Re: DNS Appliance
You may want to look into the Men & Mice suite. I have been testing their software for the last couple of months for consideration at our site. The suite offers a Windows GUI client, CLI & web interface. An agent gets installed on each server hosting BIND and their suite will manage the servers accordingly. The pricing doesn't seem that bad either.

On Wed, 25 Mar 2009 12:09:35 -0400, "John D. Vo" wrote:
> I am running Bind on two Solaris servers. It's pretty much command line,
> old school.
> I can see some GUI with Webmin but that's probably not as pretty as the
> appliances.
> My boss wants "visibility" so I'm looking. eh. meh. :)
>
> Thanks.
>
> Gainey, Joe (AT - Atlanta) wrote:
>> BlueCat Adonis/XMB provide great GUI interfaces for DNS power users
>> with enough intuitive widgets for DNS novices. They have been fairly
>> stable and easy to manage and their support has been knowledgeable.
>>
>> -----Original Message-----
>> From: bind-users-boun...@lists.isc.org
>> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John D. Vo
>> Sent: Wednesday, March 25, 2009 11:41 AM
>> To: bind-users@lists.isc.org
>> Subject: DNS Appliance
>>
>> Does anyone have experience (good or bad) with a DNS appliance?
>>
>> Bluecatnetwork
>> infoblox
>> infoweapons..
>>
>> Thanks.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: namespace verification
On Wed, 8 Jul 2009 14:23:36 -0400, "Todd Snyder" wrote:
> Good day all,
>
> I am looking at making some sweeping changes to some zone files,
> cleaning up NS records primarily. As I'm pondering the impact of this,
> I got to thinking about how to validate every single record in my
> namespace, and therefore the entirety of my change.
>
> What I'm thinking of is a script that will go through each zone file and
> do a dig against a server (localhost, or otherwise) for each record,
> verifying that every record resolves correctly.
>
> Has anyone written such a beast or knows of a tool like this? Am I being
> obtuse in thinking that this would be useful to me to verify my changes?
>
> Cheers,
>
> Todd.

I was forced into writing some stuff like this as I inherited a severely neglected DNS environment. Instead of having to write the logic capable of parsing a zone file I found it easier to parse host -l output. This allows for not needing to take account of all the allowed shorthand within the zone files that BIND understands. I suppose it even makes the scripts non-BIND-dependent.

I chose to examine things such as A records with multiple entries (possible round robin, or possibly someone didn't remove an old record before adding a new one), whether PTR records exist for A records, whether PTR records match the corresponding A records, duplicate PTR records, and whether two different A records contain the same IP data (possibly an old IP that was reassigned to a new machine while the old DNS data was never removed, or possibly one machine known by many names). I am sure there is some paid software out there that performs similar functionality. I tested the Men & Mice suite, which performed a lot of very similar functionality to my own scripts. I wouldn't be surprised if there were some open source projects as well.

Thanks,
David
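The checks David describes, as an added example rather than his scripts: a Python audit over host -l output for a forward and a reverse zone. The sample output below is constructed (RFC 5737 documentation addresses), and the line formats assumed are the "has address" and "domain name pointer" lines that host -l prints for A and PTR records.

```python
import re
from collections import defaultdict

# Constructed `host -l` output for a forward and a reverse zone (example code,
# not the poster's scripts; RFC 5737 documentation addresses).
HOST_L_OUTPUT = """\
www.example.com has address 192.0.2.10
web.example.com has address 192.0.2.10
mail.example.com has address 192.0.2.20
mail.example.com has address 192.0.2.21
10.2.0.192.in-addr.arpa domain name pointer www.example.com.
20.2.0.192.in-addr.arpa domain name pointer mail.example.com.
20.2.0.192.in-addr.arpa domain name pointer old.example.com.
"""
A_RE = re.compile(r"^(\S+) has address (\S+)$")
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa domain name pointer (\S+)\.$")

def parse(text):
    """Return (name -> set of A addresses, ip -> set of PTR targets)."""
    a, ptr = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        if m := A_RE.match(line):
            a[m.group(1)].add(m.group(2))
        elif m := PTR_RE.match(line):
            # in-addr.arpa labels are the address octets in reverse order
            ptr[".".join(reversed(m.groups()[:4]))].add(m.group(5))
    return a, ptr

def audit(a, ptr):
    """Apply the checks from the thread; each finding is one tagged line."""
    findings, owners = [], defaultdict(set)
    for name, ips in sorted(a.items()):
        if len(ips) > 1:          # round robin, or a stale record never removed
            findings.append(f"MULTI-A {name} -> {sorted(ips)}")
        for ip in sorted(ips):
            owners[ip].add(name)
            if ip not in ptr:
                findings.append(f"NO-PTR {name} {ip}")
            elif name not in ptr[ip]:
                findings.append(f"PTR-MISMATCH {name} {ip} -> {sorted(ptr[ip])}")
    for ip, names in sorted(ptr.items()):
        if len(names) > 1:        # two PTRs for one address
            findings.append(f"DUP-PTR {ip} -> {sorted(names)}")
    for ip, names in sorted(owners.items()):
        if len(names) > 1:        # reassigned IP, or one host known by many names
            findings.append(f"SHARED-IP {ip} -> {sorted(names)}")
    return findings

def run_sample():
    return audit(*parse(HOST_L_OUTPUT))

if __name__ == "__main__":
    print("\n".join(run_sample()))
```

Feed real zones by piping host -l output for the forward zone and its reverse zones into parse() in place of the constructed sample.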
System Resolver Test App?
All,

It has been a long day so please excuse me if I am overlooking something trivial. I am wondering if anyone knows of an app similar to nslookup or dig that actually uses the system resolver. I spent a decent amount of time this morning troubleshooting an issue where a third invalid nameserver entry within the /etc/resolv.conf (CentOS) caused me much grief. My trusty tools nslookup & dig failed me because they worked as expected while the system resolver did not. I am basically trying to understand why the system resolver was getting stuck on the third entry within the resolv.conf while it should have tried one of the first two working DNS servers first.

Thanks,
David Porsche
Re: System Resolver Test App?
On Thu, 12 Nov 2009 10:01:38 +0900, Stephane Bortzmeyer wrote:
> On Wed, Nov 11, 2009 at 05:00:03PM -0600,
> da...@from525.com wrote
> a message of 60 lines which said:
>
>> I am wondering if anyone knows of an app similar to nslookup or
>> dig that actually uses the system resolver.
>
> C source attached. Compile, for instance, with:
>
> gcc -o resolve-name resolve-name.c
>
>> I am basically trying to understand why the system resolver was
>> getting stuck on the third entry within the resolv.conf while it
>> should have tried one of the first two working DNS servers first.
>
> Not sure it will help.

Stephane,

Thanks for that bit of C, it works great and does just what I was hoping for. I was able to reproduce the almost 13 second delay while looking up a specific hostname. Funny thing is, when I perform other queries for other hostnames the third invalid DNS server mentioned in the resolv.conf does not seem to be a problem. When I remove the third invalid entry and perform the same query with your application the delay is nonexistent. I have captured previous tcpdumps and didn't notice anything out of the norm, but there was a lot of other network chatter. The app should let me capture a more concise tcpdump for further examination. Is there any way you could incorporate resolver errors being sent to stdout?

Thanks,
David Porsche
Re: System Resolver Test App?
On Wed, 11 Nov 2009 20:06:11 -0600, "da...@from525.com" wrote:
> On Thu, 12 Nov 2009 10:01:38 +0900, Stephane Bortzmeyer wrote:
>> On Wed, Nov 11, 2009 at 05:00:03PM -0600,
>> da...@from525.com wrote
>> a message of 60 lines which said:
>>
>>> I am wondering if anyone knows of an app similar to nslookup or
>>> dig that actually uses the system resolver.
>>
>> C source attached. Compile, for instance, with:
>>
>> gcc -o resolve-name resolve-name.c
>>
>>> I am basically trying to understand why the system resolver was
>>> getting stuck on the third entry within the resolv.conf while it
>>> should have tried one of the first two working DNS servers first.
>>
>> Not sure it will help.
>
> Stephane,
>
> Thanks for that bit of C, it works great and does just what I was hoping
> for. I was able to reproduce the almost 13 second delay while looking up a
> specific hostname. Funny thing is, when I perform other queries for other
> hostnames the third invalid DNS server mentioned in the resolv.conf does
> not seem to be a problem. When I remove the third invalid entry and
> perform the same query with your application the delay is nonexistent. I
> have captured previous tcpdumps and didn't notice anything out of the norm,
> but there was a lot of other network chatter. The app should let me capture
> a more concise tcpdump for further examination. Is there any way you could
> incorporate resolver errors being sent to stdout?
>
> Thanks,
> David Porsche

Thanks All,

I think between Stephane's test app and some snoop data I have a better idea of what is going on. It seems as if the local resolver starts by issuing ipv6 requests to the three name servers mentioned in resolv.conf. The first two valid DNS servers (not configured for ipv6) each respond back stating they are not authoritative for the domain in question causing the subsequent servers to be queried.

The resolver finds itself querying the third bogus name server and has to wait for the 5 second timeout. The resolver then repeats the whole process for ipv6 adding another 5 seconds to the delay (total of 10 now). The resolver then finally starts the whole process again for ipv4 and gets the proper answer with the first query.

Thanks,
David Porsche
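An added example, not Stephane's attached C program: a Python tool that resolves a name through the C library's getaddrinfo(3), so the lookup goes through nsswitch.conf and resolv.conf exactly as it does for the applications in the thread (dig and nslookup build their own DNS queries and never exercise the stub resolver). It prints the resolver's own error text as David asked, and times the IPv6, IPv4 and combined lookups separately so a delay can be pinned on one phase. Assumes Python 3.

```python
import socket
import sys
import time

# Added example, not the C program from the thread. socket.getaddrinfo calls
# the C library's getaddrinfo(3), so this is what every ordinary program sees.
FAMILIES = {"any": socket.AF_UNSPEC, "ipv4": socket.AF_INET, "ipv6": socket.AF_INET6}

def resolve(name, family=socket.AF_UNSPEC):
    """Resolve name via the system resolver; report addresses or the resolver's
    own error text (EAI_* errors), plus how long the call took in seconds."""
    start = time.monotonic()
    try:
        infos = socket.getaddrinfo(name, None, family, socket.SOCK_STREAM)
        addrs, error = sorted({info[4][0] for info in infos}), None
    except socket.gaierror as exc:   # e.g. EAI_NONAME, EAI_AGAIN after a timeout
        addrs, error = [], f"{exc.errno}: {exc.strerror}"
    return {"name": name, "ok": error is None, "addresses": addrs,
            "error": error, "seconds": round(time.monotonic() - start, 3)}

def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} HOSTNAME", file=sys.stderr)
        return 2
    all_ok = True
    # Query each family separately: a slow ipv6 row followed by a fast ipv4 row
    # is the pattern described in the thread, and shows up in the timings.
    for label, family in FAMILIES.items():
        r = resolve(argv[1], family)
        all_ok = all_ok and r["ok"]
        detail = " ".join(r["addresses"]) if r["ok"] else f"ERROR {r['error']}"
        print(f"{label:4s} {r['seconds']:8.3f}s  {detail}")
    return 0 if all_ok else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it alongside a packet capture on port 53 to see which resolv.conf server each phase waited on.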
Re: System Resolver Test App?
On Thu, 12 Nov 2009 01:48:02 -0500, Barry Margolin wrote:
> In article , "da...@from525.com" wrote:
>
>> I think between Stephane's test app and some snoop data I have a better
>> idea of what is going on. It seems as if the local resolver starts by
>> issuing ipv6 requests to the three name servers mentioned in resolv.conf.
>>
>
> Do you mean that it's issuing requests using IPv6, or it's using IPv4 to
> send requests for records?
>

The latter. Using IPv4 to send requests for records.

>> The first two valid DNS servers (not configured for ipv6) each respond
>> back stating they are not authoritative for the domain in question
>> causing the subsequent servers to be queried. The resolver finds itself querying
>
> Which servers are you talking about now, the servers in resolv.conf, or
> the servers for the domain you're querying? The latter should not
> respond that they're not authoritative. Authority is not specific to IP
> versions, it just goes by names. A server is either authoritative for
> foo.com or it isn't, it can't be authoritative for foo.com's IPv4 data
> but not for its IPv6 data.

I was talking about the servers mentioned in the resolv.conf.

So here goes a second try.

There are (were) three servers mentioned in the resolv.conf. We can reference them going forward as nameserver1, nameserver2 & nameserver3. Nameserver3 is a bogus invalid IP belonging to nothing, while nameserver1 & nameserver2 are legitimate nameservers.

Now it is important to know that the resource record that was causing issue while attempting to query is a CNAME to another resource record. The "other" resource record lives in DNS space that has been delegated out. In this case it has been delegated out to a Citrix Netscaler load balancing device. I believe the issue to actually be the fault of the Netscaler as it seems as if it does not handle the records as it should.

When the initial query is issued to the local resolver snoop data shows that both nameserver1 & nameserver2 send a response back with an error message of "Server failure" (when the record is requested). The error message then triggers the loop of subsequent queries and creates the delays until the resolver issues the query for the A record. At this point everything works as normal. I plan to do some more tests to confirm my theory on the Netscaler.

Please let me know if I am just talking nonsense...

>
>> the third bogus name server and has to wait for the 5 second timeout. The
>> resolver then repeats the whole process for ipv6 adding another 5 seconds
>> to the delay (total of 10 now). The resolver then finally starts the whole
>> process again for ipv4 and gets the proper answer with the first query.
>
> If you're not actually using IPv6, you might consider disabling it on
> your system. That should stop all the unnecessary v6 lookups.

It is not my system. I was just brought in to help find the issue. I can suggest this to the proper system admin.
Re: System Resolver Test App?
On Thu, 12 Nov 2009 08:04:35 -0600, "da...@from525.com" wrote:
> On Thu, 12 Nov 2009 01:48:02 -0500, Barry Margolin wrote:
>> In article , "da...@from525.com" wrote:
>>
>>> I think between Stephane's test app and some snoop data I have a better
>>> idea of what is going on. It seems as if the local resolver starts by
>>> issuing ipv6 requests to the three name servers mentioned in resolv.conf.
>>>
>>
>> Do you mean that it's issuing requests using IPv6, or it's using IPv4 to
>> send requests for records?
>>
>
> The latter. Using IPv4 to send requests for records.
>
>>> The first two valid DNS servers (not configured for ipv6) each respond
>>> back stating they are not authoritative for the domain in question
>>> causing the subsequent servers to be queried. The resolver finds itself querying
>>
>> Which servers are you talking about now, the servers in resolv.conf, or
>> the servers for the domain you're querying? The latter should not
>> respond that they're not authoritative. Authority is not specific to IP
>> versions, it just goes by names. A server is either authoritative for
>> foo.com or it isn't, it can't be authoritative for foo.com's IPv4 data
>> but not for its IPv6 data.
>
> I was talking about the servers mentioned in the resolv.conf.
>
> So here goes a second try.
>
> There are (were) three servers mentioned in the resolv.conf. We can
> reference them going forward as nameserver1, nameserver2 & nameserver3.
> Nameserver3 is a bogus invalid IP belonging to nothing, while nameserver1 &
> nameserver2 are legitimate nameservers.
>
> Now it is important to know that the resource record that was causing issue
> while attempting to query is a CNAME to another resource record. The
> "other" resource record lives in DNS space that has been delegated out. In
> this case it has been delegated out to a Citrix Netscaler load balancing
> device. I believe the issue to actually be the fault of the Netscaler as
> it seems as if it does not handle the records as it should.
>
> When the initial query is issued to the local resolver snoop data shows
> that both nameserver1 & nameserver2 send a response back with an error
> message of "Server failure" (when the record is requested). The error
> message then triggers the loop of subsequent queries and creates the delays
> until the resolver issues the query for the A record. At this point
> everything works as normal. I plan to do some more tests to confirm my
> theory on the Netscaler.
>
> Please let me know if I am just talking nonsense...
>
>>
>>> the third bogus name server and has to wait for the 5 second timeout. The
>>> resolver then repeats the whole process for ipv6 adding another 5 seconds
>>> to the delay (total of 10 now). The resolver then finally starts the whole
>>> process again for ipv4 and gets the proper answer with the first query.
>>
>> If you're not actually using IPv6, you might consider disabling it on
>> your system. That should stop all the unnecessary v6 lookups.
>
> It is not my system. I was just brought in to help find the issue. I can
> suggest this to the proper system admin.

All,

I have confirmed the issue with the Citrix Netscaler and records, which is documented at the link below. Thanks for everyone's help figuring this out.

http://support.citrix.com/article/CTX117947

Thanks,
David Porsche
Has anyone Seen the NANOG post titled "Upcoming DNS behavior changes to .com/.net/.edu name servers"
All,

Last Friday (Jan 8th 2010) Matt Larson from Verisign started a thread on the NANOG mailing list titled "Upcoming DNS behavior changes to .com/.net/.edu name servers". I haven't seen any chatter on here or NANOG in regards to the post and figured now would be as good a time as any to start some. I have posted a link below to the NANOG archive containing the referenced post. I would like to hear everyone's thoughts/concerns about this scheduled change. Please forgive me if someone else has posted something similar.

http://mailman.nanog.org/pipermail/nanog/2010-January/016924.html

Thanks,
David Porsche
Favorite bind-dlz / mysql web based frontend?
All,

I was wondering if any of the folks out there using bind-dlz with MySQL have found a decent web based tool for managing their data?

Thanks,
David Porsche