Re: ISC Bind in Active Directory

2012-10-18 Thread G.W. Haywood

Hi there,

On Thu, 18 Oct 2012, bind-users-requ...@lists.isc.org wrote:

> ISC Bind in Active Directory (Aaron Thompson)
>
> I'm hopping


Sometimes AD has that effect. :)


> to get some feedback from people who use ISC Bind and DHCPD in
> Active Directory environments.


I've been working on a client's (small) system using Bind in an AD
environment for almost ten years.

When I first met the system it was Windows only.  It had been sending
the same two megabyte mail message to quite a long list of recipients
every two hours for just over two years.  In unrelated incidents it had
been riddled with viruses which for example were logging keystrokes in
the accounts department.  Oh, and the PDC's disc was full, but 80% of
the contents was garbage generated by a wayward third-party backup
Windows package which wasn't doing anything useful at all.  The firm's
directors didn't appreciate that there might be a problem until I told
them that their passwords were being sent to China as they were typed.

I cleaned out the viruses and binned the Microsoft mail, name and DHCP
services and the backup package.  I installed open source replacements.
Peace at last.  Unfortunately I'm unable (yet:) to bin the Windows DCs
or I'd do that tomorrow.  One of them crashes within seconds if I log
on using remote desktop and I still don't know why.  I can't take it
to bits to find out so I simply don't do it any more.  To manage the
dodgy DC I added another one, a virtual machine on a Linux box which
by now hosts half a dozen other Windows VMs.  Eventually I hope that
all the Windows machines will be VMs so I can fix them when they go
wrong without leaving my office...


> Currently we use Bind/DHCPD for dynamic DNS and DHCP.  It's been a
> pretty stable service, redundant and we are polling statistics with
> Cacti.  There is concern by Management ...


Where have I heard all that before? :)


> ...of using a somewhat non standard approach for Active Directory
> SRV records being handled by ISC services and not AD.


At the moment I'm chasing down a particular AD problem which _might_
have been caused by the promotion of a server to a DC.  The symptoms
are (1) a bunch of clients being unable to find resources that they
could find last week and (2) all the SRV records disappearing from the
DCs.  I've spent most of the past week hitting the search engines but
I don't think I'm nearer now to knowing if these things are related
(and how I'm going to fix them) than I was a week ago although tonight
I did stumble upon this little gem:

http://support.microsoft.com/kb/241505

If your Management is concerned about their software, ask them how
they audit the source. :)


> Overall it's been a very stable design for the last 5+ years.
> If you have any relevant feedback I would appreciate it.


If it ain't broke, don't fix it.


> I'm looking for information on experience with Active Directory
> integration with ISC or if anyone has had problems/stability issues
> with AD doing DNS/DHCP or AD working with ISC.


To be fair I don't think there are any big interoperability problems
with the services you're asking about, and if they aren't accessible
to the Big Nasty World out there they shouldn't present too much of a
security risk.  Nevertheless the main things which prevent me from
throwing out the rest of my client's Windows boxes are a niche market
accounting package that you've never heard of, a few printer drivers,
Microsoft Office and AutoCAD.

--

73,
Ged.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: ISC Bind in Active Directory

2012-10-18 Thread Michael Sinatra
On 10/18/12 11:03 AM, Aaron Thompson wrote:
> Hi All,
> 
> I'm hopping to get some feedback from people who use ISC Bind and DHCPD
> in Active Directory environments.
> 
> Currently we use Bind/DHCPD for dynamic DNS and DHCP.  It's been a
> pretty stable service, redundant and we are polling statistics with
> Cacti.  There is concern by Management of using a somewhat non standard
> approach for Active Directory SRV records being handled by ISC services
> and not AD.

Microsoft may tell management that it's non-standard, but it's not.
What you're describing is very common, especially among EDUs.

Management's attitude appears to be based on two myths:

1. You must use AD integrated DNS for your AD installation.
2. You must use DDNS for your AD installation (at least for the relevant
SRV records).

Neither of these is true, and plenty of places have gotten by for at
least a decade with *static* SRV records in a BIND server.

A few years ago, Gartner did a paper where they discussed "new features"
that Microsoft claims "require" AD-integrated DNS.  Gartner's conclusion
was that this is basically not true and that if the current BIND-AD
integration is working for you, then you should stick with it.

[snip]

> Overall it's been a very stable design for the last 5+ years.

It sounds like something that's not broken and shouldn't be fixed.
Again, this is the experience at other EDUs.

> If you have any relevant feedback I would appreciate it.  I'm looking
> for information on experience with Active Directory integration with ISC
> or if anyone has had problems/stability issues with AD doing DNS/DHCP or
> AD working with ISC.
> 
> Thanks in advance.
> 
> Here's a brief survey  for
> Schools that have ISC running in an AD environment.
> 
> http://www.surveymonkey.com/s/2VYNKWR

Done, on behalf of the "other" Berkeley. :)

michael



Re: ISC Bind in Active Directory

2012-10-18 Thread Kevin Darcy
You should think of DNS hosting, DNS resolution and DHCP, as separate 
services that can either be put together on a single platform, or run on 
separate platforms in various combinations, interoperating with each 
other. Another important factor is whether your AD domain is colocated 
with a bunch of other non-AD stuff, or whether it's a separate namespace 
(either a descendant of your main domain, or some namespace entirely).


In our case, our AD folks insist on AD-integrated zones, but on the 
other hand, they're in completely different namespaces. So it's a fairly 
simple matter of delegating from and (for reasons of performance and 
resiliency) replicating that data into our BIND-based infrastructure. We 
handle the DNS resolution and DHCP, and all of the clients can resolve 
the AD names from us, even though we're not the primary master for any 
of the zones. YMMV. One of the drawbacks of this approach is that Domain 
Controllers and certain other types of AD-related servers need to be 
added twice -- once into the AD-integrated zone for AD infrastructure 
purposes, and then again into a more generic zone, so that the proper 
forward/reverse mappings are created and kept in sync. Ideally, AD would 
generate outbound Dynamic Updates for the maintenance of reverse records 
for their resources, if they don't happen to control the relevant 
reverse zone(s), but good luck with that -- it's not in Microsoft's own 
best economic interests to foster interoperability with non-Microsoft 
DNS server implementations...


- Kevin

On 10/18/2012 2:03 PM, Aaron Thompson wrote:

Hi All,

I'm hopping to get some feedback from people who use ISC Bind and 
DHCPD in Active Directory environments.


Currently we use Bind/DHCPD for dynamic DNS and DHCP.  It's been a 
pretty stable service, redundant and we are polling statistics with 
Cacti.  There is concern by Management of using a somewhat non 
standard approach for Active Directory SRV records being handled by 
ISC services and not AD.


The options we are looking at are migrating to AD for DNS and DHCP 
services or to have Bind/DHCPD handle SRV records for AD.


Some technical info on our BIND environment.

Some Client Identifiers
300 DHCP Pools
Dynamic DNS
Cacti Graphs - Reporting
Syslog via Splunk

Overall it's been a very stable design for the last 5+ years.

If you have any relevant feedback I would appreciate it.  I'm looking 
for information on experience with Active Directory integration with 
ISC or if anyone has had problems/stability issues with AD doing 
DNS/DHCP or AD working with ISC.


Thanks in advance.

Here's a brief survey  for 
Schools that have ISC running in an AD environment.


http://www.surveymonkey.com/s/2VYNKWR

-
Aaron Thompson
Network Architect for IT Operations

Berklee College of Music
1140 Boylston Street, MS-186-NETT
Boston, MA 02215-3693

www.berklee.edu
617.747.8656


Re: Disable log message

2012-10-18 Thread Chris Thompson

On Oct 18 2012, Jeremy C. Reed wrote:


> On Thu, 18 Oct 2012, Jack Tavares wrote:
>
>> I  am running bind9.8.x built from source and I see this message in the logs
>> built with '--prefix=/blah' '--sbindir=/blah' '--sysconfdir=/blah' '--localstatedir=/var' '--exec-prefix=/usr' '--libdir=/usr/lib' '--mandir=/usr/share/man' '--with-openssl=/blah' '--enable-fixed-rrset' '--enable-shared' '--enable-threads' '--enable-ipv6' '--with-libtool'  etc etc etc 
>>
>> I would prefer to not have that show up in the log.
>>
>> Short of modifying the source, is there an easy way to disable that?
>
> No way to disable just it. It is in the "general" catch-all category.


Also, it is output before the configuration "logging" directives have been
processed, so it comes out with the internal defaults for category and
priority (daemon.notice). Any suppression would need to be done at the
syslog level.

But I have some difficulty understanding why anyone would want it suppressed.
It's true that BIND is a bit noisier than it used to be at this stage, but
can this really be a problem? Do you let the black hats see your system logs?

--
Chris Thompson
Email: c...@cam.ac.uk


Re: squash 'client query (cache) denied' syslog entries

2012-10-18 Thread Jeremy C. Reed
On Thu, 18 Oct 2012, David Dowdle wrote:

> Some of my external facing nameservers are under attack, and the biggest
> fallout, is the machines going into iowait from logging all the client query
> denied syslog messages.
> 
> note: yes, recursion is turned off on these machines.
> 
> The current logging is a very vanilla
> 
> logging {
>     category default { default_syslog; default_debug; };
>     category lame-servers { null; };
>     // below 2 lines are for logging EVERY query. this can fill a drive
>     //channel "querylog" { file "/var/log/named/query.log"; print-time yes; };
>     //category queries { querylog; };
> };
> 
> 
> I'd like to keep logging going, for obvious reasons, but need to kill the
> 'client query (cache) denied' messages
> 
> so far all the google-found  'solutions' are: turn off all logging

Maybe discard all security logging with:

category security { null; };

Or set up a new channel for handling security with a "severity" of 
"notice" or higher --and then set the category for security to use that 
custom channel. (This cache denied logging is at the "info" level so 
shouldn't be logged at notice or higher.)

A custom my_security_channel example is in the ARM documentation 
which may provide some hints.
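
Added example (not part of the original post and not taken from the ARM): the second suggestion above, applied to the logging block quoted in this message. The channel name security_notice is made up for illustration, and sending it to syslog facility daemon is an assumption.

```conf
logging {
    // Hypothetical channel name. Only messages at severity notice or
    // higher pass; the info-level "client query (cache) denied" lines
    // are dropped before they reach syslog.
    channel security_notice {
        syslog daemon;      // assumed facility
        severity notice;
    };

    category default { default_syslog; default_debug; };
    category lame-servers { null; };

    // Route only the security category to the stricter channel, so
    // security messages at notice and above are still logged and all
    // other categories keep their existing destinations.
    category security { security_notice; };
};
```

named-checkconf can be run against the edited file to confirm the syntax before named is told to reload it.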


squash 'client query (cache) denied' syslog entries

2012-10-18 Thread David Dowdle


Some of my external facing nameservers are under attack, and the biggest 
fallout, is the machines going into iowait from logging all the client 
query denied syslog messages.


note: yes, recursion is turned off on these machines.

The current logging is a very vanilla

logging {
    category default { default_syslog; default_debug; };
    category lame-servers { null; };
    // below 2 lines are for logging EVERY query. this can fill a drive
    //channel "querylog" { file "/var/log/named/query.log"; print-time yes; };
    //category queries { querylog; };
};


I'd like to keep logging going, for obvious reasons, but need to kill the 
'client query (cache) denied' messages


so far all the google-found  'solutions' are: turn off all logging

Thanks




ISC Bind in Active Directory

2012-10-18 Thread Aaron Thompson
Hi All,

I'm hopping to get some feedback from people who use ISC Bind and DHCPD in 
Active Directory environments.

Currently we use Bind/DHCPD for dynamic DNS and DHCP.  It's been a pretty 
stable service, redundant and we are polling statistics with Cacti.  There is 
concern by Management of using a somewhat non standard approach for Active 
Directory SRV records being handled by ISC services and not AD.

The options we are looking at are migrating to AD for DNS and DHCP services or 
to have Bind/DHCPD handle SRV records for AD.

Some technical info on our BIND environment.

Some Client Identifiers
300 DHCP Pools
Dynamic DNS
Cacti Graphs - Reporting
Syslog via Splunk

Overall it's been a very stable design for the last 5+ years.

If you have any relevant feedback I would appreciate it.  I'm looking for 
information on experience with Active Directory integration with ISC or if 
anyone has had problems/stability issues with AD doing DNS/DHCP or AD working 
with ISC.

Thanks in advance.

Here's a brief survey for Schools that have ISC running in an AD environment.

http://www.surveymonkey.com/s/2VYNKWR

-
Aaron Thompson
Network Architect for IT Operations

Berklee College of Music 
1140 Boylston Street, MS-186-NETT
Boston, MA 02215-3693

www.berklee.edu
617.747.8656


Re: Disable log message

2012-10-18 Thread Jeremy C. Reed
On Thu, 18 Oct 2012, Jack Tavares wrote:

> I  am running bind9.8.x built from source and I see this message in the logs
> built with '--prefix=/blah' '--sbindir=/blah' '--sysconfdir=/blah' 
> '--localstatedir=/var' '--exec-prefix=/usr' '--libdir=/usr/lib' 
> '--mandir=/usr/share/man' '--with-openssl=/blah' '--enable-fixed-rrset' 
> '--enable-shared' '--enable-threads' '--enable-ipv6' '--with-libtool'  etc 
> etc etc 
> 
> I would prefer to not have that show up in the log.
> 
> Short of modifying the source, is there an easy way to disable that?

No way to disable just it. It is in the "general" catch-all category.


RE: Disable log message

2012-10-18 Thread Jack Tavares
Let me be more specific.

Is there a way to tell named to not log this message?

Thank you

--
Jack Tavares


From: Warren Kumari [war...@kumari.net]
Sent: Thursday, October 18, 2012 10:18
To: Jack Tavares
Cc: Warren Kumari; bind-us...@isc.org
Subject: Re: Disable log message

On Oct 18, 2012, at 1:13 PM, Jack Tavares  wrote:

> I  am running bind9.8.x built from source and I see this message in the logs
> built with '--prefix=/blah' '--sbindir=/blah' '--sysconfdir=/blah' 
> '--localstatedir=/var' '--exec-prefix=/usr' '--libdir=/usr/lib' 
> '--mandir=/usr/share/man' '--with-openssl=/blah' '--enable-fixed-rrset' 
> '--enable-shared' '--enable-threads' '--enable-ipv6' '--with-libtool'  etc 
> etc etc
>
> I would prefer to not have that show up in the log.
>
> Short of modifying the source, is there an easy way to disable that?

Erm… Depends on how you do your logging -- if this shows up in syslog, and you 
are using syslogng, you should be able to filter it out there…

W

>
> Thanks
>
>
> --
> Jack Tavares

--
Eagles soar but a weasel will never get sucked into a jet engine




Re: Disable log message

2012-10-18 Thread Warren Kumari

On Oct 18, 2012, at 1:13 PM, Jack Tavares  wrote:

> I  am running bind9.8.x built from source and I see this message in the logs
> built with '--prefix=/blah' '--sbindir=/blah' '--sysconfdir=/blah' 
> '--localstatedir=/var' '--exec-prefix=/usr' '--libdir=/usr/lib' 
> '--mandir=/usr/share/man' '--with-openssl=/blah' '--enable-fixed-rrset' 
> '--enable-shared' '--enable-threads' '--enable-ipv6' '--with-libtool'  etc 
> etc etc 
> 
> I would prefer to not have that show up in the log.
> 
> Short of modifying the source, is there an easy way to disable that?

Erm… Depends on how you do your logging -- if this shows up in syslog, and you 
are using syslogng, you should be able to filter it out there…

W

> 
> Thanks
> 
> 
> --
> Jack Tavares

-- 
Eagles soar but a weasel will never get sucked into a jet engine 




Disable log message

2012-10-18 Thread Jack Tavares
I  am running bind9.8.x built from source and I see this message in the logs
built with '--prefix=/blah' '--sbindir=/blah' '--sysconfdir=/blah' 
'--localstatedir=/var' '--exec-prefix=/usr' '--libdir=/usr/lib' 
'--mandir=/usr/share/man' '--with-openssl=/blah' '--enable-fixed-rrset' 
'--enable-shared' '--enable-threads' '--enable-ipv6' '--with-libtool'  etc etc 
etc 

I would prefer to not have that show up in the log.

Short of modifying the source, is there an easy way to disable that?

Thanks


--
Jack Tavares


Re: dhcpd

2012-10-18 Thread Dwayne Hottinger
Great to hear I'm not the only one seeing this.  Haven't seen any androids
yet.   I don't think it is any that are jailbroke.  One of the devices is
division owned so I know it isn't.  Just crappy os's.   The settings on the
ipads actually have a tab for bootp, but no way to change that.

ddh


On Thu, Oct 18, 2012 at 9:28 AM, Jim Glassford  wrote:

> Hi,
>
> Running 4.1.1-P1 and we these also from iThings and androids. Tried to
> verify if the ones doing it were jail broke or something else in common
> but never got to the bottom of it. Enabling bootp, they continued to ask.
> We just continue to deny bootp for subnets that have no need for it and
> ignore them. Five doing it so far today out of 4200.
>
> dhcpd: BOOTREQUEST from 14:5a:05:eb:dc:f3 via 144.80.36.19: bootp
> disallowed
>
> jim
>
> On 10/18/2012 8:42 AM, Dwayne Hottinger wrote:
>
>> I recently setup a new dhcp server.  In my logfiles yesterday I noticed
>> the following message:
>>
>>   BOOTP from dynamic client and no dynamic leases
>>
>> I checked the mac addresses of these clients and thus far they are all
>> ipads, ipods or iphones.  These devices have gotten ip's in the past.
>>   In my dhcpd.conf file I have:  deny dynamic bootp clients; .  I see
>> that I'm handing out IP's for the subnets, and my range should be
>> plenty big.   Has anyone else seen these messages with ipods, ipads or
>> iphones?   We have quite a few of these devices on the network now and I
>> want to ensure that they work correctly.   I'm running dhcpd version
>> 3.0.5 built from rpm on Centos 6.
>>
>> --
>> Dwayne Hottinger
>> Network Administrator
>> Harrisonburg City Public Schools
>>



-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

RPZ: log parsing

2012-10-18 Thread Hugo Maxwell Connery
Hi,

I'm working on a little product which relies on the RPZ facility of BIND,
and particularly on parsing the logs from BIND.

I am using the logging/channel facility in BIND to separate a log which
contains only information relating to recursive queries which have been
responded to from an RPZ zone source.  This log I am parsing (to filter
before sending the relevant extracted data to a database).

I have noticed that there have been changes in the format of the log between
version 9.8.X and 9.9.Y of BIND for these log messages.

I ask: 

* is there a smarter way of obtaining the details of RPZ based recursive query
  responses than parsing the log?

* is it possible to actually specify a log format (a la Apache's CustomLog
  directive)?

* will BIND develop a stable log format for RPZ based responses?

Thanks to ISC for the RPZ facility, and thanks in advance for any responses.

Regards,
--
Hugo Connery, Head of IT, DTU Environment
http://www.env.dtu.dk


Re: dhcpd

2012-10-18 Thread Jim Glassford

Hi,

Running 4.1.1-P1 and we these also from iThings and androids. Tried to 
verify if the ones doing it were jail broke or something else in common 
but never got to the bottom of it. Enabling bootp, they continued to 
ask. We just continue to deny bootp for subnets that have no need for it 
and ignore them. Five doing it so far today out of 4200.


dhcpd: BOOTREQUEST from 14:5a:05:eb:dc:f3 via 144.80.36.19: bootp disallowed

jim

On 10/18/2012 8:42 AM, Dwayne Hottinger wrote:

I recently setup a new dhcp server.  In my logfiles yesterday I noticed
the following message:

  BOOTP from dynamic client and no dynamic leases

I checked the mac addresses of these clients and thus far they are all
ipads, ipods or iphones.  These devices have gotten ip's in the past.
  In my dhcpd.conf file I have:  deny dynamic bootp clients; .  I see
that I'm handing out IP's for the subnets, and my range should be
plenty big.   Has anyone else seen these messages with ipods, ipads or
iphones?   We have quite a few of these devices on the network now and I
want to ensure that they work correctly.   I'm running dhcpd version
3.0.5 built from rpm on Centos 6.

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools





dhcpd

2012-10-18 Thread Dwayne Hottinger
I recently setup a new dhcp server.  In my logfiles yesterday I noticed the
following message:

 BOOTP from dynamic client and no dynamic leases

I checked the mac addresses of these clients and thus far they are all
ipads, ipods or iphones.  These devices have gotten ip's in the past.  In
my dhcpd.conf file I have:  deny dynamic bootp clients; .  I see that I'm
handing out IP's for the subnets, and my range should be plenty big.
Has anyone else seen these messages with ipods, ipads or iphones?   We have
quite a few of these devices on the network now and I want to ensure that
they work correctly.   I'm running dhcpd version 3.0.5 built from rpm on
Centos 6.

-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

Re: Possible DDoS?

2012-10-18 Thread G.W. Haywood

Hi there,

On Wed, 17 Oct 2012, Manson, John wrote:


Does this rise to the level of a DDoS attack?


82 queries in a second is modest, but you're in US government and that
IP is in China.  Given the recent publicity, IMO that's probable cause.


I blackhole IPs that behave like this.


I blackhole China. :)

--

73,
Ged.