Allow recursion for external resources in an authoritative zone on a non-open DNS server
Hello all.

I have a closed BIND DNS server. It answers only to queries related to zones it is authoritative for (a normal behaviour... right?).

I have DNS zones that contain CNAMEs that point to hostnames in domains not managed by that server. So it won't resolve those names, returning the CNAME to the client.

I'd like to know if there is a way to tell BIND: "if the external resource is in a domain managed by you, resolve it (do recursion)". Do you know if it is possible?

Thanks in advance,
Stefano.

Stefano Chiesa
Wolters Kluwer Italia
Network Specialist
Strada 1, Palazzo F6
20090 Milanofiori Assago (Mi) - Italia
Phone +39 0282476279 (20279 VoIP)
Fax +39 0282476815

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Allow recursion for external resources in an authoritative zone on a non-open DNS server
On 18.11.13 13:57, Chiesa Stefano wrote:
> I have a closed BIND DNS server. It answers only to queries related to zones it is authoritative for (a normal behaviour... right?).
>
> I have DNS zones that contain CNAMEs that point to hostnames in domains not managed by that server. So it won't resolve those names, returning the CNAME to the client.
>
> I'd like to know if there is a way to tell BIND: "if the external resource is in a domain managed by you, resolve it (do recursion)".

There is not. Either BIND does recurse, or it does not.

If a DNS server is authoritative-only, it is only contacted by other (recursive) DNS servers that would (or, at least, should) not trust what it says in the ADDITIONAL section of its responses (which is where the CNAME content belongs in non-authoritative cases).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie (Slovak, the same warning): I do NOT want to receive any advertising mail at this address.
Christian Science Programming: "Let God Debug It!"
RE: Can I have Inbound load balancing achieved with below settings
From a networking perspective though (in a multi-homed environment)... this really should be handled by using IGRP and AS numbers. In a situation where the link is bouncing, there may be sporadic packets getting through the link, i.e. the DNS gets back 1.1.1.1 but on the next packet it's down again. Using an AS number and IGRP you don't need to have different DNS servers providing different IP addresses for the same server. You simply provide the same IP address out of both links and the routers (in determining the best route) choose which router to take, via ISP 1 or ISP 2, which serves up the same information.

This is also important for applications like Apache when handling session information, as a cookie at 1.1.1.1 is different from a cookie at 2.2.2.2 (if security is enforced properly). The below configuration can also make SSL difficult; a lot of application-layer stuff can go wrong when the link starts bouncing or is intermittent, which IGRP and ASN can handle transparently. IMHO trying to solve this via DNS is really complicating the issue far more than it needs to be.

> Date: Wed, 13 Nov 2013 10:46:23 +0530
> Subject: Can I have Inbound load balancing achieved with below settings
> From: manish...@gmail.com
> To: bind-users@lists.isc.org
>
> Hey Fellas,
>
> I am thinking on this perspective and need some help on it. Please guide me if I am wrong, or let me know if I can achieve the following.
>
> 1. I have a firewall with TWO ISP links, let's assume ISP1 and ISP2. And then I have an internal webserver www.foobar.com with IP 192.168.1.10.
> 2. I have NATted 192.168.1.10 to the ISP1 and ISP2 public IP addresses:
>    1.1.1.1 [ISP1] == 192.168.1.10 Port 80
>    2.2.2.2 [ISP2] == 192.168.1.10 Port 80
> 3. The NS server for foobar.com is on the Internet, let's assume ns.xyz.com. Added a sub-domain www.foobar.com.
> 4. Now this sub-domain www.foobar.com is on a BIND server kept in my network, say IP 192.168.1.20, which is again NATted to public IP addresses for ISP1 [1.1.1.10] and ISP2 [2.2.2.20].
> 5. So, if both the links are up, a client coming in on either of the links would get both the IP addresses.
> 6. Assume ISP1 goes down; a client coming in on ISP1 would never be able to reach it; hence, as per the DNS protocol, it will try the other link, come in on ISP2 and then probably get the IP address of link 2, i.e. 2.2.2.2.
> 7. I am sure in this case he would get both the IP addresses even if he is coming from the other link; that's what puzzles me, or I am wondering if I can return only the IP of ISP2 in case ISP1 is down? That way I achieve HA or load balance?
Re: Listen queue overflow
On 2013-11-14 17:04, Mark Andrews wrote:
> In message fd9b2cb2b33e394fae3b7466954760571d666...@dfwx10hmptc01.amer.dell.com, vinny_abe...@dell.com writes:
>> Hi Everyone,
>>
>> I recently had a recursive server running BIND 9.9.4 on FreeBSD 9.2 appear to wedge and stop responding to clients. I had a flurry of these errors on the console:
>>
>> sonewconn: pcb 0xfe007211d930: Listen queue overflow: 16 already in queue awaiting acceptance
>>
>> I couldn't trace that directly back to the named process by the time I looked at it, but I suspect that's what it was since it's really the only thing this machine is used for and it stopped working. It seems to have oddly become unstuck when I logged into the machine and started looking around. I never restarted named. Everything else on the server was running normally from what I could tell and no other errors existed that I could find. Unfortunately my logs rolled over too fast to check if named had logged anything else interesting.
>>
>> From what I've found in googling, this is an OS-level error stating the process isn't accepting new TCP connections and it's an application fault. I've only ever seen this on this particular machine, and just this once. My other recursive servers are running older versions of FreeBSD.
>
> Or it's just a plain DoS attack. For any service it is possible to send TCP connection requests faster than the service can handle them.
>
>> Has anyone come across this before and know how to prevent or correct this properly?
>
> You can tune tcp-listen-queue in named.conf. The current default is 10.
>
>> Thanks!
>> -Vinny

My logs have been filling up with

sonewconn: pcb 0xfe02bb7187a8: Listen queue overflow: 10 already in queue awaiting acceptance

which seems to have started since upgrading to FreeBSD 9.2 (though there have been other changes, but on the email front... so looking at BIND hadn't crossed my mind at all until I spotted this thread), though it's only on one server, so I had been hunting around trying to figure out where it's been coming from.

The hex number doesn't correspond to any socket that shows up with lsof, though the sockets that lsof shows have some resemblance. Doing lsof -i -T fqs and looking at QLIM=, I had thought sendmail was the culprit since its default listen queue is 10. But bumping it to 128 didn't stop the messages. And I couldn't find any other sockets this way with QLIM=10.

The sockets associated with named... the TCP domain sockets have QLIM=3 and the rndc socket has QLIM=128. For these systems, they're all running the system BIND (9.8.4-P2).

named 1276 bind 20u IPv4 0xfe00a73697a0 0t0 TCP zen:domain (LISTEN QR=0 QS=0 SO=ACCEPTCONN,NOSIGPIPE,PQLEN=0,QLEN=0,QLIM=3,RCVBUF=524288,REUSEADDR,SNDBUF=524288 SS=NBIO TF=MSS=536,REQ_SCALE,REQ_TSTMP,SACK_PERMIT)
named 1276 bind 21u IPv4 0xfe00a73693d0 0t0 TCP zen2:domain (LISTEN QR=0 QS=0 SO=ACCEPTCONN,NOSIGPIPE,PQLEN=0,QLEN=0,QLIM=3,RCVBUF=524288,REUSEADDR,SNDBUF=524288 SS=NBIO TF=MSS=536,REQ_SCALE,REQ_TSTMP,SACK_PERMIT)
named 1276 bind 22u IPv4 0xfe00a738b3d0 0t0 TCP localhost:domain (LISTEN QR=0 QS=0 SO=ACCEPTCONN,NOSIGPIPE,PQLEN=0,QLEN=0,QLIM=3,RCVBUF=524288,REUSEADDR,SNDBUF=524288 SS=NBIO TF=MSS=536,REQ_SCALE,REQ_TSTMP,SACK_PERMIT)
named 1276 bind 23u IPv4 0xfe00a75223d0 0t0 TCP localhost:rndc (LISTEN QR=0 QS=0 SO=ACCEPTCONN,NOSIGPIPE,PQLEN=0,QLEN=0,QLIM=128,RCVBUF=524288,REUSEADDR,SNDBUF=524288 SS=NBIO TF=MSS=536,REQ_SCALE,REQ_TSTMP,SACK_PERMIT)

FWIW, the only socket with QLIM=16 on my system is upsd (nut).

--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- SafeZone Ally
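The diagnostic step Lawrence describes above (the kernel's pcb address matches nothing in lsof, but the queue limit in the message can be matched against the QLIM= field of `lsof -i -T fqs`) is easy to script. The following is an added example, not code from the thread or from FreeBSD/BIND: it parses both kinds of line, groups the overflow messages by the backlog size they report, and lists the listening sockets whose QLIM is that size. The syslog and lsof lines embedded below are constructed for the example, modelled on the ones quoted in the thread; which process ends up as the suspect on a real host depends on that host's output.

```python
"""Correlate FreeBSD 'Listen queue overflow' messages with listening sockets.

Added example, not code from the thread. Matching is by backlog size only:
the kernel reports the queue limit that overflowed, and lsof -i -T fqs
reports each LISTEN socket's backlog as QLIM=<n>. The sample input below
is constructed for illustration.
"""
import re
import sys
from collections import Counter, defaultdict

OVERFLOW_RE = re.compile(
    r"sonewconn: pcb (?P<pcb>0x[0-9a-f]+): Listen queue overflow: "
    r"(?P<qlim>\d+) already in queue awaiting acceptance"
)
# lsof -i -T fqs columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (state + flags)
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<name>\S+)\s+\(LISTEN\b.*?\bQLIM=(?P<qlim>\d+)"
)

# Constructed sample input (not real captures).
SYSLOG = """\
Nov 14 09:12:01 zen kernel: sonewconn: pcb 0xfe02bb7187a8: Listen queue overflow: 10 already in queue awaiting acceptance
Nov 14 09:12:03 zen kernel: sonewconn: pcb 0xfe02bb7187a8: Listen queue overflow: 10 already in queue awaiting acceptance
Nov 14 09:15:44 zen kernel: sonewconn: pcb 0xfe007211d930: Listen queue overflow: 16 already in queue awaiting acceptance
""".splitlines()

LSOF = """\
named    1276 bind  20u IPv4 0xfe00a73697a0 0t0 TCP zen:domain (LISTEN QR=0 QS=0 SO=ACCEPTCONN,NOSIGPIPE,PQLEN=0,QLEN=0,QLIM=3,RCVBUF=524288,REUSEADDR,SNDBUF=524288 SS=NBIO TF=MSS=536,REQ_SCALE,REQ_TSTMP,SACK_PERMIT)
named    1276 bind  23u IPv4 0xfe00a75223d0 0t0 TCP localhost:rndc (LISTEN QR=0 QS=0 SO=ACCEPTCONN,NOSIGPIPE,PQLEN=0,QLEN=0,QLIM=128,RCVBUF=524288,REUSEADDR,SNDBUF=524288 SS=NBIO TF=MSS=536,REQ_SCALE,REQ_TSTMP,SACK_PERMIT)
sendmail  912 root   4u IPv4 0xfe00a7311000 0t0 TCP *:smtp (LISTEN QR=0 QS=0 SO=ACCEPTCONN,PQLEN=0,QLEN=0,QLIM=10,RCVBUF=65536,REUSEADDR,SNDBUF=32768 SS=NBIO TF=MSS=536)
upsd     1021 uucp   5u IPv4 0xfe00a7322000 0t0 TCP localhost:nut (LISTEN QR=0 QS=0 SO=ACCEPTCONN,PQLEN=0,QLEN=0,QLIM=16,RCVBUF=65536,REUSEADDR,SNDBUF=32768 SS=NBIO TF=MSS=536)
""".splitlines()


def parse_overflows(lines):
    """Count overflow messages per (queue limit, pcb address)."""
    counts = Counter()
    for line in lines:
        m = OVERFLOW_RE.search(line)
        if m:
            counts[(int(m.group("qlim")), m.group("pcb"))] += 1
    return counts


def parse_listeners(lines):
    """Map QLIM -> [(command, pid, local name)] for every LISTEN socket lsof printed."""
    by_qlim = defaultdict(list)
    for line in lines:
        m = LSOF_RE.match(line)
        if m:
            by_qlim[int(m.group("qlim"))].append(
                (m.group("cmd"), int(m.group("pid")), m.group("name"))
            )
    return by_qlim


def suspects(syslog_lines, lsof_lines):
    """For each backlog size that overflowed: how often, and which listeners use that size."""
    listeners = parse_listeners(lsof_lines)
    result = {}
    for (qlim, _pcb), n in parse_overflows(syslog_lines).items():
        entry = result.setdefault(qlim, {"overflows": 0, "listeners": listeners.get(qlim, [])})
        entry["overflows"] += n
    return result


if __name__ == "__main__":
    # Usage: correlate.py /var/log/messages lsof.txt   (lsof.txt from: lsof -i -T fqs)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            report = suspects(f.read().splitlines(), g.read().splitlines())
    else:
        report = suspects(SYSLOG, LSOF)
    for qlim, info in sorted(report.items()):
        who = ", ".join(f"{c}[{p}] {n}" for c, p, n in info["listeners"]) or "no listener with this QLIM"
        print(f"backlog {qlim}: {info['overflows']} overflow(s); candidates: {who}")
```

Because the match is by backlog size alone, two services configured with the same backlog stay ambiguous, which is why raising one of them (as Lawrence did with sendmail) is a useful way to split the candidates. For named, the TCP listener's backlog is the `tcp-listen-queue` option Mark mentions; raising it buys headroom against a burst of TCP connections but does not stop a deliberate flood, so a server that keeps overflowing deserves a look at who is opening those connections.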
Re: Allow recursion for external resources in an authoritative zone on a non-open DNS server
In message e81ed6071f7e3e44a69bc960c04469250c1a2...@s-mi-mail2.milano.wkitaly.it, Chiesa Stefano writes:
> Hello all.
>
> I have a closed BIND DNS server. It answers only to queries related to zones it is authoritative for (a normal behaviour... right?).
>
> I have DNS zones that contain CNAMEs that point to hostnames in domains not managed by that server. So it won't resolve those names, returning the CNAME to the client.

This is correct operation. Recursive/iterative servers talking to it do not need your server to resolve the target of the CNAME. They will go ask the nameservers for the target of the CNAME themselves, then combine the two answers and return that to the caller. Stub resolvers need to talk to a recursive server so it can do this work on their behalf.

> I'd like to know if there is a way to tell BIND: "if the external resource is in a domain managed by you, resolve it (do recursion)". Do you know if it is possible?

No.

> Thanks in advance,
> Stefano.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Allow recursion for external resources in an authoritative zone on a non-open DNS server
In article mailman.1694.1384820048.20661.bind-us...@lists.isc.org, Mark Andrews ma...@isc.org wrote:
> In message e81ed6071f7e3e44a69bc960c04469250c1a2...@s-mi-mail2.milano.wkitaly.it, Chiesa Stefano writes:
>> I'd like to know if there is a way to tell BIND: "if the external resource is in a domain managed by you, resolve it (do recursion)". Do you know if it is possible?
>
> No.

If the server is authoritative for both the CNAME and the target of the CNAME, no recursion should be necessary -- the target is already in its memory. Doesn't the server normally fill in the whole CNAME chain in this case?

--
Barry Margolin
Arlington, MA
Re: Allow recursion for external resources in an authoritative zone on a non-open DNS server
In message barmar-90ddc3.19453818112...@news.eternal-september.org, Barry Margolin writes:
> In article mailman.1694.1384820048.20661.bind-us...@lists.isc.org, Mark Andrews ma...@isc.org wrote:
>> In message e81ed6071f7e3e44a69bc960c04469250c1a2...@s-mi-mail2.milano.wkitaly.it, Chiesa Stefano writes:
>>> I'd like to know if there is a way to tell BIND: "if the external resource is in a domain managed by you, resolve it (do recursion)". Do you know if it is possible?
>>
>> No.
>
> If the server is authoritative for both the CNAME and the target of the CNAME, no recursion should be necessary -- the target is already in its memory. Doesn't the server normally fill in the whole CNAME chain in this case?

The targets of the CNAME records are not on the machine, as per the original description of the problem:

> I have DNS zones that contain CNAMEs that point to hostnames in domains not managed by that server.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Allow recursion for external resources in an authoritative zone on a non-open DNS server
In article mailman.1696.1384823151.20661.bind-us...@lists.isc.org, Mark Andrews ma...@isc.org wrote:
> In message barmar-90ddc3.19453818112...@news.eternal-september.org, Barry Margolin writes:
>> In article mailman.1694.1384820048.20661.bind-us...@lists.isc.org, Mark Andrews ma...@isc.org wrote:
>>> In message e81ed6071f7e3e44a69bc960c04469250c1a2...@s-mi-mail2.milano.wkitaly.it, Chiesa Stefano writes:
>>>> I'd like to know if there is a way to tell BIND: "if the external resource is in a domain managed by you, resolve it (do recursion)". Do you know if it is possible?
>>>
>>> No.
>>
>> If the server is authoritative for both the CNAME and the target of the CNAME, no recursion should be necessary -- the target is already in its memory. Doesn't the server normally fill in the whole CNAME chain in this case?
>
> The targets of the CNAME records are not on the machine, as per the original description of the problem:
>
>> I have DNS zones that contain CNAMEs that point to hostnames in domains not managed by that server.

I saw that, but the question says "if the external resource is in a domain managed by you". The external resource is the target of the CNAME, and "managed by you" means the server is authoritative for it. I admit I found the question confusing, since it seems to start with one premise, but then ask a question about a different one.

--
Barry Margolin
Arlington, MA
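The two behaviours this thread turns on, Mark's (an authoritative-only server hands back the CNAME and the recursive server chases the target itself and stitches the answers together, so a stub must talk to a recursive server) and Barry's (a CNAME whose target is in a zone the same server holds is completed in the one answer), can be seen side by side in the toy model below. This is an added example, not code from the thread or from BIND: the zones example.it and example.net, the addresses, the two server objects and the hop limit are constructed for illustration, and the model keeps only the answer section and rcode of a real DNS response.

```python
"""Toy model of the CNAME behaviour discussed in this thread.

Added example, not code from the thread or from BIND. Two server kinds are
modelled: an authoritative-only server that answers solely from the zones
it holds (recursion off), and a recursive resolver that chases CNAME chains
across servers on a stub client's behalf. Zone names, addresses, server
objects and the hop limit are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_CNAME_HOPS = 8  # assumed limit, so a CNAME loop cannot run forever


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str   # "A" or "CNAME"
    rdata: str


@dataclass
class Response:
    rcode: str                          # NOERROR, NXDOMAIN, REFUSED, SERVFAIL
    answer: List[RR] = field(default_factory=list)
    aa: bool = False                    # authoritative-answer flag


def zone_of(name: str, apexes) -> Optional[str]:
    """Longest zone apex containing name, or None if no apex does."""
    best = None
    for apex in apexes:
        if (name == apex or name.endswith("." + apex)) and (best is None or len(apex) > len(best)):
            best = apex
    return best


class AuthoritativeOnly:
    """A closed server: answers only from its own zones and never recurses.

    It follows a CNAME chain only while the target stays inside zones it
    holds; a target outside its zones simply ends the answer section.
    """

    def __init__(self, zones: Dict[str, List[RR]]):
        self.zones = zones

    def query(self, qname: str, qtype: str = "A") -> Response:
        apex = zone_of(qname, self.zones)
        if apex is None:
            return Response("REFUSED")          # not our zone, and recursion is off
        resp = Response("NOERROR", aa=True)
        name, seen = qname, set()
        while name not in seen and len(seen) < MAX_CNAME_HOPS:
            seen.add(name)
            rrs = [rr for rr in self.zones[apex] if rr.name == name]
            if not rrs:
                resp.rcode = "NXDOMAIN"
                return resp
            cname = next((rr for rr in rrs if rr.rtype == "CNAME"), None)
            if cname is None:
                resp.answer.extend(rr for rr in rrs if rr.rtype == qtype)
                return resp
            resp.answer.append(cname)
            name = cname.rdata
            apex = zone_of(name, self.zones)
            if apex is None:
                return resp                     # target lives elsewhere: stop here
        return resp                             # in-zone CNAME loop: chain cut short


class Recursive:
    """A resolver: asks the server holding each zone and stitches the chain together."""

    def __init__(self, delegation: Dict[str, AuthoritativeOnly]):
        self.delegation = delegation            # zone apex -> server holding it

    def resolve(self, qname: str, qtype: str = "A") -> Response:
        combined = Response("NOERROR")          # not authoritative: aa stays False
        name, seen = qname, set()
        while name not in seen and len(seen) < MAX_CNAME_HOPS:
            seen.add(name)
            apex = zone_of(name, self.delegation)
            if apex is None:
                return Response("SERVFAIL")     # no server known for this name
            r = self.delegation[apex].query(name, qtype)
            combined.answer.extend(r.answer)
            if r.rcode != "NOERROR":
                combined.rcode = r.rcode
                return combined
            if not r.answer or r.answer[-1].rtype != "CNAME":
                return combined                 # reached the address records
            name = r.answer[-1].rdata           # chase the CNAME ourselves
        return Response("SERVFAIL")             # CNAME loop or chain too long


# Constructed zones: the closed server holds example.it, whose www record is a
# CNAME into example.net, a zone held by a different server.
CLOSED = AuthoritativeOnly({
    "example.it": [
        RR("www.example.it", "CNAME", "cdn.example.net"),
        RR("alias.example.it", "CNAME", "host.example.it"),
        RR("host.example.it", "A", "192.0.2.10"),
        RR("loop.example.it", "CNAME", "loop2.example.it"),
        RR("loop2.example.it", "CNAME", "loop.example.it"),
    ],
})
OTHER = AuthoritativeOnly({"example.net": [RR("cdn.example.net", "A", "198.51.100.7")]})
RESOLVER = Recursive({"example.it": CLOSED, "example.net": OTHER})


def answer_from(server, name: str):
    """(rtype, rdata) pairs of the answer section, for easy comparison."""
    resp = server.query(name) if isinstance(server, AuthoritativeOnly) else server.resolve(name)
    return [(rr.rtype, rr.rdata) for rr in resp.answer]


if __name__ == "__main__":
    print(answer_from(CLOSED, "www.example.it"))     # stub asks the closed server: CNAME only
    print(answer_from(CLOSED, "alias.example.it"))   # in-zone target: chain completed by the server
    print(answer_from(RESOLVER, "www.example.it"))   # recursive server stitches CNAME + A together
```

The split between the two server kinds is also the security reason for keeping the authoritative server closed: a server that recurses for anyone is an open resolver, usable as a reflector in amplification attacks and exposed to cache poisoning, so the usual arrangement is `recursion no;` on the public authoritative server and a separate recursive service (or, in BIND, a separate view) restricted to the organisation's own stub clients.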