Re: Detailed Log Analysis based on rndc stats!!
Hi Peter,

Thanks a lot for your reply. I had enabled query-errors with debug level 2 in my BIND logging, and now I am able to log all SERVFAIL-related error logs in query-errors.log. But I am unable to log the NXDOMAIN error logs. Referring to the BIND documentation, I enabled the delegation-only option (which logs queries that have returned NXDOMAIN as the result of a delegation-only zone or a delegation-only statement in a hint or stub zone declaration), but this is also not logging the NXDOMAIN errors. Kindly guide me whether any additional parameters need to be enabled in query-errors to log NXDOMAIN also.

Regards
Shiva Raman

On Tue, Jan 17, 2012 at 9:11 PM, Peter Andreev <andreev.pe...@gmail.com> wrote:
> 2012/1/17 Shiva Raman <raman.shi...@gmail.com>
>> Hi All
>>
>> I am running BIND version 9.8.1 as an authoritative name server. From the rndc stats, I observe that there are some query failures happening in the server. I am trying to get detailed information on these query failures, but the current logging options are not allowing me to get a detailed report on the reason for failure. I tried enabling detailed logs, but that is also not telling me which queries failed with NXDOMAIN, SERVFAIL, etc.
>>
>> Please find the output of named.stats and the logging options enabled in named.conf.
>>
>> Output of /chroot/named/conf/named.stats
>> --
>> +++ Statistics Dump +++ (1326803941)
>> ++ Incoming Requests ++
>>                75808 QUERY
>> ++ Incoming Queries ++
>>                75786 A
>>                   22 PTR
>> ++ Outgoing Queries ++
>> [View: default]
>>                 7374 A
>>                13410 NS
>>                   97 PTR
>> [View: _bind]
>> ++ Name Server Statistics ++
>>                75808 IPv4 requests received
>>                75781 requests with ADNS(0) received
>>                75019 responses sent
>>                75003 responses with ADNS(0) sent
>>                 2848 queries resulted in successful answer
>>                72340 queries resulted in authoritative answer
>>                 2239 queries resulted in non authoritative answer
>>                  440 queries resulted in SERVFAIL
>>                71731 queries resulted in NXDOMAIN
>>                 3466 queries caused recursion
>>                  789 duplicate queries received
>> ++ Zone Maintenance Statistics ++
>> ++ Resolver Statistics ++
>> [Common]
>> [View: default]
>>                20881 IPv4 queries sent
>>                 5283 IPv4 responses received
>>                  111 NXDOMAIN received
>>                 2533 SERVFAIL received
>>                16195 query retries
>>                15598 query timeouts
>>                  450 IPv4 NS address fetches
>>                    6 IPv4 NS address fetch failed
>>                 4226 queries with RTT < 10ms
>>                   17 queries with RTT 10-100ms
>>                  869 queries with RTT 100-500ms
>>                   82 queries with RTT 500-800ms
>>                   37 queries with RTT 800-1600ms
>>                   52 queries with RTT > 1600ms
>> [View: _bind]
>> ++ Cache DB RRsets ++
>> [View: default]
>>                   72 A
>>                   24 NS
>>                    5 CNAME
>>                    5 NXDOMAIN
>> [View: _bind (Cache: _bind)]
>> ++ Socket I/O Statistics ++
>>                20886 UDP/IPv4 sockets opened
>>                    4 TCP/IPv4 sockets opened
>>                20883 UDP/IPv4 sockets closed
>>                 3910 TCP/IPv4 sockets closed
>>                    2 UDP/IPv4 socket bind failures
>>                20881 UDP/IPv4 connections established
>>                 3911 TCP/IPv4 connections accepted
>> ++ Per Zone Query Statistics ++
>> --- Statistics Dump --- (1326803941)
>>
>> Logging options in /etc/named.conf
>>
>> // Logging options
>> logging {
>>     // logging option for named process
>>     channel default_debug {
>>         file "/logs/named.log" versions 10 size 500m;
>>         print-time yes;
>>         print-category yes;
>>         severity dynamic;
>>     };
>>     channel queries {
>>         // logging option for queries to named
>>         file "/logs/query.log" versions 20 size 500m;
>>         print-time yes;
>>         print-category yes;
>>         severity dynamic;
>>     };
>>     category default { default_debug; };
>>     category queries { null; };      // comment this line to log queries
>>     category queries { queries; };   // uncomment this to log queries
>>     category config { default_debug; };
>>     category security { default_debug; };
>>     category network { default_debug; };
>>     category lame-servers { null; };
>>     category general { null; };
>>     category edns-disabled { null; };
>> };
>> ---
>>
>> Kindly let me know the procedure to follow / options to be enabled in the logs to get a detailed report of queries with respect to the following lines.
>>
>> 440 queries resulted in SERVFAIL
>> 71731
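The counters in the named.stats dump above are cumulative since named started, so the useful figure is the difference between two dumps taken some time apart. The following is an added example, not code from the thread or from ISC: it parses the dump layout shown in the post (`+++ Statistics Dump +++ (epoch)`, `++ Section ++`, `[View: name]`, then `<count> <description>` lines) and turns the SERVFAIL and NXDOMAIN counters from the Name Server Statistics section into percentages and per-second rates. The first sample dump reuses the figures from the post; the second dump, ten minutes later, is constructed.

```python
"""Parse BIND 9 statistics dumps (the named.stats format shown in the post)
and turn the cumulative failure counters into per-interval rates.

Added example, not code from the thread. It assumes the layout a 9.8-era
`rndc stats` writes: '+++ Statistics Dump +++ (epoch)' opens a dump,
'++ Section ++' opens a section, '[View: name]' opens a view inside it,
and each counter is '<count> <description>'. The sample text is constructed.
"""
import re
from collections import OrderedDict

DUMP_START = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)")
DUMP_END = re.compile(r"^--- Statistics Dump --- \((\d+)\)")
SECTION = re.compile(r"^\+\+ (.+?) \+\+$")
VIEW = re.compile(r"^\[View: (\S+?)(?: \(.*\))?\]$")
COUNTER = re.compile(r"^(\d+) (.+)$")
NS_SECTION = "Name Server Statistics"


def parse_stats(text):
    """Return a list of dumps, each {'time': epoch, 'sections': {section: {view: {desc: count}}}}.
    Counters that precede any '[View: ...]' line are filed under the view name '_global'."""
    dumps, current, section, view = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_START.match(line)
        if m:
            current = {"time": int(m.group(1)), "sections": OrderedDict()}
            dumps.append(current)
            section, view = None, None
            continue
        if current is None:
            continue
        if DUMP_END.match(line):
            current = None
            continue
        m = SECTION.match(line)
        if m:
            section = current["sections"].setdefault(m.group(1), OrderedDict())
            view = "_global"
            continue
        m = VIEW.match(line)
        if m:
            view = m.group(1)
            continue
        m = COUNTER.match(line)
        if m and section is not None:
            section.setdefault(view, OrderedDict())[m.group(2)] = int(m.group(1))
    return dumps


def failure_summary(dump):
    """Pull the authoritative-side result counters out of one dump."""
    ns = dump["sections"].get(NS_SECTION, {}).get("_global", {})
    requests = ns.get("IPv4 requests received", 0) + ns.get("IPv6 requests received", 0)
    servfail = ns.get("queries resulted in SERVFAIL", 0)
    nxdomain = ns.get("queries resulted in NXDOMAIN", 0)

    def pct(n):
        return round(100.0 * n / requests, 2) if requests else 0.0

    return {"time": dump["time"], "requests": requests, "servfail": servfail,
            "nxdomain": nxdomain, "servfail_pct": pct(servfail), "nxdomain_pct": pct(nxdomain)}


def interval_delta(older, newer):
    """Counters are cumulative since named started, so the rate over a period is the
    difference between two dumps taken at its ends."""
    a, b = failure_summary(older), failure_summary(newer)
    seconds = b["time"] - a["time"]
    out = {key: b[key] - a[key] for key in ("requests", "servfail", "nxdomain")}
    out["interval_s"] = seconds
    out["nxdomain_per_s"] = round(out["nxdomain"] / seconds, 3) if seconds > 0 else None
    out["servfail_per_s"] = round(out["servfail"] / seconds, 3) if seconds > 0 else None
    return out


# Constructed sample: the first dump repeats the figures from the post, the second is
# an invented dump ten minutes later so that interval_delta has something to subtract.
SAMPLE = """\
+++ Statistics Dump +++ (1326803941)
++ Incoming Requests ++
               75808 QUERY
++ Name Server Statistics ++
               75808 IPv4 requests received
                 440 queries resulted in SERVFAIL
               71731 queries resulted in NXDOMAIN
++ Resolver Statistics ++
[Common]
[View: default]
                 111 NXDOMAIN received
                2533 SERVFAIL received
[View: _bind]
--- Statistics Dump --- (1326803941)
+++ Statistics Dump +++ (1326804541)
++ Name Server Statistics ++
               80808 IPv4 requests received
                 500 queries resulted in SERVFAIL
               76531 queries resulted in NXDOMAIN
--- Statistics Dump --- (1326804541)
"""

if __name__ == "__main__":
    dumps = parse_stats(SAMPLE)
    print(failure_summary(dumps[0]))
    print(interval_delta(dumps[0], dumps[1]))
```

With the post's figures, roughly 95% of the requests this authoritative server received ended in NXDOMAIN, which is the kind of ratio worth watching over time: a sudden rise in the NXDOMAIN rate per second between two dumps usually points at a client or scanner asking for names that do not exist rather than at a server fault.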
DNS latency!!!
Hi All

Which is the best method to measure DNS latency? Are there any scripts / programs available to measure the DNS latency directly?

Regards
Shiva Raman
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
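One direct way to measure DNS latency is to time the round trip of a query you build yourself, so nothing but the resolver is in the path. The following is an added example, not code from the thread or from ISC: it writes a minimal wire-format query, sends it over UDP, times the reply with a monotonic clock, accepts the reply only if it carries the same transaction ID and has the QR bit set, and summarises the samples (min, median, p95, max) together with a tally of response codes, so NXDOMAIN and SERVFAIL answers are visible alongside the timings. The responder it starts on 127.0.0.1 is a constructed stand-in so the script runs offline; to measure a real server, pass its `(ip, 53)` address to `measure()`.

```python
"""Measure DNS query latency with a hand-built UDP query.

Added example for the 'how do I measure DNS latency' question; not code from
the thread. It builds a minimal wire-format query, times the round trip with a
monotonic clock, validates the reply's transaction ID and QR bit, and
summarises the samples. For an offline self-test it also starts a constructed
responder on 127.0.0.1 that answers every query with a fixed RCODE; point
measure() at a real resolver's (ip, 53) to measure that instead.
"""
import random
import socket
import statistics
import struct
import threading
import time

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname, qtype=1):
    """Return (packet, txid): one standard query for qname/qtype, class IN, RD set."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags=RD, QDCOUNT=1
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1), txid


def parse_header(packet):
    """Decode the 12-byte DNS header into a dict."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F, "ancount": an}


def time_query(server, qname, qtype=1, timeout=2.0):
    """Send one query; return (rtt_ms, rcode), or (None, None) on timeout or a reply
    that does not match our transaction ID (stray or spoofed datagram)."""
    packet, txid = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(packet, server)
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, None
        rtt_ms = (time.perf_counter() - start) * 1000.0
    hdr = parse_header(reply)
    if hdr["id"] != txid or not hdr["qr"]:
        return None, None
    return rtt_ms, hdr["rcode"]


def measure(server, qnames, repeat=3):
    """Query each name `repeat` times; return a latency summary plus RCODE and timeout tallies."""
    rtts, rcodes, timeouts = [], {}, 0
    for name in qnames:
        for _ in range(repeat):
            rtt, rcode = time_query(server, name)
            if rtt is None:
                timeouts += 1
                continue
            rtts.append(rtt)
            label = RCODE_NAMES.get(rcode, str(rcode))
            rcodes[label] = rcodes.get(label, 0) + 1
    summary = {"samples": len(rtts), "timeouts": timeouts, "rcodes": rcodes}
    if rtts:
        ordered = sorted(rtts)
        p95_index = min(len(ordered) - 1, int(0.95 * len(ordered)))
        summary.update(min_ms=ordered[0], median_ms=statistics.median(ordered),
                       p95_ms=ordered[p95_index], max_ms=ordered[-1])
    return summary


def start_fake_resolver(rcode=0, delay_s=0.002):
    """Constructed test responder (not a real DNS server): echoes each query's ID and
    question back with QR/RD/RA set and the given RCODE. Returns (address, stop_fn)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.2)
    address = sock.getsockname()
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, addr = sock.recvfrom(4096)
            except socket.timeout:
                continue
            time.sleep(delay_s)  # simulated server-side work
            flags = struct.pack("!H", 0x8180 | rcode)  # QR=1, RD=1, RA=1, RCODE
            counts = data[4:6] + b"\x00\x00\x00\x00\x00\x00"  # QDCOUNT kept, others 0
            sock.sendto(data[:2] + flags + counts + data[12:], addr)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return address, stop.set


if __name__ == "__main__":
    server, stop = start_fake_resolver(rcode=3)  # every name answers NXDOMAIN
    print(measure(server, ["example.test", "www.example.test"]))
    stop()
```

Against a production resolver, run the measurement from the same network position as the clients you care about, and keep the percentile figures rather than the mean: a handful of slow upstream lookups (compare the "queries with RTT" buckets in the stats dump above) can hide behind an average that looks fine.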
Re: Protecting bind from DNS cache poisoning!!!
Hi

Thanks for your valuable suggestions.

> Run an up-to-date version of bind. Be fanatical about applying security patches promptly.

Yes, I am running the latest version, Bind-9.7.1-P2.

> Don't allow recursion /at all/ for queries from the general public to your authoritative servers, nor permit authoritative servers to send additional data from cache.

I am running separate caching and authoritative servers. As suggested by you, I have disabled recursion for the authoritative servers.

> Permit only your trusted clients to make recursive queries through your recursive servers.

Yes, in the caching servers I have only enabled recursion for our trusted clients.

> If you have sufficient DNS traffic to warrant it, it is very good to run completely separate instances of bind as authoritative and recursive servers -- use of virtualization techniques like FreeBSD jails can help reduce hardware costs.

Yes, I am running separate instances of authoritative and recursive servers.

> Allow bind to use as wide a range of port numbers as possible for UDP traffic.

Yes, this is allowed in the firewall.

> Make sure your firewalls don't do daft things like forcing any DNS traffic to come from a limited range of source ports, or blocking large UDP packets or EDNS.
>
> Allow DNS queries over TCP as well as UDP.

Yes, in the firewall both TCP and UDP DNS queries are allowed.

> Implement DNSSEC.

I tried implementing DNSSEC using the following document:
http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/

After modifying named.conf for the recursive server, I restarted named. Now named is working with DNSSEC enabled, but I am not able to verify the same. Kindly let me know how we can verify that DNSSEC is enabled and running, from the logs.

Thanks in advance.
Shiva Raman
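Besides the logs, the most direct check that a recursive server is validating is to look at its answers: `dig +dnssec` against the resolver for a name in a signed zone should come back with the `ad` (authenticated data) flag in the header, and a validation failure shows up as SERVFAIL that turns into a normal answer when the same query is repeated with `+cd` (checking disabled). The following is an added example, not code from the thread or from ISC, that reads `dig` output and classifies it along those lines; the dig transcripts embedded in it are constructed, with made-up names and signature data.

```python
"""Check what a resolver's answers say about DNSSEC, from `dig +dnssec` output.

Added example, not from the thread. On the resolver side the observable sign of
validation is the AD (authenticated data) flag on an answer for a signed name;
RRSIG records without AD mean the zone is signed but this resolver did not
validate; SERVFAIL that becomes an answer when repeated with +cd (checking
disabled) means the validator rejected the data. The dig outputs below are
constructed, with the names and signature data made up.
"""
import re

FLAGS = re.compile(r"^;; flags: ([a-z ]*);", re.M)
STATUS = re.compile(r"status: ([A-Z]+)", re.M)
EDNS_FLAGS = re.compile(r"^; EDNS: version: \d+, flags:([a-z ]*);", re.M)
RRSIG = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\s+(\S+)", re.M)


def dnssec_status(dig_output):
    """Classify one dig answer: 'validated', 'signed-not-validated', 'insecure' or 'servfail'."""
    m = FLAGS.search(dig_output)
    flags = set(m.group(1).split()) if m else set()
    m = STATUS.search(dig_output)
    status = m.group(1) if m else "UNKNOWN"
    m = EDNS_FLAGS.search(dig_output)
    edns = set(m.group(1).split()) if m else set()
    covered = RRSIG.findall(dig_output)  # record types that carry a signature
    if status == "SERVFAIL":
        verdict = "servfail"
    elif "ad" in flags:
        verdict = "validated"
    elif covered:
        verdict = "signed-not-validated"
    else:
        verdict = "insecure"
    return {"status": status, "ad": "ad" in flags, "do": "do" in edns,
            "rrsig_types": covered, "verdict": verdict}


def compare_with_cd(normal_output, cd_output):
    """Diagnose a SERVFAIL by re-running the query with +cd: if the +cd answer succeeds
    and carries RRSIGs, the resolver's validator rejected the data (bad or expired
    signatures, a broken DS chain, a wrong trust anchor or a skewed clock); if +cd
    fails too, the problem is resolution itself, not validation."""
    normal, cd = dnssec_status(normal_output), dnssec_status(cd_output)
    if normal["status"] != "SERVFAIL":
        return "no failure: " + normal["verdict"]
    if cd["status"] == "NOERROR" and cd["rrsig_types"]:
        return "validation failure"
    if cd["status"] == "NOERROR":
        return "servfail without signatures: not a validation problem"
    return "servfail even with +cd: upstream or resolution problem"


# Constructed dig transcripts (header and answer sections only; names and RRSIG data invented).
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
www.example.test.\t3600\tIN\tA\t192.0.2.10
www.example.test.\t3600\tIN\tRRSIG\tA 8 3 3600 20120301000000 20120201000000 12345 example.test. MADEUPSIGNATUREDATA==
"""
WITH_CD = VALIDATED.replace("qr rd ra ad;", "qr rd ra cd;")  # same data, validation skipped
INSECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
www.unsigned.test.\t300\tIN\tA\t192.0.2.20
"""
SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

if __name__ == "__main__":
    for label, text in (("validated", VALIDATED), ("insecure", INSECURE), ("servfail", SERVFAIL)):
        print(label, dnssec_status(text)["verdict"])
    print(compare_with_cd(SERVFAIL, WITH_CD))
```

In practice the two checks to run against the new resolver are a `dig +dnssec` for a name in a zone known to be signed (expect `ad`) and one for a name in an unsigned zone (expect a normal answer without `ad`); a resolver that returns SERVFAIL for the signed name but answers it with `+cd` is validating and failing, which usually means a trust-anchor or clock problem on the resolver rather than a problem in the zone.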
Protecting bind from DNS cache poisoning!!!
Dear All

I am running BIND caching and BIND authoritative servers with the current 9.7 version. I would like to know the steps to be followed to protect BIND from DNS cache poisoning. The BIND DNS server is running behind a firewall which allows only DNS queries. Kindly share your views.

Thanks in advance.
Shiva Raman
Performance tuning tips required for bind 9.6.1-P3!!!
Dear All

This is in reference to performance tuning. I had already gone through the mailing list archives, but could not find an answer to my specific query mentioned here.

I had installed BIND as a caching name server for test purposes and am planning to test performance that could give me around 1 qps. The OS is CentOS 5.4 64-bit, with minimal packages installed. The server is a dual quad-core Intel Xeon 2.53 GHz, 16 GB RAM, with a 300 GB HDD (RAID 1).

BIND version installed is bind 9.6.1-P3. Source extracted and compiled with the following options:

./configure --enable-epoll --enable-atomic --enable-ipv6 --enable-chroot --with-openssl --with-randomdev=/chroot/named --disable-openssl-version-check --with-libtool --enable-threads

Chrooted BIND installation is done. Only named, ssh and ntp services are running on the servers. Right now I am using queryperf to test the performance with a sample query file of a thousand entries. Right now I am getting only 2000 to 2300 qps. I am writing query logs to a separate partition with noatime enabled for the partition. OS hardening is done by removing unwanted services, closing all unnecessary ports and securing the running services. My system is now using only 3 GB of RAM of the total 16 GB.

Following is the output of uptime;free -m during performance testing:

[r...@localhost ~]# uptime;free -m
 22:19:52 up 1 day, 6:06, 3 users, load average: 2.03, 2.06, 1.34
             total       used       free     shared    buffers     cached
Mem:         16047       3183      12864          0        238       2037
-/+ buffers/cache:        907      15140
Swap:         8189          0       8189

Following is my named.conf:

acl testsetup_net { 10.201.31.0/26; };
acl blacklistnets { 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 192.168.0.0/16; };

// Main options defined here
options {
    directory "/conf";
    dump-file "named_dump.db";
    statistics-file "named.stats";
    pid-file "/var/run/named.pid";
    allow-recursion { localhost; testsetup_net; };
    allow-query { localhost; testsetup_net; };
    allow-query-cache { localhost; testsetup_net; };
    allow-transfer { none; };
    blackhole { blacklistnets; };
    recursive-clients 2;
    version "Not old!";
    datasize default;
    notify yes;
};

// Logging options are defined here.
logging {
    // logging option for named process
    channel default_debug {
        file "/logs/named.log" versions 10 size 50m;
        print-time yes;
        print-category yes;
        severity dynamic;
    };
    channel queries {
        // logging option for queries to named
        file "/logs/query.log" versions 20 size 100m;
        print-time yes;
        print-category yes;
        severity dynamic;
    };
    category default { default_debug; };
    category queries { queries; };   // uncomment this to log queries
    category config { default_debug; };
    category security { default_debug; };
    category network { default_debug; };
    category lame-servers { null; };
    category edns-disabled { null; };
};

zone "." in {
    type hint;
    file "db.rootcache";
};

zone "localhost" in {
    type master;
    file "db.local";
    notify no;
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "db.127.0.0";
    notify no;
};

Kindly guide me on improving the BIND performance from 2000 qps to nearly 1 qps. Which are the parameters I should change for improving the performance? Are there any OS-level parameters to be changed for improving the performance?

Thanks in advance.

Regards
Shiva Raman