Re: nanny (was Re: bind-9.8.1: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed)
Hi there, On Thu, 17 Nov 2011 Jeremy C. Reed wrote: On Wed, 16 Nov 2011, Phil Mayers wrote: It might be good if bind were able to re-start itself, rather than dying outright (e.g. re-exec the process) but that is dangerous too; it's better done by an unrelated supervising process. In the bind9 tarball's contrib directory there is a simply nanny ... I am curious if any users of the nanny.pl script (or similar parent) had any crash but didn't notice it. ... Never in several machine decades have I had to do anything like that for BIND. The fact that people are even talking about it is of some concern to me. Twice in approximately the last month I have had one particular server go down for no apparent reason. This machine runs BIND. I keep its copy of BIND fairly well up to date. It has been running 24/7 for well over a decade with typically a couple of years between reboots. I have no evidence that BIND was the culprit, but in view of recent events elsewhere it seems just a little suspicious. Also what other types of nanny scripts do you use? (I already saw other emails with a few suggestions.) The only nanny I normally use is something which restarts sshd every fifteen minutes from the crontab. Attackers sometimes manage to crash a daemon while trying to exploit it; some of my remote machines are *very* remote; and a two thousand mile round trip to restart a daemon is unappealing. Other than that, if something is so unreliable that it needs a nanny, I won't use it anywhere that matters. -- 73, Ged. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Not able to resolve a domain
I have found that www.thisisgame.com does not resolve on our DNS servers. Google DNS works fine. According to dns.14x.org the top level domain com is w. I do not see a w server. I have the most recent named.root file from June. What have I done wrong? Thanks for looking during this busy time. -- Hal King - h...@utk.edumailto:h...@utk.edu Systems Administrator Office of Information Technology Systems: Business Information Systems The University of Tennessee 135D Kingston Pike Building 2309 Kingston Pk. Knoxville, TN 37996 Phone: 974-1599 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Not able to resolve a domain
This is the trace I get trying to resolve the domain. dig +trace thisisgame.com ; DiG 9.8.1-P1 +trace thisisgame.com ;; global options: +cmd . 456080 IN NS d.root-servers.net. . 456080 IN NS h.root-servers.net. . 456080 IN NS l.root-servers.net. . 456080 IN NS f.root-servers.net. . 456080 IN NS e.root-servers.net. . 456080 IN NS b.root-servers.net. . 456080 IN NS i.root-servers.net. . 456080 IN NS m.root-servers.net. . 456080 IN NS j.root-servers.net. . 456080 IN NS k.root-servers.net. . 456080 IN NS a.root-servers.net. . 456080 IN NS c.root-servers.net. . 456080 IN NS g.root-servers.net. ;; Received 512 bytes from 127.0.0.1#53(127.0.0.1) in 364 ms com.172800 IN NS f.gtld-servers.net. com.172800 IN NS d.gtld-servers.net. com.172800 IN NS c.gtld-servers.net. com.172800 IN NS j.gtld-servers.net. com.172800 IN NS k.gtld-servers.net. com.172800 IN NS e.gtld-servers.net. com.172800 IN NS i.gtld-servers.net. com.172800 IN NS m.gtld-servers.net. com.172800 IN NS g.gtld-servers.net. com.172800 IN NS h.gtld-servers.net. com.172800 IN NS a.gtld-servers.net. com.172800 IN NS l.gtld-servers.net. com.172800 IN NS b.gtld-servers.net. ;; Received 504 bytes from 192.33.4.12#53(192.33.4.12) in 496 ms thisisgame.com. 172800 IN NS ns1.thisisgame.com. dig: couldn't get address for 'ns1.thisisgame.com': not found -- Hal King - h...@utk.edumailto:h...@utk.edu Systems Administrator Office of Information Technology Systems: Business Information Systems The University of Tennessee 135D Kingston Pike Building 2309 Kingston Pk. Knoxville, TN 37996 Phone: 974-1599 From: Hal King h...@utk.edumailto:h...@utk.edu Date: Fri, 18 Nov 2011 15:19:18 + To: Bind Users bind-users@lists.isc.orgmailto:bind-users@lists.isc.org Subject: Not able to resolve a domain I have found that www.thisisgame.com does not resolve on our DNS servers. Google DNS works fine. According to dns.14x.org the top level domain com is w. I do not see a w server. I have the most recent named.root file from June. What have I done wrong? Thanks for looking during this busy time. -- Hal King - h...@utk.edumailto:h...@utk.edu Systems Administrator Office of Information Technology Systems: Business Information Systems The University of Tennessee 135D Kingston Pike Building 2309 Kingston Pk. Knoxville, TN 37996 Phone: 974-1599 ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.orgmailto:bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Not able to resolve a domain
