Re: Nslookup not working for external domain
On 17.11.10 11:10, Moore, Mark A. wrote:
> Subject: Nslookup not working for external domain

oh, nslookup is not working? Sure it is working, your problem is not in nslookup.

> We are running into an issue where one of our slave servers isn't resolving non-local domain names.

the term slave only applies to domains the server is fetching from its master. There's no slave for non-local domains.

> For the two domains hosted on this server, we can resolve any entry. However, if we try to do an nslookup to cnn, google, yahoo, etc. it fails. We have turned off iptables and verified internet connectivity. Below is the error we get. What other areas should we be looking at to troubleshoot? Thx in advance for any help given.
>
> nslookup www.cnn.com
> ;; Got SERVFAIL reply from 192.243.160.18, trying next server

This server apparently does not provide recursion for you. look at its logs or put it away from resolv.conf.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Chernobyl was a Windows 95 beta test site.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
broken trust chain for non-existing AAAA records
We are using Bind 9.7 at the border to resolve DNS queries for a small LAN. After moving forward in using IPv6 we discovered many broken trust chain errors in the bind log for non-existing records. One example is

Nov 18 01:18:21 firewall named[27580]: error (broken trust chain) resolving 'smtp.g.comcast.net//IN': 76.96.53.47#53
Nov 18 01:18:21 firewall named[27580]: error (broken trust chain) resolving 'smtp.g.comcast.net//IN': 68.87.66.201#53
Nov 18 01:18:29 firewall named[27580]: error (broken trust chain) resolving 'smtp.g.comcast.net//IN': 76.96.53.47#53
Nov 18 01:18:29 firewall named[27580]: error (broken trust chain) resolving 'smtp.g.comcast.net//IN': 76.96.53.47#53

From what I can see there is no DNSSEC for comcast.net so this should not happen, and the A record just resolves fine. Any comment if this should worry me?

Regards
Andreas
RE: Nslookup not working for external domain
I have figured out and resolved my issue. For some reason I could not read the contents of the db.rootcache file. So I deleted and downloaded a new copy. Now everything is working. Thx to all for your assistance.

Mark

From: Moore, Mark A.
Sent: Wednesday, November 17, 2010 1:10 PM
To: bind-users@lists.isc.org
Subject: Nslookup not working for external domain

We are running into an issue where one of our slave servers isn't resolving non-local domain names. For the two domains hosted on this server, we can resolve any entry. However, if we try to do an nslookup to cnn, google, yahoo, etc. it fails. We have turned off iptables and verified internet connectivity. Below is the error we get. What other areas should we be looking at to troubleshoot? Thx in advance for any help given.

nslookup www.cnn.com
;; Got SERVFAIL reply from 192.243.160.18, trying next server
Server:         192.243.130.42
Address:        192.243.130.42#53

Non-authoritative answer:
Name:   www.cnn.com
Address: 157.166.226.26
Name:   www.cnn.com
Address: 157.166.255.18
Name:   www.cnn.com
Address: 157.166.255.19
Name:   www.cnn.com
Address: 157.166.224.25
Name:   www.cnn.com
Address: 157.166.224.26
Name:   www.cnn.com
Address: 157.166.226.25

Mark
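The root cause above was a hints file named could not read. The following is an added example (not code from the thread or from ISC) that checks a hints file the way a startup sanity check would: readability first, then that the file actually carries root NS records with A/AAAA glue. The file name, the sample hints text and the helper names are constructed for illustration.

```python
"""Sanity-check a BIND root hints file such as the db.rootcache replaced above.
Added example, not from the thread. An unreadable hints file, or one without
usable root NS/glue records, leaves named unable to begin recursion, which
clients see as SERVFAIL. The sample hints text is constructed, not a real copy."""
import os
import re
import tempfile

# Constructed sample in the named.root master-file layout:
# ". NS <name>" lines plus "<name> A/AAAA <addr>" glue lines.
SAMPLE_HINTS = """\
;  constructed hints sample
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
"""

RR_LINE = re.compile(r"^(\S+)\s+\d+\s+(?:IN\s+)?(NS|A|AAAA)\s+(\S+)$", re.I)

def parse_hints(text):
    """Return (root_ns_names, glue) from hints text; comments are skipped."""
    root_ns, glue = set(), {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.group(1).lower(), m.group(2).upper(), m.group(3)
        if rtype == "NS" and owner == ".":
            root_ns.add(rdata.lower())
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata)
    return root_ns, glue

def check_hints_text(text):
    """Return a list of problems; an empty list means the hints are usable."""
    root_ns, glue = parse_hints(text)
    problems = [] if root_ns else ["no NS records for the root zone"]
    for ns in sorted(root_ns):
        if ns not in glue:
            problems.append(f"root NS {ns} has no A/AAAA glue")
    return problems

def check_hints_file(path):
    """Readability is checked first: that is the failure mode in the thread,
    where named could not read its hints file at all."""
    if not os.access(path, os.R_OK):
        return [f"{path}: not readable by this user"]
    with open(path, encoding="ascii", errors="replace") as fh:
        return check_hints_text(fh.read())

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".hints", delete=False) as tmp:
        tmp.write(SAMPLE_HINTS)
    print(check_hints_file(tmp.name) or "hints file looks usable")
    print(check_hints_file("/nonexistent/db.rootcache"))
```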
Re: Is it Possible to Log nxdomain Responses?
On 17/11/2010 15:23, Stephane Bortzmeyer wrote:
> On Wed, Nov 17, 2010 at 07:48:55AM -0600, Martin McCormick mar...@dc.cis.okstate.edu wrote a message of 22 lines which said:
>> It would be nice to log each nxdomain for a while so we can verify that the new delegated zone we are about to install fixed the problem.
>
> Maybe with dnscap https://www.dns-oarc.net/tools/dnscap:
>
> dnscap -e x -g -w nxdomain-%s-%u.pcap
>
> This will keep NXDOMAIN responses

I like dnscap. It also has an option to specify a regex to match on the QNAME, and capture packets for certain domain names / zones. This is a useful feature to use on servers which host more than one zone.

Regards,
Anand
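The selection dnscap makes with -e x plus a QNAME regex (NXDOMAIN responses for one zone only) can be checked against raw DNS messages as an added example; this is illustrative code, not dnscap's own or anything from the thread, and the packets are constructed in memory so it runs without a capture.

```python
"""Keep only NXDOMAIN responses whose QNAME matches a pattern, the selection
dnscap -e x plus its QNAME regex option performs. Added example, not part of
the thread; the packets are constructed in memory, not captured, so it runs
offline. Names and values below are illustrative."""
import re
import struct

NXDOMAIN = 3   # RCODE 3 in the DNS header

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_response(qname, rcode, txid=0x1234):
    """Constructed response (QR, RD, RA set) with one A/IN question, no answers."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def parse_response(pkt):
    """Return (qname, rcode) for a DNS response, or None for anything else."""
    if len(pkt) < 12:
        return None
    _, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if not flags & 0x8000 or qdcount == 0:
        return None                      # a query, or nothing in the question
    labels, pos = [], 12
    while pos < len(pkt) and pkt[pos] != 0:
        ln = pkt[pos]
        if ln & 0xC0 or pos + 1 + ln > len(pkt):
            return None                  # compression pointer or truncated name
        labels.append(pkt[pos + 1:pos + 1 + ln].decode("ascii", "replace"))
        pos += 1 + ln
    if pos >= len(pkt):
        return None                      # ran off the end before the root label
    return ".".join(labels) + ".", flags & 0x0F

def nxdomain_matches(packets, qname_regex):
    """QNAMEs of NXDOMAIN responses whose name matches qname_regex."""
    pat = re.compile(qname_regex, re.I)
    hits = []
    for pkt in packets:
        parsed = parse_response(pkt)
        if parsed and parsed[1] == NXDOMAIN and pat.search(parsed[0]):
            hits.append(parsed[0])
    return hits

# Constructed traffic: the zone being re-delegated, an unrelated zone, one NOERROR.
SAMPLE = [
    build_response("old-host.example.edu", NXDOMAIN),
    build_response("www.example.edu", 0),
    build_response("missing.example.org", NXDOMAIN),
    build_response("printer.sub.example.edu", NXDOMAIN),
]

if __name__ == "__main__":
    print(nxdomain_matches(SAMPLE, r"\.example\.edu\.$"))
```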
Best Practices Query Logging, On or Off ?
I am looking for best practices for dns query logging

Versions in use on Linux...
- BIND 9.7.1-P2
- BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2

The minimum logging statement in my test named.conf (bind 9.7.1-P2)

logging {
    category lame-servers { null; };
    category resolver { null; };
};

which I have tested still allows the dns (default) to log to /var/log/messages

-- default
The default category defines the logging options for those categories where no specific configuration has been defined.
--

I have also been made aware that query logging can give a machine up to a 30% performance hit but also with today's machines it is mostly negligible..

My question is: Do folks normally use query logging as a forensic tool or are most Bind installations done without logging any queries?

The powers that be seem to think the performance hit outweighs any forensic benefit...

Thx
Charles
Re: Nslookup not working for external domain
On 17.11.10 11:10, Moore, Mark A. wrote:
>>> nslookup www.cnn.com
>>> ;; Got SERVFAIL reply from 192.243.160.18, trying next server

On 11/18/2010 5:16 AM, Matus UHLAR - fantomas wrote:
>> This server apparently does not provide recursion for you.

On 18.11.10 12:44, Kevin Darcy wrote:
> The OP already found the problem - apparently the hints file wasn't being loaded properly.

it was after my reply ;-)

> However, for future reference in troubleshooting DNS problems through interpretation of nslookup results, for the versions of nslookup I'm familiar with, trying to do a lookup that requires recursion, from a resolver that doesn't provide it, results in either a) a goofy-looking referral response, if no searchlisting is being performed, or b) nslookup going off and doing searchlisted queries, and returning the results of the *last* query it does (which is likely to be an NXDOMAIN response, thus causing nslookup to mis-report the result of the overall lookup as NXDOMAIN). In neither case would it return SERVFAIL. That usually points to some other root cause. My guess would have been that the resolver had no connectivity to the Internet and had marked all of the root nameservers as lame. Mis-loading of the hints file apparently has the same symptoms, although to be honest I don't think I've seen that before.

Last versions of BIND do not even return root referrals to clients that are not allowed to recurse. Accessing the hint zone is understood as recursion too.

...you may remember the issue with flooding some servers with UDP responses to spoofed queries for . some time ago... Have you checked with such a server?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
WinError #98652: Operation completed successfully.
Re: Debugging configuring TKEY: failure (w/samba4)
On Fri, 2010-11-12 at 07:54 -0700, Nicholas F Miller wrote:
> I recently went through this and have it working. Look through the archives for 'GSS-TSIG and Active Directory'.
> https://lists.isc.org/mailman/mmsearch/bind-users?config=bind-users.htsearchrestrict=exclude=method=andformat=shortsort=scorewords=GSS-TSIG+and+Active+Directory
>
> Things to check:
>
> 1) You are running the newest version of Bind.

Done.

BIND 9.7.2 built with '--prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var' '--libdir=/usr/lib64' '--includedir=/usr/include/bind' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl' '--enable-threads' '--with-gssapi' '--with-libtool' '--with-libxml2' '--with-dlz-mysql' '--with-dlz-ldap' 'CFLAGS=-O2 -g -m64 -fmessage-length=0 -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib64'

I built an RPM of 9.7.2 on openSUSE

> 2) You might try compiling Bind with --with-gssap=/usr
>
> 3) Double check your krb5.conf and make sure you have arcfour-hmac-md5 listed first in default_tgs_enctypes and default_tkt_enctypes.

I added that and retried, to no avail.

> 4) When you create your keytab don't define crypto, it will default to RC4-HMAC-NT. (ktpass -out foo.keytab -princ DNS/foo.example.org at EXAMPLE.ORG -pass * -mapuser foo at example.org)

samba:/opt/ad/samba4/private # klist -k dns.keytab -e
Keytab name: WRFILE:dns.keytab
KVNO Principal
   1 DNS/ad.mormail@ad.mormail.com (DES cbc mode with RSA-MD5)
   1 DNS/ad.mormail@ad.mormail.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   1 DNS/ad.mormail@ad.mormail.com (Triple DES cbc mode with HMAC/sha1)
   1 DNS/ad.mormail@ad.mormail.com (ArcFour with HMAC/md5)

> 5) FWIW, I am not using any of the Samba settings. The DNS server isn't joined to the AD, it just has the krb5.conf setup and a keytab for DNS/dnserver.domain.

Yes, I believe that is generally the setup; Samba just uses KRB5 to authorize to bind to perform the update. I'm baffled there is seemingly no way to get bind to cough up more error information such as what file it can't access or some KRB5/GSSAPI error message.

> On Nov 10, 2010, at 6:48 AM, Adam Tauno Williams wrote:
>> I'm attempting to get Bind 9.7.2 (built on openSUSE 11.3) running in relation to Samba4; this uses GSSAPI authentication to update the Bind zones. Everything works except this part. I've built bind with --with-gssapi, verified krb5 is linked in, and verified [at least with kinit and other trivial krb5 tools] that Kerberos/GSSAPI is working. But when I add:
>>
>> options {
>>     tkey-gssapi-credential DNS/ad.mormail.com;
>>     tkey-domain AD.MORMAIL.COM;
>>     ...
>> }
>>
>> - to my bind configuration bind fails to start with -
>>
>> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: D.F.IP6.ARPA
>> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: 8.E.F.IP6.ARPA
>> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: 9.E.F.IP6.ARPA
>> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: A.E.F.IP6.ARPA
>> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: B.E.F.IP6.ARPA
>> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
>> Nov 10 08:43:32 opensuse named[3021]: configuring TKEY: failure
>> Nov 10 08:43:32 opensuse named[3021]: loading configuration: failure
>> Nov 10 08:43:32 opensuse named[3021]: exiting (due to fatal error)
>>
>> I've tried playing with log levels, etc... and I just can't seem to dig any more information out of it. Are there any procedures / tips for debugging a configuring TKEY: failure message?
Re: Debugging configuring TKEY: failure (w/samba4)
On Thu, 2010-11-18 at 16:20 -0500, Adam Tauno Williams wrote:
> On Fri, 2010-11-12 at 07:54 -0700, Nicholas F Miller wrote:
>> I recently went through this and have it working. Look through the archives for 'GSS-TSIG and Active Directory'.
>> https://lists.isc.org/mailman/mmsearch/bind-users?config=bind-users.htsearchrestrict=exclude=method=andformat=shortsort=scorewords=GSS-TSIG+and+Active+Directory
>>
>> Things to check:
>>
>> 1) You are running the newest version of Bind.
>
> Done.
>
> BIND 9.7.2 built with '--prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--localstatedir=/var' '--libdir=/usr/lib64' '--includedir=/usr/include/bind' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-openssl' '--enable-threads' '--with-gssapi' '--with-libtool' '--with-libxml2' '--with-dlz-mysql' '--with-dlz-ldap' 'CFLAGS=-O2 -g -m64 -fmessage-length=0 -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib64'
>
> I built an RPM of 9.7.2 on openSUSE
>
>> 2) You might try compiling Bind with --with-gssap=/usr
>>
>> 3) Double check your krb5.conf and make sure you have arcfour-hmac-md5 listed first in default_tgs_enctypes and default_tkt_enctypes.
>
> I added that and retried, to no avail.
>
>> 4) When you create your keytab don't define crypto, it will default to RC4-HMAC-NT. (ktpass -out foo.keytab -princ DNS/foo.example.org at EXAMPLE.ORG -pass * -mapuser foo at example.org)
>
> samba:/opt/ad/samba4/private # klist -k dns.keytab -e
> Keytab name: WRFILE:dns.keytab
> KVNO Principal
>    1 DNS/ad.mormail@ad.mormail.com (DES cbc mode with RSA-MD5)
>    1 DNS/ad.mormail@ad.mormail.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
>    1 DNS/ad.mormail@ad.mormail.com (Triple DES cbc mode with HMAC/sha1)
>    1 DNS/ad.mormail@ad.mormail.com (ArcFour with HMAC/md5)
>
>> 5) FWIW, I am not using any of the Samba settings. The DNS server isn't joined to the AD, it just has the krb5.conf setup and a keytab for DNS/dnserver.domain.
>
> Yes, I believe that is generally the setup; Samba just uses KRB5 to authorize to bind to perform the update. I'm baffled there is seemingly no way to get bind to cough up more error information such as what file it can't access or some KRB5/GSSAPI error message.

Ok, I got this -

dispatch 0x7f68968b6120: created task 0x7f688fdce850
res 0x7f689631b198: create
dns_requestmgr_create
dns_requestmgr_create: 0x7f688fdcf1c8
dns_requestmgr_whenshutdown
dispatch 0x7f68968b6120: detach: refcount 2
acquiring credentials for DNS/ad.mormail.com
failed to acquire accept credentials for DNS/ad.mormail.com: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Resource temporarily unavailable.
configuring TKEY: failure
client @0x7f68965ea090: udprecv

- by running named -4 -c /etc/named.conf -g -u named -d 65535 with both $KEYTAB_FILE and $KRB5_KTNAME indicating the location of the keytab.

>> On Nov 10, 2010, at 6:48 AM, Adam Tauno Williams wrote:
>>> I'm attempting to get Bind 9.7.2 (built on openSUSE 11.3) running in relation to Samba4; this uses GSSAPI authentication to update the Bind zones. Everything works except this part. I've built bind with --with-gssapi, verified krb5 is linked in, and verified [at least with kinit and other trivial krb5 tools] that Kerberos/GSSAPI is working. But when I add:
>>>
>>> options {
>>>     tkey-gssapi-credential DNS/ad.mormail.com;
>>>     tkey-domain AD.MORMAIL.COM;
>>>     ...
>>> }
>>>
>>> - to my bind configuration bind fails to start with -
>>>
>>> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: D.F.IP6.ARPA
>>> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: 8.E.F.IP6.ARPA
>>> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: 9.E.F.IP6.ARPA
>>> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: A.E.F.IP6.ARPA
>>> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: B.E.F.IP6.ARPA
>>> Nov 10 08:43:32 opensuse named[3021]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
>>> Nov 10 08:43:32 opensuse named[3021]: configuring TKEY: failure
>>> Nov 10 08:43:32 opensuse named[3021]: loading configuration: failure
>>> Nov 10 08:43:32 opensuse named[3021]: exiting (due to fatal error)
>>>
>>> I've tried playing with log levels, etc... and I just can't seem to dig any more information out of it. Are there any procedures / tips for debugging a configuring TKEY: failure message?
Re: Best Practices Query Logging, On or Off ?
On 11/18/2010 4:10 PM, Russell Jackson wrote:
> On 11/18/2010 12:19 PM, Kevin Darcy wrote:
>> On 11/18/2010 1:36 PM, CT wrote:
>>> I am looking for best practices for dns query logging
>>>
>>> Versions in use on Linux...
>>> - BIND 9.7.1-P2
>>> - BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
>>>
>>> The minimum logging statement in my test named.conf (bind 9.7.1-P2)
>>>
>>> logging {
>>>     category lame-servers { null; };
>>>     category resolver { null; };
>>> };
>>>
>>> which I have tested still allows the dns (default) to log to /var/log/messages
>>>
>>> -- default
>>> The default category defines the logging options for those categories where no specific configuration has been defined.
>>> --
>>>
>>> I have also been made aware that query logging can give a machine up to a 30% performance hit but also with today's machines it is mostly negligible..
>>>
>>> My question is: Do folks normally use query logging as a forensic tool or are most Bind installations done without logging any queries?
>>>
>>> The powers that be seem to think the performance hit outweighs any forensic benefit...
>>
>> That's pretty short-sighted, IMO. Query logging allows one to find misbehaving or misconfigured apps/servers/clients, active worms, etc. By identifying those bad actors and correcting them, you reduce your query volumes, usually much more than 30%. So, at the end of the day, what benefit is there, really, in flying blind about one's query traffic?
>>
>> Needless to say, we log all queries here. We even have a subsystem that collects summaries of those query statistics from all of our remote nameservers into a central repository for further mining/analysis.
>
> Query logging also undermines the privacy of your users. There may even be applicable state and federal laws regulating the storage of information that can link users to sites they've visited.

There is no such linkage, when all users are forced to go through a web proxy to access Internet sites, so that it is in fact the web proxy which is making the DNS lookups without any distinction between one user and another.

Whether the web proxy logs themselves violate state and/or federal laws is an interesting question, but not really relevant to this thread or list.

- Kevin
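Kevin's argument is that query logs pay for themselves by exposing the clients that generate the bulk of the traffic. The following is an added example of that kind of first-pass analysis (not the collection subsystem he mentions, and not code from the thread): it parses the "client <ip>#<port>: query: ..." line layout BIND 9.3/9.7 wrote to the queries category and reports which clients dominate. The log lines are constructed, not real traffic, and the threshold is an assumption.

```python
"""Summarise BIND query-log lines to spot the misbehaving clients Kevin
describes. Added example, not from the thread; the log lines below are
constructed in the 9.3/9.7-era "client ... query: ..." layout, not real traffic."""
import re
from collections import Counter

# client 192.0.2.10#53211: query: www.example.com IN A + (192.0.2.1)
# The optional "view <name>:" part appears when views are configured.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: (?:view \S+: )?query: "
    r"(?P<qname>\S+) (?P<class>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_query_log(lines):
    """Yield (client_ip, qname, qtype) for each line that is a query record;
    other named messages (notifies, zone loads, ...) are skipped."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower(), m.group("qtype")

def summarise(lines, top=3):
    """Return per-client totals and the (client, qname, qtype) tuples seen most."""
    per_client = Counter()
    per_tuple = Counter()
    for ip, qname, qtype in parse_query_log(lines):
        per_client[ip] += 1
        per_tuple[(ip, qname, qtype)] += 1
    return per_client, per_tuple.most_common(top)

def noisy_clients(lines, share=0.5):
    """Clients responsible for more than `share` of all queries (threshold is
    an assumption): an app retrying in a loop shows up here before it shows
    up as server load."""
    per_client, _ = summarise(lines)
    total = sum(per_client.values())
    return [ip for ip, n in per_client.items() if total and n / total > share]

# Constructed sample: one host hammering a single name, others behaving normally.
SAMPLE_LOG = [
    "Nov 18 13:36:01 ns1 named[1234]: client 192.0.2.77#41000: query: db.internal.example IN A + (192.0.2.53)",
] * 8 + [
    "Nov 18 13:36:02 ns1 named[1234]: client 192.0.2.10#53211: query: www.example.com IN A + (192.0.2.53)",
    "Nov 18 13:36:02 ns1 named[1234]: client 192.0.2.11#53212: view internal: query: mail.example.com IN MX + (192.0.2.53)",
    "Nov 18 13:36:03 ns1 named[1234]: client 2001:db8::5#60000: query: www.example.com IN AAAA + (2001:db8::53)",
    "Nov 18 13:36:03 ns1 named[1234]: zone example.com/IN: sending notifies (serial 2010111801)",
]

if __name__ == "__main__":
    per_client, top = summarise(SAMPLE_LOG)
    print(per_client.most_common())
    print(top)
    print(noisy_clients(SAMPLE_LOG))
```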
Re: Best Practices Query Logging, On or Off ?
Kevin Darcy wrote, On 11/18/2010 02:19 PM:
> On 11/18/2010 1:36 PM, CT wrote:
>> I am looking for best practices for dns query logging
>>
>> Versions in use on Linux...
>> - BIND 9.7.1-P2
>> - BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
>>
>> The minimum logging statement in my test named.conf (bind 9.7.1-P2)
>>
>> logging {
>>     category lame-servers { null; };
>>     category resolver { null; };
>> };
>>
>> which I have tested still allows the dns (default) to log to /var/log/messages
>>
>> -- default
>> The default category defines the logging options for those categories where no specific configuration has been defined.
>> --
>>
>> I have also been made aware that query logging can give a machine up to a 30% performance hit but also with today's machines it is mostly negligible..
>>
>> My question is: Do folks normally use query logging as a forensic tool or are most Bind installations done without logging any queries?
>>
>> The powers that be seem to think the performance hit outweighs any forensic benefit...
>
> That's pretty short-sighted, IMO. Query logging allows one to find misbehaving or misconfigured apps/servers/clients, active worms, etc. By identifying those bad actors and correcting them, you reduce your query volumes, usually much more than 30%. So, at the end of the day, what benefit is there, really, in flying blind about one's query traffic?
>
> Needless to say, we log all queries here. We even have a subsystem that collects summaries of those query statistics from all of our remote nameservers into a central repository for further mining/analysis.
>
> - Kevin

Kevin..

I am one of the ones that keep all my query logs for forensics.. One of my co-workers was actually looking for a best practices document, I will take a look in the ARM but don't remember seeing anything in there when I read through it..

I am curious about the product you use to collect the data / logs.. if you can reply on list..

Thx
Charles
Re: Nslookup not working for external domain
In article mailman.807.1290086898.555.bind-us...@lists.isc.org, Moore, Mark A. mmo...@osmre.gov wrote:
> I have figured out and resolved my issue. For some reason I could not read the contents of the db.rootcache file. So I deleted and downloaded a new copy. Now everything is working. Thx to all for your assistance.

I thought BIND now has a compiled-in set of root hints, to use as an ultimate default. I guess this isn't used if the hints are configured but unreadable. Perhaps you should submit this as a bug report.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: Nslookup not working for external domain
In message barmar-7a12cd.21563118112...@reserved-multicast-range-not-delegated.example.com, Barry Margolin writes:
> In article mailman.807.1290086898.555.bind-us...@lists.isc.org, Moore, Mark A. mmo...@osmre.gov wrote:
>> I have figured out and resolved my issue. For some reason I could not read the contents of the db.rootcache file. So I deleted and downloaded a new copy. Now everything is working. Thx to all for your assistance.
>
> I thought BIND now has a compiled-in set of root hints, to use as an ultimate default. I guess this isn't used if the hints are configured but unreadable. Perhaps you should submit this as a bug report.

Why does it need a bug report? If you have a hint zone in named.conf then falling back to the built-in hints is just plain wrong, as named would be doing something that you have told it not to do.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org