Re: Recursive queries fail if query source port is not fixed

2008-08-13 Thread Mark Andrews
> * Mark Andrews <[EMAIL PROTECTED]> [2008-08-14]: > > > > Does "dig ns . @198.41.0.4" succeed when run from the box > > running the nameserver? > > Yes. > > I still don't understand why most recursive queries only work after > many, many tries - argh. Oh, I just tested doing one query

Re: Recursive queries fail if query source port is not fixed

2008-08-13 Thread Hans F. Nordhaug
* Mark Andrews <[EMAIL PROTECTED]> [2008-08-14]: > > Does "dig ns . @198.41.0.4" succeed when run from the box > running the nameserver? Yes. I still don't understand why most recursive queries only work after many, many tries - argh. Oh, I just tested doing one query, waiting 30 s

Re: Recursive queries fail if query source port is not fixed

2008-08-13 Thread Hans F. Nordhaug
* Kevin Darcy <[EMAIL PROTECTED]> [2008-08-14]: > Hans F. Nordhaug wrote: > > * Hans F. Nordhaug <[EMAIL PROTECTED]> [2008-08-14]: > > > >> * Jeff Lightner <[EMAIL PROTECTED]> [2008-08-13]: > >> > >>> My guess is you have a firewall that is only allowing port 53 outbound. > >>> > >>> Are yo

Re: Recursive queries fail if query source port is not fixed

2008-08-13 Thread Mark Andrews
Does "dig ns . @198.41.0.4" succeed when run from the box running the nameserver? Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]

Re: Regarding Parallel Support

2008-08-13 Thread Mark Andrews
> At Wed, 13 Aug 2008 09:20:42 +0400, > Dmitry Rybin <[EMAIL PROTECTED]> wrote: > > > > Where is it documented? My servers suffered greatly from what seems to be > > > exactly this problem and we pulled our hair out trying to figure out how to > > > solve it. max-cache-size just doesn't

Re: Recursive queries fail if query source port is not fixed

2008-08-13 Thread Kevin Darcy
Hans F. Nordhaug wrote: > * Hans F. Nordhaug <[EMAIL PROTECTED]> [2008-08-14]: > >> * Jeff Lightner <[EMAIL PROTECTED]> [2008-08-13]: >> >>> My guess is you have a firewall that is only allowing port 53 outbound. >>> >>> Are you running iptables? If so does turning it off temporarily resol

Re: Queries for www.tjhinc.com

2008-08-13 Thread Mark Andrews
> One of our users here complained about getting a SERVFAIL when > querying DNS for > > www.tjhinc.com. > > I have done a number of queries (see below), and I do not understand > the results. Here are the questions: > > 1) Before I ran the queries, there was nothing in either DNS server's

Problem with named of a network error or problem with the configuration on the interconnecting peers?

2008-08-13 Thread Giannis Mantzouranis
Hello all, I would like to report a problem I have with bind which is occurring for at least one month. I get this message from the log files. Aug 14 00:49:10 pelops named[4248]: transfer of 'physics.upatras.gr/IN' from xxx .xxx.xxx.xx#53: failed while receiving responses: connection reset The pro

Re: 9.5.0-P2 Windows 2000 Server

2008-08-13 Thread Mark Andrews
> Unfortunately all Windows versions have issues at the moment, including > all -Px and -bx versions. But fixes should be coming really soon, hopefully > later this week. We have found 9.5.0-P2 being the best option at the moment. > It crashes often, our servers crash usually every 15-20 minute

Re: Recursive queries fail if query source port is not fixed

2008-08-13 Thread Hans F. Nordhaug
* Hans F. Nordhaug <[EMAIL PROTECTED]> [2008-08-14]: > * Jeff Lightner <[EMAIL PROTECTED]> [2008-08-13]: > > My guess is you have a firewall that is only allowing port 53 outbound. > > > > Are you running iptables? If so does turning it off temporarily resolve > > the issue? Is there a firewall/