Maybe a network/firewall issue? My results below. dig +trace thisisgame.com ; DiG 9.8.0-P2 +trace thisisgame.com ;; global options: +cmd . 432154 IN NS b.root-servers.net. . 432154 IN NS l.root-servers.net. . 432154 IN NS h.root-servers.net. . 432154 IN NS f.root-servers.net. . 432154 IN NS m.root-servers.net. . 432154 IN NS i.root-servers.net. . 432154 IN NS d.root-servers.net. . 432154 IN NS k.root-servers.net. . 432154 IN NS j.root-servers.net. . 432154 IN NS g.root-servers.net. . 432154 IN NS a.root-servers.net. . 432154 IN NS e.root-servers.net. . 432154 IN NS c.root-servers.net. ;; Received 512 bytes from 10.1.6.203#53(10.1.6.203) in 0 ms com.172800 IN NS a.gtld-servers.net. com.172800 IN NS b.gtld-servers.net. com.172800 IN NS c.gtld-servers.net. com.172800 IN NS d.gtld-servers.net. com.172800 IN NS e.gtld-servers.net. com.172800 IN NS f.gtld-servers.net. com.172800 IN NS g.gtld-servers.net. com.172800 IN NS h.gtld-servers.net. com.172800 IN NS i.gtld-servers.net. com.172800 IN NS j.gtld-servers.net. com.172800 IN NS k.gtld-servers.net. com.172800 IN NS l.gtld-servers.net. com.172800 IN NS m.gtld-servers.net. ;; Received 492 bytes from 199.7.83.42#53(l.root-servers.net) in 200 ms thisisgame.com. 172800 IN NS ns1.thisisgame.com. ;; Received 66 bytes from 192.35.51.30#53(f.gtld-servers.net) in 60 ms - Will On Fri, Nov 18, 2011 at 9:23 AM, King, Harold Clyde (Hal) h...@utk.eduwrote: This is the trace I get trying to resolve the domain. dig +trace thisisgame.com ; DiG 9.8.1-P1 +trace thisisgame.com ;; global options: +cmd . 456080 IN NS d.root-servers.net. . 456080 IN NS h.root-servers.net. . 456080 IN NS l.root-servers.net. . 456080 IN NS f.root-servers.net. . 456080 IN NS e.root-servers.net. . 456080 IN NS b.root-servers.net. . 456080 IN NS i.root-servers.net. . 456080 IN NS m.root-servers.net. . 456080 IN NS j.root-servers.net. . 456080 IN NS k.root-servers.net. . 456080 IN NS a.root-servers.net. . 456080 IN NS c.root-servers.net. . 456080 IN NS g.root-servers.net. ;; Received 512 bytes from 127.0.0.1#53(127.0.0.1) in 364 ms com.172800 IN NS f.gtld-servers.net. com.172800 IN NS d.gtld-servers.net. com.172800 IN NS c.gtld-servers.net. com.172800 IN NS j.gtld-servers.net. com.172800 IN NS k.gtld-servers.net. com.172800 IN NS e.gtld-servers.net. com.172800 IN NS i.gtld-servers.net. com.172800 IN NS m.gtld-servers.net. com.172800 IN NS g.gtld-servers.net. com.172800 IN NS h.gtld-servers.net. com.172800 IN NS a.gtld-servers.net. com.172800 IN NS l.gtld-servers.net. com.172800 IN NS b.gtld-servers.net. ;; Received 504 bytes from 192.33.4.12#53(192.33.4.12) in 496 ms thisisgame.com. 172800 IN NS ns1.thisisgame.com. dig: couldn't get address for 'ns1.thisisgame.com': not found -- Hal King - h...@utk.edu Systems Administrator Office of Information Technology Systems: Business Information Systems The University of Tennessee 135D Kingston Pike Building 2309 Kingston Pk. Knoxville, TN 37996 Phone: 974-1599 From: Hal King h...@utk.edu Date: Fri, 18 Nov 2011 15:19:18 + To: Bind Users bind-users@lists.isc.org Subject: Not able to resolve a domain I have found that www.thisisgame.com does not resolve on our DNS servers. Google DNS works fine. According to
Re: Not able to resolve a domain
I have found that www.thisisgame.com does not resolve on our DNS servers You haven't done anything wrong. thisisgame.com has a single name server, and that is currently not open to business, at least not from my part of the world, maybe due to some firewall rule. (Google's NS do indeed have access.) -JP ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Question About max-clients-per-query
