Re: dig

2013-08-22 Thread Doug Hardie

On 21 August 2013, at 18:14, Colin House  wrote:

> On 22/08/2013 9:34 AM, Doug Hardie wrote:
>> There appears to be a problem with dig and the +trace option in 9.2.  I 
>> believe it's also in 9.1.  The command:
>> 
>> dig freebsd.org +trace
>> 
>> Only yields a dumb response.  No useful information is provided.  Running 
>> the same command on FreeBSD 7.2 yields a complete trace with lots of useful 
>> information.
> 
> Have you tested against another NS?  I ran into a similar problem when 
> setting up unbound as a local recursor recently on a 9.1-STABLE (r251985) box.
> 
> dig +trace  would return (next to) nothing.  dig +trace  
> @8.8.8.8 worked as expected.
> 
> I found it was the access-control configuration of unbound.  Changing my 
> "access-control: ::1 allow" to "access-control: ::1 allow_snoop" restored the 
> +trace functionality.
> 
> I'm not sure how this translates with bind.. Perhaps the defaults have 
> changed between the versions that you're running (if you're running the base 
> versions on 7.2 and 9.1) or your recursive server isn't allowing it on 9.2?  
> Fwiw, in unbound, "allow" allows recursive lookups, "allow_snoop" allows both 
> recursive and non-recursive lookups.


After a bunch of testing, I have determined that the problem is the routers.  
If I use my local DNS servers or remote ones, then it works on all three 
systems.  Three different routers block it somehow.  
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: dig

2013-08-22 Thread Jerry
On Thu, 22 Aug 2013 11:14:04 +1000
Colin House articulated:

> On 22/08/2013 9:34 AM, Doug Hardie wrote:
> > There appears to be a problem with dig and the +trace option in
> > 9.2.  I believe it's also in 9.1.  The command:
> >
> > dig freebsd.org +trace
> >
> > Only yields a dumb response.  No useful information is provided.
> > Running the same command on FreeBSD 7.2 yields a complete trace
> > with lots of useful information.
> 
> Have you tested against another NS?  I ran into a similar problem
> when setting up unbound as a local recursor recently on a 9.1-STABLE 
> (r251985) box.
> 
> dig +trace  would return (next to) nothing.  dig +trace
>  @8.8.8.8 worked as expected.
> 
> I found it was the access-control configuration of unbound.  Changing
> my "access-control: ::1 allow" to "access-control: ::1 allow_snoop" 
> restored the +trace functionality.
> 
> I'm not sure how this translates with bind.. Perhaps the defaults
> have changed between the versions that you're running (if you're
> running the base versions on 7.2 and 9.1) or your recursive server
> isn't allowing it on 9.2?  Fwiw, in unbound, "allow" allows recursive
> lookups, "allow_snoop" allows both recursive and non-recursive
> lookups.

$ dig freebsd.org +trace

; <<>> DiG 9.6.-ESV-R7-P2 <<>> freebsd.org +trace
;; global options: +cmd
;; Received 12 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

$ drill freebsd.org +trace
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 28341
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; +trace.  IN  A

;; ANSWER SECTION:
+trace. 10  IN  A   69.16.143.110
+trace. 10  IN  A   66.152.109.110

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 34 msec
;; SERVER: 209.18.47.62
;; WHEN: Thu Aug 22 06:35:54 2013
;; MSG SIZE  rcvd: 56

I was surprised at the difference between the output of the two
commands.

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
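
An added example, not part of the original posts: a shell filter that classifies `dig +trace` output the way this thread reads it by eye. A 12-byte reply is a bare DNS header with no records, which is what the dig output quoted above shows for 127.0.0.1; the name `trace_diag` and the second sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `dig +trace` output read on stdin. Prints one of:
#   empty-first-hop SERVER BYTES   first reply carried no records
#   ok HOPS                        first reply had records; HOPS replies seen
#   no-reply                       no ";; Received" line at all

trace_diag() {
    awk '
        # Resource-record lines are the ones that are neither blank nor
        # ";"-prefixed comments.
        /^[^;]/ && NF > 0 { records++ }

        /^;; Received [0-9]+ bytes from / {
            hops++
            if (hops == 1) {
                first_bytes   = $3
                first_server  = $6
                sub(/#.*/, "", first_server)   # "127.0.0.1#53(...)" -> "127.0.0.1"
                first_records = records + 0
            }
        }

        END {
            if (hops == 0) {
                print "no-reply"
            } else if (first_records == 0 || first_bytes + 0 <= 12) {
                # A DNS header is 12 bytes, so such a reply has no sections.
                print "empty-first-hop", first_server, first_bytes
            } else {
                print "ok", hops
            }
        }'
}

# Output quoted from the thread (dig 9.6 asking the local resolver).
sample_blocked() {
    cat <<'EOF'

; <<>> DiG 9.6.-ESV-R7-P2 <<>> freebsd.org +trace
;; global options: +cmd
;; Received 12 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

EOF
}

# Constructed, shortened trace: placeholder names, documentation addresses.
sample_ok() {
    cat <<'EOF'
; <<>> DiG 9.6.-ESV-R7-P2 <<>> freebsd.org +trace
;; global options: +cmd
.        5       IN  NS  ns.root.example.
;; Received 228 bytes from 192.0.2.53#53(192.0.2.53) in 1 ms

org.     172800  IN  NS  ns.tld.example.
;; Received 430 bytes from 198.51.100.1#53(ns.root.example) in 20 ms

EOF
}

# Demo on the two samples. For live output: dig freebsd.org +trace | trace_diag
sample_blocked | trace_diag   # empty-first-hop 127.0.0.1 12
sample_ok | trace_diag        # ok 2
```

When the first hop is empty, repeating the trace against a different server (as Colin did with @8.8.8.8) separates a resolver ACL such as unbound's access-control from filtering on the network path.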

Re: dig

2013-08-21 Thread Colin House

On 22/08/2013 9:34 AM, Doug Hardie wrote:

> There appears to be a problem with dig and the +trace option in 9.2.  I believe
> it's also in 9.1.  The command:
>
> dig freebsd.org +trace
>
> Only yields a dumb response.  No useful information is provided.  Running the
> same command on FreeBSD 7.2 yields a complete trace with lots of useful
> information.


Have you tested against another NS?  I ran into a similar problem when 
setting up unbound as a local recursor recently on a 9.1-STABLE 
(r251985) box.


dig +trace  would return (next to) nothing.  dig +trace  
@8.8.8.8 worked as expected.


I found it was the access-control configuration of unbound.  Changing my 
"access-control: ::1 allow" to "access-control: ::1 allow_snoop" 
restored the +trace functionality.


I'm not sure how this translates with bind.. Perhaps the defaults have 
changed between the versions that you're running (if you're running the 
base versions on 7.2 and 9.1) or your recursive server isn't allowing it 
on 9.2?  Fwiw, in unbound, "allow" allows recursive lookups, 
"allow_snoop" allows both recursive and non-recursive lookups.


- Col


Re: dig

2013-08-21 Thread Robert Huff

>  > There appears to be a problem with dig and the +trace option in
>  > 9.2.  I believe it's also in 9.1.  The command:
>  >
>  > dig freebsd.org +trace
>  >
>  > Only yields a dumb response.  No useful information is
>  > provided.  Running the same command on FreeBSD 7.2 yields a
>  > complete trace with lots of useful information.
>
>  Works for me on 9.0 and 9.1 (and 8.2, 7.1, 7.0)

And on:

FreeBSD 10.0-CURRENT #0 r248938: Sun Mar 31 06:24:42 EDT 2013  amd64 


Robert Huff



Re: dig

2013-08-21 Thread Doug Hardie

On 21 August 2013, at 17:02, Doug Hardie  wrote:

> 
> On 21 August 2013, at 16:46, Frank Leonhardt  wrote:
> 
>> On 22/08/2013 00:34, Doug Hardie wrote:
>>> There appears to be a problem with dig and the +trace option in 9.2.  I 
>>> believe it's also in 9.1.  The command:
>>> 
>>> dig freebsd.org +trace
>>> 
>>> Only yields a dumb response.  No useful information is provided.  Running 
>>> the same command on FreeBSD 7.2 yields a complete trace with lots of useful 
>>> information.
>>> ___
>>> 
>> 
>> Works for me on 9.0 and 9.1 (and 8.2, 7.1, 7.0)
>> 
>> Is there something wrong with your local bind configuration?
>> 
>> Regards, Frank.
> 
> No.  The 7.2 config is identical to the 9.1 and there is no bind running on 
> the 9.2.
> 
> 



Re: dig

2013-08-21 Thread Frank Leonhardt

On 22/08/2013 00:34, Doug Hardie wrote:

> There appears to be a problem with dig and the +trace option in 9.2.  I believe
> it's also in 9.1.  The command:
>
> dig freebsd.org +trace
>
> Only yields a dumb response.  No useful information is provided.  Running the
> same command on FreeBSD 7.2 yields a complete trace with lots of useful
> information.



Works for me on 9.0 and 9.1 (and 8.2, 7.1, 7.0)

Is there something wrong with your local bind configuration?

Regards, Frank.




dig

2013-08-21 Thread Doug Hardie
There appears to be a problem with dig and the +trace option in 9.2.  I believe 
it's also in 9.1.  The command:

dig freebsd.org +trace

Only yields a dumb response.  No useful information is provided.  Running the 
same command on FreeBSD 7.2 yields a complete trace with lots of useful 
information.


Re: host & dig

2010-04-11 Thread Walter

   Adam Vande More wrote:

 I used telnet to connect to 68.204.xxx.xxx
 it tells me I've connected to [1]xxx.xxx.204.68.cfl.res.rr.com.
 (backwards, right?), then I log in.

   No, you have to a connection before you login.  You want to *strongly*
   consider using ssh instead of telnet.  You may also be referring to the
   format of the DNS query result which is known as
   [2]http://en.wikipedia.org/wiki/Reverse_DNS_lookup

   I DID have a connection.  ???  Maybe I gave too much detail,
   but the point is that the IP yielded by host/dig did not match
   what "whatismyip.com" gave here.  I'd like to know why.

 After user/pass entry, it says connected from "user-yyy.cab"

 (replaced seemingly random name with "yyy" in case
 it's not transient)
 My external IP here is 24.110.nnn.nnn
 The issue:
 When I use either "host" or "dig" to give me the IP address
 from "user-yyy.cab", they tell me: 208.68.zzz.zzz
 (Ping gives the same.)
 So, I'm still at a loss, I think, to know the originating IP.
 Should a firewall rule blocking 208.68.zzz.zzz actually
 operate against 24.110.nnn.nnn?

   I don't understand the question, what is the rule?

  I'd STILL like to know the true source IP to be able to connect
 back to it.

   man sockstat
   man netstat

   Thanks.  Did that:
   "netstat -n" gives the correct IP.
   "sockstat" does also.
   I couldn't find anything in the host or dig man pages that
   indicated to me that they could be made to yield the proper
   24.110.*.* IP address.
   About the "rule"::: I was just mentioning one of the reasons
   I want the IP address is so I can monitor multiple bad login
   attempts to block the troublesome IP with a firewall rule.  I
   ALSO would like the correct IP for another purpose (project),
   that involves connecting back to the source IP.
   I will give a try to find out which IP address the ipfw firewall
   operates on - the 208.68.*.* one or the 24.110.*.* one.  It's not
   obvious which at this point to me.
   Thanks.
   Walter

References

   1. http://xxx.xxx.204.68.cfl.res.rr.com/
   2. http://en.wikipedia.org/wiki/Reverse_DNS_lookup


Re: host & dig

2010-04-10 Thread Adam Vande More
On Sat, Apr 10, 2010 at 9:54 AM, Walter  wrote:

> A previous question to the List on how to get an IP
> address from a host specific URL yielded the helpful
> responses of "host" and "dig."  These (seemed to) work
> fine.  Well, just now I got a chance to try it out on a tiny
> server I have at someone else's house, and on another
> network.
>
> I used telnet to connect to 68.204.xxx.xxx
> it tells me I've connected to xxx.xxx.204.68.cfl.res.rr.com.
> (backwards, right?), then I log in.
>

No, you have to a connection before you login.  You want to *strongly*
consider using ssh instead of telnet.  You may also be referring to the format
of the DNS query result which is known as
http://en.wikipedia.org/wiki/Reverse_DNS_lookup


>
> After user/pass entry, it says connected from "user-yyy.cab"
> (replaced seemingly random name with "yyy" in case
> it's not transient)
>
> My external IP here is 24.110.nnn.nnn
>
> The issue:
>
> When I use either "host" or "dig" to give me the IP address
> from "user-yyy.cab", they tell me: 208.68.zzz.zzz
> (Ping gives the same.)
>
> So, I'm still at a loss, I think, to know the originating IP.
> Should a firewall rule blocking 208.68.zzz.zzz actually
> operate against 24.110.nnn.nnn?


I don't understand the question, what is the rule?


>  I'd STILL like to know the true source IP to be able to connect back to
> it.
>

man sockstat
man netstat





-- 
Adam Vande More


host & dig

2010-04-10 Thread Walter

A previous question to the List on how to get an IP
address from a host specific URL yielded the helpful
responses of "host" and "dig."  These (seemed to) work
fine.  Well, just now I got a chance to try it out on a tiny
server I have at someone else's house, and on another
network.

I used telnet to connect to 68.204.xxx.xxx
it tells me I've connected to xxx.xxx.204.68.cfl.res.rr.com.
(backwards, right?), then I log in.

After user/pass entry, it says connected from "user-yyy.cab"
(replaced seemingly random name with "yyy" in case
it's not transient)

My external IP here is 24.110.nnn.nnn

The issue:

When I use either "host" or "dig" to give me the IP address
from "user-yyy.cab", they tell me: 208.68.zzz.zzz
(Ping gives the same.)

So, I'm still at a loss, I think, to know the originating IP.
Should a firewall rule blocking 208.68.zzz.zzz actually
operate against 24.110.nnn.nnn?  I'd STILL like to know
the true source IP to be able to connect back to it.

TIA.  Again, please respond directly to me (as well as to the
List) because I'm not subscribed.

Walter


Re: How to use dig with an ip list

2008-08-19 Thread Jeffrey Goldberg

On Aug 18, 2008, at 10:25 PM, Fraser Tweedale wrote:


> On Mon, Aug 18, 2008 at 10:18:07PM -0500, Jeffrey Goldberg wrote:
>> You'll want to change line four to
>>
>>  echo "$LINE " `dig +short -x $LINE`
>>
>> for a cleaner output.
>
> The original works fine for me in ash.  Definitely nothing wrong with yours
> though.  What have I overlooked?


Sorry, I misread what you actually wrote for what I would have written  
(before correction).  What you have is perfectly correct.


Or, in the words of Emily Latela: Nevermind.

Cheers,

-j



Re: How to use dig with an ip list

2008-08-18 Thread Wayne Sierke
On Mon, 2008-08-18 at 22:52 -0500, Paul Schmehl wrote:
> --On August 18, 2008 10:13:54 PM -0500 Jeffrey Goldberg 
> <[EMAIL PROTECTED]> wrote:
> 
> > On Aug 18, 2008, at 9:03 PM, Paul Schmehl wrote:
> >
> >> I know I'm missing the obvious.  I want to use an IP list to
> >> generate an ip+hostname list.  IOW, I want to go from this:
> >>
> >> x.x.x.x
> >> y.y.y.y
> >>
> >> to this;
> >>
> >> x.x.x.x foo.domain.tld
> >> y.y..y.y bar.domain.tld
> >>
> >> What's the best/easiest way to do this?
> >
> > Easiest:
> >
> > $ for i in `cat ip-list`; do
> >  > echo -n "$i "
> >  > dig +short -x $i
> >  > done
> >
> 
> Don't know why I didn't think of that.
> 
> I ended up using this:
> for ip in `cat public_linux_ips`; do echo ${ip} `dig +short -x ${ip}`; 
> done > public_linux_ips_resolved
> 
> Which gave me the output I wanted.  Thanks for the pointer.
> 
Easiestest?

# host www.freebsd.org
www.freebsd.org has address 69.147.83.33
www.freebsd.org has IPv6 address 2001:4f8:fff6::21
www.freebsd.org mail is handled by 0 .
# host ftp.freebsd.org
ftp.freebsd.org has address 62.243.72.50
ftp.freebsd.org has address 204.152.184.73
ftp.freebsd.org has IPv6 address 2001:6c8:6:4::7
ftp.freebsd.org has IPv6 address 2001:4f8:0:2::e
# cat > freebsd.ips
69.147.83.33
62.243.72.50
204.152.184.73
# host 69.147.83.33
33.83.147.69.in-addr.arpa domain name pointer www.freebsd.org.
# awk '{ip=$1; "host "ip | getline; print ip,$NF }' freebsd.ips
69.147.83.33 www.freebsd.org.
62.243.72.50 ftp.beastie.tdk.net.
204.152.184.73 freebsd.isc.org.

s/host/dig/ to taste

The middle command - "host "ip | getline; - executes the 'cmd' part on
the left side of the pipe, getline parses the output, hence $NF now
gives the last field in the output from "host".


Wayne
(You don't know the power of the awk side!)
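
An added example, not from any poster in this thread: the same IP-to-hostname loop with each line checked before it reaches dig. The loops above hand the line to dig unquoted, so a line with spaces or a leading dash is parsed as extra dig arguments; this version accepts only strict dotted quads, joins multiple PTR answers and prints "-" when there is none (function names and the stubbed answers in `demo` are constructed).

```shell
#!/bin/sh
# Added example: turn a list of IPv4 addresses into "ip name[,name...]" lines.

# is_ipv4 ADDR: succeed only for a strict dotted quad (four octets, 0-255,
# no leading zeros, which some parsers read as octal).
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Only digits and dots remain, so unquoted splitting is safe here.
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            0?*|????*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ptr_names ADDR: PTR targets sorted and comma-joined, or "-" when there are
# none. dig +short reports errors as ";;" lines on stdout, so drop those.
ptr_names() {
    names=$(dig +short -x "$1" </dev/null 2>/dev/null |
        grep -v '^;' | sort | paste -sd, -)
    printf '%s\n' "${names:--}"
}

# resolve_list: read one address per line on stdin, write "ip names" lines.
# Blank lines and "#" comments are ignored; anything else that is not a
# single valid address is reported on stderr and never passed to dig.
resolve_list() {
    tr -d '\r' | while read -r ip rest || [ -n "$ip" ]; do
        case $ip in
            ''|'#'*) continue ;;
        esac
        if [ -z "$rest" ] && is_ipv4 "$ip"; then
            printf '%s %s\n' "$ip" "$(ptr_names "$ip")"
        else
            printf 'skipped: %s\n' "$ip${rest:+ $rest}" >&2
        fi
    done
}

# demo: run the filter offline over constructed input with a stub dig.
demo() (
    dig() {   # constructed answers; $3 is the address after "+short -x"
        case $3 in
            192.0.2.10) echo 'www.example.org.' ;;
            192.0.2.20) printf '%s\n' 'b.example.net.' 'a.example.net.' ;;
            192.0.2.30) echo ';; connection timed out; no servers could be reached' ;;
        esac
    }
    printf '%s\n' 192.0.2.10 192.0.2.20 192.0.2.30 \
        '192.0.2.40 +trace' 'y.y..y.y' 010.0.2.1 | resolve_list
)

case ${1:-} in
    --demo)  demo ;;
    --stdin) resolve_list ;;   # e.g. sh ptr-list.sh --stdin < ip-list > resolved
esac
```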




Re: How to use dig with an ip list

2008-08-18 Thread Paul Schmehl
--On August 18, 2008 10:13:54 PM -0500 Jeffrey Goldberg 
<[EMAIL PROTECTED]> wrote:



> On Aug 18, 2008, at 9:03 PM, Paul Schmehl wrote:
>
>> I know I'm missing the obvious.  I want to use an IP list to
>> generate an ip+hostname list.  IOW, I want to go from this:
>>
>> x.x.x.x
>> y.y.y.y
>>
>> to this;
>>
>> x.x.x.x foo.domain.tld
>> y.y..y.y bar.domain.tld
>>
>> What's the best/easiest way to do this?
>
> Easiest:
>
> $ for i in `cat ip-list`; do
>  > echo -n "$i "
>  > dig +short -x $i
>  > done



Don't know why I didn't think of that.

I ended up using this:
for ip in `cat public_linux_ips`; do echo ${ip} `dig +short -x ${ip}`; 
done > public_linux_ips_resolved


Which gave me the output I wanted.  Thanks for the pointer.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/


Re: How to use dig with an ip list

2008-08-18 Thread RW
On Mon, 18 Aug 2008 21:03:36 -0500
Paul Schmehl <[EMAIL PROTECTED]> wrote:

> I know I'm missing the obvious.  I want to use an IP list to generate
> an ip+hostname list.  IOW, I want to go from this:
> 
> x.x.x.x
> y.y.y.y
> 
> to this;
> 
> x.x.x.x foo.domain.tld
> y.y..y.y bar.domain.tld
> 
> What's the best/easiest way to do this?

You could pipe it through:

  while read ip;do echo "${ip} `dig +short -x ${ip}`";done




Re: How to use dig with an ip list

2008-08-18 Thread Jeffrey Goldberg

On Aug 18, 2008, at 9:03 PM, Paul Schmehl wrote:

> I know I'm missing the obvious.  I want to use an IP list to
> generate an ip+hostname list.  IOW, I want to go from this:
>
> x.x.x.x
> y.y.y.y
>
> to this;
>
> x.x.x.x foo.domain.tld
> y.y..y.y bar.domain.tld
>
> What's the best/easiest way to do this?


Easiest:

$ for i in `cat ip-list`; do
> echo -n "$i "
> dig +short -x $i
> done

Better might be to use something in p5-net-DNS so that you don't make  
N separate calls to dig.


Cheers,

-j



--
Jeffrey Goldberg                        http://www.goldmark.org/jeff/



Re: How to use dig with an ip list

2008-08-18 Thread Jeffrey Goldberg

On Aug 18, 2008, at 10:13 PM, Fraser Tweedale wrote:


> ==
> #!/bin/sh
> while read LINE
> do
> echo $LINE `dig +short -x $LINE`
> done
> ===


You'll want to change line four to

 echo "$LINE " `dig +short -x $LINE`

for a cleaner output.

-j


--
Jeffrey Goldberg                        http://www.goldmark.org/jeff/



Re: How to use dig with an ip list

2008-08-18 Thread Fraser Tweedale
On Mon, Aug 18, 2008 at 10:18:07PM -0500, Jeffrey Goldberg wrote:
> On Aug 18, 2008, at 10:13 PM, Fraser Tweedale wrote:
> 
> > ==
> > #!/bin/sh
> > while read LINE
> > do
> > echo $LINE `dig +short -x $LINE`
> > done
> > ===
> 
> You'll want to change line four to
> 
>   echo "$LINE " `dig +short -x $LINE`
> 
> for a cleaner output.
> 
> -j
> 
> 
> -- 
> Jeffrey Goldberghttp://www.goldmark.org/jeff/
> 

The original works fine for me in ash.  Definitely nothing wrong with yours
though.  What have I overlooked?

frase




Re: How to use dig with an ip list

2008-08-18 Thread Fraser Tweedale
On Mon, Aug 18, 2008 at 10:05:18PM -0500, Paul Schmehl wrote:
> --On August 19, 2008 12:44:05 PM +1000 Fraser Tweedale <[EMAIL PROTECTED]> 
> wrote:
> 
> > On Mon, Aug 18, 2008 at 09:03:36PM -0500, Paul Schmehl wrote:
> >> I know I'm missing the obvious.  I want to use an IP list to generate
> >> an  ip+hostname list.  IOW, I want to go from this:
> >>
> >> x.x.x.x
> >> y.y.y.y
> >>
> >> to this;
> >>
> >> x.x.x.x foo.domain.tld
> >> y.y..y.y bar.domain.tld
> >>
> >> What's the best/easiest way to do this?
> >>
> >> Paul Schmehl ([EMAIL PROTECTED])
> >> Senior Information Security Analyst
> >> The University of Texas at Dallas
> >> http://www.utdallas.edu/ir/security/
> >
> > dig(1) - see section `MULTIPLE QUERIES'
> > note the -x flag to instruct dig to perform a reverse lookup
> >
> > see also host(1)
> >
> 
> That's not a great deal of help.  I, of course, had read and re-read the 
> man pages before posting the question here, and I'm quite familiar with 
> the "normal" use of dig and host, because I use them daily in my work.
> 
> The two options that man (1) dig provides are; on the commandline and in a 
> file.  I can easily generate a list of hostnames having constructed an 
> iplist in a file and then preceding each line with "dig +short -x IP" 
> using vi.  But that gives me a list of hostnames only.  What I'm looking 
> for is the combination of the two. host (1), of course, doesn't even have 
> *those* options, so it's of no use for accomplishing what I'm attempting.
> 
> Again, I want to start with a list of IPs and end up with a list of IPs 
> *plus* their hostnames (on the same line).  I'm quite sure someone here 
> has the experience and/or knowledge to do this using shell commands.  I 
> suspect awk might be helpful but haven't yet investigated that angle.
> 
> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/

how about

==
#!/bin/sh
while read LINE
do
echo $LINE `dig +short -x $LINE`
done
===

whack that in a file, chmod +x it and cat in the IPs

HTH

frase




Re: How to use dig with an ip list

2008-08-18 Thread Fraser Tweedale
On Mon, Aug 18, 2008 at 09:03:36PM -0500, Paul Schmehl wrote:
> I know I'm missing the obvious.  I want to use an IP list to generate an 
> ip+hostname list.  IOW, I want to go from this:
> 
> x.x.x.x
> y.y.y.y
> 
> to this;
> 
> x.x.x.x foo.domain.tld
> y.y..y.y bar.domain.tld
> 
> What's the best/easiest way to do this?
> 
> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/

dig(1) - see section `MULTIPLE QUERIES'
note the -x flag to instruct dig to perform a reverse lookup

see also host(1)

frase




Re: How to use dig with an ip list

2008-08-18 Thread Paul Schmehl
--On August 19, 2008 12:44:05 PM +1000 Fraser Tweedale <[EMAIL PROTECTED]> 
wrote:



> On Mon, Aug 18, 2008 at 09:03:36PM -0500, Paul Schmehl wrote:
>> I know I'm missing the obvious.  I want to use an IP list to generate
>> an  ip+hostname list.  IOW, I want to go from this:
>>
>> x.x.x.x
>> y.y.y.y
>>
>> to this;
>>
>> x.x.x.x foo.domain.tld
>> y.y..y.y bar.domain.tld
>>
>> What's the best/easiest way to do this?
>>
>> Paul Schmehl ([EMAIL PROTECTED])
>> Senior Information Security Analyst
>> The University of Texas at Dallas
>> http://www.utdallas.edu/ir/security/
>
> dig(1) - see section `MULTIPLE QUERIES'
> note the -x flag to instruct dig to perform a reverse lookup
>
> see also host(1)



That's not a great deal of help.  I, of course, had read and re-read the 
man pages before posting the question here, and I'm quite familiar with 
the "normal" use of dig and host, because I use them daily in my work.


The two options that man (1) dig provides are; on the commandline and in a 
file.  I can easily generate a list of hostnames having constructed an 
iplist in a file and then preceding each line with "dig +short -x IP" 
using vi.  But that gives me a list of hostnames only.  What I'm looking 
for is the combination of the two. host (1), of course, doesn't even have 
*those* options, so it's of no use for accomplishing what I'm attempting.


Again, I want to start with a list of IPs and end up with a list of IPs 
*plus* their hostnames (on the same line).  I'm quite sure someone here 
has the experience and/or knowledge to do this using shell commands.  I 
suspect awk might be helpful but haven't yet investigated that angle.


Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/


How to use dig with an ip list

2008-08-18 Thread Paul Schmehl
I know I'm missing the obvious.  I want to use an IP list to generate an 
ip+hostname list.  IOW, I want to go from this:


x.x.x.x
y.y.y.y

to this;

x.x.x.x foo.domain.tld
y.y..y.y bar.domain.tld

What's the best/easiest way to do this?

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/


dig via socks5 not working on 5.4

2005-08-25 Thread Andrew N. Below
 Hello.

 I have to use socks5 server for outgoing connections
from office LAN. After updating to FreeBSD 5.4-RELEASE-p6
dig stops working via runsocks:

defbsd# runsocks dig
Bus error (core dumped)

in logs:

Aug 26 00:14:51 defbsd libsocks5[7549]: NEC NWSL Socks5 v1.0r11  library
Aug 26 00:14:51 defbsd kernel: pid 7549 (dig), uid 0: exited on signal 10
(core dumped)
Aug 26 00:14:51 defbsd kernel: Aug 26 00:14:51 defbsd kernel: pid 7549
(dig), uid 0: exited on signal 10 (core dumped)

 What should I do to improve this? What information can I get
from corefile?

--
Andrew N. Below, Zenon N.S.P., technical support department
Moscow: +7 095 2323736, SPb: +7 812 3264468, http://www.zenon.net



Re: Userland "dig/host" for lookups against /etc/hosts?

2005-03-27 Thread stheg olloydson
it was said:

>It works if I ping 'hostname', but how can I find out the IP of
>'hostname' from the command line?

Hello,

Would not grep 'hostname' /etc/hosts do this?

HTH,

stheg





Re: Userland "dig/host" for lookups against /etc/hosts?

2005-03-27 Thread Christopher Nehren
On 2005-03-28, Emanuel Strobl scribbled these
curious markings:
> Is there one? Unfortunately I can't write one myself, at least not
> in a reasonable amount of time

--cut--
#!/usr/bin/perl -w
use strict;

use Socket;
my $host = shift or die "usage: hostshost hostname\n";
my $addr = gethostbyname($host);
die "Cannot resolve host '$host'.\n" unless defined $addr;
my $ip = inet_ntoa($addr);
print "$host has address $ip\n";
--cut--

Needs some 5.x version of Perl. Works with 5.005_03 as shipped in
FreeBSD 4.x. Also works with more recent perls.

Best Regards,
Christopher Nehren
-- 
I abhor a system designed for the "user", if that word is a coded
pejorative meaning "stupid and unsophisticated". -- Ken Thompson
If you ask the wrong questions, you get answers like "42" and "God".
Unix is user friendly. However, it isn't idiot friendly.



Re: Userland "dig/host" for lookups against /etc/hosts?

2005-03-27 Thread Emanuel Strobl
On Monday, 28 March 2005 08:23, Alexander Chamandy wrote:
> On Mon, 28 Mar 2005 07:17:31 +0200, Emanuel Strobl
>
> <[EMAIL PROTECTED]> wrote:
> > Dear all,
> >
> > my testbed lacks of Ethernet Ports so one machine has no connection to my
> > DNS, no problem, there is something called /etc/hosts I thought.
> > It works if I ping 'hostname', but how can I find out the IP of
> > 'hostname' from the command line? dig and host want to contact the DNS
> > server, also nslookup does, so I think I need a utility which uses the
> > gethostbyname(3) function. Is there one? Unfortunately I can't write one
> > myself, at least not in a reasonable amount of time
>
> May I ask what you're trying to do with the machine?  If you just want
> local DNS resolution for experimentation you may try running BIND 9 or
> TinyDNS.

No DNS experiments, I'm very well equipped (authoritative DNS). It's just that 
my local subnet (productive) has not enough ethernet ports so one 
test-machine (in another subnet) cannot be connected to the local net and the 
two other subnets are for testing only, so none routes to my productive 
net
Everything is working fine, just curiosity..

-Harry

>
> > Thanks,
> >
> > -Harry




Re: Userland "dig/host" for lookups against /etc/hosts?

2005-03-27 Thread Alexander Chamandy
On Mon, 28 Mar 2005 07:17:31 +0200, Emanuel Strobl
<[EMAIL PROTECTED]> wrote:
> Dear all,
> 
> my testbed lacks of Ethernet Ports so one machine has no connection to my DNS,
> no problem, there is something called /etc/hosts I thought.
> It works if I ping 'hostname', but how can I find out the IP of 'hostname'
> from the command line? dig and host want to contact the DNS server, also
> nslookup does, so I think I need a utility which uses the gethostbyname(3)
> function. Is there one? Unfortunately I can't write one myself, at least not
> in a reasonable amount of time

May I ask what you're trying to do with the machine?  If you just want
local DNS resolution for experimentation you may try running BIND 9 or
TinyDNS.
 
> Thanks,
> 
> -Harry
> 
> 
> 


-- 
Best wishes,

Alexander G. Chamandy
Webmaster
www.bsdfreak.org
Your Source For BSD News!


Userland "dig/host" for lookups against /etc/hosts?

2005-03-27 Thread Emanuel Strobl
Dear all,

my testbed lacks of Ethernet Ports so one machine has no connection to my DNS, 
no problem, there is something called /etc/hosts I thought.
It works if I ping 'hostname', but how can I find out the IP of 'hostname' 
from the command line? dig and host want to contact the DNS server, also 
nslookup does, so I think I need a utility which uses the gethostbyname(3) 
function. Is there one? Unfortunately I can't write one myself, at least not 
in a reasonable amount of time

Thanks,

-Harry




Seg Fault in Dig on 5.3-RELEASE

2005-01-12 Thread Brian McCann
Hi all.  Wondering if anyone else is having similar problems.  On
5.3-RELEASE (smp if it matters), I'm getting occasional (1 out of
every 10 runs or so) seg faults from running dig.  In the core dump,
it makes mention of:

pointer != NULL
ERROR
/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/cryptlib.c
%s(%d): OpenSSL internal error, assertion failed: %s

Anyone else experiencing this?  Any help would be appreciated.

Thanks,
--Brian


Fwd: dig/named - res_nsend: Protocol not supported

2004-02-08 Thread Luke Cowell
Yes, it was an IPV6 address in my hosts file. Had I specified the 
loopback IP instead of 'localhost' it would have worked.

Luke

Begin forwarded message:

From: Saint Aardvark the Carpeted 
<[EMAIL PROTECTED]>
Date: February 7, 2004 12:09:52 PST
To: Luke Cowell <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: dig/named - res_nsend: Protocol not supported

Luke Cowell disturbed my sleep to write:
> *Why* do I need to have IPV6 enabled ? Is it some configuration option
> of named that I overlooked ?

Hm...it could be that named is only listening on IPv6 localhost (::1)
rather than IPv4 (127.0.0.1) by default, but that seems strange to me.
Try "grep localhost /etc/hosts" and see if you've got entries for both.
Are you running the default version of BIND, or a version from ports?

Hugh

--
Saint Aardvark the Carpeted
[EMAIL PROTECTED]
Because the plural of Anecdote is Myth.


Re: dig/named - res_nsend: Protocol not supported

2004-02-07 Thread Saint Aardvark the Carpeted
Luke Cowell disturbed my sleep to write:
> *Why* do I need to have IPV6 enable ? Is it some configuration option 
> of named that I overlooked ?

Hm...it could be that named is only listening on IPv6 localhost (::1)
rather than IPv4 (127.0.0.1) by default, but that seems strange to me.
Try "grep localhost /etc/hosts" and see if you've got entries for both.
Are you running the default version of BIND, or a version from ports?

Hugh


-- 
Saint Aardvark the Carpeted
[EMAIL PROTECTED]
Because the plural of Anecdote is Myth.


dig/named - res_nsend: Protocol not supported

2004-02-07 Thread Luke Cowell
Hi I'm running FreeBSD 4.9 and I'm having a little difficulty with 
named/dig.

%uname -a
FreeBSD polo.asap.bc.ca 4.9-RELEASE-p1 FreeBSD 4.9-RELEASE-p1 #1: Thu 
Feb  5 16:23:04 PST 2004 
[EMAIL PROTECTED]:/usr/src/sys/compile/POLO  i386

Here's what's happening.

%dig @localhost

; <<>> DiG 8.3 <<>> @localhost
; (2 servers found)
;; res options: init recurs defnam dnsrch
;; res_nsend: Protocol not supported

So, I did some reading; this is an error that is coming up for those 
trying to enable IPV6 on their system. I'm not trying to do that, so I 
got the idea to re-enable IPV6 in the kernel. Well, what do you know, I 
now get normal output when issuing a dig command.

My question is what do I need to have IPV6 enable ? Is it some 
configuration option of named that I overlooked ?

Luke



Re: dig/named - res_nsend: Protocol not supported

2004-02-07 Thread Luke Cowell
Ignore my previously stated question. What I meant to say was:

*Why* do I need to have IPV6 enable ? Is it some configuration option 
of named that I overlooked ?

On Feb 6, 2004, at 9:23, Luke Cowell wrote:

> Hi I'm running FreeBSD 4.9 and I'm having a little difficulty with 
> named/dig.
>
> %uname -a
> FreeBSD polo.asap.bc.ca 4.9-RELEASE-p1 FreeBSD 4.9-RELEASE-p1 #1: Thu 
> Feb  5 16:23:04 PST 2004 
> [EMAIL PROTECTED]:/usr/src/sys/compile/POLO  i386
>
> Here's what's happening.
>
> %dig @localhost
>
> ; <<>> DiG 8.3 <<>> @localhost
> ; (2 servers found)
> ;; res options: init recurs defnam dnsrch
> ;; res_nsend: Protocol not supported
>
> So, I did some reading; this is an error that is coming up for those 
> trying to enable IPV6 on their system. I'm not trying to do that, so 
> I got the idea to re-enable IPV6 in the kernel. Well, what do you 
> know, I now get normal output when issuing a dig command.
>
> My question is what do I need to have IPV6 enable ? Is it some 
> configuration option of named that I overlooked ?
>
> Luke



dig/named - res_nsend: Protocol not supported

2004-02-06 Thread Luke Cowell
Hi I'm running FreeBSD 4.9 and I'm having a little difficulty with 
named/dig.

%uname -a
FreeBSD polo.asap.bc.ca 4.9-RELEASE-p1 FreeBSD 4.9-RELEASE-p1 #1: Thu 
Feb  5 16:23:04 PST 2004 
[EMAIL PROTECTED]:/usr/src/sys/compile/POLO  i386

Here's what's happening.

%dig @localhost

; <<>> DiG 8.3 <<>> @localhost
; (2 servers found)
;; res options: init recurs defnam dnsrch
;; res_nsend: Protocol not supported

So, I did some reading; this is an error that is coming up for those 
trying to enable IPV6 on their system. I'm not trying to do that, so I 
got the idea to re-enable IPV6 in the kernel. Well, what do you know, I 
now get normal output when issuing a dig command.

My question is what do I need to have IPV6 enable ? Is it some 
configuration option of named that I overlooked ?

Luke



RE: dig command for reverse dsn check

2003-01-07 Thread John Brooks
another method  ;-)
use the 'host' command with either the domainname or the ip

dle:demo:/etc {101} # host yahoo.com
yahoo.com has address 66.218.71.198
yahoo.com has address 64.58.79.230
yahoo.com mail is handled (pri=1) by mx2.mail.yahoo.com
yahoo.com mail is handled (pri=5) by mx4.mail.yahoo.com
yahoo.com mail is handled (pri=1) by mx1.mail.yahoo.com

dle:demo:/etc {102} # host 64.58.79.230
230.79.58.64.IN-ADDR.ARPA domain name pointer w1.rc.vip.dcx.yahoo.com

--
John Brooks
[EMAIL PROTECTED] 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of JoeB
> Sent: Tuesday, January 07, 2003 8:43 PM
> To: Fuzzy
> Cc: FBSDQ
> Subject: RE: dig command for reverse dsn check
> 
> 
>>>>>>>>>> snip <<<<<<<<<<<<<

> Thanks for the quick reply, but I need some clarification
> MY email address =   [EMAIL PROTECTED]
> My email server mail.clvhoh.adelphia.net
> dig -x 66.26.76.83 ptr
> what IP address  to use in dig command?
> The ip address of the domain name or the email server?
> 


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message



Re: dig command for reverse dsn check

2003-01-07 Thread Brian Jackson

On Tuesday, January 7, 2003, at 09:42  PM, JoeB wrote:

> On Tue, 7 Jan 2003, JoeB wrote:
>
> > How do I check my ISP domain name to see if it's DNS server is
> > configured correctly for email reverse DNS lookup?
>
> I'd use:
>
> dig -x ip.ad.dr.ess PTR [@name.server]
>
> the ANSWER SECTION shows what DNS thinks is the
> reverse name for that IP.
>
> dig -x 66.26.76.83 ptr
>
> Thanks for the quick reply, but I need some clarification
> MY email address =   [EMAIL PROTECTED]
> My email server mail.clvhoh.adelphia.net
> dig -x 66.26.76.83 ptr
> what IP address  to use in dig command?
> The ip address of the domain name or the email server?


use dig to find the IP address of your host (dig foo.bar)

use the IP address that comes back in the ANSWER section for the dig -x 
(IP address from above) PTR

again, look under the ANSWER section, and it will show you the reverse 
record.

Brian
--
Brian Jackson
[EMAIL PROTECTED]


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
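
The procedure in this thread (resolve the mail host with dig, run dig -x on the returned address, read the PTR in the ANSWER section) can be scripted. The script below is an added example, not code from any poster; it goes one step beyond the thread by also confirming that the PTR name resolves back to the same address. The function names are hypothetical and it assumes a dig that accepts +short.

```shell
#!/bin/sh
# Added example (not from the thread): forward-confirmed reverse DNS check
# for a mail host. All function names here are hypothetical.

# Build the in-addr.arpa name that `dig -x` queries for an IPv4 address,
# e.g. 66.26.76.83 -> 83.76.26.66.in-addr.arpa.
ptr_name() {
    echo "$1" | awk -F. 'NF == 4 { print $4 "." $3 "." $2 "." $1 ".in-addr.arpa." }'
}

# Keep only IPv4 literals: dig +short also prints CNAME targets on the way.
only_ipv4() {
    awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/'
}

# Resolver hooks. Assumption: a dig that accepts +short.
# Lines starting with ";" are dig diagnostics, not answers.
lookup_a() {
    dig +short A "$1" | awk '!/^;/'
}
lookup_ptr() {
    dig +short PTR "$(ptr_name "$1")" | awk '!/^;/'
}

# Print one verdict line per address (or per PTR name) and return 0 only
# if every address of the host has a PTR that resolves back to it.
fcrdns_check() {
    host=$1
    bad=0
    ips=$(lookup_a "$host" | only_ipv4)
    if [ -z "$ips" ]; then
        echo "NO_A $host"
        return 1
    fi
    for ip in $ips; do
        ptrs=$(lookup_ptr "$ip")
        if [ -z "$ptrs" ]; then
            echo "NO_PTR $ip"
            bad=1
            continue
        fi
        for name in $ptrs; do
            # Forward-confirm: the PTR target must resolve back to this address.
            if lookup_a "$name" | only_ipv4 | grep -qxF "$ip"; then
                echo "OK $ip $name"
            else
                echo "MISMATCH $ip $name"
                bad=1
            fi
        done
    done
    return "$bad"
}
```

Source the file and call `fcrdns_check` with the mail server's host name; a MISMATCH or NO_PTR line points at the address whose reverse record the ISP would have to correct.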


RE: dig command for reverse dsn check

2003-01-07 Thread JoeB
On Tue, 7 Jan 2003, JoeB wrote:

> How do I check my ISP domain name to see if it's DNS server is
> configured correctly for email reverse DNS lookup? I have used dig
> isp-domain-name but I can not tell from what it displays what to look
> for to verify it's configured correctly. The dig display is lacking
> descriptive verbiage to identify what the information displayed means.
> Can someone help me please.

I'd use:

dig -x ip.ad.dr.ess PTR [@name.server]

the ANSWER SECTION shows what DNS thinks is the
reverse name for that IP.

dig -x 66.26.76.83 ptr

; <<>> DiG 8.3 <<>> -x ptr
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;  83.76.26.66.in-addr.arpa, type = PTR, class = IN

;; ANSWER SECTION:
83.76.26.66.in-addr.arpa.  59m25s IN PTR  rdu26-76-083.nc.rr.com.

;; AUTHORITY SECTION:
76.26.66.in-addr.arpa.  59m25s IN NS  ns1.nc.rr.com.
76.26.66.in-addr.arpa.  59m25s IN NS  ns2.nc.rr.com.

;; ADDITIONAL SECTION:
ns1.nc.rr.com.  33m25s IN A 24.93.67.126
ns2.nc.rr.com.  33m25s IN A 24.93.67.127

;; Total query time: 0 msec
;; FROM: pooh.ASARian.org to SERVER: default -- 127.0.0.1
;; WHEN: Tue Jan  7 21:34:00 2003
;; MSG SIZE  sent: 42  rcvd: 146


Thanks for the quick reply, but I need some clarification
MY email address =   [EMAIL PROTECTED]
My email server mail.clvhoh.adelphia.net
dig -x 66.26.76.83 ptr
what IP address  to use in dig command?
The ip address of the domain name or the email server?





dig command for reverse dsn check

2003-01-07 Thread JoeB
How do I check my ISP domain name to see if it's DNS server is configured
correctly for email reverse DNS lookup? I have used   dig isp-domain-name
but I can not tell from what it displays what to look for to verify it's
configured correctly. The dig display is lacking descriptive verbiage to
identify what the information displayed means. Can someone help me please.





Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security

2002-10-27 Thread Stacey Roberts
Hello,
 Thought you'd like to know that the amendments you suggested works
for me now. 

Thank you very much for the time and effort! See:
$ dig . ns @c.root-servers.net

; <<>> DiG 8.3 <<>> . ns @c.root-servers.net 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;;  ., type = NS, class = IN

;; ANSWER SECTION:
.                       6D IN NS        L.ROOT-SERVERS.NET.
.                       6D IN NS        M.ROOT-SERVERS.NET.
.                       6D IN NS        I.ROOT-SERVERS.NET.
.                       6D IN NS        E.ROOT-SERVERS.NET.
.                       6D IN NS        D.ROOT-SERVERS.NET.
.                       6D IN NS        A.ROOT-SERVERS.NET.
.                       6D IN NS        H.ROOT-SERVERS.NET.
.                       6D IN NS        C.ROOT-SERVERS.NET.
.                       6D IN NS        G.ROOT-SERVERS.NET.
.                       6D IN NS        F.ROOT-SERVERS.NET.
.                       6D IN NS        B.ROOT-SERVERS.NET.
.                       6D IN NS        J.ROOT-SERVERS.NET.
.                       6D IN NS        K.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129

;; Total query time: 229 msec
;; FROM: Demon.vickiandstacey.com to SERVER: c.root-servers.net 
192.33.4.12
;; WHEN: Sun Oct 27 20:41:04 2002
;; MSG SIZE  sent: 17  rcvd: 436
$

On Sun, 2002-10-27 at 18:09, D. Penev wrote:
> On Sun, Oct 27, 2002 at 06:29:16PM +0000, Stacey Roberts wrote:
> >Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY?
> > [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in
> > /var/log/security
> >From: Stacey Roberts <[EMAIL PROTECTED]>
> >To: Ruben de Groot <[EMAIL PROTECTED]>
> >Cc: [EMAIL PROTECTED],
> > FreeBSD Questions <[EMAIL PROTECTED]>
> >Date: 27 Oct 2002 18:29:16 +
> >
> >Okay,
> >I've been hacking about with my ipfw rules in order to nail this
> >down, but I'm still coming up against a wall here.., 
> >
> >I've made this change:
> ># Allow out access to Internet Domain name server
> >$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup
> >keep-state 
> >#$fwcmd add 00618 allow udp from any to any 53 out via $oif setup
> >keep-state < 
> >$fwcmd add 00618 allow udp from any to any 53 out via $oif
> 
> You forget keep-state. Your rule should be:
> $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state 
> 
> 
> >      ^
> >  |
> >   PUT THIS IN INSTEAD
> >
> >Now I try to query a root-server, I still get stopped by the firewall:
> ># date
> >Sun Oct 27 18:19:35 GMT 2002
> ># dig . ns @b.root-servers.net
> >
> >; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
> >; (1 server found)
> >;; res options: init recurs defnam dnsrch
> >;; res_nsend to server b.root-servers.net  128.9.0.107: Operation timed
> >out
> >
> >Checking logs:
> ># tail /var/log/security
> >
> >Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53
> >192.168.1.8:1642 in via sis0
> ># 
> >
> >The previous posted (see below) informed me that using setup /
> >keep-state with udp is wrong. Given the changes I've made above, what
> >are the magic statements to allow me to query the root servers and allow
> >their responses back in?
> >
> >TIA
> >Stacey
> >
> >On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> >
> >> > 
> >> > Verifying relevant ipfw rules:
> >> > # Allow out access to Internet Domain name server
> >> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> >> > keep-state 
> >> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> >> > keep-state
> >> 
> >> This la

res_nmkquery: buffer too small WAS [Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security]

2002-10-27 Thread Stacey Roberts
Hi,
  I've made the changes to rule 00618 as you've suggested, but now I get
a different error:
# dig .ns @a.root-servers.net

; <<>> DiG 8.3 <<>> .ns @a.root-servers.net 
; (1 server found)
;; res_nmkquery: buffer too small

# dig .ns @b.root-servers.net

; <<>> DiG 8.3 <<>> .ns @b.root-servers.net 
; (1 server found)
;; res_nmkquery: buffer too small
# 

I'll not even pretend to know what that means.., 

Thanks for the pointer to what I missed out in the rule.

Stacey

On Sun, 2002-10-27 at 18:09, D. Penev wrote:
> 
> You forget keep-state. Your rule should be:
> $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state 
> 
> 
> >  ^
> >  |
> >   PUT THIS IN INSTEAD
> >
> >Now I try to query a root-server, I still get stopped by the firewall:
> ># date
> >Sun Oct 27 18:19:35 GMT 2002
> ># dig . ns @b.root-servers.net
> >
> >; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
> >; (1 server found)
> >;; res options: init recurs defnam dnsrch
> >;; res_nsend to server b.root-servers.net  128.9.0.107: Operation timed
> >out

> >
> >On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> >
> >> > 
> >> > Verifying relevant ipfw rules:
> >> > # Allow out access to Internet Domain name server
> >> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> >> > keep-state 
> >> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> >> > keep-state
> >> 
> >> This last rule is bogus. From ipfw(8):
> >> 
> >>  setup   Matches TCP packets that have the SYN bit set but no ACK bit.
> >>  This is the short form of ``tcpflags syn,!ack''.
> >> 
> >> "setup" is not supposed to work for UDP packets. there is no handshake as 
> >> in tcp connections.
> >> 
> >> 
> >> > 
> >> > Checking ipfw rule 910:
> >> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> >> > 
> >> > Why am I not able to query root servers, given my rules 00618 & 00619? 
> >> > 
> >> > I'd appreciate someone helping me out here., (or hitting me over the
> >> > head if I'm missing something simple and glaringly obvious)
> >> > 
> >> > TIA 
> >> > 
> >> > Stacey
> >> > 
> >> > 
> >> > 
> >> > -- 
> >> > Stacey Roberts
> >> > B.Sc (HONS) Computer Science
> >> > 
> >> > Web: www.vickiandstacey.com
> >> > 
> >> 
> >> To Unsubscribe: send mail to [EMAIL PROTECTED]
> >> with "unsubscribe freebsd-questions" in the body of the message
> >-- 
> >Stacey Roberts
> >B.Sc (HONS) Computer Science
> >
> >Web: www.vickiandstacey.com
> >
> 
> 
> 
> -- 
> Regards,
> D. Penev
> 
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com






Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security

2002-10-27 Thread D. Penev
On Sun, Oct 27, 2002 at 06:29:16PM +0000, Stacey Roberts wrote:

> Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY?
>     [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in
>     /var/log/security
> From: Stacey Roberts <[EMAIL PROTECTED]>
> To: Ruben de Groot <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED],
>     FreeBSD Questions <[EMAIL PROTECTED]>
> Date: 27 Oct 2002 18:29:16 +
>
> Okay,
>    I've been hacking about with my ipfw rules in order to nail this
> down, but I'm still coming up against a wall here..,
>
> I've made this change:
> # Allow out access to Internet Domain name server
> $fwcmd add 00617 allow tcp from any to any 53 out via $oif setup
> keep-state
> #$fwcmd add 00618 allow udp from any to any 53 out via $oif setup
> keep-state <
> $fwcmd add 00618 allow udp from any to any 53 out via $oif

You forget keep-state. Your rule should be:
$fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state

>  ^
>  |
>   PUT THIS IN INSTEAD
>
> Now I try to query a root-server, I still get stopped by the firewall:
> # date
> Sun Oct 27 18:19:35 GMT 2002
> # dig . ns @b.root-servers.net
>
> ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; res_nsend to server b.root-servers.net  128.9.0.107: Operation timed
> out
>
> Checking logs:
> # tail /var/log/security
>
> Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53
> 192.168.1.8:1642 in via sis0
> #
>
> The previous posted (see below) informed me that using setup /
> keep-state with udp is wrong. Given the changes I've made above, what
> are the magic statements to allow me to query the root servers and allow
> their responses back in?
>
> TIA
> Stacey
>
> On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
>
> > >
> > > Verifying relevant ipfw rules:
> > > # Allow out access to Internet Domain name server
> > > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> > > keep-state
> > > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> > > keep-state
> >
> > This last rule is bogus. From ipfw(8):
> >
> >  setup   Matches TCP packets that have the SYN bit set but no ACK bit.
> >  This is the short form of ``tcpflags syn,!ack''.
> >
> > "setup" is not supposed to work for UDP packets. there is no handshake as
> > in tcp connections.
> >
> > >
> > > Checking ipfw rule 910:
> > > $fwcmd add 00910 deny log logamount 500 ip from any to any
> > >
> > > Why am I not able to query root servers, given my rules 00618 & 00619?
> > >
> > > I'd appreciate someone helping me out here., (or hitting me over the
> > > head if I'm missing something simple and glaringly obvious)
> > >
> > > TIA
> > >
> > > Stacey
> > >
> > >
> > >
> > > --
> > > Stacey Roberts
> > > B.Sc (HONS) Computer Science
> > >
> > > Web: www.vickiandstacey.com
> > >
> >
> > To Unsubscribe: send mail to [EMAIL PROTECTED]
> > with "unsubscribe freebsd-questions" in the body of the message
> --
> Stacey Roberts
> B.Sc (HONS) Computer Science
>
> Web: www.vickiandstacey.com





--
Regards,
D. Penev




Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security

2002-10-27 Thread Stacey Roberts
Okay,
I've been hacking about with my ipfw rules in order to nail this
down, but I'm still coming up against a wall here.., 

I've made this change:
# Allow out access to Internet Domain name server
$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup
keep-state 
#$fwcmd add 00618 allow udp from any to any 53 out via $oif setup
keep-state < 
$fwcmd add 00618 allow udp from any to any 53 out via $oif
  ^
  |
   PUT THIS IN INSTEAD

Now I try to query a root-server, I still get stopped by the firewall:
# date
Sun Oct 27 18:19:35 GMT 2002
# dig . ns @b.root-servers.net

; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server b.root-servers.net  128.9.0.107: Operation timed
out

Checking logs:
# tail /var/log/security

Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53
192.168.1.8:1642 in via sis0
# 

The previous posted (see below) informed me that using setup /
keep-state with udp is wrong. Given the changes I've made above, what
are the magic statements to allow me to query the root servers and allow
their responses back in?

TIA
Stacey

On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:

> > 
> > Verifying relevant ipfw rules:
> > # Allow out access to Internet Domain name server
> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> > keep-state 
> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> > keep-state
> 
> This last rule is bogus. From ipfw(8):
> 
>  setup   Matches TCP packets that have the SYN bit set but no ACK bit.
>  This is the short form of ``tcpflags syn,!ack''.
> 
> "setup" is not supposed to work for UDP packets. there is no handshake as 
> in tcp connections.
> 
> 
> > 
> > Checking ipfw rule 910:
> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> > 
> > Why am I not able to query root servers, given my rules 00618 & 00619? 
> > 
> > I'd appreciate someone helping me out here., (or hitting me over the
> > head if I'm missing something simple and glaringly obvious)
> > 
> > TIA 
> > 
> > Stacey
> > 
> > 
> > 
> > -- 
> > Stacey Roberts
> > B.Sc (HONS) Computer Science
> > 
> > Web: www.vickiandstacey.com
> > 
> 
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com






Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security

2002-10-27 Thread Ceri Davies
On Sun, Oct 27, 2002 at 05:18:10PM +, Stacey Roberts wrote:
> Just checked against http://www.pgp.net/wwwkeys.html to verify:
> 
> pub  2048R/DC92FBD7 2002-08-03 Stacey Roberts <[EMAIL PROTECTED]>
>  Key fingerprint = 04 2E 82 F6 3E 78 25 14  42 84 90 E7 B7 B1 F7 26
> 
> Verbose:
> Public Key Server -- Verbose Index ``0xDC92FBD7 ''
> 
> Type  bits/keyID    Date       User ID
> pub  2048R/DC92FBD7 2002-08-03 Stacey Roberts <[EMAIL PROTECTED]>
>  Key fingerprint = 04 2E 82 F6 3E 78 25 14  42 84 90 E7 B7 B1 F7 26
> 
> New!  attempt to lookup keyholder on biglumber.com.
> sig  0x10  DC92FBD7 2002-08-03  [selfsig]
> 
> Unless I'm missing something., so do enlighten me, please.

It doesn't verify here either.
I think it's because you haven't added the email address you post from
as an alias.

Ceri
-- 
you can't see when light's so strong
you can't see when light is gone




Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security

2002-10-27 Thread Stacey Roberts
Just checked against http://www.pgp.net/wwwkeys.html to verify:

pub  2048R/DC92FBD7 2002-08-03 Stacey Roberts <[EMAIL PROTECTED]>
 Key fingerprint = 04 2E 82 F6 3E 78 25 14  42 84 90 E7 B7 B1 F7 26

Verbose:
Public Key Server -- Verbose Index ``0xDC92FBD7 ''

Type  bits/keyID    Date       User ID
pub  2048R/DC92FBD7 2002-08-03 Stacey Roberts <[EMAIL PROTECTED]>
 Key fingerprint = 04 2E 82 F6 3E 78 25 14  42 84 90 E7 B7 B1 F7 26

New!  attempt to lookup keyholder on biglumber.com.
sig  0x10  DC92FBD7 2002-08-03  [selfsig]


Unless I'm missing something., so do enlighten me, please.

Stacey


On Sun, 2002-10-27 at 17:06, Daniel Harris wrote:
> On Sun, Oct 27, 2002 at 04:48:34PM +, Stacey Roberts wrote:
> -snip-
> 
> Just letting you know that the pgp sig on this message
> did not verify with my gnupg 1.2.1.
> 
> -- 
> Daniel Harris
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com






Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security

2002-10-27 Thread Stacey Roberts
Hi Ruben,
   Thanks much for the reply - comments inline...,
> > Verifying relevant ipfw rules:
> > # Allow out access to Internet Domain name server
> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> > keep-state 
> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> > keep-state
> 
> This last rule is bogus. From ipfw(8):
> 
>  setup   Matches TCP packets that have the SYN bit set but no ACK bit.
>  This is the short form of ``tcpflags syn,!ack''.
> 
> "setup" is not supposed to work for UDP packets. there is no handshake as 
> in tcp connections.

Okay, I see what you mean about rule 00619 (probably explains why this
rule never appears in ipfw l), and as such, I have three questions based
on rule 00619 being bogus:
1] Is this the reason why I am unable to query root-servers?
2] Do I remove it completely - would ipfw still be secure without it
completely?
3] If not, should I just amend as:

$fwcmd add 00619 allow udp from any to any 53 out via $oif setup
keep-state


Based on ipfw (8):
###
A similar approach can be used for UDP, where an UDP packet coming from
the inside will install a dynamic rule to let the response through the
firewall:
   ipfw add check-state
   ipfw add allow udp from my-subnet to any
   ipfw add deny udp from any to any

$fwcmd add 00619 allow udp from any to any 53 out via $oif setup
keep-state
 CHANGE TO:
$fwcmd add allow udp from any to any 53 out via $oif
$fwcmd add deny udp from any to any 53 in via $oif

I'm basing the above amendments based on:
I have a check-state at rule 00500
From the make up of my rule-set, I do not have a rule and explicitly
denies udp to port 53 per-se.

More clearly, I have these deny rules in place at the moment:
$ grep -i deny fwrules 
$fwcmd add 00020 deny log ip from me to any in
$fwcmd add 00030 deny log tcp from any to any in tcpflags syn,fin
$fwcmd add 00100 deny udp from any to any 520 in via $oif
$fwcmd add 00502 deny all from any to any frag
$fwcmd add 00501 deny tcp from any to any established
$fwcmd add 00850 deny log ip from me to me in via $oif
$fwcmd add 00860 deny log icmp from any to me icmptype 0,8 in via $oif
$fwcmd add 00900 deny log all from any to any in via $oif
$fwcmd add 00910 deny log logamount 500 ip from any to any
$ 

None of which explicitly applies to DNS. I make this point as there
*are* udp packets I want to allow in via $oif - 137 - 139

Thanks again for the reply Ruben. If I'm not clear enough in my
explanations, I'm quite happy to post my complete rule-set to you
(off-list) if you need it to get a better picture.

Cheers!

Stacey

On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> On Sun, Oct 27, 2002 at 03:24:07PM +, Stacey Roberts typed:
> > Hello,
> >  I don't know if this is related to post earlier today [FBSD 4.7
> > reset itself - lots of "DENY UDP" messages in /var/log/security], but
> > I've been trying to trouble shoot the "DENY" messages in
> > /var/log/security using dig:
> > 
> > # dig . ns @b.root-servers.net
> > 
> > ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
> > ; (1 server found)
> > ;; res options: init recurs defnam dnsrch
> > ;; res_nsend to server b.root-servers.net  128.9.0.107: Connection
> > refused
> > # 
> > I get connection refused for this. Checking security:
> > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP :1381
> > 128.9.0.107:53 out via sis0
> > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1:1382
> > 128.9.0.107:53 out via sis0
> > # 

> > Checking ipfw rule 910:
> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> > 
> > Why am I not able to query root servers, given my rules 00618 & 00619? 
> > 
> > I'd appreciate someone helping me out here., (or hitting me over the
> > head if I'm missing something simple and glaringly obvious)
> > 
> > TIA 
> > 
> > Stacey
> > 
> > 
> > 
> > -- 
> > Stacey Roberts
> > B.Sc (HONS) Computer Science
> > 
> > Web: www.vickiandstacey.com
> > 
> 
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com






Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security

2002-10-27 Thread Ruben de Groot
On Sun, Oct 27, 2002 at 03:24:07PM +, Stacey Roberts typed:
> Hello,
>  I don't know if this is related to post earlier today [FBSD 4.7
> reset itself - lots of "DENY UDP" messages in /var/log/security], but
> I've been trying to trouble shoot the "DENY" messages in
> /var/log/security using dig:
> 
> # dig . ns @b.root-servers.net
> 
> ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; res_nsend to server b.root-servers.net  128.9.0.107: Connection
> refused
> # 
> I get connection refused for this. Checking security:
> Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP :1381
> 128.9.0.107:53 out via sis0
> Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1:1382
> 128.9.0.107:53 out via sis0
> # 
> 
> Verifying relevant ipfw rules:
> # Allow out access to Internet Domain name server
> $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> keep-state 
> $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> keep-state

This last rule is bogus. From ipfw(8):

 setup   Matches TCP packets that have the SYN bit set but no ACK bit.
 This is the short form of ``tcpflags syn,!ack''.

"setup" is not supposed to work for UDP packets. there is no handshake as 
in tcp connections.


> 
> Checking ipfw rule 910:
> $fwcmd add 00910 deny log logamount 500 ip from any to any
> 
> Why am I not able to query root servers, given my rules 00618 & 00619? 
> 
> I'd appreciate someone helping me out here., (or hitting me over the
> head if I'm missing something simple and glaringly obvious)
> 
> TIA 
> 
> Stacey
> 
> 
> 
> -- 
> Stacey Roberts
> B.Sc (HONS) Computer Science
> 
> Web: www.vickiandstacey.com
> 

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
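
The two failure states in this thread leave different traces in /var/log/security: first the outgoing query to port 53 is denied (the udp rule written with setup), then, once the query gets out, the reply from port 53 is denied (the udp rule without keep-state, as the later reply in the thread points out). The script below is an added example, not code from any poster, that separates the two cases in ipfw "Deny UDP" log lines; the function names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify ipfw "Deny UDP" log lines
# that involve DNS, using the log format quoted in the thread.

# Constructed sample. Addresses are documentation ranges; the last line has
# an empty source address, like the lines quoted in the thread.
sample_log() {
    cat <<'EOF'
Oct 27 15:16:26 fw /kernel: ipfw: 910 Deny UDP 192.0.2.8:1381 198.51.100.53:53 out via sis0
Oct 27 15:16:26 fw /kernel: ipfw: 910 Deny UDP 192.0.2.8:1382 198.51.100.53:53 out via sis0
Oct 27 18:19:40 fw /kernel: ipfw: 900 Deny UDP 198.51.100.53:53 192.0.2.8:1642 in via sis0
Oct 27 18:20:02 fw /kernel: ipfw: 900 Deny UDP 203.0.113.9:137 192.0.2.8:137 in via sis0
Oct 27 18:20:05 fw /kernel: ipfw: 30 Deny TCP 203.0.113.9:4000 192.0.2.8:22 in via sis0
Oct 27 18:21:11 fw /kernel: ipfw: 910 Deny UDP :1383 198.51.100.53:53 out via sis0
EOF
}

# Read log lines on stdin; print "<rule> <verdict> <count>" sorted by rule.
#   QUERY_BLOCKED  an outbound packet to port 53 was denied
#   REPLY_BLOCKED  an inbound packet from port 53 was denied
triage_dns_denies() {
    awk '
    {
        # Locate the "ipfw:" token so the syslog prefix length does not matter.
        k = 0
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") { k = i; break }
        if (k == 0 || $(k + 2) != "Deny" || $(k + 3) != "UDP") next
        rule = $(k + 1); src = $(k + 4); dst = $(k + 5); dir = $(k + 6)
        sport = src; sub(/.*:/, "", sport)   # text after the last colon
        dport = dst; sub(/.*:/, "", dport)
        if (dir == "out" && dport == "53")      verdict = "QUERY_BLOCKED"
        else if (dir == "in" && sport == "53")  verdict = "REPLY_BLOCKED"
        else next                               # other UDP traffic, e.g. 137
        seen[rule " " verdict]++
    }
    END { for (key in seen) print key, seen[key] }
    ' | LC_ALL=C sort
}

# Map a verdict to the fix discussed in the thread.
explain() {
    case "$1" in
        QUERY_BLOCKED)
            echo "no allow rule matched the outgoing query; check the udp rule for a stray setup (TCP SYN only)" ;;
        REPLY_BLOCKED)
            echo "the query left but the reply met a deny; add keep-state to the outbound udp rule and keep check-state ahead of the denies" ;;
        *)
            echo "unknown verdict"
            return 1 ;;
    esac
}

# One human-readable line per (rule, verdict) pair.
report() {
    triage_dns_denies | while read -r rule verdict count; do
        printf 'rule %s: %s x%s -> %s\n' "$rule" "$verdict" "$count" "$(explain "$verdict")"
    done
}

sample_log | report
```

On a live system, feed it the real log instead of the sample: `triage_dns_denies < /var/log/security`.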



dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security

2002-10-27 Thread Stacey Roberts
Hello,
 I don't know if this is related to post earlier today [FBSD 4.7
reset itself - lots of "DENY UDP" messages in /var/log/security], but
I've been trying to trouble shoot the "DENY" messages in
/var/log/security using dig:

# dig . ns @b.root-servers.net

; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server b.root-servers.net  128.9.0.107: Connection
refused
# 
I get connection refused for this. Checking security:
Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP :1381
128.9.0.107:53 out via sis0
Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1:1382
128.9.0.107:53 out via sis0
# 

Verifying relevant ipfw rules:
# Allow out access to Internet Domain name server
$fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
keep-state 
$fwcmd add 00619 allow udp from any to any 53 out via $oif setup
keep-state

Checking ipfw rule 910:
$fwcmd add 00910 deny log logamount 500 ip from any to any

Why am I not able to query root servers, given my rules 00618 & 00619? 

I'd appreciate someone helping me out here., (or hitting me over the
head if I'm missing something simple and glaringly obvious)

TIA 

Stacey



-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com



