RE: Diagnostic help part 2

2014-09-30 Thread Eli Heady
On Sep 30, 2014 7:11 PM, "John Anderson" @ccbill.com wrote:
>
> >If named is running and doesn't respond on the external interface, it's
> >possible that your listen-on {}; directive is set to only localhost.
>
> >TCP connections to 205.238.182.102 come back "Connection refused", so
> >it's possible that BIND just isn't listening on the interface or perhaps
> >you're filtering the inbound queries.   Do you see the queries come in to
> >the box, either via packet dump or query logs?
>
>
> Is your BIND server behind a firewall?  Is it only listening on
> localhost, or on an internal interface?  If '~]$ netstat -nlp | grep named'
> tells you that named is only listening on 127.0.0.1:53, then you need to
> adjust listen-on in named.conf.  If you are running iptables, you need to
> allow at least UDP/53 in; if this is a master transferring to slaves, it
> might be a good idea to allow TCP/53 in as well.  If you are behind a
> firewall, you need to open up UDP/53 or port forward UDP/53 to your bind
> server.
>

I know Bill's issue is solved, but I want to point out that anyone running
DNS would be wise to not block TCP/53. TCP service for queries is specified
in the protocol design, and not just for transfers. Failing UDP queries
should result in retries over TCP.

With response sizes growing (dnssec, ipv6), answers are more likely to be
too large for UDP.

If you enable response rate limiting (try it, you'll like it), you must
also respond to TCP queries. The RRL implementation is designed to cause
legitimate clients to retry queries over TCP.

There are a variety of reasons UDP responses won't make it to clients,
many of which are outside your control. Not offering TCP service means
clients that can't reliably get UDP responses likely won't get any answer
from your servers at all.

Eli
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
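The UDP-first, TCP-fallback client behaviour Eli describes, as an added example that is not code from this thread: a minimal probe that hand-builds an A query, sends it on UDP/53, and retries over TCP/53 when the reply is lost or carries the TC (truncated) bit, reporting a refused TCP connection separately because that is the symptom Rich and John saw. It assumes only the Python standard library; the function and field names are this example's own.

```python
import socket
import struct

TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags word

def build_query(qname, qid, qtype=1):
    """Hand-build a standard query (RD set) for qname / qtype (1 = A), class IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_header(msg):
    """Pull out the fields a client needs to decide what to do next."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & TC_FLAG), "rcode": flags & 0xF, "ancount": an}

def needs_tcp_retry(udp_reply, qid):
    """True when UDP gave nothing usable: timeout, id mismatch, or a truncated answer."""
    if udp_reply is None or len(udp_reply) < 12:
        return True
    hdr = parse_header(udp_reply)
    return hdr["id"] != qid or hdr["tc"]

def query_udp(server, query, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None  # reply lost or filtered somewhere on the path

def query_tcp(server, query, timeout=5.0):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)
        f = s.makefile("rb")  # read(n) blocks until exactly n bytes or EOF
        (length,) = struct.unpack(">H", f.read(2))
        return f.read(length)

def probe(server, qname, qid=0x1234):
    """UDP first, TCP fallback; 'connection refused' on 53/tcp points at listen-on or a firewall."""
    query = build_query(qname, qid)
    reply = query_udp(server, query)
    if not needs_tcp_retry(reply, qid):
        return {"transport": "udp", **parse_header(reply)}
    try:
        return {"transport": "tcp", **parse_header(query_tcp(server, query))}
    except ConnectionRefusedError:
        return {"transport": "tcp", "error": "connection refused on 53/tcp"}
```

Run `probe(server_ip, "example.com.")` against your own authoritative server: a result with `"transport": "tcp"` and no error means UDP replies are being truncated or lost, while `"connection refused on 53/tcp"` is the listen-on or firewall case from this thread.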

Re: Diagnostic help part 2

2014-09-30 Thread Bill Christensen

On 9/30/14, 5:52 PM, Rich Goodson wrote:
> If named is running and doesn't respond on the external interface,
> it's possible that your listen-on {}; directive is set to only localhost.

You may have hit on it there.  It was set to
listen-on { 127.0.0.1; };

I just changed that to:
listen-on { 205.238.182.102; };
and it appears to have made all the difference.

I'm no longer seeing the errors from (at least, some of) the online DNS
tests that 102 doesn't respond.  I'm guessing the others have cached
info from lookups earlier today.

Please let me know if you see otherwise.

Now to get on with some of the other cleanup tasks.

Thanks for the help.

> TCP connections to 205.238.182.102 come back "Connection refused", so
> it's possible that BIND just isn't listening on the interface or
> perhaps you're filtering the inbound queries.   Do you see the queries
> come in to the box, either via packet dump or query logs?
>
> -Rich
>
> On Sep 30, 2014, at 5:30 PM, Bill Christensen <billc_li...@greenbuilder.com> wrote:
>
>> On 9/30/14, 4:15 PM, Charles Swiger wrote:
>>> Hi--
>>>
>>> On Sep 30, 2014, at 1:59 PM, Bill Christensen <billc_li...@greenbuilder.com> wrote:
>>>> Fair enough.
>>>>
>>>> Africabound.org
>>>> SustainableSources.com
>>>>
>>>> The server that's giving problems is ns1.sustainablesources.com
>>>> 205.238.182.102
>>>
>>> Your 102 box doesn't seem to be responding to 53/udp or 53/tcp from the
>>> outside:
>>>
>>>   http://www.dnsinspect.com/sustainablesources.com/1412110958
>>>
>>> There's a bunch of other issues.  In particular, BIND 9.6-ESV is the
>>> oldest version which anyone should be running on the public internet, and
>>> even that is sufficiently obsolete that I think support for that ended
>>> this year.
>>>
>>> Regards,
>>> --
>>> -Chuck
>>
>> I'm aware that the BIND 9.6 on the other machine is rather ancient,
>> and have plans to move off it in the reasonably near future.  And the
>> other issues.  Trying to clean them all up.
>>
>> But I still have the initial problem of getting
>> ns1.sustainablesources.com 205.238.182.102 to answer.  This is a clean
>> install of the latest BIND available, after a system upgrade, so there's
>> probably something wrong with my config.  Problem is, I don't know what.
>> I've been over it dozens of times and am stuck, otherwise I wouldn't
>> have posted here.
>>
>> Is it kosher to post the config file here?

RE: Diagnostic help part 2

2014-09-30 Thread John Anderson
>If named is running and doesn't respond on the external interface, it's 
>possible that your listen-on {}; directive is set to only localhost.

>TCP connections to 205.238.182.102 come back "Connection refused", so 
>it's possible that BIND just isn't listening on the interface or perhaps 
>you're filtering the inbound queries.   Do you see the queries come in to 
>the box, either via packet dump or query logs?


Is your BIND server behind a firewall?  Is it only listening on localhost, or 
on an internal interface?  If '~]$ netstat -nlp | grep named' tells you that 
named is only listening on 127.0.0.1:53, then you need to adjust listen-on in 
named.conf.  If you are running iptables, you need to allow at least UDP/53 in; 
if this is a master transferring to slaves, it might be a good idea to allow 
TCP/53 in as well.   If you are behind a firewall, you need to open up UDP/53 
or port forward UDP/53 to your bind server.

Here's what I see when looking at the IP you provided:

~]$ sudo nmap -sT -sU -p 53 205.238.182.102

Starting Nmap 5.51 ( http://nmap.org ) at 2014-09-30 16:02 MST
Nmap scan report for www3.greenbuilder.com (205.238.182.102)
Host is up (1.1s latency).
PORT   STATE  SERVICE
53/tcp closed domain
53/udp closed domain

Here is what I should see, using Google's DNS server as an example:

~]$ sudo nmap -sT -sU -p 53 8.8.8.8

Starting Nmap 5.51 ( http://nmap.org ) at 2014-09-30 16:03 MST
Nmap scan report for google-public-dns-a.google.com (8.8.8.8)
Host is up (0.062s latency).
PORT   STATE SERVICE
53/tcp open  domain
53/udp open|filtered domain

John A.


Re: Diagnostic help part 2

2014-09-30 Thread Rich Goodson
If named is running and doesn’t respond on the external interface, it’s 
possible that your listen-on {}; directive is set to only localhost.

TCP connections to 205.238.182.102 come back “Connection refused”, so it’s 
possible that BIND just isn’t listening on the interface or perhaps you’re 
filtering the inbound queries.   Do you see the queries come in to the box, 
either via packet dump or query logs?


-Rich


On Sep 30, 2014, at 5:30 PM, Bill Christensen  
wrote:

> On 9/30/14, 4:15 PM, Charles Swiger wrote:
>> Hi--
>> 
>> On Sep 30, 2014, at 1:59 PM, Bill Christensen  
>> wrote:
>>> Fair enough.  
>>> 
>>> Africabound.org
>>> SustainableSources.com
>>> 
>>> The server that's giving problems is ns1.sustainablesources.com 
>>> 205.238.182.102
>> 
>> Your 102 box doesn't seem to be responding to 53/udp or 53/tcp from the outside:
>> 
>>   http://www.dnsinspect.com/sustainablesources.com/1412110958
>> 
>> There's a bunch of other issues.  In particular, BIND 9.6-ESV is the oldest 
>> version which anyone should be running on the public internet, and even that 
>> is sufficiently obsolete that I think support for that ended this year.
>> 
>> Regards,
>> -- 
>> -Chuck
>> 
> I'm aware that the BIND 9.6 on the other machine is rather ancient, and have 
> plans to move off it in the reasonably near future.  And the other issues.  
> Trying to clean them all up. 
> 
> But I still have the initial problem of getting ns1.sustainablesources.com 
> 205.238.182.102 to answer.  This is a clean install of the latest BIND 
> available, after a system upgrade, so there's probably something wrong with 
> my config.  Problem is, I don't know what.  I've been over it dozens of times 
> and am stuck, otherwise I wouldn't have posted here. 
> 
> Is it kosher to post the config file here?  

Re: Diagnostic help part 2

2014-09-30 Thread Bill Christensen

On 9/30/14, 4:15 PM, Charles Swiger wrote:
> Hi--
>
> On Sep 30, 2014, at 1:59 PM, Bill Christensen <billc_li...@greenbuilder.com> wrote:
>> Fair enough.
>>
>> Africabound.org
>> SustainableSources.com
>>
>> The server that's giving problems is ns1.sustainablesources.com
>> 205.238.182.102
>
> Your 102 box doesn't seem to be responding to 53/udp or 53/tcp from the outside:
>
>   http://www.dnsinspect.com/sustainablesources.com/1412110958
>
> There's a bunch of other issues.  In particular, BIND 9.6-ESV is the
> oldest version which anyone should be running on the public internet, and
> even that is sufficiently obsolete that I think support for that ended
> this year.
>
> Regards,
> --
> -Chuck

I'm aware that the BIND 9.6 on the other machine is rather ancient, and 
have plans to move off it in the reasonably near future.  And the other 
issues.  Trying to clean them all up.

But I still have the initial problem of getting 
ns1.sustainablesources.com 205.238.182.102 to answer.  This is a clean 
install of the latest BIND available, after a system upgrade, so there's 
probably something wrong with my config.  Problem is, I don't know 
what.  I've been over it dozens of times and am stuck, otherwise I 
wouldn't have posted here.

Is it kosher to post the config file here?

Re: Diagnostic help part 2

2014-09-30 Thread Charles Swiger
Hi--

On Sep 30, 2014, at 1:59 PM, Bill Christensen  
wrote:
> Fair enough.  
> 
> Africabound.org
> SustainableSources.com
> 
> The server that's giving problems is ns1.sustainablesources.com 
> 205.238.182.102

Your 102 box doesn't seem to be responding to 53/udp or 53/tcp from the outside:

  http://www.dnsinspect.com/sustainablesources.com/1412110958

There's a bunch of other issues.  In particular, BIND 9.6-ESV is the oldest 
version which anyone should be running on the public internet, and even that 
is sufficiently obsolete that I think support for that ended this year.

Regards,
-- 
-Chuck


Re: Diagnostic help part 2

2014-09-30 Thread Bill Christensen

Fair enough.

Africabound.org
SustainableSources.com

The server that's giving problems is ns1.sustainablesources.com 
205.238.182.102


(yes, I'm aware of intermittent problems with ns3 as well.  That one's 
not under my control, and I'm moving clients off it.)


Thanks.

On 9/30/14, 2:40 PM, Doug Barton wrote:
> On 9/30/14 12:18 PM, Bill Christensen wrote:
>> Ok, since I theoretically have the allow-query correct I need to move on
>> to what else may be wrong.
>>
>> When I test with http://www.intodns.com/ or other online tools, I'm
>> getting " ERROR: One or more of your nameservers did not respond"  (the
>> IP is the server in question)
>>
>> BIND 9.10.1 *appears* to be running  - named has a PID.
>>
>> Might it be a problem with system permissions or something like that?
>
> If these are domains that are visible on the public Internet, tell us
> the domain names. It's really impossible to guess what might be wrong
> with your setup.
>
> https://dougbarton.us/DNS/bind-users-FAQ.html#RealNames




Re: Diagnostic help part 2

2014-09-30 Thread Doug Barton

On 9/30/14 12:18 PM, Bill Christensen wrote:
> Ok, since I theoretically have the allow-query correct I need to move on
> to what else may be wrong.
>
> When I test with http://www.intodns.com/ or other online tools, I'm
> getting " ERROR: One or more of your nameservers did not respond"  (the
> IP is the server in question)
>
> BIND 9.10.1 *appears* to be running  - named has a PID.
>
> Might it be a problem with system permissions or something like that?


If these are domains that are visible on the public Internet, tell us 
the domain names. It's really impossible to guess what might be wrong 
with your setup.


https://dougbarton.us/DNS/bind-users-FAQ.html#RealNames


Re: Diagnostic help part 2

2014-09-30 Thread Bill Christensen


Ok, since I theoretically have the allow-query correct I need to move on 
to what else may be wrong.


When I test with http://www.intodns.com/ or other online tools, I'm 
getting " ERROR: One or more of your nameservers did not respond"  (the 
IP is the server in question)


BIND 9.10.1 *appears* to be running  - named has a PID.

Might it be a problem with system permissions or something like that?

On 9/30/14, 2:41 AM, Matus UHLAR - fantomas wrote:
> On 29.09.14 20:58, Ben Croswell wrote:
>> The default for allow query is local host local nets.  Basically the
>> server itself and directly connected networks
>
> no, that is the default for allow_recursion (and allow_query_cache).
> the default for allow_query is all.
>
>> On Sep 29, 2014 8:03 PM, "Bill Christensen" wrote:
>>> Allow-query is commented out, which I assume will allow anyone to query
>>> this server for the domains for which it has master or slave
>>> records, but does not allow the general public to do recursive queries
>>> or queries on domains not hosted here.
>>>
>>> Let me know if I've got that right, or how to correct it if I don't.
>
> correct.




Re: Paper on IPv6 DNS Measurement

2014-09-30 Thread Mukund Sivaraman
Hi Gaurav

On Tue, Sep 30, 2014 at 03:57:49PM +0530, Gaurav Kansal wrote:
> Our finding was:-
> 
> 1. About 50% of the query is from Google AS
> 2. Around 7.4% queries are from Facebook AS (i.e., 32934)
> and many other..
> 
> Fb is on the 2nd spot in the AS wise query statistics. (Paper
> http://kansal15.blogspot.in/2014/09/ipv6-dns-measurement-stats.html )
> 
> I was wondering why Fb is querying us and that too in so much quantity ?
> Did anyone face similar behavior from FB ASn ??

(The dns-operations list may be better suited for such a question.)

The result you are seeing could be because Facebook is one of the most
popular applications used by the general public, and many people post
many links often on Facebook (including those in the .nic.in and .gov.in
domains), and when the Facebook application tries to download the
webpage, Facebook's resolvers contact your authoritative server using
IPv6.

See https://www.facebook.com/externalhit_uatext.php

It wouldn't be surprising if Facebook also refreshes information about a
URL after a time period, or periodically checks webpages during a user's
link click before a redirect, creating additional queries.

The statistic of IPv6 queries could be very different from overall
traffic, as you are measuring only networks that could contact your
servers over IPv6.

Mukund



Paper on IPv6 DNS Measurement

2014-09-30 Thread Gaurav Kansal

Dear Team,

We have analyzed around 70 million query logs which we received on our 
IPv6 DNS Server in the month of August 2014 and tried to figure out the 
stats over that.


Our finding was:-

1. About 50% of the query is from Google AS
2. Around 7.4% queries are from Facebook AS (i.e., 32934)
and many other..

Fb is on the 2nd spot in the AS wise query statistics. (Paper 
http://kansal15.blogspot.in/2014/09/ipv6-dns-measurement-stats.html )


I was wondering why Fb is querying us and that too in so much quantity ?
Did anyone face similar behavior from FB ASn ??

Regards,
Gaurav Kansal


Re: Diagnostic help

2014-09-30 Thread Matus UHLAR - fantomas

On 29.09.14 20:58, Ben Croswell wrote:
> The default for allow query is local host local nets.  Basically the server
> itself and directly connected networks

no, that is the default for allow_recursion (and allow_query_cache).
the default for allow_query is all.

> On Sep 29, 2014 8:03 PM, "Bill Christensen" wrote:
>> Allow-query is commented out, which I assume will allow anyone to query
>> this server for the domains for which it has master or slave records, but
>> does not allow the general public to do recursive queries or queries on
>> domains not hosted here.
>>
>> Let me know if I've got that right, or how to correct it if I don't.

correct.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901