Re: Preference of Master Name Servers
On 06/12/12 14:12, Matus UHLAR - fantomas wrote:

> On 05.12.12 17:28, David Hall wrote:
>
>> Question 1: In our secondary / slave name servers we specify the master name servers in the normal manner:
>>
>>     zone "mysample.me.uk" {
>>         type slave;
>>         file "m/y/db.mysample.me.uk";
>>         masters { 10.10.100.12; 10.10.101.12; 10.10.102.5; };
>>     };
>>
>> What I have found is that the order of the master name servers does not matter and one is used at random. That name server is tried for all AXFR / IXFR attempts until it is unreachable. Is there a way to set a dedicated preference of which name servers to use first?
>
> No. All masters are treated equally. Do you know a reason why they should not?
>
> However, if a slave received a NOTIFY from a master, it prefers fetching from that master, AFAIK.
>
>> Question 2: I am also seeing many entries in our logs that look like:
>>
>>     Dec 4 10:28:49 mysys named[28103]: zone mysample.me.uk/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
>>
>> Does this mean that the master name server is unreachable? I have confirmed that it is reachable by UDP and TCP. Or does it mean that we are hitting one of our limits? Our current values are:
>>
>>     serial-query-rate 500;
>>     transfers-out 300;
>>     transfers-in 300;
>>     transfers-per-ns 100;
>
> I would try increasing limits, starting with transfers-in. You can check in logs or via netstat (or a packet dump) how many transfers were executed in parallel (to know which parameter to increase).
>
>> Question 3: We have over 100,000 domains on the name servers. What we see is that once we start seeing many of these "exceeded" messages in the logs, our "soa queries in progress" will go up significantly and never go back down. We have to shut down the name server and restart it, and then the "soa queries in progress" goes down to 0 or 1 and the "exceeded" messages go away. Has anyone had a similar problem? If so, how did you resolve this?
>
> With 100k zones, you must increase limits. Or use a different technique for distributing changes, e.g. NOTIFY, and increase the refresh (and retry) times to avoid useless timeouts.

Does this KB article help at all?

https://kb.isc.org/article/AA-00726/0/Tuning-your-BIND-configuration-effectively-for-zone-transfers-particularly-with-many-frequently-updated-zones.html

(It's one you'll need to register to see - but it's otherwise available to all).

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
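Matus suggests reading the logs to see how many transfers actually ran in parallel before deciding which limit to raise. The script below is an added example, not code from the thread or from ISC: it counts the "retry limit for master ... exceeded" messages per master and tracks the peak number of inbound transfers open at once, overall and per master, then names the option (transfers-in or transfers-per-ns) whose configured value those peaks reached. The "retry limit" line copies the shape quoted in the thread; the "transfer of ..." lines are constructed to resemble BIND's xfer-in log category, so the regexes are assumptions to check against your own named output.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). The "retry limit" line
# copies the shape quoted in the thread; the "transfer of ..." lines follow
# the shape of BIND's xfer-in log category as I remember it, so treat the
# regexes as assumptions and adjust them to what your named actually logs.
SAMPLE_LOG = """\
Dec  4 10:28:40 mysys named[28103]: transfer of 'a.example/IN' from 10.10.100.12#53: connected using 10.10.100.25#40001
Dec  4 10:28:40 mysys named[28103]: transfer of 'b.example/IN' from 10.10.100.12#53: connected using 10.10.100.25#40002
Dec  4 10:28:41 mysys named[28103]: transfer of 'c.example/IN' from 10.10.101.12#53: connected using 10.10.100.25#40003
Dec  4 10:28:41 mysys named[28103]: transfer of 'a.example/IN' from 10.10.100.12#53: Transfer completed: 1 messages, 12 records, 300 bytes, 0.001 secs (300000 bytes/sec)
Dec  4 10:28:42 mysys named[28103]: transfer of 'd.example/IN' from 10.10.100.12#53: connected using 10.10.100.25#40004
Dec  4 10:28:43 mysys named[28103]: transfer of 'c.example/IN' from 10.10.101.12#53: failed while receiving responses: connection reset
Dec  4 10:28:49 mysys named[28103]: zone mysample.me.uk/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
Dec  4 10:28:50 mysys named[28103]: zone other.me.uk/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
Dec  4 10:28:51 mysys named[28103]: zone third.me.uk/IN: refresh: retry limit for master 10.10.100.12#53 exceeded (source 10.10.100.25#0)
"""

XFER_RE = re.compile(
    r"transfer of '(?P<zone>[^']+)' from (?P<master>[0-9a-fA-F.:]+)#\d+: "
    r"(?P<event>connected using|Transfer completed|failed)"
)
RETRY_RE = re.compile(
    r"refresh: retry limit for master (?P<master>[0-9a-fA-F.:]+)#\d+ exceeded"
)


def analyse(log_text):
    """Count retry-limit messages per master and the peak number of
    simultaneously open inbound transfers, overall and per master."""
    retry_exceeded = Counter()
    in_flight = {}          # zone -> master, for transfers currently open
    peak_total = 0
    peak_per_master = Counter()
    for line in log_text.splitlines():
        m = RETRY_RE.search(line)
        if m:
            retry_exceeded[m.group("master")] += 1
            continue
        m = XFER_RE.search(line)
        if not m:
            continue
        zone, master, event = m.group("zone", "master", "event")
        if event == "connected using":
            in_flight[zone] = master
        else:                       # completed or failed: transfer closed
            in_flight.pop(zone, None)
        peak_total = max(peak_total, len(in_flight))
        for mstr, n in Counter(in_flight.values()).items():
            peak_per_master[mstr] = max(peak_per_master[mstr], n)
    return {
        "retry_exceeded": dict(retry_exceeded),
        "peak_parallel_transfers": peak_total,
        "peak_per_master": dict(peak_per_master),
    }


def limits_to_raise(report, transfers_in, transfers_per_ns):
    """Name the options whose configured value the observed peaks reached."""
    hits = []
    if report["peak_parallel_transfers"] >= transfers_in:
        hits.append("transfers-in")
    if any(n >= transfers_per_ns for n in report["peak_per_master"].values()):
        hits.append("transfers-per-ns")
    return hits


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print(report)
    # Values from the thread: transfers-in 300, transfers-per-ns 100
    print("limits reached:", limits_to_raise(report, 300, 100))
```

Feed it a whole day of named's log (with the xfer-in and general categories enabled) rather than the handful of constructed lines: the peaks only mean something over a window that includes a refresh storm, and a master that dominates the retry-limit count is the one whose path to the slave deserves a packet capture.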
Bind not forwarding all requests
Hello,

I am currently running two bind9 servers on Debian Squeeze (1:9.7.3.dfsg-1~squeeze8).

Server 1 is an internal DNS server and serves some local zones. This server should forward all unknown requests to our public DNS server. So I configured this server as follows:

/etc/bind/named.conf.options:

    forward only;
    forwarders { ip_server_2; };

The second server is allowed to do DNS requests on the internet, so there is no forwarder configured.

The issue is that I see on my firewall that server1 is trying to do DNS requests on the DNS ROOT servers.

Any idea why I have this issue? Wrong configuration?

Regards,
Re: Bind not forwarding all requests
It is probably related to forward first versus forward only. Forward first is the default but will fall back to no forwarding if the forwarders fail.

On Dec 7, 2012 12:06 PM, Romgo ro...@free.fr wrote:

> Hello,
>
> I am currently running two bind9 servers on Debian Squeeze (1:9.7.3.dfsg-1~squeeze8).
>
> Server 1 is an internal DNS server and serves some local zones. This server should forward all unknown requests to our public DNS server. So I configured this server as follows:
>
> /etc/bind/named.conf.options:
>
>     forward only;
>     forwarders { ip_server_2; };
>
> The second server is allowed to do DNS requests on the internet, so there is no forwarder configured.
>
> The issue is that I see on my firewall that server1 is trying to do DNS requests on the DNS ROOT servers.
>
> Any idea why I have this issue? Wrong configuration?
>
> Regards,
Re: Bind not forwarding all requests
Yes, that was my first idea by reading the documentation. But as my configuration is clearly using forward only, I don't understand. Could this be a bug?

On 7 December 2012 18:10, Ben Croswell ben.crosw...@gmail.com wrote:

> It is probably related to forward first versus forward only. Forward first is the default but will fall back to no forwarding if the forwarders fail.
>
> On Dec 7, 2012 12:06 PM, Romgo ro...@free.fr wrote:
>
>> [...]
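Before calling it a bug it is worth confirming that "forward only" really applies to every query the server handles. The checker below is an added example, not the poster's configuration or anything from BIND itself; it goes beyond the thread by also looking at zone-level forward statements, since a zone can carry its own forward/forwarders clause. The named.conf fragment is constructed, and the inheritance rules the checker applies (a zone without a forwarders clause inherits the global setting, an empty forwarders list disables forwarding for that zone, a zone with forwarders but no forward statement takes the global mode, else "first") are assumptions to verify against the ARM for your BIND version. It is a deliberately small parser: no include, view or comment handling.

```python
import re

# Constructed named.conf fragment (not the poster's file): a global
# "forward only" plus two zone-level overrides, which is the situation the
# checker is meant to surface.
SAMPLE_CONF = """\
options {
    directory "/var/cache/bind";
    forward only;
    forwarders { 192.0.2.53; };
};

zone "corp.example" {
    type master;
    file "/etc/bind/db.corp.example";
};

zone "partner.example" {
    type forward;
    forward first;
    forwarders { 198.51.100.53; };
};

zone "legacy.example" {
    type forward;
    forwarders { };
};
"""

BLOCK_RE = re.compile(r'\b(options|zone\s+"([^"]+)")\s*\{')
MODE_RE = re.compile(r'\bforward\s+(only|first)\s*;')
FORWARDERS_RE = re.compile(r'\bforwarders\s*\{([^}]*)\}')


def _block_body(text, open_brace):
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in configuration")


def _settings(body):
    """(mode or None, forwarders list or None) exactly as written in one block."""
    mode = MODE_RE.search(body)
    fwd = FORWARDERS_RE.search(body)
    forwarders = None
    if fwd:
        forwarders = [a.strip() for a in fwd.group(1).split(";") if a.strip()]
    return (mode.group(1) if mode else None, forwarders)


def effective_forwarding(conf):
    """Map "global" and every zone with its own forwarders clause to the
    (mode, forwarders) in force there.  Assumed rules: no forwarders clause
    in a zone means it inherits the global setting; an empty list disables
    forwarding for that zone; forwarders without a forward statement take
    the global mode, else "first"."""
    result = {}
    zones = []
    for m in BLOCK_RE.finditer(conf):
        body = _block_body(conf, m.end() - 1)
        if m.group(1) == "options":
            result["global"] = _settings(body)
        else:
            zones.append((m.group(2), _settings(body)))
    g_mode, g_fwd = result.get("global", (None, None))
    default_mode = g_mode or "first"
    result["global"] = ("disabled", []) if g_fwd is None else (default_mode, g_fwd)
    for name, (mode, fwd) in zones:
        if fwd is None:
            continue                       # inherits global, nothing to report
        result[name] = ("disabled", []) if not fwd else (mode or default_mode, fwd)
    return result


def can_reach_root(result):
    """Scopes whose queries may be answered by normal recursion from the root
    hints instead of being handed to a forwarder."""
    return sorted(name for name, (mode, _) in result.items() if mode != "only")


if __name__ == "__main__":
    eff = effective_forwarding(SAMPLE_CONF)
    for scope, (mode, fwd) in eff.items():
        print(f"{scope:20} forward {mode:9} forwarders {fwd}")
    print("may recurse to the roots:", can_reach_root(eff))
```

On the constructed input the global scope is "only" as the poster intended, but partner.example is "first" and legacy.example has forwarding switched off, so queries for either will reach the root servers whenever the forwarder does not answer; an empty `can_reach_root()` result is what the firewall log should correspond to.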
Getting RPZ statistics
I recently (as of 2 days ago) enabled RPZ on all of my name servers. I currently use "rndc stats", perl, and SNMP to make certain global stats available to our network monitoring system to make charts (number of queries across all views and such). I'd like to do the same for just the RPZ zone so I can get an idea of how many queries are getting handled by RPZ itself.

I added "zone-statistics yes;" to the RPZ zone, and the statistics file showed the header for that zone, but then there were no stats there. I enabled the zone-statistics for a "regular" zone and it provided stats as expected. Here's what my stats file looks like with zone-statistics enabled in the RPZ zone and one other zone for comparison.

    ++ Per Zone Query Statistics ++
    [utc.edu (view: view1)]
                      3 queries resulted in successful answer
                      9 queries resulted in authoritative answer
                      2 queries resulted in nxrrset
                      4 queries resulted in NXDOMAIN
    [rpz (view: view2)]
    [rpz (view: view1)]

My assumption is that since the RPZ zone is "special" it therefore can't keep track of stats. Is this the case or am I overlooking something obvious?

I guess I could CNAME all the RPZ records to a single host in a separate domain and then do zone-statistics on that one zone, but that's kinda dirty.

-Christopher
Re: Getting RPZ statistics
> From: Howard, Christopher Bryan christopher-how...@utc.edu
>
> I recently (as of 2 days ago) enabled RPZ on all of my name servers. I currently use rndc stats, perl, and SNMP to make certain global stats available to our network monitoring system to make charts (number of queries across all views and such). I'd like to do the same for just the RPZ zone so I can get an idea of how many queries are getting handled by RPZ itself.

In a useless sense probably not intended, the number of queries handled by RPZ is the same as the number of queries handled by the normal zones in the views with response-policy{} statements, because all queries are tested against the policy zones.

The short answer to the likely intended question is that there are no RPZ specific statistics. One might want the number of responses rewritten according to each policy zone, but those statistics don't exist. I agree that the idea is worth thinking about.

Recent versions of the BIND9 RPZ code have improved logging. On DNS servers that are not too busy, it might be possible to synthesize useful RPZ statistics with awk/perl/whatever applied to the RPZ log category.

Vernon Schryver
v...@rhyolite.com
Re: Getting RPZ statistics
We point our DNS-RPZ records at a server (here-be-dragons) that records connections at that point. Also the webserver listening there sends back either an image or javascript+html which explains to the user the reason they are not seeing the webpage they expect.

The web server gives us a convenient way to gather statistics on which client machines are attempting to access which bad hosts. One of the stats we generate each night is the ten machines which accessed the here-be-dragons server the most, which we send to the help desk so they can let the person know their machine is probably infected with malware.

John
---
John Hascall, j...@iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication Directory Services)
IT Services, The Iowa State University of Science and Technology
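Vernon's suggestion of synthesising RPZ statistics from the rpz log category, and John's nightly "ten machines that hit the walled garden most" report, can both be served by one small log reducer. The script below is an added example, not code from either poster or from ISC: it pulls the client, queried name, policy action and the matching policy-zone record out of each rewrite line, counts rewrites per policy zone and per action, and produces the top-N clients and names. The sample lines are constructed to resemble the rpz log category as I remember it, so the field layout in the regex is an assumption to confirm against your own named log. Note, as Vernon says, that this counts rewritten responses, not queries tested against the policy.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread), shaped like BIND's "rpz"
# log category as I remember it: client, queried name, trigger type, policy
# action and the policy-zone record that matched.  Verify the field layout
# against your own named log before relying on the regex.
SAMPLE_RPZ_LOG = """\
client 10.20.30.40#51234 (bad.example): rpz QNAME NXDOMAIN rewrite bad.example via bad.example.rpz.local
client 10.20.30.40#51235 (evil.test): rpz QNAME CNAME rewrite evil.test via evil.test.rpz.local
client 10.20.30.41#40001 (bad.example): rpz QNAME NXDOMAIN rewrite bad.example via bad.example.rpz.local
client 10.20.30.42#40002 (www.c2.example): rpz IP NXDOMAIN rewrite www.c2.example via 32.7.113.0.203.rpz-ip.vendor.rpz.local
client 10.20.30.40#51236 (more.bad.example): rpz QNAME NXDOMAIN rewrite more.bad.example via more.bad.example.rpz.local
client 10.20.30.43#40003 (ok.example): query: ok.example IN A + (10.0.0.53)
"""

RPZ_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite (?P<name>\S+) via (?P<via>\S+)"
)
# Labels that introduce the encoded data in address/name-server triggers;
# whatever follows the label is the policy zone itself.
TRIGGER_LABELS = ("rpz-ip", "rpz-nsip", "rpz-nsdname", "rpz-client-ip")


def policy_zone(name, via):
    """Recover the policy zone name from the 'via' record that matched."""
    if via.startswith(name + "."):          # QNAME trigger: <qname>.<zone>
        return via[len(name) + 1:]
    for label in TRIGGER_LABELS:            # encoded trigger: <data>.<label>.<zone>
        marker = "." + label + "."
        if marker in via:
            return via.split(marker, 1)[1]
    return via


def summarise(log_text, top_n=10):
    """Reduce rpz-category log lines to per-zone, per-action and top-N counts."""
    by_zone, by_action = Counter(), Counter()
    by_client, by_qname = Counter(), Counter()
    for line in log_text.splitlines():
        m = RPZ_RE.search(line)
        if not m:
            continue                        # not a rewrite, e.g. ordinary query log
        by_zone[policy_zone(m["name"], m["via"])] += 1
        by_action[m["action"]] += 1
        by_client[m["client"]] += 1
        by_qname[m["qname"]] += 1
    return {
        "rewrites": sum(by_zone.values()),
        "by_policy_zone": dict(by_zone),
        "by_action": dict(by_action),
        "top_clients": by_client.most_common(top_n),
        "top_names": by_qname.most_common(top_n),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_RPZ_LOG, top_n=3)
    print(f"{s['rewrites']} responses rewritten")
    for zone, n in s["by_policy_zone"].items():
        print(f"  {n:6} via {zone}")
    print("top clients:", s["top_clients"])
    print("top names:", s["top_names"])
```

Run it nightly over the rotated log and the "top_clients" list is the same report John's walled-garden web server gives him, with the difference that a log-based count also catches clients that never complete the redirected HTTP connection (a non-browser process doing the lookup, for instance), while the web server sees only those that do.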