Re: Postgres v MySQL v Berkely backend for BIND

2009-05-05 Thread Chris Dew
Are there performance increases/decreases involved with using a db in
place of bind's normal zone files?

Is there a sqlite3 backend to bind?

Regards,

Chris.

-- 

http://www.finalcog.com/

2009/5/4 David Ford :
> I use the DLZ/PG backend and it's rock solid.  I use Ant with a few
> modifications for my front end.
>
> Stephen Carville wrote:
>> I have to bother you all again.
>>
>> I was asked Friday afternoon about using a database with the new BIND
>> servers.  To me it seems using MySQL or PostgreSQL is a bit like
>> hunting rabbits with a howitzer though Berkeley DB looks like a good
>> fit.  I can find patches for all three but no real information on
>> reliability or performance.  Performance is not the big deal but
>> reliability and ease of maintenance is.
>>
>> Anyone here have experience or an informed opinion in using a database
>> backend to BIND?
>>
>> This is for BIND 9 on a CentOS or Redhat 5 system.
>>
>>
>
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: approach on parsing the query-log file

2009-04-29 Thread Chris Dew
You may be interested in using circular buffers, instead of a log file.

http://www.finalcog.com/replace-logs-emlog-circular-buffer

I've used emlog successfully in the past and been very pleased with
its performance.

Hope this is useful.

Chris.

2009/4/29 Scott Haneda :
> I have read the other posts here, and it looks like you are settling on tail,
> or a pipe, but that log rotation is causing you headaches.
>
> I have had to deal with things like this in the past, and took a different
> approach.  Here are some ideas to think about.
>
> Since you mentioned below you wanted this in real time, and that parsing an
> old log file is out, what about setting up a second log in named, of the
> same data, but do not rotate the log at all?
>
> This gives you a log that you can run tail on.  It probably is going to grow
> too large.  I solved this for a different server in the past, by telling the
> log that was a clone to be limited in size.  In this way, it was not
> rolled out, but rather, truncated.
>
> I am not sure how named would do this.  If it will not truncate it, you can
> write a small script to do it for you.  Now that you have a log that is
> maintained at a fixed size that is manageable, you can do your tail business
> on it.
>
> I also seem to remember, tail has some flags that may help you with dealing
> with the log rotation issues.  I only remember them vaguely, as they were not
> applicable to what I was doing at the time.
>
> Hope this helps some.
>
> On Apr 27, 2009, at 10:26 PM, Jonathan Petersson wrote:
>
>> Hi all,
>>
>> I'm thinking of writing a quick tool to archive the query-log in a
>> database to allow for easier reports.
>>
>> The obvious question that occurs is: what would be the best
>> approach to do this?
>>
>> Running scripts that parse through the query-log would cause locking,
>> essentially killing BIND on a heavily loaded server, and only parsing
>> archived files wouldn't allow real-time information; also re-parsing
>> the same set of data over and over again until the log has rotated
>> would cause unnecessary I/O load. I'm guessing the best would be to
>> have BIND write directly to a script that dumps the data wherever it
>> makes sense to.
>>
>> I've used BIND statistics and found it highly useful but then again it
>> doesn't allow me to make breakdowns based on host/query.
>>
>> If anyone has done something like this or has pointers on how this
>> could be achieved, any information is welcome!
>
> --
> Scott * If you contact me off list replace talklists@ with scott@ *
>



-- 

http://www.finalcog.com/
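The two halves of this thread (a parser that loads query-log lines into a database for per-host/per-query reports, and a tail-style reader that survives the fixed-size, truncated-in-place log Scott describes) as one added example. This is not code from the thread or from ISC. It assumes the BIND 9 `queries` category line format shown in the sample lines (timestamp present when the channel has `print-time yes`); all addresses, names and log lines are constructed. One caveat worth knowing before relying on a size-limited channel: with `file "..." size N;` and no `versions`, named stops writing when the limit is reached rather than truncating, so something out-of-band (a cron job, as Scott suggests) has to truncate the file, and that is the case the follower below handles.

```python
"""Parse BIND 9 query-log lines into SQLite for per-client/per-name reports,
and follow a log file that is truncated in place rather than rotated.

Added example, not code from the thread.  Assumptions: the line format in
SAMPLE_LINES (BIND 9 'queries' category, one line per query); every
address, name and sample line below is constructed.
"""
import os
import re
import sqlite3
import tempfile

# 27-Apr-2009 22:26:31.115 client 192.0.2.10#53421: query: www.example.com IN A + (192.0.2.53)
QUERY_RE = re.compile(
    r"^(?:(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) )?"
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
    r"(?: \((?P<server>[0-9A-Fa-f.:]+)\))?$"
)

SAMPLE_LINES = [  # constructed, not captured traffic
    "27-Apr-2009 22:26:31.115 client 192.0.2.10#53421: query: www.example.com IN A + (192.0.2.53)",
    "27-Apr-2009 22:26:31.201 client 192.0.2.10#53422: query: www.example.com IN AAAA + (192.0.2.53)",
    "27-Apr-2009 22:26:32.004 client 198.51.100.7#1025: query: mail.example.com IN MX - (192.0.2.53)",
    "27-Apr-2009 22:26:32.377 client 192.0.2.10#53423: query: example.com IN SOA + (192.0.2.53)",
    "27-Apr-2009 22:26:33.510 client 2001:db8::1#40000: query: example.com IN NS +E (192.0.2.53)",
]
COLUMNS = ("ts", "client", "port", "qname", "qclass", "qtype", "flags")


def parse_query_line(line):
    """Fields of one query-log line as a dict, or None for anything else
    (another log category, a half-written line, garbage)."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS queries (%s)" % ", ".join(COLUMNS))
    return conn


def ingest(conn, lines):
    """Store every parseable line; returns the number of rows inserted."""
    rows = [tuple(rec[c] for c in COLUMNS)
            for rec in map(parse_query_line, lines) if rec]
    conn.executemany("INSERT INTO queries VALUES (?,?,?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)


def top(conn, column, n=5):
    """Breakdown by client, qname or qtype as [(value, count), ...]."""
    if column not in ("client", "qname", "qtype"):  # never interpolate an untrusted identifier
        raise ValueError("column must be client, qname or qtype")
    sql = ("SELECT {0}, COUNT(*) AS c FROM queries "
           "GROUP BY {0} ORDER BY c DESC, {0} LIMIT ?").format(column)
    return conn.execute(sql, (n,)).fetchall()


class LogFollower:
    """Return only the lines appended since the previous call.  Starts over
    when the file shrinks (truncated in place) or its inode changes (rotated)
    and leaves a trailing partial line alone until named has finished it.
    A truncate-and-refill past the old offset between two calls is missed."""

    def __init__(self, path):
        self.path, self.offset, self.inode = path, 0, None

    def read_new(self):
        st = os.stat(self.path)
        if st.st_ino != self.inode or st.st_size < self.offset:
            self.offset, self.inode = 0, st.st_ino
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = f.read()
        complete, newline, _partial = data.rpartition(b"\n")
        if not newline:
            return []
        self.offset += len(complete) + 1
        return complete.decode("utf-8", "replace").splitlines()


def _write(path, mode, data):
    with open(path, mode) as f:
        f.write(data)


def demo_truncation():
    """Batches a follower reads across an append and an in-place truncate."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        _write(path, "wb", b"first\nsec")        # second line not yet complete
        follower = LogFollower(path)
        batches = [follower.read_new()]          # ['first']
        _write(path, "ab", b"ond\n")
        batches.append(follower.read_new())      # ['second']
        _write(path, "wb", b"fresh\n")           # truncated by an out-of-band job
        batches.append(follower.read_new())      # ['fresh']
        return batches
    finally:
        os.unlink(path)
```

In production the loop is `for line in follower.read_new(): ingest(...)` on a timer against the non-rotated clone channel; the `top()` breakdowns by client and qname are what the statistics channel does not give you.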

Re: "stealth master" DNS Security

2009-03-25 Thread Chris Dew
IPsec really isn't too onerous between machines with static IP
addresses. Just a thought.

2009/3/25 Ram Akuka :
> 2009/3/25 Alan Clegg :
>> Ram Akuka wrote:
>>
>>> Is there any way I can encrypt the zone transfer data (without using
>>> any third-party encryption tool)?
>>
>> Why exactly do you want to do this?
>>
>> DNS data is NOT PROTECTED DATA.
>>
>> As long as queries and responses are permitted in the clear (which is
>> the way DNS works), you are only fooling yourself by doing all of this
>> "encryption".
>>
>> AlanC
>
> Indeed this is not protected data, but I don't want to give a
> potential intruder all the data of all my clients just by listening to
> my zone transfer data.
> But overall I agree the best way to do it is by securing my servers.
>
> Thanks anyway,
>
>
> Ram
>
>>
>>


Re: Psuedo-Master Zones

2009-03-25 Thread Chris Dew
No, we've had to work around these limitations of axfr/notify, so that
we can take this concern away from our customers.

I would love to find a nice bind-supported way of dealing with
views/axfr/notify, so if you find anything, please let me know.

Thanks,

Chris

http://www.finalcog.com

2009/3/25  :
> > I would use a #include in the zone file on the internal machine to include
> > the contents of zone file on the external machine.  (NFS mount, or cron'ed
> > rsync copy.)
> >
> > You could use views/split horizon dns and run them both off of one server,
> > but this seems unneeded and nasty.
> > http://www.finalcog.com/dns-views-split-horizon-brain-dribble
>
> Thanks for the reference.
> I have also been running into bind's sync problems for multi-views between
> master and slave.
> Is there any official way to resolve this?
>
> Regards.


Re: "stealth master" DNS Security

2009-03-25 Thread Chris Dew
So you want to store data on the slaves which will not be accessible
to an attacker who has root privileges on the same slave?

This looks difficult.

One possibility is to replace bind's operations on the slave's zone
file (the loading and saving of data) with a hack to bind which stores
the data in a process-specific buffer (instead of a file), perhaps
with simple symmetric encryption.  The zone data would be lost on
reboot, but it would be non-trivial for a root-privileged hacker to
read the data, without reverse-engineering the bind hack.

Less exotically, it could just run a simple encryption scheme and
store the data as the originally-specified filename.  This may be more
useful if zones are huge in size or number.

All the best,

Chris.

http://www.finalcog.com

2009/3/25 Ram Akuka :
> Thanks Chris,
> but encrypting the file system won't do the work here.
> I agree that storing the key and the encrypted data on the same
> machine is useless in security terms. That's why I'm looking for a
> built-in solution.
> Is there any way the slave server can save the zone in a format
> different from clear text?
>
> Thanks
>
> --
> Ram
>
> On Wed, Mar 25, 2009 at 12:17 PM, Chris Dew  wrote:
>> You could use eCryptfs for the location of the zone data - it
>> would require a passphrase when bind starts up on the slave - this
>> could cause trouble if the slave crashes.
>>
>> In general there is NO way of having encrypted data on a machine AND
>> having the keys on that same machine AND making it 100% secure.
>>
>> Regards,
>>
>> Chris
>>
>> http://www.finalcog.com
>>
>>
>> 2009/3/25 Ram Akuka 
>>>
>>> Hi,
>>> I want to design a DNS system for a secure authoritative server.
>>> I’ll use one master server to store the zone data and use the zone
>>> transfer mechanism for the 2 public slave servers (which will be defined
>>> as masters on the internet). That way I’ll update and back up only one
>>> server.
>>> I'm using TSIG for secure zone transfer but I have a few questions.
>>> Is there any way I can encrypt the zone files on the slave server, so
>>> that no one can have access to the actual zone data besides the
>>> master server?
>>> (If, for example, someone hacks the slave DNS, he won’t have the
>>> zone data.)
>>>
>>> Thanks in advance,
>>>
>>>
>>> --
>>> Ram


Re: "stealth master" DNS Security

2009-03-25 Thread Chris Dew
You could use eCryptfs for the location of the zone data - it
would require a passphrase when bind starts up on the slave - this
could cause trouble if the slave crashes.

In general there is NO way of having encrypted data on a machine AND
having the keys on that same machine AND making it 100% secure.

Regards,

Chris

http://www.finalcog.com


2009/3/25 Ram Akuka 
>
> Hi,
> I want to design a DNS system for a secure authoritative server.
> I’ll use one master server to store the zone data and use the zone
> transfer mechanism for the 2 public slave servers (which will be defined
> as masters on the internet). That way I’ll update and back up only one
> server.
> I'm using TSIG for secure zone transfer but I have a few questions.
> Is there any way I can encrypt the zone files on the slave server, so
> that no one can have access to the actual zone data besides the
> master server?
> (If, for example, someone hacks the slave DNS, he won’t have the
> zone data.)
>
> Thanks in advance,
>
>
> --
> Ram
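The transfer side of the design Ram describes across this thread (one hidden master feeding two public slaves, TSIG on the transfers), as an added named.conf example for BIND 9 that is not configuration from the thread or from ISC. The key name, the secret placeholder, the addresses and the zone name are assumptions. Two points a practitioner checks here: older BIND 9 releases default `allow-transfer` to `any` and newer ones to `none`, so set it explicitly on both master and slaves; and because the hidden master is not in the zone's NS set, it must be told to notify the slaves explicitly. As Alan says, this stops bulk copies by sniffers and random AXFR clients, but every name the slaves serve is still discoverable one query at a time.

```conf
# --- hidden master (192.0.2.1), reachable by the slaves only ---
key "xfer.example.com." {
    algorithm hmac-sha256;
    # generate with: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer.example.com
    # (tsig-keygen in newer releases); the value below is a placeholder
    secret "REPLACE-WITH-BASE64-SECRET";
};

options {
    allow-transfer { none; };       # nothing leaves without the key
    allow-recursion { none; };
    notify explicit;                # the hidden master is not in the NS set
    also-notify { 203.0.113.10; 203.0.113.20; };
};

zone "example.com" {
    type master;
    file "zones/example.com.db";
    allow-transfer { key "xfer.example.com."; };
};

# --- each public slave (203.0.113.10 and 203.0.113.20) ---
key "xfer.example.com." {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

# sign every AXFR/IXFR request sent to the master with this key
server 192.0.2.1 { keys { "xfer.example.com."; }; };

zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 192.0.2.1; };
    allow-notify { 192.0.2.1; };
    allow-transfer { none; };       # the slaves answer queries, not copies of the zone
};
```

Check it from outside: `dig @203.0.113.10 example.com AXFR` must be refused, while `dig @192.0.2.1 -y hmac-sha256:xfer.example.com.:SECRET example.com AXFR` from a slave address succeeds. Pair it with a host firewall on the master that admits port 53 only from the two slaves; TSIG authenticates the transfer but does not hide it, which is where Chris's IPsec suggestion comes in.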


Re: Psuedo-Master Zones

2009-03-25 Thread Chris Dew
I would use a #include in the zone file on the internal machine to include
the contents of zone file on the external machine.  (NFS mount, or cron'ed
rsync copy.)

You could use views/split horizon dns and run them both off of one server,
but this seems unneeded and nasty.
http://www.finalcog.com/dns-views-split-horizon-brain-dribble

Regards,

Chris.

http://www.finalcog.com

2009/3/24 Corey Shaw 

> Bind version: 9.6
> OS: Gentoo Linux
>
> I am currently setting up an internal DNS server.  I have a separate DNS
> server that is publicly accessible.  Both servers have a zone for
> "example.com".   How do I set the internal DNS server to forward queries
> for entries that it does not have for "example.com" to the public DNS?
>
> An example:
>
> "server2.example.com" exists on both DNS servers.  I query the internal
> server and get the internal address.  I query the public DNS and get the
> public address.  That works as it should.
>
> Now let's say "server1.example.com" exists on the public DNS, but not on
> the Internal DNS.  I query the internal DNS for "server1.example.com" and
> it doesn't return anything.  How can I make it forward that query to the
> public DNS which does have an entry for "server1.example.com"?
>
> Thanks for your help.
>
> _
> Corey
>
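Chris's approach above (pull the external zone's contents into the internal zone file, via NFS or an rsync copy; BIND's own directive for that is `$INCLUDE`) has one trap: an include simply concatenates records, so a name that exists in both files, like Corey's server2, answers internal clients with both the internal and the public address. The following is an added example, not code from the thread, of a merge step that runs before the include and keeps a public RRset only where the internal zone defines nothing for that owner and type. It assumes one record per line, fully-qualified owner names, numeric TTLs and no parentheses, `$ORIGIN` or `$GENERATE`; both zones are constructed.

```python
"""Merge a public zone into the internal zone for the same name so the
internal server answers every name the public server knows, with internal
records shadowing public ones.

Added example, not code from the thread.  Assumptions: one record per
line, fully-qualified owners, numeric TTLs, no parentheses, $ORIGIN or
$GENERATE; both zone texts below are constructed.
"""
from collections import OrderedDict

PUBLIC_ZONE = """\
$TTL 3600
example.com.  IN SOA ns1.example.com. hostmaster.example.com. 2009032401 7200 900 1209600 3600
example.com.  IN NS  ns1.example.com.
ns1.example.com.     IN A     203.0.113.1
server1.example.com. IN A     203.0.113.11
server2.example.com. IN A     203.0.113.12
www.example.com.     IN CNAME server1.example.com.
"""

INTERNAL_ZONE = """\
$TTL 300
example.com.  IN SOA ns-int.example.com. hostmaster.example.com. 2009032405 7200 900 1209600 300
example.com.  IN NS  ns-int.example.com.
ns-int.example.com.  IN A 10.0.0.53
server2.example.com. IN A 10.0.0.12
"""


def parse_zone(text):
    """Split a zone file into ($-directives, {(owner, type): [record lines]}).
    Owners are lower-cased for comparison; record text is kept verbatim."""
    directives, rrsets = [], OrderedDict()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$"):
            directives.append(line)
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]
        if rest and rest[0].isdigit():             # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        rrsets.setdefault((owner, rest[0].upper()), []).append(line)
    return directives, rrsets


def merge_zones(internal_text, public_text):
    """Return (merged zone text, public (owner, type) keys that were dropped).

    Internal RRsets win, so SOA, NS and any overridden host come from the
    internal file.  A public CNAME is dropped when the internal zone has any
    data at that owner, and public data is dropped at an owner the internal
    zone defines as a CNAME, so the merge never produces the 'CNAME and
    other data' error that named rejects at load time.  Public records
    inherit the internal $TTL."""
    directives, merged = parse_zone(internal_text)
    _, public = parse_zone(public_text)
    internal_owners = {owner for (owner, _) in merged}
    cname_owners = {owner for (owner, rtype) in merged if rtype == "CNAME"}
    dropped = []
    for key, lines in public.items():
        owner, rtype = key
        if (key in merged
                or (rtype == "CNAME" and owner in internal_owners)
                or owner in cname_owners):
            dropped.append(key)
            continue
        merged[key] = lines
    body = [line for lines in merged.values() for line in lines]
    return "\n".join(directives + body) + "\n", dropped


if __name__ == "__main__":
    text, dropped = merge_zones(INTERNAL_ZONE, PUBLIC_ZONE)
    print(text)
    print("shadowed public RRsets:", dropped)
```

Write the merged text to the file the internal `zone "example.com"` statement loads (or to a file the internal zone `$INCLUDE`s), bump the internal serial, and run `named-checkzone example.com <file>` before reloading; the dropped list is worth logging so a public record silently hidden from internal clients is a deliberate choice, not a surprise.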

Fwd: No name resolution when slave is down

2009-03-20 Thread Chris Dew
-- Forwarded message --
From: Chris Dew 
Date: 2009/3/20
Subject: Re: No name resolution when slave is down
To: "Dennis J." 


Asking the obvious here, but does your domain registrar list both your
master and your slave as authoritative nameservers for your domain?

Could you provide the domain name in question?

Regards,

Chris Dew

http://www.finalcog.com

2009/3/20 Dennis J. 

> Hi,
> This morning the slave in our nameserver setup went down and surprisingly
> none of the domains hosted on these system could be resolved anymore even
> with the master working perfectly fine.
> When I send queries directly to the master it resolves the domains fine so
> I'm not sure why a failure of the slave leads to a total failure of the
> service.
> Does anyone have an idea what might cause this behavior?
>
> Regards,
>  Dennis

Re: how to archieve this?

2008-12-05 Thread Chris Dew
Have you considered dynamically regenerating view definitions based on your
rules?

If the results of your rules are stable for minutes at a time, it may work.

Regards,

Chris.

2008/12/5 Ken DBA <[EMAIL PROTECTED]>

>
>
>
> --- On Fri, 12/5/08, Kevin Darcy <[EMAIL PROTECTED]> wrote:
>
> > From: Kevin Darcy <[EMAIL PROTECTED]>
> > Subject: Re: how to archieve this?
> > To: "bind-users" 
> > Date: Friday, December 5, 2008, 2:17 PM
> > If you have money to spend, just buy a commercial
> > load-balancing solution.
> >
>
> I checked F5's 3DNS; it's about $40,000. Too expensive for us. :-(
>
>
>