Re: host unreachable, but i can ping it
On 07.01.11 12:54, Jay G. Scott wrote:
> i get, and have always gotten, billions of these messages.
>
>   Jan 2 07:37:43 ns2 named[3028]: client 10.4.1.6#33823: view internal: error sending response: host unreachable
>
> the story is that these are the results of attempted zone transfers.

Apparently the client tries to access your server from a host behind a firewall that allows it to send the request but not to receive the response. Invalid, but apparently quite common FW configuration.

Another possibility is that someone is sending requests with the fake source IP 10.4.1.6.

Dumping traffic between your server and 10.4.1.6 would tell you more.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: check the master/slave status
On 07.01.11 12:08, blr maani wrote:
> You can develop scripts to do the following:
>
> Develop script(s) and run them on a host which has access to both Master(s) and Slave(s). The script should do the following:
>
> 1. For each zone, check the serial number on both master(s) and slave(s) for the zone and compare it. Report a mismatch if any.
> 2. If you want to compare the zone contents as well (assuming you don't trust just the serial numbers), then you can get the zone contents via dig AXFR, do a diff and report the diff if any.

Note that there can be a mismatch for a while when you change a zone on the master. The slave needs some time to fetch the zone and update it...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
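The two checks blr maani describes (serial comparison first, then an AXFR diff) as an added Python example; this is not code posted by anyone in the thread. It parses the one-line output of `dig +short SOA`, compares serials with RFC 1982 wrap-around arithmetic so a rollover past 2^32 is not misread as the slave being ahead, and classifies a lower serial on the slave as "lagging", which is the transient state Matus mentions, while a slave that is ahead of its master is flagged separately as something to investigate. The AXFR diff drops the SOA (printed twice by dig) because the serial is handled by the first check. The example.net zone data, the 192.0.2.x addresses and the fetch_soa dig invocation are constructed for this example; only the dig flags themselves are real.

```python
"""Serial and content check for a zone across master and slave servers.

Added example for this thread (not code posted on the list). The example.net
zone data below is constructed; only the dig command-line flags are real.
"""
import re
import subprocess

# One line of 'dig +short SOA <zone>': mname rname serial refresh retry expire minimum
SOA_SHORT_RE = re.compile(
    r"^(?P<mname>\S+)\s+(?P<rname>\S+)\s+(?P<serial>\d+)\s+(?P<refresh>\d+)\s+"
    r"(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)


def parse_soa_short(text):
    """Return the SOA fields from 'dig +short' output, or None if no SOA line is present."""
    for line in text.splitlines():
        m = SOA_SHORT_RE.match(line.strip())
        if m:
            fields = m.groupdict()
            return {k: (v if k in ("mname", "rname") else int(v)) for k, v in fields.items()}
    return None


def fetch_soa(zone, server, timeout=5):
    """Query one server for the zone's SOA with dig (needs network; the offline sample does not call it)."""
    cmd = ["dig", "+short", "+time=%d" % timeout, "+tries=1", "@" + server, zone, "SOA"]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_soa_short(proc.stdout)


def serial_gt(a, b):
    """RFC 1982 serial-number comparison: is a 'greater than' b modulo 2**32?"""
    half = 1 << 31
    return a != b and ((a < b and b - a > half) or (a > b and a - b < half))


def compare_serials(master_soa, slave_soa):
    """Classify the slave relative to the master: in-sync, lagging, ahead or unreachable."""
    if master_soa is None or slave_soa is None:
        return "unreachable"          # one side gave no SOA answer
    m, s = master_soa["serial"], slave_soa["serial"]
    if m == s:
        return "in-sync"
    if serial_gt(m, s):
        return "lagging"              # normal for up to one refresh interval after a master change
    return "ahead"                    # slave newer than master: stale or diverged copy, investigate


def normalize_axfr(text):
    """Set of records from 'dig AXFR' output; comment lines and the twice-printed SOA are dropped."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "SOA":
            continue                  # serials are compared separately
        records.add(" ".join(fields))
    return records


def diff_axfr(master_text, slave_text):
    """Records present only on the master and only on the slave, each sorted."""
    m, s = normalize_axfr(master_text), normalize_axfr(slave_text)
    return sorted(m - s), sorted(s - m)


# Constructed sample data for an offline run (slave is one serial behind and missing one record).
SAMPLE_MASTER_SOA = "ns1.example.net. hostmaster.example.net. 2011011010 10800 600 604800 300\n"
SAMPLE_SLAVE_SOA = "ns1.example.net. hostmaster.example.net. 2011011009 10800 600 604800 300\n"
SAMPLE_MASTER_AXFR = """\
; <<>> DiG 9.3.6 <<>> @ns1.example.net example.net AXFR
example.net.      300 IN SOA ns1.example.net. hostmaster.example.net. 2011011010 10800 600 604800 300
example.net.      300 IN NS  ns1.example.net.
example.net.      300 IN NS  ns2.example.net.
www.example.net.  300 IN A   192.0.2.10
new.example.net.  300 IN A   192.0.2.11
example.net.      300 IN SOA ns1.example.net. hostmaster.example.net. 2011011010 10800 600 604800 300
;; Query time: 1 msec
"""
SAMPLE_SLAVE_AXFR = """\
example.net.      300 IN SOA ns1.example.net. hostmaster.example.net. 2011011009 10800 600 604800 300
example.net.      300 IN NS  ns1.example.net.
example.net.      300 IN NS  ns2.example.net.
www.example.net.  300 IN A   192.0.2.10
example.net.      300 IN SOA ns1.example.net. hostmaster.example.net. 2011011009 10800 600 604800 300
"""


def check_zone_offline():
    """Run both checks on the constructed samples; returns (state, only_on_master, only_on_slave)."""
    state = compare_serials(parse_soa_short(SAMPLE_MASTER_SOA), parse_soa_short(SAMPLE_SLAVE_SOA))
    only_master, only_slave = diff_axfr(SAMPLE_MASTER_AXFR, SAMPLE_SLAVE_AXFR)
    return state, only_master, only_slave


if __name__ == "__main__":
    state, only_master, only_slave = check_zone_offline()
    print("example.net: slave is", state)
    for rec in only_master:
        print("  missing on slave:", rec)
    for rec in only_slave:
        print("  extra on slave:  ", rec)
```

For a live run, replace the samples with `fetch_soa(zone, master)` and `fetch_soa(zone, slave)` for each zone, and treat "lagging" as an alert only once it has persisted longer than the zone's refresh interval (the third numeric SOA field), which is exactly the grace period Matus points out.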
Re: host unreachable. -- a bit more info
hi,

thanks for the replies. however, i didn't learn much. i'm more of a network newbie than i thought. but what i can say is this:

(repeating the problem) i get zillions of these msgs:

  Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable

i CAN do an AXFR from 10.4.1.6 to ns2. that is,

  dig @10.4.1.6 arlut.utexas.edu AXFR

does give me output. on 10.4.1.6,

  dig @146.6.211.1 arlut.utexas.edu AXFR

  ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @146.6.211.1 arlut.utexas.edu AXFR
  ; (1 server found)
  ;; global options:  printcmd
  ; Transfer failed.

now, when i attempt that AXFR, the error message is NOT like the symptom i have. so i conclude that my problem is not AXFR (or IXFR, similar experiment).

so what is this msg talking about?

  Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable

i'm starting to think it might be just an ordinary dns lookup.

j.

-- 
Jay Scott		512-835-3553		g...@arlut.utexas.edu
Head of Sun Support, Sr. System Administrator
Applied Research Labs, Computer Science Div.	S224
University of Texas at Austin
Re: host unreachable. -- a bit more info
Jay G. Scott wrote:
> hi,
>
> thanks for the replies. however, i didn't learn much. i'm more of a network newbie than i thought. but what i can say is this:
>
> (repeating the problem) i get zillions of these msgs:
>
>   Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable
>
> i CAN do an AXFR from 10.4.1.6 to ns2. that is,
>
>   dig @10.4.1.6 arlut.utexas.edu AXFR
>
> does give me output. on 10.4.1.6,
>
>   dig @146.6.211.1 arlut.utexas.edu AXFR
>
>   ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @146.6.211.1 arlut.utexas.edu AXFR
>   ; (1 server found)
>   ;; global options:  printcmd
>   ; Transfer failed.
>
> now, when i attempt that AXFR, the error message is NOT like the symptom i have. so i conclude that my problem is not AXFR (or IXFR, similar experiment).
>
> so what is this msg talking about?
>
>   Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable
>
> i'm starting to think it might be just an ordinary dns lookup.
>
> j.

Jay

Please do the following two queries from the secondary server and show us the results:

  dig @146.6.211.1 +tcp arlut.utexas.edu
  dig @146.6.211.1 -tcp arlut.utexas.edu

Lyle Giese
LCR Computer Services, Inc.
Re: host unreachable. -- a bit more info
On Mon, Jan 10, 2011 at 12:41:48PM -0600, Jay G. Scott wrote:
> hi,
>
> thanks for the replies. however, i didn't learn much. i'm more of a network newbie than i thought. but what i can say is this:
>
> (repeating the problem) i get zillions of these msgs:
>
>   Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable
>
> i CAN do an AXFR from 10.4.1.6 to ns2. that is,
>
>   dig @10.4.1.6 arlut.utexas.edu AXFR
>
> does give me output. on 10.4.1.6,
>
>   dig @146.6.211.1 arlut.utexas.edu AXFR
>
>   ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @146.6.211.1 arlut.utexas.edu AXFR
>   ; (1 server found)
>   ;; global options:  printcmd
>   ; Transfer failed.
>
> now, when i attempt that AXFR, the error message is NOT like the symptom i have. so i conclude that my problem is not AXFR (or IXFR, similar experiment).
>
> so what is this msg talking about?
>
>   Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable
>
> i'm starting to think it might be just an ordinary dns lookup.

heh. no. of course not. suddenly realized that i could test that, and, no, that's not it.

so what could it be?

j.

> j.

-- 
Jay Scott		512-835-3553		g...@arlut.utexas.edu
Head of Sun Support, Sr. System Administrator
Applied Research Labs, Computer Science Div.	S224
University of Texas at Austin
stale cache in alternate views?
I'm using bind-9.5.1-P3 (yes, I know it's old). I have a zone in multiple views. When I update the zone and reload, the match-clients { any } view sees new DNS records right away, but another view doesn't see them for a while. Given this configuration:

  view global {
    match-clients { any; };
    zone "example.net" {
      type slave;
      file "/var/named/slaves/example.net.zone";
      masters { a.b.c.d; };
    };
  };

  view full {
    match-clients { a.b.c.0/24; 127.0.0.1; };
    zone "example.net" {
      type slave;
      file "/var/named/slaves/example.net.zone";
      masters { a.b.c.d; };
    };
  };

If a client in the a.b.c.0/24 subnet queries the server, it doesn't see recently added DNS records. If a client outside a.b.c.0/24 does the same query, it sees the new records immediately after the rndc reload.

Anyone know how to change this behavior?

Thanks.
Re: host unreachable. -- a bit more info
On Mon, Jan 10, 2011 at 12:52:16PM -0600, Lyle Giese wrote:
> [snip]
>
> Jay
>
> Please do the following two queries from the secondary server and show us the results:
>
>   dig @146.6.211.1 +tcp arlut.utexas.edu
>   dig @146.6.211.1 -tcp arlut.utexas.edu
>
> Lyle Giese
> LCR Computer Services, Inc.

okay. but it doesn't seem to like -tcp as an arg. thanks for helping.

  [r...@ns5 ~]# dig @146.6.211.1 +tcp arlut.utexas.edu

  ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @146.6.211.1 +tcp arlut.utexas.edu
  ; (1 server found)
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15938
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;arlut.utexas.edu.              IN      A

  ;; AUTHORITY SECTION:
  arlut.utexas.edu.       300     IN      SOA     csdsun9.arlut.utexas.edu. root.arlut.utexas.edu. 2011011010 10800 600 604800 300

  ;; Query time: 0 msec
  ;; SERVER: 146.6.211.1#53(146.6.211.1)
  ;; WHEN: Mon Jan 10 14:49:55 2011
  ;; MSG SIZE  rcvd: 83

  ---

  [r...@ns5 ~]# dig @146.6.211.1 -tcp arlut.utexas.edu
  ;; Warning, ignoring invalid type cp

  ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @146.6.211.1 -tcp arlut.utexas.edu
  ; (1 server found)
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23674
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;arlut.utexas.edu.              IN      A

  ;; AUTHORITY SECTION:
  arlut.utexas.edu.       300     IN      SOA     csdsun9.arlut.utexas.edu. root.arlut.utexas.edu. 2011011010 10800 600 604800 300

  ;; Query time: 0 msec
  ;; SERVER: 146.6.211.1#53(146.6.211.1)
  ;; WHEN: Mon Jan 10 14:50:27 2011
  ;; MSG SIZE  rcvd: 83

-- 
Jay Scott		512-835-3553		g...@arlut.utexas.edu
Head of Sun Support, Sr. System Administrator
Applied Research Labs, Computer Science Div.	S224
University of Texas at Austin
Re: host unreachable. -- a bit more info
sorry about that. I don't normally use these options. But it's

  dig @146.6.211.1 +tcp arlut.utexas.edu
  dig @146.6.211.1 +notcp arlut.utexas.edu

But UDP is the default and the second query should have been transmitted using UDP. The end result is that you have TCP and UDP port 53 opened properly in the firewalls between the two sites.

BTW, zone transfers are done using TCP because of their size. Small queries try to use UDP first.

This is starting to sound more like the master is not allowing your site to get a zone transfer. That is an ACL issue for the master site.

Lyle Giese
LCR Computer Services, Inc.

Jay G. Scott wrote:
> On Mon, Jan 10, 2011 at 12:52:16PM -0600, Lyle Giese wrote:
> > [snip]
> >
> > Jay
> >
> > Please do the following two queries from the secondary server and show us the results:
> >
> >   dig @146.6.211.1 +tcp arlut.utexas.edu
> >   dig @146.6.211.1 -tcp arlut.utexas.edu
> >
> > Lyle Giese
> > LCR Computer Services, Inc.
>
> okay. but it doesn't seem to like -tcp as an arg. thanks for helping.
>
>   [r...@ns5 ~]# dig @146.6.211.1 +tcp arlut.utexas.edu
>
>   ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @146.6.211.1 +tcp arlut.utexas.edu
>   ; (1 server found)
>   ;; global options:  printcmd
>   ;; Got answer:
>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15938
>   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>   ;; QUESTION SECTION:
>   ;arlut.utexas.edu.              IN      A
>
>   ;; AUTHORITY SECTION:
>   arlut.utexas.edu.       300     IN      SOA     csdsun9.arlut.utexas.edu. root.arlut.utexas.edu. 2011011010 10800 600 604800 300
>
>   ;; Query time: 0 msec
>   ;; SERVER: 146.6.211.1#53(146.6.211.1)
>   ;; WHEN: Mon Jan 10 14:49:55 2011
>   ;; MSG SIZE  rcvd: 83
>
>   ---
>
>   [r...@ns5 ~]# dig @146.6.211.1 -tcp arlut.utexas.edu
>   ;; Warning, ignoring invalid type cp
>
>   ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @146.6.211.1 -tcp arlut.utexas.edu
>   ; (1 server found)
>   ;; global options:  printcmd
>   ;; Got answer:
>   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23674
>   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>   ;; QUESTION SECTION:
>   ;arlut.utexas.edu.              IN      A
>
>   ;; AUTHORITY SECTION:
>   arlut.utexas.edu.       300     IN      SOA     csdsun9.arlut.utexas.edu. root.arlut.utexas.edu. 2011011010 10800 600 604800 300
>
>   ;; Query time: 0 msec
>   ;; SERVER: 146.6.211.1#53(146.6.211.1)
>   ;; WHEN: Mon Jan 10 14:50:27 2011
>   ;; MSG SIZE  rcvd: 83
Re: stale cache in alternate views?
It was pointed out to me that order of views matters, and indeed I do have the correct order in my config--I just pasted it out of order in my original email. Here is the corrected version where I still have this problem.

On Mon, Jan 10, 2011 at 03:09:40PM -0500, Chuck Anderson wrote:
> I'm using bind-9.5.1-P3 (yes, I know it's old). I have a zone in multiple views. When I update the zone and reload, the match-clients { any } view sees new DNS records right away, but another view doesn't see them for a while. Given this configuration:
>
>   view full {
>     match-clients { a.b.c.0/24; 127.0.0.1; };
>     zone "example.net" {
>       type slave;
>       file "/var/named/slaves/example.net.zone";
>       masters { a.b.c.d; };
>     };
>   };
>
>   view global {
>     match-clients { any; };
>     zone "example.net" {
>       type slave;
>       file "/var/named/slaves/example.net.zone";
>       masters { a.b.c.d; };
>     };
>   };
>
> If a client in the a.b.c.0/24 subnet queries the server, it doesn't see recently added DNS records. If a client outside a.b.c.0/24 does the same query, it sees the new records immediately after the rndc reload.
>
> Anyone know how to change this behavior?
>
> Thanks.
Re: stale cache in alternate views?
The NOTIFY message is only going to one view (external). The simple solution is to have the internal view transfer the zone from the external view. I posted how to do this within the last month so check the archives for examples.

Mark

In message <20110110200940.gn28...@angus.ind.wpi.edu>, Chuck Anderson writes:
> I'm using bind-9.5.1-P3 (yes, I know it's old). I have a zone in multiple views. When I update the zone and reload, the match-clients { any } view sees new DNS records right away, but another view doesn't see them for a while. Given this configuration:
>
>   view global {
>     match-clients { any; };
>     zone "example.net" {
>       type slave;
>       file "/var/named/slaves/example.net.zone";
>       masters { a.b.c.d; };
>     };
>   };
>
>   view full {
>     match-clients { a.b.c.0/24; 127.0.0.1; };
>     zone "example.net" {
>       type slave;
>       file "/var/named/slaves/example.net.zone";
>       masters { a.b.c.d; };
>     };
>   };
>
> If a client in the a.b.c.0/24 subnet queries the server, it doesn't see recently added DNS records. If a client outside a.b.c.0/24 does the same query, it sees the new records immediately after the rndc reload.
>
> Anyone know how to change this behavior?
>
> Thanks.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: host unreachable. -- a bit more info
On 1/10/2011 2:04 PM, Jay G. Scott wrote:
> On Mon, Jan 10, 2011 at 12:41:48PM -0600, Jay G. Scott wrote:
> > hi,
> >
> > thanks for the replies. however, i didn't learn much. i'm more of a network newbie than i thought. but what i can say is this:
> >
> > (repeating the problem) i get zillions of these msgs:
> >
> >   Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable
> >
> > i CAN do an AXFR from 10.4.1.6 to ns2. that is,
> >
> >   dig @10.4.1.6 arlut.utexas.edu AXFR
> >
> > does give me output. on 10.4.1.6,
> >
> >   dig @146.6.211.1 arlut.utexas.edu AXFR
> >
> >   ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @146.6.211.1 arlut.utexas.edu AXFR
> >   ; (1 server found)
> >   ;; global options:  printcmd
> >   ; Transfer failed.
> >
> > now, when i attempt that AXFR, the error message is NOT like the symptom i have. so i conclude that my problem is not AXFR (or IXFR, similar experiment).
> >
> > so what is this msg talking about?
> >
> >   Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable
> >
> > i'm starting to think it might be just an ordinary dns lookup.
>
> heh. no. of course not. suddenly realized that i could test that, and, no, that's not it.
>
> so what could it be?

If you're getting normal DNS queries from that IP (as well as the zone transfers), and there is a stateful firewall in front of it, it could still be ordinary queries that end up timing out when your server attempts to get an answer from the Internet. The problem would be that the state table entry in the firewall times out faster than BIND gives up on a query, so by the time your server sends the failure response, the firewall has already aged out that connection and blocks the answer.

-- 
Dave
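A way to triage these messages from the named log itself, as an added Python example that is not code from the thread. It parses named's "error sending response" lines in the format Jay posted, groups them by client address and view, counts distinct source ports and computes a rate over the observed window. One client producing a steady stream of errors across many ephemeral ports fits both of the explanations given above (a resolver behind a firewall that drops the late or unsolicited-looking responses, or queries with a forged source), and the log alone cannot tell those apart; the summary tells you which client and view to point Matus's packet capture at. The sample lines are constructed, 192.0.2.55 is a made-up second client, and the two-per-minute threshold in the demo is chosen only to show the flag.

```python
"""Triage of named 'error sending response' log lines by client and view.

Added example for this thread (not code from the list). The sample lines
below are constructed in the format Jay posted; 192.0.2.55 is a made-up client.
"""
import re
from collections import defaultdict
from datetime import datetime

# Syslog prefix, then named's message; the "view <name>:" part is absent when views are not used.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+):(?: view (?P<view>\S+):)? "
    r"error sending response: (?P<reason>.+)$"
)

# Constructed sample: four errors from one client over one minute, one from another, one unrelated line.
SAMPLE_LOG = """\
Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable
Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#41002: view internal: error sending response: host unreachable
Jan 10 12:36:31 ns2 named[3037]: client 10.4.1.6#52310: view internal: error sending response: host unreachable
Jan 10 12:37:24 ns2 named[3037]: client 10.4.1.6#33823: view internal: error sending response: host unreachable
Jan 10 12:37:30 ns2 named[3037]: client 192.0.2.55#5353: error sending response: host unreachable
Jan 10 12:37:31 ns2 named[3037]: zone example.net/IN: sending notifies (serial 2011011010)
"""


def summarize(lines):
    """Per (client IP, view): count, distinct source ports, first/last time and reasons seen.

    Returns (stats, skipped), where skipped counts lines that are not send-error messages.
    """
    stats = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "last": None, "reasons": set()})
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog lines carry no year
        entry = stats[(m["ip"], m["view"] or "-")]
        entry["count"] += 1
        entry["ports"].add(int(m["port"]))
        entry["reasons"].add(m["reason"])
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(stats), skipped


def per_minute(entry):
    """Events per minute over the observed window, floored at one minute so a lone event is not inflated."""
    span = (entry["last"] - entry["first"]).total_seconds()
    return entry["count"] * 60.0 / max(span, 60.0)


def report(stats, threshold_per_minute=60.0):
    """Rows (ip, view, count, distinct_ports, rate, noisy) sorted by count, busiest client first."""
    rows = []
    for (ip, view), entry in stats.items():
        rate = per_minute(entry)
        rows.append((ip, view, entry["count"], len(entry["ports"]), round(rate, 2), rate >= threshold_per_minute))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    stats, skipped = summarize(SAMPLE_LOG.splitlines())
    for ip, view, count, ports, rate, noisy in report(stats, threshold_per_minute=2.0):
        flag = "  NOISY" if noisy else ""
        print(f"{ip:<16} view={view:<9} errors={count:<4} ports={ports:<3} rate={rate:>6.2f}/min{flag}")
    print(f"({skipped} non-matching line(s) skipped)")
```

Run it over the real file with `summarize(open("/var/log/messages"))` and a threshold that matches your normal query volume; a client whose port count stays at one while the error count climbs is a different pattern (a single stuck socket or a fixed-port forwarder) from the many-port pattern in the sample.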
Re: stale cache in alternate views?
Also, you should NOT use the same filename for slave zones in different views.

In article <mailman.1305.1294698399.555.bind-us...@lists.isc.org>, Mark Andrews <ma...@isc.org> wrote:
> The NOTIFY message is only going to one view (external). The simple solution is to have the internal view transfer the zone from the external view. I posted how to do this within the last month so check the archives for examples.
>
> Mark
>
> In message <20110110200940.gn28...@angus.ind.wpi.edu>, Chuck Anderson writes:
> > I'm using bind-9.5.1-P3 (yes, I know it's old). I have a zone in multiple views. When I update the zone and reload, the match-clients { any } view sees new DNS records right away, but another view doesn't see them for a while. Given this configuration:
> >
> >   view global {
> >     match-clients { any; };
> >     zone "example.net" {
> >       type slave;
> >       file "/var/named/slaves/example.net.zone";
> >       masters { a.b.c.d; };
> >     };
> >   };
> >
> >   view full {
> >     match-clients { a.b.c.0/24; 127.0.0.1; };
> >     zone "example.net" {
> >       type slave;
> >       file "/var/named/slaves/example.net.zone";
> >       masters { a.b.c.d; };
> >     };
> >   };
> >
> > If a client in the a.b.c.0/24 subnet queries the server, it doesn't see recently added DNS records. If a client outside a.b.c.0/24 does the same query, it sees the new records immediately after the rndc reload.
> >
> > Anyone know how to change this behavior?
> >
> > Thanks.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***