NOT say
(a) what a remote user's caching/resolving name server will actually do
with your responses, or (b) what the actual application will do with your
responses.

If the application is an SMTP server or another DNS server then, yes, BY
THE DEFINITION OF THAT PROTOCOL, it will try again for another server.

If the application is a Web browser - which is likely, given that you
mention port 80, presumably TCP - then it will only look at one of the two
IP addresses [for almost all currently available Web browsers]. If it gets
a bad one, it will return the user an error. Because that is how THAT
protocol is defined. Most protocols are not defined to re-try different
servers.

What you are trying to do is what the F5 BigIP GTM does - only return the
IP address for a known-working site. There's a reason that F5 can sell
those boxes - they work where doing this in pure DNS does not.

Joe Yao
Re: logging query time
-----Original Message-----
From: Birta Levente
Date: Wednesday, November 13, 2013 3:29 PM
To: "bind-users@lists.isc.org"
Subject: logging query time

>Hi
>
>I have a caching nameserver (bind 9.8.2) and I'm curious if I can log the
>duration of queries to the forwarders?

Not that I know of easily (from logs), nor from collectd's bind plugin that
I've found, though the dns plugin could be expanded to provide this...
However, since that ultimately involves running a sniffer process on your
name server(s), it might be better to just do it yourself if it's for debug
purposes. Something like:

http://ask.wireshark.org/questions/3678/dns-transaction-latency
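The approach the reply points at, timing each forwarder transaction from a
packet capture, reduces to pairing every response with its query on
(transaction id, question name, type) and taking the timestamp difference.
The script below is an added example, not code from the thread, from BIND
or from collectd. The DNS messages and timestamps in it are constructed in
wire format inside the script so it runs offline; a deployment would feed
it the UDP payloads and capture timestamps taken on the forwarder-facing
interface.

```python
"""DNS transaction latency from captured query/response payloads, paired on
(transaction id, question name, qtype). Added example, not from the thread,
BIND or collectd. Messages below are constructed; only the header and a
single uncompressed question are parsed, which is all matching needs."""
import struct


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(txid, qname, qtype=1, response=False):
    """Constructed minimal DNS message: 12-byte header plus one question."""
    flags = 0x8180 if response else 0x0100          # QR|RD|RA for answers, RD for queries
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode an uncompressed name at offset; return (name, offset_after)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:                           # pointer: never valid in the first qname
            raise ValueError("compressed label in question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower() + ".", offset


def parse_key(msg):
    """Return (is_response, (txid, qname, qtype)) for a DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return bool(flags & 0x8000), (txid, qname, qtype)


def transaction_latencies(packets):
    """packets: iterable of (timestamp_seconds, payload) in capture order.
    Returns (latencies, unanswered, unsolicited): latency per key in seconds,
    keys of queries that never got a reply, keys of replies with no query."""
    outstanding = {}
    latencies = {}
    unsolicited = []
    for ts, payload in packets:
        is_response, key = parse_key(payload)
        if not is_response:
            outstanding.setdefault(key, ts)        # keep first send time on retransmit
        elif key in outstanding:
            latencies[key] = ts - outstanding.pop(key)
        else:
            unsolicited.append(key)                 # nothing we sent matches this reply
    return latencies, list(outstanding), unsolicited


# Constructed capture as seen on the caching server's forwarder side.
# The third query is never answered; the last reply matches no query.
CAPTURE = [
    (100.000, build_message(0x1A2B, "www.isc.org")),
    (100.012, build_message(0x1A2B, "www.isc.org", response=True)),
    (100.100, build_message(0x3C4D, "example.net", qtype=28)),
    (100.250, build_message(0x3C4D, "example.net", qtype=28, response=True)),
    (101.000, build_message(0x5E6F, "slow.example.org")),
    (101.500, build_message(0x7777, "nobody.asked.example", response=True)),
]


def report(packets=CAPTURE):
    """Print one line per transaction plus the two kinds of leftovers."""
    latencies, unanswered, unsolicited = transaction_latencies(packets)
    for (txid, qname, qtype), rtt in sorted(latencies.items(), key=lambda kv: kv[1]):
        print(f"id={txid:#06x} {qname} type={qtype} rtt={rtt * 1000:.1f} ms")
    print("unanswered:", unanswered)
    print("unsolicited replies:", unsolicited)


if __name__ == "__main__":
    report()
```

Unanswered queries show up as forwarder timeouts in BIND's own behaviour,
so listing them alongside the latencies is what makes the numbers
interpretable; replies that match no outstanding query are worth a second
look for the same reason.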
logging query time
Hi

I have a caching nameserver (bind 9.8.2) and I'm curious if I can log the
duration of queries to the forwarders?

Thanks
Levi
Re: Can I have Inbound load balancing achieved with below settings
In message , Joseph S D Yao writes:
> On 2013-11-13 00:16, Manish Rane wrote:
> ...
> > 6.Assume if ISP1 goes down, client coming on ISP1 would never be able
> > to reach; hence as per DNS protocol will try for another link and
> > come
> > on ISP2 and then probably get an IP address of Link 2 i.e. 2.2.2.2.
> ...
> 
> 
> I'm not sure about your DNS setup, because I didn't understand how you
> described it. But that doesn't matter.
> 
> Even if you 100% properly did what you intended to do, it breaks down
> at step 6. The DNS protocol definitions only go as far as saying what
> your BIND DNS server will return. Importantly (for this answer), it
> does NOT say (a) what a remote user's caching/resolving name server will
> actually do with your responses, or (b) what the actual application will
> do with your responses.
> 
> If the application is an SMTP server or another DNS server then, yes,
> BY THE DEFINITION OF THAT PROTOCOL, it will try again for another
> server.

RFC 1123 (October 1989) applies to all applications on all hosts.
Note "SHOULD" and "until".

   2.3  Applications on Multihomed hosts

      When the remote host is multihomed, the name-to-address
      translation will return a list of alternative IP addresses.  As
      specified in Section 6.1.3.4, this list should be in order of
      decreasing preference.  Application protocol implementations
      SHOULD be prepared to try multiple addresses from the list until
      success is obtained.  More specific requirements for SMTP are
      given in Section 5.3.4.

      When the local host is multihomed, a UDP-based request/response
      application SHOULD send the response with an IP source address
      that is the same as the specific destination address of the UDP
      request datagram.  The "specific destination address" is defined
      in the "IP Addressing" section of the companion RFC [INTRO:1].

      Similarly, a server application that opens multiple TCP
      connections to the same client SHOULD use the same local IP
      address for all.

> If the application is a Web browser - which is likely, given that you
> mention port 80, presumably TCP - then it will only look at one of the
> two IP addresses [for almost all currently available Web browsers]. If
> it gets a bad one, it will return the user an error. Because that is
> how THAT protocol is defined. Most protocols are not defined to re-try
> different servers.

No, there is no such requirement. The browsers are just BROKEN if they
don't try all the offered addresses. All browsers were written after
RFC 1123 was published.

> What you are trying to do is what the F5 BigIP GTM does - only return
> the IP address for a known-working site. There's a reason that F5 can
> sell those boxes - they work where doing this in pure DNS does not.
> 
> 
> Joe Yao

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Can I have Inbound load balancing achieved with below settings
In article , Mark Andrews wrote:

> No, there is no such requirement. The browsers are just BROKEN if
> they don't try all the offered addresses. All browsers were
> written after RFC 1123 was published.

That attitude should probably be moderated when interactive applications
are involved. It means that users will have to wait for an arbitrary
number of timeouts before the browser can give them an error message.

The requirement is stated as a SHOULD, not a MUST. This gives latitude to
the application designer to trade off reliability and usability.

-- 
Barry Margolin
Arlington, MA
Re: Can I have Inbound load balancing achieved with below settings
On Wed, 2013-11-13 at 16:49 -0500, Barry Margolin wrote:
> It means that users will have to wait for an arbitrary
> number of timeouts before the browser can give them an error message.

Well, the browser *could* of course give a message like "I have tried $N
out of $M possible ip addresses with no success - do you want to abandon
this?" at any time while trying that collection of ip addresses.

The other approach is to try them all in parallel, sort of like ipv4 and
ipv6 parallel connection attempts in http://tools.ietf.org/html/rfc6555
Re: Can I have Inbound load balancing achieved with below settings
In message , Barry Margolin writes:
> In article ,
> Mark Andrews wrote:
> 
> > No, there is no such requirement. The browsers are just BROKEN if
> > they don't try all the offered addresses. All browsers were
> > written after RFC 1123 was published.
> 
> That attitude should probably be moderated when interactive applications
> are involved. It means that users will have to wait for an arbitrary
> number of timeouts before the browser can give them an error message.

And there is no requirement to wait 30 seconds for the next connection
attempt. In the 80's, if it took more than 1 or 2 seconds to connect you
could assume it wasn't going to succeed and be right 99.99% of the time.
With happy eyeballs the second and subsequent connection attempts start
in less than a second (~100-200ms) after the previous one and you abandon
redundant successful connections. While happy eyeballs was looking at
IPv4/IPv6 that is only a special case of multi-homed servers.

> The requirement is stated as a SHOULD, not a MUST. This gives latitude
> to the application designer to trade off reliability and usability.

So rather than doing staggered parallel connects which would have given
them reliability and usability they decided to throw away reliability.
Non blocking connects have existed since before the first web browser
was written.

> -- 
> Barry Margolin
> Arlington, MA

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
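The staggered parallel connect Mark describes here, and the RFC 6555 style
parallel attempt mentioned in the earlier reply, in working form as an
added example that is not code from the thread, from BIND, or from any
browser. Each attempt is a non-blocking connect; the next one starts a
fixed stagger after the previous one, or at once if the previous one has
already failed, and the first socket to complete wins while the redundant
attempts are closed. The demo scenario at the bottom is constructed by the
script itself from two loopback ports, one refusing connections and one
listening, so it runs offline.

```python
"""Staggered parallel connection attempts across every address a resolver
returned, in the spirit of RFC 6555 (happy eyeballs). Added example; not code
from the thread, from BIND or from any browser. The next attempt starts
CONNECT_STAGGER seconds after the previous one, or immediately once an
earlier attempt has failed; the first socket to connect wins."""
import errno
import os
import selectors
import socket
import time

CONNECT_STAGGER = 0.2     # seconds between successive attempts (~200 ms)
OVERALL_TIMEOUT = 5.0     # give up on the whole address list after this long


def _close_all(sel, socks):
    """Unregister and close every socket in `socks` (the losing attempts)."""
    for s in socks:
        try:
            sel.unregister(s)
        except KeyError:
            pass
        s.close()


def happy_connect(addresses, stagger=CONNECT_STAGGER, timeout=OVERALL_TIMEOUT):
    """Connect to the first reachable (host, port) in `addresses`.

    Attempts are non-blocking and overlap. Returns (socket, address) for the
    winner, or raises OSError listing every failure once all attempts fail."""
    sel = selectors.DefaultSelector()
    pending = {}                          # in-flight socket -> address
    errors = []
    todo = list(addresses)
    deadline = time.monotonic() + timeout
    next_start = time.monotonic()         # earliest time the next attempt may begin
    try:
        while todo or pending:
            now = time.monotonic()
            if now >= deadline:
                break
            if todo and (now >= next_start or not pending):
                addr = todo.pop(0)
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.setblocking(False)
                rc = s.connect_ex(addr)
                if rc == 0:                                  # connected synchronously
                    _close_all(sel, pending)
                    return s, addr
                if rc not in (errno.EINPROGRESS, errno.EWOULDBLOCK):
                    errors.append((addr, os.strerror(rc)))  # failed synchronously
                    s.close()
                    continue                                 # next attempt right away
                pending[s] = addr
                sel.register(s, selectors.EVENT_WRITE)       # writable once settled
                next_start = now + stagger
            # Sleep until an attempt settles or the stagger timer expires.
            wake = min(deadline, next_start) if todo else deadline
            for key, _ in sel.select(max(wake - time.monotonic(), 0)):
                s = key.fileobj
                addr = pending.pop(s)
                sel.unregister(s)
                err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
                if err == 0:
                    _close_all(sel, pending)                 # abandon redundant attempts
                    return s, addr
                errors.append((addr, os.strerror(err)))
                s.close()
                next_start = time.monotonic()                # a failure frees the next slot
        errors.extend((addr, "timed out") for addr in pending.values())
        _close_all(sel, pending)
        raise OSError(f"all connection attempts failed: {errors}")
    finally:
        sel.close()


def demo():
    """Constructed scenario: the first address refuses connections, the
    second is a live loopback listener. Returns True when the listener wins."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    live = listener.getsockname()
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # grab and release a port
    probe.bind(("127.0.0.1", 0))                                # so nothing listens on it
    dead = probe.getsockname()
    probe.close()
    try:
        sock, winner = happy_connect([dead, live])
        sock.close()
        return winner == live
    finally:
        listener.close()


if __name__ == "__main__":
    print("listener won:", demo())
```

Because the refused attempt fails within a millisecond, the second attempt
starts well before the 200 ms stagger would have released it; against an
address that silently drops packets the stagger timer is what keeps the
user from waiting out a full connect timeout per address.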
Re: Cacti Template for graphing BIND9.8 queries stats
Sherif Magdy wrote:
> Can any one help with a template for graphing BIND9.8 queries stats using
> Cacti?
> Or any other way to graph the queries stats and response time and so on

Hello. Sorry for replying so late.

I'd suggest looking at http://www.l3jane.net/wiki/factory:b9agent_en to
expose counters from BIND through SNMP, which you can then easily get into
Cacti.

Regards
Eivind Olsen
Re: RPZ Errors
On Tue, Nov 12, 2013 at 09:14:24AM -0500, Alan Clegg wrote:
> 
> On Nov 12, 2013, at 12:13 AM, Crist Clark wrote:
> 
> > From the initial mail: "This is BIND 9.9.2 (Infoblox 6.7.3)."
> > 
> > No huge increase in resource usage noted.
> 
> Has the vendor in question provided a response?
> 
> Having worked on Frankenstein versions of BIND in the past (Hi, Redhat!), I'd
> be leery of answering this question as an "outsider". Certainly not with an
> authoritative answer.

I have an open ticket with their support. I only came to the list after not
getting a lot of help. My tech seems to think the db_find() messages mean
the server cannot resolve the names in question, like there is a firewall
or something blocking queries. But I can resolve the names when I query
directly and the firewall is not blocking any DNS from the servers in
question.

I vaguely remember seeing something about the RPZ checks only using cached
data for checks and not doing active lookups for things like NS records for
performance reasons. I think it was on an ISC blog or something, not in any
official manual. That's my suspicion of what db_find() failures mean. It
couldn't find info in the cache.

What I'd actually really like here is someone to give me a RTFM post with a
pointer to the FM for RPZ error messages and algorithms if one exists.
Re: Can I have Inbound load balancing achieved with below settings
On 2013-11-13 16:44, Mark Andrews wrote:
...
> RFC 1123 (October 1989) applies to all applications on all hosts.
> Note "SHOULD" and "until".
...

Mark, I've always read "SHOULD" here as more of a plaintive hope than
anything else. People have certainly felt free to ignore it. Yes, that
makes their software "broken" if you are reading "SHOULD" as almost a
"MUST".

Joe Yao
Re: Can I have Inbound load balancing achieved with below settings
In message <661ca5ab225cad04bdcc3831c6964...@tux.org>, Joseph S D Yao writes:
> On 2013-11-13 16:44, Mark Andrews wrote:
> ...
> > RFC 1123 (October 1989) applies to all applications on all hosts.
> > Note "SHOULD" and "until".
> ...
> 
> 
> Mark, I've always read "SHOULD" here as more of a plaintive hope than
> anything else. People have certainly felt free to ignore it. Yes, that
> makes their software "broken" if you are reading "SHOULD" as almost a
> "MUST".

Which is how it is defined in the RFC.

         *    "SHOULD"

              This word or the adjective "RECOMMENDED" means that there
              may exist valid reasons in particular circumstances to
              ignore this item, but the full implications should be
              understood and the case carefully weighed before choosing
              a different course.

We have "MAY" for the plaintive hope case.

         *    "MAY"

              This word or the adjective "OPTIONAL" means that this item
              is truly optional. One vendor may choose to include the
              item because a particular marketplace requires it or
              because it enhances the product, for example; another
              vendor may omit the same item.

I just wish vendors were required to publish the analysis that led them to
not follow a SHOULD. I'd love to hear NETGEAR's analysis of why their DNS
proxy doesn't talk TCP in the router I have here at home and see if it
passes the laugh test.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org