Re: bind configuration issues

2009-10-26 Thread Ray Still
On Mon, Oct 26, 2009 at 6:42 PM, Steve Bertrand  wrote:
> Ray Still wrote:
>> Ok,
>> tell me just how nuts this idea is.
>
> imho, your thought-process is not nuts. I can see what you are trying to
> do, so kudos given for trying to work it out with what you have.
>
>> To recap, two pipes, one destination.
>
>> I set up second DNS server.
>> ns1.example.com at 70.65. (provider 1)
>> ns2.example.com at 206.75(provider 2)
>> A records for example.org on ns1 will give  70.65.
>> on ns2 206.75
>> if provider one goes down, ns1 is gone, ns2 is still available, and so
>> is the route to the sites.
>
> Note: I haven't followed the entire thread...
>
> Remember that no matter where your name servers are located, they both
> will hold the same information (if they don't, then shame on you, as you
> just broke scalability).
>
> This means that other caching servers all over the 'net may have either
> entry. Some ISP's name servers will cache records even longer than what
> your TTL is set to without trying to re-check (shame on them). Hence,
> you can never count on using DNS naming as a tactic for redundancy.
>
>> It's not the best solution, but it's better than what I have.
>
> If I understand your conundrum properly (one server with an internal IP,
> with NAT in front of it, port-forwarded back aliased from two separate
> ISP public IPs), then, at minimum, here's how you can essentially
> 'halve' the damage:
>
> - set up your DNS servers in a proper master/slave configuration
> - configure your 'A' records in a round-robin setup. I'll assume your
> zone is ibctech.ca, and that your $TTL is 360:
>
> www   IN A 208.70.104.210
> www   IN A 208.70.104.211
>
> (yes, I know 360 puts pressure on everyone else, but this is for example
> purposes).
>
> If I know I will need to make DNS changes in advance for a domain, I'll
> set the TTL to 360 (secs) long before the changes need to be made. Then,
> I can make the changes, and if caching resolvers are Doing The Right
> Thing, they will pick up these changes after five minutes.
>
> If you have a domain that is high-traffic, don't do this. I'd like to
> emphasize that a low ttl puts pressure on every DNS caching server on
> the Internet that must look up information on your domain.
>
> With that said, with a 5 min ttl, in the event of an outage, you can hop
> onto your authoritative DNS server, switch BOTH A records to point to
> the working IP, and the rest of the 'net 'should' be able to see those
> changes within five minutes (again, if they obey your ttl).
>
> Steve
>

OK,
after reading and re-reading and experimenting I think I get it.
Thanks for your comments and patience.
I will probably end up using something based on Gary's round robin
suggestion. It may not provide 100% reliable failover, but it will
help, and worst case, it will provide some bandwidth sharing.
Thanks,
Ray
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: bind configuration issues

2009-10-26 Thread Ray Still
Ok,
tell me just how nuts this idea is.
To recap, two pipes, one destination.
I set up second DNS server.
ns1.example.com at 70.65. (provider 1)
ns2.example.com at 206.75(provider 2)
A records for example.org on ns1 will give  70.65.
on ns2 206.75
if provider one goes down, ns1 is gone, ns2 is still available, and so
is the route to the sites.

It's not the best solution, but it's better than what I have.
Am I missing something that's going to come back and bite me in the butt?
Thanks,
Ray

On Mon, Oct 26, 2009 at 2:14 PM, Gary Gatten  wrote:
> I googled "dns round robin failover" and there are many hits.  One 
> interesting one is:
> http://forums.devshed.com/dns-36/ha-using-round-robinworking-368800.html
>
> It suggests well written apps / resolvers will try to use all ip's returned 
> by the query starting with the preferred one, not JUST the preferred one.  
> Which means, just by enabling round robin with multiple A records, you MAY 
> get some level of HA/Failover by default.  Cool, BUT, I wouldn't bet my life 
> on it.  I'd still have something that could tweak your DNS records based on 
> packet loss, latency, etc.  What if your circuit is "up", but is degraded by 
> loss, latency (load induced or otherwise), etc.
>
> As you mentioned, something is better than nothing - so start simple and go 
> from there!
>
> HTH!
>
> G
>
>
> -Original Message-
> From: owner-freebsd-questi...@freebsd.org 
> [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Gary Gatten
> Sent: Monday, October 26, 2009 2:07 PM
> To: Ray Still; freebsd-questions@freebsd.org
> Subject: RE: bind configuration issues
>
> I'm not intimate with bind, or anything/one actually - but that's another 
> story...
>
> Anyway, the gist is you need to "ping" some public hosts from your dns server 
> (or another system I guess, but easier if on the dns server).  One 
> destination host would be reachable through one connection, and the other of 
> course would only be reachable through the alternate connection.  Maybe use 
> the primary DNS servers each upstream ISP provides to you?  Anyway, if both 
> pings are OK, then your DNS server does round-robin for the host(s) in 
> question.  If one ping fails, then you stop handing out that IP.  You can force 
> the route taken within ping itself, or use static host(/32) routes, etc.
>
> Sounds simple huh?  It kinda is, and LONG ago I had a shell script to do just 
> this, but it's gone - and maybe bind 9+ has some sort of this functionality 
> available to you embedded in the bind code?  Don't know.  Even if you have to 
> write your own script to update your dns records based on your monitoring 
> process it's not that hard even for a scripting novice such as myself!
>
> G
>
>
> -Original Message-
> From: owner-freebsd-questi...@freebsd.org 
> [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Ray Still
> Sent: Monday, October 26, 2009 1:56 PM
> To: freebsd-questions@freebsd.org
> Subject: Re: bind configuration issues
>
> On Mon, Oct 26, 2009 at 11:55 AM, Gary Gatten  wrote:
>>
>> You certainly don't "need" BGP for this, the DNS thing will work, but will 
>> be a bit kludgy and certainly not as ... "responsive" to failures - a la 
>> query caching, TTL's and what not.
>>
>> - Original Message -
>> From: owner-freebsd-questi...@freebsd.org 
>> 
>> To: Ray Still 
>> Cc: freebsd-questions@freebsd.org 
>> Sent: Mon Oct 26 12:50:56 2009
>> Subject: Re: bind configuration issues
>>
>> On Oct 26, 2009, at 10:03 AM, Ray Still wrote:
>> > Hello,
>> > I am adding a redundant Internet connection to my current hosting
>> > setup and
>> > I need to figure out how to set up the DNS to make this work.
>>
>> The two issues normally aren't related.
>>
>> If both connections are from the same provider, talk to them about
>> multilink PPP; if they are from different providers, you need to look
>> into multihoming and getting your own AS #.
>>
>
> two different providers.
>
>>
>> > Current setup:
>> > freebsd 7.0 machine, one local IP address, runs web, mail, and name
>> > server.
>> > static ip address in router.
>> > I have two DNS servers registered, but they both point to the same ip
>> > address on the same machine. (Yes, I should have my fingers slapped.)
>> >
>> > Desired setup
>> > same machine, one local IP address, runs web, mail, and name server.
>> > different router (Linksys RV082) with 2 static ip a
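
Putting Gary's ping-driven idea together with Steve's round-robin and short-TTL advice from the later reply, here is an added example (not a script from this thread): it probes one host per ISP path, then publishes only the A records whose path answered, using a TSIG-authenticated nsupdate(8) batch. The zone, host name, addresses (RFC 5737 documentation ranges), probe targets, TTL and key file path are assumptions, and each probe target is assumed to be pinned to its ISP by a static host route on the router, as Gary suggests.

```shell
#!/bin/sh
# Added example, not from the thread: probe one host per ISP path and emit
# the nsupdate(8) batch that publishes only the A records whose path is up.
# All values below are constructed/assumed; replace them with your own.
ZONE="example.org"
HOST="www.example.org"
TTL=360                        # Steve's five-minute TTL; raise it once stable
IP_ISP1="192.0.2.10"           # public address handed out by provider 1
IP_ISP2="198.51.100.10"        # public address handed out by provider 2
PROBE_ISP1="192.0.2.1"         # reachable only via ISP 1 (e.g. its resolver)
PROBE_ISP2="198.51.100.1"      # reachable only via ISP 2
KEYFILE="/usr/local/etc/namedb/update.key"   # assumed TSIG key location

# probe_path TARGET -> 0 if TARGET answers three pings, 1 otherwise.
# A static host route pins each target to its ISP, so a failed probe
# means that ISP path is down (or badly degraded).
probe_path() {
    ping -c 3 "$1" >/dev/null 2>&1
}

# select_ips UP1 UP2 -> prints the IPs to publish, one per line.
# UP1/UP2 are 0 (path up) or 1 (path down) so the decision is testable
# offline. With both paths down we keep both records: removing every
# record would only add a name-resolution failure to the routing outage.
select_ips() {
    if [ "$1" -eq 0 ] && [ "$2" -ne 0 ]; then
        printf '%s\n' "$IP_ISP1"
    elif [ "$1" -ne 0 ] && [ "$2" -eq 0 ]; then
        printf '%s\n' "$IP_ISP2"
    else
        printf '%s\n%s\n' "$IP_ISP1" "$IP_ISP2"   # round robin
    fi
}

# nsupdate_batch UP1 UP2 -> prints an nsupdate script that drops all A
# records for HOST and re-adds the selected ones; everything between the
# zone line and 'send' is applied as one atomic dynamic update.
nsupdate_batch() {
    printf 'zone %s\nupdate delete %s A\n' "$ZONE" "$HOST"
    select_ips "$1" "$2" | while read -r ip; do
        printf 'update add %s %s A %s\n' "$HOST" "$TTL" "$ip"
    done
    printf 'send\n'
}

# main: run the probes and push the update, signed with the TSIG key that
# the zone's allow-update clause in named.conf is restricted to.
main() {
    probe_path "$PROBE_ISP1"; up1=$?
    probe_path "$PROBE_ISP2"; up2=$?
    nsupdate_batch "$up1" "$up2" | nsupdate -k "$KEYFILE"
}

# Only probe and update when explicitly asked, so the functions can be
# sourced (from a cron wrapper or a test) without touching the zone.
if [ "${RUN_PROBES:-0}" = 1 ]; then
    main
fi
```

Run it from cron on the authoritative server as RUN_PROBES=1; with the key in place, Steve's manual "switch BOTH A records" step becomes the same signed update instead of a zone-file edit and reload.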

Re: bind configuration issues

2009-10-26 Thread Ray Still
On Mon, Oct 26, 2009 at 11:55 AM, Gary Gatten  wrote:
>
> You certainly don't "need" BGP for this, the DNS thing will work, but will be 
> a bit kludgy and certainly not as ... "responsive" to failures - a la query 
> caching, TTL's and what not.
>
> - Original Message -
> From: owner-freebsd-questi...@freebsd.org 
> 
> To: Ray Still 
> Cc: freebsd-questions@freebsd.org 
> Sent: Mon Oct 26 12:50:56 2009
> Subject: Re: bind configuration issues
>
> On Oct 26, 2009, at 10:03 AM, Ray Still wrote:
> > Hello,
> > I am adding a redundant Internet connection to my current hosting
> > setup and
> > I need to figure out how to set up the DNS to make this work.
>
> The two issues normally aren't related.
>
> If both connections are from the same provider, talk to them about
> multilink PPP; if they are from different providers, you need to look
> into multihoming and getting your own AS #.
>

two different providers.

>
> > Current setup:
> > freebsd 7.0 machine, one local IP address, runs web, mail, and name
> > server.
> > static ip address in router.
> > I have two DNS servers registered, but they both point to the same ip
> > address on the same machine. (Yes, I should have my fingers slapped.)
> >
> > Desired setup
> > same machine, one local IP address, runs web, mail, and name server.
> > different router (Linksys RV082) with 2 static ip address.
>
> In order to have redundancy, you need to have two real, separate
> machines, each of which is running BIND, each of which is on a
> separate routable IP.  This is an orthogonal issue to setting up
> multiple Internet connections.

Yes, in an ideal world I would do this. The two machines would also be
in separate buildings/cities/provinces/countries/planets
(pick your level of paranoia)  ;)
However, reducing single points of failure is an improvement, even if
I can't eliminate them.


>
> > How do I set up bind so that
> > 1) bandwidth is shared between the two connections,
> > and
> > 2) if one goes down, the other keeps working.
> > I had a few ideas, but they all seem to have flaws.
>
> You can't set up BIND to control multilink aggregation and failover;
> that's not what it does.
>
> Regards,
> -- freebsd-questions@freebsd.org
> -Chuck
>

Thanks for the replies.
Chuck, thanks for the keywords to search. Some of what I'm finding
looks like a solution for companies a lot bigger than me, but I'll
keep looking.

Gary, can you give me any clues about how to do it with just DNS? Yes,
I do realize that this leaves single points of failure, but at least
they would be points that I could do something about if necessary.

Thanks again,
Ray


bind configuration issues

2009-10-26 Thread Ray Still
Hello,
I am adding a redundant Internet connection to my current hosting setup and I need to figure out how to set up the DNS to make this work.
Current setup:
freebsd 7.0 machine, one local IP address, runs web, mail, and name server.
static ip address in router.
I have two DNS servers registered, but they both point to the same ip address on the same machine. (Yes, I should have my fingers slapped.)

Desired setup
same machine, one local IP address, runs web, mail, and name server.
different router (Linksys RV082) with 2 static ip address.

How do I set up bind so that
1) bandwidth is shared between the two connections,
and
2) if one goes down, the other keeps working.
I had a few ideas, but they all seem to have flaws.

feel free to answer with links or search keywords.
Also, as this question isn't exactly a FreeBSD question, is there a better
list for this?
Thanks

Ray


problem installing port (amavisd-new) under 6.3 release

2008-03-20 Thread Ray Still
Hello all,
I'm installing 6.3 fresh, and I'm running into some problems installing some ports. Everything goes fine until I get here:

any suggestions?
Thanks in advance,
Ray
===>   Returning to build of p5-Encode-Detect-1.00
===>   p5-Encode-Detect-1.00 depends on file: /usr/local/bin/perl5.8.8 -
found
===>  Configuring for p5-Encode-Detect-1.00
Checking whether your kit is complete...
Looks good

Warning: this distribution contains XS files, but Module::Build is not
configured with C_support.  Please install ExtUtils::CBuilder to enable
C_support.
Checking prerequisites...
 - ERROR: ExtUtils::CBuilder is not installed

ERRORS/WARNINGS FOUND IN PREREQUISITES.  You may wish to install the
versions
of the modules indicated above before proceeding with this installation

Creating new 'Build' script for 'Encode-Detect' version '1.00'
===>  Building for p5-Encode-Detect-1.00
Module::Build is not configured with C_support
at /usr/local/lib/perl5/site_perl/5.8.8/Module/Build/Base.pm line 3887.
*** Error code 2

Stop in /usr/ports/converters/p5-Encode-Detect.
*** Error code 1

Stop in /usr/ports/mail/p5-Mail-SpamAssassin.
*** Error code 1

Stop in /usr/ports/security/amavisd-new.
*** Error code 1

Stop in /usr/ports/security/amavisd-new.



Re: Fw: Re: problem with script execution

2006-12-01 Thread Ray Still


- Original Message - 
From: "Alex Zbyslaw" <[EMAIL PROTECTED]>

To: "Ray Still" <[EMAIL PROTECTED]>
Cc: 
Sent: Friday, December 01, 2006 8:28 AM
Subject: Re: Fw: Re: problem with script execution



Ray Still wrote:


Just out of curiosity: What is the "echo * |" supposed to do? From my
point of view the shell will expand "*" to the list of files and
directories in PWD, so "echo *" acts like a simple ls in this context.
This list is piped to sudo. But what does sudo do with these?



sorry, I didn't want to show my passwords, so I replaced it with an 
asterisk. the password of course is being read from the pipe by sudo 
because of the -S option.


Probably nothing to do with your original problem, but you do know that 
you can allow sudo to execute certain commands without a password? 
Passwords in shell scripts aren't exactly ideal...


I am aware of the security issues, but in this case I think it's the best 
option because:


1) any one who can login to the machine also knows root passwords.
2) this script lives in a directory that is password protected by apache.
3) I don't like the thought of turning off passwords.
so if you can see the script, you won't learn anything you don't already 
know.

am I totally out to lunch?



E.g. my sudoers has:

Cmnd_Alias  HEALTHD = /usr/local/sbin/healthd
[...]
%wheel  ALL=(root)  NOPASSWD: SMART_STATUS, HEALTHD, MBMON

So anyone in group wheel (me :-)) can execute any of the named commands 
without any password.  You can also force the flags that will be passed - 
the sudoers man page has more details.


--Alex








Fw: Re: problem with script execution

2006-12-01 Thread Ray Still

sorry, I hit reply, not reply all


- Original Message - 
From: "Christian Walther" <[EMAIL PROTECTED]>

To: "Ray Still" <[EMAIL PROTECTED]>
Cc: 
Sent: Friday, December 01, 2006 1:03 AM
Subject: Re: problem with script execution



Try adding "#!/bin/sh" as the first new line of your script. Roughly
speaking: This makes the system use /bin/sh as the shell that executes
the script.
Specifying a PATH inside the script might help, too. Scripts have a
very small environment set by default, so your PATH might be just
something like /bin:/usr/bin. If sudo is in /usr/local/bin it won't
work.


thank you for your suggestions. I will try them and get back to you.



Just out of curiosity: What is the "echo * |" supposed to do? From my
point of view the shell will expand "*" to the list of files and
directories in PWD, so "echo *" acts like a simple ls in this context.
This list is piped to sudo. But what does sudo do with these?


sorry, I didn't want to show my passwords, so I replaced it with an 
asterisk. the password of course is being read from the pipe by sudo because 
of the -S option.







problem with script execution

2006-11-30 Thread Ray Still

Hello;
I have a problem that I have put considerable time into, but I keep 
coming up empty. short form is that the script works from the command 
line, but doesn't work from a php script. (I've already stumped the php 
list.)

details follow.

I have a shell script, 'copy', consisting of 4 lines:
echo * | sudo -u admn -S rm /path/to/file1
echo * | sudo -u admn -S cp /some/path/to/source1 /path/to/file1
echo * | sudo -u admn -S rm /path/to/file2
echo * | sudo -u admn -S cp /some/path/to/source2 /path/to/file2

copy is owned by www:www and is mode 777
file1 and file2 are owned by admn:www and are mode 666
copy, file1 and file2 are in the same directory which is owned by 
www:www and is mode 777
I have enabled targetpw in the sudoers file as www doesn't really have 
a password.
I also have a php script 
<?php
echo exec ('whoami');
exec ('/path/to/copy');
?>
(just for the sake of completeness, exec passes a command to the OS and 
echo prints what ever is passed to it.)
my output is "www" which is the expected result of the whoami for the 
php/apache user. however no file changes happen.


however, from root:
sudo -u www /path/to/copy  
changes the files exactly as expected/desired.

any suggestions/pointers/links would be appreciated.

system:
FreeBSD www.domain.tld 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Mon Feb 13 
09:28:07 MST 2006 [EMAIL PROTECTED]:/usr/src/sys/i386/compile/WWW 
i386

Apache/2.2.3 (FreeBSD) mod_ssl/2.2.3 OpenSSL/0.9.7e-p1 PHP/5.1.5

(potentially sensitive info removed)

Ray
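
Pulling Christian's and Alex's suggestions from the replies together, here is the 'copy' script reworked as an added example (not Ray's script or anything posted in the thread): a shebang and explicit PATH, sudo run non-interactively, and a NOPASSWD rule scoped to the exact cp commands instead of a password piped to sudo -S. The paths, the admn user, the sudoers alias name and the SUDO_CMD/COPY_RUN/SRC*/DST* variables are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the thread: the 'copy' script reworked
# so the web server user never handles a password. Assumed names: the target
# user admn, the source/destination paths and the sudoers entry below.
#
# The weak form from the thread, shown only for contrast:
#     echo 'secret' | sudo -u admn -S rm /path/to/file1
# The password sits in a mode-777 script readable by every local user, and
# with 'targetpw' enabled it is admn's password that is exposed.
#
# The hardened form: a narrow NOPASSWD rule in sudoers (edit with visudo),
# so only these two copies, with exactly these arguments, need no password:
#     Cmnd_Alias WEBCOPY = /bin/cp /some/path/to/source1 /path/to/file1, \
#                          /bin/cp /some/path/to/source2 /path/to/file2
#     www ALL=(admn) NOPASSWD: WEBCOPY
# No rm rule is needed: cp overwrites the destination in place.

# Explicit PATH: a script started from PHP's exec() inherits a near-empty
# environment, and sudo lives in /usr/local/bin on FreeBSD.
PATH=/bin:/usr/bin:/usr/local/bin
export PATH
set -eu

# SUDO_CMD is overridable so the logic can be exercised without sudo.
# -n: never prompt; if no NOPASSWD rule matches, fail with an error instead
# of hanging the web server waiting for a password on a closed stdin.
SUDO_CMD="${SUDO_CMD:-sudo -n -u admn}"

# copy_into_place SRC DST -> 0 on success. sudo's own error text (such as
# "a password is required") goes to stderr, so the PHP side can capture it
# with 2>&1 instead of seeing a script that silently does nothing.
copy_into_place() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "copy: cannot read $src" >&2; return 1; }
    $SUDO_CMD /bin/cp "$src" "$dst"
}

# copy_all -> performs both copies and stops at the first failure.
copy_all() {
    copy_into_place "${SRC1:-/some/path/to/source1}" "${DST1:-/path/to/file1}" &&
    copy_into_place "${SRC2:-/some/path/to/source2}" "${DST2:-/path/to/file2}"
}

# Run only when explicitly asked, so the functions can be sourced by a test.
if [ "${COPY_RUN:-0}" = 1 ]; then
    copy_all
fi
```

From PHP, call it as exec('COPY_RUN=1 /path/to/copy 2>&1', $out, $rc) and check $rc, which is what would have revealed the original failure.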