Re: max-cache-size query
On Wed 02 of Jun 2010 00:45:42 you wrote:
> One obvious solution to keeping the firewall guys happy would just be
> to make them not burn state entries for the nameserver at all.
> Firewalls in front of nameservers cause an ungodly amount of issues
> for no real benefit...

I will transfer that to our vendors, but my question is still not answered. Why on earth such a huge difference in the number of connections on the firewall with max-cache-size on and off? I still don't get it.

P.

> Just sayin'...
>
> W
>
> On Jun 1, 2010, at 8:35 AM, Techi wrote:
> > Hallo,
> > Recently, I faced huge problems with my DNS servers (bind crashed with no
> > apparent reason). Some of the symptoms were:
> > * Huge number of connections on our firewalls (>15).
> > * A lot of errors in syslog about max file descriptors limits reached
> >   (currently on system, the FD limit is 4096, the default of centos)
> >
> > Anyway, after the proposal of a friend of mine, I removed the
> > max-cache-size limit (that was set to 256MB).
> > After a restart of bind, the FW guys reported a huge drop on connections
> > (<1)!
> > Additionally, I have no crashes so far (in contrast with 1-2 per week).
> > So, why:
> > a. bind generated so much traffic?
> > b. Is it possible to have bind crash because I could not handle the cache
> >    clean-up and at the same time serve requests?
> >
> > Thank you
> > ___
> > bind-users mailing list
> > bind-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> ---
> Schizophrenia beats being alone.
Re: max-cache-size query
On Tue 01 of Jun 2010 15:43:54 you wrote:
> What version of BIND are you running? If you're getting FD limits, I'd
> think it's an older version with a bug, and your problems might also be
> alleviated by upgrading.

Version: bind-9.3.6-4.P1.el5_4.2

I cannot upgrade. Company's policy is to use only Centos packages :(
Anyway, I believe that it is not a "true" 9.3 since, for example, I can set the "allow-query-cache" statement of 9.5. Of course, only RH can say that and I am not RH.

Cheers.

> Todd.
>
> -----Original Message-----
> From: bind-users-bounces+tsnyder=rim@lists.isc.org
> [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Techi
> Sent: Tuesday, June 01, 2010 8:36 AM
> To: bind-users@lists.isc.org
> Subject: max-cache-size query
>
> Hallo,
> Recently, I faced huge problems with my DNS servers (bind crashed with no
> apparent reason). Some of the symptoms were:
> * Huge number of connections on our firewalls (>15).
> * A lot of errors in syslog about max file descriptors limits reached
>   (currently on system, the FD limit is 4096, the default of centos)
>
> Anyway, after the proposal of a friend of mine, I removed the
> max-cache-size limit (that was set to 256MB).
> After a restart of bind, the FW guys reported a huge drop on connections
> (<1)!
> Additionally, I have no crashes so far (in contrast with 1-2 per week).
> So, why:
> a. bind generated so much traffic?
> b. Is it possible to have bind crash because I could not handle the cache
>    clean-up and at the same time serve requests?
>
> Thank you
max-cache-size query
Hallo,
Recently, I faced huge problems with my DNS servers (bind crashed with no apparent reason). Some of the symptoms were:
* Huge number of connections on our firewalls (>15).
* A lot of errors in syslog about max file descriptors limits reached (currently on system, the FD limit is 4096, the default of centos)

Anyway, after the proposal of a friend of mine, I removed the max-cache-size limit (that was set to 256MB).
After a restart of bind, the FW guys reported a huge drop on connections (<1)!
Additionally, I have no crashes so far (in contrast with 1-2 per week).

So, why:
a. bind generated so much traffic?
b. Is it possible to have bind crash because I could not handle the cache clean-up and at the same time serve requests?

Thank you
DNSSEC for recursive server
Hallo,
I try to setup (=prepare) our DNS servers for the DNSSEC era. I have a Centos 5.x with Bind 9.3.6-4. I have one problem and 2 questions.

The problem is that the specific version seems to lack support for DNSSEC validation! named-checkconf returns the following error:

    /etc/named.conf:212: unknown option 'dnssec-validation'

!!!

Now the questions:

1. I try to understand the concepts of DNSSEC and the signing of root zones. As far as I understand, all I need to add in my bind's configuration are the following lines:

       dnssec-enable yes;
       dnssec-validation yes;

   Is that correct? If not, then what DLV should I use? That of ISC, IANA's, RIPE, what? And how?

2. At another server (opensuse with bind 9.6) I modified the named.conf file as above and then performed the query:

       dig +multiline +cd +dnssec dlv.isc.org dnskey @localhost

   The answer was:

       ; <<>> DiG 9.6.1-P3 <<>> +multiline +cd +dnssec dlv.isc.org dnskey @localhost
       ;; global options: +cmd
       ;; Got answer:
       ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16333
       ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
       ;; OPT PSEUDOSECTION:
       ; EDNS: version: 0, flags: do; udp: 4096
       ;; QUESTION SECTION:
       ;dlv.isc.org. IN DNSKEY

   So, the specific server is DNSSEC aware and I will not face any issues with the root zones signing at 01/07/2010. Correct?

Thank you.
Re: Bind9 logging options
No! Log files are not indicating any issue! The only indication I have about the problem is the lack of queries in the log files. No timeouts, no failures. I even tried to query a fake domain. The result was a normal record (with A+). I did not find any error! So, how on earth do I log them?

On Tue 18 of May 2010 10:58:53 Matus UHLAR - fantomas wrote:
> On 17.05.10 13:38, Techi wrote:
> > I have a problem in my recursive DNS servers (Bind 9, on RHEL 5).
> > Installed package on my system is the latest bind-9.3.6-4.P1.el5_4.2 from
> > Red Hat. My problem is that sometimes, queries fail with timeouts
> > and that one of my 2 DNS servers (the one set as primary in my users)
> > has 3 times more failed queries than the secondary, while the successful
> > queries are almost the same. I am almost sure that the problem is
> > network related (hardware or software), but I need a proof for that. Is
> > there any way to log the timed-out queries in a log file?
>
> and there is nothing in the bind log files?
Re: Bind9 logging options
The DNS Servers are authoritative. I have more than 100 users for them, and the number of queries performed per minute is very high due to the nature of our organization. Moreover, I do not have a specific time window in which the timeouts occur, so it is impossible to run it 24/7!

From your answer I conclude that there is no such option, correct?

On Mon 17 of May 2010 16:09:46 you wrote:
> Are the timed out queries recursive or authoritative?
>
> I'd suggest tcpdump running on both the BIND servers and the client, so
> you can match send/receive and show missed packets directly.
>
> Cheers,
>
> Todd.
>
> -----Original Message-----
> From: bind-users-bounces+tsnyder=rim@lists.isc.org
> [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Techi
> Sent: Monday, May 17, 2010 6:39 AM
> To: bind-users@lists.isc.org
> Subject: Bind9 logging options
>
> Hallo,
> I have a problem in my recursive DNS servers (Bind 9, on RHEL 5). Installed
> package on my system is the latest bind-9.3.6-4.P1.el5_4.2 from Red Hat. My
> problem is that sometimes, queries fail with timeouts and that one
> of my 2 DNS servers (the one set as primary in my users) has 3 times more failed
> queries than the secondary, while the successful queries are almost the same.
> I am almost sure that the problem is network related (hardware or software),
> but I need a proof for that. Is there any way to log the timed-out queries in
> a log file?
>
> Thank you
> Techi
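Todd's tcpdump suggestion above, worked through as an added example that is not code from this thread: a small Python script that pairs each DNS query with its response by client socket and transaction id in a tcpdump-style capture, reports the round-trip latency of the answered ones, and lists the queries that never got an answer. The capture lines are constructed for illustration, and `find_unanswered` and its `timeout` parameter are names assumed here.

```python
import re
from datetime import datetime

# Constructed sample capture in tcpdump's DNS summary style (not a real trace):
# query lines carry "ID+ TYPE? name.", response lines carry "ID ans/auth/add".
SAMPLE_CAPTURE = """\
10:58:53.000100 IP 192.0.2.10.41234 > 192.0.2.53.53: 17412+ A? example.com. (29)
10:58:53.002300 IP 192.0.2.53.53 > 192.0.2.10.41234: 17412 1/0/0 A 192.0.2.80 (45)
10:58:53.100000 IP 192.0.2.11.53001 > 192.0.2.53.53: 4021+ MX? example.org. (29)
10:58:54.250000 IP 192.0.2.10.41235 > 192.0.2.53.53: 17413+ AAAA? example.net. (29)
10:58:57.900000 IP 192.0.2.53.53 > 192.0.2.10.41235: 17413 0/1/0 (80)
10:58:58.000000 IP 192.0.2.12.40000 > 192.0.2.53.53: 9001+ A? missing.example. (32)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)(?P<flags>[+*$%|-]*) (?P<rest>.*)$"
)
QUERY_RE = re.compile(r"(\S+)\? (\S+)")  # "TYPE? name." marks a query line


def find_unanswered(capture, timeout=2.0):
    """Pair queries with responses keyed on (client socket, DNS id).

    Returns (answered, unanswered): answered maps the key to round-trip
    latency in seconds; unanswered lists (key, qname) for queries still
    pending at least `timeout` seconds before the capture ended, so a
    query cut off by the end of the capture is not counted as lost.
    """
    pending = {}   # (client, dns_id) -> (query_time, qname)
    answered = {}  # (client, dns_id) -> latency in seconds
    last_seen = None
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        last_seen = t
        q = QUERY_RE.match(m["rest"])
        if q:   # query: client -> server, so the client is the source
            pending[(m["src"], m["id"])] = (t, q.group(2))
        else:   # response: server -> client, so the client is the destination
            sent = pending.pop((m["dst"], m["id"]), None)
            if sent is not None:
                answered[(m["dst"], m["id"])] = (t - sent[0]).total_seconds()
    unanswered = [
        (key, qname) for key, (t0, qname) in pending.items()
        if last_seen is not None and (last_seen - t0).total_seconds() >= timeout
    ]
    return answered, unanswered
```

Run the same pairing over captures taken on the server and on the client: a query present in the client capture but missing from the server capture, or answered on the server but unanswered at the client, points at the path between them rather than at named.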
Bind9 logging options
Hallo,
I have a problem in my recursive DNS servers (Bind 9, on RHEL 5). Installed package on my system is the latest bind-9.3.6-4.P1.el5_4.2 from Red Hat. My problem is that sometimes, queries fail with timeouts and that one of my 2 DNS servers (the one set as primary in my users) has 3 times more failed queries than the secondary, while the successful queries are almost the same. I am almost sure that the problem is network related (hardware or software), but I need a proof for that. Is there any way to log the timed-out queries in a log file?

Thank you
Techi