I had a situation a couple of days ago where a compromised machine in the DMZ portion of my network began sending an incredible number of queries to a couple of the primary internal DNS servers. The traffic was so intense that legitimate queries were unable to get through, or the customer timed out before the response came back. It took me a while to diagnose, because tailing the logs with querylog on was not possible. The data were coming too fast for my terminal to display them. Only after several Cntl-C commands was I able to escape from the tail, and a portion of the logs was displayed. Only queries from the compromised machine were visible. Nothing else got through during that time period. My customers and bosses are naturally furious. So is it possible to limit the number of queries for one name from one client, or even better, limit the number in a certain time, or the number of queries in a row from one client. If not we are going to have to be creative with some iptables or firewall rules. Thanks for any help you can lend. Alan V. Shackelford Sr. Systems Software Engineer The Johns Hopkins University and Johns Hopkins Medical Institutions Baltimore, Maryland USA 410-735-4773ashac...@jhmi.edu PGP.sig Description: PGP signature ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Not able to resolve a domain
Oops, left off the most important part: thisisgame.com. 1800IN A 1.234.35.120 thisisgame.com. 1800IN NS ns1.thisisgame.com. ;; Received 82 bytes from 1.234.35.141#53(ns1.thisisgame.com) in 187 ms Full results: ; DiG 9.8.0-P2 +trace thisisgame.com ;; global options: +cmd . 431870 IN NS d.root-servers.net. . 431870 IN NS h.root-servers.net. . 431870 IN NS e.root-servers.net. . 431870 IN NS g.root-servers.net. . 431870 IN NS f.root-servers.net. . 431870 IN NS a.root-servers.net. . 431870 IN NS k.root-servers.net. . 431870 IN NS c.root-servers.net. . 431870 IN NS m.root-servers.net. . 431870 IN NS j.root-servers.net. . 431870 IN NS l.root-servers.net. . 431870 IN NS b.root-servers.net. . 431870 IN NS i.root-servers.net. ;; Received 512 bytes from 127.0.0.1#53(10.1.6.203) in 0 ms com.172800 IN NS c.gtld-servers.net. com.172800 IN NS b.gtld-servers.net. com.172800 IN NS a.gtld-servers.net. com.172800 IN NS j.gtld-servers.net. com.172800 IN NS k.gtld-servers.net. com.172800 IN NS l.gtld-servers.net. com.172800 IN NS e.gtld-servers.net. com.172800 IN NS f.gtld-servers.net. com.172800 IN NS h.gtld-servers.net. com.172800 IN NS g.gtld-servers.net. com.172800 IN NS d.gtld-servers.net. com.172800 IN NS i.gtld-servers.net. com.172800 IN NS m.gtld-servers.net. ;; Received 492 bytes from 192.228.79.201#53(b.root-servers.net) in 78 ms thisisgame.com. 172800 IN NS ns1.thisisgame.com. ;; Received 66 bytes from 192.41.162.30#53(l.gtld-servers.net) in 38 ms thisisgame.com. 1800IN A 1.234.35.120 thisisgame.com. 1800IN NS ns1.thisisgame.com. ;; Received 82 bytes from 1.234.35.141#53(ns1.thisisgame.com) in 187 ms -Will On Fri, Nov 18, 2011 at 9:27 AM, Will Lists listsw...@gmail.com wrote: Maybe a network/firewall issue? My results below. dig +trace thisisgame.com ; DiG 9.8.0-P2 +trace thisisgame.com ;; global options: +cmd . 432154 IN NS b.root-servers.net. . 432154 IN NS l.root-servers.net. . 432154 IN NS h.root-servers.net. . 432154 IN NS f.root-servers.net. . 432154 IN NS m.root-servers.net. . 432154 IN NS i.root-servers.net. . 432154 IN NS d.root-servers.net. . 432154 IN NS k.root-servers.net. . 432154 IN NS j.root-servers.net. . 432154 IN NS g.root-servers.net. . 432154 IN NS a.root-servers.net. . 432154 IN NS e.root-servers.net. . 432154 IN NS c.root-servers.net. ;; Received 512 bytes from 127.0.0.1#53(10.1.6.203) in 0 ms com.172800 IN NS a.gtld-servers.net. com.172800 IN NS b.gtld-servers.net. com.172800 IN NS c.gtld-servers.net. com.172800 IN NS d.gtld-servers.net. com.172800 IN NS e.gtld-servers.net. com.172800 IN NS f.gtld-servers.net. com.172800 IN NS g.gtld-servers.net. com.172800 IN NS h.gtld-servers.net. com.172800 IN NS i.gtld-servers.net. com.172800 IN NS j.gtld-servers.net. com.172800 IN NS k.gtld-servers.net. com.172800 IN NS l.gtld-servers.net. com.172800 IN NS m.gtld-servers.net. ;; Received 492 bytes from 199.7.83.42#53(l.root-servers.net) in 200 ms thisisgame.com. 172800 IN NS ns1.thisisgame.com. ;; Received 66 bytes from 192.35.51.30#53(f.gtld-servers.net) in 60 ms - Will On Fri, Nov 18, 2011 at 9:23 AM, King, Harold Clyde (Hal) h...@utk.eduwrote: This is the trace I get trying
Re: Not able to resolve a domain
