Re: Solaris 11
John

When you do compile from source maybe look at BIND 9.9.3rc1, as this has some fixes in for Solaris 11 in 64-bit mode. We are running a patched version of 9.9.2 successfully in our environment.

Regards

On 15/04/2013 22:24, Manson, John wrote:
> I searched www.isc.org to no avail.
> Is bind 9.9.x compatible with Solaris 11?
> Anything out of the ordinary with compiling and such?
> Thanks
>
> John Manson
> CAO/HIR/NAF Data-Communications | U.S. House of Representatives | Washington, DC 20515
> Desk: 202-226-4244 | TCC: 202-226-6430 | john.man...@mail.house.gov

--
Jaco Lesch
SAIX HLS
Email: ja...@saix.net
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Understanding Kaminsky exploit w/bind
On 15.04.13 09:44, Jamie Ostrowski wrote:
> But that is the point of my question. Since it is relying on its cached entry for the auth. nameserver for mydomain.com, the attacker, once the auth. nameserver for mydomain.com was cached, would have to wait until that cached NS entry for mydomain.com expires from the resolver's cache before they can make another attempt to send a forged NS record for mydomain.com, correct?

no... the attacker simply sends a bunch of replies with the spoofed source address of the authoritative nameserver. The victim sees packets coming from the authoritative nameserver and does not know if they were really sent by the server (the source address is spoofed).

It's quite easy to spoof 65535 responses with different query IDs in a few seconds nowadays. That is why random source ports are used now (it's not easy to spoof ~4 billions of replies) and that is why securedns is the only way to avoid this attack.

Once the spoofed answer with guessed ID and containing NS records of attacker's servers is accepted, the attacker owns the domain at least within your nameserver.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat
On 15.04.13 16:13, Denis Laventure wrote:
> I'm having the same problem but for those domains...
>
> hao.360.cn.
> openboxcdn.mobilem.360.cn.
> xliar.com.
> www.so.com.
> www.baidu.com.
> www.360.cn
> down.360.cn
> www.hao123.com
>
> 15-Apr-2013 15:00:08.485 security: info: client 117.21.187.20#52538: view external: query (cache) 'hao.360.cn/A/IN' denied

Aren't those domains pointing their NS onto your nameserver?
What's your IP, if it's not secret?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat
On 15.04.13 10:02, Jose Manuel Delgado G. wrote:
> Subject: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an update to version 9.9.2-P2 as recommended but still continuous problems.
>
> 190.34.55.70 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.33.3.27 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.32.57.243 - 201.224.83.242 DNS C isc.org. Internet * ?
> 201.224.149.40 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.35.22.44 - 201.224.83.242 DNS C isc.org. Internet * ?
> 186.73.76.87 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.34.44.109 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.32.56.118 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.34.27.201 - 201.224.83.242 DNS C isc.org. Internet * ?
> 201.224.115.26 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.32.165.139 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.33.231.148 - 201.224.83.242 DNS C isc.org. Internet * ?
> 190.35.84.29 - 201.224.83.242 DNS C isc.org. Internet * ?

% host 201.224.83.242
242.83.224.201.in-addr.arpa domain name pointer ns5.cwpanama.net.

inetnum: 190.34/15
status: allocated
aut-num: N/A
owner: Cable Wireless Panama

inetnum: 201.224/16
status: allocated
aut-num: N/A
owner: Cable Wireless Panama

they apparently expect your nameserver to provide recursive DNS service for your company while it may not be intended for that use... some customers (well, not only customers...) do not understand the difference between authoritative and recursive DNS service and may try to use servers for purpose not intended. Some may also complain if the service does not work properly

if you want to be really a bitch, you can set up recursive view with . domain providing * records.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
REALITY.SYS corrupted. Press any key to reboot Universe.
Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat
In article mailman.130.1366101804.20661.bind-us...@lists.isc.org, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> they apparently expect your nameserver to provide recursive DNS service for your company while it may not be intended for that use... some customers (well, not only customers...) do not understand the difference between authoritative and recursive DNS service and may try to use servers for purpose not intended. Some may also complain if the service does not work properly

If they were using his server as a resolver, wouldn't he see queries for lots of random hostnames (including popular domains like www.google.com, www.yahoo.com, etc.), not just isc.org?

--
Barry Margolin
Arlington, MA
Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat
On Tue, 2013-04-16 at 05:27 -0400, Barry Margolin wrote:
> In article mailman.130.1366101804.20661.bind-us...@lists.isc.org, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> > they apparently expect your nameserver to provide recursive DNS service for your company while it may not be intended for that use... some customers (well, not only customers...) do not understand the difference between authoritative and recursive DNS service and may try to use servers for purpose not intended. Some may also complain if the service does not work properly
>
> If they were using his server as a resolver, wouldn't he see queries for lots of random hostnames (including popular domains like www.google.com, www.yahoo.com, etc.), not just isc.org?

This seems like some attack going on; after reading the mails I also checked my recursive server and found a lot of these in my logs:

16-Apr-2013 11:31:35.743 security: info: client 101.226.167.13#55818: query (cache) 'xliar.com/A/IN' denied
16-Apr-2013 11:31:35.776 security: info: client 101.226.167.13#53710: query (cache) 'www.baidu.com/A/IN' denied
16-Apr-2013 11:31:35.813 security: info: client 182.118.40.31#42505: query (cache) 'www.baidu.com/A/IN' denied
16-Apr-2013 11:31:36.187 security: info: client 220.181.156.90#59278: query (cache) 'hao.360.cn/A/IN' denied
16-Apr-2013 11:31:36.225 security: info: client 220.181.156.90#50194: query (cache) 'www.360.cn/A/IN' denied
16-Apr-2013 11:31:36.253 security: info: client 220.181.156.90#33551: query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:31:36.574 security: info: client 182.118.40.31#36470: query (cache) 'xliar.com/A/IN' denied
16-Apr-2013 11:31:36.587 security: info: client 182.118.40.31#51191: query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:31:36.691 security: info: client 117.21.187.20#47169: query (cache) 'hao.360.cn/A/IN' denied
16-Apr-2013 11:31:36.705 security: info: client 183.60.211.65#32809: query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:31:36.722 security: info: client 117.21.187.20#54942: query (cache) 'www.so.com/A/IN' denied
16-Apr-2013 11:31:36.733 security: info: client 117.21.187.20#50493: query (cache) 'down.360.cn/A/IN' denied
16-Apr-2013 11:31:36.761 security: info: client 182.118.40.31#54391: query (cache) 'hao.360.cn/A/IN' denied
16-Apr-2013 11:31:36.762 security: info: client 120.128.6.42#56439: query (cache) 'down.360.cn/A/IN' denied
16-Apr-2013 11:31:36.798 security: info: client 120.128.6.42#52172: query (cache) 'www.360.cn/A/IN' denied

my server is not an open recursive server, it's only open to my clients and these are not even from my country.

Kebba
Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat
On 16/04/13 12:41, Kebba Foon wrote:
> my server is not an open recursive server, it's only open to my clients and these are not even from my country.

You're right, it's probably a spoofed-source DNS amplification attack.

If your DNS server isn't open (good to hear) you could consider just ACLing it at your network border.

Alternatively, you could consider the RRL patches to bind.
Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat
On Tue, 2013-04-16 at 13:00 +0100, Phil Mayers wrote:
> On 16/04/13 12:41, Kebba Foon wrote:
> > my server is not an open recursive server, it's only open to my clients and these are not even from my country.
>
> You're right, it's probably a spoofed-source DNS amplification attack.
>
> If your DNS server isn't open (good to hear) you could consider just ACLing it at your network border.
>
> Alternatively, you could consider the RRL patches to bind.

This looks definitely like an attack; it's the same thing on both my recursive servers, just checked the other now and saw the same queries.
RE: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat
> This seems like some attack going on; after reading the mails I also checked my recursive server and found a lot of these in my logs:
>
> my server is not an open recursive server, it's only open to my clients and these are not even from my country.

Same here, my DNS are open to my clients only and are not open resolver. Good to see that I'm not the only one with that problem.

Finally, I got this list of IPs blocked on my firewall and I don't have issue anymore for now :

Denis
Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat
On 16/04/13 14:04, Denis Laventure wrote:
> > This seems like some attack going on; after reading the mails I also checked my recursive server and found a lot of these in my logs:
> >
> > my server is not an open recursive server, it's only open to my clients and these are not even from my country.
>
> Same here, my DNS are open to my clients only and are not open resolver. Good to see that I'm not the only one with that problem.
>
> Finally, I got this list of IPs blocked on my firewall and I don't have issue anymore for now :

Instead of blocking the source (which aren't even real - they're spoofed) why not just block access to your recursive resolver on port 53.
RE: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat
> Instead of blocking the source (which aren't even real - they're spoofed) why not just block access to your recursive resolver on port 53.

I need my DNS server to resolve for my authoritative domain, I have 30+ domains here I can't block access to port 53.

Denis
Re: I'm having thousands of queries a domain isc.org and this increases my cpu percentage to 100%. That may be happening and how I can control this? is an attack? attachment of the log I made an updat
On 16/04/13 14:28, Denis Laventure wrote:
> > Instead of blocking the source (which aren't even real - they're spoofed) why not just block access to your recursive resolver on port 53.
>
> I need my DNS server to resolve for my authoritative domain, I have 30+ domains here I can't block access to port 53.

(replying on-list for posterity)

Ah, it's a shared auth/recursive. In which case that's probably the best you can do. Just be aware these IPs are probably spoofed - they are the victims - so you should have some process to expire them over time.

FWIW this is one reason not to mix auth/recursive on the same server; it tempts you to use the same IP.
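Added example, not written by any poster in this thread: one way to act on the advice above that blocked sources are probably spoofed victims and should expire over time. It parses the "query (cache) ... denied" log format quoted in the thread, counts refusals per source, and keeps a block list whose entries age out; the function names, the threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# BIND security-category line for a refused cache query; the "view <name>:"
# field appears only when views are configured.
DENIED = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) security: info: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied$"
)

# Constructed sample: line format as quoted in the thread, source addresses
# replaced with documentation ranges (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = """\
16-Apr-2013 11:31:35.743 security: info: client 192.0.2.13#55818: query (cache) 'xliar.com/A/IN' denied
16-Apr-2013 11:31:35.776 security: info: client 192.0.2.13#53710: query (cache) 'www.baidu.com/A/IN' denied
16-Apr-2013 11:31:36.187 security: info: client 198.51.100.90#59278: view external: query (cache) 'hao.360.cn/A/IN' denied
16-Apr-2013 11:31:36.574 security: info: client 192.0.2.13#36470: query (cache) 'xliar.com/A/IN' denied
16-Apr-2013 11:31:37.002 general: info: zone example.com/IN: loaded serial 2013041601
"""


def parse_denied(lines):
    """Return one dict per denied cache query line; other lines are skipped."""
    records = []
    for line in lines:
        m = DENIED.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
            records.append(rec)
    return records


def top_qnames(records, n=3):
    """Most frequently refused query names, as (name, count) pairs."""
    return Counter(r["qname"] for r in records).most_common(n)


def refresh(blocklist, records, threshold):
    """Add or refresh sources with at least `threshold` denied queries.

    The block list maps source IP -> time that source was last seen.
    """
    counts = Counter(r["ip"] for r in records)
    updated = dict(blocklist)
    for r in records:
        if counts[r["ip"]] >= threshold:
            prev = updated.get(r["ip"])
            updated[r["ip"]] = r["ts"] if prev is None else max(prev, r["ts"])
    return updated


def expire(blocklist, now, ttl):
    """Drop entries not seen within `ttl`, so no block becomes permanent."""
    return {ip: seen for ip, seen in blocklist.items() if now - seen <= ttl}


if __name__ == "__main__":
    recs = parse_denied(SAMPLE_LOG.splitlines())
    blocked = refresh({}, recs, threshold=3)
    print("top refused names:", top_qnames(recs))
    print("blocked now:", blocked)
    later = datetime(2013, 4, 16, 13, 0)
    print("after expiry:", expire(blocked, later, timedelta(hours=1)))
```
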
RE: Caching server - named process is limit at 500MB
Hi,

How to check 64 bit version of bind? I often download source code from isc.org and compile on 64 bit Solaris 10 OS then. I always consider my version is 64 bit.

Thanks and Best Regards,

Website: www.svtech.com.vn
E-mail: khanh@svtech.com.vn

From: Jaco Lesch [mailto:ja...@saix.net]
Sent: Friday, April 12, 2013 12:51 PM
To: Chu Ha Khanh
Cc: bind-users@lists.isc.org
Subject: Re: Caching server - named process is limit at 500MB

Chu

Had the same issue in the past in the Solaris 8 and 9 days, as the default compiled binaries are 32-bit, which seems to limit memory usage to 512 MB. You can modify the configure script/source to use more memory in 32-bit, but I will suggest you move to 64-bit versions of BIND. When we migrated to Solaris 10, I compiled from source with 64-bit support; this you need to specify in the configure script, and there are some other edits you might have to do if you need SSL support for DNSsec. You can compile the source with GCC or Studio, they both work fine. If you need any specific help, you are welcome to contact me directly.

Regards

On 12/04/2013 05:25, Chu Ha Khanh wrote:
> Hi,
>
> We deploy bind 9.x.x cache server, solaris 10 sparc, on a system that is servicing large customers. We face an issue that the bind process on a server is limited to 500MB. If the number of requests to the server increases, bind hangs and is unable to respond to queries. We recognize the named process is at 500MB when it hangs.
>
> To face this issue we make many virtual machines on a physical server (zones in solaris sparc, and xen on intel) to increase performance.
>
> Because we can increase the performance on a physical server, we can deduce that the issue is not caused by a hardware limit. It may be a software bug or misconfiguration.
>
> Please take a look at my issue. I would appreciate any help.
>
> Thanks and Best Regards,
>
> Website: www.svtech.com.vn
> E-mail: khanh@svtech.com.vn
RE: Caching server - named process is limit at 500MB
Hi,

Here is my output from the command. It looks like my bind version is actually 32 bit. But there are some default applications also 32 bit although all are installed on a 64 bit OS. I have to check this for a moment.

bash-3.2# file `which named`
/usr/local/sbin/named: ELF 32-bit LSB executable 80386 Version 1, dynamically linked, not stripped
bash-3.2#
bash-3.2# file /usr/local/bin/gcc
/usr/local/bin/gcc: ELF 32-bit LSB executable 80386 Version 1 [FPU], dynamically linked, not stripped
bash-3.2# file `which java`
/usr/bin/java: ELF 32-bit LSB executable 80386 Version 1 [FPU], dynamically linked, not stripped, no debugging information available
bash-3.2# isainfo -kv
64-bit amd64 kernel modules

Thanks and Best Regards,

Website: www.svtech.com.vn
E-mail: khanh@svtech.com.vn

-----Original Message-----
From: Mike Hoskins (michoski) [mailto:micho...@cisco.com]
Sent: Wednesday, April 17, 2013 9:34 AM
To: Chu Ha Khanh; 'Jaco Lesch'
Cc: bind-users@lists.isc.org
Subject: Re: Caching server - named process is limit at 500MB

> -----Original Message-----
> From: Chu Ha Khanh khanh@svtech.com.vn
> Date: Tuesday, April 16, 2013 10:25 PM
> To: 'Jaco Lesch' ja...@saix.net
> Cc: bind-users@lists.isc.org
> Subject: RE: Caching server - named process is limit at 500MB
>
> Hi,
>
> How to check 64 bit version of bind? I often download source code from isc.org and compile on 64 bit Solaris 10 OS then. I always consider my version is 64 bit.

$ file `which named`
/usr/sbin/named: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, stripped

(or whatever path to the right named executable...)