Re: DNS Query Behavior with Global Forwarders Statement

2008-08-13 Thread Mark Andrews
> On 12 Aug 2008, at 23:12:18, Mark Andrews wrote: > > > > >>> Is this an artifact of the -P2 changes or was the use of RTT dropped > >>> for some other reason? > >> > >> You didn't say which version you were running. > > > Our NMS systems tend to be running BIND 9.3.5-P1. The -P2 rollout is

Re: domain cannot resolve

2008-08-13 Thread Kevin Darcy
Ejaz wrote: > Hi, > Something wondering with me, through my Bind I cannot resolve the outside > domains for the first time. Every time I have to repeat the query, then I can see > the results when I am in the nslookup prompt. While I am browsing the sites I need > to refresh the page to get the pages. > >

Re: Recursive queries fail if query source port is not fixed

2008-08-13 Thread Hans F. Nordhaug
* Jeff Lightner <[EMAIL PROTECTED]> [2008-08-14]: > You said you installed 9.3.4-P1. > > Was the update you did from a repository updated after July 10th? > > I believe July 10th is the day RedHat back ported the fix into 9.3.4-P1. > CentOS is a binary compile of RHEL sources so it seems the 9.

Re: 9.5.0-P2 and socket: too many open file descriptors

2008-08-13 Thread JINMEI Tatuya / 神明達哉
At Wed, 13 Aug 2008 17:06:36 -0700, "David Sparks" <[EMAIL PROTECTED]> wrote: > > Also, don't forget the world is not just Linux. Solaris requires a > > compile time change to FD_SETSIZE, so it's very difficult to increase > > the limitation 100% run-time. > > Why not add a configure script to d

RE: Recursive queries fail if query source port is not fixed

2008-08-13 Thread Jeff Lightner
You said you installed 9.3.4-P1. Was the update you did from a repository updated after July 10th? I believe July 10th is the day RedHat back ported the fix into 9.3.4-P1. CentOS is a binary compile of RHEL sources so it seems the 9.3.4-P1 update you would need from CentOS repositories would ha

Re: 9.5.0-P2 and socket: too many open file descriptors

2008-08-13 Thread David Sparks
JINMEI Tatuya / 神明達哉 wrote: > At Wed, 13 Aug 2008 12:28:23 -0700, > "David Sparks" <[EMAIL PROTECTED]> wrote: > Usual question: - did you build named with a large value of FD_SETSIZE? >> I just found out I have a similar problem with BIND 9.5.0-P2. I have nofile >> set to 8192 but it d

Re: Recursive queries fail if query source port is not fixed

2008-08-13 Thread Hans F. Nordhaug
* JINMEI Tatuya / 神明達哉 <[EMAIL PROTECTED]> [2008-08-14]: > At Thu, 14 Aug 2008 01:42:40 +0200, > "Hans F. Nordhaug" <[EMAIL PROTECTED]> wrote: > > > > Do you mean any query always fails, or some queries sometime fail > > > (while some others succeed)? > > > > Thx for replying. >

Re: Root server list

2008-08-13 Thread Kevin Darcy
Alan Clegg wrote: > Kevin Darcy wrote: > >> While it's true that you only need 1 working entry in "hints" to prime >> and start running, it's safer and more efficient to periodically keep >> the file up to date, as root server addresses change. >> > > Or just keep your BIND up-to-date. T

Re: Recursive queries fail if query source port is not fixed

2008-08-13 Thread JINMEI Tatuya / 神明達哉
At Thu, 14 Aug 2008 01:42:40 +0200, "Hans F. Nordhaug" <[EMAIL PROTECTED]> wrote: > > Do you mean any query always fails, or some queries sometime fail > > (while some others succeed)? > > Thx for replying. > > Any recursive query, i.e., any query for some domain the server isn't > authoritative f

Re: Root server list

2008-08-13 Thread Alan Clegg
Kevin Darcy wrote: > While it's true that you only need 1 working entry in "hints" to prime > and start running, it's safer and more efficient to periodically keep > the file up to date, as root server addresses change. Or just keep your BIND up-to-date. The root hints are hard-coded if you don