Site is based in Korea based on the IP and whois, so it does sound like some sort of access controls are in place on one end or the other. I was able to access the site. -Will On Fri, Nov 18, 2011 at 9:30 AM, Jan-Piet Mens jpmens@gmail.com wrote: I have found that www.thisisgame.com does not resolve on our DNS servers You haven't done anything wrong. thisisgame.com has a single name server, and that is currently not open to business, at least not from my part of the world, maybe due to some firewall rule. (Google's NS do indeed have access.) -JP ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Not able to resolve a domain
On Friday 18 November 2011 09:19:18 King, Harold Clyde (Hal) wrote: I have found that www.thisisgame.com does not resolve on our DNS servers. Google DNS works fine. Looks fine from here. According to dns.14x.org the top level domain com is w. I do not see a w server. I have the most recent named.root file from June. What have I done wrong? I don't know what that means. IWFM using both normal recursion and direct-to-NS: ;; ANSWER SECTION: www.thisisgame.com. 1800IN A 1.234.35.120 ;; AUTHORITY SECTION: thisisgame.com. 1800IN NS ns1.thisisgame.com. ;; ADDITIONAL SECTION: ns1.thisisgame.com. 1800IN A 1.234.35.141 I'll toss out a couple of WAGs at no extra charge! 1. When was 1/8 allocated, recently? Maybe you need to update your bogon filter? 2. It's Korean, are you blocking APNIC space? -- Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Not able to resolve a domain
Never mind it's blocked on the IP level. Sorry to bring up stuff on a busy week. Thanks for all the help folks! -- Hal King - h...@utk.edu Systems Administrator Office of Information Technology Systems: Business Information Systems The University of Tennessee 135D Kingston Pike Building 2309 Kingston Pk. Knoxville, TN 37996 Phone: 974-1599 On 11/18/11 10:49 AM, /dev/rob0 r...@gmx.co.uk wrote: On Friday 18 November 2011 09:19:18 King, Harold Clyde (Hal) wrote: I have found that www.thisisgame.com does not resolve on our DNS servers. Google DNS works fine. Looks fine from here. According to dns.14x.org the top level domain com is w. I do not see a w server. I have the most recent named.root file from June. What have I done wrong? I don't know what that means. IWFM using both normal recursion and direct-to-NS: ;; ANSWER SECTION: www.thisisgame.com.1800IN A 1.234.35.120 ;; AUTHORITY SECTION: thisisgame.com.1800IN NS ns1.thisisgame.com. ;; ADDITIONAL SECTION: ns1.thisisgame.com.1800IN A 1.234.35.141 I'll toss out a couple of WAGs at no extra charge! 1. When was 1/8 allocated, recently? Maybe you need to update your bogon filter? 2. It's Korean, are you blocking APNIC space? -- Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Not able to resolve a domain
1. When was 1/8 allocated, recently? Maybe you need to update your bogon filter? Can we anyhow find when an IP block is assigned to an organization by RIR ??? I have tried WHOIS but didn't find anything for the same. Thanks and Regards, Gaurav Kansal 8860785630 9910118448 -Original Message- From: bind-users-bounces+gaurav.kansal=nic...@lists.isc.org [mailto:bind-users-bounces+gaurav.kansal=nic...@lists.isc.org] On Behalf Of /dev/rob0 Sent: Friday, 18 November, 2011 9:19 PM To: bind-users@lists.isc.org Subject: Re: Not able to resolve a domain On Friday 18 November 2011 09:19:18 King, Harold Clyde (Hal) wrote: I have found that http://www.thisisgame.com www.thisisgame.com does not resolve on our DNS servers. Google DNS works fine. Looks fine from here. According to dns.14x.org the top level domain com is w. I do not see a w server. I have the most recent named.root file from June. What have I done wrong? I don't know what that means. IWFM using both normal recursion and direct-to-NS: ;; ANSWER SECTION: http://www.thisisgame.com www.thisisgame.com. 1800 IN A 1.234.35.120 ;; AUTHORITY SECTION: thisisgame.com. 1800 IN NS ns1.thisisgame.com. ;; ADDITIONAL SECTION: ns1.thisisgame.com. 1800 IN A 1.234.35.141 I'll toss out a couple of WAGs at no extra charge! 1. When was 1/8 allocated, recently? Maybe you need to update your bogon filter? 2. It's Korean, are you blocking APNIC space? -- Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list mailto:bind-users@lists.isc.org bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Not able to resolve a domain
