Re: Zones-unable-update

2020-01-06 Thread Fajar A. Nugraha
On Mon, Jan 6, 2020 at 3:16 PM MEjaz  wrote:
> 1. My  primary name server,  /etc/named.conf,  and here am forcing transfer 
> to only few trusted servers, as mentioned in the below clause.
> transfers-out 2000;
> allow-transfer {212.119.93.5;213.230.0.10; 212.119.93.10; 212.119.92.6;};

> 2. secondary/slave  name server
> allow-transfer {"none";};
> I can't run this dig command from both dns server  " dig soa kalam.com.sa 
> @ns1.cyberia.net.sa axfr" since Secondary is not allowed to transfer any data,

Ok. So you ran this on ns2, right?

> Just now again I noticed at 11:03 GMT+3,  secondary server attempt to fetch 
> the data from master but no luck. same error as denied.

No, that might not be it.

> Jan  6 08:38:43 ns2 named[24436]: zone kalam.com.sa/IN: notify from 
> 212.119.92.5#37487: zone is up to date
> Jan  6 08:41:58 ns2 named[24436]: zone kalam.com.sa/IN: notify from 
> 212.119.92.5#52519: serial 2019434249
> Jan  6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 
> (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan  6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 
> (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan  6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: Transfer started.
> Jan  6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: transferred serial 
> 2019434249
> Jan  6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 
> (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

You're pasting the logs on ns2. While that helps, we also need the
logs on ns1. What does it say?

"denied" on ns2 is expected, since you have 'allow-transfer
{"none";};' on ns2. The question is "why does your ns2 ask ns2
(itself), when it should've asked only ns1 (the master)".

Did you perhaps set named.conf (or named.conf.local, depending on the
distro) on the ns2 incorrectly? Something like

zone "kalam.com.sa" {
type slave;
...
masters {
212.119.92.5;
};
};

How many IPs, and what IPs, did you put on the masters there? It
should only be ns1 (the master). If you put two, change it.


... then there's also the question of "why does 212.119.92.5 (ns1) ask
ns2 for zone transfer (which caused one of the denied lines), when the
master shouldn't even need to ask anyone". Not sure about this one
though.

> Do you advise simulating the setup on a testing environment, without the firewall?

In this case, only if you've setup named.conf correctly.

-- 
Fajar
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Zones-unable-update

2020-01-05 Thread Fajar A. Nugraha
On Mon, Jan 6, 2020 at 2:03 PM MEjaz  wrote:
>
> Thank you for your email.
>
>
>
> I am not cutting any logs, I am capturing only for that particular zone 
> which I have chosen for the test, as I can't do the test on live zones.
>
> This time I have noticed "denied" in my slave server logs as below; this is 
> something very strange, sometimes the zone transfers perfectly after two hours.
>
> However this time I need to wait and see whether this zone would transfer 
> after a few hours as seen before.
>
> Jan  6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 
> (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan  6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 
> (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

Well, fix that.

Something is causing the transfer to fail. Are 212.119.92.5 and
212.119.93.5 both allowed to transfer data (e.g. allow-transfer
configuration)?

> [root@ns2 ~]# dig soa kalam.com.sa @ns1.cyberia.net.sa axfr,  "with this I 
> can fetch all the correct update records"

Did you run this on both 212.119.92.5 and 212.119.93.5?

> Thanks in advance for your assistance. Do you think I should take a look 
> at the MTU size from our network side?

It's somewhat harder to check for temporary errors.

The easiest way, since you say that this is a "test", is to replicate
(i.e. same OS/distro, software versions, configs) your setup on test
VMs (or servers, if you have that), on the same network (e.g. VMs with
private network 10.x.x.x is fine), and see if it always works there.

If yes, then most likely the problem is somewhere in your network
(e.g. firewall).
If no, then the problem is somewhere in your bind configuration.

-- 
Fajar


Re: Zones-unable-update

2020-01-05 Thread Fajar A. Nugraha
On Thu, Jan 2, 2020 at 7:58 PM MEjaz  wrote:
>
> Hello all.
>
> My setup, which has one primary and one slave server, has been working fine for years.
>
> All of a sudden I started getting the problem of zone updates on the slave, 
> which are not happening on time: it takes two hours to pick up the updates.
>
>
>
> Below are logs for reference. When I make the required changes on the master, the 
> slave gets notified but does not transfer the updated zone.
>
>
>
> Jan  2 09:17:50 ns2 named[25563]: zone kalam.com.sa/IN: notify from 
> 212.119.92.5#34424: serial 2019434243
>
> Jan  2 09:24:45 ns2 named[25563]: zone kalam.com.sa/IN: notify from 
> 212.119.92.5#54651: serial 2019434245: refresh in progress, refresh check 
> queued
>
> Jan  2 11:12:53 ns2 named[25563]: zone kalam.com.sa/IN: Transfer started.
>
> Jan  2 11:12:53 ns2 named[25563]: zone kalam.com.sa/IN: transferred serial 
> 2019434245


Are you cutting out some logs?
If yes, please include all logs for the zone (kalam.com.sa) and the
master (212.119.92.5).

>
> Therefore, I wanted to know: how to force the secondary/slave name server to 
> update/refresh DNS zones from the primary DNS server? I just want the slave name 
> server to initiate a zone transfer immediately.


From https://kb.isc.org/docs/aa-00726:

notify from 192.0.2.1#62160: refresh in progress, refresh check queued

A notify was received, but the zone being notified was already in the
process of being refreshed or is waiting to be refreshed, so the check
is queued and will be processed later.


You can try:
- check your logs for what previously triggered the refresh process
(another notify?), and when it happened
- check your logs for WHY the previous transfer took a long time (and
check what the log means on the KB). e.g. does it show "connection
reset"? something else?
- are there lots of other slaves or zones currently transferring data
from the master at the same time?
- test whether you can manually request all records. Something like
running this on the slave: "dig kalam.com.sa @ns1.cyberia.net.sa axfr"

Some possible problems which come to mind:
- there's something in the middle (e.g. IPS) that's sending TCP
resets, which might cause your transfers to fail
- TCP MTU or similar problems

-- 
Fajar
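An added example (not from either of the two zone-transfer threads above, the 2020-01-05 and 2020-01-06 replies) that runs the checks Fajar asks for over the slave's own log: it parses BIND's syslog lines, measures how long after the NOTIFY for a serial that serial was actually transferred, notes NOTIFYs that were queued behind an earlier refresh, and splits the "zone transfer denied" lines by whether the requester is one of the slave's configured masters. The sample lines are constructed from the ns2 entries quoted above; the log year and the master list are assumptions supplied by the caller.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the ns2 lines quoted in the thread
# (syslog layout: "Mon DD HH:MM:SS host named[pid]: message").
SAMPLE_LOG = """\
Jan  6 08:38:43 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#37487: zone is up to date
Jan  6 08:41:58 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#52519: serial 2019434249
Jan  6 08:45:10 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#54651: serial 2019434249: refresh in progress, refresh check queued
Jan  6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan  6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan  6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: Transfer started.
Jan  6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: transferred serial 2019434249
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: (?P<msg>.*)$")
NOTIFY_RE = re.compile(r"^zone (?P<zone>\S+)/IN: notify from (?P<ip>[\d.]+)#\d+: "
                       r"serial (?P<serial>\d+)(?P<queued>: refresh in progress.*)?$")
DENIED_RE = re.compile(r"^client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \((?P<zone>\S+)\): "
                       r"zone transfer '\S+/(?P<kind>AXFR|IXFR)/IN' denied$")
XFER_RE = re.compile(r"^zone (?P<zone>\S+)/IN: transferred serial (?P<serial>\d+)(?::.*)?$")


def analyze(log_text, masters, year=2020):
    """Walk a slave's named log. `masters` is the set of IPs the slave is
    configured to pull from (an assumption: take it from the zone's
    `masters {}` clause); `year` is assumed because syslog omits it."""
    notified = {}   # (zone, serial) -> time of the first NOTIFY carrying that serial
    report = {"lag_seconds": {}, "queued": [],
              "denied_from_master": [], "denied_from_other": []}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        msg = m["msg"]
        if n := NOTIFY_RE.match(msg):
            key = (n["zone"], int(n["serial"]))
            notified.setdefault(key, ts)
            if n["queued"]:          # NOTIFY arrived while a refresh was still pending
                report["queued"].append((n["zone"], int(n["serial"]), ts))
        elif d := DENIED_RE.match(msg):
            bucket = "denied_from_master" if d["ip"] in masters else "denied_from_other"
            report[bucket].append((d["zone"], d["ip"], ts))
        elif x := XFER_RE.match(msg):
            key = (x["zone"], int(x["serial"]))
            if key in notified:
                report["lag_seconds"][key] = (ts - notified[key]).total_seconds()
    return report


def summarize(report, slow_after=300):
    """Operator-facing findings; `slow_after` (seconds) is an assumed threshold
    for 'this took far longer than a NOTIFY-triggered refresh should'."""
    out = []
    for (zone, serial), lag in sorted(report["lag_seconds"].items()):
        if lag > slow_after:
            out.append(f"{zone}: serial {serial} transferred {int(lag)}s after its NOTIFY")
    for zone, serial, ts in report["queued"]:
        out.append(f"{zone}: NOTIFY for serial {serial} at {ts:%H:%M:%S} was queued behind "
                   "an earlier refresh; find what started that refresh")
    for zone, ip, ts in report["denied_from_master"]:
        out.append(f"{zone}: configured master {ip} requested AXFR from this slave at "
                   f"{ts:%H:%M:%S} and was denied; the master should not be asking "
                   "this slave, so check the masters/also-notify lists on both servers")
    for zone, ip, ts in report["denied_from_other"]:
        out.append(f"{zone}: {ip} is not a configured master and was denied AXFR at "
                   f"{ts:%H:%M:%S}, which is what allow-transfer {{\"none\";}} is for")
    return out


if __name__ == "__main__":
    for finding in summarize(analyze(SAMPLE_LOG, masters={"212.119.92.5"})):
        print(finding)
```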


Re: bind-9.11.0-P2 on Debian 9.0 (stretch)

2017-01-27 Thread Fajar A. Nugraha
On Fri, Jan 27, 2017 at 7:20 PM, Wolfgang Riedel  wrote:

> Just wonder if there is some agreed guidance on what steps I SHOULD take
> to get bind-9.11.0-P2 successfully build on Debian 9.0?
>
>
The generic recommendation on debian would probably be 'use whatever the
distro comes with, as they maintain security fixes for those as well'.
Debian's bind9 package uses native-pkcs11 with libsofthsm2.so, but I
haven't been able to get this to work with bind-9.11.0-P2.

If you 'just want to build bind-9.11.0-P2', debian stretch has
libssl1.0-dev. Install that, then bind's simple ./configure (plus
--prefix=/opt/bind9, if you want) should be able to pick it up correctly.

-- 
Fajar

Re: Is there any reverse proxy software for dns or udp?

2015-01-30 Thread Fajar A. Nugraha
On Fri, Jan 30, 2015 at 9:07 AM, WXR 474745...@qq.com wrote:

> Is there any reverse proxy software for dns, which can do load
> balancing and caching for dns service, just like squid for http service?


What functionality do you need that can't be provided by bind? e.g.
https://www.safaribooksonline.com/library/view/dns-bind/0596004109/ch07s04.html

From that example, ns1.foo.example (192.168.0.1, the master) is your
real server (in http service, the one that gets proxied) while the slaves
(e.g. ns2.foo.example and ns.isp.net, the ones that are listed on your
registrar as nameservers for foo.example) run the equivalent of squid in
http service.

Load-balancing the slaves should happen automatically due to the way that
DNS works, while load-balancing the master should not even be necessary due
to the fact that it is rarely used (e.g. when configured correctly, the
slaves can run just fine even when the master is down for several hours).

-- 
Fajar

Re: Digging to the final IP

2014-10-19 Thread Fajar A. Nugraha
What are you using this for?

If it's part of a script, it might be easier to just use gethostbyname. For
example, in PHP (http://php.net/manual/en/function.gethostbyname.php) it
"Returns the IPv4 address or a string containing the unmodified hostname on
failure."

-- 
Fajar


On Mon, Oct 20, 2014 at 10:43 AM, Frank Bulk frnk...@iname.com wrote:

> Thanks, what I ended up using.
>
> Didn't think that there was anything host could do that dig couldn't do.
>
> Frank
>
> -Original Message-
> From: bind-users-boun...@lists.isc.org
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry Margolin
> Sent: Sunday, October 19, 2014 5:00 AM
> To: comp-protocols-dns-b...@isc.org
> Subject: Re: Digging to the final IP
>
> In article mailman.1097.1413711142.26362.bind-us...@lists.isc.org,
> Sten Carlsen st...@s-carlsen.dk wrote:
>
> > Would host be closer to what you want?
>
> Host also tells you about aliases it encounters along the way.
>
> >
> >
> > --
> > Best regards
> >
> > Sten Carlsen
> >
> > No improvements come from shouting:
> >
> > MALE BOVINE MANURE!!!
> >
> > > On 19 Oct 2014, at 08:05, Karl Auer ka...@biplane.com.au wrote:
> > >
> > > On Sun, 2014-10-19 at 00:26 -0500, Frank Bulk wrote:
> > > > Is there a dig option that will list out the final (IPs) or query
> > > > result??
> > > > By default, even with +short, it can list intermediate CNAME(s) and
> > > > not what IP(s) that CNAME may have.
> > >
> > > Not great, but might be enough to be helpful:
> > >
> > > dig +nonssearch $1 | egrep -i STATUS|^$1
> > >
> > > Regards, K.
> > >
> > > --
> > > ~~~
> > > Karl Auer (ka...@biplane.com.au)
> > > http://www.biplane.com.au/kauer
> > > http://twitter.com/kauer389
> > >
> > > GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
> > > Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
> > >
> > >

> --
> Barry Margolin
> Arlington, MA


Re: Value of memory

2014-08-06 Thread Fajar A. Nugraha
On Thu, Aug 7, 2014 at 10:39 AM, Robert Moskowitz r...@htt-consult.com wrote:
> I have a server that is only running bind 9.8.2 (Centos 6.5).  It has 2Gb
> memory and free reports ~1.7Gb used.
>
> I am looking at replacing this server with an armv7 board running Redsleeve
> (until Centos 7 is out and stable for armv7).  I have a choice of boards,
> one with 1Gb memory ($60) and one with 2Gb memory ($90).
>
> This server serves out my zones and supports the couple of handfuls of systems
> on my net.  I would like to eventually get to DNSSEC, but that is another
> stalled project.
>
> About the only meaningful difference between the two boards (btw,
> Cubieboard2 and Cubietruck) for my needs is the memory.  I know more memory
> is better, but how much better?
>
> Oh, why the move to arm?  Power consumption.  ROI for the C2 board is one
> year just on power saving.

It depends on how much load your server currently handles, and how your
cache is configured.

I'd start by looking at your server load. ARM still has lower
per-core performance compared to x86, so if you currently see high CPU
utilization by named, I'd stick with x86.

Next see how your memory cache is configured. That should be where
bind uses most memory. AFAIK by default max-cache-size is unlimited
and max-cache-ttl is set to several days. See how much memory bind
currently uses for cache, and then you can try configuring those two
parameters (e.g. set an explicit max-cache-size to 512MB) and see how
much memory bind (and the rest of the OS) uses then, and how well it
performs. If it's still acceptable, then you can probably go with the
1GB board.

Cache can reduce the number of queries issued upstream and is very
important on busy servers, but if you serve a relatively low number of
queries from your clients then you won't see much difference between
(e.g.) 512MB and 1GB cache.

-- 
Fajar


Re: Does bind read /etc/hosts?

2014-07-15 Thread Fajar A. Nugraha
On Wed, Jul 16, 2014 at 9:55 AM, Mark Andrews ma...@isc.org wrote:

> In message 53c5e714.5080...@thelounge.net, Reindl Harald writes:
> > > Can the LDNS return 10.10.10.1 defined in the /etc/hosts to the
> > > client?
> > > maybe some special configuration in named can support this feature
> >
> > wrong tool - dnsmasq can but on the other hand has no bind-like
> > zonefiles
>
> Neither dnsmasq nor named read /etc/hosts.

From dnsmasq man page:

...  It loads the contents of /etc/hosts so that local hostnames which
do not appear in the global DNS can be resolved and also answers DNS
queries for DHCP configured hosts

So dnsmasq does read /etc/hosts. Or did you mean something else?

-- 
Fajar


Re: AIX and 9.9.5 compiling

2014-05-09 Thread Fajar A. Nugraha
On Fri, May 9, 2014 at 5:36 PM, Tony Finch d...@dotat.at wrote:

> Edward DeLargy eddela...@gmail.com wrote:
>
> > I just want to verify that 9.9.5 can be compiled in AIX
>
> The README says:
>
> Building
>
> BIND 9 currently requires a UNIX system with an ANSI C compiler,
> basic POSIX support, and a 64 bit integer type.
>
> We've had successful builds and tests on the following systems:
> ...
> Fedora Core 6
> ...
> Ubuntu 7.04, 7.10

Wow. Fedora core 6 and Ubuntu 7.04? I wonder if anybody is actually
still using those. Makes you wonder just how often the README was
updated :)

-- 
Fajar


Re: Caching server - named process is limit at 500MB

2013-04-26 Thread Fajar A. Nugraha
On Wed, Apr 17, 2013 at 9:46 AM, Chu Ha Khanh khanh@svtech.com.vn wrote:
> Hi,
>
> Here is my output from command. It looks like my bind version is actually 32
> bit. But there are some default applications also 32 bit although all are
> installed on a 64 bit OS. I have to check this for a moment.

Correct.

If you want to blame someone, blame Oracle. I assume you HAVE some
kind of support contract for Solaris, since it's free for development
purposes only, and other uses require a support subscription. If you do,
you might be able to open a support ticket and get them to explain in
detail why they made that choice.

The short version is that Solaris uses and compiles 32-bit programs by default. In
the past I've forced some programs to compile as 64-bit by using something
like

export CFLAGS=-m64
./configure ...

Since you wrote you can't compile it with Sun Studio, try gcc with that flag.

-- 
Fajar


Re: limiting number of requests of a single hosts

2012-06-15 Thread Fajar A. Nugraha
On Fri, Jun 15, 2012 at 9:37 PM, Holemans Wim wim.holem...@ua.ac.be wrote:


> Wim Holemans
> Netwerkdienst Universiteit Antwerpen
> Network Services University of Antwerp
>
>
> One of the problems is that these firewalls are going to be replaced soon and 
> we don't want to spend too much effort in trying to fix what seems an annoying 
> side-effect of something caused by a DNS system.

You DO realize that DNS is (mostly) UDP packets, and an attacker (or
in your case, the ADs) can simply send UDP packet floods to kill your
firewall (in your current state), regardless of how your DNS server is
configured, even when the DNS server is down?

-- 
Fajar


Re: a domain can ns of itself?

2012-03-28 Thread Fajar A. Nugraha
On Thu, Mar 29, 2012 at 6:33 AM, Mohsen Pahlevanzadeh
moh...@pahlevanzadeh.org wrote:
> pahlevanzadeh.info. 14400 IN NS shared.pahlevanzadeh.info.
>
> Is it Possible?

Yes. Google does it.


$ dig google.com ns

; <<>> DiG 9.8.1-P1 <<>> google.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62917
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      NS

;; ANSWER SECTION:
google.com.             86399   IN      NS      ns4.google.com.
google.com.             86399   IN      NS      ns2.google.com.
google.com.             86399   IN      NS      ns1.google.com.
google.com.             86399   IN      NS      ns3.google.com.

;; Query time: 150 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Mar 29 06:42:55 2012
;; MSG SIZE  rcvd: 100


To do so, you must add glue records in your registrar. Different
registrars might have different ways to do so. Example for godaddy:
http://www.ehow.com/how_8116690_add-glue-records-godaddy.html

-- 
Fajar


Re: huge count of DNS deny hits

2012-01-11 Thread Fajar A. Nugraha
On Wed, Jan 11, 2012 at 1:27 PM, babu dheen babudh...@yahoo.co.in wrote:

> Dear Fajar,
>
> Below logs taken from Internal DNS server running in Microsoft DNS.

Then why did you ask this list instead of contacting MS support?

> I checked with client AV status, everything is fine (system is up to date 
> with DAT from McAfee AV and no threat found in the complete scan output).
>
> But really no idea why it happens. The client is pointed to use a different DNS 
> server but the DNS flood query is being sent to another DNS server.

AV doesn't catch all threats.

Anyway, from bind's perspective, a dns query asking for bind version
is a valid TXT query. But the query can be used by malware,
vulnerability scanners, or hackers looking for vulnerable bind
versions.

In a way, it's similar to ICMP echo (i.e. ping) packets. It's a valid
packet, but a lot of virus/malware is using it to determine which
neighbour hosts to attack. How do you handle ICMP flood cases? The
same mechanism should be applicable in this case.

-- 
Fajar


Re: huge count of DNS deny hits

2012-01-10 Thread Fajar A. Nugraha
On Wed, Jan 11, 2012 at 12:11 PM, babu dheen babudh...@yahoo.co.in wrote:

> Hi,
>
> I enabled the logs in the DNS server and I found the below lines from this client 
> continuously..
>
> 1/10/2012 9:14:30 AM 0FDC PACKET  05B489B0 UDP Snd Client IP    
> 1f23   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET  07342360 UDP Rcv Client IP   
> c63c   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET  07342360 UDP Snd Client IP 
> c63c   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET  04D728F0 UDP Rcv Client IP   
> a96a   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)


What log is this? AFAIK BIND log does not look like this. Is this firewall log?

> Is it something to do with Multicast DNS.

... and how did you determine that? wild guess?

> Can you give me more details about Multicast DNS

Try google, although I don't think that's your problem.

It might simply be the case that the client is infected with
virus/malware which targets vulnerability in certain versions of bind,
so it'd make sense that it first sends out a DNS query that asks for
bind version number (e.g.
http://www.brandonhutchinson.com/Determining_hiding_BIND_version_number.html)

Some things you might be able to do:
- setup a firewall rule that can ratelimit udp packets from any client
(e.g. iptables can do this)
- make sure your bind version is up-to-date (well, it's true for any
other software)
- configure named.conf not to show its version (use Google or bind
manual to find out how)

With those three steps in place, it shouldn't matter what queries the
client does, as the system will either ignore it, reply with useless
information, or automatically block it. However, if it still causes
problems (e.g. lots of UDP traffic eating up your bandwidth), then simply
block the client manually.

-- 
Fajar
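An added example (not the poster's log nor anything from Fajar): a Python detector for the query pattern in this thread. It decodes the Microsoft DNS debug log's length-prefixed names, keeps only the version.bind TXT queries the server received (the Snd lines are the server passing them on), and flags any client sending several in a short window, the same rate-based view Fajar's iptables suggestion takes. The log lines are constructed in the layout quoted above, with the documentation addresses 192.0.2.x standing in for the blanked-out client IP; the threshold and window are assumed values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Microsoft DNS debug-log layout quoted in the
# thread. The quoted lines had the client address blanked out; 192.0.2.x
# are documentation addresses standing in for it.
SAMPLE_LOG = """\
1/10/2012 9:14:30 AM 0FDC PACKET  07342360 UDP Rcv 192.0.2.10      c63c   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET  07342360 UDP Snd 192.0.2.10      c63c   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET  04D728F0 UDP Rcv 192.0.2.10      a96a   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
1/10/2012 9:14:31 AM 0FDC PACKET  05B489B0 UDP Rcv 192.0.2.10      1f23   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
1/10/2012 9:14:31 AM 0FDC PACKET  05B489B0 UDP Rcv 192.0.2.10      1f24   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
1/10/2012 9:14:32 AM 0FDC PACKET  0A1B2C30 UDP Rcv 192.0.2.20      77a1   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
1/10/2012 9:20:05 AM 0FDC PACKET  0A1B2C31 UDP Rcv 192.0.2.20      77a2   Q [0005 A D   NOERROR] TXT    (7)version(4)bind(0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ PACKET\s+\S+ "
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+\S+\s+(?P<qr>[QR]) "
    r"\[[^\]]*\] (?P<rtype>\S+)\s+(?P<qname>\S+)$"
)


def decode_qname(encoded):
    """Turn the log's length-prefixed form, e.g. (7)version(4)bind(0), into
    the dotted name version.bind; the zero-length root label is dropped."""
    labels = re.findall(r"\((\d+)\)([^(]*)", encoded)
    return ".".join(text for length, text in labels if int(length) > 0)


def version_bind_queries(log_text):
    """[(timestamp, client_ip)] for every version.bind TXT query the server
    received. Snd lines are the server forwarding the query on, so they are
    skipped to avoid counting the same query twice."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dir"] != "Rcv" or m["qr"] != "Q" or m["rtype"] != "TXT":
            continue
        if decode_qname(m["qname"]).lower() != "version.bind":
            continue
        events.append((datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"), m["ip"]))
    return events


def flag_clients(events, threshold=3, window=timedelta(seconds=60)):
    """{ip: peak} for clients that sent at least `threshold` version.bind
    queries inside any `window`-long interval (sliding window per client).
    Threshold and window are assumed values; tune them to the network."""
    by_ip = {}
    for ts, ip in events:
        by_ip.setdefault(ip, []).append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in flag_clients(version_bind_queries(SAMPLE_LOG)).items():
        print(f"{ip}: {peak} version.bind queries within 60s, candidate for rate limiting")
```

On the BIND side, the `version` statement in `options {}` controls what a version.bind query is answered with, which is the named.conf change Fajar lists.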


Re: huge count of DNS deny hits

2012-01-08 Thread Fajar A. Nugraha
On Mon, Jan 9, 2012 at 1:37 PM, babu dheen babudh...@yahoo.co.in wrote:
> Unfortunately, i have not enabled logs in my internal DNS server.

You just dismissed the only reliable source of information.


> Any idea ..

Without logs, you only have assumptions. The best assumption at this
point is that the client probably has a virus/malware, whose activity
(one of them anyway) is to look for vulnerable DNS servers.

-- 
Fajar


Re: register .org NS in root?

2012-01-01 Thread Fajar A. Nugraha
On Mon, Jan 2, 2012 at 10:58 AM, DNSbed.com supp...@dnsbedhosting.com wrote:
> Hi,
>
> I just noticed namecheap's NS servers are five .org hostnames:
>
> namecheap.com.  86400   IN  NS  ns3.mydyndns.org.
> namecheap.com.  86400   IN  NS  ns2.mydyndns.org.
> namecheap.com.  86400   IN  NS  ns1.mydyndns.org.
> namecheap.com.  86400   IN  NS  ns4.mydyndns.org.
> namecheap.com.  86400   IN  NS  ns5.mydyndns.org.
>
> .org is not served by the com/net NS servers group.
>
> So I want to know how they register ns1-5.mydyndns.org into the root's NS
> servers?

They don't.

The easy way to add NS for your zone is to use NS servers on another
zone. For example:

namecheap.com -> NS = ns*.mydyndns.org
mydyndns.org -> NS = ns*.dynamicnetworkservices.net.


> I ask this because, for example, I have the domain nsbeta.info.
>
> (info and org are served by the same NS servers group)
>
> I registered two NS records of dwdns1.nsbeta.info and dwdns2.nsbeta.info in
> org's NS servers.
>
> nsbeta.info itself is resolved by these two NS servers.
>
> But when I tried to setup a .net/.com domain to use these two NS, it can't
> setup, says NS is not registered.

You need to add glue records. For example, here's the instruction for
godaddy: http://www.ehow.com/how_8116690_add-glue-records-godaddy.html

-- 
Fajar


Re: register .org NS in root?

2012-01-01 Thread Fajar A. Nugraha
On Mon, Jan 2, 2012 at 12:35 PM, DNSbed.com supp...@dnsbedhosting.com wrote:
> Well, say I want to setup the domain mydots.net to use these two NS:
> dwdns1.nsbeta.info
> dwdns2.nsbeta.info
> How can I setup the glue in Godaddy?

Glue records are only needed if the ns is on the same domain. e.g.
nsbeta.info -> NS = dwdns1.nsbeta.info.

If you want another domain (e.g. mydots.net) to use
dwdns1.nsbeta.info. as NS, you should be able to just add it.

domain manager -> select domain name -> set nameservers -> I have
specific nameservers for my domains.

Anyway, since this is not BIND issue, you should contact godaddy
support if you still have problems.

-- 
Fajar


Re: Re: .TLD minimum number of nameservers rule

2011-12-13 Thread Fajar A. Nugraha
On Tue, Dec 13, 2011 at 3:53 PM,  nudge...@fastmail.fm wrote:
> > > For instance, would this be a problem when implementing a
> > > wide area bonjour subdomain using my own local dns server for clients that 
> > > are mobile (internal/external) ?
> >
> > Bonjour should work even without a DNS server.
>
> Reminds me of Cool Hand Luke: what we have here is a failure to 
> communicate :


Seems that way. I'm not very familiar with bonjour :) Apologies for
any incorrect suggestion on my part.

> > You could always create your own DNS server if you REALLY need those
> > record types :)
> > The cheapest VPS is about $15/year, which should be more than enough
> > for a secondary DNS server.
>
> I'm running Bind 9.6 and dnsextd (llq and tsig handling). I have split DNS 
> views based on source ip address
> and possession of a tsig key: 
> internal-trusted/external-trusted/internal-visitor/external-visitor.
> The DNS server and clients are all mac 10.6+ so I'm taking advantage of 
> mDNSResponder features such as
> looking in the system keychain for the tsig keys. I have a WAB subdomain for 
> dns-sd, etc. I've had to replace
> dnsextd with an older version, since current macosx versions are dead.
>
> I wondered if the limited access to DNS records at the top level of my domain 
> would be a problem.

It would if you setup WAB directly on that domain, as it seems that
WAB requires PTR records.

> My first thought was to take over the DNS for this domain but rfc882 saying a 
> domain must have at least
> 2 nameservers rules that out. Frankly, I probably don't understand enough 
> about how glue records function...

The easiest way seems to be to just create a subdomain. So if your main
domain is abc.com, you can have an NS entry on that domain for the
subdomain office.abc.com pointing to your public IP address. After
that, just setup everything (PTR records, etc) inside that subdomain.

Another option would be to just rent a VPS for your secondary nameserver.

-- 
Fajar


Re: Re: .TLD minimum number of nameservers rule

2011-12-12 Thread Fajar A. Nugraha
On Tue, Dec 13, 2011 at 6:20 AM,  nudge...@fastmail.fm wrote:
> Thanks all. Chris, Anand that's very useful to know, sorry Jeff and Philippe,
> your interesting suggestions won't work in this case.
>
> If I attack the problem from the other way down instead, the fact my current
> registrar doesn't allow me to add PTR or DNAME records to my top level domain
> limits what exactly ?

What IS the problem, exactly? You're describing two things that
don't seem to be related: number of NS for a zone, and PTR/DNAME
records.

If you don't own an IP address, then usually you don't need to
bother about PTR records at all. If you need to change PTR record for
an IP address that you use (e.g. VPS, colo, home connection, etc) you
usually need to ask your ISP to update/change it.

DNAME creates an alias for one or more subdomains of a domain. Chances
are you won't need it for common uses.

> For instance, would this be a problem when implementing a
> wide area bonjour subdomain using my own local dns server for clients that are
> mobile (internal/external) ?

Bonjour should work even without a DNS server.


> I'm only allowed to add A NS MX CNAME TXT and SRV records via the web 
> interface

... because those are the ones mostly used.

> of my registrar and I imagined that I'd need PTRs or a DNAME or some other glue
> frustratingly unavailable. Having heard your response to my original question,
> I'm now desperately wishing that I got that wrong...

You could always create your own DNS server if you REALLY need those
record types :)
The cheapest VPS is about $15/year, which should be more than enough
for a secondary DNS server.

-- 
Fajar


Re: reverse delegation from Telco

2011-11-04 Thread Fajar A. Nugraha
On Fri, Nov 4, 2011 at 1:11 PM, Jim Pazarena b...@paz.bz wrote:
> but that non-auth kinda bugs me, because for my 'full' /24 subnets,
> that never happens. And it's delegated from the same Telco (Telus)

That's because full /24 subnets can be delegated easily using
subdomains, while a /28 needs classless delegation
(http://www.ietf.org/rfc/rfc2317.txt), which requires the use of
CNAMEs.

As Chris said, your nameserver is NOT authoritative for the PTR record
(85.147.34.207.in-addr.arpa, which is a CNAME to
85.80-95.147.34.207.in-addr.arpa), but it IS authoritative for the PTR
record 85.80-95.147.34.207.in-addr.arpa.

-- 
Fajar
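An added example (not from the thread) that generates the RFC 2317 records Fajar describes for a block such as 207.34.147.80/28 and shows which owner name the customer's server is actually authoritative for once the parent's CNAME is followed. It uses Python's ipaddress module; ns1.example. is a placeholder nameserver, and the '80-95' label style follows the Telus delegation quoted above (the RFC's own '80/28' style is also supported).

```python
import ipaddress


def classless_delegation(prefix, nameservers, style="range"):
    """Records the parent in-addr.arpa zone needs for an RFC 2317 delegation
    of `prefix` (an IPv4 block smaller than a /24).

    style="range" builds the 80-95 label seen in the thread; style="cidr"
    builds the 80/28 label from the RFC's own example. Returns
    (parent_zone, child_zone, records) with records as zone-file lines."""
    net = ipaddress.ip_network(prefix)   # strict by default: rejects a misaligned start address
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 is for IPv4 blocks smaller than a /24")
    a, b, c, first = net.network_address.packed   # four octets as ints
    last = first + net.num_addresses - 1
    parent = f"{c}.{b}.{a}.in-addr.arpa."
    label = f"{first}-{last}" if style == "range" else f"{first}/{net.prefixlen}"
    child = f"{label}.{parent}"
    # The parent delegates the child zone, then points every host's natural
    # PTR owner at the matching name inside the child zone via CNAME.
    records = [f"{child}\tIN\tNS\t{ns}" for ns in nameservers]
    records += [f"{h}.{parent}\tIN\tCNAME\t{h}.{child}" for h in range(first, last + 1)]
    return parent, child, records


def authoritative_owner(ip, prefix, style="range"):
    """The name the customer's server is authoritative for after the parent's
    CNAME is followed, e.g. 85.80-95.147.34.207.in-addr.arpa. for 207.34.147.85."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(prefix):
        raise ValueError(f"{ip} is not inside {prefix}")
    _, child, _ = classless_delegation(prefix, [], style)
    return f"{addr.packed[3]}.{child}"


if __name__ == "__main__":
    parent, child, recs = classless_delegation("207.34.147.80/28", ["ns1.example."])
    print(f"; parent zone {parent} delegates {child}")
    print("\n".join(recs))
    print("; your server answers for:", authoritative_owner("207.34.147.85", "207.34.147.80/28"))
```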


Re: host versus nslookup

2011-10-13 Thread Fajar A. Nugraha
On Thu, Oct 13, 2011 at 1:05 PM, listmail listm...@entertech.com wrote:
> On Thu, 13 Oct 2011 03:33:30 +0700, Fajar A. Nugraha wrote
> > If you're concerned about what address programs get when they resolve
> > host names, then getent is a better choice as it also respects
> > nsswitch.conf and hosts file.
>
> According to the (almost useless) manpage for getent,

Yes, it can be improved :)

> all it does is lookups
> in local files, not name resolution.
>
> I can see how this would be useful if you were not using DNS, but


If your purpose is to diagnose "can the DNS server used as resolver
for my server resolve a particular FQDN", then either host or nslookup
will usually suffice, with dig giving more detailed output.

However, if your concern is "can my program find the IP address for a
particular FQDN", then getent will give more accurate info as it also
takes into consideration the content of nsswitch.conf and the sources
listed in that file. So getent might search local files, DNS, NIS,
or whatever source is listed for the hosts database in nsswitch.conf.

> What am I missing here?

From the man page:

    The getent program gathers entries from the specified administrative
    database using the specified search keys.  Where database is
    one of passwd, group, hosts, services, protocols, or networks.

In this particular case we're only interested in hosts.

I found a more detailed explanation in a Solaris reference, which
basically says getent asks the database sources in the order specified in
/etc/nsswitch.conf. So for example if your /etc/nsswitch.conf has
something like this:

hosts:  files dns

and your /etc/hosts has this entry

111.90.255.252  archive.ubuntu.com

then getent and host will give different results for
archive.ubuntu.com, since getent will search /etc/hosts first.


$ host archive.ubuntu.com
archive.ubuntu.com has address 91.189.92.180
archive.ubuntu.com has address 91.189.92.181
archive.ubuntu.com has address 91.189.92.182
archive.ubuntu.com has address 91.189.92.183
archive.ubuntu.com has address 91.189.92.184
archive.ubuntu.com has address 91.189.92.188
archive.ubuntu.com has address 91.189.92.190
archive.ubuntu.com has address 91.189.92.169
archive.ubuntu.com has address 91.189.92.170
archive.ubuntu.com has address 91.189.92.171
archive.ubuntu.com has address 91.189.92.176
archive.ubuntu.com has address 91.189.92.177
archive.ubuntu.com has address 91.189.92.179

$ getent hosts archive.ubuntu.com
111.90.255.252  archive.ubuntu.com


on the other hand both will give same result for google.com (which is
not in /etc/hosts)


www.google.com is an alias for www.l.google.com.
www.l.google.com has address 209.85.175.99
www.l.google.com has address 209.85.175.104
www.l.google.com has address 209.85.175.105
www.l.google.com has address 209.85.175.103
www.l.google.com has address 209.85.175.106
www.l.google.com has address 209.85.175.147

$ getent hosts www.google.com
209.85.175.99   www.l.google.com www.google.com
209.85.175.104  www.l.google.com www.google.com
209.85.175.105  www.l.google.com www.google.com
209.85.175.103  www.l.google.com www.google.com
209.85.175.106  www.l.google.com www.google.com
209.85.175.147  www.l.google.com www.google.com

-- 
Fajar
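A small model of the nsswitch behaviour described above, written as an added example for this thread (it is not code from the post or from glibc): it parses a constructed nsswitch.conf and /etc/hosts, walks the "hosts:" sources in order the way getent does, and contrasts that with a host-style lookup that goes straight to a stub DNS table standing in for a real resolver. The hosts entry and the stub DNS addresses are constructed to mirror the archive.ubuntu.com case in the post.

```python
"""Simulate 'getent hosts' versus 'host': getent honours the source order
in /etc/nsswitch.conf, so a name present in /etc/hosts is answered from
there before DNS is consulted, while host/dig/nslookup only ask DNS.
Added example, not code from the mailing-list post or from glibc; the
config fragments and the DNS answers below are constructed."""

# Constructed /etc/nsswitch.conf fragment; only the 'hosts' order matters here.
NSSWITCH_CONF = """
passwd:  files
group:   files
hosts:   files dns
"""

# Constructed /etc/hosts with the same override as in the post.
HOSTS_FILE = """
127.0.0.1       localhost
111.90.255.252  archive.ubuntu.com
"""

# Stub DNS source standing in for a real resolver (constructed addresses).
FAKE_DNS = {
    "archive.ubuntu.com": ["91.189.92.180", "91.189.92.181"],
    "www.google.com": ["209.85.175.99", "209.85.175.104"],
}


def nsswitch_sources(conf_text, database="hosts"):
    """Ordered sources for one database, e.g. ['files', 'dns']."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        if db.strip() == database:
            return sources.split()
    return []


def parse_hosts(hosts_text):
    """Map every name and alias in an /etc/hosts file to its addresses."""
    table = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def lookup_files(name, hosts_text):
    """The 'files' source: a plain /etc/hosts scan."""
    return parse_hosts(hosts_text).get(name.lower(), [])


def lookup_dns(name, dns_table):
    """The 'dns' source: here a dictionary, in reality the resolver library."""
    return list(dns_table.get(name.lower(), []))


def getent_hosts(name, conf_text=NSSWITCH_CONF, hosts_text=HOSTS_FILE,
                 dns_table=FAKE_DNS):
    """Resolve like 'getent hosts': walk the nsswitch sources in order and
    return (source, addresses) from the first source that has an answer."""
    for source in nsswitch_sources(conf_text, "hosts"):
        if source == "files":
            addrs = lookup_files(name, hosts_text)
        elif source == "dns":
            addrs = lookup_dns(name, dns_table)
        else:
            continue  # nis, ldap, ... are not modelled in this example
        if addrs:
            return source, addrs
    return None, []


def host_command(name, dns_table=FAKE_DNS):
    """'host' (like dig and nslookup) ignores nsswitch.conf and asks DNS directly."""
    return lookup_dns(name, dns_table)


if __name__ == "__main__":
    for n in ("archive.ubuntu.com", "www.google.com"):
        print(n, "host ->", host_command(n), "getent ->", getent_hosts(n))
```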


Re: host versus nslookup

2011-10-12 Thread Fajar A. Nugraha
On Thu, Oct 13, 2011 at 3:23 AM, Sten Carlsen st...@s-carlsen.dk wrote:
> > Use dig.
> >
> > Always use dig.
>
> I don't quite agree, for debugging bind, use dig - for debugging lookup
> issues on some machine, host will behave more like any normal program, using
> resolv.conf and what else and can point to some issues dig will not
> discover. E.g. normal SW using something else than DNS, because of some
> setup. Dig will never catch this.

If you're concerned about what address programs get when they resolve
host names, then getent is a better choice as it also respects
nsswitch.conf and the hosts file.

-- 
Fajar


Re: about the dig

2011-07-19 Thread Fajar A. Nugraha
On Tue, Jul 19, 2011 at 12:32 PM, Feng He short...@gmail.com wrote:
> Hi list,
>
> When I deleted all the entries in /etc/resolv.conf (I am using Linux),
> dig can't work.
> I was thinking since dig is a standard resolver,

What makes you think that? From the man page:

    dig (domain information groper) is a flexible tool for
    interrogating DNS name servers. It performs DNS lookups and displays
    the answers that are returned from the name server(s) that were
    queried.

> it should have the
> capability to follow the referral from root, thus it will work fine
> even there is no system dns resolving.

A resolver software capable of recursive operation should work fine.
dig's not it.

> Am I right?

Also from the man page:

    Unless it is told to query a specific name server, dig will try
    each of the servers listed in /etc/resolv.conf.

So something like "dig google.com @8.8.8.8" would work even without
any entries in /etc/resolv.conf, but if you don't tell it to use a
specific name server it won't work.

-- 
Fajar


Re: Client cannot resolve communities.intel.com

2011-07-04 Thread Fajar A. Nugraha
On Tue, Jul 5, 2011 at 10:29 AM, vr bind-u...@iotk.net wrote:
> Hello,
>
> I am trying to visit "http://communities.intel.com" using Iceweasel on a
> Debian desktop PC. No proxies.
>
> My client's /etc/resolv.conf points to my own Debian BIND 9.7.3 installed on a
> separate server and installed from distribution packages (bind9
> 1:9.7.3.dfsg-1~squeeze2).
>
> From myDesktop, NSLOOKUP fails but DIG shows a CNAME record. I see the same
> results from the BIND server so I've included just the output from myDesktop
> below. Also included below is my named.conf.
>
> Do I have something obvious in BIND screwed up?

Quite possibly so. And you use dig incorrectly too.

> me@myDesktop:~$ dig communities.intel.com ns.iotk.net

this should be

$ dig communities.intel.com @ns.iotk.net

> ;; ANSWER SECTION:
> communities.intel.com.  207     IN      CNAME   intel-2.hs.llnwd.net.

so it finds the cname ...


> ;; AUTHORITY SECTION:
> llnwd.net.              604800  IN      SOA     localhost. root.localhost.
> 2008071301 604800 86400 2419200 604800

... but your DNS has a broken record for llnwd.net. It should be

;; ANSWER SECTION:
llnwd.net.              3600    IN      SOA     dns11.llnwd.net. hostmaster.llnwd.net. 210 900 300 604800 300

> ;; QUESTION SECTION:
> ;ns.iotk.net.                   IN      A

This part is irrelevant; it's the result of your incorrect dig syntax.


> named.conf on 99.30.25.1

I can't see why the response for llnwd.net is incorrect. Try:

- rndc flush (or restart named)
- dig soa llnwd.net @99.30.25.1 (to retest your name server)
- dig soa llnwd.net @8.8.8.8 (to compare the result with google's public dns)
- dig soa llnwd.net +trace (to trace the delegation path)

It might show where the errors come from.

-- 
Fajar
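To make the comparison suggested above repeatable, here is an added example (not from the post or from BIND) that parses two dig transcripts, the local resolver's and a reference server's, and flags an SOA whose MNAME or RNAME is localhost as a locally configured dummy zone rather than the real delegation. The transcripts are constructed to match the shapes shown above, with the reference SOA taken from the "should be" values.

```python
"""Spot a bogus SOA in dig output, like the 'localhost. root.localhost.'
SOA for llnwd.net above: parse the ANSWER/AUTHORITY sections of two dig
runs and say whether the local answer looks like a stray locally
configured zone or just stale cache.  Added example, not from the post
or from BIND; both transcripts below are constructed.  dig prints each
record on one line, which is what the parser expects."""
import re

# Constructed transcript from the local resolver (same shape as the post).
LOCAL_DIG = """
;; QUESTION SECTION:
;communities.intel.com.         IN      A

;; ANSWER SECTION:
communities.intel.com.  207     IN      CNAME   intel-2.hs.llnwd.net.

;; AUTHORITY SECTION:
llnwd.net.              604800  IN      SOA     localhost. root.localhost. 2008071301 604800 86400 2419200 604800
"""

# Constructed transcript from a reference server (values from the post's "should be").
REFERENCE_DIG = """
;; ANSWER SECTION:
llnwd.net.              3600    IN      SOA     dns11.llnwd.net. hostmaster.llnwd.net. 210 900 300 604800 300
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Return {section: [(owner, ttl, class, type, rdata_fields), ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        # ';'-prefixed lines are comments or the question, not records.
        if not line.strip() or line.startswith(";") or current is None:
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        owner, ttl, klass, rtype = fields[:4]
        sections[current].append((owner.lower(), int(ttl), klass, rtype, fields[4:]))
    return sections


def find_soa(sections):
    """First SOA in ANSWER or AUTHORITY as (zone, mname, rname, serial), else None."""
    for sec in ("ANSWER", "AUTHORITY"):
        for owner, _ttl, _klass, rtype, rdata in sections.get(sec, []):
            if rtype == "SOA" and len(rdata) >= 3:
                return owner, rdata[0].lower(), rdata[1].lower(), int(rdata[2])
    return None


def _is_localhost(name):
    n = name.rstrip(".").lower()
    return n == "localhost" or n.endswith(".localhost")


def soa_looks_bogus(soa):
    """An SOA naming localhost as primary or contact is almost certainly a
    dummy zone defined on the local server, not the real zone."""
    if soa is None:
        return False
    _zone, mname, rname, _serial = soa
    return _is_localhost(mname) or _is_localhost(rname)


def compare_soa(local_text, reference_text):
    """Diagnose why the local resolver's SOA differs from the reference's."""
    local = find_soa(parse_dig(local_text))
    ref = find_soa(parse_dig(reference_text))
    if local is None:
        return "no SOA returned by local resolver"
    if soa_looks_bogus(local):
        return (f"local SOA for {local[0]} is bogus ({local[1]} {local[2]}): "
                "check named.conf for a stray zone")
    if ref is not None and local[1] != ref[1]:
        return (f"local SOA mname {local[1]} differs from reference {ref[1]}: "
                "stale cache, try rndc flush")
    return "local SOA matches reference"


if __name__ == "__main__":
    print(compare_soa(LOCAL_DIG, REFERENCE_DIG))
```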


Re: better performance with 32 bit ! why?

2011-06-29 Thread Fajar A. Nugraha
On Wed, Jun 29, 2011 at 8:33 PM,  iharrathi@orange-ftgroup.com wrote:
> on server1(64 bit) i have 2 Intel E5310 quad-core 1.6Ghz and on server2(32
> bit) i have 2 Intel Xeon dual-core 2.33Ghz.
> means 8*1.6 Ghz on server1 and 4*2.33 on server2.
>
> 8*1.6 is better and faster than 4*2.33, no?

Sometimes I wonder if people REALLY read the replies sent to the list.
If they don't read it, then why bother asking?

David has mentioned that the reason your 32bit server is faster is
because it has higher clock speed (2.33 GHz). Elvin has also mentioned
that the 32 bit 2.33GHz CPU might actually win out purely based on the
higher clock frequency. Basically what they're saying is that for
BIND, clock speed of a SINGLE core is more important than the TOTAL
sum of all core speeds. So if you'd read their responses you wouldn't
say "8*1.6 is better and faster than 4*2.33", because the total doesn't
matter in this case.

From my experience:
- clock speed of a SINGLE core matters. A lot.
- going from 2 cores to 4 cores gives about a 50% improvement, but going
from 4 to 8 cores doesn't give any significant improvement
- x86_64 simply kicks ass compared to power or sparc. Stick with x86_64
if you're using BIND, don't bother with other archs (which are more
expensive and give lower performance. At least it was true at that time).
- 64 bit OS and userland gives the benefit of more addressable memory.
In BIND's case, this means more memory for cache, which (depending on
the type of load) can lead to higher performance (only if you
configure it to use the memory for cache, of course).

-- 
Fajar


Re: What is DNS Tunneling

2011-06-20 Thread Fajar A. Nugraha
On Mon, Jun 20, 2011 at 1:56 PM, babu dheen babudh...@yahoo.co.in wrote:

> Hi,
>
> Can anyone explain what is DNS tunneling because i am seeing large number of
> DNS tunneling attack in IPS from one machine in the LAN.

Did you try Google?

First entry is very informative: http://www.dnstunnel.de/

-- 
Fajar


Re: Help needed

2011-06-14 Thread Fajar A. Nugraha
On Tue, Jun 14, 2011 at 3:04 PM, Vignesh Gadiyar vcgadi...@gmail.com wrote:
> Hi,
> I am Vignesh from Bangalore and i was developing an application using Open
> source BIND wherein i needed to know where exactly, i mean from which
> function do we get the IP addresses looked up from the Domain names
> inputted, so as to perform the required functions on those ip addresses and
> return my result back to the client.i don't want to hack the the name server
> as such. I just want to know
> where i will be able to get the results obtained from the name server as
> in from which function?.Any sort of help will be appreciated.
> Regards,
> Vignesh.

What will you use BIND for?

If it's just to resolve hostnames, most programming languages have
gethostbyname() and gethostbyaddr(), which should work even without
having BIND explicitly installed.

-- 
Fajar


Re: Help needed

2011-06-14 Thread Fajar A. Nugraha
Please don't remove cc to the list

On Tue, Jun 14, 2011 at 5:27 PM, Vignesh Gadiyar vcgadi...@gmail.com wrote:
> BIND gives us the resolved IP addresses right before sending back the reply.
> I have a code which ranks those based on some parameters. I wanted to know
> where exactly in BIND should we add that code.
> Regards.

Now that you're giving more details, hopefully others will be able to help you.

-- 
Fajar


> On Tue, Jun 14, 2011 at 3:08 PM, Fajar A. Nugraha w...@fajar.net wrote:
>
> > On Tue, Jun 14, 2011 at 3:04 PM, Vignesh Gadiyar vcgadi...@gmail.com
> > wrote:
> > > Hi,
> > > I am Vignesh from Bangalore and i was developing an application using
> > > Open
> > > source BIND wherein i needed to know where exactly, i mean from which
> > > function do we get the IP addresses looked up from the Domain names
> > > inputted, so as to perform the required functions on those ip addresses
> > > and
> > > return my result back to the client.i don't want to hack the the name
> > > server
> > > as such. I just want to know
> > > where i will be able to get the results obtained from the name server as
> > > in from which function?.Any sort of help will be appreciated.
> > > Regards,
> > > Vignesh.
> >
> > What will you use BIND for?
> >
> > If it's just to resolve hostnames, most programming languages have
> > gethostbyname() and gethostbyaddr(), which should work even without
> > having BIND explicitly installed.


Re: Hosting my company DNS server in Internet

2011-05-30 Thread Fajar A. Nugraha
On Mon, May 30, 2011 at 3:45 PM, babu dheen babudh...@yahoo.co.in wrote:

> Dear Olsen,
>
> thanks for the update. I can follow all the steps but i couldn't understand
> below two points
>
> > - register/buy the domain name(s) if you haven't already done so.
> > - tell your registrar to configure your parent domain so it'll delegate
> > your domain to your nameservers


Have you EVER managed a domain before, whether hosted or not?
If not, then I HIGHLY recommend you just use a hosting provider and
have them manage both your website and DNS.

Back to your original question:

> My concern if i want to host my own website, do i need to pay to my ISP?

That depends. You obviously pay them for internet access. You MIGHT
need to pay them if you also use other services, like
- buy your domain from your ISP
- use your ISP's name server for secondary name server
- use your ISP's MX
- use additional IP address for your website

> and please suggest me that if we want to host our parent domain (company.com)
> also in our own DNS server.

Again, it depends.
If you know how to set it up, then no, you don't need to pay
additional money to your ISP. But it could be YES, if you use some of
their services (see above).


If you have no idea what I'm talking about, here's a somewhat simple
checklist you can look at before you decide whether to run your own
DNS/web server:

(1) Do you know which service you want to create?
Is it a web server? Is it a mail server? Is it a DNS server? All of them?

(2) Do you know the difference between the services you're trying to
create?
What each does? Which software to use? etc.

(3) Do you know how they work?
Can you setup a web server from scratch? Can you setup a DNS server
from scratch? Do you know about DNS hierarchy? etc.

(4) Can you manage the servers/services?
Do you know how to keep your system secure? Do you know how to update
a web page or a DNS record? Do you need a HA setup? etc.


If the answer to any one of them is NO, then just use a hosting
provider and have them manage both your website and DNS.

This list is about the DNS software BIND, not about creating your own
website/DNS server. If you have a specific question about BIND, feel
free to ask.

-- 
Fajar


Re: Operating system recommendation

2011-03-13 Thread Fajar A. Nugraha
On Mon, Mar 14, 2011 at 1:43 AM, Ben McGinnes b...@adversary.org wrote:
> On 12/03/11 12:30 AM, Lightner, Jeff wrote:
> > As the prior poster said RedHat still supports RHEL4 (7 years or
> > more) and RHEL5 (4 years or more) and has now released RHEL6.
>
> Actually EOL for RHEL4 was announced last month, one more year and
> it's gone (not counting paying exorbitant sums for additional
> support):
>
> https://rhn.redhat.com/errata/RHSA-2011-0219.html

There's nothing really new in that announcement, as the end of the regular
life cycle was determined long ago. In any case, back to the
OP's original question: if he's concerned about "Debian is changing
their versions too soon and only has support for 1 version", then
RHEL/Centos is a good choice. Choosing RHEL6 will guarantee regular
life cycle availability until 2017.

If you don't have money to pay for support, you can download a 30-day
RHEL trial, and either get support or switch to Centos later.

-- 
Fajar


Re: Operating system recommendation

2011-03-10 Thread Fajar A. Nugraha
On Thu, Mar 10, 2011 at 2:52 AM, pollex andres.vi...@gmail.com wrote:
> Hi, I want to know in your experience what is the best operating
> system to run bind for an ISP. We currently have Debian for the 5
> Cache servers and for the 2 Authoritative servers.
> We have around 111851 successful queries in the cache servers and around
> 7267 zones created in the authoritative servers.
> We are doing a major re analysis for all the architecture and Debian
> is changing to soon their versions and only have support for 1 version
> before so I don't know if this is best option

If your main concern is OS support I suggest go with RHEL (or if you
don't have money and just need updates, Centos). RHEL currently
supports three versions of their OS: RHEL 4 - 6 as part of 7-year
regular life cycle
(https://access.redhat.com/support/policy/updates/errata/).

If your concern is performance, then I say CPU arch matters more than
OS. I've had much better performance with bind running on top of
x86_64 compared to sparc or ppc.

-- 
Fajar


Re: Operating system recommendation

2011-03-10 Thread Fajar A. Nugraha
On Fri, Mar 11, 2011 at 9:55 AM, Dan d...@sunsaturn.com wrote:

> I think there are really 2 sides to this, whether your after an OS easy to
> maintain, with great stability, or best performance. I think you'll fall in
> love with freebsd if you give it a try,

Try explaining that to managerial types who think "we will only use
enterprise-class software, anything else is inferior".

It took about ten years to get them to use RHEL/x86_64 as the default
first choice (to get price-performance-manageability balance).
Previously they'd rather use solaris on a 650-MHz ultrasparc-ii instead
of Linux on a 2GHz-Xeon (which kicked ultrasparc-ii's ass in both price
and performance). The reasoning back then was simple: none of the
local big guys (HP, IBM, etc.) offered support down to OS level when it
came to Linux. Even when the current support contract with Sun did
not include OS support (it's pretty much "I feel safe cause they offer
it, but I don't wanna buy it").

We had to show "Our in-house team can manage by themselves even
without the local big guys, and you can always purchase additional
support from the principal if you need to". After several hundred
installations, they finally saw that RHEL/x86_64 gets the job done
(for most purposes anyway) with only a fraction of the cost.

... and they still reject using
Ubuntu/Gentoo/*BSD/opensolaris/whatever-other-*nix-you-name-it until
today :P

Since Pollex mentioned the need for support, IMHO RHEL/Centos is a good start.

> on otherhand if your after as many
> queries per second for a machine as possible, I have had better experience
> using epoll on linux vs kqueue on freebsd, programming network applications
> with libevent.

That's another thing. I haven't found other *nix running on x86 that
is able to reliably beat Linux performance-wise. (open)Solaris was
once promising (they published some benchmark about how solaris is
better than RHEL for running MySQL), but the current license/support
model made it unattractive for running on non-Sun/Oracle hardware.


> Then you have to factor in if you plan on getting the latest hardware all
> the time, which linux tends to support much quicker. Factor I usually
> consider is how much more performance vs headache of linux administration.
> Also consider freebsd has native ZFS support making it easy to swap in/out
> drives quickly for any I/O bottlenecks, as well as much more configuration
> options for anything you install though a make config in ports directory.

I used Gentoo (comes with Portage, similar to BSD ports) in the past.
While it's highly flexible, it becomes a hassle to compile the same
thing several hundred times.

Native zfs support is very attractive, but for the moment we can
substitute that by using (depending on circumstances):
- storage appliance (like NetApp)
- hw/sw raid + LVM
- btrfs
- zfs-fuse and zfsonlinux


> The last consideration should be your knowledge set of unix in general,
> if your linux understanding is really good, then it may be time to graduate
> from newbie linux admin to senior solaris/freebsd admin, only installing
> linux where necessary to make your life as easy as possible.

In my case it's the reverse direction :D

Started with Tru64, then moved to Solaris and AIX, then found out Linux
makes life easier while still being able to reuse *nix knowledge (LVM,
clustering, journaling filesystem, etc). And then after being an
experienced Linux sysadmin, you'll begin to see how those
Unix-local-support guys used to do stupid things (like NOT using UFS
journaling by default on Solaris, resulting in the need to fsck on every
abnormal shutdown).

In the end, to each his own preference, I guess.

-- 
Fajar


Re: multi-master with mysql backend

2011-02-13 Thread Fajar A. Nugraha
On Mon, Feb 14, 2011 at 6:24 AM, Doug Barton do...@dougbarton.us wrote:
> On 2/13/2011 8:06 AM, fddi wrote:
>
> > I do not know why you really don't like this mysql solution.
>
> It isn't a matter of not liking it. Given that you have steadfastly
> refused to answer any of the questions from people who are trying to help
> you, my feeling is that you have decided that you want to use mysql no
> matter what, and you're not really interested in discussing A) What you're
> actually trying to accomplish, and B) What might be the best tool for doing
> that job.

All things considered, it might be that the best tool for that specific
need is not bind at all, but something like mydns.

-- 
Fajar


Re: Bind hang out when named reach to 5-600 Mb

2010-07-08 Thread Fajar A. Nugraha
On Thu, Jul 8, 2010 at 4:30 PM, khanh rua duonghoahoc_k4...@yahoo.com wrote:
> Hi,
>
> I installed bind as a cache server on Solaris 10, Sun Sparc T5140. It has a
> problem, bind always hangs when named reaches 5-600 Mb ('prstat' check).

How did you determine that it hangs?
If you enable query log, you might be able to see if it's actually
serving queries at that time.

Also, how is the cpu and disk usage at that time? (I'm trying to see if
you have cpu or disk as the bottleneck.)

My guess is that:
- one of your CPU threads is at 100% usage
- named is busy serving queries already, so that the new query you
issued does not get processed in a timely manner.

> I have several servers and all have this problem even when i install bind in
> zone or try with a 64bit version.  T5140's a powerful server but bind can't
> make use of its power.

IMHO, it's not really a named-specific problem. The thing is Sun/Oracle
T-series processors don't perform well with single thread loads. And
(last time I checked anyway) even though bind can make use of multiple
processors/threads, single thread performance still matters a lot.

So you'd probably get much better performance when running named with
say ... a generic x86 server/PC with Intel Xeon/Core i-series.

-- 
Fajar


Re: hosts or subnet number in delegation?

2010-02-23 Thread Fajar A. Nugraha
On Wed, Feb 24, 2010 at 2:01 PM, sasa sasa sasasa20...@yahoo.com wrote:
> Hello,
> for a 192.168.199.64/26 in zone file to delegate to a customer;
> should i put subnet number:
> 64/26 IN NS ns1.example.com.
> 64/26 IN NS ns2.example.com.
> or host ranges:
> 64-126 IN NS ns1.example.com.
> 64-126 IN NS ns2.example.com.

Doesn't really matter.
With the former, the client needs to create a zone called
64/26.199.169.192.in-addr.arpa, while in the latter the zone would be
64-126.199.169.192.in-addr.arpa

See http://www.zytrax.com/books/dns/ch9/reverse.html for example.

-- 
Fajar
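An added example that covers both this thread and the earlier "reverse delegation from Telco" reply (it is not code from either post, from BIND, or from the zytrax page): it generates the RFC 2317 classless delegation for a sub-/24 block with either the "64/26" or the "64-126" style label, the per-address CNAMEs the parent /24 zone needs, and the name under which the customer's PTR then lives. The range-style label here covers the whole block (64-127), where the post used 64-126; as the reply says, the label is just a name, so either works as long as both sides agree. Network blocks and nameserver names below are constructed.

```python
"""RFC 2317 classless in-addr.arpa delegation for blocks smaller than a /24:
the parent /24 zone gets NS records for a sub-zone label plus one CNAME per
address pointing into that sub-zone, and the customer's zone holds the PTRs.
Added example, not from the posts or from BIND; inputs are constructed."""
import ipaddress


def parent_zone(block):
    """192.168.199.64/26 -> '199.168.192.in-addr.arpa.' (the /24 it sits in)."""
    net = ipaddress.ip_network(block, strict=True)
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 is for blocks smaller than a /24")
    o1, o2, o3, _ = str(net.network_address).split(".")
    return f"{o3}.{o2}.{o1}.in-addr.arpa."


def subzone_label(block, style="cidr"):
    """Label of the classless sub-zone: '64/26' (cidr) or '64-127' (range)."""
    net = ipaddress.ip_network(block, strict=True)
    first = int(net.network_address) & 0xFF
    last = int(net.broadcast_address) & 0xFF
    if style == "cidr":
        return f"{first}/{net.prefixlen}"
    if style == "range":
        return f"{first}-{last}"
    raise ValueError("style must be 'cidr' or 'range'")


def delegation_records(block, nameservers, style="cidr"):
    """Records the ISP adds to the parent /24 zone (owner names relative to it):
    NS records for the sub-zone label, then a CNAME for every address."""
    net = ipaddress.ip_network(block, strict=True)
    label = subzone_label(block, style)
    lines = [f"{label:<12} IN NS {ns}" for ns in nameservers]
    for addr in net:  # all addresses of the block, as RFC 2317 does
        host = int(addr) & 0xFF
        lines.append(f"{host:<12} IN CNAME {host}.{label}")
    return lines


def customer_zone_name(block, style="cidr"):
    """The zone the customer must serve, e.g. '64/26.199.168.192.in-addr.arpa.'."""
    return f"{subzone_label(block, style)}.{parent_zone(block)}"


def ptr_owner(address, block, style="cidr"):
    """Where the PTR for one address lives under the classless scheme; this is
    the name the CNAME in the parent zone points at."""
    net = ipaddress.ip_network(block, strict=True)
    ip = ipaddress.ip_address(address)
    if ip not in net:
        raise ValueError(f"{address} is not in {block}")
    return f"{int(ip) & 0xFF}.{customer_zone_name(block, style)}"


if __name__ == "__main__":
    for rr in delegation_records("192.168.199.64/26",
                                 ["ns1.example.com.", "ns2.example.com."], "range")[:4]:
        print(rr)
    print(customer_zone_name("192.168.199.64/26"))
    print(ptr_owner("207.34.147.85", "207.34.147.80/28", "range"))
```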


Re: Building 9.6.1-P2 for 32-bit Redhat RHEL 5.4

2009-11-28 Thread Fajar A. Nugraha
On Sat, Nov 28, 2009 at 5:00 PM, Howard Wilkinson how...@cohtech.com wrote:
> At present I do not have a 32-bit build environment I can try to natively
> build this on, and was hoping that somebody could suggest how I can get round
> this problem in the build environment I am using.

A generic workaround that has worked for me so far is to create a
32bit chroot environment, plus (for some special cases) setarch.
The easiest way to do that is by copying the entire filesystem from a
freshly-installed 32bit OS.

-- 
Fajar


Re: File System Choice

2009-11-25 Thread Fajar A. Nugraha
2009/11/26 万善义 w...@114.com.cn:
> 500,000 domains, with the Ext3 file system, DNS service starts very slow and
> therefore requires several hours before it can work properly. For the bind
> file system choice, are there any suggestions or advice?

Are you sure it's a filesystem issue? ext3 has a feature, dir_index,
which uses hashed b-trees to speed up lookups in large directories.
It's activated by default (at least on RHEL & Ubuntu, should be the
same on other modern distros). Try checking with dumpe2fs -h to make
sure you have it.

Also, you could organize the zone files (manually) so that they spread
over many directories instead of one.

-- 
Fajar
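One way to do the spreading suggested above, as an added example that is not code from the post or from BIND: bucket each zone file into a two-level directory tree keyed by a hash of the zone name, so the path is recomputable from the name alone, and emit the matching named.conf zone statement. The base directory and the zone names are constructed.

```python
"""Spread zone files over a hashed directory tree instead of one directory,
and generate the named.conf stanza pointing at each file.  Added example,
not from the post or from BIND; base path and zone names are constructed."""
import hashlib
import os


def zone_file_path(zone, base="/var/named/zones", depth=2):
    """Deterministic path such as /var/named/zones/3a/7f/example.com.zone:
    the first `depth` bytes of SHA-1(zone name) pick the subdirectories, so
    files spread evenly and the path can always be recomputed from the name."""
    name = zone.rstrip(".").lower()
    digest = hashlib.sha1(name.encode("idna")).hexdigest()
    buckets = [digest[2 * i:2 * i + 2] for i in range(depth)]
    return os.path.join(base, *buckets, f"{name}.zone")


def zone_statement(zone, base="/var/named/zones", depth=2):
    """named.conf stanza for a master zone stored under the bucket tree."""
    path = zone_file_path(zone, base, depth)
    return (f'zone "{zone.rstrip(".").lower()}" {{\n'
            f'    type master;\n'
            f'    file "{path}";\n'
            f'}};')


def bucket_spread(zones, base="/var/named/zones", depth=2):
    """Zones per leaf directory, to confirm no directory gets a large share."""
    counts = {}
    for z in zones:
        d = os.path.dirname(zone_file_path(z, base, depth))
        counts[d] = counts.get(d, 0) + 1
    return counts


if __name__ == "__main__":
    print(zone_statement("Example.COM."))
    spread = bucket_spread(f"zone{i}.example" for i in range(2000))
    print(len(spread), "directories, largest holds", max(spread.values()))
```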

Re: Bind-9.6 and Heavy Cpu Load

2009-09-26 Thread Fajar A. Nugraha
On Sat, Sep 26, 2009 at 5:43 PM, Bind b...@dci.ir wrote:
> Hello
> I have SunFire V880 (2 cpu +4G Ram) and installed bind 9.6.1-P1 on solaris
> 10.
> but my cpu load is very high!(above 90% during the peak time)
> bash-3.00# prstat -a
>    PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
>    562 root     2517M 2498M cpu0     0    0 1503:30:2  95% named/5
>   2394 root     3808K 3168K cpu2    59    0   0:00:00 0.9% prstat/1
>
> here is some related information:
> rndc status
> recursive clients: 841/9900/1
> My input traffic which shown by MRTG is about 2.5 Mbps received
> requests(udp 53) and is normal in our network behavior during the peak time.
> my question is:
> does this high cpu load relate to input requests and is normal or it relate
> to something else?

Can you get the number of requests per sec? I think you can get that
from the output of two rndc stats. On modern hardware it should be able
to handle several thousand reqs per sec easily.

Also, does named only use cpu0? It should be able to use all available
cpus. If not, you should be able to force it using -n.

For comparison purposes, you might want to try using x86 server for
DNS server and see the results. From my experience it's a lot cheaper
and more powerful (compared to sparc or ppc) when used with bind. YMMV
though.

-- 
Fajar
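The "two rndc stats" arithmetic from above, as an added example that is not code from the post or from BIND: each rndc stats run appends a block to named.stats whose header carries a Unix timestamp and whose "Incoming Requests" section carries a cumulative QUERY counter, so queries per second is the counter delta over the time delta. The two dumps below are constructed in the BIND 9.5+ named.stats layout, 60 seconds apart.

```python
"""Estimate queries per second (and the query-type mix) from two
consecutive 'rndc stats' dumps in named.stats.  Added example, not from
the post or from BIND; NAMED_STATS below is a constructed file."""
import re

NAMED_STATS = """\
+++ Statistics Dump +++ (1253950000)
++ Incoming Requests ++
            120000 QUERY
++ Incoming Queries ++
             90000 A
             30000 PTR
--- Statistics Dump --- (1253950000)
+++ Statistics Dump +++ (1253950060)
++ Incoming Requests ++
            282000 QUERY
++ Incoming Queries ++
            210000 A
             72000 PTR
--- Statistics Dump --- (1253950060)
"""

DUMP_START = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)")
SECTION = re.compile(r"^\+\+ (.+) \+\+$")
COUNTER = re.compile(r"^\s*(\d+) (.+)$")


def parse_named_stats(text):
    """Return a list of (timestamp, {section: {counter_name: value}}) per dump."""
    dumps, current, section = [], None, None
    for line in text.splitlines():
        m = DUMP_START.match(line)
        if m:
            current = (int(m.group(1)), {})
            dumps.append(current)
            section = None
            continue
        if current is None or line.startswith("---"):
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            current[1].setdefault(section, {})
            continue
        m = COUNTER.match(line)
        if m and section is not None:
            current[1][section][m.group(2)] = int(m.group(1))
    return dumps


def queries_per_second(text, section="Incoming Requests", counter="QUERY"):
    """qps over the interval between the last two dumps; the counters are
    cumulative since named started, so only the delta is meaningful."""
    dumps = parse_named_stats(text)
    if len(dumps) < 2:
        raise ValueError("need at least two dumps; run 'rndc stats' twice")
    (t0, s0), (t1, s1) = dumps[-2], dumps[-1]
    if t1 <= t0:
        raise ValueError("dumps are not in increasing time order")
    c0 = s0.get(section, {}).get(counter, 0)
    c1 = s1.get(section, {}).get(counter, 0)
    if c1 < c0:
        raise ValueError("counter went backwards (named restarted?)")
    return (c1 - c0) / (t1 - t0)


def query_type_mix(text):
    """Share of each query type over the last interval from 'Incoming Queries'."""
    dumps = parse_named_stats(text)
    if len(dumps) < 2:
        raise ValueError("need at least two dumps")
    q0 = dumps[-2][1].get("Incoming Queries", {})
    q1 = dumps[-1][1].get("Incoming Queries", {})
    deltas = {k: q1[k] - q0.get(k, 0) for k in q1}
    total = sum(deltas.values()) or 1
    return {k: round(v / total, 3) for k, v in deltas.items()}


if __name__ == "__main__":
    print("qps:", queries_per_second(NAMED_STATS))
    print("mix:", query_type_mix(NAMED_STATS))
```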


Re: Bind-9.6 and Heavy Cpu Load

2009-09-26 Thread Fajar A. Nugraha
On Sun, Sep 27, 2009 at 1:28 AM, Bind b...@dci.ir wrote:
> The number of requests is 2700 received pps and 2500 transmit pps.
>
> also i forced it to use both CPUs,(in prstat -a command the STATE
> column,shows named uses cpu0 then after moment it changed to cpu2) but heavy
> cpu load exists.

Assuming:
- the numbers you gave are queries per second
- your v880 has 1.5GHz Ultra sparc III CPU (or similar)

and considering:
- BIND's atomic locking performs better on some platform than others
(my experience was on x86 vs ppc)
- query per second numbers on
http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/376a455035df10c6

I'd say you're probably cpu bound and there's nothing much you can do
about it. You already disabled logging, right? This is just a rough
estimate though, YMMV. If you have a 2 or 4-way x86 server you can try
it and see if it performs better.

-- 
Fajar


Re: hardware requirements per hits

2009-08-19 Thread Fajar A. Nugraha
On Wed, Aug 19, 2009 at 12:47 AM, Subhan Malickmali...@illinois.edu wrote:
> On 8/17/09 10:15 PM, Fajar A. Nugraha wrote:
>
> > Here are some pointers from my experience though:
> > - syslog query logging is expensive. NEVER enable it. If you need to
> > log client queries, log it directly to file instead.
>
> I would like to hear more about why this is so. We are currently debating
> sending query logs to a remote syslog server to enhance some security tools.

It depends on your requirements.
In my case, sending the query log to syslog makes disk I/O the bottleneck.
Not really sure why logging to file directly fixes this issue, perhaps
syslog does a sync() for every line or something.

> We are running BIND 9.6.1-P1 with multithreading enabled on RHEL 4 (2
> dual-core 2.8 GHz Opterons with 1MB cache, 4G of RAM). I have run some tests
> and while there is some queries/sec hit, the RTTs are not terrible.
>
>  Queries per second:   2425.385916 qps

I got around 6000 qps on a similar test. Jinmei mentioned something
about getting 24k qps on a 4-way Opteron.

Again, it depends on your requirement. If your load is low enough, you
might be able to live with performance penalty imposed by syslog.

-- 
Fajar


Re: hardware requirements per hits

2009-08-17 Thread Fajar A. Nugraha
On Mon, Aug 17, 2009 at 8:50 PM, Alansbatpowe...@yahoo.co.uk wrote:
> @Matus: let me put it in this way, if I want to create a budget for next
> year for example, then I should know what upgrades I need for next year
> (estimated needs), and let's assume dns queries increase monthly by x hits,
> now, if I know how many hits will make me upgrade cpu and memory then I can
> find out my cpu and memory needs for next year, hope this explain to you why
> my question is not useless, at least for me.
> I'll be happy if you tell me another way to know my needs for next year.

I'm assuming you already have a running DNS server? In that case I'd
simply gather stats from it. What kind of hardware it currently has,
how much is current CPU and disk load, how many queries per second it
currently serves, etc. Based on that you can have a rough estimate as
to what you'd need to upgrade.

Here are some pointers from my experience though:
- syslog query logging is expensive. NEVER enable it. If you need to
log client queries, log it directly to file instead.
- disk I/O can be a serious bottleneck. If that's the case consider
disabling logging.
- BIND would generally work better with a faster CPU compared to
multiple CPUs/cores, e.g. 1 x 3GHz CPU could outperform 2 x 1.5GHz
CPUs.
- memory cache can speed things up to a point. Try allocating about
2-4G when you're handling lots of clients.

Those are very general pointers though, YMMV. You might find it easier
to simply add another server instead of upgrading.

-- 
Fajar