Re: Detailed Log Analysis based on rndc stats!!

2012-01-29 Thread Shiva Raman
Hi Peter

Thanks a lot for your reply. I had enabled query-errors with debug level 2
in my BIND logging, and now I am able to log all SERVFAIL-related error logs in
query-errors.log. But I am unable to log the NXDOMAIN error logs.
Referring to the BIND documentation, I enabled the delegation-only option (which
logs queries that have returned NXDOMAIN as the result of a delegation-only
zone or a delegation-only statement in a hint or stub zone declaration),
but this is also not logging the NXDOMAIN errors. Kindly guide me on whether any
additional parameters need to be enabled in query-errors to log NXDOMAIN as well.

Regards

Shiva Raman

On Tue, Jan 17, 2012 at 9:11 PM, Peter Andreev andreev.pe...@gmail.com wrote:


 2012/1/17 Shiva Raman raman.shi...@gmail.com

  Hi All

  I am running BIND version 9.8.1 as an authoritative name server. From
 the rndc stats, I observe that there are some query failures happening
 in the server. I am trying to get detailed information on these query
 failures, but the current logging options are not allowing me to get a
 detailed report on the reason for the failure. I tried enabling detailed logs,
 but that is also not telling me which queries failed with NXDOMAIN,
 SERVFAIL etc.

  Please find the output of named.stats and the logging options enabled in
 named.conf

 Output of /chroot/named/conf/named.stats
 --

 +++ Statistics Dump +++ (1326803941)
 ++ Incoming Requests ++
75808 QUERY
 ++ Incoming Queries ++
75786 A
   22 PTR
 ++ Outgoing Queries ++
 [View: default]
 7374 A
13410 NS
   97 PTR
 [View: _bind]
 ++ Name Server Statistics ++
75808 IPv4 requests received
75781 requests with ADNS(0) received
75019 responses sent
75003 responses with ADNS(0) sent
 2848 queries resulted in successful answer
72340 queries resulted in authoritative answer
 2239 queries resulted in non authoritative answer
  440 queries resulted in SERVFAIL
71731 queries resulted in NXDOMAIN
 3466 queries caused recursion
  789 duplicate queries received
 ++ Zone Maintenance Statistics ++
 ++ Resolver Statistics ++
 [Common]
 [View: default]
20881 IPv4 queries sent
 5283 IPv4 responses received
  111 NXDOMAIN received
 2533 SERVFAIL received
16195 query retries
15598 query timeouts
  450 IPv4 NS address fetches
6 IPv4 NS address fetch failed
 4226 queries with RTT < 10ms
   17 queries with RTT 10-100ms
  869 queries with RTT 100-500ms
   82 queries with RTT 500-800ms
   37 queries with RTT 800-1600ms
   52 queries with RTT > 1600ms
 [View: _bind]
 ++ Cache DB RRsets ++
 [View: default]
   72 A
   24 NS
5 CNAME
5 NXDOMAIN
 [View: _bind (Cache: _bind)]
 ++ Socket I/O Statistics ++
20886 UDP/IPv4 sockets opened
4 TCP/IPv4 sockets opened
20883 UDP/IPv4 sockets closed
 3910 TCP/IPv4 sockets closed
2 UDP/IPv4 socket bind failures
20881 UDP/IPv4 connections established
 3911 TCP/IPv4 connections accepted
 ++ Per Zone Query Statistics ++
 --- Statistics Dump --- (1326803941)


 Logging options in /etc/named.conf
 


 // Logging options
 logging {
   // logging option for the named process
   channel default_debug {
     file "/logs/named.log" versions 10 size 500m;
     print-time yes;
     print-category yes;
     severity dynamic;
   };

   // logging option for queries to named
   channel queries {
     file "/logs/query.log" versions 20 size 500m;
     print-time yes;
     print-category yes;
     severity dynamic;
   };

   category default { default_debug; };
   category queries { null; };    // comment this line to log queries
   category queries { queries; }; // uncomment this to log queries
   category config { default_debug; };
   category security { default_debug; };
   category network { default_debug; };
   category lame-servers { null; };
   category general { null; };
   category edns-disabled { null; };
 };


 ---

 Kindly let me know the procedure to follow / options to enable in the logs to
 get a detailed report of queries w.r.t. the following lines.

440 queries resulted in SERVFAIL
71731
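The counters in the named.stats dump above are what a monitoring job should be reading, since query logging alone does not tell you which responses were NXDOMAIN or SERVFAIL. The following is an added example (not from this thread or from BIND) that parses the dump format shown above into sections and views, computes the failure ratios, and flags the ones worth investigating; the thresholds in LIMITS are illustrative assumptions, and the sample is a trimmed copy of the dump quoted in the thread.

```python
import re
from collections import defaultdict
# Constructed sample: a trimmed copy of the named.stats dump quoted earlier in this thread.
SAMPLE_STATS = """\
+++ Statistics Dump +++ (1326803941)
++ Name Server Statistics ++
               75019 responses sent
                 440 queries resulted in SERVFAIL
               71731 queries resulted in NXDOMAIN
++ Resolver Statistics ++
[View: default]
               20881 IPv4 queries sent
               15598 query timeouts
--- Statistics Dump --- (1326803941)
"""
SECTION_RE = re.compile(r"^\+\+ (.+?) \+\+$")
VIEW_RE = re.compile(r"^\[(?:View: )?(.+?)\]$")
COUNTER_RE = re.compile(r"^\s*(\d+) (\S.*?)\s*$")
LIMITS = {"nxdomain_share": 0.5, "servfail_share": 0.01, "upstream_timeout_share": 0.2}  # assumed thresholds

def parse_stats(text):
    """Parse an rndc stats dump into {section: {view: {counter: value}}}."""
    stats = defaultdict(lambda: defaultdict(dict))
    section, view = None, "_global"
    for line in text.splitlines():
        if line.startswith("+++") or line.startswith("---"):
            continue  # dump delimiters carrying the epoch timestamp
        if m := SECTION_RE.match(line):
            section, view = m.group(1), "_global"  # counters before any [View:] line
        elif m := VIEW_RE.match(line):
            view = m.group(1)
        elif (m := COUNTER_RE.match(line)) and section:
            stats[section][view][m.group(2)] = int(m.group(1))
    return stats

def failure_summary(stats):
    """Ratios for the counters asked about in the thread (0.0 when a denominator is missing)."""
    ns = stats["Name Server Statistics"]["_global"]
    res = stats["Resolver Statistics"]["default"]
    ratio = lambda n, d: n / d if d else 0.0
    return {
        "nxdomain_share": ratio(ns.get("queries resulted in NXDOMAIN", 0), ns.get("responses sent", 0)),
        "servfail_share": ratio(ns.get("queries resulted in SERVFAIL", 0), ns.get("responses sent", 0)),
        "upstream_timeout_share": ratio(res.get("query timeouts", 0), res.get("IPv4 queries sent", 0)),
    }

def anomalies(summary, limits=LIMITS):
    """Names of the ratios above their limit, e.g. an NXDOMAIN-dominated authoritative server."""
    return [name for name, limit in limits.items() if summary[name] > limit]
```

Run on the sample, the NXDOMAIN share (about 96% of responses) and the upstream timeout share are flagged, while SERVFAIL stays under its limit; on an authoritative server such an NXDOMAIN share usually means misdirected or junk queries rather than a zone problem.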

DNS latency!!!

2010-08-15 Thread Shiva Raman
Hi All

  Which is the best method to measure DNS latency? Are there any scripts /
programs available to measure the DNS latency directly?


Regards

Shiva Raman
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Protecting bind from DNS cache poisoning!!!

2010-08-09 Thread Shiva Raman
Hi
Thanks for your valuable suggestions

Run an up-to-date version of bind.  Be fanatical about applying security
patches promptly.

Yes, I am running the latest version, BIND 9.7.1-P2.

Don't allow recursion /at all/ for queries from the general public to
your authoritative servers, nor permit authoritative servers to send
additional data from cache.

I am running separate caching and authoritative servers. As suggested
by you, I have disabled recursion for the authoritative servers.


Permit only your trusted clients to make recursive queries through your
recursive servers.

Yes, in the caching servers I have only enabled recursion for our trusted
clients.


If you have sufficient DNS traffic to warrant it, it is very good to run
completely separate instances of bind as authoritative and recursive
servers -- use of virtualization techniques like FreeBSD jails can help
reduce hardware costs.

Yes, I am running separate instances of authoritative and recursive servers.


Allow bind to use as wide a range of port numbers as possible for UDP
traffic.

Yes this is allowed in the firewall.

 Make sure your firewalls don't do daft things like forcing any DNS
traffic to come from a limited range of source ports, or blocking large
UDP packets or EDNS.  Allow DNS queries over TCP as well as UDP.

 Yes, in the firewall both TCP and UDP DNS queries are allowed.

  Implement DNSSEC.

 I tried implementing DNSSEC using the following document:
http://blog.dustintrammell.com/2008/08/01/configuring-dnssec-in-bind/

After modifying named.conf for the recursive server, I restarted named.

Now named is working with DNSSEC enabled, but I am not able to verify the
same.

Kindly let me know how we can verify that DNSSEC is enabled and running,
from the logs.

Thanks in advance.

Shiva Raman
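An added example (not from this thread or from BIND) that serves both the DNS latency question in the earlier thread and the question of verifying that the recursive server validates DNSSEC: it builds a minimal UDP query with the DO bit set, times the round trip, and reads the RCODE and the AD flag from the response header. For a name in a signed zone, a resolver that is actually validating answers with AD set; the server address and name in the usage call are placeholders.

```python
import os
import socket
import struct
import time

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, want_dnssec=True):
    """Wire-format query with RD set; with want_dnssec an OPT RR carries the DO bit."""
    qid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if want_dnssec else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    if want_dnssec:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload 4096, TTL = ext-RCODE/version/flags (DO), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return qid, msg

def parse_header(resp):
    """Header fields a validation check needs: RCODE name, AA and AD flags, answer count."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    return {"id": qid, "rcode": RCODES.get(rcode, str(rcode)), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020), "answers": an}

def timed_query(server, name, qtype=1, timeout=2.0):
    """Send one UDP query and return the parsed header plus the round-trip time in ms."""
    qid, msg = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(msg, (server, 53))
        resp, _ = sock.recvfrom(4096)
        rtt_ms = (time.perf_counter() - start) * 1000.0
    result = parse_header(resp)
    if result["id"] != qid:
        raise ValueError("response ID does not match the query")
    result["rtt_ms"] = rtt_ms
    return result

if __name__ == "__main__":
    # Placeholder resolver and name: a signed name answers ad=True from a validating resolver.
    print(timed_query("127.0.0.1", "example.com"))
```

The AD bit read here is the same one `dig +dnssec` prints in its flags line, so the two checks should agree.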

Protecting bind from DNS cache poisoning!!!

2010-08-08 Thread Shiva Raman
Dear All

   I am running BIND caching and BIND authoritative servers with the current
9.7 version. I would like to know the steps to be followed to protect BIND
from DNS cache poisoning. The BIND DNS server is running behind the firewall,
which allows only DNS queries.

Kindly share your views.

Thanks in advance.

Shiva Raman

Performance tuning tips required for bind 9.6.1-P3!!!

2010-07-13 Thread Shiva Raman
Dear All

 This is in reference to performance tuning. I had already gone through
the mailing list archives, but could not find an answer to my
specific query mentioned here.

 I had installed BIND as a caching name server for test purposes and am
planning to test performance that could give me around 1 qps.

The OS is CentOS 5.4 64-bit, with minimal packages installed. The
server is a dual quad-core Intel Xeon 2.53 GHz, 16 GB RAM with 300 GB HDD
(RAID 1).

*BIND version installed is bind 9.6.1-P3. Source extracted and compiled
with the following options.*

./configure --enable-epoll  --enable-atomic  --enable-ipv6 --enable-chroot
--with-openssl --with-randomdev=/chroot/named
--disable-openssl-version-check --with-libtool --enable-threads

Chrooted BIND installation is done.

Only named, ssh and ntp services are running on the servers.

Right now I am using queryperf to test the performance with a sample query
file of a thousand entries. Right now I am getting only 2000 to 2300 qps.
I am writing query logs to a separate partition with noatime enabled for
the partition.

   OS hardening is done by removing unwanted services, closing all
unnecessary ports and securing the running services.

   My system is now using only 3 GB of RAM of the total 16 GB.

*Following is the output of uptime;free -m during performance testing*

[r...@localhost ~]# uptime;free -m
 22:19:52 up 1 day,  6:06,  3 users,  load average: 2.03, 2.06, 1.34
             total       used       free     shared    buffers     cached
Mem:         16047       3183      12864          0        238       2037
-/+ buffers/cache:        907      15140
Swap:         8189          0       8189




*Following is my named.conf*

acl testsetup_net {
  10.201.31.0/26;
};

acl blacklistnets {
  192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 192.168.0.0/16;
};

// Main options defined here
options {
  directory "/conf";
  dump-file "named_dump.db";
  statistics-file "named.stats";
  pid-file "/var/run/named.pid";
  allow-recursion { localhost; testsetup_net; };
  allow-query { localhost; testsetup_net; };
  allow-query-cache { localhost; testsetup_net; };
  allow-transfer { none; };
  blackhole { blacklistnets; };
  recursive-clients 2;
  version "Not old!";
  datasize default;
  notify yes;
};

// Logging options are defined here.
logging {
  // logging option for the named process
  channel default_debug {
    file "/logs/named.log" versions 10 size 50m;
    print-time yes;
    print-category yes;
    severity dynamic;
  };

  // logging option for queries to named
  channel queries {
    file "/logs/query.log" versions 20 size 100m;
    print-time yes;
    print-category yes;
    severity dynamic;
  };

  category default { default_debug; };
  category queries { queries; }; // uncomment this to log queries
  category config { default_debug; };
  category security { default_debug; };
  category network { default_debug; };
  category lame-servers { null; };
  category edns-disabled { null; };
};


zone "." in {
  type hint;
  file "db.rootcache";
};

zone "localhost" in {
  type master;
  file "db.local";
  notify no;
};

zone "0.0.127.in-addr.arpa" in {
  type master;
  file "db.127.0.0";
  notify no;
};


   Kindly guide me on improving the BIND performance from 2000 qps to
nearly 1 qps. Which are the parameters I should change to improve
the performance? Are there any OS-level parameters to be changed to improve
the performance?

thanks in advance

Regards

Shiva Raman