Re: Authoritative DNS High Memory Usage

2019-01-22 Thread Tony Finch
Jordan Tinsley wrote:
>
> DNS01 has extremely high memory usage while DNS02 has memory usage around
> 50% and fluctuates up and down.

I have seen some cases where reconfiguring the server (e.g.
adding/removing views) can cause it to reconstruct all its zone
configuration. Although the old zone data is freed, there is likely to be
enough heap fragmentation that the memory can't be given back to the OS,
so the memory usage effectively doubles. A restart fixes it.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Faeroes, Southeast Iceland: Cyclonic 4 or 5, becoming northwesterly 5 to 7.
Rough or very rough, occasionally high at first. Wintry showers. Good,
occasionally poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RPZ question authoritative/recursive servers

2019-01-22 Thread Mik J via bind-users
Hello,
I tried to dissociate roles and have:
- 1 set of authoritative master/slave server
- 1 set of recursive servers
For a zone that I owned, the "recursive" servers forward the request to the
authoritative server. Otherwise the server resolves the query directly on the
Internet. The authoritative servers hold my zones and recursion is disabled.
I was reading about RPZ zones but it seems to me these are implemented on
authoritative servers? I'm interested in an RPZ zone in order to intercept some
queries aimed at the internet, youp*rn or wannacry.
As I explained, my authoritative servers are not on the path to the Internet, only
my forward servers are; should I implement the RPZ functionality on these
forward-only servers?

Any thoughts on this?
Thank you


Re: RPZ question authoritative/recursive servers

2019-01-22 Thread Alan Clegg
On 1/22/19 9:41 AM, Mik J via bind-users wrote:

> Internet, only my forward servers are, should I implement the RPZ
> functionality on these forward only servers ?

That's exactly what I do.

My "forward only" servers are "forward only" because I'm testing DoH.
Other than that, they are normal recursive servers.

AlanC


Re: RPZ question authoritative/recursive servers

2019-01-22 Thread Bob Harold
On Tue, Jan 22, 2019 at 9:41 AM Mik J via bind-users <bind-users@lists.isc.org> wrote:

> Hello,
>
> I tried to dissociate roles and have:
> - 1 set of authoritative master/slave server
> - 1 set of recursive servers
>
> For a zone that I owned, the "recursive" servers forwards the request to
> the authoritative server. Otherwise the server resolves the query directly
> on the Internet.
> The authoritative servers hold my zones and recursion is disabled.
>
> I was reading about RPZ zones but it seems to me these are implemented on
> authoritative servers ?
> I'm interested in RPZ zone in order to intercept some queries aiming to
> the internet youp*rn or wannacry.
>
> As I explained, my authoritative servers are not on the path to Internet,
> only my forward servers are, should I implement the RPZ functionality on
> these forward only servers ?
>
> Any thoughts on this ?
>
> Thank you
>

The RPZ function only runs on the Recursive DNS servers.
The RPZ zone could be mastered on an Authoritative server, but it should
not be visible to the public.   Better to keep it only on internal servers,
like only on the resolvers.

-- 
Bob Harold


Re: RPZ question authoritative/recursive servers

2019-01-22 Thread Tony Finch
Mik J via bind-users wrote:

> For a zone that I owned, the "recursive" servers forwards the request to
> the authoritative server.

Beware: when you are forwarding the target server must be a recursive
server. If you want to "forward" to an authoritative-only server, you
must use "static-stub" zone configurations.

You can sometimes get away with forwarding to an authoritative-only
server, but it will break if you have a delegation to a zone that is
hosted on different servers. This is because the recursive server will
expect a full answer, but it will get a referral which it will fail to
follow.

My recursive servers are configured to have their own authoritative copies
of our zones, rather than relying on our authoritative servers. This is to
reduce the number of things that can go wrong, and so that the recursive
servers can provide service even if all our other servers are unavailable.

> I was reading about RPZ zones but it seems to me these are implemented
> on authoritative servers?

An RPZ zone must be authoritative, but normally it is configured on a
recursive server.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Faeroes, Southeast Iceland: Cyclonic 4 or 5, becoming northwesterly 5 to 7.
Rough or very rough, occasionally high at first. Wintry showers. Good,
occasionally poor.
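Putting Mik's question and the two replies (Tony's static-stub and "RPZ must be authoritative" points, Bob's "keep it internal" point) into one configuration, as an added example that is not from the thread or from ISC: a recursive server that reaches the in-house authoritative-only servers with a static-stub zone instead of forwarding, and loads a local RPZ zone. The addresses, the zone names example.com / rpz.local / bad.example / tracker.example, and the file names are placeholders.

```conf
// ===== /etc/named.conf on a recursive ("forward-only") server =====
// Added example, not from the thread or from ISC. 192.0.2.x addresses,
// 10.0.0.0/8, "example.com", "rpz.local" and file names are placeholders.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    // The policy zone is consulted only on the recursive path
    response-policy { zone "rpz.local"; };
};

// Do NOT write:
//   zone "example.com" { type forward; forward only;
//                        forwarders { 192.0.2.1; }; };
// Forwarding expects a recursive target; an authoritative-only server
// answers a delegated name (say lab.example.com hosted elsewhere) with a
// referral, which the forwarding resolver will not chase.
// static-stub makes the resolver treat 192.0.2.1/2 as authoritative
// servers for example.com and follow referrals itself.
zone "example.com" {
    type static-stub;
    server-addresses { 192.0.2.1; 192.0.2.2; };
};

// The RPZ zone is authoritative on this server (Tony's point) but kept
// internal: no public queries, no transfers (Bob's point).
zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query    { localhost; };
    allow-transfer { none; };
};

; ===== /var/named/rpz.local.db =====
$TTL 300
@                 IN SOA localhost. hostmaster.localhost. (
                        2019012201 3600 900 604800 300 )
                  IN NS  localhost.
; QNAME trigger + "CNAME ." action: the resolver returns NXDOMAIN for the
; name and (via the wildcard) everything under it
bad.example       IN CNAME .
*.bad.example     IN CNAME .
; "Local data" action: steer a name to an internal walled-garden address
tracker.example   IN A     192.0.2.80
```

Bump the SOA serial and run `rndc reload rpz.local` after editing the policy file; `named-checkconf -z` validates both the configuration and the zone file before a reload.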


Named Service

2019-01-22 Thread Jordan Tinsley
Hello,

Just wondering how to get the named service setup when compiling from
source?

When I tried on a test machine to enable named for startup using systemctl
enable named or systemctl start named

I get an error that named.service doesn't exist.  I may be overlooking
documentation somewhere, but I don't see anything about this.

Thanks,

Jordan



Re: Named Service

2019-01-22 Thread Grant Taylor via bind-users

On 01/22/2019 08:12 AM, Jordan Tinsley wrote:
> I get an error that named.service doesn't exist.  I may be overlooking
> documentation somewhere, but I don't see anything about this.

I don't think that the BIND source code includes distro / init daemon
specific scripts / files.  It's going to be up to you to create something.

If BIND does include something, it will likely be old style Sys V init
scripts that go into the /etc/init.d directory and require creation of
sym-links from the /etc/rc* directories to start and stop appropriately.

I'd be surprised if BIND came with systemd unit files.  (I think that's
the proper term.)

--
Grant. . . .
unix || die





Re: Named Service

2019-01-22 Thread Alan Clegg
On 1/22/19 10:12 AM, Jordan Tinsley wrote:

> Just wondering how to get the named service setup when compiling from
> source?

I'm kinda old school, but adding "/usr/local/sbin/named" to
/etc/rc.local has always worked for me.

AlanC


Re: Named Service

2019-01-22 Thread Peter DeVries
You didn't mention your OS.  I'm assuming Redhat Linux.   The files you are
looking for are /usr/lib/systemd/system/named{-chroot}.service.  The files
are not included in the BIND source.  The easiest thing is to pull them out
of one of the existing redhat BIND packages and edit for your needs.  There
is nothing in the script that is version specific.


On Tue, Jan 22, 2019 at 10:13 AM Jordan Tinsley wrote:

> Hello,
>
>
>
> Just wondering how to get the named service setup when compiling from
> source?
>
>
>
> When I tried on a test machine to enable named for startup using systemctl
> enable named or systemctl start named
>
>
>
> I get an error that named.service doesn’t exist.  I may be overlooking
> documentation somewhere, but I don’t see anything about this.
>
>
>
> Thanks,
>
> Jordan


RE: Named Service

2019-01-22 Thread Jordan Tinsley
Thank you for the information!  Also, do I need to use the {-chroot} portion?

Thanks,

Jordan

From: Peter DeVries
Sent: Tuesday, January 22, 2019 11:32 AM
To: Jordan Tinsley
Cc: bind-users
Subject: Re: Named Service

You didn't mention your OS.  I'm assuming Redhat Linux.   The files you are
looking for are /usr/lib/systemd/system/named{-chroot}.service.  The files are
not included in the BIND source.  The easiest thing is to pull them out of one
of the existing redhat BIND packages and edit for your needs.  There is nothing
in the script that is version specific.

On Tue, Jan 22, 2019 at 10:13 AM Jordan Tinsley wrote:

Hello,

Just wondering how to get the named service setup when compiling from source?

When I tried on a test machine to enable named for startup using systemctl
enable named or systemctl start named

I get an error that named.service doesn't exist.  I may be overlooking
documentation somewhere, but I don't see anything about this.

Thanks,

Jordan



Re: Named Service

2019-01-22 Thread Peter DeVries
You should want the -chroot portion so you are running named in a chroot
environment but you don't need it.  There are two files named.service and
named-chroot.service.  There is also rndc-startup.service (maybe the wrong
filename) that helps configure rndc if it isn't already.  I typically
remove that and opt for my own manual rndc config.

Peter

On Tue, Jan 22, 2019 at 12:35 PM Jordan Tinsley wrote:

> Thank you for the information!  Also, do I need to use the {-chroot}
> portion?
>
>
>
> Thanks,
>
> Jordan
>
>
>
> *From:* Peter DeVries 
> *Sent:* Tuesday, January 22, 2019 11:32 AM
> *To:* Jordan Tinsley 
> *Cc:* bind-users 
> *Subject:* Re: Named Service
>
>
>
> You didn't mention your OS.  I'm assuming Redhat Linux.   The files you
> are looking for are /usr/lib/systemd/system/named{-chroot}.service.  The
> files are not included in the BIND source.  The easiest thing is to pull
> them out of one of the existing redhat BIND packages and edit for your
> needs.  There is nothing in the script that is version specific.
>
>
>
>
>
> On Tue, Jan 22, 2019 at 10:13 AM Jordan Tinsley wrote:
>
> Hello,
>
>
>
> Just wondering how to get the named service setup when compiling from
> source?
>
>
>
> When I tried on a test machine to enable named for startup using systemctl
> enable named or systemctl start named
>
>
>
> I get an error that named.service doesn’t exist.  I may be overlooking
> documentation somewhere, but I don’t see anything about this.
>
>
>
> Thanks,
>
> Jordan
>
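Peter's pointer is to copy a distribution's unit file; for a source build where no package is at hand, here is a minimal named.service written as an added example (it is not from the thread, from ISC, or from any distribution package). The /usr/local paths, the unprivileged `named` user and the pid-file location are assumptions and must match your build and your named.conf; it corresponds to the plain named.service, without the -chroot variant, and relies on rndc already being configured, which is the job Peter attributes to the separate rndc setup unit.

```ini
# /etc/systemd/system/named.service
# Added example for a source-built BIND; adjust paths and user to your build.
[Unit]
Description=BIND DNS server (named), built from source
Documentation=man:named(8)
After=network-online.target
Wants=network-online.target

[Service]
Type=forking
# Refuse to start on a broken configuration or unloadable zone instead of
# leaving the resolver down: named-checkconf -z also parses every zone file.
ExecStartPre=/usr/local/sbin/named-checkconf -z /usr/local/etc/named.conf
# Drop privileges to the (assumed) dedicated "named" user after binding port 53
ExecStart=/usr/local/sbin/named -u named -c /usr/local/etc/named.conf
# Reload and stop go through rndc, so /usr/local/etc/rndc.key must already exist
ExecReload=/usr/local/sbin/rndc reload
ExecStop=/usr/local/sbin/rndc stop
# Must match the pid-file option in named.conf (assumed location)
PIDFile=/var/run/named/named.pid
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

After placing the file, `systemctl daemon-reload` is needed before `systemctl enable --now named` will find the new unit.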


RE: Named Service

2019-01-22 Thread Jordan Tinsley
Okay, if that doesn't work, then temporarily until I can get the service
figured out I will just do - adding "/usr/local/sbin/named" to
/etc/rc.local

From: Peter DeVries
Sent: Tuesday, January 22, 2019 11:38 AM
To: Jordan Tinsley
Cc: bind-users
Subject: Re: Named Service

You should want the -chroot portion so you are running named in a chroot
environment but you don't need it.  There are two files named.service and
named-chroot.service.  There is also rndc-startup.service (maybe the wrong
filename) that helps configure rndc if it isn't already.  I typically remove
that and opt for my own manual rndc config.

Peter

On Tue, Jan 22, 2019 at 12:35 PM Jordan Tinsley wrote:

Thank you for the information!  Also, do I need to use the {-chroot} portion?

Thanks,

Jordan

From: Peter DeVries
Sent: Tuesday, January 22, 2019 11:32 AM
To: Jordan Tinsley
Cc: bind-users
Subject: Re: Named Service

You didn't mention your OS.  I'm assuming Redhat Linux.   The files you are
looking for are /usr/lib/systemd/system/named{-chroot}.service.  The files are
not included in the BIND source.  The easiest thing is to pull them out of one
of the existing redhat BIND packages and edit for your needs.  There is nothing
in the script that is version specific.

On Tue, Jan 22, 2019 at 10:13 AM Jordan Tinsley wrote:

Hello,

Just wondering how to get the named service setup when compiling from source?

When I tried on a test machine to enable named for startup using systemctl
enable named or systemctl start named

I get an error that named.service doesn't exist.  I may be overlooking
documentation somewhere, but I don't see anything about this.

Thanks,

Jordan



Re: Selective forwarding?

2019-01-22 Thread ObNox

On 22/01/2019 02:20, Grant Taylor via bind-users wrote:
> Before going into your requirements / desires below, I feel the need to
> say:
>
> I feel like this can be done with a single common zone.
>
> Site 1 is authoritative and handles dynamic updates.
> Site(s) 2 (and 3) slave the zone -and- forward dynamic updates to Site 1.

I'm not fully against this idea but I'm not comfortable with Site2/3
depending on Site1 for the updates.

If for some reason Site1 is unreachable and a host tries to update the
DHCP lease, the DNS update would fail and the said host wouldn't be
reachable by other direct neighbor hosts (same site) by DNS name just
because a remote service is not available. Yes, I could lower the DHCP
lease time to try again sooner but it looks inelegant to me.

This reminds me of an infamous issue a few years ago where a WiFi router
brand cut the internet access to all hosts because their cloud service
was down. The idiotic router firmware believed that internet was "down".
Also like stupid Windows hosts displaying warning icons when they can't
access www.msftncsi.com, etc. etc. I hate these kinds of dependencies and
I do whatever I can to avoid them.

>> - Each site has its own "example.net" zone for the DHCP dyn DNS
>
> Why do you want to have multiple (three) distinct copies of the same zone?
>
> Rather, why don't you want a single common zone that is replicated and
> can relatively easily be converted from secondary to master.

There would be no need to promote secondaries to primaries because Site1
is really the big one holding most of the information. Site2/3 are
"satellites" really where only minimal service is provided.

> Note:  I'm assuming a zone expiry of a week to a month.  I think that
> would accommodate most outages.

I thought of that too :-) A week would be far enough in my case.

>> - If some host queries xxx.example.net via its local DNS server, try
>> to resolve it locally. If not found, forward the query to "Site 1" DNS
>> server which probably has the right answer.
>
> I feel like my "Duplicate authoritative DNS zones on purpose"
> article might help you.
>
> Link - Duplicate authoritative DNS zones on purpose
>  - https://dotfiles.tnetconsulting.net/blog/2013/0610/Duplicate-authoritative-DNS-zones-on-purpose.html

That's a nice idea, however I feel like it's starting to be a bit
complicated for my use case. 2 DNS servers per site, maintaining RPZ
zones, etc seems a bit overkill for my setup.

> You can have site local authoritative information in what I referred to
> as the DR instance.  Then if the local authoritative information (DR
> instance) doesn't have what you want, forward to Site 1.

If I understand correctly, each site would have 2 DNS servers, one
"normal" and one forwarder. Would this kind of setup support dynDNS
without trouble?

>> 1/ All sites work independently of each other.
>
> Please elaborate how much this statement precludes the sites from
> sharing a DNS zone.

What I meant is that each site would work on its own for normal traffic.
Hosts and assets (printers, etc.) would boot up, DHCP, register DNS and
access internet the usual way. That's what I mean by "independent".

Only the DNS requests for "unknown records within the local example.com"
would be forwarded to the "master" (Site1)

Site1 would hold all the DNS records for its own hosts/assets (ie:
host1, printer1, etc.). Site2/3 would do the same on their own (ie:
host21, printer21, host31, printer31, etc.) but "app.example.com" and all
the others would be forwarded to Site1.

All of this to avoid duplicating the DNS records on each site (currently
3 of them but could grow). At least, that's the current idea but I'm
open to other solutions if they fit the bill :-)

>> 3/ If the main site (Site 1) is down, only the centralized services
>> are unavailable to the other sites
>
> This is where a healthy expiry timer on a slave server comes into play.
> You can set the timer high enough to allow service / connectivity
> restoration -or- connecting into the server and reconfiguring it from a
> secondary zone to be a primary zone instead.

I wouldn't need to promote secondary servers to be primary as all of
this is purely internal to the company. Site2/3 people would do their
work normally, just being unable to reach the centralized app only
available at Site1.

> I assume that you are wanting to avoid manual replication, as in needing
> to enter the same record in multiple other sites.

You assume correctly :)

>> Is such a DNS configuration possible ?
>
> I think something close can probably be done.
>
> I personally would try to use the common zone that is replicated from
> Site 1 to the other sites combined with update forwarding from the
> remote sites back to Site 1.

I think I'm now geared towards this solution, which seems to be the
simpler one to implement.

> If that's unsatisfactory for some reason, I'd look into sets of the
> configuration described in my "Duplicate authoritative DNS zones on
> p
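The layout Grant recommends and ObNox settles on (one common example.net zone, primary at Site 1, slaved at the satellite sites, with dynamic updates forwarded back to Site 1 and a one-week expiry so the satellites keep answering through an outage), as an added named.conf example that is not from the thread. The 192.0.2.x and 10.x.0.0/16 addresses, the key name, the file names and the SOA values are placeholders.

```conf
// ===== Site 1 primary: /etc/named.conf zone stanza =====
// Placeholders: 192.0.2.10 = Site 1 primary, 192.0.2.20/.30 = Site 2/3
// secondaries, 10.1.0.0/16 = Site 1 LAN, 10.2.0.0/16 = Site 2 LAN.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "<base64 TSIG secret, placeholder>";
};

zone "example.net" {
    type master;
    file "dynamic/example.net.db";
    // UPDATEs arrive either directly from Site 1 DHCP/hosts or relayed by
    // the Site 2/3 secondaries; only TSIG-signed ones are accepted, so the
    // relaying servers' addresses never need to be trusted on their own.
    update-policy { grant ddns-key zonesub ANY; };
    also-notify    { 192.0.2.20; 192.0.2.30; };
    allow-transfer { 192.0.2.20; 192.0.2.30; };
};

// ===== Site 2 secondary (also Site 2's recursive resolver) =====
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.2.0.0/16; 127.0.0.1; };
};

zone "example.net" {
    type slave;
    file "slaves/example.net.db";
    masters { 192.0.2.10; };
    // Site 2 clients send their signed UPDATEs here; the secondary relays
    // them to the primary and the primary's update-policy decides. Lookups
    // are served from the local copy, so Site 2 hosts still resolve each
    // other while the WAN link to Site 1 is down (the update itself fails,
    // as ObNox notes; the stale-but-valid data keeps answering).
    allow-update-forwarding { 10.2.0.0/16; };
    allow-transfer { none; };
};

; ===== dynamic/example.net.db on the primary: SOA with a 1-week expiry =====
$TTL 3600
@   IN SOA ns1.example.net. hostmaster.example.net. (
            2019012201  ; serial
            900         ; refresh
            300         ; retry
            604800      ; expire: secondaries answer for a week without Site 1
            300 )       ; negative-caching TTL
    IN NS  ns1.example.net.
    IN NS  ns2.example.net.
```

Site 3 repeats the Site 2 stanza with its own LAN prefix; if Site 1 stays unreachable longer than the expire value, the secondaries stop answering for the zone, which is the point at which ObNox's "no promotion needed" assumption would have to be revisited.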

Re: Selective forwarding?

2019-01-22 Thread Grant Taylor via bind-users

On 1/22/19 10:06 PM, ObNox wrote:
> I'm not fully against this idea but I'm not comfortable with Site2/3
> depending on Site1 for the updates.

Fair.

> If for some reason Site1 is unreachable and a host tries to update the
> DHCP lease, the DNS update would fail and the said host wouldn't be
> reachable by other direct neighbor hosts (same site) by DNS name just
> because a remote service is not available. Yes, I could lower the DHCP
> lease time to try again sooner but it looks inelegant to me.

I would expect that DHCP would operate independently.  Though the
Dynamic DNS update may fail.

I tend to prefer for DHCP to offer the same addresses to clients if it
can.  So even if one update did fail, chances are good that the last
update was for the same IP and DNS still had correct data.

But your concern is legitimate.

I start to wonder if other BIND back ends might offer additional options
via DLZ.

> This reminds me of an infamous issue a few years ago where a WiFi router
> brand cut the internet access to all hosts because their cloud service
> was down. The idiotic router firmware believed that internet was "down".
> Also like stupid Windows hosts displaying warning icons when they can't
> access www.msftncsi.com, etc. etc. I hate these kinds of dependencies and
> I do whatever I can to avoid them.

See above.  I think clients would still work using old information.

> There would be no need to promote secondaries to primaries because Site1
> is really the big one holding most of the information. Site2/3 are
> "satellites" really where only minimal service is provided.

Fair.

> I thought of that too :-) A week would be far enough in my case.

;-)

> That's a nice idea, however I feel like it's starting to be a bit
> complicated for my use case. 2 DNS servers per site, maintaining RPZ
> zones, etc seems a bit overkill for my setup.

Ya.  I felt like it might be overkill for your situation.  But you asked
a question, and I shared the (partial) answer that I was aware of.

> If I understand correctly, each site would have 2 DNS servers, one
> "normal" and one forwarder. Would this kind of setup support dynDNS
> without trouble?

I don't know how dynamic DNS would integrate.  I would think that you
would want the updates to be sent to site 1 which would then replicate
back to sites 2 & 3.  The other local DNS server would be for overrides,
which I doubt would change very often.

> What I meant is that each site would work on its own for normal traffic.
> Hosts and assets (printers, etc.) would boot up, DHCP, register DNS and
> access internet the usual way. That's what I mean by "independent".

Yep.

> Only the DNS requests for "unknown records within the local example.com"
> would be forwarded to the "master" (Site1)

Yep.  So I guess you would want the dynamic updates to the local DNS
server.  I think you could direct updates there.

> Site1 would hold all the DNS records for its own hosts/assets (ie:
> host1, printer1, etc.). Site2/3 would do the same on their own (ie:
> host21, printer21, host31, printer31, etc.) but "app.example.com" and all
> the others would be forwarded to Site1.

*nod*

> All of this to avoid duplicating the DNS records on each site (currently
> 3 of them but could grow). At least, that's the current idea but I'm
> open to other solutions if they fit the bill :-)

Ya.  Sometimes technical solutions are more of a problem than the lack
of them is a problem.

> I wouldn't need to promote secondary servers to be primary as all of
> this is purely internal to the company. Site2/3 people would do their
> work normally, just being unable to reach the centralized app only
> available at Site1.

ACK

> You assume correctly :)

:-)

> I think I'm now geared towards this solution, which seems to be the
> simpler one to implement.

I think it's at least worth playing out to see if it fails or if it
works well enough for your needs.

> I like out-of-the-comfort-zone ideas but in my current case, this seems
> to be a bit overkill.

Agreed.

You asked a question, and I provided the only answer that I was aware
of.  I'm sure there are others.  I'd like to see what other people
suggest.  I selfishly want to learn from their efforts.  }:-)

> I think I'm a bit biased here because I thought about a multi-master DNS
> service like I already have with OpenLDAP! The multi-master setup of
> OpenLDAP works so magically well that I really wished it was possible
> for my DNS use case :-) I can update any LDAP server in the chain and it
> magically propagates everywhere in an instant.

:-)

Take a look at the BIND DLZ LDAP driver.  I suspect you can get BIND to
use (what sounds like) your multi-master OpenLDAP configuration.

Link - BIND DLZ > Driver Docs > LDAP
 - http://bind-dlz.sourceforge.net/ldap_driver.html

> That's because I didn't find anything in the docs about the multi-master
> setup that I came up with the idea of a "selective forwarding" thing :)

Sounds like you're trying to find a possible solution.  More than one

Unbound 1.9 release date

2019-01-22 Thread rams
Greetings,
Does anyone know the unbound 1.9 release date?

Regards,
Ramesh