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 How does one get a current bogons list? I'm assuming that there are entries that are generally recommended to be in there (and that they're provided with BIND's source when installing). On 11/18/2011 11:33 AM, Evan Hunt wrote: 1. When was 1/8 allocated, recently? Maybe you need to update your bogon filter? That's my guess. 1.0.0.0/8 was one of the last network blocks allocated--last April, IIRC--and prior to that time it was often filtered because it was commonly used in spoofing attacks. In fact, the BIND 9 documentation contains a sample blackhole ACL which, until recently, specifically recommended filtering addresses in that block. The advice is outdated but I think someone is still following it. - -- - _ _ _ _ ___ _ _ _ |Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Sr. Systems Programmer |$| |__| | | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922) \__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7Gi+8ACgkQmb+gadEcsb7MxACfW/gPhip/wbyztsBFB5nJLwZs okkAoJSQcjkEybXyd90BFjq8Aoa9HFmV =gAZG -END PGP SIGNATURE- attachment: novosirj.vcf___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Not able to resolve a domain
On Fri, 18 Nov 2011, Ryan Novosielski wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 How does one get a current bogons list? I'm assuming that there are entries that are generally recommended to be in there (and that they're provided with BIND's source when installing). SOURCE=http://www.cymru.com/Documents/bogon-bn-agg.txt; # Aggregated list. Here's a script I use: http://www.maplepark.com/~drf/consults/Getblackhole -- David Forrest St. Louis, Missouri ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Question About max-clients-per-query
Not an answer to your basic question but I did want to mention that on most UNIX/Linux terminal sessions you can hit Ctrl-s to stop scrolling and Ctrl-q to resume it. -Original Message- From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Alan Shackelford Sent: Friday, November 18, 2011 10:32 AM To: bind-users@lists.isc.org Subject: Question About max-clients-per-query I had a situation a couple of days ago where a compromised machine in the DMZ portion of my network began sending an incredible number of queries to a couple of the primary internal DNS servers. The traffic was so intense that legitimate queries were unable to get through, or the customer timed out before the response came back. It took me a while to diagnose, because tailing the logs with querylog on was not possible. The data were coming too fast for my terminal to display them. Only after several Cntl-C commands was I able to escape from the tail, and a portion of the logs was displayed. Only queries from the compromised machine were visible. Nothing else got through during that time period. My customers and bosses are naturally furious. So is it possible to limit the number of queries for one name from one client, or even better, limit the number in a certain time, or the number of queries in a row from one client. If not we are going to have to be creative with some iptables or firewall rules. Thanks for any help you can lend. Alan V. Shackelford Sr. Systems Software Engineer The Johns Hopkins University and Johns Hopkins Medical Institutions Baltimore, Maryland USA 410-735-4773ashac...@jhmi.edu Athena(r), Created for the Cause(tm) Making a Difference in the Fight Against Breast Cancer - CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. -- ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Question About max-clients-per-query
Hello, Read the BIND ARM (Admin Ref. Manual) about these settings, but here is an example of what I use: clients-per-query 10 ; max-clients-per-query 20 ; http://www.isc.org/software/bind/documentation Previously, this resource was posted on this list which is good info to have when investigating BIND behavior: https://deepthought.isc.org/article/AA-00341/0 HTH From: Alan Shackelford ashac...