Re: I need to find statistics on a running server.

2023-01-12 Thread Howard, Christopher
You can use "rndc stats" to have bind dump a file with stats in it.  This is 
how I get stats from our servers.  I store the values every 2 minutes and 
create a dashboard from that.  Stuff like total queries, total queries from 
ipv4 clients, total queries from ipv6 clients, total A//CNAME/PTR/NXDOMAIN 
requests/answers.  With it stored every 2 minutes it's easy to chart out number 
per second, of course that's averaged out over the 2 minute window.

-Christopher


On Thu, 2023-01-12 at 18:30 +, King, Harold Clyde (Hal) via bind-users 
wrote:
That's not a bad idea.


--

Hal King  - h...@utk.edu
Systems Administrator
Office of Information Technology
Shared Services

The University of Tennessee
103c5 Kingston Pike Building
2309 Kingston Pk. Knoxville, TN 37996
Phone: 974-1599

From: Jeff Sumner 
Sent: Thursday, January 12, 2023 1:22 PM
To: King, Harold Clyde (Hal) ; bind-users 

Subject: Re: I need to find statistics on a running server.


I’ve turned on query logging, then grepped for the count of lines logged in a 
particular second.



Worked well enough for the job at the time.



J



From: bind-users on behalf of "King, Harold Clyde (Hal) via bind-users"
Reply-To: "King, Harold Clyde (Hal)"
Date: Thursday, January 12, 2023 1:20 PM
To: bind-users
Subject: I need to find statistics on a running server.



I need to find some answers like queries per second.  Any fast ideas folks?

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
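
An added example, not part of the thread and not ISC's code: one way to turn the "rndc stats" dumps described above into per-second rates. It assumes the usual named.stats layout, where every dump is appended to the same file and stamped with its epoch time; the sample file and all counter values are constructed.

```python
import re

# Constructed sample of a named.stats file: `rndc stats` appends one dump per
# call, each stamped with its epoch time. All counter values are made up.
SAMPLE = """\
+++ Statistics Dump +++ (1673548200)
++ Incoming Requests ++
              1200000 QUERY
++ Name Server Statistics ++
               900000 IPv4 requests received
               300000 IPv6 requests received
++ Per Zone Query Statistics ++
[example.edu (view: view1)]
                  300 queries resulted in successful answer
[rpz (view: view1)]
--- Statistics Dump --- (1673548200)
+++ Statistics Dump +++ (1673548320)
++ Incoming Requests ++
              1212000 QUERY
++ Name Server Statistics ++
               909000 IPv4 requests received
               303000 IPv6 requests received
++ Per Zone Query Statistics ++
[example.edu (view: view1)]
                  540 queries resulted in successful answer
[rpz (view: view1)]
--- Statistics Dump --- (1673548320)
+++ Statistics Dump +++ (1673548440)
++ Incoming Requests ++
                  500 QUERY
--- Statistics Dump --- (1673548440)
"""

DUMP_START = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)")
SECTION = re.compile(r"^\+\+ (.+) \+\+$")
SCOPE = re.compile(r"^\[(.+)\]$")       # per-zone / per-view sub-header
COUNTER = re.compile(r"^\s*(\d+)\s+(\S.*)$")


def parse_dumps(text):
    """Return [(epoch, {(section, scope, name): value})], one entry per dump."""
    dumps, counters, section, scope = [], None, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = DUMP_START.match(line)
        if m:
            counters, section, scope = {}, None, None
            dumps.append((int(m.group(1)), counters))
        elif counters is None:
            continue                     # text outside any dump
        elif line.startswith("--- "):
            counters = None              # end-of-dump marker
        elif (m := SECTION.match(line)):
            section, scope = m.group(1), None
        elif (m := SCOPE.match(line)):
            scope = m.group(1)
        elif (m := COUNTER.match(line)) and section:
            counters[(section, scope, m.group(2))] = int(m.group(1))
    return dumps


def rates(prev, curr):
    """Per-second rate of every counter in curr; None where it went backwards."""
    (t0, c0), (t1, c1) = prev, curr
    dt = t1 - t0
    if dt <= 0:
        raise ValueError("dumps are out of order or share a timestamp")
    out = {}
    for key, value in c1.items():
        # Assumption: a counter absent from the earlier dump was still zero.
        delta = value - c0.get(key, 0)
        # A negative delta means named restarted and the counters reset.
        out[key] = None if delta < 0 else delta / dt
    return out


if __name__ == "__main__":
    dumps = parse_dumps(SAMPLE)
    for prev, curr in zip(dumps, dumps[1:]):
        qps = rates(prev, curr)[("Incoming Requests", None, "QUERY")]
        print(curr[0], "restart, skip interval" if qps is None else f"{qps:.1f} q/s")
```

The rate is an average over the interval between two dumps, so a two-minute collection cycle hides any burst shorter than that.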


Re: Openssl issue

2018-11-08 Thread Howard, Christopher
I had that exact same issue. I had to drop down to 9.11 to get it to work.

-Christopher


On Thu, 2018-11-08 at 18:12 +, Stewart, Larry C Sr CTR DISA JT (USA) wrote:

I am running Solaris 10 and I downloaded bind 9.12.3 today and compiled it 
using the enable threads option, the prefix=/ option and the --without-gost 
option just as I have in the past when compiling 9.10. The compilation seems to 
go well but when I run named with -t /nithr -u nithr named fails to start and I 
get daemon.crit openssl_link.c:296: fatal error:and Openssl pseudorandom number 
generator cannot be initialized (see the 'PRNG not seeded message in the 
Openssl FAQ). Then exiting (due to fatal error in library).


My chrooted directory does contain /dev/random


Does anyone have any suggestions on how to overcome this issue?


Larry Stewart, CISSP
Contractor - Jacobs Technology
Network Engineer
Office: 520-538-4227
DSN: 879-4227
Cell phone: 520-227-8251
larry.c.stewart@mail.mil






Re: PRNG not seeded, service won't start

2018-09-20 Thread Howard, Christopher
I’ve downgraded as well, but at some point the last working version will be end 
of life.  Hopefully you get somewhere with your bug report.

-Christopher

On Sep 20, 2018, at 3:02 PM, Reindl Harald <h.rei...@thelounge.net> wrote:

well, i just downgraded since it's a resolver without dnssec at all

https://bugzilla.redhat.com/show_bug.cgi?id=1631515

On 20.09.18 at 20:27, Howard, Christopher wrote:
I'm not the only one! Whew, I thought I was losing my mind.

I have rngd and haveged running and there is large pool of entropy and I
still can't get newer versions of bind to start. Very frustrating.

-Christopher


On Thu, 2018-09-20 at 20:14 +0200, Reindl Harald wrote:
OK, this is *really* foolish

on a heavily used machine with 2 days uptime, rngd and haveged there is
*for sure* enough random

bind-9.11.4-8.P1.fc28.x86_64 just found on Fedora koji

Sep 20 20:08:17 srv-rhsoft named[988479]:
../../../lib/dns/openssl_link.c:294: fatal error:
Sep 20 20:08:17 srv-rhsoft named[988479]: OpenSSL pseudorandom number
generator cannot be initialized (see the `PRNG not seeded' message in
the OpenSSL FAQ)
Sep 20 20:08:17 srv-rhsoft named[988479]: exiting (due to fatal error in
library)

who the hell does such invasive obviously not proper tested changes in
minor updates?

On 18.09.18 at 15:44, Howard, Christopher wrote:
I found that link previously and tried it. It didn't complain about that
not being a valid setting, but it didn't change the outcome. I'm
beginning to believe I may just have to upgrade to CentOS 7. It needs to
be done at some point anyway, I just didn't want to do it now.

-Christopher


On Tue, 2018-09-18 at 09:33 +0100, Tony Finch wrote:
Howard, Christopher <christopher-how...@utc.edu> wrote:

Does any one have any ideas of what I'm missing or what I can do to
resolve this (besides upgrading this box to CentOS 7)?

Try setting `random-device "/dev/urandom";` in `named.conf`.

See 
https://gitlab.isc.org/isc-projects/bind9/commit/24172bd2eeba91441ab1c65d2717b0692309244a



Re: PRNG not seeded, service won't start

2018-09-20 Thread Howard, Christopher
I'm not the only one! Whew, I thought I was losing my mind.

I have rngd and haveged running and there is large pool of entropy and I still 
can't get newer versions of bind to start. Very frustrating.

-Christopher


On Thu, 2018-09-20 at 20:14 +0200, Reindl Harald wrote:

OK, this is *really* foolish

on a heavily used machine with 2 days uptime, rngd and haveged there is
*for sure* enough random

bind-9.11.4-8.P1.fc28.x86_64 just found on Fedora koji

Sep 20 20:08:17 srv-rhsoft named[988479]:
../../../lib/dns/openssl_link.c:294: fatal error:
Sep 20 20:08:17 srv-rhsoft named[988479]: OpenSSL pseudorandom number
generator cannot be initialized (see the `PRNG not seeded' message in
the OpenSSL FAQ)
Sep 20 20:08:17 srv-rhsoft named[988479]: exiting (due to fatal error in
library)

who the hell does such invasive obviously not proper tested changes in
minor updates?

On 18.09.18 at 15:44, Howard, Christopher wrote:

I found that link previously and tried it. It didn't complain about that
not being a valid setting, but it didn't change the outcome. I'm
beginning to believe I may just have to upgrade to CentOS 7. It needs to
be done at some point anyway, I just didn't want to do it now.

-Christopher

On Tue, 2018-09-18 at 09:33 +0100, Tony Finch wrote:

Howard, Christopher <christopher-how...@utc.edu> wrote:

Does any one have any ideas of what I'm missing or what I can do to
resolve this (besides upgrading this box to CentOS 7)?

Try setting `random-device "/dev/urandom";` in `named.conf`.

See 
https://gitlab.isc.org/isc-projects/bind9/commit/24172bd2eeba91441ab1c65d2717b0692309244a


Re: PRNG not seeded, service won't start

2018-09-18 Thread Howard, Christopher
I found that link previously and tried it. It didn't complain about that not 
being a valid setting, but it didn't change the outcome. I'm beginning to 
believe I may just have to upgrade to CentOS 7. It needs to be done at some 
point anyway, I just didn't want to do it now.

-Christopher


On Tue, 2018-09-18 at 09:33 +0100, Tony Finch wrote:

Howard, Christopher <christopher-how...@utc.edu> wrote:

Does any one have any ideas of what I'm missing or what I can do to
resolve this (besides upgrading this box to CentOS 7)?

Try setting `random-device "/dev/urandom";` in `named.conf`.

See 
https://gitlab.isc.org/isc-projects/bind9/commit/24172bd2eeba91441ab1c65d2717b0692309244a

Tony.



Re: PRNG not seeded, service won't start

2018-09-18 Thread Howard, Christopher
Those are both good. Recent versions of bind are now using OpenSSL for random 
number generation and not /dev/random or /dev/urandom. Since the old version 
still works the /dev devices are obviously working.

-Christopher


On Tue, 2018-09-18 at 07:52 +, Alberto Colosi wrote:

ON INTERNET IS LIKE TO BE LINKED TO RANDOM SEED GENERATION

check

# ls -l /dev/random /dev/urandom
crw-r--r-- 1 root system 39, 0 Jan 22 10:48 /dev/random
crw-r--r-- 1 root system 39, 1 Jan 22 10:48 /dev/urandom




From: bind-users  on behalf of Howard, 
Christopher 
Sent: Tuesday, September 18, 2018 1:11 AM
To: bind-users@lists.isc.org
Subject: PRNG not seeded, service won't start

I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2-P1 and the service 
refuses to start. This is on a CentOS 6.10 machine. I ran into the same issue 
on CentOS 7 and was able to fix it by making sure that rngd is running before 
the named service starts. That same fix is not working for CentOS 6. I'm at a 
loss as to how to fix this and Google is failing me now.

The error in the log says:
Sep 17 18:59:08 nsm named[3926]: openssl_link.c:296: fatal error:
Sep 17 18:59:08 nsm named[3926]: OpenSSL pseudorandom number generator cannot 
be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)

Does any one have any ideas of what I'm missing or what I can do to resolve 
this (besides upgrading this box to CentOS 7)?

-Christopher




Re: PRNG not seeded, service won't start

2018-09-18 Thread Howard, Christopher
I've tried this one. It doesn't work. There is plenty of entropy on the box, 
but it still won't start with the same error.

-Christopher


On Tue, 2018-09-18 at 01:22 +0200, Reindl Harald wrote:

https://wiki.archlinux.org/index.php/Haveged

On 18.09.18 at 01:11, Howard, Christopher wrote:

I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2-P1 and the
service refuses to start. This is on a CentOS 6.10 machine. I ran into
the same issue on CentOS 7 and was able to fix it by making sure that
rngd is running before the named service starts. That same fix is not
working for CentOS 6. I'm at a loss as to how to fix this and Google is
failing me now.

The error in the log says:
Sep 17 18:59:08 nsm named[3926]: openssl_link.c:296: fatal error:
Sep 17 18:59:08 nsm named[3926]: OpenSSL pseudorandom number generator
cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)

Does any one have any ideas of what I'm missing or what I can do to
resolve this (besides upgrading this box to CentOS 7)?




PRNG not seeded, service won't start

2018-09-17 Thread Howard, Christopher
I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2-P1 and the service 
refuses to start. This is on a CentOS 6.10 machine. I ran into the same issue 
on CentOS 7 and was able to fix it by making sure that rngd is running before 
the named service starts. That same fix is not working for CentOS 6. I'm at a 
loss as to how to fix this and Google is failing me now.

The error in the log says:
Sep 17 18:59:08 nsm named[3926]: openssl_link.c:296: fatal error:
Sep 17 18:59:08 nsm named[3926]: OpenSSL pseudorandom number generator cannot 
be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)

Does any one have any ideas of what I'm missing or what I can do to resolve 
this (besides upgrading this box to CentOS 7)?

-Christopher



Re: Share RPZ Zones between views

2015-02-20 Thread Howard, Christopher
There are three ways that I know of to do it.  The first would be to load the 
same RPZ data in each view from the same source files.  The second would be to 
zone transfer the RPZ data from one view to the others.  The third would be to 
have completely separate RPZ files for each view that you manually update each 
so you can block different domains per view.  I do not believe it is possible 
to have the other views reference records that are only loaded in another view. 
 If you reference the RPZ data at all in the other views it's going to load 
another copy.  But I could be wrong. :)

-Christopher

From: José Alonso <j...@transtelco.net>
Date: Friday, February 20, 2015 at 9:46 AM
To: bind-users@lists.isc.org
Subject: Re: Share RPZ Zones between views

Hi guys,

Any idea on this ?

Thanks!
Jose Alonso

On Thu, Feb 19, 2015 at 6:50 PM, José Alonso <j...@transtelco.net> wrote:
Hi all !

I'm having a problem guys, I want to know if there's a way to share RPZ zones 
between views in a single server.

Let's say that I have a view common and I have in there a zone called porn 
with all the domains that I want to block, then I have 2 views that matches for 
2 different IP sources and I want to also block the zone porn in those 2 
views, is there a way to share the already loaded zone in the common view in 
order to save memory on the server ?

I would really appreciate any help with this,

Thanks!
Jose Alonso


Re: Automatic flushing of the jnl files

2015-01-21 Thread Howard, Christopher
The journal files get flushed to the zone file periodically, but old
transactions don't get removed so the journal file will continue to grow
forever.  If you're like me and on virtual machines with limited hard disk
capacity, you can limit the journal file size with the max-journal-size
configuration statement.  Just make sure that the size is large enough to
hold all of the transactions between flushes (I believe that's around
every 15 minutes).  Otherwise, after a crash you would be missing records.

-Christopher



On 1/21/15, 11:46 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

On 21/01/15 15:46, eric.berthiaume.exter...@banque-france.fr wrote:

 So it does seem to be rolling the changes but jnl files still
 persist.  It's not terribly bothering but I would like to know if this
 is the normal behavior.

It's normal. The .jnl files contain the data required to perform
incremental outbound zone transfers.


Re: Automatic flushing of the jnl files

2015-01-21 Thread Howard, Christopher
Oh, well that's good to know. :)

-Christopher



On 1/21/15, 12:18 PM, Chris Thompson c...@cam.ac.uk wrote:

On Jan 21 2015, Howard, Christopher wrote:

The journal files get flushed to the zone file periodically, but old
transactions don't get removed so the journal file will continue to grow
forever.  If you're like me and on virtual machines with limited hard disk
capacity, you can limit the journal file size with the max-journal-size
configuration statement. Just make sure that the size is large enough to
hold all of the transactions between flushes (I believe that's around
every 15 minutes).  Otherwise, after a crash you would be missing records.

I am fairly sure you are wrong on that last point. BIND will not flush
journal file entries that have not yet been committed to the master file,
even if they make the journal bigger than max-journal-size. If you specify
max-journal-size 512; you will find the journal gets emptied completely,
but only after the master file has been updated. (Of course, as Phil Mayers
points out, this would cause downstream IXFRs to become AXFRs.)

-- 
Chris Thompson
Email: c...@cam.ac.uk



RPZ seems to be hit and miss

2014-01-10 Thread Howard, Christopher Bryan
For reference:
BIND 9.9.4-P1
CentOS 6.4
64bit arch

We use RPZ to CNAME all of the “bad” domains over to a catch-all type server 
that can display a message to the user.  Until recently it has been working 
perfectly (or we thought it was :-P ).

The problem:
RPZ appears to have stopped working properly about a month ago and we didn’t 
notice it until a domain we specifically added kept resolving.  After doing 
some spot checking, a large portion of the domains in the RPZ zone work as 
expected.  However, some of them are still getting recursively resolved.  I’m 
at a complete loss as to why this is happening.

We were running BIND 9.9.3-P2, but I upgraded it to 9.9.4-P1 in an attempt to 
fix it, with no luck.  I’ve flushed the cache on all of our servers, I’ve 
restarted the service on all of our servers.  I’ve not restarted the actual 
servers, but I don’t think that would get us anywhere.


Here are some examples (note that NXDOMAIN responses are due to IDS blocking 
the resolution):


$ host ads5.woamobile.com
ads5.woamobile.com is an alias for catchall.utc.edu.
catchall.utc.edu has address 192.168.56.23
$ host WhateverIWantToPutHere.ads5.woamobile.com
WhateverIWantToPutHere.ads5.woamobile.com is an alias for catchall.utc.edu.
catchall.utc.edu has address 192.168.56.23

$ host adsafeprotected.com
Host adsafeprotected.com not found: 3(NXDOMAIN)
$ host WhateverIWantToPutHere.adsafeprotected.com
WhateverIWantToPutHere.adsafeprotected.com is an alias for catchall.utc.edu.
catchall.utc.edu has address 192.168.56.23

$ host conduit-services.com
conduit-services.com is an alias for catchall.utc.edu.
catchall.utc.edu has address 192.168.56.23
$ host asdfasdf.conduit-services.com
asdfasdf.conduit-services.com is an alias for catchall.utc.edu.
catchall.utc.edu has address 192.168.56.23
$ host sp-translation.conduit-services.com
Host sp-translation.conduit-services.com not found: 3(NXDOMAIN)


And here is what’s in the zone file:

ads5.woamobile.com      IN  CNAME   catchall.utc.edu.
*.ads5.woamobile.com    IN  CNAME   catchall.utc.edu.

adsafeprotected.com     IN  CNAME   catchall.utc.edu.
*.adsafeprotected.com   IN  CNAME   catchall.utc.edu.

conduit-services.com    IN  CNAME   catchall.utc.edu.
*.conduit-services.com  IN  CNAME   catchall.utc.edu.

I can provide other information as needed.

Does anyone have any experience with RPZ and have a clue why it seems to be 
selectively resolving records?

-Christopher

Re: RPZ seems to be hit and miss

2014-01-10 Thread Howard, Christopher Bryan
I've just been using the RPZ built into BIND.  I don't think I was aware
of RPZ 2.

-Christopher




On 1/10/14, 3:23 PM, Alan Clegg a...@clegg.com wrote:


On Jan 10, 2014, at 1:32 PM, Howard, Christopher Bryan
christopher-how...@utc.edu wrote:

 For reference: 
 BIND 9.9.4-P1
 CentOS 6.4
 64bit arch
 
 We use RPZ to CNAME all of the "bad" domains over to a catch-all type
server that can display a message to the user.  Until recently it has
been working perfectly (or we thought it was :-P ).
 
 The problem:
 RPZ appears to have stopped working properly about a month ago and we
didn't notice it until a domain we specifically added kept resolving.
After doing some spot checking, a large portion of the domains in the
RPZ zone work as expected.  However, some of them are still getting
recursively resolved.  I'm at a complete loss as to why this is
happening.
 
 We were running BIND 9.9.3-P2, but I upgraded it to 9.9.4-P1 in an
attempt to fix it, with no luck.  I've flushed the cache on all of our
servers, I've restarted the service on all of our servers.  I've not
restarted the actual servers, but I don't think that would get us
anywhere.

Did you accidentally move from RPZ 2 (via patches) to RPZ 1 (included in
BIND)?

I shot myself in the foot with this…

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com





Getting RPZ statistics

2012-12-07 Thread Howard, Christopher Bryan
I recently (as of 2 days ago) enabled RPZ on all of my name servers.  I 
currently use rndc stats, perl, and SNMP to make certain global stats 
available to our network monitoring system to make charts (number of queries 
across all views and such).  I'd like to do the same for just the RPZ zone so I 
can get an idea of how many queries are getting handled by RPZ itself.

I added zone-statistics yes; to the RPZ zone, and the statistics file showed 
the header for that zone, but then there were no stats there.  I enabled the 
zone-statistics for a regular zone and it provided stats as expected.  Here's 
what my stats file looks like with zone-statistics enabled in the RPZ zone and 
one other zone for comparison.

++ Per Zone Query Statistics ++
[utc.edu (view: view1)]
  3 queries resulted in successful answer
  9 queries resulted in authoritative answer
  2 queries resulted in nxrrset
  4 queries resulted in NXDOMAIN
[rpz (view: view2)]
[rpz (view: view1)]

My assumption is that since the RPZ zone is special it therefore can't keep 
track of stats.  Is this the case or am I overlooking something obvious?

I guess I could CNAME all the RPZ records to a single host in a separate domain 
and then do zone-statistics on that one zone, but that's kinda dirty.

-Christopher
