Re: Recursive queries fail after bind has been running for a few hours
I don't look at debug logs and may be WAY off base. But the time period for the log seems to be about 10 seconds start to finish in the failed query. However line 56 indicates that it timed out the query after 30 seconds. That just doesn't add up to me for some reason. Or is there 20 seconds of preceding logs missing when the query started?

Lyle Giese
LCR Computer Services, Inc.

On 03/12/12 15:05, Mr X wrote:
> Hey there
>
> I'm having a bizarre issue with 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 - recursive queries stop functioning after bind has been running for a few hours. It's a very low volume system (dev), maybe a few queries per hour at most. It's not due to cache filling or anything like I've dealt with in the past. I suspect it's related to DNSSEC and root-server validation but I could use another set of eyes on my debug log. Sorry for posting from an inconspicuous e-mail address. My employer asks that I'm careful about the information I disclose on public mailing lists.
>
> You can see my debug log during a failed query
> http://pastebin.com/5hh05WjM
>
> Successful query here
> http://pastebin.com/H9qSQcyG
>
> If you would like to see my config, I can include portions, but it's huge so please let me know exactly what parts you're looking for.
>
> - Brian

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS requests error sending response: host unreachable
In message , Romgo writes:
> Here is my Iptables configuration for bind :
>
> # prod.dns.in
> $IPTABLES -t filter -A INPUT -j LOGACCEPT -p udp --dport 53 -i eth1-d 192.168.201.2 -s 0/0
> $IPTABLES -t filter -A INPUT -j LOGACCEPT -p tcp --dport 53 -i eth1 -d 192.168.201.2 -s 0/0
>
> # OUTPUT
> #-
> # prod.dns.out
> $IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p tcp --dport 53 -o eth1 -s 192.168.201.2 -d 0/0
> $IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p udp --dport 53 -o eth1 -s 192.168.201.2 -d 0/0

This is obviously wrong. You want to be looking at the source port not the destination port for reply traffic.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: DNS requests error sending response: host unreachable
Sorry, it has a space, I just made an error by copying.

Yes 192.168.201.2 is dropped because it uses source port 53. I don't have any iptables rule for this. I don't understand why there is a packet with source port 53.

On 12 March 2012 21:33, Chuck Swiger wrote:
> On Mar 12, 2012, at 1:24 PM, Romgo wrote:
> > Here is my Iptables configuration for bind :
> >
> > # prod.dns.in
> > $IPTABLES -t filter -A INPUT -j LOGACCEPT -p udp --dport 53 -i eth1-d 192.168.201.2 -s 0/0
> > $IPTABLES -t filter -A INPUT -j LOGACCEPT -p tcp --dport 53 -i eth1 -d 192.168.201.2 -s 0/0
>
> Shouldn't the first line have a space before the minus within "eth1-d"?
>
> Regards,
> --
> -Chuck
Re: Recursive queries fail after bind has been running for a few hours
On Mon, Mar 12, 2012 at 12:05 PM, Mr X wrote:
> Hey there
>
> I'm having a bizarre issue with 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 - recursive queries stop functioning after bind has been running for a few hours. It's a very low volume system (dev), maybe a few queries per hour at most. It's not due to cache filling or anything like I've dealt with in the past. I suspect it's related to DNSSEC and root-server validation but I could use another set of eyes on my debug log. Sorry for posting from an inconspicuous e-mail address. My employer asks that I'm careful about the information I disclose on public mailing lists.
>
> You can see my debug log during a failed query
> http://pastebin.com/5hh05WjM
>
> Successful query here
> http://pastebin.com/H9qSQcyG
>
> If you would like to see my config, I can include portions, but it's huge so please let me know exactly what parts you're looking for.

You are getting timeouts for some reason. The obvious question is whether the queries are actually being sent or whether they are and responses are not coming back. Or, perhaps the response IS coming back, but named is not picking them up.

Could you try getting a packet capture? As these are UDP and assuming Unix, something like 'tcpdump -w badquery.bpf -s0 -p port 53'. This will capture all DNS traffic to/from this system, but you say it is not all that much, so it should be tractable. Once you have captured the data, you can use a tool like wireshark to look at it.

--
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
RE: reverse dns for IPV6 ranges
On Mon, 12 Mar 2012, hugo hugoo wrote:
> Has anyone else experience with reverse IPV6 configuration with Bind?

We do static PTR records in the ip6.arpa zones like we do in the in-addr.arpa zones, to create address->name mappings matching the name->address mappings created by the AAAA & A records.

I fairly recently started fiddling with wildcard PTR records for DHCPv6 address pools, to at least return some answer for a query about the addresses. Right now I have it configured so that a query for any address in any of the pools returns the same name, but it could be changed to return different names for different pools. This obviously doesn't create symmetric name->address & address->name mapping, which might or might not be a problem. I don't have enough real use of this to know whether this wildcard stuff is helpful or not.

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
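An added Python example, not Jay's zone or anything posted in the thread, that builds the ip6.arpa names his message describes: static PTR records for fixed addresses and one wildcard PTR covering a whole DHCPv6 pool. The prefixes and example.net hostnames are constructed sample data.

```python
import ipaddress

def ip6_arpa_name(address):
    """PTR owner name for one IPv6 address: all 32 nibbles reversed under ip6.arpa."""
    return ipaddress.IPv6Address(address).reverse_pointer + "."

def ip6_arpa_zone(prefix):
    """Reverse zone apex for a nibble-aligned prefix (a /64 gives 16 nibbles + ip6.arpa)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegations cut on 4-bit boundaries only")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def static_ptr(address, hostname):
    """One static PTR line, the same way an in-addr.arpa zone maps one IPv4 address."""
    return f"{ip6_arpa_name(address)} IN PTR {hostname}"

def wildcard_ptr(zone_prefix, pool_prefix, hostname):
    """One wildcard PTR that answers for every address in pool_prefix.
    The pool must sit inside the zone for zone_prefix. Per RFC 4592 the '*' matches
    any number of labels beneath the pool's nibbles as long as no more specific name
    exists there, so keep static PTRs out of wildcarded pools: a static name inside
    the pool creates empty non-terminals that stop the wildcard matching neighbours."""
    zone = ipaddress.IPv6Network(zone_prefix)
    pool = ipaddress.IPv6Network(pool_prefix)
    if not pool.subnet_of(zone):
        raise ValueError(f"{pool} is not inside {zone}")
    return f"*.{ip6_arpa_zone(pool_prefix)} IN PTR {hostname}"

def reverse_zone(zone_prefix, static_hosts, pools):
    """Zone body for zone_prefix: static PTRs first, then one wildcard per DHCPv6 pool."""
    lines = [f"; reverse zone {ip6_arpa_zone(zone_prefix)}"]
    lines += [static_ptr(a, h) for a, h in static_hosts.items()]
    lines += [wildcard_ptr(zone_prefix, p, h) for p, h in pools.items()]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample: a /48 reverse zone, two fixed servers, one DHCPv6 pool.
    print(reverse_zone("2001:db8:1::/48",
                       {"2001:db8:1::53": "ns1.example.net.",
                        "2001:db8:1::25": "mail.example.net."},
                       {"2001:db8:1:2::/64": "dhcp6-pool.example.net."}))
```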
RE: reverse dns for IPV6 ranges
Hello,

Has anyone else experience with reverse IPV6 configuration with Bind?

Regards,
Hugo,

> From: spa...@countryday.net
> To: hugo...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: RE: reverse dns for IPV6 ranges
> Date: Tue, 6 Mar 2012 03:09:42 +
>
> > But if only some IPs have a reverse..what about the other servers who have received an IP in the range? IP that can be changed every x hours.
> > IF no reverse, it can be blacklisted for some reasons or having some problems with services asking a reverse dns resolution.
>
> In my ip6.arpa zone, all of the entries are for servers whose IPv6 addresses never change. If you are going to register PTR records for clients with changeable IPv6 addresses, then you need a dynamic update mechanism. Mark Andrews made a recommendation earlier in this regard. I don't think there is any reason to have PTR records that have no corresponding records in the forward lookup zone. That would be computationally infeasible anyway.
>
> Jeff.
Re: Anycast DNS - LB/LTM
I'm not familiar with LTM, so there is no need to check the pool with the script, LTM will know itself and stop advertising through some other mechanism when the pool is empty? therefore checking VIPA using the script is just redundant?

From: David Klein
To: ju wusuo
Cc: "bind-users@lists.isc.org"
Sent: Saturday, March 10, 2012 3:31 PM
Subject: Re: Anycast DNS - LB/LTM

Exactly. The script runs inside the LTM, and wraps "nslookup" or "dig". It should output a distinct output for success, and another distinct output for failure. It should only check the pool members, not the VIPA itself. If the pool is empty, the LTM will stop advertising the VIPA.

-DTK

On Fri, Mar 9, 2012 at 1:16 PM, ju wusuo wrote:
> so the script would run on the LTM, it will periodically check each physical DNS node, if one cannot resolve then takes it out of the pool; it will also check the VIP, if the VIP cannot resolve, pool is empty or LTM issue, stop the advertising?
>
> From: David Klein
> To: ju wusuo
> Cc: "bind-users@lists.isc.org"
> Sent: Wednesday, March 7, 2012 11:18 PM
> Subject: Re: Anycast DNS
>
> You would need to create a custom script to use as your monitor, which does a lookup of an address that you know will always be in your domain. If that fails, force-down/inactive the node, and tie this script as a monitor to the pool holding the DNS server nodes.
>
> You can advertise the /32 containing the VIPA to the up-stream router via either OSPF or IBGP, and if the pool goes empty, stop advertising the route (the only option is stop advertising, not actively withdraw the route, since that could cause a massive reconvergence cycle in your enterprise-wide RIB, if done wrong, just because of a flapping interface).
>
> HTH,
> -DTK
>
> On Wed, Mar 7, 2012 at 2:34 PM, ju wusuo wrote:
> > thanks everyone for all responses with the great inputs ..
> >
> > now if I want to put the DNS servers behind LBs, 1) would the LTMs be able to announce the routes dynamically for the DNS servers, and a VIP can be withdrawn when the site is gone? 2) would the LTMs be able to detect a DNS service failure and stop sending over DNS queries, i.e., in the case a named is still up but just not able to resolve names (assuming LTM can detect a named is down)?

--
david t. klein
Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?
Re: DNS requests error sending response: host unreachable
On Mar 12, 2012, at 1:24 PM, Romgo wrote:
> Here is my Iptables configuration for bind :
>
> # prod.dns.in
> $IPTABLES -t filter -A INPUT -j LOGACCEPT -p udp --dport 53 -i eth1-d 192.168.201.2 -s 0/0
> $IPTABLES -t filter -A INPUT -j LOGACCEPT -p tcp --dport 53 -i eth1 -d 192.168.201.2 -s 0/0

Shouldn't the first line have a space before the minus within "eth1-d"?

Regards,
--
-Chuck
Re: DNS requests error sending response: host unreachable
Here is my Iptables configuration for bind :

# prod.dns.in
$IPTABLES -t filter -A INPUT -j LOGACCEPT -p udp --dport 53 -i eth1-d 192.168.201.2 -s 0/0
$IPTABLES -t filter -A INPUT -j LOGACCEPT -p tcp --dport 53 -i eth1 -d 192.168.201.2 -s 0/0

# OUTPUT
#-
# prod.dns.out
$IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p tcp --dport 53 -o eth1 -s 192.168.201.2 -d 0/0
$IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p udp --dport 53 -o eth1 -s 192.168.201.2 -d 0/0

My issue is between two Bind servers. The one having the error messages is my Public DNS server, used by the internal server as forwarders.

Here is the drop from the firewall.

[FW-DROP] IN= OUT=eth1 SRC=192.168.200.2 DST=192.168.201.1 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=65231 PROTO=UDP SPT=53 DPT=37513 LEN=61 UID=108 GID=111

It doesn't seem to be a TCP issue as the packet is UDP.

Any idea ?

Regards,

On 12 March 2012 18:00, Chuck Swiger wrote:
> On Mar 12, 2012, at 8:09 AM, Romgo wrote:
> > Dear community,
> >
> > I do have many errors in my Bind's log file such as :
> >
> > client 192.168.201.1#29404: error sending response: host unreachable
> >
> > It seems that I have an iptables issue as each time I shut iptables I don't have anymore this message showing up.
>
> You're probably exhausting the firewall state table with DNS traffic under load, causing the traffic to be blocked with an ICMP "host unreachable" response.
>
> > I saw that my firewall is dropping packets from the DNS server itself towards the client, as the source port is SPT=53/UDP.
> >
> > I am using bind 9.6, it should use random port >1024 for the source port. (I didn't specify query-source parameter).
> >
> > Nevertheless dns resolution seems to be working fine.
>
> Adjust your firewall to permit UDP and TCP traffic needed for DNS without keeping state, or only keep state on external traffic, but not between your nameserver(s) and your local clients...
>
> Regards,
> --
> -Chuck
Re: DNS requests error sending response: host unreachable
On Mar 12, 2012, at 8:09 AM, Romgo wrote:
> Dear community,
>
> I do have many errors in my Bind's log file such as :
>
> client 192.168.201.1#29404: error sending response: host unreachable
>
> It seems that I have an iptables issue as each time I shut iptables I don't have anymore this message showing up.

You're probably exhausting the firewall state table with DNS traffic under load, causing the traffic to be blocked with an ICMP "host unreachable" response.

> I saw that my firewall is dropping packets from the DNS server itself towards the client, as the source port is SPT=53/UDP.
>
> I am using bind 9.6, it should use random port >1024 for the source port. (I didn't specify query-source parameter).
>
> Nevertheless dns resolution seems to be working fine.

Adjust your firewall to permit UDP and TCP traffic needed for DNS without keeping state, or only keep state on external traffic, but not between your nameserver(s) and your local clients...

Regards,
--
-Chuck
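An added Python example, not Romgo's rules or anything posted in the thread, that models the posted ruleset beside a corrected stateless one (Mark's source-port point and Chuck's no-state suggestion together) and runs the FW-DROP line from the thread through both. It omits the -i/-o and address matches and assumes the chains' default policy is DROP. A nameserver answers from port 53, so its replies can only be matched on --sport 53; the random high ports BIND picks apply to the queries it originates, not to the answers it sends.

```python
import re

# Copy of the netfilter drop line quoted in the thread: an answer leaving the
# nameserver (OUT=eth1) from source port 53 to the client's ephemeral port.
FW_DROP_LINE = ("[FW-DROP] IN= OUT=eth1 SRC=192.168.200.2 DST=192.168.201.1 LEN=81 "
                "TOS=0x00 PREC=0x00 TTL=64 ID=65231 PROTO=UDP SPT=53 DPT=37513 LEN=61")

def parse_fw_log(line):
    """Reduce a netfilter LOG line to the fields the rules below match on."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    return {"chain": "OUTPUT" if fields.get("OUT") else "INPUT",
            "proto": fields["PROTO"].lower(),
            "sport": int(fields["SPT"]), "dport": int(fields["DPT"])}

# The rules as posted: all four match --dport 53, so an answer sent from port 53
# to a high client port matches nothing in OUTPUT and falls to the DROP policy.
ORIGINAL_RULES = [
    {"chain": "INPUT",  "proto": "udp", "dport": 53},  # queries reaching named
    {"chain": "INPUT",  "proto": "tcp", "dport": 53},
    {"chain": "OUTPUT", "proto": "tcp", "dport": 53},  # named's own upstream queries
    {"chain": "OUTPUT", "proto": "udp", "dport": 53},
]

# Corrected and stateless: add the other half of each exchange, matched on the
# source port (answers named sends out, answers coming back in to named).
CORRECTED_RULES = ORIGINAL_RULES + [
    {"chain": "OUTPUT", "proto": "udp", "sport": 53},
    {"chain": "OUTPUT", "proto": "tcp", "sport": 53},
    {"chain": "INPUT",  "proto": "udp", "sport": 53},
    {"chain": "INPUT",  "proto": "tcp", "sport": 53},
]

def accepted(packet, rules):
    """Evaluate against a DROP default policy: a rule accepts when every one of
    its criteria equals the packet's corresponding field."""
    return any(all(packet.get(k) == v for k, v in r.items()) for r in rules)

def to_iptables(rule):
    """Render a rule in the shape of the posted config (interface/address omitted)."""
    cmd = f"$IPTABLES -t filter -A {rule['chain']} -j LOGACCEPT -p {rule['proto']}"
    for opt in ("sport", "dport"):
        if opt in rule:
            cmd += f" --{opt} {rule[opt]}"
    return cmd

if __name__ == "__main__":
    pkt = parse_fw_log(FW_DROP_LINE)
    print(accepted(pkt, ORIGINAL_RULES), accepted(pkt, CORRECTED_RULES))  # False True
    print("\n".join(to_iptables(r) for r in CORRECTED_RULES[4:]))
```

The INPUT --sport 53 rules accept anything that claims source port 53, which is the usual cost of stateless DNS rules; where the server only forwards, narrow them with -s to the forwarders' addresses.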
DNS requests error sending response: host unreachable
Dear community,

I do have many errors in my Bind's log file such as :

client 192.168.201.1#29404: error sending response: host unreachable

It seems that I have an iptables issue as each time I shut iptables I don't have anymore this message showing up.

I saw that my firewall is dropping packets from the DNS server itself towards the client, as the source port is SPT=53/UDP.

I am using bind 9.6, it should use random port >1024 for the source port. (I didn't specify query-source parameter).

Nevertheless dns resolution seems to be working fine.

Any idea ?

Regards,