@jhmi.edu To: bind-users@lists.isc.org bind-users@lists.isc.org Sent: Friday, November 18, 2011 10:32 AM Subject: Question About max-clients-per-query I had a situation a couple of days ago where a compromised machine in the DMZ portion of my network began sending an incredible number of queries to a couple of the primary internal DNS servers. The traffic was so intense that legitimate queries were unable to get through, or the customer timed out before the response came back. It took me a while to diagnose, because tailing the logs with querylog on was not possible. The data were coming too fast for my terminal to display them. Only after several Cntl-C commands was I able to escape from the tail, and a portion of the logs was displayed. Only queries from the compromised machine were visible. Nothing else got through during that time period. My customers and bosses are naturally furious. So is it possible to limit the number of queries for one name from one client, or even better, limit the number in a certain time, or the number of queries in a row from one client. If not we are going to have to be creative with some iptables or firewall rules. Thanks for any help you can lend. Alan V. Shackelford Sr. Systems Software Engineer The Johns Hopkins University and Johns Hopkins Medical Institutions Baltimore, Maryland USA 410-735-4773 ashac...@jhmi.edu ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
9.9.0b1 inline-signing questions
I am testing bind 9.9.0b1 compiled on Ubuntu Oneiric x64 (nstest.jaspain.net). I configured a zone as follows: zone jaspain.net { type master; file /var/lib/bind/jaspain.net/jaspain.net.db; key-directory /var/lib/bind/jaspain.net; update-policy local; auto-dnssec maintain; inline-signing yes; }; On initial startup, bind created jaspain.net.db.signed and jaspain.net.db.signed.jnl. Looking at the latter with named-journalprint, the entries appear to be consistent with the zone signing process. I used nsupdate -l to create a new A record, and that succeeded. The file jaspain.net.db.jnl was created in the process. I attempted to freeze the zone using rndc freeze jaspain.net, and this resulted in the error message rndc: 'freeze' failed: not dynamic. rndc thaw jaspain.net yielded no messages, but added a syslog entry that it was successful. The freeze failure is contrary to what I would have expected. Are update-policy local; and inline-signing yes; incompatible? The serial numbers in the SOA records in the various zone-related files are different, but I believe they are consistent. In jaspain.net.db, the SOA serial number was originally 201501. Looking at jaspain.net.db.signed.jnl, the SOA serial number got updated to 201504 as a result of the initial signing process. Following the record addition with nsupdate, the SOA serial number in jaspain.net.db.jnl was updated to 201502. Twelve minutes later bind rewrote jaspain.net.db with this same serial number and the added A record. Immediately after the nsupdate, jaspain.net.db.signed.jnl showed the signing activity for the new A record and an update of the SOA serial number to 201505. This is the serial number that is returned by a dig of the SOA record. The named-journalprint output for both jaspain.net.db.jnl and jaspain.net.db.signed.jnl starts with the line BITWS=201502. What does that mean? Fourteen minutes after the nsupdate, bind rewrote jaspain.net.db.signed. Is there a utility akin to named-journalprint that would display the contents of jaspain.net.db.signed in human-readable form? Thanks for providing this interesting new feature, which I hope to understand more fully. Jeffry A. Spain Network Administrator Cincinnati Country Day School ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: 9.9.0b1 inline-signing questions
I attempted to freeze the zone using rndc freeze jaspain.net, and this resulted in the error message rndc: 'freeze' failed: not dynamic. rndc thaw jaspain.net yielded no messages, but added a syslog entry that it was successful. The freeze failure is contrary to what I would have expected. Are update-policy local; and inline-signing yes; incompatible? It shouldn't be, that's probably a bug. Can you open a ticket at bind9-b...@isc.org about it? Fourteen minutes after the nsupdate, bind rewrote jaspain.net.db.signed. Is there a utility akin to named-journalprint that would display the contents of jaspain.net.db.signed in human-readable form? It's a raw-format zonefile; you can convert it to text using named-checkzone: named-checkzone -D -f raw jaspain.net jaspain.net.db.signed -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: 9.9.0b1 inline-signing questions
