Master/slave configuration

2012-03-07 Thread romgo
Dear community,

I use bind on my network as DNS Server. Running bind 1:9.6.ESV.R4+dfsg-0+lenny4
on Debian Lenny.

The setup is quite usual : one master server with one slave server.

The slave syncs the zone from the master.

I discovered that when the master is down I have some trouble accessing the
internet and the local domains which are managed by the master server.

Symptoms are: slow browsing and some websites can't be reached; it seems to be a
timeout issue (the server didn't answer in time).

I saw that for the unreachable websites the issue was DNS, as my tcpdump didn't
show any HTTP request.

How can I troubleshoot this issue?

Regards,



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Master/slave configuration

2012-03-08 Thread Romgo
Hello,

Thanks for the answer. That was my first change:
/etc/resolv.conf like:

domain example.fr
search example.fr example2.fr
nameserver 192.168.0.1
nameserver 192.168.0.2
options rotate
options timeout:1
options attempts:1

This works fine.

But the issue is now mainly coming from the client: Windows XP :/
The default Windows timeout is 2s.

I can see in bind's logs the dns request, but the webpage is not showing
up.

I can use a VIP for the DNS server, but I thought that a master/slave
configuration was made in order to avoid using a VIP.

Did you guys encounter that kind of issue?
Maybe my slave server is not well configured?

Regards,

On 8 March 2012 10:22, Niall O'Reilly  wrote:

>
> On 8 Mar 2012, at 02:58, Lyle Giese wrote (on bind-users):
>
> > On linux boxes, adding
> >
> > options rotate
> >
> > to the /etc/resolv.conf helps.
>
> [cross-posted, reply-to header set]
>
>Is there a DHCP option which expresses that, and which
>typical fielded DHCP clients will respect?
>
>As you may guess, I don't have access to those thousands
>of client systems out there.
>
>/Niall
>
>
>

Re: Master/slave configuration

2012-03-09 Thread Romgo
Hello,

I know that I can use a VIP with any software (corosync, Linux HA...), but
that will not explain the origin of the issue I am facing :)


Even if I use a VIP I can reproduce the issue:
if the first VIP (so nameserver 1) is down, I'll have the same
drawbacks, as the resolver will time out before falling back to the second
nameserver.

Right?



On 9 March 2012 10:13, Phil Mayers  wrote:

> On 03/08/2012 06:26 PM, michoski wrote:
>
>  Meant to add one thing...  In our configuration, we actually have two
>> recursive VIPs per site, and even considered three (internal IPs are
>> cheap).
>>
>
> We do this.
>
> We also make the two different VIPs use different underlying tech - one is
> an anycast route advertised with eBGP, the other is via load-balancing. The
> diversity of tech gives us a bit more resilience and flexibility - taking
> out the load-balancer no longer destroys DNS, for example.
>
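
A worked illustration of the failover behaviour discussed in this thread (the slow lookups when the first nameserver is dead, and why options rotate / timeout / attempts change the picture), added here as an example; it is not code from the thread or from any libc. It is a deliberately simplified model of the stub resolver's retry loop: every dead nameserver costs exactly `timeout` seconds per try, a live one answers at once, `attempts` passes are made over the whole list, and with `rotate` the starting server advances by one for each successive query. The glibc defaults of 5 seconds and 2 attempts are assumed when resolv.conf does not override them; the resolv.conf text and the dead master address are taken from the thread.

```python
"""Simplified model of a libc stub resolver's failover loop (constructed
example).  Assumptions: a dead nameserver costs exactly `timeout` seconds per
try, a live one answers immediately, `attempts` passes are made over the full
list, and with `rotate` the starting server advances by one per query.  The
glibc defaults (timeout 5 s, 2 attempts) apply when resolv.conf is silent."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

GLIBC_TIMEOUT = 5    # RES_TIMEOUT
GLIBC_ATTEMPTS = 2   # RES_DFLRETRY


@dataclass
class ResolvConf:
    nameservers: List[str] = field(default_factory=list)
    timeout: int = GLIBC_TIMEOUT
    attempts: int = GLIBC_ATTEMPTS
    rotate: bool = False


def parse_resolv_conf(text: str) -> ResolvConf:
    """Read the 'nameserver' and 'options' lines of a resolv.conf.  Several
    'options' lines are accepted, as are several options on a single line."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "nameserver" and len(words) > 1:
            conf.nameservers.append(words[1])
        elif words[0] == "options":
            for opt in words[1:]:
                if opt == "rotate":
                    conf.rotate = True
                elif opt.startswith("timeout:"):
                    conf.timeout = int(opt.split(":", 1)[1])
                elif opt.startswith("attempts:"):
                    conf.attempts = int(opt.split(":", 1)[1])
    return conf


def lookup_delay(conf: ResolvConf, down: Set[str], start: int = 0) -> Tuple[Optional[str], int]:
    """Seconds one query waits before a live server answers it, starting the
    walk at index `start`.  Returns (server, seconds); server is None when
    every try timed out."""
    n = len(conf.nameservers)
    waited = 0
    for _ in range(conf.attempts):
        for i in range(n):
            ns = conf.nameservers[(start + i) % n]
            if ns in down:
                waited += conf.timeout
            else:
                return ns, waited
    return None, waited


def delay_profile(conf: ResolvConf, down: Set[str], queries: int = 10) -> Tuple[float, int]:
    """(average, worst-case) seconds per query over `queries` consecutive
    lookups from one process.  Without rotate every query starts at server 0."""
    delays = []
    for q in range(queries):
        start = q % len(conf.nameservers) if conf.rotate else 0
        delays.append(lookup_delay(conf, down, start)[1])
    return sum(delays) / len(delays), max(delays)


# The resolv.conf posted in the thread, and the same file minus its options.
TUNED = """domain example.fr
search example.fr example2.fr
nameserver 192.168.0.1
nameserver 192.168.0.2
options rotate
options timeout:1
options attempts:1
"""
DEFAULT = "\n".join(l for l in TUNED.splitlines() if not l.startswith("options")) + "\n"
MASTER_DOWN = {"192.168.0.1"}      # the master (first nameserver) is unreachable

if __name__ == "__main__":
    for name, text in (("default", DEFAULT), ("tuned", TUNED)):
        avg, worst = delay_profile(parse_resolv_conf(text), MASTER_DOWN)
        print(f"{name:8s} master down: avg {avg:.1f}s, worst {worst}s per lookup")
```

With the master down, the default settings make every single lookup wait the full 5 seconds before the slave is even asked, which is the "slow browsing" and the browser timeouts from the first message. `rotate` alone halves the number of affected lookups but leaves the worst case untouched; only `timeout`/`attempts` shrink it. The model says nothing about Windows clients, which have their own retry schedule, so the client-side point raised later in the thread is not covered here.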

DNS requests error sending response: host unreachable

2012-03-12 Thread Romgo
Dear community,

I have many errors in my BIND log file such as:

client 192.168.201.1#29404: error sending response: host unreachable

It seems that I have an iptables issue, as each time I shut down iptables this
message no longer shows up.

I saw that my firewall is dropping packets from the DNS server itself
towards the client, as the source port is SPT=53/UDP.

I am using bind 9.6; it should use a random port >1024 as the source port.
(I didn't specify the query-source parameter.)

Nevertheless DNS resolution seems to be working fine.

Any idea?


Regards,

Re: DNS requests error sending response: host unreachable

2012-03-12 Thread Romgo
Here is my iptables configuration for BIND:

# prod.dns.in
$IPTABLES -t filter -A INPUT -j LOGACCEPT -p udp --dport 53 -i eth1 -d 192.168.201.2 -s 0/0
$IPTABLES -t filter -A INPUT -j LOGACCEPT -p tcp --dport 53 -i eth1 -d 192.168.201.2 -s 0/0


# OUTPUT
#-
# prod.dns.out
$IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p tcp --dport 53 -o eth1 -s 192.168.201.2 -d 0/0
$IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p udp --dport 53 -o eth1 -s 192.168.201.2 -d 0/0

My issue is between two BIND servers. The one having the error messages is
my public DNS server, used by the internal server as a forwarder.
Here is the drop from the firewall:

 [FW-DROP] IN= OUT=eth1 SRC=192.168.200.2 DST=192.168.201.1 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=65231 PROTO=UDP SPT=53 DPT=37513 LEN=61 UID=108 GID=111

It doesn't seem to be a TCP issue as the packet is UDP.

Any idea?

Regards,

On 12 March 2012 18:00, Chuck Swiger  wrote:

> On Mar 12, 2012, at 8:09 AM, Romgo wrote:
> > Dear community,
> >
> > I do have many error in my Bind's log file such as :
> >
> > client 192.168.201.1#29404: error sending response: host unreachable
> >
> > It seems that I have an iptables issue as each time I shut iptables I
> don't have anymore this message showing up.
>
> You're probably exhausting the firewall state table with DNS traffic under
> load, causing the traffic to be blocked with an ICMP "host unreachable"
> response.
>
> > I saw that my firewall is dropping packets from the DNS server itself
> towards the client, as the source port is SPT=53/UDP.
> >
> > I am using bind 9.6, it should use random port >1024 for the source
> port. (I didn't specify query-source parameter).
> >
> > Nevertheless dns resolution seems to be working find.
>
> Adjust your firewall to permit UDP and TCP traffic needed for DNS without
> keeping state, or only keep state on external traffic, but not between your
> nameserver(s) and your local clients...
>
> Regards,
> --
> -Chuck
>
>
>

Re: DNS requests error sending response: host unreachable

2012-03-12 Thread Romgo
Sorry, it has a space; I just made an error by copying.

Yes, 192.168.201.2 is dropped because it uses source port 53. I don't have
any iptables rule for this.
I don't understand why there is a packet with source port 53.

On 12 March 2012 21:33, Chuck Swiger  wrote:

> On Mar 12, 2012, at 1:24 PM, Romgo wrote:
> > Here is my Iptables configuration for bind :
> >
> > # prod.dns.in
> > $IPTABLES -t filter -A INPUT -j LOGACCEPT -p udp --dport 53 -i eth1-d
> 192.168.201.2 -s 0/0
> > $IPTABLES -t filter -A INPUT -j LOGACCEPT -p tcp --dport 53 -i eth1 -d
> 192.168.201.2 -s 0/0
>
> Shouldn't the first line have a space before the minus within "eth1-d"?
>
> Regards,
> --
> -Chuck
>
>
>

Re: DNS requests error sending response: host unreachable

2012-03-13 Thread Romgo
I see, but it should be stateful, right?


On 12 March 2012 23:57, Mark Andrews  wrote:

>
> In message <
> caaoqnkg-xfkws_fen9kedub7w19vf4jocsfp52lb8ixv5+g...@mail.gmail.com>
> , Romgo writes:
> >
> > Here is my Iptables configuration for bind :
> >
> > # prod.dns.in
> > $IPTABLES -t filter -A INPUT -j LOGACCEPT -p udp --dport 53 -i eth1-d
> > 192.168.201.2 -s 0/0
> > $IPTABLES -t filter -A INPUT -j LOGACCEPT -p tcp --dport 53 -i eth1 -d
> > 192.168.201.2 -s 0/0
> >
> >
> > # OUTPUT
> > #-
> > # prod.dns.out
> > $IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p tcp --dport 53 -o eth1 -s
> > 192.168.201.2 -d 0/0
> > $IPTABLES -t filter -A OUTPUT -j LOGACCEPT -p udp --dport 53 -o eth1 -s
> > 192.168.201.2 -d 0/0
>
> This is obviously wrong.  You want to be looking at the source port not
> the destination port for reply traffic.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
>

Re: DNS requests error sending response: host unreachable

2012-03-13 Thread Romgo
All right.

This seems to correct the issue.
But that's the first time I had to open the firewall for a reply packet.

Weird.

Thanks for the help.



On 13 March 2012 10:19,  wrote:

> Quoting Romgo:
>
>> I see, but it should be stateful, right?
>
> If using stateful UDP filtering you might get hit by short timeout values
> for UDP state matching, so packets get dropped if the query is too slow.
>
> Regards
>
> Andreas
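
The rule logic Mark Andrews points at, checked against the packet the kernel logged, as an added example (not code from the thread, and not iptables itself): a toy first-match packet filter that evaluates the posted rules and a corrected set against the `[FW-DROP]` line quoted above. The random port BIND 9.6 picks is the source port of its own outgoing queries; a response to a client is sent from port 53, the port the query arrived on, which is exactly the packet that was dropped. Assumed here: 192.168.200.2 is the server's own address on eth1 (the thread's rules name 192.168.201.2, which the poster says was a copy error), `LOGACCEPT` behaves as ACCEPT, and the chain policy is DROP.

```python
"""Toy first-match packet filter (constructed example, not iptables) used to
show why the thread's stateless rules drop DNS replies and what a stateless
fix looks like.  Assumptions: SERVER is the DNS server's own eth1 address,
LOGACCEPT behaves as ACCEPT, and the chain policy is DROP."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    chain: str      # "INPUT" (arriving) or "OUTPUT" (locally generated)
    iface: str
    proto: str      # "UDP" or "TCP"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    iface: Optional[str] = None
    src: Optional[str] = None    # address or CIDR; None means any
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.chain != p.chain or (self.proto and self.proto != p.proto):
            return False
        if self.iface and self.iface != p.iface:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def verdict(rules: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, as in an iptables chain; else the chain policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


FIELD = re.compile(r"([A-Z]+)=(\S*)")


def parse_fw_log(line: str) -> Packet:
    """Turn a netfilter LOG line into a Packet.  An empty IN= with OUT= set
    means the packet was generated locally, i.e. it went through OUTPUT."""
    f = dict(FIELD.findall(line))
    out = f.get("OUT", "")
    return Packet(chain="OUTPUT" if out else "INPUT", iface=out or f.get("IN", ""),
                  proto=f["PROTO"], src=f["SRC"], dst=f["DST"],
                  sport=int(f["SPT"]), dport=int(f["DPT"]))


SERVER = "192.168.200.2"   # assumed: the server's own address on eth1
IF = "eth1"

# The rules as posted: every rule matches on destination port 53 only, so
# queries towards port 53 pass in both directions but no reply does.
POSTED = [
    Rule("INPUT", "ACCEPT", proto="UDP", iface=IF, dst=SERVER, dport=53),
    Rule("INPUT", "ACCEPT", proto="TCP", iface=IF, dst=SERVER, dport=53),
    Rule("OUTPUT", "ACCEPT", proto="TCP", iface=IF, src=SERVER, dport=53),
    Rule("OUTPUT", "ACCEPT", proto="UDP", iface=IF, src=SERVER, dport=53),
]

# Stateless fix: replies leave from source port 53 towards the client's
# ephemeral port; answers to the server's own recursive queries arrive from
# remote port 53 towards the random port BIND chose for that query.
FIXED = POSTED + [
    Rule("OUTPUT", "ACCEPT", proto="UDP", iface=IF, src=SERVER, sport=53),
    Rule("OUTPUT", "ACCEPT", proto="TCP", iface=IF, src=SERVER, sport=53),
    Rule("INPUT", "ACCEPT", proto="UDP", iface=IF, dst=SERVER, sport=53),
    Rule("INPUT", "ACCEPT", proto="TCP", iface=IF, dst=SERVER, sport=53),
]

# The dropped packet exactly as logged in the thread.
FW_DROP = ("[FW-DROP] IN= OUT=eth1 SRC=192.168.200.2 DST=192.168.201.1 LEN=81 TOS=0x00 "
           "PREC=0x00 TTL=64 ID=65231 PROTO=UDP SPT=53 DPT=37513 LEN=61 UID=108 GID=111")

if __name__ == "__main__":
    reply = parse_fw_log(FW_DROP)
    print("posted rules:", verdict(POSTED, reply))
    print("fixed rules: ", verdict(FIXED, reply))
```

Two caveats for anyone copying the stateless fix. The INPUT rule on source port 53 admits any packet whose sender chose port 53, so on a host that also runs SSH or a web server it should be narrowed to the ephemeral range BIND actually uses (pin it with `use-v4-udp-ports` in named.conf and match that range with `--dport`), or replaced by a conntrack `ESTABLISHED` rule. If you keep conntrack instead, remember Andreas's point above: the unreplied-UDP state expires quickly (30 seconds by default on Linux), so a slow upstream answer comes back to no state and is dropped just the same, which is why an explicit source-port-53 rule is the usual choice on a busy resolver.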

Bind not forwarding all requests

2012-12-07 Thread Romgo
Hello,

I am currently running two bind9 servers on Debian Squeeze
(1:9.7.3.dfsg-1~squeeze8).

Server 1 is the internal DNS server and serves some local zones. This server
should forward all unknown requests to our public DNS server, so I
configured this server as follows in /etc/bind/named.conf.options:

  forward only;
  forwarders {
    ip_server_2;
  };

The second server is allowed to do DNS requests on the internet, so there is
no forwarder configured.

The issue is that I see on my firewall that server1 is trying to send DNS
requests to the DNS root servers.

Any idea why I have this issue? Wrong configuration?

Regards,

Re: Bind not forwarding all requests

2012-12-07 Thread Romgo
Yes, that was my first idea from reading the documentation.
But as my configuration is clearly using forward only, I don't understand.

Could this be a bug?

On 7 December 2012 18:10, Ben Croswell  wrote:

> It is probably related to forward first versus forward only. Forward first
> is default but will fall back to no forwarding if the forwarders fail.

Re: Bind not forwarding all requests

2012-12-09 Thread Romgo
Hello,

Yes, I have a db.root file which contains the root servers.
/etc/resolv.conf is configured to ask itself.

Forward is not configured at zone level; it is specified in
named.conf.options, in an options {} block, so I guess this should apply to all
zones if not specified at the zone level.

Here is my conf for the root zone:

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

Should I try to force forwarders in zone "."?


On 8 December 2012 00:26, Leonard Mills  wrote:

> Which zone(s) have that forward clause?  To do what I think you want to
> do, the zone should be the root (dot and only the dot in the zone name)
>
> Your named will use the builtin roots for any non-local lookups.
> Forwarding "." will send all non-local traffic to your edge daemon.
>
> Len

Re: Bind not forwarding all requests

2012-12-10 Thread Romgo
Hello all,

I tried to add the forwarders to the root zone:

/etc/bind/named.conf:9: option 'forward' is not allowed in 'hint' zone '.'
/etc/bind/named.conf:10: option 'forwarders' is not allowed in 'hint' zone '.'

So I really don't understand the behaviour...

Is there a bug tracker for BIND?

Regards


Re: Bind not forwarding all requests

2012-12-10 Thread Romgo
Hello,

I found the issue:

I had 2 old zones with forwarders configured, and those forwarders were down.
One piece of equipment was still using one of these zones, so bind wasn't able to
contact the forwarders and fell back to the root zone.

I don't really know why it tries the root zone, but since I deleted those old
zones I don't have any new queries to the root zone.

According to what I read about "forward only":

"it doesn't try to contact other name servers to find information if the
forwarders don't give it an answer."

I had exactly the opposite behaviour.

Thank you for the help!

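
The outcome of this thread (stale zones with their own dead forwarders sending queries to the root despite a global forward only) reduces to one rule about how BIND selects a forwarding policy, shown below as an added example; it is a model written for this page, not BIND code. The assumption it encodes, consistent with Ben Croswell's explanation and with what was observed: a zone that declares its own forwarders carries its own forward mode, and that mode defaults to first when the zone omits forward only, so the only in options{} never reaches such a zone. Zone names and forwarder addresses are made up; ip_server_2 is the placeholder from the original post.

```python
"""Model of how BIND chooses a forwarding policy for a query name.  Added
example for the thread, not BIND code.  Assumption, consistent with what the
thread observed: a zone that declares forwarders carries its own forward mode,
defaulting to 'first' when the zone omits 'forward only'; the 'forward only'
in options{} covers only names under no such zone.  Names and addresses of
the stale zones are made up."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Forwarding:
    forwarders: List[str]
    mode: str = "first"       # what a bare 'forwarders { ... };' gets


def effective_policy(qname: str, options: Forwarding,
                     zones: Dict[str, Forwarding]) -> Tuple[str, Forwarding]:
    """(zone, policy) of the closest enclosing zone that declares forwarders,
    or ('.', options) when no zone covers the name."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in zones:
            return zone, zones[zone]
    return ".", options


def resolve_path(qname: str, options: Forwarding, zones: Dict[str, Forwarding],
                 reachable: Set[str]) -> Tuple[str, str]:
    """Where the query ends up: ('forwarder', address) when a forwarder of the
    selected policy answers; ('root-hints', zone) when the policy is 'first'
    and every forwarder is dead, i.e. named iterates from db.root;
    ('SERVFAIL', zone) when the policy is 'only' and the forwarders are dead."""
    zone, policy = effective_policy(qname, options, zones)
    for addr in policy.forwarders:
        if addr in reachable:
            return "forwarder", addr
    if policy.mode == "first":
        return "root-hints", zone
    return "SERVFAIL", zone


# options { forward only; forwarders { ip_server_2; }; };   (from the thread)
OPTIONS = Forwarding(forwarders=["ip_server_2"], mode="only")

# Two stale zones of the kind the thread found: each names a forwarder but
# says nothing about 'forward', so each silently gets mode 'first'.
STALE_ZONES = {
    "old-partner.example": Forwarding(forwarders=["10.9.9.9"]),
    "legacy.example": Forwarding(forwarders=["10.9.9.10"]),
}
# Hardened variant: the same zones pinned to 'forward only'.
PINNED_ZONES = {z: Forwarding(p.forwarders, mode="only") for z, p in STALE_ZONES.items()}

REACHABLE = {"ip_server_2"}      # the stale forwarders no longer answer

if __name__ == "__main__":
    for name in ("www.old-partner.example", "www.isc.org"):
        print(name, "->", resolve_path(name, OPTIONS, STALE_ZONES, REACHABLE))
```

The practical check is to look for every `forwarders` statement outside options{} (`grep -rn forwarders /etc/bind/`, or read the expanded configuration from `named-checkconf -p`) and give each zone-level list an explicit `forward only;` if falling back to the root is not wanted; deleting the zones, as was done here, is the other way to close the gap. Either way the audit matters from a security standpoint: a server meant to reach the internet only through a controlled forwarder was silently iterating on its own whenever that per-zone path failed.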