Re: Recursive queries fail if query source port is not fixed

2008-08-13 Thread Hans F. Nordhaug
* JINMEI Tatuya / 神明達哉 <[EMAIL PROTECTED]> [2008-08-14]: > At Wed, 13 Aug 2008 09:36:18 +0200, > "Hans F. Nordhaug" <[EMAIL PROTECTED]> wrote: > > > In the quest for securing the name servers in a company I try to help, > > I have gotten into trouble. The company is running Ce

Re: Recursive queries fail if query source port is not fixed

2008-08-13 Thread Hans F. Nordhaug
* Jeff Lightner <[EMAIL PROTECTED]> [2008-08-13]: > My guess is you have a firewall that is only allowing port 53 outbound. > > Are you running iptables? If so does turning it off temporarily resolve > the issue? Is there a firewall/switch upstream from your server that > needs to be adjusted? >

Re: Recursive queries fail if query source port is not fixed

2008-08-13 Thread JINMEI Tatuya / 神明達哉
At Wed, 13 Aug 2008 09:36:18 +0200, "Hans F. Nordhaug" <[EMAIL PROTECTED]> wrote: > In the quest for securing the name servers in a company I try to help, > I have gotten into trouble. The company is running CentOS 5.0 and I > have updated their Bind to 9.3.4_P1. In addition, I planned to remov

Re: AIX named8 & CVE-2008-1447 / VU#800113

2008-08-13 Thread Kevin Darcy
Mark van Huijstee wrote: > Hi, > > As implementing the IBM provided fix for CVE-2008-1447/VU#800113 would mean > a lot of effort, I would like to find out if it is really needed. > Our scenario: > > As the AIX resolver does not do any caching, we setup a caching only > nameserver (named8) with t

Re: Root server list

2008-08-13 Thread Kevin Darcy
Andrey G. Sergeev (AKA Andris) wrote: > Hello Scott, > > > Wed, 13 Aug 2008 14:07:08 -0700 Scott Baker wrote: > > >> If I run dig without any options it outputs a list of root servers: >> >> ;; ANSWER SECTION: >> . 482765 IN NS K.ROOT-SERVERS.NET. >> .

AIX named8 & CVE-2008-1447 / VU#800113

2008-08-13 Thread Mark van Huijstee
Hi, As implementing the IBM provided fix for CVE-2008-1447/VU#800113 would mean a lot of effort, I would like to find out if it is really needed. Our scenario: As the AIX resolver does not do any caching, we setup a caching only nameserver (named8) with the following configuration: options {

Re: Not sure if my DNS is vulnerable?

2008-08-13 Thread Kevin Darcy
Lars Hecking wrote: > Vincent Poy writes: > >> What about this since it seems even the patch is vulnerable to a degree: >> http://www.theinquirer.net/gb/inquirer/news/2008/08/10/physicist-hacks-dns-patch >> > > http://marc.info/?l=bind-users&m=121834710707369&w=2 > The Inquirer should b

Re: selecttest tool

2008-08-13 Thread Andrey G. Sergeev (AKA Andris)
Hello Kevin, Wed, 13 Aug 2008 17:37:28 -0400 Kevin Darcy wrote: >>> I don't know the answer to this question, but your operational >>> environment seems to be extraordinary in some points: >>> >>> - it's acting both as an authoritative and as a caching server >>> >> To Walter Gould: I thin

Re: Root server list

2008-08-13 Thread Andrey G. Sergeev (AKA Andris)
Hello Scott, Wed, 13 Aug 2008 14:07:08 -0700 Scott Baker wrote: > If I run dig without any options it outputs a list of root servers: > > ;; ANSWER SECTION: > . 482765 IN NS K.ROOT-SERVERS.NET. > . 482765 IN NS E.ROOT-SERVERS.NET