Thanks, Evan. Can you also comment about the meaning of BITWS=201502 at the beginning of the output of named-journalprint? Jeff. -Original Message- From: Evan Hunt [mailto:e...@isc.org] Sent: Friday, November 18, 2011 1:59 PM To: Spain, Dr. Jeffry A. Cc: bind-users@lists.isc.org Subject: Re: 9.9.0b1 inline-signing questions I attempted to freeze the zone using rndc freeze jaspain.net, and this resulted in the error message rndc: 'freeze' failed: not dynamic. rndc thaw jaspain.net yielded no messages, but added a syslog entry that it was successful. The freeze failure is contrary to what I would have expected. Are update-policy local; and inline-signing yes; incompatible? It shouldn't be, that's probably a bug. Can you open a ticket at bind9-b...@isc.org about it? Fourteen minutes after the nsupdate, bind rewrote jaspain.net.db.signed. Is there a utility akin to named-journalprint that would display the contents of jaspain.net.db.signed in human-readable form? It's a raw-format zonefile; you can convert it to text using named-checkzone: named-checkzone -D -f raw jaspain.net jaspain.net.db.signed -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: avoid-v4-udp-ports ineffective? (BIND 9.8.1-P1)
I wrote: I don't understand why named would try to use these ports in the first place as they appear in avoid-v4-udp-ports. Mark Andrews replied: The :: in the log message is the IPv6 equivalent of 0.0.0.0 in IPv4. You machine *is* dual stacked even if it only has IPv6 on loopback. Ah. Adding avoid-v6-udp-ports has indeed solved my issue. Thank you. (I'd assumed BIND wouldn't be trying to open IPv6 sockets since I'd not configured any IPv6 interfaces on the host. '/sbin/ifconfig -a inet6; /sbin/ifconfig -a inet' is showing only IPv4 interfaces, not even a IPv6 loopback.) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
another INSIST bug?
Hello, I have upgraded some of our servers and enabled DNSSEC validation on others (9.8.0_p4). After short time, one of old servers crashed ith different error: Nov 18 19:30:19 t04.nx named[9527]: dnssec: info: validating @0x924cde0: 207.10.168.122.zen.spamhaus.org.dlv.isc.org DLV: bad cache hit (org.dlv.isc.org/DS) Nov 18 19:30:19 t04.nx named[9527]: lame-servers: info: error (broken trust chain) resolving '207.10.168.122.zen.spamhaus.org.dlv.isc.org/DLV/IN': 156.154.101.23#53 Nov 18 19:30:19 t04.nx named[9527]: general: critical: time.c:241: INSIST(t1-nanoseconds 10 t2-nanoseconds 10) failed Nov 18 19:30:19 t04.nx named[9527]: general: critical: exiting (due to assertion failure) Is this different appearance of the bug fixed 2 days ago, or completely new bug? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Windows found: (R)emove, (E)rase, (D)elete ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: nanny (was Re: bind-9.8.1: INSIST(! dns_rdataset _isassociated(sigrdataset)) failed)
On 11/17/2011 13:24, Jeremy C. Reed wrote: Also what other types of nanny scripts do you use? (I already saw other emails with a few suggestions.) Personally I have always thought that the perl script in contrib is overly complex. #!/bin/sh while : ; do /path/named -f whatever other flags you use sleep 17 done You can tart this idea up with various redirections of stdout/stderr, a signal catcher to make it easier to kill, etc. Hopefully this is enough to get people thinking. hth, Doug -- We could put the whole Internet into a book. Too practical. Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: 9.9.0b1 inline-signing questions
Thanks, Evan. Can you also comment about the meaning of BITWS=201502 at the beginning of the output of named-journalprint? Jeff. That's the serial number of the unsigned version of the zone, as of the last time the signed version was updated from it. (BITWS is an abbreviation for bump in the wire signing, which is what we were calling this feature for a while, and there are a few leftover bits of code that still use the term.) -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: nanny (was Re: bind-9.8.1: INSIST(! dns_rdataset _isassociated(sigrdataset)) failed)
