Re: Zones-unable-update
On Mon, Jan 6, 2020 at 3:16 PM MEjaz wrote:
> 1. My primary name server, /etc/named.conf, and here am forcing transfer
> to only few trusted servers, as mentioned in the below clause.
>
> transfers-out 2000;
> allow-transfer {212.119.93.5;213.230.0.10; 212.119.93.10; 212.119.92.6;};
>
> 2. secondary/slave name server
>
> allow-transfer {"none";};
>
> I can't run this dig command from both dns server "dig soa kalam.com.sa
> @ns1.cyberia.net.sa axfr" since Secondary is not allowed to transfer any data,

Ok. So you ran this on ns2, right?

> Just now again I noticed at 11:03 GMT+3, secondary server attempt to fetch
> the data from master but no luck. same error as denied.

No, that might not be it.

> Jan 6 08:38:43 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#37487: zone is up to date
> Jan 6 08:41:58 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#52519: serial 2019434249
> Jan 6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan 6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan 6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: Transfer started.
> Jan 6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: transferred serial 2019434249
> Jan 6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

You're pasting the logs on ns2. While that helps, we also need the logs on ns1. What does it say?

"denied" on ns2 is expected, since you have 'allow-transfer {"none";};' on ns2. The question is "why does your ns2 ask ns2 (itself), when it should've asked only ns1 (the master)".

Did you perhaps set named.conf (or named.conf.local, depending on the distro) on ns2 incorrectly? Something like

    zone "kalam.com.sa" {
        type slave;
        ...
        masters { 212.119.92.5; };
    };

How many IPs, and what IPs, did you put on the masters there? It should only be ns1 (the master). If you put two, change it.

... then there's also the question of "why does 212.119.92.5 (ns1) ask ns2 for zone transfer (which caused one of the denied lines), when the master shouldn't even need to ask anyone". Not sure about this one though.

> Do you advise simulating the setup on a testing environment, without the firewall?

In this case, only if you've setup named.conf correctly.

--
Fajar
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
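As an added illustration of how to read those ns2 log lines (this script is not from the thread), here is a small Python parser that checks BIND's notify and AXFR-denied messages against the configured master and the secondary's own address, and measures how long a transfer lagged behind its notify. The log lines, zone, serial and 212.119.92.5 as master are from the messages above; treating 212.119.93.5 as ns2's own address is an assumption.

```python
import re
from datetime import datetime

# ns2 log lines exactly as quoted in this thread (zone, serial and addresses are
# the poster's). syslog omits the year, so 2020 is assumed when parsing times.
SAMPLE_LOG = """\
Jan 6 08:38:43 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#37487: zone is up to date
Jan 6 08:41:58 ns2 named[24436]: zone kalam.com.sa/IN: notify from 212.119.92.5#52519: serial 2019434249
Jan 6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan 6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan 6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: Transfer started.
Jan 6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: transferred serial 2019434249
Jan 6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: (?P<rest>.*)$")
NOTIFY_RE = re.compile(r"zone (?P<zone>\S+)/IN: notify from (?P<src>[\d.]+)#\d+: (?P<msg>.*)")
DENIED_RE = re.compile(r"client @\S+ (?P<src>[\d.]+)#\d+ \((?P<zone>[^)]+)\): zone transfer '\S+/AXFR/IN' denied")
XFER_RE = re.compile(r"zone (?P<zone>\S+)/IN: transferred serial (?P<serial>\d+)")


def parse_ts(text, year):
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyse(log_text, zone, masters, self_addrs, year=2020):
    """Scan a secondary's named log for one zone.

    masters:    addresses the secondary is supposed to pull from
    self_addrs: the secondary's own addresses (assumed: 212.119.93.5 is ns2)
    Returns anomalies worth chasing plus notify-to-transfer lag in seconds."""
    masters, self_addrs = set(masters), set(self_addrs)
    findings = []
    lags = []
    pending = None  # (time, serial) of the latest notify not yet transferred
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, rest = parse_ts(m["ts"], year), m["rest"]
        n = NOTIFY_RE.match(rest)
        d = DENIED_RE.match(rest)
        x = XFER_RE.match(rest)
        if n and n["zone"] == zone:
            # A notify from anything but a configured master is suspect.
            if n["src"] not in masters:
                findings.append(f"notify for {zone} from non-master {n['src']}")
            serial = re.match(r"serial (\d+)", n["msg"])
            if serial:
                pending = (ts, int(serial.group(1)))
        elif d and d["zone"] == zone:
            if d["src"] in self_addrs:
                findings.append(f"secondary asked itself ({d['src']}) for AXFR: check the masters list")
            elif d["src"] in masters:
                findings.append(f"master {d['src']} asked this secondary for AXFR: a master never needs to pull")
            else:
                findings.append(f"AXFR of {zone} denied to {d['src']}")
        elif x and x["zone"] == zone:
            # Lag between the notify that announced this serial and the transfer.
            if pending and int(x["serial"]) == pending[1]:
                lags.append((ts - pending[0]).total_seconds())
                pending = None
    return {
        "findings": findings,
        "lag_seconds": lags,
        "pending_serial": pending[1] if pending else None,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, "kalam.com.sa", ["212.119.92.5"], ["212.119.93.5"])
    for finding in report["findings"]:
        print(finding)
    print("notify-to-transfer lag (s):", report["lag_seconds"])
```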
Re: Zones-unable-update
On Mon, Jan 6, 2020 at 2:03 PM MEjaz wrote:
> Thank you for your email.
>
> I am not cutting any logs, I am capturing only for that particular zone
> which I have chosen for the test, as I can't do the test on live zones.
>
> This time I have noticed "denied" in my slave server logs as below, this is
> something very strange sometimes zone transferred perfect after two hours.
>
> However this time I need to wait and see whether this zone would transfer
> after few hours as seen before.
>
> Jan 6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
> Jan 6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

Well, fix that. Something is causing the transfer to fail. Are 212.119.92.5 and 212.119.93.5 both allowed to transfer data (e.g. allow-transfer configuration)?

> [root@ns2 ~]# dig soa kalam.com.sa @ns1.cyberia.net.sa axfr, "with this I
> can fetch all the correct update records"

Did you run this on both 212.119.92.5 and 212.119.93.5?

> Thanks in advance for your assistance. Do you think that should I take a look
> from our network side for the MTU size??

It's somewhat harder to check for temporary errors. The easiest way, since you say that this is a "test", is to replicate (i.e. same OS/distro, software versions, configs) your setup on test VMs (or servers, if you have that), on the same network (e.g. VMs with private network 10.x.x.x is fine), and see if it always works there. If yes, then most likely the problem is somewhere in your network (e.g. firewall). If no, then the problem is somewhere in your bind configuration.

--
Fajar
Re: Zones-unable-update
On Thu, Jan 2, 2020 at 7:58 PM MEjaz wrote:
> Hello all.
>
> My setup which has one primary and slave server was working fine since years.
>
> All of a sudden I started getting the problem of zones updates on slaves,
> which are not happening on time. It takes two hours to take the updates.
>
> Below logs for the reference, when I do required changes on masters, the
> slave getting notified but without transferring the updated zone.
>
> Jan 2 09:17:50 ns2 named[25563]: zone kalam.com.sa/IN: notify from 212.119.92.5#34424: serial 2019434243
> Jan 2 09:24:45 ns2 named[25563]: zone kalam.com.sa/IN: notify from 212.119.92.5#54651: serial 2019434245: refresh in progress, refresh check queued
> Jan 2 11:12:53 ns2 named[25563]: zone kalam.com.sa/IN: Transfer started.
> Jan 2 11:12:53 ns2 named[25563]: zone kalam.com.sa/IN: transferred serial 2019434245

Are you cutting out some logs? If yes, please include all logs for the zone (kalam.com.sa) and the master (212.119.92.5).

> Therefore, I wanted to know. How to force secondary/slave Name server to
> update/refresh dns zones from primary DNS server? Just I want a slave name
> server to initiate a zone transfer immediately

From https://kb.isc.org/docs/aa-00726:

    notify from 192.0.2.1#62160: refresh in progress, refresh check queued

    A notify was received, but the zone being notified was already in the process of being refreshed or is waiting to be refreshed, so the check is queued and will be processed later.

You can try:
- check your logs for what previously triggered the refresh process (another notify?), and when did it happen
- check your logs on WHY the previous transfer took a long time (and check what the log means on the KB). e.g. does it show "connection reset"? something else?
- are there lots of other slaves or zones currently transferring data from the master at the same time?
- test whether you can manually request all records. Something like running this on the slave: "dig kalam.com.sa @ns1.cyberia.net.sa axfr"

Some possible problems which come to mind:
- there's something in the middle (e.g. IPS) that's sending TCP resets, that might cause your transfers to fail
- TCP MTU or similar problems

--
Fajar
Re: bind-9.11.0-P2 on Debian 9.0 (stretch)
On Fri, Jan 27, 2017 at 7:20 PM, Wolfgang Riedel wrote:
> Just wonder if there is some agreed guidance on what steps I SHOULD take
> to get bind-9.11.0-P2 successfully built on Debian 9.0?

The generic recommendation on debian would probably be 'use whatever the distro comes with, as they maintain security fixes for those as well'. Debian's bind9 package uses native-pkcs11 with libsofthsm2.so, but I haven't been able to get this to work with bind-9.11.0-P2.

If you 'just want to build bind-9.11.0-P2', debian stretch has libssl1.0-dev. Install that, then bind's simple ./configure (plus --prefix=/opt/bind9, if you want) should be able to pick it up correctly.

--
Fajar
Re: Is there any reverse proxy software for dns or udp?
On Fri, Jan 30, 2015 at 9:07 AM, WXR 474745...@qq.com wrote:
> Is there any reverse proxy software for dns, which can do load balance, cache for dns service, just like squid for http service?

What functionality do you need that can't be provided by bind? e.g. https://www.safaribooksonline.com/library/view/dns-bind/0596004109/ch07s04.html

From that example, ns1.foo.example (192.168.0.1, the master) is your real server (in http service, the one that gets proxied) while the slaves (e.g. ns2.foo.example and ns.isp.net, the ones that are listed on your registrar as nameservers for foo.example) run the equivalent of squid in http service.

Load-balancing the slaves should happen automatically due to the way that DNS works, while load-balancing the master should not even be necessary due to the fact that it is rarely used (e.g. when configured correctly, the slaves can run just fine even when the master is down for several hours).

--
Fajar
Re: Digging to the final IP
What are you using this for? If it's part of a script, it might be easier to just use gethostbyname. For example, in php: http://php.net/manual/en/function.gethostbyname.php

    Returns the IPv4 address or a string containing the unmodified hostname on failure.

--
Fajar

On Mon, Oct 20, 2014 at 10:43 AM, Frank Bulk frnk...@iname.com wrote:
> Thanks, what I ended up using. Didn't think that there was anything host could do that dig couldn't do.
>
> Frank
>
> -----Original Message-----
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry Margolin
> Sent: Sunday, October 19, 2014 5:00 AM
> To: comp-protocols-dns-b...@isc.org
> Subject: Re: Digging to the final IP
>
> In article mailman.1097.1413711142.26362.bind-us...@lists.isc.org, Sten Carlsen st...@s-carlsen.dk wrote:
>
>> Would host be closer to what you want? Host also tells you about aliases it encounters along the way.
>>
>> --
>> Best regards
>> Sten Carlsen
>> No improvements come from shouting: MALE BOVINE MANURE!!!
>>
>> On 19 Oct 2014, at 08:05, Karl Auer ka...@biplane.com.au wrote:
>>
>>> On Sun, 2014-10-19 at 00:26 -0500, Frank Bulk wrote:
>>>> Is there a dig option that will list out the final (IPs) or query result?? By default, even with +short, it can list intermediate CNAME(s) and not what IP(s) that CNAME may have.
>>>
>>> Not great, but might be enough to be helpful:
>>>
>>>     dig +nonssearch $1 | egrep -i "STATUS|^$1"
>>>
>>> Regards, K.
>>>
>>> --
>>> ~~~
>>> Karl Auer (ka...@biplane.com.au)
>>> http://www.biplane.com.au/kauer
>>> http://twitter.com/kauer389
>>> GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
>>> Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
>
> --
> Barry Margolin
> Arlington, MA
Re: Value of memory
On Thu, Aug 7, 2014 at 10:39 AM, Robert Moskowitz r...@htt-consult.com wrote:
> I have a server that is only running bind 9.8.2 (Centos 6.5). It has 2Gb memory and free reports ~1.7Gb used.
>
> I am looking at replacing this server with an armv7 board running Redsleeve (until Centos 7 is out and stable for armv7). I have a choice of boards, one with 1Gb memory ($60) and one with 2Gb memory ($90).
>
> This server serves out my zones and supports the couple of handfuls of systems on my net. I would like to eventually get to DNSSEC, but that is another stalled project.
>
> About the only meaningful difference between the two boards (btw, Cubieboard2 and Cubietruck) for my needs is the memory. I know more memory is better, but how much better?
>
> Oh, why the move to arm? Power consumption. ROI for the C2 board is one year just on power saving.

It depends on how much load your server currently handles, and how your cache is configured.

I'd start with looking at your server load. Arm still has lower per-core performance compared to x86, so if you currently see high CPU utilization by named, I'd stick with x86.

Next see how your memory cache is configured. That should be where bind uses most memory. AFAIK by default max-cache-size is unlimited and max-cache-ttl is set to several days. See how much memory bind currently uses for cache, and then you can try configuring those two parameters (e.g. set an explicit max-cache-size to 512MB) and see how much memory bind (and the rest of the OS) uses then, and how well it performs. If it's still acceptable, then you can probably go with the 1GB board.

Cache can reduce the number of queries issued upstream and is very important on busy servers, but if you serve a relatively low number of queries from your clients then you won't see much difference between (e.g.) 512MB and 1GB cache.

--
Fajar
Re: Does bind read /etc/hosts?
On Wed, Jul 16, 2014 at 9:55 AM, Mark Andrews ma...@isc.org wrote:
> In message 53c5e714.5080...@thelounge.net, Reindl Harald writes:
>>> Can the LDNS return 10.10.10.1 defined in the /etc/hosts to the client? maybe some special configuration in named can support this feature
>>
>> wrong tool - dnsmasq can but on the other hand has no bind-like zonefiles
>
> Neither dnsmasq nor named read /etc/hosts.

From dnsmasq man page:

    ... It loads the contents of /etc/hosts so that local hostnames which do not appear in the global DNS can be resolved and also answers DNS queries for DHCP configured hosts

So dnsmasq does read /etc/hosts. Or did you mean something else?

--
Fajar
Re: AIX and 9.9.5 compiling
On Fri, May 9, 2014 at 5:36 PM, Tony Finch d...@dotat.at wrote:
> Edward DeLargy eddela...@gmail.com wrote:
>> I just want to verify that 9.9.5 can be compiled in AIX
>
> The README says:
>
>     Building BIND 9 currently requires a UNIX system with an ANSI C compiler, basic POSIX support, and a 64 bit integer type.
>
>     We've had successful builds and tests on the following systems:
>     ...
>     Fedora Core 6
>     ...
>     Ubuntu 7.04, 7.10

Wow. Fedora core 6 and Ubuntu 7.04? I wonder if anybody is actually still using those. Makes you wonder just how often the README was updated :)

--
Fajar
Re: Caching server - named process is limit at 500MB
On Wed, Apr 17, 2013 at 9:46 AM, Chu Ha Khanh khanh@svtech.com.vn wrote:
> Hi,
>
> Here is my output from command. It looks like my bind version is actually 32 bit. But there are some default applications also 32 bit although all are installed on a 64 bit OS. I have to check this for a moment.

Correct. If you want to blame someone, blame Oracle. I assume you HAVE some kind of support contract for Solaris, since it's free for development purposes only, and other uses require a support subscription. If you do, you might be able to open a support ticket and get them to explain in detail why they made that choice.

Short version is Solaris uses and compiles 32bit programs by default. In the past I've forced some programs to compile as 64bit by using something like

    export CFLAGS=-m64
    ./configure ...

Since you wrote you can't compile it with sun studio, try gcc with that flag.

--
Fajar
Re: limiting number of requests of a single hosts
On Fri, Jun 15, 2012 at 9:37 PM, Holemans Wim wim.holem...@ua.ac.be wrote:
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen
> Network Services University of Antwerp
>
> One of the problems is that these firewalls are going to be replaced soon and we don't want to spend too much effort in trying to fix what seems an annoying side-effect of something caused by a DNS system.

You DO realize that DNS is (mostly) UDP packets, and an attacker (or in your case, the ADs) can simply send UDP packet floods to kill your firewall (in your current state), regardless of how your DNS server is configured, even when the DNS server is down?

--
Fajar
Re: a domain can ns of itself?
On Thu, Mar 29, 2012 at 6:33 AM, Mohsen Pahlevanzadeh moh...@pahlevanzadeh.org wrote:
> pahlevanzadeh.info. 14400 IN NS shared.pahlevanzadeh.info.
>
> Is it Possible?

Yes. Google does it

$ dig google.com ns

; <<>> DiG 9.8.1-P1 <<>> google.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62917
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      NS

;; ANSWER SECTION:
google.com.             86399   IN      NS      ns4.google.com.
google.com.             86399   IN      NS      ns2.google.com.
google.com.             86399   IN      NS      ns1.google.com.
google.com.             86399   IN      NS      ns3.google.com.

;; Query time: 150 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Mar 29 06:42:55 2012
;; MSG SIZE  rcvd: 100

To do so, you must add glue records in your registrar. Different registrars might have different ways to do so. Example for godaddy: http://www.ehow.com/how_8116690_add-glue-records-godaddy.html

--
Fajar
Re: huge count of DNS deny hits
On Wed, Jan 11, 2012 at 1:27 PM, babu dheen babudh...@yahoo.co.in wrote:
> Dear Fajar,
>
> Below logs taken from Internal DNS server running in Microsoft DNS.

Then why did you ask this list instead of contacting MS support?

> I checked with client AV status, everything is fine (system is up to date with DAT from Mcafee AV and no threat found in the complete scan output). But really no idea.. why it happens.. Client is pointed to use different DNS server but DNS flood query is being sent to another DNS server

AV doesn't catch all threats.

Anyway, from bind's perspective, a dns query asking for bind version is a valid TXT query. But the query can be used by malware, vulnerability scanners, or hackers looking for vulnerable bind versions. In a way, it's similar to ICMP echo (i.e. ping) packets. It's a valid packet, but a lot of virus/malware is using it to determine which neighbour hosts to attack. How do you handle ICMP flood cases? The same mechanism should be applicable in this case.

--
Fajar
Re: huge count of DNS deny hits
On Wed, Jan 11, 2012 at 12:11 PM, babu dheen babudh...@yahoo.co.in wrote:
> Hi,
>
> I enabled the logs in DNS server and i found below lines from this client continuously..
>
> 1/10/2012 9:14:30 AM 0FDC PACKET 05B489B0 UDP Snd Client IP 1f23 Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET 07342360 UDP Rcv Client IP c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET 07342360 UDP Snd Client IP c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
> 1/10/2012 9:14:30 AM 0FDC PACKET 04D728F0 UDP Rcv Client IP a96a Q [0005 A D NOERROR] TXT (7)version(4)bind(0)

What log is this? AFAIK BIND log does not look like this. Is this firewall log?

> Is it something to do with Multicast DNS.

... and how did you determine that? wild guess?

> Can you give me more details about Multicast DNS

Try google, although I don't think that's your problem. It might simply be the case that the client is infected with virus/malware which targets a vulnerability in certain versions of bind, so it'd make sense that it first sends out a DNS query that asks for bind version number (e.g. http://www.brandonhutchinson.com/Determining_hiding_BIND_version_number.html)

Some things you might be able to do:
- setup a firewall rule that can ratelimit udp packets from any client (e.g. iptables can do this)
- make sure your bind version is up-to-date (well, it's true for any other software)
- configure named.conf not to show its version (use Google or bind manual to find out how)

With those three steps in place, it shouldn't matter what queries the client does, as the system will either ignore it, reply with useless information, or automatically block it. However, if it still causes problems (e.g. lots of UDP traffic eats up your bandwidth), then simply block the client manually.

--
Fajar
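An added example, not from the thread, showing how one would count the version.bind probes in that Microsoft DNS debug log per client before writing the rate-limit or block rule suggested above. The log lines are constructed in the format quoted above, with the poster's redacted client address replaced by the documentation addresses 192.0.2.10 and 192.0.2.20.

```python
import re
from collections import Counter

# Constructed sample in the format of the Microsoft DNS debug log quoted above.
# The poster's client address was redacted ("Client IP"); the documentation
# addresses 192.0.2.10 and 192.0.2.20 stand in for it here.
SAMPLE_LOG = """\
1/10/2012 9:14:30 AM 0FDC PACKET 07342360 UDP Rcv 192.0.2.10 c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET 07342360 UDP Snd 192.0.2.10 c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET 04D728F0 UDP Rcv 192.0.2.10 a96a Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:31 AM 0FDC PACKET 04D728F0 UDP Rcv 192.0.2.10 1f23 Q [0005 A D NOERROR] TXT (8)hostname(4)bind(0)
1/10/2012 9:14:31 AM 0FDC PACKET 05B489B0 UDP Rcv 192.0.2.20 0a1b Q [0001 D NOERROR] A (3)www(7)example(3)com(0)
"""

# Fields: date time threadid PACKET pktid proto Snd|Rcv remote-ip xid Q|R [flags] qtype qname
LINE_RE = re.compile(
    r"^(?P<date>\S+\s+\S+\s+[AP]M)\s+\S+\s+PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Snd|Rcv)\s+(?P<ip>[\d.]+)\s+\S+\s+(?P<qr>[QR])\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

# Names that only reveal what software the server runs (CH TXT probes).
PROBE_NAMES = {"version.bind", "hostname.bind", "id.server", "version.server"}


def decode_name(wire):
    """Turn the log's length-prefixed form, (7)version(4)bind(0), into 'version.bind'."""
    labels = []
    for length, text in re.findall(r"\((\d+)\)([^(]*)", wire):
        if int(length) == 0:
            break  # root label ends the name
        if len(text) != int(length):
            raise ValueError(f"label length mismatch in {wire!r}")
        labels.append(text)
    return ".".join(labels)


def find_version_probes(log_text, threshold=3):
    """Count received queries per client for server-identity names and return the
    clients at or above `threshold`: the input for a rate-limit or block rule."""
    per_client = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Only inbound queries count; Snd lines are our own traffic.
        if not m or m["dir"] != "Rcv" or m["qr"] != "Q":
            continue
        if decode_name(m["qname"]).lower() in PROBE_NAMES:
            per_client[m["ip"]] += 1
    return {ip: n for ip, n in per_client.items() if n >= threshold}


if __name__ == "__main__":
    for ip, count in find_version_probes(SAMPLE_LOG, threshold=3).items():
        print(f"{ip}: {count} identity probes, candidate for rate limiting")
```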
Re: huge count of DNS deny hits
On Mon, Jan 9, 2012 at 1:37 PM, babu dheen babudh...@yahoo.co.in wrote:
> Unfortunately, i have not enabled logs in my internal DNS server.

You just dismissed the only reliable source of information

> Any idea ..

Without logs, you only have assumptions. The best assumption at this point is that the client probably has a virus/malware, whose activity (one of them anyway) is to look for vulnerable DNS servers.

--
Fajar
Re: register .org NS in root?
On Mon, Jan 2, 2012 at 10:58 AM, DNSbed.com supp...@dnsbedhosting.com wrote:
> Hi,
>
> I just noticed namecheap's NS servers are five .org hostnames:
>
> namecheap.com. 86400 IN NS ns3.mydyndns.org.
> namecheap.com. 86400 IN NS ns2.mydyndns.org.
> namecheap.com. 86400 IN NS ns1.mydyndns.org.
> namecheap.com. 86400 IN NS ns4.mydyndns.org.
> namecheap.com. 86400 IN NS ns5.mydyndns.org.
>
> .org is not served by the com/net NS servers group. So I want to know how they register ns1-5.mydyndns.org into the root's NS servers?

They don't. The easy way to add NS for your zone is to use NS servers on another zone. For example:

    namecheap.com -> NS = ns*.mydyndns.org
    mydyndns.org -> NS = ns*.dynamicnetworkservices.net.

> I ask this because, for example, I have the domain nsbeta.info. (info and org are served by the same NS servers group) I registered two NS records of dwdns1.nsbeta.info and dwdns2.nsbeta.info in org's NS servers. nsbeta.info itself is resolved by these two NS servers. But when I tried to setup a .net/.com domain to use these two NS, it can't setup, says NS is not registered.

You need to add glue records. For example, here's the instruction for godaddy: http://www.ehow.com/how_8116690_add-glue-records-godaddy.html

--
Fajar
Re: register .org NS in root?
On Mon, Jan 2, 2012 at 12:35 PM, DNSbed.com supp...@dnsbedhosting.com wrote:
> Well, say I want to setup the domain mydots.net to use these two NS:
>
> dwdns1.nsbeta.info
> dwdns2.nsbeta.info
>
> How can I setup the glue in Godaddy?

Glue records are only needed if the ns is on the same domain. e.g. nsbeta.info -> NS = dwdns1.nsbeta.info.

If you want another domain (e.g. mydots.net) to use dwdns1.nsbeta.info. as NS, you should be able to just add it. domain manager -> select domain name -> set nameservers -> I have specific nameservers for my domains.

Anyway, since this is not a BIND issue, you should contact godaddy support if you still have problems.

--
Fajar
Re: Re: .TLD minimum number of nameservers rule
On Tue, Dec 13, 2011 at 3:53 PM, nudge...@fastmail.fm wrote:
>>> For instance, would this be a problem when implementing a wide area bonjour subdomain using my own local dns server for clients that are mobile (internal/external) ?
>>
>> Bonjour should work even without a DNS server.
>
> Reminds me of Cool Hand Luke: what we have here is a failure to communicate :

Seems that way. I'm not very familiar with bonjour :) Apologies for any incorrect suggestion on my part.

>> You could always create your own DNS server if you REALLY need those record types :) The cheapest VPS is about $15/year, which should be more than enough for a secondary DNS server.
>
> I'm running Bind 9.6 and dnsextd (llq and tsig handling). I have split DNS views based on source ip address and possession of a tsig key: internal-trusted/external-trusted/internal-visitor/external-visitor. The DNS server and clients are all mac 10.6+ so I'm taking advantage of mDNSResponder features such as looking in the system keychain for the tsig keys. I have a WAB subdomain for dns-sd, etc. I've had to replace dnsextd with an older version, since current macosx versions are dead.
>
> I wondered if the limited access to DNS records at the top level of my domain would be a problem.

It would if you setup WAB directly on that domain, as it seems that WAB requires PTR records.

> My first thought was to take over the DNS for this domain but rfc882 saying a domain must have at least 2 nameservers rules that out. Frankly, I probably don't understand enough about how glue records function...

The easiest way seems to be just create a subdomain. So if your main domain is abc.dom, you can have an NS entry on that domain for the subdomain office.abc.com pointing to your public IP address. After that, just setup everything (PTR records, etc) inside that subdomain.

Another option would be to just rent a VPS for your secondary nameserver.

--
Fajar
Re: Re: .TLD minimum number of nameservers rule
On Tue, Dec 13, 2011 at 6:20 AM, nudge...@fastmail.fm wrote:
> Thanks all.
>
> Chris, Anand that's very useful to know, sorry Jeff and Philippe, your interesting suggestions won't work in this case.
>
> If I attack the problem from the other way down instead, the fact my current registrar doesn't allow me to add PTR or DNAME records to my top level domain limits what exactly ?

What IS the problem, exactly? You're describing two things that don't seem to be related: number of NS for a zone, and PTR/DNAME records.

If you don't own an IP address, then usually you don't need to bother about PTR records at all. If you need to change the PTR record for an IP address that you use (e.g. VPS, colo, home connection, etc) you usually need to ask your ISP to update/change it.

DNAME creates an alias for one or more subdomains of a domain. Chances are you won't need it for common uses.

> For instance, would this be a problem when implementing a wide area bonjour subdomain using my own local dns server for clients that are mobile (internal/external) ?

Bonjour should work even without a DNS server.

> I'm only allowed to add A NS MX CNAME TXT and SRV records via the web interface

... because those are the ones mostly used.

> of my registrar and I imagined that I'd need PTRs or a DNAME or some other glue frustratingly unavailable. Having heard your response to my original question, I'm now desperately wishing that I got that wrong...

You could always create your own DNS server if you REALLY need those record types :) The cheapest VPS is about $15/year, which should be more than enough for a secondary DNS server.

--
Fajar
Re: reverse delegation from Telco
On Fri, Nov 4, 2011 at 1:11 PM, Jim Pazarena b...@paz.bz wrote:
> but that non-auth kinda bugs me, because for my 'full' /24 subnets, that never happens. And it's delegated from the same Telco (Telus)

That's because full /24 subnets can be delegated easily using subdomains, while a /28 needs classless delegation (http://www.ietf.org/rfc/rfc2317.txt), which requires the use of CNAMEs. As Chris said, your nameserver is NOT authoritative for the PTR record (85.147.34.207.in-addr.arpa, which is a CNAME to 85.80-95.147.34.207.in-addr.arpa), but it IS authorized for the PTR record 85.80-95.147.34.207.in-addr.arpa.

--
Fajar
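To make the RFC 2317 setup concrete, an added example (not from the thread) that generates the parent-zone records for a /28 and shows which zone answers which name, i.e. why the customer's server is non-authoritative for 85.147.34.207.in-addr.arpa but authoritative for its CNAME target. The block 207.34.147.80/28 follows from the names quoted above; ns1.example.net is a placeholder for the customer's server.

```python
import ipaddress


def rfc2317_delegation(cidr, child_ns):
    """Build the parent-zone side of an RFC 2317 classless in-addr.arpa delegation.

    Returns (records, child_zone): the NS and CNAME lines the provider puts in
    its /24 reverse zone, and the child zone name the customer's server must
    serve. The customer's actual PTR records live under child_zone."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 25 <= net.prefixlen <= 32:
        raise ValueError("RFC 2317 covers IPv4 blocks smaller than a /24")
    first = int(net.network_address) & 0xFF
    last = int(net.broadcast_address) & 0xFF
    o1, o2, o3, _ = str(net.network_address).split(".")
    parent_zone = f"{o3}.{o2}.{o1}.in-addr.arpa"
    child_zone = f"{first}-{last}.{parent_zone}"
    records = [f"{child_zone}. IN NS {ns}" for ns in child_ns]
    for host in range(first, last + 1):
        # One CNAME per address redirects the PTR lookup into the customer's zone.
        records.append(f"{host}.{parent_zone}. IN CNAME {host}.{child_zone}.")
    return records, child_zone


def authoritative_zone(qname, zones):
    """Longest-suffix match: which of `zones` owns qname (None if none does)."""
    q = qname.rstrip(".").lower()
    best = None
    for z in zones:
        zz = z.rstrip(".").lower()
        if (q == zz or q.endswith("." + zz)) and (best is None or len(zz) > len(best)):
            best = zz
    return best


if __name__ == "__main__":
    # ns1.example.net is a placeholder for the customer's nameserver.
    records, child = rfc2317_delegation("207.34.147.80/28", ["ns1.example.net."])
    print("\n".join(records))
    # The Telco owns the /24 zone; the customer owns only the child zone.
    zones = ["147.34.207.in-addr.arpa", child]
    for name in ("85.147.34.207.in-addr.arpa", "85." + child):
        print(f"{name} is answered by zone {authoritative_zone(name, zones)}")
```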
Re: host versus nslookup
On Thu, Oct 13, 2011 at 1:05 PM, listmail listm...@entertech.com wrote:
> On Thu, 13 Oct 2011 03:33:30 +0700, Fajar A. Nugraha wrote
>> If you're concerned about what address programs get when they resolve host names, then getent is a better choice as it also respects nsswitch.conf and hosts file.
>
> According to the (almost useless) manpage for getent,

Yes, it can be improved :)

> all it does is lookups in local files, not name resolution. I can see how this would be useful if you were not using DNS, but

If your purpose is to diagnose "can the DNS server used as resolver for my server resolve a particular FQDN", then either host or nslookup will usually suffice, with dig giving more detailed output.

However, if your concern is "can my program find the IP address for a particular FQDN", then getent will give more accurate info as it also takes into consideration the content of nsswitch.conf and the sources listed in that file. So getent might search local files, DNS, NIS, or whatever source is listed for the hosts database in nsswitch.conf.

> What am I missing here?

From the man page:

    The getent program gathers entries from the specified administrative database using the specified search keys. Where database is one of passwd, group, hosts, services, protocols, or networks.

In this particular case we're only interested in hosts.

I found a more detailed explanation in a Solaris reference, which basically says getent asks the database sources in the order specified in /etc/nsswitch.conf. So for example if your /etc/nsswitch.conf has something like this:

    hosts: files dns

and your /etc/hosts has this entry

    111.90.255.252 archive.ubuntu.com

then getent and host will give different results for archive.ubuntu.com, since getent will search /etc/hosts first.

$ host archive.ubuntu.com
archive.ubuntu.com has address 91.189.92.180
archive.ubuntu.com has address 91.189.92.181
archive.ubuntu.com has address 91.189.92.182
archive.ubuntu.com has address 91.189.92.183
archive.ubuntu.com has address 91.189.92.184
archive.ubuntu.com has address 91.189.92.188
archive.ubuntu.com has address 91.189.92.190
archive.ubuntu.com has address 91.189.92.169
archive.ubuntu.com has address 91.189.92.170
archive.ubuntu.com has address 91.189.92.171
archive.ubuntu.com has address 91.189.92.176
archive.ubuntu.com has address 91.189.92.177
archive.ubuntu.com has address 91.189.92.179
$ getent hosts archive.ubuntu.com
111.90.255.252 archive.ubuntu.com

On the other hand both will give the same result for google.com (which is not in /etc/hosts)

www.google.com is an alias for www.l.google.com.
www.l.google.com has address 209.85.175.99
www.l.google.com has address 209.85.175.104
www.l.google.com has address 209.85.175.105
www.l.google.com has address 209.85.175.103
www.l.google.com has address 209.85.175.106
www.l.google.com has address 209.85.175.147
$ getent hosts www.google.com
209.85.175.99 www.l.google.com www.google.com
209.85.175.104 www.l.google.com www.google.com
209.85.175.105 www.l.google.com www.google.com
209.85.175.103 www.l.google.com www.google.com
209.85.175.106 www.l.google.com www.google.com
209.85.175.147 www.l.google.com www.google.com

--
Fajar
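An added emulation (not from the thread) of the lookup order getent follows versus the DNS-only lookup that host does, using constructed nsswitch.conf and /etc/hosts contents that mirror the archive.ubuntu.com case above; the DNS answers are stand-in values, and the [NOTFOUND=return] handling goes a step beyond the thread's "files dns" example.

```python
# Constructed inputs mirroring the thread: nsswitch.conf consults files before
# dns, and /etc/hosts pins archive.ubuntu.com to a local mirror address.
NSSWITCH = "hosts: files dns\n"
HOSTS = """\
127.0.0.1       localhost
111.90.255.252  archive.ubuntu.com mirror
"""
# Stand-in for DNS answers (constructed values, not live lookups).
FAKE_DNS = {
    "archive.ubuntu.com": ["91.189.92.180", "91.189.92.181"],
    "www.google.com": ["209.85.175.99", "209.85.175.104"],
}


def hosts_sources(nsswitch_text):
    """Tokens after 'hosts:' in nsswitch.conf, e.g. ['files', 'dns']."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return []


def lookup_files(hosts_text, name):
    """The 'files' source: addresses of /etc/hosts lines whose name or aliases match."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            found.append(fields[0])
    return found


def host_like(name, dns):
    """host, nslookup and dig only ever ask DNS, whatever nsswitch.conf says."""
    return dns.get(name.lower(), [])


def getent_like(name, nsswitch_text, hosts_text, dns):
    """Emulate `getent hosts`: try sources in nsswitch order, return the first
    answer as (source, addresses), and honour a trailing [NOTFOUND=return]."""
    tokens = hosts_sources(nsswitch_text)
    i = 0
    while i < len(tokens):
        src = tokens[i].lower()
        i += 1
        if src == "files":
            result = lookup_files(hosts_text, name)
        elif src == "dns":
            result = dns.get(name.lower(), [])
        else:
            result = None  # nis, mdns4_minimal, ...: treated as unavailable here
        # Action brackets after a source, e.g. files [NOTFOUND=return] dns
        stop_on_notfound = False
        while i < len(tokens) and tokens[i].startswith("["):
            if tokens[i].strip("[]").upper() == "NOTFOUND=RETURN":
                stop_on_notfound = True
            i += 1
        if result:
            return src, result
        if result == [] and stop_on_notfound:
            return src, []
    return None, []


if __name__ == "__main__":
    for name in ("archive.ubuntu.com", "www.google.com"):
        print(name, "host ->", host_like(name, FAKE_DNS))
        print(name, "getent ->", getent_like(name, NSSWITCH, HOSTS, FAKE_DNS))
```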
Re: host versus nslookup
On Thu, Oct 13, 2011 at 3:23 AM, Sten Carlsen st...@s-carlsen.dk wrote:
>> Use dig. Always use dig.
> I don't quite agree, for debugging bind, use dig - for debugging lookup issues on some machine, host will behave more like any normal program, using resolv.conf and what else and can point to some issues dig will not discover. E.g. normal SW using something else than DNS, because of some setup. Dig will never catch this.

If you're concerned about what address programs get when they resolve host names, then getent is a better choice as it also respects nsswitch.conf and hosts file.

--
Fajar
Re: about the dig
On Tue, Jul 19, 2011 at 12:32 PM, Feng He short...@gmail.com wrote:
> Hi list,
> When I deleted all the entries in /etc/resolv.conf (I am using Linux), dig can't work. I was thinking since dig is a standard resolver,

What makes you think that? From the man page

  dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried.

> it should have the capability to follow the referral from root, thus it will work fine even if there is no system dns resolving.

A resolver software capable of recursive operation should work fine. dig's not it.

> Am I right?

Also from the man page:

  Unless it is told to query a specific name server, dig will try each of the servers listed in /etc/resolv.conf.

So something like

dig google.com @8.8.8.8

would work even without any entries in /etc/resolv.conf, but if you don't tell it to use a specific name server it won't work.

--
Fajar
Re: Client cannot resolve communities.intel.com
On Tue, Jul 5, 2011 at 10:29 AM, vr bind-u...@iotk.net wrote:
> Hello, I am trying to visit http://communities.intel.com using Iceweasel on a Debian desktop PC. No proxies. My client's /etc/resolv.conf points to my own Debian BIND 9.7.3 installed on a separate server and installed from distribution packages (bind9 1:9.7.3.dfsg-1~squeeze2). From myDesktop, NSLOOKUP fails but DIG shows a CNAME record. I see the same results from the BIND server so I've included just the output from myDesktop below. Also included below is my named.conf. Do I have something obvious in BIND screwed up?

Quite possibly so. And you use dig incorrectly too.

> me@myDesktop:~$ dig communities.intel.com ns.iotk.net

this should be

$ dig communities.intel.com @ns.iotk.net

> ;; ANSWER SECTION:
> communities.intel.com. 207 IN CNAME intel-2.hs.llnwd.net.

so it finds the cname ...

> ;; AUTHORITY SECTION:
> llnwd.net. 604800 IN SOA localhost. root.localhost. 2008071301 604800 86400 2419200 604800

... but your DNS has a broken record for llnwd.net. It should be

;; ANSWER SECTION:
llnwd.net. 3600 IN SOA dns11.llnwd.net. hostmaster.llnwd.net. 210 900 300 604800 300

> ;; QUESTION SECTION:
> ;ns.iotk.net. IN A

this part is irrelevant, it's the result of your incorrect dig syntax

> named.conf on 99.30.25.1

I can't see why the response for llnwd.net is incorrect. Try:
- rndc flush (or restart named)
- dig soa llnwd.net @99.30.25.1 (to retest your name server)
- dig soa llnwd.net @8.8.8.8 (to compare the result with google's public dns)
- dig soa llnwd.net +trace (to trace the delegation path)

it might show where the errors come from

--
Fajar
Re: better performance with 32 bit ! why?
On Wed, Jun 29, 2011 at 8:33 PM, iharrathi@orange-ftgroup.com wrote:
> on server1 (64 bit) i have 2 Intel E5310 quad-core 1.6Ghz and on server2 (32 bit) i have 2 Intel Xeon dual-core 2.33Ghz. means 8*1.6 Ghz on server1 and 4*2.33 on server2. 8*1.6 is better and faster than 4*2.33, no?

Sometimes I wonder if people REALLY read the replies sent to the list. If they don't read it, then why bother asking?

David has mentioned that "the reason your 32bit server is faster is because it has higher clock speed (2.33 GHz)". Elvin has also mentioned that "the 32 bit 2.33GHz CPU might actually win out purely based on the higher clock frequency".

Basically what they're saying is that for BIND, clock speed of a SINGLE core is more important than the TOTAL sum of all core speeds. So if you've read their responses you wouldn't say "8*1.6 is better and faster than 4*2.33". Cause the total doesn't matter in this case.

From my experience:
- clock speed of a SINGLE core matters. A lot.
- going from 2 cores to 4 cores gives about 50% improvement, but going from 4 to 8 cores doesn't give any significant improvement
- x86_64 simply kicks ass compared to power or sparc. If you're using BIND, stick with x86_64 and don't bother with other archs (which are more expensive and give lower performance. At least it was true at that time).
- 64 bit OS and userland gives the benefit of more addressable memory. In BIND's case, this means more memory for cache, which (depending on the type of load) can lead to higher performance (only if you configure it to use the memory for cache, of course).

--
Fajar
Re: What is DNS Tunneling
On Mon, Jun 20, 2011 at 1:56 PM, babu dheen babudh...@yahoo.co.in wrote:
> Hi, Can anyone explain what is DNS tunneling because i am seeing large number of DNS tunneling attack in IPS from one machine in the LAN.

Did you try Google? First entry is very informative: http://www.dnstunnel.de/

--
Fajar
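When an IPS reports "DNS tunneling" from one LAN host, the BIND query log is the place to confirm it: a tunnel shows up as one client sending many distinct, long, high-entropy names under a single domain, often as TXT/NULL/CNAME queries that carry more payload per answer. The script below is an added example, not code from the thread. Its log lines are constructed in the 2011-era BIND querylog format, and the thresholds (five queries, 20-character labels, 3.5 bits of entropy) are assumptions to tune against your own traffic.

```python
"""Flag DNS-tunnelling-like query patterns in a BIND query log.

Added example, not from the list thread. SAMPLE_LOG is constructed in the
BIND 9 'querylog' line format of the time; thresholds are assumptions.
"""
import math
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<type>\S+)"
)

# Constructed sample: ordinary traffic from 10.1.1.20 plus one host (10.1.1.77)
# pushing data through long random-looking labels under one domain via TXT.
SAMPLE_LOG = """\
13-Jun-2011 10:00:01.001 client 10.1.1.20#40000: query: www.example.com IN A + (10.1.1.1)
13-Jun-2011 10:00:01.050 client 10.1.1.20#40001: query: mail.example.com IN MX + (10.1.1.1)
13-Jun-2011 10:00:02.100 client 10.1.1.77#51000: query: 3q2b6m4hr9xk1nzv7jp0wyuf5s8egat.t.tun.example.net IN TXT + (10.1.1.1)
13-Jun-2011 10:00:02.110 client 10.1.1.77#51001: query: 9zp4kq7nx2wr8vb1tmy5cd0hg3jl6fa.t.tun.example.net IN TXT + (10.1.1.1)
13-Jun-2011 10:00:02.120 client 10.1.1.77#51002: query: vb6tfq1mz8xk3nc5pr9wy0jh2gd7sla.t.tun.example.net IN TXT + (10.1.1.1)
13-Jun-2011 10:00:02.130 client 10.1.1.77#51003: query: k7wq2nd9xz4mv1bp6cr8ty0hs3gj5fl.t.tun.example.net IN TXT + (10.1.1.1)
13-Jun-2011 10:00:02.140 client 10.1.1.77#51004: query: c4hx8lq1mv6nz9bp2wr7ty3ks0jg5fd.t.tun.example.net IN TXT + (10.1.1.1)
13-Jun-2011 10:00:03.000 client 10.1.1.20#40002: query: www.example.com IN A + (10.1.1.1)
"""

# Record types that carry the most payload per answer and are favoured by tunnels.
PAYLOAD_TYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s):
    """Bits per character; base32/base64-style payload scores around 4-5."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) per query line; non-query lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").rstrip(".").lower(), m.group("type")


def registered_domain(qname):
    """Crude 'last two labels' grouping; use a public-suffix list in production."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_tunnel_suspects(log_text, min_queries=5, min_label_len=20, min_entropy=3.5):
    """Return {(client, domain): stats} for pairs whose queries look like a tunnel."""
    stats = defaultdict(lambda: {"n": 0, "unique": set(), "payload": 0, "ent": 0.0, "len": 0})
    for ip, qname, qtype in parse_queries(log_text):
        s = stats[(ip, registered_domain(qname))]
        first = qname.split(".")[0]          # the label that carries encoded data
        s["n"] += 1
        s["unique"].add(qname)
        s["payload"] += qtype in PAYLOAD_TYPES
        s["ent"] += shannon_entropy(first)
        s["len"] += len(first)
    suspects = {}
    for key, s in stats.items():
        n = s["n"]
        avg_ent, avg_len = s["ent"] / n, s["len"] / n
        mostly_unique = len(s["unique"]) / n >= 0.8   # caches never help a tunnel
        if n >= min_queries and mostly_unique and avg_len >= min_label_len and avg_ent >= min_entropy:
            suspects[key] = {"queries": n, "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2), "payload_types": s["payload"]}
    return suspects


if __name__ == "__main__":
    for (ip, domain), info in find_tunnel_suspects(SAMPLE_LOG).items():
        print(f"{ip} -> {domain}: {info}")
```

Feed it a real query log (enable the queries category in named.conf first) and the tunnel host stands out while the web client, with its two short, repeated names, does not. The entropy and length heuristics also catch DGA-style names, so treat a hit as something to look at, not a verdict.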
Re: Help needed
On Tue, Jun 14, 2011 at 3:04 PM, Vignesh Gadiyar vcgadi...@gmail.com wrote:
> Hi, I am Vignesh from Bangalore and i was developing an application using Open source BIND wherein i needed to know where exactly, i mean from which function do we get the IP addresses looked up from the Domain names inputted, so as to perform the required functions on those ip addresses and return my result back to the client. i don't want to hack the name server as such. I just want to know where i will be able to get the results obtained from the name server as in from which function? Any sort of help will be appreciated.
> Regards, Vignesh.

What will you use BIND for? If it's just to resolve hostnames, most programming languages have gethostbyname() and gethostbyaddr() which should work even without having BIND explicitly installed.

--
Fajar
Re: Help needed
Please don't remove cc to the list

On Tue, Jun 14, 2011 at 5:27 PM, Vignesh Gadiyar vcgadi...@gmail.com wrote:
> BIND gives us the resolved IP addresses right before sending back the reply. I have a code which ranks those based on some parameters. I wanted to know where exactly in BIND should we add that code.
> Regards.

Now that you're giving more details, hopefully others will be able to help you.

--
Fajar

> On Tue, Jun 14, 2011 at 3:08 PM, Fajar A. Nugraha w...@fajar.net wrote:
>> On Tue, Jun 14, 2011 at 3:04 PM, Vignesh Gadiyar vcgadi...@gmail.com wrote:
>>> Hi, I am Vignesh from Bangalore and i was developing an application using Open source BIND wherein i needed to know where exactly, i mean from which function do we get the IP addresses looked up from the Domain names inputted, so as to perform the required functions on those ip addresses and return my result back to the client. i don't want to hack the name server as such. I just want to know where i will be able to get the results obtained from the name server as in from which function? Any sort of help will be appreciated.
>>> Regards, Vignesh.
>> What will you use BIND for? If it's just to resolve hostnames, most programming languages have gethostbyname() and gethostbyaddr() which should work even without having BIND explicitly installed.
Re: Hosting my company DNS server in Internet
On Mon, May 30, 2011 at 3:45 PM, babu dheen babudh...@yahoo.co.in wrote:
> Dear Olsen, thanks for the update. I can follow all the steps but i couldn't understand below two points
> - register/buy the domain name(s) if you haven't already done so.
> - tell your registrar to configure your parent domain so it'll delegate your domain to your nameservers

Have you EVER managed a domain before, whether hosted or not? If not, then I HIGHLY recommend you just use a hosting provider and have them manage both your website and DNS.

Back to your original question:

> My concern if i want to host my own website, do i need to pay to my ISP?

That depends. You obviously pay them for internet access. You MIGHT need to pay them if you also use other services, like
- buy your domain from your ISP
- use your ISP's name server for secondary name server
- use your ISP's MX
- use additional IP address for your website

> and please suggest me that if we want to host our parent domain (company.com) also in our own DNS server.

Again, it depends. If you know how to set it up, then no, you don't need to pay additional money to your ISP. But it could be YES, if you use some of their services (see above).

If you have no idea what I'm talking about, here's a somewhat simple checklist you can look at before you decide whether to run your own DNS/web server:
(1) Do you know which service you want to create? Is it a web server? Is it a mail server? Is it a DNS server? All of them?
(2) Do you know the difference between the services you're trying to create? What it does? Which software to use? etc.
(3) Do you know how they work? Can you setup a web server from scratch? Can you setup a DNS server from scratch? Do you know about DNS hierarchy? etc.
(4) Can you manage the servers/services? Do you know how to keep your system secure? Do you know how to update a web page or a DNS record? Do you need a HA setup? etc.

If the answer to any one of them is NO, then just use a hosting provider and have them manage both your website and DNS.

This list is about the DNS software BIND, not about creating your own website/DNS server. If you have a specific question about BIND, feel free to ask.

--
Fajar
Re: Operating system recommendation
On Mon, Mar 14, 2011 at 1:43 AM, Ben McGinnes b...@adversary.org wrote:
> On 12/03/11 12:30 AM, Lightner, Jeff wrote:
>> As the prior poster said RedHat still supports RHEL4 (7 years or more) and RHEL5 (4 years or more) and has now released RHEL6.
> Actually EOL for RHEL4 was announced last month, one more year and it's gone (not counting paying exorbitant sums for additional support):
> https://rhn.redhat.com/errata/RHSA-2011-0219.html

There's nothing really new in that announcement, as the end of the regular life cycle has been determined long ago.

In any case, back to the OP's original question, if he's concerned about "Debian is changing too soon their versions and only have support for 1 version" then RHEL/Centos is a good choice. Choosing RHEL6 will guarantee regular life cycle availability until 2017. If you don't have money to pay for support, you can download a 30-day RHEL trial, and either get support or switch to Centos later.

--
Fajar
Re: Operating system recommendation
On Thu, Mar 10, 2011 at 2:52 AM, pollex andres.vi...@gmail.com wrote:
> Hi, I want to know in your experience what is the best operating system to run bind for an ISP. We currently have Debian for the 5 Cache servers and for the 2 Authoritative servers. We have around 111851 successful queries in the cache servers and around 7267 zones created in the authoritative servers. We are doing a major re-analysis for all the architecture and Debian is changing too soon their versions and only have support for 1 version before so I don't know if this is the best option

If your main concern is OS support I suggest going with RHEL (or if you don't have money and just need updates, Centos). RHEL currently supports three versions of their OS: RHEL 4 - 6 as part of a 7-year regular life cycle (https://access.redhat.com/support/policy/updates/errata/).

If your concern is performance, then I say CPU arch matters more than OS. I've had much better performance with bind running on top of x86_64 compared to sparc or ppc.

--
Fajar
Re: Operating system recommendation
On Fri, Mar 11, 2011 at 9:55 AM, Dan d...@sunsaturn.com wrote:
> I think there are really 2 sides to this, whether you're after an OS easy to maintain, with great stability, or best performance. I think you'll fall in love with freebsd if you give it a try,

Try explaining that to managerial types who think "we will only use enterprise-class software, anything else is inferior". It took about ten years to get them to use RHEL/x86_64 as the default first choice (to get price-performance-manageability balance). Previously they'd rather use solaris on a 650-MHz ultrasparc-ii instead of Linux on 2GHz-Xeon (which kicked ultrasparc-ii's ass in both price and performance). The reasoning back then was simple: none of the local big guys (HP, IBM, etc.) offers support down to OS level when it comes to Linux. Even when the current support contract with Sun does not include OS support (it's pretty much "I feel safe cause they offer it, but I don't wanna buy it"). We had to show "our in-house team can manage by themselves even without the local big guys" and "you can always purchase additional support from the principal if you need to". After several hundred installations, they finally see that RHEL/x86_64 gets the job done (for most purposes anyway) with only a fraction of the cost.

... and they still reject using Ubuntu/Gentoo/*BSD/opensolaris/whatever-other-*nix-you-name-it until today :P

Since Pollex mentioned the need for support, IMHO RHEL/Centos is a good start.

> on the other hand if you're after as many queries per second for a machine as possible, I have had better experience using epoll on linux vs kqueue on freebsd, programming network applications with libevent.

That's another thing. I haven't found another *nix running on x86 that is able to reliably beat Linux performance-wise. (open)Solaris was once promising (they published some benchmark about how solaris is better than RHEL for running MySQL), but the current license/support model made it unattractive for running on non-Sun/Oracle hardware.

> Then you have to factor in if you plan on getting the latest hardware all the time, which linux tends to support much quicker. Factor I usually consider is how much more performance vs headache of linux administration. Also consider freebsd has native ZFS support making it easy to swap in/out drives quickly for any I/O bottlenecks, as well as much more configuration options for anything you install through a make config in ports directory.

I used Gentoo (comes with Portage, similar to BSD ports) in the past. While it's highly flexible, it becomes a hassle to compile the same thing several hundred times.

Native zfs support is very attractive, but for the moment we can substitute that by using (depending on circumstances):
- storage appliance (like NetApp)
- hw/sw raid + LVM
- btrfs
- zfs-fuse and zfsonlinux

> The last consideration should be your knowledge set of unix in general, if your linux understanding is really good, then it may be time to graduate from newbie linux admin to senior solaris/freebsd admin, only installing linux where necessary to make your life as easy as possible.

In my case it's the reverse direction :D Started with Tru64, then moved to Solaris and AIX, then found out Linux makes life easier while still being able to reuse *nix knowledge (LVM, clustering, journaling filesystem, etc). And then after being an experienced Linux sysadmin, you'll begin to see how those Unix-local-support guys used to do stupid things (like NOT using UFS journaling by default on Solaris, resulting in the need to fsck on every abnormal shutdown).

In the end, to each his own preference, I guess.

--
Fajar
Re: multi-master with mysql backend
On Mon, Feb 14, 2011 at 6:24 AM, Doug Barton do...@dougbarton.us wrote:
> On 2/13/2011 8:06 AM, fddi wrote:
>> I do not know why you really don't like this mysql solution.
> It isn't a matter of not liking it. Given that you have steadfastly refused to answer any of the questions from people who are trying to help you, my feeling is that you have decided that you want to use mysql no matter what, and you're not really interested in discussing A) What you're actually trying to accomplish, and B) What might be the best tool for doing that job.

All things considered, it might be that the best tool for that specific need is not bind at all, but something like mydns.

--
Fajar
Re: Bind hang out when named reach to 5-600 Mb
On Thu, Jul 8, 2010 at 4:30 PM, khanh rua duonghoahoc_k4...@yahoo.com wrote:
> Hi, I install bind as a cache server on Solaris 10, Sun Sparc T5140. It has a problem, bind always hangs when named reaches 5-600 Mb ('prstat' check).

How did you determine that it hangs? If you enable query log, you might be able to see if it's actually serving queries at that time. Also, how is the cpu and disk usage at that time (I'm trying to see if you have cpu or disk as bottleneck)?

My guess is that:
- one of your CPU threads is at 100% usage
- named is busy serving queries already, so that the new query you issued does not get processed in a timely manner.

> I have several servers and all have this problem even when i install bind in a zone or try with a 64bit version. T5140's a powerful server but bind can't make use of its power.

IMHO, it's not really a named-specific problem. The thing is Sun/Oracle T-series processors don't perform well with single thread loads. And (last time I checked anyway) even though bind can make use of multiple processors/threads, single thread performance still matters a lot. So you'd probably get much better performance when running named with say ... a generic x86 server/PC with Intel Xeon/Core i-series.

--
Fajar
Re: hosts or subnet number in delegation?
On Wed, Feb 24, 2010 at 2:01 PM, sasa sasa sasasa20...@yahoo.com wrote:
> Hello, for a 192.168.199.64/26 in zone file to delegate to a customer; should i put subnet number:
> 64/26 IN NS ns1.example.com.
> 64/26 IN NS ns2.example.com.
> or host ranges:
> 64-126 IN NS ns1.example.com.
> 64-126 IN NS ns2.example.com.

Doesn't really matter. With the former, the client needs to create a zone called 64/26.199.169.192.in-addr.arpa, while in the latter the zone would be 64-126.199.169.192.in-addr.arpa

See http://www.zytrax.com/books/dns/ch9/reverse.html for example.

--
Fajar
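The NS records in the question are only half of an RFC 2317 classless delegation: the parent /24 zone also needs one CNAME per address pointing into the sub-zone, otherwise a PTR lookup for 65.199.168.192.in-addr.arpa is answered by the parent and never reaches the customer. The script below is an added example, not code from the thread. It derives the reverse zone name from the prefix, accepts any sub-zone label (parent and child only have to agree on it, which is the point of the reply above), and ns1/ns2.example.com plus the customer hostnames are placeholders.

```python
"""RFC 2317 classless in-addr.arpa delegation for IPv4 prefixes longer than /24.

Added example, not from the list post. Zone names are derived from the
prefix; the sub-zone label is free-form because parent and child only have
to agree on it. Nameserver and host names below are placeholders.
"""
import ipaddress


def as_network(net):
    """Accept an ip_network or a CIDR string."""
    return net if isinstance(net, ipaddress.IPv4Network) else ipaddress.ip_network(net)


def reverse_zone(net):
    """in-addr.arpa name of the /24 that contains the prefix, e.g. 199.168.192.in-addr.arpa."""
    o = as_network(net).network_address.packed
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"


def cidr_label(net):
    """The '64/26' style label used in the RFC 2317 examples."""
    n = as_network(net)
    return f"{n.network_address.packed[3]}/{n.prefixlen}"


def child_zone_name(net, label):
    """The zone the customer's servers must serve, e.g. 64/26.199.168.192.in-addr.arpa."""
    return f"{label}.{reverse_zone(net)}"


def parent_zone_records(net, nameservers, label):
    """Lines for the parent /24 zone: NS for the sub-zone plus one CNAME per address.

    The CNAMEs are what actually hands each PTR lookup over to the customer's zone;
    without them the name '65' still lives in the parent and the NS records are never used."""
    n = as_network(net)
    if n.prefixlen <= 24:
        raise ValueError("RFC 2317 delegation applies to prefixes longer than /24")
    lines = [f"{label} IN NS {ns}" for ns in nameservers]
    for addr in n:  # every address in the block, network and broadcast included
        last = addr.packed[3]
        lines.append(f"{last} IN CNAME {last}.{label}")
    return lines


def child_zone_records(net, ptr_map):
    """PTR lines for the customer's sub-zone; ptr_map is {ip_string: fqdn_with_trailing_dot}."""
    n = as_network(net)
    lines = []
    for ip, fqdn in sorted(ptr_map.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        addr = ipaddress.ip_address(ip)
        if addr not in n:
            raise ValueError(f"{ip} is outside {n}")
        lines.append(f"{addr.packed[3]} IN PTR {fqdn}")
    return lines


if __name__ == "__main__":
    net = "192.168.199.64/26"
    for label in (cidr_label(net), "64-126"):
        print("customer zone:", child_zone_name(net, label))
    print("\n".join(parent_zone_records(net, ["ns1.example.com.", "ns2.example.com."], cidr_label(net))[:5]))
    print("\n".join(child_zone_records(net, {"192.168.199.65": "gw.customer.example."})))
```

Whichever label you choose, hand the customer the exact zone name child_zone_name() prints and check the hand-off with "dig -x 192.168.199.65": the answer should show the CNAME into the sub-zone followed by the customer's PTR.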
Re: Building 9.6.1-P2 for 32-bit Redhat RHEL 5.4
On Sat, Nov 28, 2009 at 5:00 PM, Howard Wilkinson how...@cohtech.com wrote:
> At present I do not have a 32-bit build environment I can try to natively build this on, and was hoping that somebody could suggest how I can get round this problem in the build environment I am using.

A generic workaround that has worked for me so far is to create a 32bit chroot environment, plus (for some special cases) setarch. Easiest way to do that is by copying the entire filesystem from a freshly-installed 32bit OS.

--
Fajar
Re: File System Choice
2009/11/26 万善义 w...@114.com.cn:
> 500,000 domains, with the Ext3 file system, DNS service starts very slow and therefore requires several hours before it can work properly. For the bind file system choices, are there any suggestions/advice?

Are you sure it's a filesystem issue? ext3 has a feature, dir_index, which uses hashed b-trees to speed up lookups in large directories. It's activated by default (at least on RHEL and Ubuntu, should be the same on other modern distros). Try checking with "dumpe2fs -h" to make sure you have it.

Also, you could organize the zone files (manually) so that they spread over many directories instead of one.

--
Fajar
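Spreading half a million zone files over many directories is usually done by hashing the zone name into a couple of directory levels, and since the zone name then ends up in a filesystem path and a named.conf stanza, it must be validated as a hostname first (a customer-supplied name containing "/" or ".." must never reach either). The script below is an added example, not code from the thread; the zone root, the two-level hash depth and the "db.<zone>" file naming are assumptions.

```python
"""Shard zone files across hashed subdirectories and emit the matching named.conf stanza.

Added example, not from the list thread. The root directory, hash depth and
'db.<zone>' naming are assumptions; only the idea of spreading files over
many directories comes from the post.
"""
import hashlib
import posixpath
import re

# One or more DNS labels of letters, digits and hyphens (no leading/trailing
# hyphen, max 63 chars each, 253 total). Anything else is rejected before the
# name can reach a path or a config file.
ZONE_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def normalize_zone(name):
    """Lower-case, strip the trailing dot, and refuse anything that is not a hostname."""
    zone = name.strip().lower().rstrip(".")
    if not ZONE_RE.match(zone):
        raise ValueError(f"refusing zone name {name!r}")
    return zone


def shard_dirs(zone, depth=2):
    """Two-hex-char directory levels from a hash: with depth=2, ~N/65536 files per directory."""
    digest = hashlib.sha256(zone.encode("ascii")).hexdigest()
    return [digest[2 * i:2 * i + 2] for i in range(depth)]


def zone_file_path(name, root="/var/named/zones", depth=2):
    """Deterministic on-disk path for a zone; the same name always maps to the same file."""
    zone = normalize_zone(name)
    path = posixpath.join(root, *shard_dirs(zone, depth), f"db.{zone}")
    # Belt and braces: the validated name cannot contain '/' or '..', but verify
    # the result still lives under root before anyone opens it.
    if posixpath.commonpath([root, posixpath.normpath(path)]) != root:
        raise ValueError("path escaped the zone root")
    return path


def zone_stanza(name, root="/var/named/zones", depth=2):
    """named.conf zone clause pointing at the sharded file."""
    zone = normalize_zone(name)
    return f'zone "{zone}" {{ type master; file "{zone_file_path(zone, root, depth)}"; }};'


if __name__ == "__main__":
    for n in ("example.com", "Customer-Zone.example.net."):
        print(zone_stanza(n))
```

Generating the zone clauses from the same function that places the files keeps the two in sync when you migrate an existing flat directory; run normalize_zone() over the current zone list first to find names that would be rejected.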
Re: Bind-9.6 and Heavy Cpu Load
On Sat, Sep 26, 2009 at 5:43 PM, Bind b...@dci.ir wrote:
> Hello
> I have SunFire V880 (2 cpu + 4G Ram) and installed bind 9.6.1-P1 on solaris 10. but my cpu load is very high! (above 90% during the peak time)
>
> bash-3.00# prstat -a
>    PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
>    562 root     2517M 2498M cpu0     0    0 1503:30:2  95% named/5
>   2394 root     3808K 3168K cpu2    59    0   0:00:00 0.9% prstat/1
>
> here is some related information:
> rndc status
> recursive clients: 841/9900/1
> My input traffic which shown by MRTG is about 2.5 Mbps received requests (udp 53) and is normal in our network behavior during the peak time.
> my question is: does this high cpu load relate to input requests and is normal or does it relate to something else?

Can you get the number of requests per sec? I think you can get that from the output of two "rndc stats". On modern hardware it should be able to handle several thousand reqs per sec easily.

Also, does named only use cpu0? It should be able to use all available cpus. If not, you should be able to force it using -n.

For comparison purposes, you might want to try using an x86 server for DNS server and see the results. From my experience it's a lot cheaper and more powerful (compared to sparc or ppc) when used with bind. YMMV though.

--
Fajar
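Turning two "rndc stats" dumps into a queries-per-second figure is a small parsing job: the counters in named.stats are cumulative, each dump is appended to the file with an epoch timestamp in its header, so the rate is the delta of the QUERY counter divided by the delta of the timestamps. The script below is an added example, not code from the thread. Its two dumps are constructed in the BIND 9.6-style statistics-file layout ("+++ Statistics Dump +++ (epoch)" header, "++ Incoming Requests ++" section); real files carry more sections, which the parser simply ignores.

```python
"""Derive queries per second from two successive `rndc stats` dumps.

Added example, not from the list thread. DUMP_T0/DUMP_T1 are constructed in
the BIND 9.6-era named.stats layout; real dumps have more sections.
"""
import re

DUMP_T0 = """\
+++ Statistics Dump +++ (1253980000)
++ Incoming Requests ++
             1500000 QUERY
                 120 NOTIFY
++ Incoming Queries ++
             1200000 A
              300000 PTR
--- Statistics Dump --- (1253980000)
"""

DUMP_T1 = """\
+++ Statistics Dump +++ (1253980060)
++ Incoming Requests ++
             1662000 QUERY
                 121 NOTIFY
++ Incoming Queries ++
             1330000 A
              332000 PTR
--- Statistics Dump --- (1253980060)
"""

HEADER_RE = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)")
SECTION_RE = re.compile(r"^\+\+ (.+) \+\+$")
COUNTER_RE = re.compile(r"^\s*(\d+) (.+?)\s*$")


def parse_dump(text):
    """Return (epoch, {section: {counter: value}}) for the LAST dump in `text`.

    rndc stats appends to named.stats, so a file normally holds many dumps;
    every new header resets the accumulator so only the latest one survives."""
    epoch, sections, current = None, {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            epoch, sections, current = int(m.group(1)), {}, None
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current[m.group(2)] = int(m.group(1))
    if epoch is None:
        raise ValueError("no statistics dump header found")
    return epoch, sections


def rate(before, after, section="Incoming Requests", counter="QUERY"):
    """Counter delta per second between two dumps (counters are cumulative)."""
    t0, s0 = parse_dump(before)
    t1, s1 = parse_dump(after)
    if t1 <= t0:
        raise ValueError("second dump must be later than the first")
    delta = s1[section][counter] - s0[section][counter]
    if delta < 0:
        raise ValueError("counter went backwards (named restarted between dumps?)")
    return delta / (t1 - t0)


if __name__ == "__main__":
    print(f"{rate(DUMP_T0, DUMP_T1):.1f} queries/s overall")
    print(f"{rate(DUMP_T0, DUMP_T1, 'Incoming Queries', 'A'):.1f} A queries/s")
```

In practice run "rndc stats" twice a minute or so apart at peak, copy named.stats, and feed the two dumps to rate(); a negative delta means named restarted in between and the pair is useless.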
Re: Bind-9.6 and Heavy Cpu Load
On Sun, Sep 27, 2009 at 1:28 AM, Bind b...@dci.ir wrote:
> The number of requests is 2700 received pps and 2500 transmit pps. also i forced it to use both cpu`s (in the prstat -a command the STATE column shows named uses cpu0 then after a moment it changed to cpu2) but the heavy cpu load still exists.

Assuming:
- the numbers you gave are queries per second
- your v880 has 1.5GHz UltraSPARC III CPU (or similar)

and considering:
- BIND's atomic locking performs better on some platforms than others (my experience was on x86 vs ppc)
- query per second numbers on http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/376a455035df10c6

I'd say you're probably cpu bound and there's nothing much you can do about it. You already disabled logging, right?

This is just a rough estimate though, YMMV. If you have a 2 or 4-way x86 server you can try it and see if it performs better.

--
Fajar
Re: hardware requirements per hits
On Wed, Aug 19, 2009 at 12:47 AM, Subhan Malick mali...@illinois.edu wrote:
> On 8/17/09 10:15 PM, Fajar A. Nugraha wrote:
>> Here are some pointers from my experience though:
>> - syslog query logging is expensive. NEVER enable it. If you need to log client queries, log it directly to file instead.
> I would like to hear more about why this is so. We are currently debating sending query logs to a remote syslog server to enhance some security tools.

It depends on your requirement. In my case, sending the query log to syslog makes disk I/O the bottleneck. Not really sure why logging to file directly fixes this issue, perhaps syslog does a sync() for every line or something.

> We are running BIND 9.6.1-P1 with multithreading enabled on RHEL 4 (2 dual-core 2.8 GHz Opterons with 1MB cache, 4G of RAM). I have run some tests and while there is some queries/sec hit, the RTTs are not terrible.
> Queries per second: 2425.385916 qps

I got around 6000 qps on a similar test. Jinmei mentioned something about getting 24k qps on a 4-way Opteron.

Again, it depends on your requirement. If your load is low enough, you might be able to live with the performance penalty imposed by syslog.

--
Fajar
Re: hardware requirements per hits
On Mon, Aug 17, 2009 at 8:50 PM, Alansbatpowe...@yahoo.co.uk wrote:
> @Matus: let me put it in this way, if I want to create a budget for next year for example, then I should know what upgrades I need for next year (estimated needs), and let's assume dns queries increase monthly by x hits, now, if I know how many hits will make me upgrade cpu and memory then I can find out my cpu and memory needs for next year, hope this explains to you why my question is not useless, at least for me. I'll be happy if you tell me another way to know my needs for next year.

I'm assuming you already have a running DNS server? In that case I'd simply gather stats from it. What kind of hardware it currently has, how much is the current CPU and disk load, how many queries per second it currently serves, etc. Based on that you can have a rough estimate as to what you'd need to upgrade.

Here are some pointers from my experience though:
- syslog query logging is expensive. NEVER enable it. If you need to log client queries, log it directly to file instead.
- disk I/O can be a serious bottleneck. If that's the case consider disabling logging.
- BIND would generally work better with a faster CPU compared to multiple CPUs/cores, e.g. 1 x 3GHZ CPU could outperform 2 x 1.5GHz CPU.
- memory cache can speed things up to a point. Try allocating about 2-4G when you're handling lots of clients.

Those are very general pointers though, YMMV. You might find it easier to simply add another server instead of upgrading.

--
Fajar