Re: Root server list

2008-08-13 Thread Peter Laws
Scott Baker wrote: > If I run dig without any options it outputs a list of root servers: > > ;; ANSWER SECTION: > . 482765 IN NS K.ROOT-SERVERS.NET. > . 482765 IN NS E.ROOT-SERVERS.NET. > . 482765 IN NS

Re: 9.5.0-P2 and socket: too many open file descriptors

2008-08-13 Thread Kevin Darcy
I believe FD_SETSIZE is the OS-defined value and your -DFD_SETSIZE=8192 is probably being re-defined/overridden by a system header file. ISC_SOCKET_FDSETSIZE is the BIND-specific setting, and will supersede FD_SETSIZE if it's larger: #if ISC_SOCKET_FDSETSIZE > FD_SETSIZE manager->fdsize

Re: 9.5.0-P2 and socket: too many open file descriptors

2008-08-13 Thread JINMEI Tatuya / 神明達哉
At Wed, 13 Aug 2008 12:28:23 -0700, "David Sparks" <[EMAIL PROTECTED]> wrote: > >> Usual question: > >> - did you build named with a large value of FD_SETSIZE? > > I just found out I have a similar problem with BIND 9.5.0-P2. I have nofile > set to 8192 but it doesn't seem to be respected by na

Re: selecttest tool

2008-08-13 Thread Kevin Darcy
Andrey G. Sergeev (AKA Andris) wrote: > Hi there, > > > Mon, 11 Aug 2008 20:10:09 -0700 JINMEI Tatuya / 神明達哉 wrote: > > >> I don't know the answer to this question, but your operational >> environment seems to be extraordinary in some points: >> >> - it's acting both as an authoritative and as

Re: 9.5.0-P2 and socket: too many open file descriptors

2008-08-13 Thread Fr34k
A teammate had tried this: STD_CDEFINES="-DISC_SOCKET_FDSETSIZE=2048" ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/opt/bind LDFLAGS="-Wl,-z,defs" --enable-threads --enable-largefile Perhaps hack for your environment and let us know what happens. Thanks. -

Re: 9.5.0-P2 and socket: too many open file descriptors

2008-08-13 Thread David Sparks
> Apparently 16384 fd isn't sufficient? I restarted named and: > I doubt it ran out of fds ... either I compiled it wrong or there is > something > else going on. To answer my own question I recompiled named with some diagnostics and find out that 1024 is still the FD limit: 13-Aug-2008 14:0

Root server list

2008-08-13 Thread Scott Baker
If I run dig without any options it outputs a list of root servers: ;; ANSWER SECTION: . 482765 IN NS K.ROOT-SERVERS.NET. . 482765 IN NS E.ROOT-SERVERS.NET. . 482765 IN NS L.ROOT-SERVERS.NET. .

Re: Queries for www.tjhinc.com

2008-08-13 Thread Kevin Darcy
Is this server aggressively cleaning its cache? Seems like cache entries are disappearing on you. FWIW, I did a bunch of queries of this name and the results were exactly as you were expecting, i.e. the TTL of the Answer record, of the 2 records in the Authority Section, and of the 2 records in

Re: 9.5.0-P2 and socket: too many open file descriptors

2008-08-13 Thread David Sparks
>> Usual question: >> - did you build named with a large value of FD_SETSIZE? I just found out I have a similar problem with BIND 9.5.0-P2. I have nofile set to 8192 but it doesn't seem to be respected by named? Why does named not use the limits set by ulimit? Distro binaries are seldom built

Re: Regarding Parallel Support

2008-08-13 Thread JINMEI Tatuya / 神明達哉
At Wed, 13 Aug 2008 09:20:42 +0400, Dmitry Rybin <[EMAIL PROTECTED]> wrote: > > Where is it documented? My servers suffered greatly from what seems to be > > exactly this problem and we pulled our hair out trying to figure out how to > > solve it. max-cache-size just doesn't work in 9.4. > >