Personally I have always thought that the perl script in contrib is overly complex. #!/bin/sh while : ; do /path/named -f whatever other flags you use sleep 17 done That works, but note that it won't catch the problem if named hangs. Running it in xinetd works too, but same note. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: nanny (was Re: bind-9.8.1: INSIST(! dns_rdataset _isassociated(sigrdataset)) failed)
On 11/18/2011 11:48, Evan Hunt wrote: Personally I have always thought that the perl script in contrib is overly complex. #!/bin/sh while : ; do /path/named -f whatever other flags you use sleep 17 done That works, but note that it won't catch the problem if named hangs. Right, but that's what ${Monitoring_System:=nagios} is for. :) And it's been a looong time since I've had a running instance of BIND refuse to answer queries. -- We could put the whole Internet into a book. Too practical. Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/ ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: OT: Bind 9.9.0B1 Inline-Signing Question
I'd like to ask for clarification on the operational issue stated below. Suppose there are no current changes to an inline-signed master zone, i.e. myzone.db.signed timestamp is later than myzone.db timestamp. In this circumstance, is it safe to stop and restart the bind service or reboot the system? What about the situation where changes made by nsupdate have been recorded in the journal files but have not yet been written to the zone files? In other words, myzone.db.jnl timestamp is later than myzone.db timestamp, and myzone.db.signed.jnl timestamp is later than myzone.db.signed timestamp, and myzone.db.signed.jnl timestamp is later than myzone.db.jnl timestamp. Thanks. Jeff. Jeffry A. Spain Network Administrator Cincinnati Country Day School -Original Message- From: bind-users-bounces+spainj=countryday@lists.isc.org [mailto:bind-users-bounces+spainj=countryday@lists.isc.org] On Behalf Of Evan Hunt Sent: Friday, November 11, 2011 12:48 PM To: Adam Tkac Cc: bind-users@lists.isc.org Subject: Re: OT: Bind 9.9.0B1 Inline-Signing Question I should mention that there is a known operational issue in the current version of inline-signing that you should be cautious about. If you're using inline-signing with a master zone, and you make changes to the zone file, you should *not* kill and restart your server to load the new file. Instead, use rndc reload or kill -HUP pid to force named to reload the zone while it's running. That way, named will be able to compare the former version against the new one, and generate the proper set of diffs to apply to the signed zone. If you kill and restart your server to load changes to your zone, then the signed version of the zone will fall out of sync with the raw version, and some of your data will not be accessible to queries. There's no way to recover from this condition except to delete the signed zone and start over, which generates big transfers to slaves and is generally undesirable. We'll have a fix for this in a future release. It's not a problem when using inline-signing on slave zones; slaves load their data via zone transfer, not from files, so this issue doesn't affect them at all. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: OT: Bind 9.9.0B1 Inline-Signing Question
On Fri, Nov 18, 2011 at 11:57:51PM +, Spain, Dr. Jeffry A. wrote: I'd like to ask for clarification on the operational issue stated below. Suppose there are no current changes to an inline-signed master zone, i.e. myzone.db.signed timestamp is later than myzone.db timestamp. In this circumstance, is it safe to stop and restart the bind service or reboot the system? What about the situation where changes made by nsupdate have been recorded in the journal files but have not yet been written to the zone files? In other words, myzone.db.jnl timestamp is later than myzone.db timestamp, and myzone.db.signed.jnl timestamp is later than myzone.db.signed timestamp, and myzone.db.signed.jnl timestamp is later than myzone.db.jnl timestamp. Both of these should be fine. The only thing you need to worry about is if changes to a zone are loaded for the first time in a newly-started server: i.e., you've updated the zone and then shut down the server, or shut down the server and then updated the zone. We expect to have this addressed by the time 9.9.0 is final. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users