Re: Bind 9.5.0-P1 Crash 0x000a717c in cleanup_dead_nodes

2008-08-13 Thread JINMEI Tatuya / 神明達哉
At Wed, 13 Aug 2008 11:28:24 -0500 (CDT), [EMAIL PROTECTED] wrote: > Program terminated with signal 10, Bus error. > #0 0x000a717c in cleanup_dead_nodes (rbtdb=0x78f8e8, bucketnum=1544) > at rbtdb.c:1375 > 1375 ISC_LIST_UNLINK(rbtdb->deadnodes[bucketnum], node, > deadlink)

domain cannot resolve

2008-08-13 Thread Ejaz
Hi, Something wondering with me, through my Bind I cannot resolve the outside domains for the first time. Every time I have to repeat the query, then I can see the results when I am in the nslookup prompt. While I am browsing the sites I need to refresh the page to get the pages. Please any can have any

Bind 9.5.0-P1 Crash 0x000a717c in cleanup_dead_nodes

2008-08-13 Thread bsfinkel
oberon# /usr/afsws/local/bin/gdb named core.oberon.080813.1047 GNU gdb 6.7.1 Copyright (C) 2007 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to th

Re: Not sure if my DNS is vulnerable?

2008-08-13 Thread Lars Hecking
Vincent Poy writes: > What about this since it seems even the patch is vulnerable to a degree: > http://www.theinquirer.net/gb/inquirer/news/2008/08/10/physicist-hacks-dns-patch http://marc.info/?l=bind-users&m=121834710707369&w=2

Re: Not sure if my DNS is vulnerable?

2008-08-13 Thread Vincent Poy
What about this since it seems even the patch is vulnerable to a degree: http://www.theinquirer.net/gb/inquirer/news/2008/08/10/physicist-hacks-dns-patch Cheers, Vince On Wed, Aug 13, 2008 at 8:52 AM, Ben Croswell <[EMAIL PROTECTED]>wrote: > I have not heard of any actual javascript attacks like

Queries for www.tjhinc.com

2008-08-13 Thread bsfinkel
One of our users here complained about getting a SERVFAIL when querying DNS for www.tjhinc.com. I have done a number of queries (see below), and I do not understand the results. Here are the questions: 1) Before I ran the queries, there was nothing in either DNS server's cache for the d

Re: Not sure if my DNS is vulnerable?

2008-08-13 Thread Ben Croswell
I have not heard of any actual javascript attacks like I mentioned in the wild, but it is a definite possibility. On Wed, Aug 13, 2008 at 11:01 AM, John Smith <[EMAIL PROTECTED]> wrote: > Do you have any links to the reports I would like to read them... I could > not find them using Google? > > >

Re: 9.5.0-P2 Windows 2000 Server

2008-08-13 Thread Jukka Pakkanen
Unfortunately all Windows versions have issues at the moment, including all -Px and -bx versions. But fixes should be coming really soon, hopefully later this week. We have found 9.5.0-P2 being the best option at the moment. It crashes often, our servers crash usually every 15-20 minutes at dayt

9.5.0-P2 Windows 2000 Server

2008-08-13 Thread Kris McElroy
I recently upgraded to the newest version of bind so that I could patch my system. Since I have upgraded the named service dies about every 9 hours? There is nothing in the event viewer giving any indication of why, unless I need to add something to the logging channel? The previous version never

Re: Not sure if my DNS is vulnerable?

2008-08-13 Thread John Smith
Do you have any links to the reports? I would like to read them... I could not find them using Google. On Wed, Aug 13, 2008 at 10:52 AM, Faehl, Chris <[EMAIL PROTECTED]> wrote: > John, > > Yes, there have been successful attacks. As you might expect, many of the > targets are financial institutions

RE: Recursive queries fail if query source port is not fixed

2008-08-13 Thread Jeff Lightner
My guess is you have a firewall that is only allowing port 53 outbound. Are you running iptables? If so does turning it off temporarily resolve the issue? Is there a firewall/switch upstream from your server that needs to be adjusted? We're running RHEL 5 with 9.3.4-P1 and it works fine here wi

RE: Not sure if my DNS is vulnerable?

2008-08-13 Thread Faehl, Chris
John, Yes, there have been successful attacks. As you might expect, many of the targets are financial institutions. Chris Faehl Hosting Manager, RightNow Technologies -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Smith Sent: Wednesday, August 13,

Re: Not sure if my DNS is vulnerable?

2008-08-13 Thread John Smith
Has anyone heard of any successful attacks? On Wed, Aug 13, 2008 at 10:27 AM, John Smith <[EMAIL PROTECTED]> wrote: > That clears it up for me. Thank you. > > > > On Wed, Aug 13, 2008 at 10:12 AM, Chris Buxton <[EMAIL PROTECTED]> wrote: > >> No

Re: Not sure if my DNS is vulnerable?

2008-08-13 Thread John Smith
That clears it up for me. Thank you. On Wed, Aug 13, 2008 at 10:12 AM, Chris Buxton <[EMAIL PROTECTED]> wrote: > No, that's pretty much it. > > Step 1) Attacker sets up attacking name server, which waits for contact > from a potential victim. > >

Re: Not sure if my DNS is vulnerable?

2008-08-13 Thread Chris Buxton
No, that's pretty much it. Step 1) Attacker sets up attacking name server, which waits for contact from a potential victim. Step 2) Attacker hacks a web page, adding a short (and legitimate-looking) JavaScript. Step 3) Innocent web browser in yo

Re: DNS Query Behavior with Global Forwarders Statement

2008-08-13 Thread Merton Campbell Crockett
On 12 Aug 2008, at 23:12:18, Mark Andrews wrote: > >>> Is this an artifact of the -P2 changes or was the use of RTT dropped >>> for some other reason? >> >> You didn't say which version you were running. Our NMS systems tend to be running BIND 9.3.5-P1. The -P2 rollout is in progress. There

Re: Not sure if my DNS is vulnerable?

2008-08-13 Thread Ben Croswell
I would say you are "less vulnerable", but you are still vulnerable. It is only a matter of time before someone integrates the exploit code into a webpage. One of your internal users goes to the web page which has the browser resolve somehost.evil.org. The attacker now knows the IP of your outboun

Re: Not sure if my DNS is vulnerable?

2008-08-13 Thread John Smith
From what I have read, I thought that in order to start this attack the attacker MUST be able to send some packets to your DNS with some fake requests in order to guess at the starting point for the transaction IDs, otherwise they have to guess... So they have to get at least one response... I r

Not sure if my DNS is vulnerable?

2008-08-13 Thread John Smith
So I have a caching only DNS server that is behind a firewall and has no incoming connections allowed unless specifically requested from inside. My DNS server does contact the root DNS servers upstream. But again incoming connections are only allowed into my DNS server unless they originated from the

Re: selecttest tool

2008-08-13 Thread Andrey G. Sergeev (AKA Andris)
Hi there, Mon, 11 Aug 2008 20:10:09 -0700 JINMEI Tatuya / 神明達哉 wrote: > I don't know the answer to this question, but your operational > environment seems to be extraordinary in some points: > > - it's acting both as an authoritative and as a caching server To Walter Gould: I think it's time

Re: Error with logging channel audit_log

2008-08-13 Thread Adam Tkac
On Tue, Aug 12, 2008 at 08:53:42PM -0400, Robert Spangler wrote: > On Tuesday 12 August 2008 20:09, Mark A. Moore wrote: > > > Yes. We are running SELinux. What is the command to stop the service and > > if we plan on using SELinux, can you tell us what changes need to be made? > > setenforce 0

Recursive queries fail if query source port is not fixed

2008-08-13 Thread Hans F. Nordhaug
(Posted to the news group earlier, but reposting to the mailing list since moderation of the group seems to be slow.) In the quest for securing the name servers in a company I try to help, I have gotten into trouble. The company is running CentOS 5.0 and I have updated their Bind to 9.3.4_P1. In ad