Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-29 Thread Bernt Hansson

On 2013-09-28 09:37, loran42o wrote:

On 28.09.2013 00:08, Terje Elde wrote:

On 28. sep. 2013, at 00:03, Frank Leonhardt fra...@fjl.co.uk wrote:


If I understand the way it works correctly, the resolver pulls a list of the NS 
and hard-sets the port number for each to 53 (via a manifest constant) . See 
libc/resolv/res_init.c. All you need to do(!) is change this to a value of your 
choice and recompile libc


Sorry, but this is starting to look a lot like a complicated solution to a 
problem that isn't really there...

Why not just point from resolv.conf to localhost, run a caching and/or 
recursive dns-server there, and point it wherever?

As far as I can tell, that'd solve everything, add caching, and let it all be 
controlled from the config of the DNS-server?

Terje


Hi,
I guess this is the way that'll end.

Laurent SALIN



You'll need to set up your bind.conf:

zone "fqdn" IN {
        type forward;
        forward first;              /* ask the forwarder before resolving yourself */
        forwarders {
                127.0.0.1 port 530; /* the resolver on the non-standard port */
        };
};
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-29 Thread Laurent SALIN
Hi,
for the list archive, here's how I solved my problem.
Some on the thread told me to run BIND on the 1st VPS, as authoritative
DNS server and as caching resolver that lets only hosts from my network
send it queries.

Well, I'm quite happy with my setup with NSD as authoritative DNS and
UNBOUND as caching resolver, so I don't really want to change them for
BIND, but I'd do it if this is the only way.

I decided to focus on the 2nd VPS, the one that can't send queries
directly to tcp/udp 5353. I configured UNBOUND to forward all queries to
my 1st VPS with a few dedicated lines in
/usr/local/etc/unbound/unbound.conf:

...snip...

forward-zone:
    name: "."                         # forward everything
    forward-addr: public_ip_v4@5353   # forward to port 5353
    forward-first: yes

and modified my /etc/resolv.conf to have only localhost as nameserver.

The system footprint of UNBOUND is very small, so it's just fine for me.

Thanks all for the help.

Laurent SALIN


Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-28 Thread loran42o
On 28.09.2013 00:08, Terje Elde wrote:
 On 28. sep. 2013, at 00:03, Frank Leonhardt fra...@fjl.co.uk wrote:
 
 If I understand the way it works correctly, the resolver pulls a list of the 
 NS and hard-sets the port number for each to 53 (via a manifest constant) . 
 See libc/resolv/res_init.c. All you need to do(!) is change this to a value 
 of your choice and recompile libc
 
 Sorry, but this is starting to look a lot like a complicated solution to a 
 problem that isn't really there...
 
 Why not just point from resolv.conf to localhost, run a caching and/or 
 recursive dns-server there, and point it wherever?
 
 As far as I can tell, that'd solve everything, add caching, and let it all be 
 controlled from the config of the DNS-server?
 
 Terje

Hi,
I guess this is the way that'll end.

Laurent SALIN



Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-28 Thread loran42o
On 27.09.2013 23:31, jb wrote:
 Well, I hope I understand you.
 You use a DNS proxy server, like BIND or DNSMASQ.

Hi,
actually I use two daemons:
one to serve as an authoritative DNS server: nsd
the other one to serve as a recursive DNS resolver with caching: unbound

I can't set them both listening on the same tcp/udp 53 port, so I
configured unbound to listen on an unusual one.

My problem is, on my other FreeBSD box, I can't set an alternative port
for the nameserver in /etc/resolv.conf.

 With BIND you have options in /etc/named.conf:
 http://www.zytrax.com/books/dns/ch7/queries.html
 forward
 forwarders

If I can't use PF to solve this, maybe I'll have to take a look at BIND.
Thanks

Laurent SALIN


Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-28 Thread loran42o
On 28.09.2013 01:11, Frank Leonhardt wrote:
 It was more of an explanation as to /why/ it's not easy to do what was asked
 in the original reasonable-sounding question.

Hi,
Thanks for the explanation of how it works behind the scenes.
I don't think I'll compile and maintain my own libc just for DNS queries :-)

Laurent SALIN


Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-28 Thread Frank Leonhardt

On 28/09/2013 00:20, Michael Sierchio wrote:

On Fri, Sep 27, 2013 at 4:11 PM, Frank Leonhardt fra...@fjl.co.uk wrote:

On 27/09/2013 23:08, Terje Elde wrote:

On 28. sep. 2013, at 00:03, Frank Leonhardt fra...@fjl.co.uk wrote:


If I understand the way it works correctly, the resolver pulls a list of
the NS and hard-sets the port number for each to 53 (via a manifest
constant) . See libc/resolv/res_init.c. All you need to do(!) is change this
to a value of your choice and recompile libc

Sorry, but this is starting to look a lot like a complicated solution to a
problem that isn't really there...


It was more of an explanation as to /why/ it's not easy to do what was asked in
the original reasonable-sounding question.

Beg to differ.  The question isn't reasonable.  There's no point in
having a dns recursive resolver listening on a port other than the one
that clients will contact it on.

Far better to have the authoritative server listen on 127.53.0.1 and
use the routable address for the cache, which can forward requests for
the authoritative server when appropriate.


The original question was actually "I am wondering how I can send queries to 
a dns resolver listening on a different port than the normal 53 tcp/udp?"


Given that BIND can happily listen on ports other than 53 and OpenBSD 
allows a port to be specified against each nameserver in resolv.conf, it 
does not seem an unreasonable question to me. Read the rest of the post 
quoted selectively above for the full story.






Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-28 Thread Terje Elde
On 28. sep. 2013, at 15:50, Frank Leonhardt fra...@fjl.co.uk wrote:

 Given that BIND can happily listen on ports other than 53 and OpenBSD allows 
 a port to be specified against each nameserver in resolv.conf, it does not 
 seem an unreasonable question to me.

Just to avoid any misunderstanding... 

Not sure if I misunderstood what you're trying to do, but the way I recall it, 
you have two boxes, one running with one recursive and one authoritative 
nameserver, and you wanted a second box to query the recursive nameserver on the 
first box, which is running on another port than 53?

Given your setup, that's a valid question. 

It's getting down to patching the resolver I felt was a bit overkill, and a 
possible source of future pain. 

How to solve it is a perfectly valid question. 

Personally I'd just think it cleaner to solve it by running a caching resolver 
on the second host (on port 53), that could forward queries where you'd like, 
rather than patching or using firewall redirects. 

Terje


Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-28 Thread Laurent SALIN
On 28.09.2013 18:32, Terje Elde wrote:
 Not sure if I misunderstood what you're trying to do, but the way I recall 
 it, you have two boxes, one running with one recursive and one authoritative 
 nameserver, and you wanted a second box to query the recursive nameserver on 
 the first box, which is running on another port than 53?

You're just right.

 Given your setup, that's a valid question. 

that's why I submitted it to the FreeBSD-Questions list :-)

 It's getting down to patching the resolver I felt was a bit overkill, and a 
 possible source of future pain. 
 
 How to solve it is a perfectly valid question. 

I was hoping it would be possible to map the destination port with Packet
Filter from nameserver:53 to nameserver:5353, for example.

 Personally I'd just think it cleaner to solve it by running a caching 
 resolver on the second host (on port 53), that could forward queries where 
 you'd like, rather than patching or using firewall redirects. 

I guess that's how I'll fix my problem

Thanks,
Laurent SALIN



Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-28 Thread Mike.

On 9/28/2013 at 7:16 PM Laurent SALIN wrote:

| On 28.09.2013 18:32, Terje Elde wrote:
| Not sure if I misunderstood what you're trying to do, but the way I
| recall it, you have two boxes, one running with one recursive and one
| authoritative nameserver, and you wanted a second box to query the
| recursive nameserver on the first box, which is running on another port
| than 53?


The way I solved this problem on my setup, I assigned another IP
address to the network interface via ifconfig alias.

I put the authoritative nameserver on one IP address, and the
recursive nameserver on the other IP address.

They both are still listening on port 53, but on different IP
addresses.





Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-28 Thread Laurent SALIN
On 28.09.2013 21:28, Mike. wrote:
 The way I solved this problem on my setup, I assigned another IP
 address to the network interface via ifconfig alias.
 
 I put the authoritative nameserver on one IP address, and the
 recursive nameserver on the other IP address.
 
 They both are still listening on port 53, but on different IP
 addresses.

Hi,
if I could, it would be just fine.
I got only one public IPv4 with each VPS. I've got an IPv6 too but I'm
not at ease with IPv6 yet.

The provider (Tilaa) where I rent one of the 2 VPS, the one that may need
2 IPv4, is a bit short on its range of IPv4, and I guess it's not
reasonable to ask for a second IPv4 just for my personal use, for
studying *BSD and networking stuff; I don't have a professional use here.

Thanks.

Laurent SALIN


Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-28 Thread Busarow Dan
On Sep 28, 2013, at 2:24 PM, Laurent SALIN salin.laur...@laposte.net wrote:

 On 28.09.2013 21:28, Mike. wrote:
 The way I solved this problem on my setup, I assigned another IP
 address to the network interface via ifconfig alias.
 
 I put the authoritative nameserver on one IP address, and the
 recursive nameserver on the other IP address.
 
 They both are still listening on port 53, but on different IP
 addresses.
 
 Hi,
 if I could, it would be just fine.
 I got only one public IPv4 with each VPS. I've got an IPv6 too but I'm
 not at ease with IPv6 yet.
 
 The provider (Tilaa) where I rent one of the 2 VPS, the one that may need
 2 IPv4, is a bit short on its range of IPv4, and I guess it's not
 reasonable to ask for a second IPv4 just for my personal use, for
 studying *BSD and networking stuff; I don't have a professional use here.

You only need to run one name server.  It is both authoritative and recursive 
by default.  To limit recursion to only your own IP address space add the 
following option in named.conf


options {
        allow-recursion {
                192.168.1.0/24;   /* your own address space */
                127.0.0.1;        /* localhost */
        };
};

Change the address space to suit.  Make sure you include localhost.

And after an rndc reload only your internal network will be able to make 
recursive requests.

Dan



 
 Thanks.
 
 Laurent SALIN
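An added example, not code from the thread, from unbound or from BIND: a small Python probe that sends a DNS query to an arbitrary host and port, which is exactly what the libc resolver cannot do, and reads the RA flag and RCODE from the reply. It serves two checks raised above: from the second VPS, probe('public_ip_v4', 5353) should report "recursive" once Laurent's forward-zone is in place, and from any other host the same query should come back "refused" once recursion is restricted as in Dan's allow-recursion block (unbound's equivalent is its access-control: directive). The host name public_ip_v4 is the placeholder from Laurent's config, example.com is just a query name, and the reply bytes in the usage note below are constructed test vectors, not captures.

```python
import random
import socket
import struct

# RCODE names from RFC 1035 section 4.1.1.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted hostname as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"          # the root label terminates the name


def build_query(name, qtype=1, txid=None, rd=True):
    """Build a one-question DNS query; rd=True sets the RD bit (ask for recursion)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100 if rd else 0x0000          # QR=0, OPCODE=0, RD is bit 8
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def parse_header(msg):
    """Decode the 12-octet DNS header fields this probe cares about."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
        "ancount": ancount,
    }


def classify(query, response):
    """Say what the reply tells us about the server, seen from this client."""
    q = parse_header(query)
    r = parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "mismatch"           # not a reply to our query: drop it
    if r["rcode"] == "REFUSED":
        return "refused"            # server will not recurse for this client
    if r["ra"]:
        return "recursive"          # RA set: seen from an outside host, an open resolver
    return "authoritative-only"     # RA clear: answers only for zones it holds


def probe(host, port=53, name="example.com.", timeout=3.0):
    """Send one UDP query to host:port and classify the reply."""
    query = build_query(name)
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, port))
        try:
            response, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return "no-answer"      # filtered, or no daemon on that port
    return classify(query, response)


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 53
    print("%s:%d -> %s" % (target, target_port, probe(target, target_port)))
```

Run it as "python3 dnsprobe.py public_ip_v4 5353" from the second VPS and again from an unrelated host. Probe the first VPS directly rather than through the localhost forwarder: with forward-first: yes the local unbound falls back to full recursion when the forwarder refuses or times out, which would mask a misconfigured access list. The probe is UDP only, does not retry over TCP on truncation, and the 16-bit transaction ID is only enough to filter obviously unrelated replies, not to defeat spoofing.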


How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-27 Thread Laurent SALIN
Hello,
I am wondering how I can send queries to a DNS resolver listening on a
different port than the normal tcp/udp 53?

The situation:
I've got a VPS running NSD as an authoritative nameserver, listening
on tcp/udp 53, and unbound as a personal resolver, listening on a
different tcp/udp port. It works very well on its own or with my OpenBSD
gateway at home as DNS cache.

Recently I've got a new FreeBSD VPS and I want to use the first VPS as
DNS nameserver for the second VPS, but FreeBSD is unable to send queries
to a nameserver on a different port than the normal one (tcp/udp 53).

I've got a bad solution: use unbound on the second VPS and maybe tell
it to ask the 1st VPS on the unusual tcp/udp port, but I wonder
whether it is possible with Packet Filter to change the destination port of
the queries forwarded to my 1st VPS from tcp/udp 53 to tcp/udp 5353, for
example?

Or maybe anybody has got another solution?

I hope you'll understand me :-/

Laurent SALIN


Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-27 Thread Mark Felder
On Fri, Sep 27, 2013, at 13:20, Laurent SALIN wrote:
 Hello,
 I am wondering how I can send queries to a DNS resolver listening on a
 different port than the normal tcp/udp 53?
 
 The situation:
 I've got a VPS running NSD as an authoritative nameserver, listening
 on tcp/udp 53, and unbound as a personal resolver, listening on a
 different tcp/udp port. It works very well on its own or with my OpenBSD
 gateway at home as DNS cache.
 

Is there any way to use multiple IPs?


Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-27 Thread Terje Elde
On 27. sep. 2013, at 20:20, Laurent SALIN salin.laur...@laposte.net wrote:

 I've got a bad solution: use unbound on the second VPS and maybe tell
 it to ask the 1st VPS on the unusual tcp/udp port

Why is that a bad solution?

You'd cache locally, which is often considered a good thing?

Granted, it's a bit of a weird setup, but still. 

Terje


Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-27 Thread loran42o

Is there any way to use multiple IPs?


Hi,
no I can't. Each VPS has got only one IPv4 and I'm really not aware yet 
of how IPv6 works.


Laurent SALIN


Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-27 Thread loran42o

On 27/09/2013 22:28, Terje Elde wrote:

Why is that a bad solution?

You'd cache locally, which is often considered a good thing?

Granted, it's a bit of a weird setup, but still.


I hoped it could be as easy as putting the IP of my resolver VPS in 
/etc/resolv.conf and letting PF translate the destination port.


Does anybody know why in FreeBSD we can't set an alternative port in 
/etc/resolv.conf as in the OpenBSD one? (for my knowledge :-)


Laurent SALIN


Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-27 Thread jb
Laurent SALIN salin.laurent at laposte.net writes:

 
 Hello,
 I am wondering how I can send queries to a DNS resolver listening on a
 different port than the normal tcp/udp 53?
 
 The situation:
 I've got a VPS running NSD as an authoritative nameserver, listening
 on tcp/udp 53, and unbound as a personal resolver, listening on a
 different tcp/udp port. It works very well on its own or with my OpenBSD
 gateway at home as DNS cache.
 
 Recently I've got a new FreeBSD VPS and I want to use the first VPS as
 DNS nameserver for the second VPS, but FreeBSD is unable to send queries
 to a nameserver on a different port than the normal one (tcp/udp 53).
 
 I've got a bad solution: use unbound on the second VPS and maybe tell
 it to ask the 1st VPS on the unusual tcp/udp port, but I wonder
 whether it is possible with Packet Filter to change the destination port of
 the queries forwarded to my 1st VPS from tcp/udp 53 to tcp/udp 5353, for
 example?
 
 Or maybe anybody has got another solution?
 
 I hope you'll understand me :-/
 
 Laurent SALIN

Well, I hope I understand you.
You use a DNS proxy server, like BIND or DNSMASQ.

With BIND you have options in /etc/named.conf:
http://www.zytrax.com/books/dns/ch7/queries.html
forward
forwarders

I do not know how DNSMASQ configures it, if at all - you would have to
download original package with full documentation.

jb


Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-27 Thread Frank Leonhardt

On 27/09/2013 19:20, Laurent SALIN wrote:

Hello,
I am wondering how I can send queries to a DNS resolver listening on a
different port than the normal tcp/udp 53?

The situation:
I've got a VPS running NSD as an authoritative nameserver, listening
on tcp/udp 53, and unbound as a personal resolver, listening on a
different tcp/udp port. It works very well on its own or with my OpenBSD
gateway at home as DNS cache.

Recently I've got a new FreeBSD VPS and I want to use the first VPS as
DNS nameserver for the second VPS, but FreeBSD is unable to send queries
to a nameserver on a different port than the normal one (tcp/udp 53).

I've got a bad solution: use unbound on the second VPS and maybe tell
it to ask the 1st VPS on the unusual tcp/udp port, but I wonder
whether it is possible with Packet Filter to change the destination port of
the queries forwarded to my 1st VPS from tcp/udp 53 to tcp/udp 5353, for
example?

Or maybe anybody has got another solution?

I hope you'll understand me :-/

Laurent SALIN



If I understand the way it works correctly, the resolver pulls a list of 
the NS and hard-sets the port number for each to 53 (via a manifest 
constant) . See libc/resolv/res_init.c. All you need to do(!) is change 
this to a value of your choice and recompile libc (and anything that 
links to it statically) and it should be sorted. Or find an easier 
work-around.  I don't see any reason why the resolver library can't be 
modified to pick up a range of port numbers from the config (as other 
systems have), but AFAIK it can't.


The resolver isn't part of the kernel - it's the application doing the 
lookup, not FreeBSD (except in libc being part of the base system). Oh 
you know what I mean! Each application makes its own lookup.


I could be spectacularly out-of-date with this.

Regards, Frank.



Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-27 Thread Terje Elde
On 28. sep. 2013, at 00:03, Frank Leonhardt fra...@fjl.co.uk wrote:

 If I understand the way it works correctly, the resolver pulls a list of the 
 NS and hard-sets the port number for each to 53 (via a manifest constant) . 
 See libc/resolv/res_init.c. All you need to do(!) is change this to a value 
 of your choice and recompile libc

Sorry, but this is starting to look a lot like a complicated solution to a 
problem that isn't really there...

Why not just point from resolv.conf to localhost, run a caching and/or 
recursive dns-server there, and point it wherever?

As far as I can tell, that'd solve everything, add caching, and let it all be 
controlled from the config of the DNS-server?

Terje



Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-27 Thread Frank Leonhardt

On 27/09/2013 23:08, Terje Elde wrote:

On 28. sep. 2013, at 00:03, Frank Leonhardt fra...@fjl.co.uk wrote:


If I understand the way it works correctly, the resolver pulls a list of the NS 
and hard-sets the port number for each to 53 (via a manifest constant) . See 
libc/resolv/res_init.c. All you need to do(!) is change this to a value of your 
choice and recompile libc

Sorry, but this is starting to look a lot like a complicated solution to a 
problem that isn't really there...

It was more of an explanation as to /why/ it's not easy to do what was asked 
in the original reasonable-sounding question.




Re: How to ask a DNS resolver listening on a different port than the tcp/udp 53

2013-09-27 Thread Michael Sierchio
On Fri, Sep 27, 2013 at 4:11 PM, Frank Leonhardt fra...@fjl.co.uk wrote:
 On 27/09/2013 23:08, Terje Elde wrote:

 On 28. sep. 2013, at 00:03, Frank Leonhardt fra...@fjl.co.uk wrote:

 If I understand the way it works correctly, the resolver pulls a list of
 the NS and hard-sets the port number for each to 53 (via a manifest
 constant) . See libc/resolv/res_init.c. All you need to do(!) is change this
 to a value of your choice and recompile libc

 Sorry, but this is starting to look a lot like a complicated solution to a
 problem that isn't really there...

 It was more of an explanation as to /why/ it's not easy to do what was asked in
 the original reasonable-sounding question.

Beg to differ.  The question isn't reasonable.  There's no point in
having a dns recursive resolver listening on a port other than the one
that clients will contact it on.

Far better to have the authoritative server listen on 127.53.0.1 and
use the routable address for the cache, which can forward requests for
the authoritative server when appropriate.

- M


DNS Proxy

2013-09-14 Thread Monah Baki
Hi all,


I'm running FreeBSD 9.2 with squid for a friend who owns an ISP outside the
U.S. and uses my FreeBSD squid proxy to access Netflix. I've been told this
can also be accomplished via a DNS proxy. Is it true?

If yes which one do you recommend?


Thanks


Re: System Calls that do DNS

2013-06-06 Thread Doug Hardie

On 3 June 2013, at 22:21, Doug Hardie bc...@lafn.org wrote:

 
 On 3 June 2013, at 20:39, staticsafe m...@staticsafe.ca wrote:
 
 On Mon, Jun 03, 2013 at 07:57:07PM -0700, Doug Hardie wrote:
 I have an unusual situation.  A program is doing a DNS lookup and often the 
 IP address has no reverse DNS entries.  As a result the program hangs for 
 several timeouts.  The call is not being made directly in its code, but is 
 occurring in a system call.  There are no specific calls to DNS, it's 
 something else doing it.  I have been trying to track down which system 
 call is doing it, but without success so far.  I have tried syslog calls 
 around each of the system calls I thought might be the culprit, but my 
 guessing is not very good.  How can I identify the system call that is 
 calling DNS?  If I can find it, I hopefully can find another way to do 
 whatever it does that does not involve a reverse DNS lookup.
 
 
 
 Use truss:
 http://www.freebsd.org/cgi/man.cgi?query=truss
 
 The truss utility traces the system calls called by the specified
 process or program.
 -- 
 staticsafe
 O ascii ribbon campaign - stop html mail - www.asciiribbon.org
 Please don't top post - http://goo.gl/YrmAb
 Don't CC me! I'm subscribed to whatever list I just posted on.
 
 
 Unfortunately truss does not show anything more than ktrace.  I know what is 
 going out on the internet connection.  It's a plain old reverse DNS request.  
 The question is what library module (probably not a system call now that I 
 think about it) is making that request.  Interestingly enough, adding the IP 
 address with a dummy name in /etc/hosts causes the reverse request to succeed 
 and there are no time delays.  So whatever module it is, is not using bind.  
 Bind doesn't check the hosts files as far as I can tell.

After considering all the advice I received, the method I found that worked was 
to start the process and when it entered the reverse DNS timeout, quickly find 
the process ID and do a gdb on that process.  Then a where command showed the 
entire stack which included all the module calls.  I had to rebuild the process 
with debugging first.

The IPv6 API when getting the client information will also do a reverse DNS 
lookup unless you specifically tell it not to do so.  Changing that eliminated 
the lookup and the timeouts.

Thanks to all.

-- Doug
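An added example, not from the thread. Doug does not name the call, so it is an assumption here that the "IPv6 API" is getnameinfo(3): by default it issues a PTR query for the address it is asked to print and blocks until the resolver gives up when there is no reverse entry. Python's socket.getnameinfo wraps the same libc call with the same flags, so the fix is shown in Python: pass NI_NUMERICHOST (and NI_NUMERICSERV) and no query leaves the box. reverse_name gives the PTR owner name the default lookup would ask for, which is what to look for in tcpdump or ktrace output when hunting a hang like this one, or what to put in /etc/hosts as the stop-gap the thread found worked. The addresses are documentation addresses (192.0.2.0/24, 2001:db8::/32) chosen for the example.

```python
import ipaddress
import socket

# With these flags getnameinfo(3) returns literals only: no PTR query and no
# services(5) lookup, so the call can never block on a resolver timeout.
NUMERIC = socket.NI_NUMERICHOST | socket.NI_NUMERICSERV


def peer_string(sockaddr, numeric=True):
    """Render a peer address for a log line.

    numeric=True (the fix) formats the address literally.  numeric=False is
    the default getnameinfo behaviour from the thread: a PTR query is sent,
    and when the address has no reverse entry the caller waits out the
    resolver's timeouts before getting the address back anyway.
    """
    flags = NUMERIC if numeric else socket.NI_NUMERICSERV
    host, port = socket.getnameinfo(sockaddr, flags)
    if ":" in host:                 # bracket IPv6 literals so the port is unambiguous
        host = "[%s]" % host
    return "%s:%s" % (host, port)


def reverse_name(ip):
    """Owner name of the PTR record a non-numeric lookup would query.

    Example: 192.0.2.1 -> 1.2.0.192.in-addr.arpa.  Grep for this name in a
    packet capture to confirm which process is doing the lookup.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def log_connection(conn):
    """What an accept() loop should do: record the peer without resolving it."""
    return "connection from %s" % peer_string(conn.getpeername(), numeric=True)


if __name__ == "__main__":
    # Demo on loopback only; nothing leaves the host.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        print(peer_string(s.getsockname()))
    print(reverse_name("192.0.2.1"))
    print(reverse_name("2001:db8::1"))
```

The same flags exist in C: getnameinfo(sa, salen, host, sizeof host, serv, sizeof serv, NI_NUMERICHOST | NI_NUMERICSERV), or simply inet_ntop(3) when only the address is wanted. Whatever the language, the numeric form is the one to log: a PTR record is set by whoever controls the reverse zone, so a resolved name in a log is untrusted input, not an identity.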


Re: System Calls that do DNS

2013-06-05 Thread Mark Felder

On Mon, 03 Jun 2013 21:57:07 -0500, Doug Hardie bc...@lafn.org wrote:

I have an unusual situation.  A program is doing a DNS lookup and often  
the IP address has no reverse DNS entries.  As a result the program  
hangs for several timeouts.  The call is not being made directly in its  
code, but is occurring in a system call.  There are no specific calls to  
DNS, it's something else doing it.  I have been trying to track down  
which system call is doing it, but without success so far.  I have tried  
syslog calls around each of the system calls I thought might be the  
culprit, but my guessing is not very good.  How can I identify the  
system call that is calling DNS?  If I can find it, I hopefully can find  
another way to do whatever it does that does not involve a reverse DNS  
lookup.





The system DNS lookups are handled by libc. Probably somewhere in the code  
here:


http://svnweb.freebsd.org/base/head/lib/libc/nameser/


Re: System Calls that do DNS

2013-06-04 Thread Waitman Gobble
On Jun 3, 2013 10:22 PM, Doug Hardie bc...@lafn.org wrote:


 On 3 June 2013, at 20:39, staticsafe m...@staticsafe.ca wrote:

  On Mon, Jun 03, 2013 at 07:57:07PM -0700, Doug Hardie wrote:
  I have an unusual situation.  A program is doing a DNS lookup and
often the IP address has no reverse DNS entries.  As a result the program
hangs for several timeouts.  The call is not being made directly in its
code, but is occurring in a system call.  There are no specific calls to
DNS, it's something else doing it.  I have been trying to track down which
system call is doing it, but without success so far.  I have tried syslog
calls around each of the system calls I thought might be the culprit, but
my guessing is not very good.  How can I identify the system call that is
calling DNS?  If I can find it, I hopefully can find another way to do
whatever it does that does not involve a reverse DNS lookup.
 
 
 
  Use truss:
  http://www.freebsd.org/cgi/man.cgi?query=truss
 
  The truss utility traces the system calls called by the specified
  process or program.
  --
  staticsafe
  O ascii ribbon campaign - stop html mail - www.asciiribbon.org
  Please don't top post - http://goo.gl/YrmAb
  Don't CC me! I'm subscribed to whatever list I just posted on.
 

 Unfortunately truss does not show anything more than ktrace.  I know what
 is going out on the internet connection.  It's a plain old reverse DNS
request.  The question is what library module (probably not a system call
now that I think about it) is making that request.  Interestingly enough,
adding the IP address with a dummy name in /etc/hosts causes the reverse
request to succeed and there are no time delays.  So whatever module it is,
is not using bind.  Bind doesn't check the hosts files as far as I can tell.

Maybe try ldd and see if it is linked to a library like c-ares? Or try
running it in gdb to see what's going on? Some ideas.

Waitman Gobble
San Jose California USA


Re: System Calls that do DNS

2013-06-04 Thread Adam Vande More
On Tue, Jun 4, 2013 at 12:21 AM, Doug Hardie bc...@lafn.org wrote:
 Unfortunately truss does not show anything more than ktrace.

Normally most people use truss first, then fall back to ktrace ;)

 Bind doesn't check the hosts files as far as I can tell.

System requests obey nsswitch.conf(5)

--
Adam Vande More


Re: System Calls that do DNS

2013-06-04 Thread Enno Davids
See if whois can tell you who owns the block the IP is in. That may give
you some insight into what is asking for the reverse.

E.


Re: System Calls that do DNS

2013-06-04 Thread Doug Hardie

On 4 June 2013, at 22:19, Enno Davids e...@metva.com wrote:

 See if whois can tell you who owns the block the IP is in. That may give
 you some insight into what is asking for the reverse.

It's AT&T.  It's probably at least a state's worth of DSL addresses.  I am 
physically at one of them for a couple more days.  After that I have no way to 
test this.


System Calls that do DNS

2013-06-03 Thread Doug Hardie
I have an unusual situation.  A program is doing a DNS lookup and often the IP 
address has no reverse DNS entries.  As a result the program hangs for several 
timeouts.  The call is not being made directly in its code, but is occurring in 
a system call.  There are no specific calls to DNS; it's something else doing 
it.  I have been trying to track down which system call is doing it, but 
without success so far.  I have tried syslog calls around each of the system 
calls I thought might be the culprit, but my guessing is not very good.  How 
can I identify the system call that is calling DNS?  If I can find it, I 
hopefully can find another way to do whatever it does that does not involve a 
reverse DNS lookup.


Re: System Calls that do DNS

2013-06-03 Thread staticsafe
Use truss:
http://www.freebsd.org/cgi/man.cgi?query=truss

The truss utility traces the system calls called by the specified
process or program.
-- 
staticsafe
O ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post - http://goo.gl/YrmAb
Don't CC me! I'm subscribed to whatever list I just posted on.


Re: System Calls that do DNS

2013-06-03 Thread Doug Hardie

Unfortunately truss does not show anything more than ktrace.  I know what is 
going out on the internet connection.  It's a plain old reverse DNS request.  
The question is what library module (probably not a system call now that I 
think about it) is making that request.  Interestingly enough, adding the IP 
address with a dummy name in /etc/hosts causes the reverse request to succeed 
and there are no time delays.  So whatever module it is, is not using bind.  
Bind doesn't check the hosts files as far as I can tell.


RE: Problems with IPFW causing failed DNS and FTP sessions

2013-04-01 Thread Don O'Neil
Well I tried changing them to various numbers up to 180 from 1 and 5
respectively and that didn't help.

Anyone else get around all this DNS mess with timeouts? It's causing my mail
server to throw errors ("host lookup did not complete") and not deliver mail.

-Original Message-
From: owner-freebsd-questi...@freebsd.org
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Michael Sierchio
Sent: Sunday, March 31, 2013 10:04 PM
To: Don O'Neil
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with IPFW causing failed DNS and FTP sessions

net.inet.ip.fw.dyn_short_lifetime ?
net.inet.ip.fw.dyn_udp_lifetime ?

You might want to increase these, given the current state of things...


Re: Problems with IPFW causing failed DNS and FTP sessions

2013-04-01 Thread Michael Sierchio
Okay, what's your DNS setup?  Are you running a recursive cache that
contacts the root servers directly?  Using your ISP's servers?  Etc.

As a mitigation step, I tried pointing my caches to 8.8.8.8 and
8.8.4.4. - but it turns out that Google is intentionally blocking
(returning NX responses to) many netblocks right now because they
contain hosts known to be part of the botnet in the DDOS DNS
amplification attack.

I'm mirroring the root zone everywhere I have a cache, and it's helping.


RE: Problems with IPFW causing failed DNS and FTP sessions

2013-04-01 Thread Don O'Neil
My DNS config is pretty generic. I did try putting in the options to stop
recursive lookups, but all that did was cause even more failures (permission
denied lookups, etc...), so I removed that.

Here's my basic config;

options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

};

zone "." {
        type hint;
        file "named.root";
};

I'm not sure the problem is specific to named, but something more systemic
with IPFW. Like I said, FTP sessions are timing out as well, and when I
turn off IPFW that fixes that problem too.

Is there any way to monitor what IPFW is dropping, by some sort of counters
rather than logging everything, and see what's going on internally to IPFW?

Thanks!



Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Don O'Neil
Hi everyone. Recently my server started having issues with DNS and FTP
sessions either not resolving or timing out. I've tracked the issue down to
IPFW. If I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go away.

I have the basic rules like this for DNS:

01160 allow udp from any to any dst-port 53 in keep-state
01161 allow tcp from any to any dst-port 53 in keep-state
01162 allow udp from any to any dst-port 53 out keep-state
01163 allow tcp from any to any dst-port 53 out keep-state

When I try an nslookup sometimes they fail, sometimes they get through, even
if I change my DNS server to Google, my ISP, or even OpenDNS. The firewall
seems to be causing the issue.

I have about 65 rules in all.

Any ideas what could be causing this? My server load is low, usually
hovering around .2.

How can I look at the actual amount of traffic that the IPFW module is
processing and track down potential performance issues? My server isn't
pushing much data, only around 4-5 Mbps sustained.

Thanks!


Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Sierchio
It would be really helpful if you'd post the ruleset.

At first glance, your stateful rules seem rather wrong, unless there's
a check-state above.  Also, in and out aren't discriminating enough -
every packet is seen by the ruleset more than once.  You should think
in terms of interfaces, direction, etc.

Are you doing NAT?  Stateful rules with NAT are indeed possible, but subtle.

Your problem has nothing to do with server load, and probably
everything to do with not-terribly-well-conceived ruleset.  Please
post yours here.

- M



RE: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Don O'Neil
Thanks for the response... here's my full ruleset:

# ipfw list
00100 check-state
00101 allow tcp from any to any established
00102 allow ip from any to any out keep-state
00103 allow icmp from any to any
00201 allow ip from any to any via lo0
00202 allow ip from any to 127.0.0.0/8
00203 allow ip from 127.0.0.0/8 to any
00204 deny tcp from any to any frag
00301 deny log logamount 50 ip from any to any ipoptions rr
00302 deny log logamount 50 ip from any to any ipoptions ts
00303 deny log logamount 50 ip from any to any ipoptions lsrr
00304 deny log logamount 50 ip from any to any ipoptions ssrr
00305 deny log logamount 50 tcp from any to any tcpflags syn,fin
00306 deny log logamount 50 tcp from any to any tcpflags syn,rst
01110 allow tcp from any to any dst-port 20 in
0 allow tcp from any to any dst-port 20 out
01112 allow tcp from any to any dst-port 21 in
01113 allow tcp from any to any dst-port 21 out
01114 allow tcp from any to any dst-port 990 in
01115 allow tcp from any to any dst-port 990 out
01116 allow udp from any to any dst-port 990 in
01117 allow udp from any to any dst-port 990 out
01118 allow tcp from any to any dst-port 989 in
01119 allow tcp from any to any dst-port 989 out
01120 allow udp from any to any dst-port 989 in
01121 allow udp from any to any dst-port 989 out
01122 allow tcp from any to any dst-port 1024-65000 keep-state
01125 allow tcp from any to any dst-port 22 in
01126 allow tcp from any to any dst-port 22 out
01130 allow tcp from any to any dst-port 25 in
01131 allow tcp from any to any dst-port 25 out
01132 allow tcp from any to any dst-port 587 in
01133 allow tcp from any to any dst-port 587 out
01134 allow tcp from any to any dst-port 2525 in
01135 allow tcp from any to any dst-port 2525 out
01140 allow tcp from any to any dst-port 110 in
01141 allow tcp from any to any dst-port 110 out
01142 allow tcp from any to any dst-port 995 in
01143 allow tcp from any to any dst-port 995 out
01144 allow tcp from any to any dst-port 2110 in
01145 allow tcp from any to any dst-port 2110 out
01150 allow tcp from any to any dst-port 143 in
01151 allow tcp from any to any dst-port 143 out
01152 allow tcp from any to any dst-port 993 in
01153 allow tcp from any to any dst-port 993 out
01160 allow udp from any to any dst-port 53 in keep-state
01161 allow tcp from any to any dst-port 53 in keep-state
01162 allow udp from any to any dst-port 53 out keep-state
01163 allow tcp from any to any dst-port 53 out keep-state
01170 allow tcp from any to any dst-port 80 in
01171 allow tcp from any to any dst-port 80 out
01172 allow tcp from any to any dst-port 443 in
01172 allow tcp from any to any dst-port 443 out
01180 allow tcp from any to any dst-port  in
01181 allow tcp from any to any dst-port  out
65535 deny ip from any to any


I've tried these rules;

01160 allow udp from any to any dst-port 53 in 
01161 allow tcp from any to any dst-port 53 in 
01162 allow udp from any to any dst-port 53 out
01163 allow tcp from any to any dst-port 53 out

Without the keep-state option, and the problem is still persisting...

The weird thing is that I've run these rules for a number of years without
any issues until just recently. I've checked my interface stats to make sure
there aren't a bunch of fragmented packets or errors, and there aren't. I'm
not running NAT, it's a publicly accessible IP address.


Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Powell
Don O'Neil wrote:

 Hi everyone. recently my server started having issues with DNS and FTP
 sessions either not resolving or timing out. I've tracked the issue down
 to IPFW. if I issue a 'sysctl net.inet.ip.fw.enable=0' then my issues go
 away.
 
[snip]

I'm probably not smart enough to be able to help directly with your problem 
but I'd like to add that there is a snowballing DNS Amplification ddos 
attack against SpamHaus going on which is spilling over. I was looking at 
some weird stuff my Suricata was reporting today when I noticed a large 
majority of it was coming from CloudFlare CDN. They use anycast packet 
traffic to deflect and diffuse such attacks for their customers. 

I'm wondering if your box has just been sitting there doing its thing and 
you've made zero changes to it so it is essentially 'steady state' and this 
problem just sort of came up seemingly out of nowhere. Consider a 
possibility that the cause may be external and what you're seeing is just 
IPFW's reaction to it.

A friend of mine is on a nearby Verizon subnet and he uses their DNS 
servers. He noticed minimal hiccup while I have my DNS pointed at OpenDNS 
and it took them almost a day to get their situation under control. Once 
they did traffic seemed to return to normal, then I noticed Suricata alerting 
on return traffic in my pf DNS firewall rule. All the traffic Suricata was 
complaining about was coming from the CloudFlare CDN. I've never seen this 
before, so I'm not completely certain what to make of it. My hypothesis is 
OpenDNS subscribed to CloudFlare's protection, and since it is legit 
return traffic from my DNS server's lookups the firewall never touched it. I 
would never have noticed if it wasn't for Suricata. 

I just don't know enough about it all, just that I was having some flaky DNS 
stalling and hanging and when it seemed like it returned to normal I began 
to see this weird stuff from CloudFlare CDN on my DNS traffic. Just would like 
to point out it may be possible your problem is somehow just a reflection of 
some noise going on outside your box. As for exactly what you might do about 
it is for smarter people than me.

-Mike





Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Sierchio
I'll give you a more cogent reply tomorrow - if you use keep-state
rules, you want to be a little more specific - for tcp, you want
"allow tcp from X to Y setup keep-state" - i.e. you start the stateful
rule on packets that have the SYN flag set.  There are some other
oddities here - I'm guessing that the firewall rules are there to
protect this box itself...  in which case your stateful rules really
need only to consider outbound traffic, and to allow replies.  Let
me know if that assumption is erroneous.  More later.  Time for 

- M

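
Taking the replies in this thread together, as an added explanation and example rather than anything the participants posted: with '00102 allow ip from any to any out keep-state' near the top of the list, every outbound DNS query creates a dynamic rule, and the reply is accepted by '00100 check-state' only while that entry is alive (net.inet.ip.fw.dyn_udp_lifetime, 10 seconds by default). A reply that arrives later, as many did while the root and .com servers were being hammered, is evaluated against the static rules instead; its destination port is the resolver's ephemeral port rather than 53, so none of the port-53 rules match and it falls through to '65535 deny'. That is why raising the dyn_*_lifetime sysctls helps, and why a ruleset that worked for years suddenly did not. For the counter-based view asked for above, 'ipfw -a list' prints per-rule packet and byte counters and 'ipfw -d list' shows the dynamic entries. The Python below is a small linter for 'ipfw list' output that flags the structural problems named in the thread: tcp keep-state without setup, in/out without an interface, rules that the catch-all at 00102 shadows, and the rule number 01172 that the posted list uses twice. The sample ruleset is constructed, modelled on the one posted with the two archive-garbled lines left out; the function names and finding categories are mine.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ruleset posted in this thread (the two
# lines the list archive garbled are left out, the rest is representative).
SAMPLE_RULESET = """\
00100 check-state
00101 allow tcp from any to any established
00102 allow ip from any to any out keep-state
00103 allow icmp from any to any
00201 allow ip from any to any via lo0
01122 allow tcp from any to any dst-port 1024-65000 keep-state
01160 allow udp from any to any dst-port 53 in keep-state
01161 allow tcp from any to any dst-port 53 in keep-state
01162 allow udp from any to any dst-port 53 out keep-state
01163 allow tcp from any to any dst-port 53 out keep-state
01172 allow tcp from any to any dst-port 443 in
01172 allow tcp from any to any dst-port 443 out
65535 deny ip from any to any
"""

RULE_RE = re.compile(r"^(\d+)\s+(\S+)(?:\s+(.*))?$")
IFACE_WORDS = {"via", "recv", "xmit"}


def parse_rule(line):
    """Split one 'ipfw list' line into rule number, action and remaining words."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return {"num": int(m.group(1)), "action": m.group(2),
            "words": (m.group(3) or "").split()}


def lint_ipfw(text):
    """Return (rule_number, kind, message) findings for an 'ipfw list' dump."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    findings = []

    # Duplicate numbers: both rules load, but 'ipfw delete N' removes both and
    # the intent (one in, one out) is invisible in the list.
    for num, count in sorted(Counter(r["num"] for r in rules).items()):
        if count > 1:
            findings.append((num, "duplicate", f"rule number {num:05d} used {count} times"))

    seen_check_state = False
    catch_all_out = None          # number of the first 'allow ip from any to any out'
    for r in rules:
        num, action, words = r["num"], r["action"], r["words"]
        if action == "check-state":
            seen_check_state = True
            continue
        proto = words[0] if words else ""
        stateful = "keep-state" in words
        direction = "in" if "in" in words else "out" if "out" in words else None

        if stateful and not seen_check_state:
            findings.append((num, "order", "keep-state before any check-state: dynamic-rule matching "
                                           "only starts at the first check-state or keep-state rule"))
        if stateful and proto == "tcp" and "setup" not in words:
            findings.append((num, "setup", "tcp keep-state without setup: state is created by any "
                                           "matching segment, not just the SYN"))
        if direction and not IFACE_WORDS & set(words):
            findings.append((num, "iface", f"'{direction}' without via/recv/xmit: direction alone "
                                           "does not say which interface the packet crossed"))
        if catch_all_out is not None and direction == "out":
            findings.append((num, "shadowed", f"never reached: rule {catch_all_out:05d} already "
                                              "allows all outbound traffic"))
        if (action == "allow" and proto == "ip" and direction == "out"
                and words[1:5] == ["from", "any", "to", "any"] and catch_all_out is None):
            catch_all_out = num
    return findings


if __name__ == "__main__":
    for num, kind, msg in lint_ipfw(SAMPLE_RULESET):
        print(f"{num:05d} {kind:9s} {msg}")
```

Feed it the output of 'ipfw list' from the box in question; on the sample above it reports the duplicated 01172, the three tcp keep-state rules without setup, every in/out rule that names no interface, and the three outbound rules that 00102 makes unreachable, which is the list of points raised in the replies.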

Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Sierchio
On Sun, Mar 31, 2013 at 9:39 PM, Michael Powell nightre...@hotmail.com wrote:

 I'm probably not smart enough to be able to help directly with your problem
 but I'd like to add that there is a snowballing DNS Amplification ddos
 attack against SpamHaus going on which is spilling over

Yes, this is very much true.  The ICANN servers are dropping packets
like mad, and many of the .com servers as well.  I am mirroring the
root zone locally to mitigate.

It works to forward DNS to Google's servers (8.8.8.8, 8.8.4.4.) EXCEPT
- they are blocking some net blocks (issuing spurious negative
responses) because of large numbers of nets with hosts in the botnet
participating in the attack.

- M


Re: Problems with IPFW causing failed DNS and FTP sessions

2013-03-31 Thread Michael Sierchio
net.inet.ip.fw.dyn_short_lifetime ?
net.inet.ip.fw.dyn_udp_lifetime ?

You might want to increase these, given the current state of things...


Re: pppoe configuration and dns name resolution

2012-10-21 Thread Jack
Hi

This time I configured as simple as possible
with minimal settings, and voila things worked.
I successfully connected to internet in both
cases - DHCP server disabled in adsl modem, and
DHCP server enabled in adsl modem.

Thanks all of you guys for helping. :)

Here are config files:

## /etc/rc.conf
hostname="jacks_lappy"

ifconfig_fxp0="DHCP"

# The below line is to be used if DHCP server on adsl
# modem is disabled.

#ifconfig_fxp0="inet 192.168.1.4 netmask 255.255.255.0"

# This is assigned to telnet to adsl modem and configure it,
# if you don't wanna communicate with modem, remove
# this line. It doesn't affect ppp connectivity, in any way -
# I tried removing it and got connected successfully.

sshd_enable="YES"
moused_enable="YES"
powerd_enable="YES"
# Set dumpdev to AUTO to enable crash dumps, NO to disable
dumpdev="AUTO"

hald_enable="YES"
dbus_enable="YES"

---

## /etc/ppp/ppp.conf:

default:
 set log Phase tun command

adsl:
 set device PPPoE:fxp0

 # MRU is optional too, you can remove it
 # w/o affecting ppp connectivity.
 set mru 1492

 #set mtu 1492
 # This was the cause of failure.
 # See man ppp for more info.
 # If MTU is set, ppp will not accept MRU values less than MTU.
 # e.g. MTU = 1492. Now if your ISP has MTU = 1460 (my case), then
 # ppp on your PC will not connect to ppp server at your ISP side.
 # So DO NOT set MTU explicitly.

 set authname myusername
 set authkey mypassword
 set dial
 set login

 add default HISADDR

 enable dns
 # a must, if DHCP server is enabled in adsl modem
 # and if you don't wanna edit /etc/resolv.conf
 # each time before connecting to ISP's ppp server.
 # Now you don't need to touch /etc/resolv.conf

-

My /etc/resolv.conf is updated each time I start
ppp, so I didn't need to edit it.
I simply started ppp via

ppp -ddial adsl

I also didn't start ppp at bootup, as it requires that
your adsl modem must be powered on before FreeBSD
begins booting, which is not the usual case for me.

Also, as soon as I started ppp, an ip address is assigned to
tun0  interface by ISP, while fxp0 was assigned its ip
address via DHCP server enabled in adsl modem, even before
I attempted to dial ppp. That is expected.

I also tested this configuration with DHCP server disabled
in adsl modem and it too worked successfully, except
I need to change the line fxp0=DHCP to the manually assigned
ip address one, no other change was needed.

The problem might be I was trying to explicitly set MTU
to be 1492, which ppp takes as minimum value - i.e. no MTU
value less than 1492 is agreed upon by user ppp.

My ISP's MTU was 1460, and since 1460 < 1492, ppp
was not agreeing upon MTU value and no connection was
made.

Thanks again all of you guys for sorting this out. :)

Mean while I created a script to start and stop ppp
service for a profile. This script is specifically written for
csh/tcsh shell - the default one for FreeBSD, so some
changes need to be made if it is to be run in other
shells.

Just go to c shell and type
pppdo profilename start | stop

where 'profilename' is the desired profilename defined in
etc/ppp/ppp.conf, and either you 'start' ppp or 'stop' ppp.


 


Here goes the script:  pppdo.sh

#!/bin/csh
# Start or stop a user-ppp profile:  pppdo.sh profile start|stop

if ( $#argv != 2 ) then
    # The message must be quoted: an unquoted "|" makes csh pipe the
    # output of echo into a command named "stop".
    echo "Usage: $0 ppp_profile start | stop"
    exit 1
endif

switch ($2)
case start:
    /usr/sbin/ppp -ddial $1
    breaksw
case stop:
    # INT hangs up the link (a -ddial ppp would redial), HUP then makes
    # ppp exit and drop the tun0 interface.
    killall -INT ppp
    killall -HUP ppp
    breaksw
default:
    echo "$0 : Invalid Cmd"
    exit 1
endsw

-

 NOTE: before executing this script make sure it is executable
 If not, type this at shell:
 chmod +x ./pppdo.sh

 After executing this script try pinging to a remote site to confirm
 connectivity, e.g. type this at shell:
 ping -c5 freebsd.org
 If you get 0.0% packet loss, then you made it!


So, the only files that require modifications are
/etc/ppp/ppp.conf   and   /etc/rc.conf

No other file needs to be modified to use user ppp,
no matter whether DHCP server on your adsl modem
is enabled or disabled, it doesn't matter - just use the
configuration mentioned above.

Then use the script as:

./pppdo adsl start

to start the ppp profile named adsl(tun0 interface is
created), and use

./pppdo adsl stop
to stop the ppp. This will destroy the tun0 interface too.


 PS: The user account from which this script is to be run, must be a
 member of network group too, though network group need not to be
 the user's login group. This is the requirement of user ppp itself, and
 not of this script.



Regards
-- 
Jack

Re: pppoe configuration and dns name resolution

2012-10-20 Thread Polytropon
On Sat, 20 Oct 2012 09:42:31 +0530, Jack wrote:
 Hi again,
 
 This time I disabled DHCP on my fxp0 interface and
 in my adsl modem too.
 But the problem still exists.
 
 This time I tried both approaches:
  assigned an IP address explicitly to fxp0, and
 then no explicit assignment to fxp0.

That should be the easiest test setting.



 I still don't get why FreeBSD is having trouble
 connecting via PPP.

Seems to be a specific problem. There is no general problem with
PPPoE on FreeBSD.



 I am trying every combination that might work,
 but still no luck.
 Any help will be appreciated.

Try to limit variables as much as possible. Control one thing
per time.



 I'm posting my config files. The statements in comments
 are those that I have already tried enabling.
 
 
 ## /etc/rc.conf
 hostname="jacks_lappy"
 #ifconfig_fxp0="DHCP"
 #ifconfig_tun0=
 ifconfig_fxp0="inet 192.168.1.4 netmask 255.255.255.0"
 #ifconfig_fxp0=

Is this IP inside your network?

In my old setting, I had defined the IP for the NIC connected
to the modem as 192.168.0.1, but my own network (and therefore
also the 2nd NIC in the machine) is in 192.168.1.* - I don't know
if the first could have been omitted, just doing "up" for the
NIC connected to the modem.




 sshd_enable="YES"
 moused_enable="YES"
 powerd_enable="YES"
 # Set dumpdev to AUTO to enable crash dumps, NO to disable
 dumpdev="AUTO"
 
 hald_enable="YES"
 dbus_enable="YES"

No problem here, not related.



 routerenable="NO"

This option does not exist. See /etc/defaults/rc.conf for a list
of them. I haven't used that option in the working setup.



 #defaultrouter="192.168.1.1"

Correct - I also did not define a default router.



 ppp_enable="YES"
 ppp_mode="ddial"
 ppp_nat="NO"
 ppp_profile="adsl"
 ppp_adsl_unit="0"

I've also not used the last parameter. The tun0 interface would
have been generated automatically.

Everything implies that the _kernel_ has all the necessary
functionality enabled (tun interface, PPPoE related netgraph
modules and NIC support).



 I tried to specify tun0 interface explicitly,
 but still no luck.

No need to do so.



 When I start ppp using:
   service ppp start
 
 It shows tun0 is busy.

Which is correct.



 ## etc/resolv.conf
 #Open DNS nameservers:
 nameserver 208.67.222.222
 nameserver 208.67.220.220

Those are OpenDNS resolvers. I've been using two provided by my
ISP, and also ran named myself later on.




 ## /etc/ppp/ppp.conf
 
 default:
  set log Phase chat lcp ipcp ccp tun command lqm
  set ifaddr 10.0.0.1/0  10.0.0.2/0  0.0.0.0  0.0.0.0
  # set ifaddr 10.0.0.1/0 10.0.0.2/0  255.255.255.255 0.0.0.0
  nat enable no
 
 adsl:
  set device PPPoE:fxp0
  #set device PPPoE:tun0
  set mru 1492
  set mtu 1492
  set ctsrts off
  set speed sync
  set dial
 
  enable lqr
 
  set login
  set authname myusername
  set authkey mypassword 
  set timeout 120
  set redial 0 0
 
  add default HISADDR
  #enable dns


Why not try a minimal configuration?

myispname:
set device PPPoE:fxp0
set authname myusername
set authkey mypassword
set dial
set login
add default HISADDR

That should be everything which is needed. For better diagnostics,
add your custom options (like lqr or redial) later on.

As I said, all my examples and suggestions are taken from a working
example, different OS versions, different physical modems.



--
 
 ## output of ifconfig just after boot:
 
 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
   ether 00:16:d3:0c:42:22
   inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
   inet6 fe80::216:d3ff:fe0c:4222%fxp0 prefixlen 64 scopeid 0x6
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active

Looks good so far - connected to the modem.




 tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
   options=8<LINKSTATE>
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
   Opened by PID 1231

Does not look good - no IP assigned.



 ## output of ifconfig after I started ppp using
 ## service ppp start

The ppp should have been started automatically...



 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
   ether 00:16:d3:0c:42:22
   inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
   inet6 fe80::216:d3ff:fe0c:4222%fxp0 prefixlen 64 scopeid 0x6
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active

Again, looks correct.




 tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
   options=8<LINKSTATE>
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
   Opened by PID 1231

And again no IP here

Re: pppoe configuration and dns name resolution

2012-10-20 Thread RW
On Sat, 20 Oct 2012 09:42:31 +0530
Jack wrote:

 Hi again,
 
 This time I disabled DHCP on my fxp0 interface and
 in my adsl modem too.
 But the problem still exists.
 
 This time I tried both approaches:
  assigned an IP address explicitly to fxp0, and
 then no explicit assignment to fxp0.

I'd leave fxp0 unset until you've fixed the other problems - it's not
necessary for PPP. 

Modems and routers in PPPoE bridging mode don't normally require any
adjustment or other access so there's probably no need to assign
address anyway.


 I still don't get why FreeBSD is having trouble
 connecting via PPP.

The original problem you quoted was with DNS and
that's explained by the DHCP on fxp0 overwriting resolv.conf with the
router/modem's own non-functional DNS proxy.


As regards ppp.conf mine was simply:

default:
  set log Phase tun command

adsl:
  set device PPPoE:vr0
  set authname my username
  set authkey  my password
  add default HISADDR


 ppp_adsl_unit=0
 
 
 I tried to specify tun0 interface explicitly,
 but still no luck.
 When I start ppp using:
   service ppp start
 It shows tun0 is busy.

Don't try to specify the tun device number. I've noticed in the past
that occasionally tun0 becomes unusable and ppp will switch to tun1.
I've seen this happen when I've been restarting ppp a lot. 


 From my understanding it should not matter whether fxp0 is
 assigned the IP address via a DHCP server on the local LAN or
 manually - at least this concept works on Windows.
 
 But in FreeBSD, if I enable DHCP on fxp0, then
 /etc/resolv.conf is created each time I boot FreeBSD,
 so the only nameserver is 192.168.1.1, i.e. the adsl
 modem's ethernet interface.
 Even if I edit it to include the nameservers of my ISP or OpenDNS,
 this file is created each time FreeBSD boots, and these entries
 are lost, with the only entry being 192.168.1.1
 

There's no good reason to use DHCP in this case; you can simply set a
static private IP address (typically a high address in the same /24 as
the modem). If you really must use DHCP then it can be reconfigured
globally or per interface (type apropos dhclient).

  
I notice that the original resolv.conf you quoted was set by resolvconf.
I've never used this so I can't comment on whether it's helping or
hindering. I suspect it is aimed at laptops switching between different
networks.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: pppoe configuration and dns name resolution

2012-10-19 Thread Polytropon
On Thu, 18 Oct 2012 20:03:50 +0100, RW wrote:
 On Tue, 16 Oct 2012 20:38:47 +0530
 Jack wrote:
  /etc/resolv.conf
  
  # Generated by resolvconf
  nameserver 192.168.1.1
 
 If 192.168.1.1 is the modem, how can it be a proxy nameserver? It
 doesn't have an internet connection if it's not terminating PPP.
 
 You have
 
 ifconfig_fxp0="DHCP"
 
 which means  you are picking up DHCP from the modem itself not the
 other side of the PPP link.  In bridging mode you only need to
 configure the underlying ethernet device if you want to route back-out
 into the router's LAN (PPPoE and IP can share a lan).
 
 You don't necessarily need DHCP with PPPoE because PPP can deliver the
 IP address, DNS etc by itself. If the ISP requires you to use DHCP you
 should probably have configured the tun0 interface instead of fxp0.

Exactly that's what I did describe in my message: Configuration
data is set in ppp.conf, no DHCP involved, and the actual IP will
be delivered to the tun0 interface, while fxp0 (in this case)
can be used for involving with NAT (if required). Setting the
nameserver to an _actual_ nameserver (either running named on
the machine, or relying on the ISP's nameservers) is required.
This is the easiest approach to dealing with PPPoE modems (if
they are used as actual modems without any additional routing,
DHCP or other functionality).



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: pppoe configuration and dns name resolution

2012-10-19 Thread Jack
Hi again,

This time I disabled DHCP on my fxp0 interface and
in my adsl modem too.
But the problem still exists.

This time I tried both approaches:
 assigned an IP address explicitly to fxp0, and
then no explicit assignment to fxp0.

I still don't get why FreeBSD is having trouble
connecting via PPP.

I am trying every combination that might work,
but still no luck.
Any help will be appreciated.
I'm posting my config files. The statements in comments
are those that I have already tried enabling.


## /etc/rc.conf
hostname="jacks_lappy"
#ifconfig_fxp0="DHCP"
#ifconfig_tun0=
ifconfig_fxp0="inet 192.168.1.4 netmask 255.255.255.0"
#ifconfig_fxp0=

sshd_enable="YES"
moused_enable="YES"
powerd_enable="YES"
# Set dumpdev to AUTO to enable crash dumps, NO to disable
dumpdev="AUTO"

hald_enable="YES"
dbus_enable="YES"

routerenable="NO"
#defaultrouter="192.168.1.1"

ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"
ppp_profile="adsl"
ppp_adsl_unit="0"


I tried to specify tun0 interface explicitly,
but still no luck.
When I start ppp using:
  service ppp start

It shows tun0 is busy.

--

## etc/resolv.conf
#Open DNS nameservers:
nameserver 208.67.222.222
nameserver 208.67.220.220


--

## /etc/ppp/ppp.conf

default:
 set log Phase chat lcp ipcp ccp tun command lqm
 set ifaddr 10.0.0.1/0  10.0.0.2/0  0.0.0.0  0.0.0.0
 # set ifaddr 10.0.0.1/0 10.0.0.2/0  255.255.255.255 0.0.0.0
 nat enable no

adsl:
 set device PPPoE:fxp0
 #set device PPPoE:tun0
 set mru 1492
 set mtu 1492
 set ctsrts off
 set speed sync
 set dial

 enable lqr

 set login
 set authname myusername
 set authkey mypassword   
 set timeout 120
 set redial 0 0

 add default HISADDR
 #enable dns

--

## output of ifconfig just after boot:

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
    ether 00:16:d3:0c:42:22
    inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::216:d3ff:fe0c:4222%fxp0 prefixlen 64 scopeid 0x6
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (100baseTX full-duplex)
    status: active
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 06:e4:0a:1b:50:36
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    lladdr 6.e4.a.0.28.1b.50.36.a.2.ff.fe.0.0.0.0
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=63<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=8<LINKSTATE>
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    Opened by PID 1231

--

## output of ifconfig after I started ppp using
## service ppp start

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
    ether 00:16:d3:0c:42:22
    inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::216:d3ff:fe0c:4222%fxp0 prefixlen 64 scopeid 0x6
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (100baseTX full-duplex)
    status: active
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 06:e4:0a:1b:50:36
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    lladdr 6.e4.a.0.28.1b.50.36.a.2.ff.fe.0.0.0.0
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=63<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=8<LINKSTATE>
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    Opened by PID 1231

--

Now it seems to me that there might be some sequence of statements

Re: pppoe configuration and dns name resolution

2012-10-18 Thread RW
On Tue, 16 Oct 2012 20:38:47 +0530
Jack wrote:


 My network schematic is:
 
 PC --- ADSL modem - Internet
  192.168.1.2   192.168.1.1
 
...
 /etc/resolv.conf
 
 # Generated by resolvconf
 nameserver 192.168.1.1

If 192.168.1.1 is the modem, how can it be a proxy nameserver? It
doesn't have an internet connection if it's not terminating PPP.

You have

   ifconfig_fxp0="DHCP"

which means  you are picking up DHCP from the modem itself not the
other side of the PPP link.  In bridging mode you only need to
configure the underlying ethernet device if you want to route back-out
into the router's LAN (PPPoE and IP can share a lan).

You don't necessarily need DHCP with PPPoE because PPP can deliver the
IP address, DNS etc by itself. If the ISP requires you to use DHCP you
should probably have configured the tun0 interface instead of fxp0.


Re: pppoe configuration and dns name resolution

2012-10-17 Thread Jack
On Tue, Oct 16, 2012 at 9:19 PM, Mark Blackman m...@exonetric.com wrote:

 On 16 Oct 2012, at 16:38, Jack jacks.1...@gmail.com wrote:

 I 'll try mpd5. Thanks.

 Actually, I was concerned with userland ppp, because of the
 scenarios where we have a FreeBSD machine and the only
 way to connect to the internet is an adsl modem in bridge mode
 (assuming the mode in the modem can't be changed).
 In such a case the only utility which can be of help is ppp.

 Ok, usually bridge mode implies PPPoE and mpd5 does PPPoE. Maybe
 I'm missing your point.

 - Mark

Mark, what I meant is when we have, say, a fresh FreeBSD install, then
the only service we have available is ppp. To be able to use mpd5, or
other ports/packages, we first need to connect to the internet; only then
can we install/use mpd5. So, by default we are stuck with using the ppp
built in to FreeBSD.

And yes by bridge mode I meant that username and password
are to be provided to OS, rather than storing them inside adsl modem.

The bridge mode works fine in my Windows XP setup. Nothing special
to configure, just need to go to network connections and create a new
connection, using username and password.
In XP, I'm using DHCP too, so that I don't need to manually
configure the interface IP address.

That's why I'm sure that my network setup is not an issue. The issue lies
somewhere in FreeBSD configuration or somewhere else.


Regards
-- 
Jack


Re: pppoe configuration and dns name resolution

2012-10-17 Thread Jack
Hi,

 Thank you guys for your suggestions, and sharing your
 experiences with me.

 This time I deleted old /var/log/ppp.log file, and
 I did modify /etc/ppp/ppp.conf - just the location
 of ifaddr line is changed and some more logging
 options set -nothing else is changed.
 .

 The file is this now:

 /etc/ppp/ppp.conf :

 default:

 adsl:
 set log Phase chat lcp ipcp ccp tun command lqm

 set ifaddr 10.0.0.1/0  10.0.0.2/0  255.255.255.0  0.0.0.0

  set device PPPoE:fxp0
  set mru 1492
  set mtu 1492
  set ctsrts off
  set speed sync
  set dial

  enable lqr

  set login
  set authname myusername
  set authkey mypassword
  set timeout 120
  set redial 0 0

# set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 # now this interface is set up at 2nd line in adsl profile

 add default HISADDR
  enable dns

  nat enable no



 -

Then I rebooted FreeBSD, in verbose mode enabled.

 After it booted,  I started ppp like this:

 #ppp -ddial adsl

 Here is the shell o/p along with verbose lines

 /usr/sbin/ppp -ddial adsl

 Working in ddial mode
 Using interface: tun0

  ;verbose lines
 tun0: buf attached
 WARNING: attempt to domain_add(netgraph) after domainfinalize()

 
-

 The output of ifconfig is:

 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
     options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
     ether 00:16:d3:0c:42:22
     inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
     nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
     media: Ethernet autoselect (100baseTX full-duplex)
     status: active
 fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
     options=8<VLAN_MTU>
     ether 06:e4:0a:1b:50:36
     nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
     ch 1 dma -1
 fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
     lladdr 6.e4.a.0.28.1b.50.36.a.2.ff.fe.0.0.0.0
     nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
     options=63<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
     inet6 ::1 prefixlen 128
     inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
     inet 127.0.0.1 netmask 0xff000000
     nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
 tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
     options=8<LINKSTATE>
     nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
     Opened by PID 1731

 
-

 The   /var/log/ppp.log   file contents:

 http://justpaste.it/1fcw



  Is there some standard sequence for the contents of /etc/ppp/ppp.conf ?
  I guess that may be the problem.



  The bridge mode works fine in my Windows XP setup. Nothing special
  to configure, just need to go to network connections and create a new
  connection, using username and password.
  In XP, I'm using DHCP too, so that I don't need to manually
  configure the interface IP address.

  That's why I'm sure that my network setup is not an issue. The issue lies
  somewhere in FreeBSD configuration or somewhere else.




  On Tue, Oct 16, 2012 at 9:19 PM, Mark Blackman m...@exonetric.com wrote:
  
   On 16 Oct 2012, at 16:38, Jack jacks.1...@gmail.com wrote:
  
   I 'll try mpd5. Thanks.
  
   Actually, I was concerned with userland ppp, because of the
   scenarios where we have a FreeBSD machine and the only
   way to connect to the internet is an adsl modem in bridge mode
   (assuming the mode in the modem can't be changed).
   In such a case the only utility which can be of help is ppp.
  
   Ok, usually bridge mode implies PPPoE and mpd5 does PPPoE. Maybe
   I'm missing your point.
  


  Mark,
  what I meant to say is when we have, say, a fresh FreeBSD install, then
  the only service we have available is ppp. To be able to use mpd5, or
  other ports/packages, we first need to connect to the internet; only then
  can we install/use mpd5. So, by default we are stuck with using the ppp
  built in to FreeBSD. :(

  By bridge mode I meant that username and password
  are to be provided to OS, rather than storing them inside adsl modem.

PS:  I sent this mail with /var/log/ppp.log contents yesterday but
   it seems that list moderator rejected the post due to its large
   size.
   So, I'm pasting the link for contents of /var/log/ppp.log



 Regards
-- 
Jack


Re: pppoe configuration and dns name resolution

2012-10-16 Thread Mark Blackman

On 16 Oct 2012, at 16:08, Jack jacks.1...@gmail.com wrote:

 Hi
 
 I'm new as a FreeBSD user, and trying to configure my
 pppoe connection.

[snip]

 
 fxp0 is the ethernet interface of my PC via which adsl modem is connected.
 
 Any suggestions  ...

Consider using the ports mpd5 daemon for a PPPoE connection instead.
I had a lot of trouble getting PPPoE to work with userland 'ppp', but
mpd5 worked fine. 

- Mark


Re: pppoe configuration and dns name resolution

2012-10-16 Thread Jack
On Tue, Oct 16, 2012 at 8:49 PM, Mark Blackman m...@exonetric.com wrote:

 On 16 Oct 2012, at 16:08, Jack jacks.1...@gmail.com wrote:

 Hi

 I'm new as a FreeBSD user, and trying to configure my
 pppoe connection.

 [snip]


 fxp0 is the ethernet interface of my PC via which adsl modem is connected.

 Any suggestions  ...

 Consider using the ports mpd5 daemon for a PPPoE connection instead.
 I had a lot of trouble getting PPPoE to work with userland 'ppp', but
 mpd5 worked fine.

 - Mark

I 'll try mpd5. Thanks.

Actually, I was concerned with userland ppp, because of the
scenarios where we have a FreeBSD machine and the only
way to connect to the internet is an adsl modem in bridge mode
(assuming the mode in the modem can't be changed).
In such a case the only utility which can be of help is ppp.

I'm using FreeBSD 9.1 RC-2.

Regards
-- 
Jack


Re: pppoe configuration and dns name resolution

2012-10-16 Thread Mark Blackman

On 16 Oct 2012, at 16:38, Jack jacks.1...@gmail.com wrote:

 I 'll try mpd5. Thanks.
 
 Actually, I was concerned with userland ppp, because of the
 scenarios where we have a FreeBSD machine and the only
 way to connect to the internet is an adsl modem in bridge mode
 (assuming the mode in the modem can't be changed).
 In such a case the only utility which can be of help is ppp.

Ok, usually bridge mode implies PPPoE and mpd5 does PPPoE. Maybe
I'm missing your point.

- Mark


Re: pppoe configuration and dns name resolution

2012-10-16 Thread Mark Blackman

On 16 Oct 2012, at 16:49, Mark Blackman m...@exonetric.com wrote:

 
 On 16 Oct 2012, at 16:38, Jack jacks.1...@gmail.com wrote:
 
 I 'll try mpd5. Thanks.
 
 Actually, I was concerned with userland ppp, because of the
 scenarios where we have a FreeBSD machine and the only
 way to connect to the internet is an adsl modem in bridge mode
 (assuming the mode in the modem can't be changed).
 In such a case the only utility which can be of help is ppp.
 
 Ok, usually bridge mode implies PPPoE and mpd5 does PPPoE. Maybe
 I'm missing your point.

More accurately, bridge mode (on the modem) means your FreeBSD box will
need to be the termination point of the PPPoE link rather than the modem
itself and so you need to run something to terminate the PPPoE packets
and mpd5 will do that (among other things).

- Mark



Re: pppoe configuration and dns name resolution

2012-10-16 Thread andrew clarke
On Tue 2012-10-16 20:38:47 UTC+0530, Jack (jacks.1...@gmail.com) wrote:

 I'm new as a FreeBSD user, and trying to configure my
 pppoe connection.
 
 After reading handbook and searching on various forums,
 I prepared the ppp.conf file, and tried starting the ppp via
 # ppp -ddial adsl
 
 Here 'adsl' is the profile name, in /etc/ppp/ppp.conf.
 I also tried
 #ppp -auto adsl
 but the error message was same.

...

I use a similar setup here except I use static IPs for both the ADSL modem
(in bridge mode) and the FreeBSD box connecting to it. The FreeBSD box
then runs a DHCP server (dns/dnsmasq in ports) for any other machines
on my LAN to talk to.

 I'm pasting my related configuration files if they can help.
 Please tell me if any other files are needed.

Nothing really stands out glancing at your configs. I'd be looking for
clues in /var/log/ppp.log.

 tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
   options=8<LINKSTATE>
   inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffff00
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   Opened by PID 1907

tun0 should have been reassigned a public address here by the remote
PPP host (your ISP). Also the MTU is still stuck at 1500 despite you
correctly configuring 1492 in ppp.conf. So I think the PPP negotiation
is failing. ppp.log may explain why.

Mine looks like this:

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
    options=8<LINKSTATE>
    inet 58.6.247.132 --> 203.215.15.252 netmask 0x
    Opened by PID 45904


Below is my (edited) rc.conf and ppp.conf. I simply start and stop the PPP
session with "service ppp start" and "service ppp stop" as root.


## /etc/rc.conf

hostname="blizzard.phoenix"
ifconfig_bge0="inet 192.168.1.4 netmask 255.255.255.0"

zfs_enable="YES"
syslogd_flags="-c"
gateway_enable="YES"
sshd_enable="YES"
inetd_enable="YES"
fusefs_enable="YES"
openntpd_enable="YES"
dovecot_enable="YES"
named_enable="NO"
dnsmasq_enable="YES"
postfix_enable="YES"

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="iinet"

firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"


## /etc/ppp/ppp.conf

default:
  set log phase chat lcp ipcp ccp tun command lqm
  set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255
  nat enable yes
  disable lqr
  disable ipv6cp
  set echoperiod 30
  enable echo

iinet:
  set device PPPoE:bge0
  set authname myusername
  set authkey mypassword
  set dial
  set login
  set mru 1492
  set mtu 1492
  set redial 15 0
  add default HISADDR
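As an added example (not code from the thread), here is a small sh script that automates the two checks the replies make: RW's point that a resolv.conf written by DHCP from a bridged modem names a server that cannot resolve anything, and andrew clarke's point that a negotiated tun0 carries a public address and MTU 1492 rather than the 10.0.0.x placeholder from "set ifaddr" and the default 1500. All ifconfig and resolv.conf text below is constructed, the public addresses are documentation-range samples, and the "10.* means placeholder" rule and the modem address 192.168.1.1 are assumptions taken from the thread's own examples.

```sh
#!/bin/sh
# Added example, not from the thread: check a PPPoE-over-bridged-modem setup
# the way the replies above do. All sample text below is constructed.

# Constructed ifconfig output for tun0 before PPP negotiation finished:
# the 10.0.0.1 placeholder from 'set ifaddr' is still there, MTU is still 1500.
TUN0_BAD='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=8<LINKSTATE>
    inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
    Opened by PID 1907'

# Constructed output for a negotiated link: public address, MTU 1492.
TUN0_OK='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
    options=8<LINKSTATE>
    inet 198.51.100.7 --> 203.0.113.1 netmask 0xffffffff
    Opened by PID 45904'

# Constructed resolv.conf contents: one written by dhclient/resolvconf from
# the modem's DHCP lease, one with static upstream resolvers.
RESOLV_MODEM='# Generated by resolvconf
nameserver 192.168.1.1'
RESOLV_STATIC='nameserver 208.67.222.222
nameserver 208.67.220.220'

# check_tun0 IFCONFIG_TEXT
# Prints one line per problem; returns 0 only when the link looks negotiated.
check_tun0() {
    _rc=0
    _mtu=$(printf '%s\n' "$1" | sed -n 's/^tun0:.* mtu \([0-9]*\).*/\1/p')
    _ip=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*inet \([0-9.]*\) .*/\1/p')
    if [ -z "$_ip" ]; then
        echo "tun0: no IPv4 address - IPCP never completed"
        _rc=1
    else
        # Assumption: the thread's ppp.conf uses 10.0.0.1/0 as the 'set ifaddr'
        # placeholder, so a 10.* address means IPCP has not replaced it yet.
        case $_ip in
            10.*) echo "tun0: still holds placeholder $_ip from 'set ifaddr'"; _rc=1 ;;
        esac
    fi
    if [ "$_mtu" != 1492 ]; then
        echo "tun0: mtu is ${_mtu:-unknown}, expected 1492 (1500 minus the 8-byte PPPoE header)"
        _rc=1
    fi
    return $_rc
}

# check_resolv RESOLV_TEXT MODEM_IP
# A modem in bridge mode terminates no PPP session of its own, so a
# resolv.conf pointing at it (what its DHCP lease hands out) resolves nothing.
check_resolv() {
    _rc=0
    _servers=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }')
    if [ -z "$_servers" ]; then
        echo "resolv.conf: no nameserver lines"
        return 1
    fi
    for _s in $_servers; do
        if [ "$_s" = "$2" ]; then
            echo "resolv.conf: nameserver $_s is the bridged modem, DNS will fail"
            _rc=1
        fi
    done
    if printf '%s\n' "$1" | grep -q '^# Generated by resolvconf'; then
        echo "resolv.conf: written by resolvconf, manual edits are lost on the next lease"
    fi
    return $_rc
}

# Stand-alone demonstration over the constructed samples.
echo "== tun0 before negotiation =="
if check_tun0 "$TUN0_BAD"; then echo "tun0: negotiated"; fi
echo "== tun0 after negotiation =="
if check_tun0 "$TUN0_OK"; then echo "tun0: negotiated"; fi
echo "== resolv.conf from modem DHCP =="
if check_resolv "$RESOLV_MODEM" 192.168.1.1; then echo "resolv.conf: usable"; fi
echo "== static resolv.conf =="
if check_resolv "$RESOLV_STATIC" 192.168.1.1; then echo "resolv.conf: usable"; fi
```

On a real box, feed it "ifconfig tun0" output and the contents of /etc/resolv.conf instead of the samples.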


Re: pppoe configuration and dns name resolution

2012-10-16 Thread Polytropon
On Tue, 16 Oct 2012 20:38:47 +0530, Jack wrote:
 I'm new as a FreeBSD user, and trying to configure my
 pppoe connection.

I've been using PPPoE with a DSL modem for many years, using
FreeBSD 4, 5 and 7 with the system's PPPoE tools. The IP
was provided to the computer directly, so no DHCP in the
modem involved (real modem mode).

In /etc/ppp/ppp.conf, I did simply define:

myispname:
set device PPPoE:xl0
set authname customer1234567@myispname
set authkey X
set dial
set login
add default HISADDR

No further changes to that file. Note that here, xl0 is the
interface directly connected to the modem.

And in /etc/rc.conf:

ifconfig_xl0="192.168.0.1 netmask 0xff00"
ppp_enable="YES"
ppp_profile="myispname"
ppp_mode="ddial"
ppp_nat="YES"

So the system would automatically start the connection
at boot time. The tun0 interface would then be associated
with the public IP designated when the PPPoE connection was up
and running.

Note that ppp_nat only has been needed to transition the
connection through a 2nd NIC into the local net, making my
machine a gateway (including related services, such as natd
and dhcpd).

I also think initializing the NIC xl0 is not entirely needed,
maybe just "up" would have been sufficient.

For actually being able to use PPPoE, I did add the required
components to the kernel, because that approach was state of
the art at those times. :-)

In /etc/resolv.conf I did add the nameservers published by
my ISP. Everything worked automatically, I did not need to make
further changes.

Basically my setup looks like yours, except that (as I said) I
did not use any additional features of the DSL modem (as it
did not have such features). :-)


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


svn commit: r240807 - in stable/9/contrib/bind9: . lib/dns lib/dns/include/dns

2012-09-22 Thread Jamie Paul Griffin
Hi

This morning at about 7 am, I noticed two commits to stable/9 that I wanted to 
pull in and so did, and then rebuilt from source. 

Just now, I noticed this: svn commit: r240807 - in stable/9/contrib/bind9: . 
lib/dns lib/dns/include/dns

I really can't be bothered to rebuild world again; can I just go into 
/usr/src/contrib/bind9 and make, build, install that bit? It does affect me so 
I should really update to this commit; up to now I've only rebuilt the entire 
system from source rather than individual code commits.

Cheers, Jamie


Re: Off Topic. DNS, Android.

2012-06-23 Thread Wojciech Puchar

a) Normally any Domain name registered has to have 2 Nameservers. Some


Don't have to, but should.

registry like the one responsible for .ORG requires 2 at least to propagate 
the domain. In the case of .COM that is not a requirement, one nameserver 
could work. If for some reason I have 2 of them and one is configured to 
point to SERVER A , and the other to SERVER B. Different places, same 
configuration. Is there any preference over what is PRIMARY NAMESERVER or 
SECONDARY NAMESERVER? I mean, Primary is the one used mainly?


Actually, when another DNS server resolves the name it may use any of them. 
Primary and secondary is mostly a term for you, the DNS operator.
Primary is the one where you type in the domain definition file; secondary is 
the one that fetches the file from the primary every time it is modified.




Off Topic. DNS, Android.

2012-06-22 Thread Jorge Biquez

Hello.

I am sorry if the following 2 questions could sound too stupid.

a) Normally any Domain name registered has to have 2 Nameservers. 
Some registry like the one responsible for .ORG requires 2 at least 
to propagate the domain. In the case of .COM that is not a 
requirement, one nameserver could work. If for some reason I have 2 
of them and one is configured to point to SERVER A , and the other to 
SERVER B. Different places, same configuration. Is there any 
preference over what is PRIMARY NAMESERVER or SECONDARY NAMESERVER? I 
mean, Primary is the one used mainly?


b) I am looking for good list like this one for people developing, 
learning about Android Development. Any suggestion ?

I am trying to setup a Freebsd machine for developing for Android, if possible.

Thanks in advance.

JB



Re: Off Topic. DNS, Android.

2012-06-22 Thread Chuck Swiger
On Jun 22, 2012, at 8:28 PM, Jorge Biquez wrote:
 Hello.

Hola!

 I am sorry if the following 2 questions could sound too stupid.
 
 a) Normally any Domain name registered has to have 2 Nameservers. Some 
 registry like the one responsible for .ORG requires 2 at least to propagate 
 the domain. In the case of .COM that is not a requirement, one nameserver 
 could work.

It's always a good idea to have at least two nameservers configured for any 
public domain, and best practice involves having nameservers located on 
different networks.

 If for some reason I have 2 of them and one is configured to point to SERVER 
 A , and the other to SERVER B. Different places, same configuration. Is 
 there any preference over what is PRIMARY NAMESERVER or SECONDARY NAMESERVER? 
 I mean, Primary is the one used mainly?

No, DNS round-robin used on most platforms will rotate fairly evenly.  And the 
traffic can be cached by other nameservers for a long(er) time by upping TTLs, 
if you wish to reduce network traffic load...at the tradeoff of making DNS 
changes take longer to be noticed, of course.

Bigger sites might adjust DNS traffic onto server pools with a load-balancer 
which does liveness checks of the nameservers and could be told to adjust 
traffic routing in various ways.  You can also do something similar via 
ipfw/natd's redirect_address (see RFC 2391).

 b) I am looking for good list like this one for people developing, learning 
 about Android Development. Any suggestion ?
 I am trying to setup a FreeBSD machine for developing for Android, if 
 possible.

Hmm.  http://developer.android.com/sdk/index.html suggests that maybe the Linux 
distribution under FreeBSD's Linux emulation might be a possibility.

Regards,
-- 
-Chuck

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Off Topic. DNS, Android.

2012-06-22 Thread Stas Verberkt
 b) I am looking for good list like this one for people developing,
 learning about Android Development. Any suggestion ?
 I am trying to setup a FreeBSD machine for developing for Android, if
 possible.

 Hmm.  http://developer.android.com/sdk/index.html suggests that maybe the
 Linux distribution under FreeBSD's Linux emulation might be a possibility.

On some blog, I read about http://bsdroid.org


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Dependencies for dns/unbound

2012-06-05 Thread Rada alive
On Mon, Jun 4, 2012 at 9:37 PM, Matthew Seaman matt...@freebsd.org wrote:

 On 04/06/2012 14:47, Rada alive wrote:
  [root@pladaks /usr/ports/dns/unbound]# make all-depends-list
  /usr/ports/devel/gmake
  /usr/ports/textproc/expat2
  /usr/ports/dns/ldns
  /usr/ports/devel/gettext
  /usr/ports/devel/doxygen
  /usr/ports/devel/libtool
  /usr/ports/converters/libiconv
  /usr/ports/lang/perl5.12
  /usr/ports/devel/tmake
  /usr/ports/graphics/graphviz
  /usr/ports/print/dvipsk-tetex
  /usr/ports/print/teTeX
  /usr/ports/lang/python27
  /usr/ports/devel/bison
  /usr/ports/devel/qt4-corelib
  [... etc -- rest of exceedingly long list of dependencies trimmed ...]

 Unset the DOCS option in dns/ldns.  Almost all of those dependencies are
 due to the doxygen support that drags in.


Thank you Matthew! I hoped it would be something simple like this.



 Cheers,
 
 Matthew
 
 --
 Dr Matthew J Seaman MA, D.Phil.
 PGP: http://www.infracaninophile.co.uk/pgpkey



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Dependencies for dns/unbound

2012-06-05 Thread Matthew Seaman
On 04/06/2012 20:37, Matthew Seaman wrote:
 On 04/06/2012 14:47, Rada alive wrote:
 [root@pladaks /usr/ports/dns/unbound]# make all-depends-list
 /usr/ports/devel/gmake
 /usr/ports/textproc/expat2
 /usr/ports/dns/ldns
 /usr/ports/devel/gettext
 /usr/ports/devel/doxygen
 /usr/ports/devel/libtool
 /usr/ports/converters/libiconv
 /usr/ports/lang/perl5.12
 /usr/ports/devel/tmake
 /usr/ports/graphics/graphviz
 /usr/ports/print/dvipsk-tetex
 /usr/ports/print/teTeX
 /usr/ports/lang/python27
 /usr/ports/devel/bison
 /usr/ports/devel/qt4-corelib
 [... etc -- rest of exceedingly long list of dependencies trimmed ...]
 
 Unset the DOCS option in dns/ldns.  Almost all of those dependencies are
 due to the doxygen support that drags in.

Actually, this is mixed up with the new OPTIONS framework.  One of the
changes involved is that the old NOPORTDOCS and NOPORTEXAMPLES variables
are now treated as global options DOCS and EXAMPLES respectively.  Which
makes a lot of sense and is generally a good idea, but causes some
confusion when a port has a pre-existing DOCS or EXAMPLES option -- the
global DOCS and EXAMPLES are on by default, and this can lead to some
ports having significantly enlarged dependency lists.

On the other hand, the capability to have one global switch to turn on
or off certain options is really interesting.  At the moment it is only
DOCS, EXAMPLES and NLS but surely there are more to come.  X11 perhaps.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey




signature.asc
Description: OpenPGP digital signature
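As an added illustration of the two knobs mentioned in this thread (this fragment is mine, not something posted by Matthew Seaman or Michael Powell), here is a /etc/make.conf that turns off the global DOCS and EXAMPLES options and disables X11 support, which is what pulls the doxygen, TeX and X11 chain into a dns/unbound build via dns/ldns. WITHOUT_X11 is the setting Michael suggested; OPTIONS_UNSET and the per-port ldns_UNSET line come from the OptionsNG framework Matthew describes and are assumed here to be supported by the installed ports tree (the per-port variable is named after the port's UNIQUENAME in the 2012 framework; newer trees derive it from the origin instead, so check the ports Makefile documentation for your version).

```make
# /etc/make.conf fragment (added example, not from the thread).

# Michael Powell's suggestion: no X11 support anywhere.
WITHOUT_X11=	yes

# Global OptionsNG switches: turn the DOCS and EXAMPLES options off for
# every port instead of answering the dialog port by port.
OPTIONS_UNSET=	DOCS EXAMPLES

# Or narrow it to dns/ldns alone, whose DOCS option drags in doxygen and
# with it graphviz, teTeX and the X11 libraries (assumed variable name,
# see lead-in).
ldns_UNSET=	DOCS
```

After saving it, `make -C /usr/ports/dns/ldns showconfig` shows the options that are now in effect, and re-running `make all-depends-list` in dns/unbound should give the short list RW posted rather than the long one.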


Re: Roster DNS Management

2012-06-05 Thread Mark Felder
On Tue, 05 Jun 2012 10:58:39 -0500, Odhiambo Washington  
odhia...@gmail.com wrote:




What does this linking look like?
Do you mean like symlinking zone files, so that domainA is exactly a
replica of domainB - as in conjoined?:)


precisely --

foo.com
foo.net -> foo.com
foo.org -> foo.com
foobar.net -> foo.com
foobar.com -> foo.com
foobar.org -> foo.com
foo2012.com -> foo.com
foo2012.net -> foo.com
foo2012.org -> foo.com
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Dependencies for dns/unbound

2012-06-04 Thread Rada alive
I was hoping to test dns/unbound as a lighter-weight DNS cache service to
replace BIND. A few hours into make install I decided to abort and have a
look at the dependencies.
Can someone tell me why a DNS server needs packages like graphics/jpeg
and x11/randrproto?
Is there a way to build unbound on my system without all the trash?

I tried emailing the port maintainer but my message bounced back.

[root@pladaks /usr/ports/dns/unbound]# make all-depends-list
/usr/ports/devel/gmake
/usr/ports/textproc/expat2
/usr/ports/dns/ldns
/usr/ports/devel/gettext
/usr/ports/devel/doxygen
/usr/ports/devel/libtool
/usr/ports/converters/libiconv
/usr/ports/lang/perl5.12
/usr/ports/devel/tmake
/usr/ports/graphics/graphviz
/usr/ports/print/dvipsk-tetex
/usr/ports/print/teTeX
/usr/ports/lang/python27
/usr/ports/devel/bison
/usr/ports/devel/qt4-corelib
/usr/ports/x11-toolkits/qt4-gui
/usr/ports/devel/qt4-moc
/usr/ports/devel/qmake4
/usr/ports/devel/qt4-rcc
/usr/ports/textproc/qt4-xml
/usr/ports/print/ghostscript9
/usr/ports/graphics/png
/usr/ports/x11-toolkits/libXaw
/usr/ports/x11/libXpm
/usr/ports/x11-toolkits/libXmu
/usr/ports/x11-toolkits/libXt
/usr/ports/x11/libSM
/usr/ports/x11/libICE
/usr/ports/x11/libXext
/usr/ports/x11/libX11
/usr/ports/x11/libXau
/usr/ports/x11/libXdmcp
/usr/ports/x11/libXp
/usr/ports/x11/libXrender
/usr/ports/devel/pkg-config
/usr/ports/graphics/jpeg
/usr/ports/print/freetype2
/usr/ports/x11-fonts/fontconfig
/usr/ports/graphics/gd
/usr/ports/devel/libltdl
/usr/ports/devel/glib20
/usr/ports/x11-toolkits/pango
/usr/ports/devel/gio-fam-backend
/usr/ports/print/tex-texmflocal
/usr/ports/print/teTeX-texmf
/usr/ports/print/teTeX-base
/usr/ports/www/libwww
/usr/ports/devel/t1lib
/usr/ports/print/cm-super
/usr/ports/print/xdvik
/usr/ports/devel/m4
/usr/ports/x11/inputproto
/usr/ports/x11/libXrandr
/usr/ports/x11/libXinerama
/usr/ports/x11/libXfixes
/usr/ports/x11/libXcursor
/usr/ports/x11/libXi
/usr/ports/devel/qt4-uic
/usr/ports/devel/xdg-utils
/usr/ports/devel/autoconf
/usr/ports/dns/libidn
/usr/ports/graphics/jbig2dec
/usr/ports/graphics/tiff
/usr/ports/print/libpaper
/usr/ports/print/gsfonts
/usr/ports/devel/cmake
/usr/ports/x11/printproto
/usr/ports/x11/xextproto
/usr/ports/x11/xproto
/usr/ports/x11/kbproto
/usr/ports/devel/xorg-macros
/usr/ports/x11/xtrans
/usr/ports/x11/libxcb
/usr/ports/x11/bigreqsproto
/usr/ports/x11/xcmiscproto
/usr/ports/x11-fonts/xf86bigfontproto
/usr/ports/x11/renderproto
/usr/ports/devel/pcre
/usr/ports/devel/gobject-introspection
/usr/ports/x11-fonts/libXft
/usr/ports/graphics/cairo
/usr/ports/x11-fonts/xorg-fonts-truetype
/usr/ports/x11-fonts/encodings
/usr/ports/devel/gamin
/usr/ports/print/font-amsfonts
/usr/ports/textproc/texi2html
/usr/ports/archivers/unzip
/usr/ports/x11-fonts/p5-type1inst
/usr/ports/x11-toolkits/open-motif
/usr/ports/x11/randrproto
/usr/ports/x11/xineramaproto
/usr/ports/x11/fixesproto
/usr/ports/misc/hicolor-icon-theme
/usr/ports/misc/help2man
/usr/ports/devel/autoconf-wrapper
/usr/ports/graphics/jbigkit
/usr/ports/devel/libcheck
/usr/ports/textproc/libxslt
/usr/ports/x11/xcb-proto
/usr/ports/devel/libpthread-stubs
/usr/ports/devel/libffi
/usr/ports/x11/xcb-util-renderutil
/usr/ports/x11/pixman
/usr/ports/x11-fonts/font-bh-ttf
/usr/ports/x11-fonts/font-misc-meltho
/usr/ports/x11-fonts/font-misc-ethiopic
/usr/ports/x11-fonts/bitstream-vera
/usr/ports/x11-fonts/mkfontscale
/usr/ports/x11-fonts/bdftopcf
/usr/ports/x11-fonts/font-util
/usr/ports/x11-fonts/mkfontdir
/usr/ports/x11/xbitmaps
/usr/ports/devel/p5-Locale-gettext
/usr/ports/security/libgcrypt
/usr/ports/textproc/libxml2
/usr/ports/x11/xcb-util
/usr/ports/x11-fonts/libfontenc
/usr/ports/x11-fonts/libXfont
/usr/ports/security/libgpg-error
/usr/ports/devel/gperf
/usr/ports/x11-fonts/fontsproto
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Dependencies for dns/unbound

2012-06-04 Thread Michael Powell
Rada alive wrote:

 I was hoping to test dns/unbound as a lighter-weight DNS cache service to
 replace BIND. A few hours into make install I decided to abort and have
 a look at the dependencies.
 Can someone tell me why a DNS server needs packages like graphics/jpeg
 and x11/randrproto?

This I do not know.

 Is there a way to build unbound on my system without all the trash?

Try placing WITHOUT_X11= yes in /etc/make.conf

 I tried emailing the port maintainer but my message bounced back.
 
[snip]

-Mike


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Dependencies for dns/unbound

2012-06-04 Thread RW
On Mon, 4 Jun 2012 15:47:29 +0200
Rada alive wrote:

 I was hoping to test dns/unbound as a lighter-weight DNS cache
 service to replace BIND. A few hours into make install i decided to
 abort and have a look at the dependencies.
 Can someone tell me why a DNS server needs packages like
 graphics/jpeg and x11/randrproto?


It doesn't 

$ make all-depends-list
/usr/ports/devel/gmake
/usr/ports/textproc/expat2
/usr/ports/dns/ldns
/usr/ports/devel/gettext
/usr/ports/devel/libtool
/usr/ports/converters/libiconv

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Dependencies for dns/unbound

2012-06-04 Thread Matthew Seaman
On 04/06/2012 14:47, Rada alive wrote:
 [root@pladaks /usr/ports/dns/unbound]# make all-depends-list
 /usr/ports/devel/gmake
 /usr/ports/textproc/expat2
 /usr/ports/dns/ldns
 /usr/ports/devel/gettext
 /usr/ports/devel/doxygen
 /usr/ports/devel/libtool
 /usr/ports/converters/libiconv
 /usr/ports/lang/perl5.12
 /usr/ports/devel/tmake
 /usr/ports/graphics/graphviz
 /usr/ports/print/dvipsk-tetex
 /usr/ports/print/teTeX
 /usr/ports/lang/python27
 /usr/ports/devel/bison
 /usr/ports/devel/qt4-corelib
 [... etc -- rest of exceedingly long list of dependencies trimmed ...]

Unset the DOCS option in dns/ldns.  Almost all of those dependencies are
due to the doxygen support that drags in.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey




signature.asc
Description: OpenPGP digital signature


Re: What happened to FreeBSD.org DNS earlier today?

2012-03-11 Thread Julian H. Stacey
 No -- you were not imagining things.  The DNS for freebsd.org was
 temporarily broken.  It was that most impossible to remove of causes:
 human error.

That's good, as it means not sun spots aka EMP aka gamma :-)

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below not above, cumulative like a play script,  indent with  .
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
Mail from @yahoo dumped @berklix.  http://berklix.org/yahoo/
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: What happened to FreeBSD.org DNS earlier today?

2012-03-11 Thread Robert Huff
Julian H. Stacey writes:

   No -- you were not imagining things.  The DNS for freebsd.org was
   temporarily broken.  It was that most impossible to remove of causes:
   human error.
  
  That's good, as it means not sun spots aka EMP aka gamma :-)

Hulk _not_ eat sushi near puny human puny machine!


Robert Huff

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: What happened to FreeBSD.org DNS earlier today?

2012-03-11 Thread Conrad J. Sabatier
On Sun, 11 Mar 2012 12:16:25 +0100
Julian H. Stacey j...@berklix.com wrote:

  No -- you were not imagining things.  The DNS for freebsd.org was
  temporarily broken.  It was that most impossible to remove of
  causes: human error.
 
 That's good, as it means not sun spots aka EMP aka gamma :-)
 
 Cheers,
 Julian

Or the first ominous foreshadowing of the apocalyptic event(s) to unfold
later this year, come December.  :-)

I mean, if FreeBSD's DNS can go down, The End must certainly be near.
The falcon cannot hear the falconer.  Things fall apart.  The center
cannot hold.  Mere anarchy is loosed upon the world, and so on and so
forth.

-- 
Conrad J. Sabatier
conr...@cox.net
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: What happened to FreeBSD.org DNS earlier today?

2012-03-11 Thread Robert
On Sun, 11 Mar 2012 09:39:32 -0500
Conrad J. Sabatier conr...@cox.net wrote:

 On Sun, 11 Mar 2012 12:16:25 +0100
 Julian H. Stacey j...@berklix.com wrote:
 
   No -- you were not imagining things.  The DNS for freebsd.org was
   temporarily broken.  It was that most impossible to remove of
   causes: human error.
  
  That's good, as it means not sun spots aka EMP aka gamma :-)
  
  Cheers,
  Julian
 
 Or the first ominous foreshadowing of the apocalyptic event(s) to
 unfold later this year, come December.  :-)
 
 I mean, if FreeBSD's DNS can go down, The End must certainly be near.
 The falcon cannot hear the falconer.  Things fall apart.  The center
 cannot hold.  Mere anarchy is loosed upon the world, and so on and so
 forth.
 
Let's just blame it on Bush! Everybody else does.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: What happened to FreeBSD.org DNS earlier today?

2012-03-11 Thread Conrad J. Sabatier
On Sun, 11 Mar 2012 11:36:28 -0700
Robert travelin...@cox.net wrote:

 Let's just blame it on Bush! Everybody else does.

Are you sure it wasn't the evildoers?  You know, the terrists?
Maybe laying the groundwork for a nucular strike?

-- 
Conrad J. Sabatier
conr...@cox.net
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: What happened to FreeBSD.org DNS earlier today?

2012-03-11 Thread Jerry
On Sun, 11 Mar 2012 11:36:28 -0700
Robert articulated:

 Let's just blame it on Bush! Everybody else does.

Unless you are a right wing fascist; i.e. Limbaugh or Hannity, then you
blame Obama or Clinton.

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__

No matter what problem you have with your computer - Its Always
Microsoft's fault

Corollary: If its not their fault - Blame them anyway :-)
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: What happened to FreeBSD.org DNS earlier today?

2012-03-11 Thread Al Plant

Matthew Seaman wrote:

On 10/03/2012 23:41, Da Rock wrote:

On 03/11/12 07:01, Mark Felder wrote:

On 10.03.2012 14:43, Conrad J. Sabatier wrote:

Earlier today, for a period of about 30-45 minutes or so, any attempt to
connect to www.freebsd.org was yielding failed hostname lookups.



Did anyone else notice this?  Any word on what was causing it?  I have
to admit, it was rather startling at first.



Do you have any further details? What are you using for DNS servers,
or are you doing lookups yourself?



Actually, around the same time others were reporting another site (not
fbsd, which I could access easily) was broken. So maybe a dark cloud
passed over? ;)


No -- you were not imagining things.  The DNS for freebsd.org was
temporarily broken.  It was that most impossible to remove of causes:
human error.

Cheers,

Matthew




Aloha,

Ah, too bad, Matthew,

I was going to ask if it was the pesky Solar flares.

~Al Plant - Honolulu, Hawaii -  Phone:  808-284-2740
  + http://hawaiidakine.com + http://freebsdinfo.org +
  + http://aloha50.net   - Supporting - FreeBSD  7.2 - 8.0 - 9* +
   email: n...@hdk5.net 
All that's really worth doing is what we do for others.- Lewis Carroll

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


RE: DNS - slaving the root zone

2012-02-19 Thread Terrence Koeman
On Sun, 19 Feb 2012 at 01:14:47, Doug Barton wrote:

 On 02/18/2012 03:23, Damien Fleuriot wrote:

 On 2/18/12 12:57 AM, Doug Barton wrote:

 To clarify, almost universally the opposition to the idea centers
 around the problems of users who enable this method, and then don't
 notice if something changes/breaks, resulting in a stale zone (or
 zones, depending on what you choose to slave). I have always
 acknowledged that this is a valid concern, just not one that I think
 overwhelms the virtues of doing the slaving in the first place.


 Could you elaborate on the something changes/breaks, admin doesn't
 notice, results in a stale zone bit ?

 Most commonly whatever auth. server the user is axfr'ing from suddenly
 stops offering that ability.
[snip]

I'm just done converting from named.root to slaving the root, I checked which 
servers allow axfr (at least for me...) and added them all as masters. Multiple 
masters would substantially decrease the risk of stale zones, yes? I have 
attached the relevant portion of my config, maybe it's useful.

Also, I was wondering, now that I slave . and arpa, is it still beneficial to 
retain the 'empty zones' that fall within those or are they redundant?

I figure they are, as the comments say 'Serving the following zones locally 
will prevent any queries for these zones leaving your network and going to the 
root name servers.' and now my server *is* the root as far as it knows.

Thanks.

--
Regards,
T. Koeman, MTh/BSc/BPsy; Technical Monk

MediaMonks B.V. (www.mediamonks.com)
Please quote relevant replies in correspondence.



named.conf
Description: Binary data
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: DNS - slaving the root zone

2012-02-19 Thread Doug Barton
On 02/19/2012 10:39, Terrence Koeman wrote:

 I'm just done converting from named.root to slaving the root, I
 checked which servers allow axfr (at least for me...) and added them
 all as masters.

Given that some of the root server operators don't really like people
doing this routinely it would be net.friendlier to list the ICANN
servers first. They are just as up to date as the live root servers.

 Multiple masters would substantially decrease the
 risk of stale zones, yes?

Yes.

 Also, I was wondering, now that I slave . and arpa, is it still
 beneficial to retain the 'empty zones' that fall within those or are
 they redundant?

They are not redundant, and yes, they are still beneficial.


Doug

-- 

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: DNS - slaving the root zone

2012-02-18 Thread Damien Fleuriot

On 2/18/12 12:57 AM, Doug Barton wrote:
 
 To clarify, almost universally the opposition to the idea centers around
 the problems of users who enable this method, and then don't notice if
 something changes/breaks, resulting in a stale zone (or zones, depending
 on what you choose to slave). I have always acknowledged that this is a
 valid concern, just not one that I think overwhelms the virtues of doing
 the slaving in the first place.
 

Could you elaborate on the something changes/breaks, admin doesn't
notice, results in a stale zone bit ?

I fail to see the circumstances under which that could happen.



 The method currently in comments in /etc/namedb/named.conf suggests
 servers generously provided by ICANN that are dedicated to allowing AXFR
 of various infrastructure zones. (Note, ICANN does not necessarily
 endorse the idea of slaving these zones for resolvers, but I do have
 their permission to include these servers in our named.conf.) That
 alleviates one of the other criticisms of slaving these zones, as it
 presents no load on the actual root servers at all.
 
 So in short, this is an excellent idea, I've been doing it/recommending
 it for years, and assuming you have the knowledge/ability to keep your
 resolvers up to date (and/or you're tracking our named.conf where I do
 it for you) then it's totally safe to do.
 

Indeed, been deleting the traditional hint file based . zone for a while
and using the slaving mechanism for over a year already, works fine
enough for us.

You have me somewhat worried with the bit about something breaking
though, thus the call for details ;)
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: DNS - slaving the root zone

2012-02-18 Thread Doug Barton
On 02/18/2012 03:23, Damien Fleuriot wrote:
 
 On 2/18/12 12:57 AM, Doug Barton wrote:

 To clarify, almost universally the opposition to the idea centers around
 the problems of users who enable this method, and then don't notice if
 something changes/breaks, resulting in a stale zone (or zones, depending
 on what you choose to slave). I have always acknowledged that this is a
 valid concern, just not one that I think overwhelms the virtues of doing
 the slaving in the first place.

 
 Could you elaborate on the something changes/breaks, admin doesn't
 notice, results in a stale zone bit ?

Most commonly whatever auth. server the user is axfr'ing from suddenly
stops offering that ability.

 I fail to see the circumstances under which that could happen.

I tend to agree, which is why I weight this particular objection pretty
low. If you don't notice failed axfrs, you've already got deeper
problems. :)

To be fair however, there are a lot of people who believe (rightly or
wrongly) that resolving DNS should be a fire and forget service. Those
of us who do this for a living know that this was never true, and DNSSEC
makes that even less true. However, if you happen to be one of those
people, this method is not for you.

 Indeed, been deleting the traditional hint file based . zone for a while
 and using the slaving mechanism for over a year already, works fine
 enough for us.

I'm glad to hear that. Makes me feel that my efforts in this area have
been worthwhile.

 You have me somewhat worried with the bit about something breaking
 though, thus the call for details ;)

Understood. You don't seem to be the type of operator who is likely to
run afoul here, FWIW.


Doug

-- 

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
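The failure mode Doug describes (a master quietly stops offering AXFR and the slaved copy of . or arpa goes stale) is easy to catch if you watch for it: compare the SOA serial your resolver answers with against the serial a master answers with. The script below is an added example written for this thread, not something Doug, Terrence or Damien posted; it takes the one-line output of `dig +short @<server> SOA <zone>` for both sides and compares the serials with RFC 1982 serial arithmetic, so it also behaves correctly when a serial wraps. The two answer lines in it are constructed samples so that it runs offline; in use you would substitute `dig +short @127.0.0.1 SOA .` and the same query against one of the masters in your named.conf.

```sh
#!/bin/sh
# Added example (not from the thread): flag a slaved zone whose SOA serial
# lags the master's, the footprint a failed or stopped AXFR leaves behind.
# The sample answers are constructed stand-ins for `dig +short @host SOA zone`.

# Field 3 of a `dig +short SOA` answer is the serial:
#   mname rname serial refresh retry expire minimum
soa_serial() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# RFC 1982 serial-number comparison (32-bit values, wrapping at 2^32).
# Prints "behind", "equal" or "ahead" describing $1 relative to $2.
serial_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        a += 0; b += 0
        if (a == b) { print "equal"; exit }
        if ((a < b && b - a < 2147483648) || (a > b && a - b > 2147483648))
            print "behind"
        else
            print "ahead"
    }'
}

# check_zone LOCAL_ANSWER MASTER_ANSWER
# Returns 0 when the local serial is equal to or ahead of the master's,
# 1 when it lags, 2 when an answer could not be parsed (e.g. SERVFAIL).
check_zone() {
    local_serial=$(soa_serial "$1")
    master_serial=$(soa_serial "$2")
    if [ -z "$local_serial" ] || [ -z "$master_serial" ]; then
        echo "ERROR: could not parse an SOA answer" >&2
        return 2
    fi
    case "$(serial_cmp "$local_serial" "$master_serial")" in
        behind)
            echo "STALE: local serial $local_serial is behind master serial $master_serial"
            return 1 ;;
        *)
            echo "OK: local serial $local_serial (master $master_serial)"
            return 0 ;;
    esac
}

# Constructed sample answers: the local slave copy is two days behind.
sample_local='a.root-servers.net. nstld.verisign-grs.com. 2012021700 1800 900 604800 86400'
sample_master='a.root-servers.net. nstld.verisign-grs.com. 2012021900 1800 900 604800 86400'

# Stand-alone run against the samples (prints the STALE line, status 1).
check_zone "$sample_local" "$sample_master" || :
```

Run it from cron against each zone you slave and alert on a non-zero exit; with several masters listed, as Terrence does, checking against more than one of them also tells you which master stopped answering. A parse failure (status 2) is worth alerting on too, since a resolver that cannot answer the SOA for . at all is a bigger problem than a lagging serial.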


DNS - slaving the root zone

2012-02-17 Thread Damien Fleuriot
Hello list, Jeremy, Doug,


We're currently having a discussion on the FRnOG mailing list regarding
the laughable announcement of an attack on the DNS root servers by
Anonymous.

I've kinda hijacked the thread to ask whether people slave the root zone
or not, and why if not.


Active poster, renowned blogger and AFNIC worker Stephane Bortzmeyer
pointed out that it might not be a good idea and submitted the following
discussion from 2007 as reference:
http://lists.freebsd.org/pipermail/freebsd-current/2007-August/075895.html


Do you still believe slaving the root zone to be a bad idea ?

I actually do it on production 8-STABLE boxes here, seems to work well
enough.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: DNS - slaving the root zone

2012-02-17 Thread Jeremy Chadwick
On Fri, Feb 17, 2012 at 02:41:57PM +0100, Damien Fleuriot wrote:
 Hello list, Jeremy, Doug,
 
 
 We're currently having a discussion on the FRnOG mailing list regarding
 the laughable announcement of an attack on the DNS root servers by
 Anonymous.
 
 I've kinda hijacked the thread to ask whether people slave the root zone
 or not, and why if not.
 
 
 Active poster, renowned blogger and AFNIC worker Stephane Bortzmeyer
 pointed out that it might not be a good idea and submitted the following
 discussion from 2007 as reference:
 http://lists.freebsd.org/pipermail/freebsd-current/2007-August/075895.html
 
 
 Do you still believe slaving the root zone to be a bad idea ?

The important thread (IMO) is actually here:

https://lists.dns-oarc.net/pipermail/dns-operations/2007-July/thread.html#1804

These are the people you should be asking this question to given the
announcement.  Folks like Paul Vixie and David Conrad.

Also, just a tip: given that at an old job I dealt with DoS and DDoS
attacks on our infrastructure on a near-daily basis (advice to public:
never run a public IRC server on a major network), I wouldn't be so
quick to dismiss the claim as laughable.  Folks can bring up the
distribution of all the root servers, anycast, etc. all they want, but
nobody truly knows how distributed the DDoS will be.  Sit back and
think about that one for a little while, let it stew in your mind.

Rest assured, if what is being proposed turns out to be accomplished,
you will be quite surprised at how many large Fortune 500 companies and
financial organisations are impacted by it.  I can't go into details,
but I can assure you with utmost certainty that many of them rely on
Internet transit for very important transactions -- most of which use
DNS-based lookups for all sorts of things.  Given the state of IT in
general these days, chances are very few companies have thought ahead in
this case.  Though DNS may not simply break 100% (duh), failed lookups
and oddities occurring all over the place would be likely.  If you've
ever worked at a large corporation, you'll know how easy it is for
people to incorrectly assess reasons for outages -- it wouldn't surprise
me if it took said companies 24-48 hours to figure out what was truly
the root cause.

TL;DR -- don't be hasty when it comes to threats on the Internet on such
a large scale.  It's amazing the infrastructure we have today works at
all anyway.

-- 
| Jeremy Chadwick  jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, US |
| Making life hard for others since 1977. PGP 4BD6C0CB |
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: DNS - slaving the root zone

2012-02-17 Thread Doug Barton
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 02/17/2012 05:41, Damien Fleuriot wrote:
 Hello list, Jeremy, Doug,
 
 
 We're currently having a discussion on the FRnOG mailing list regarding
 the laughable announcement of an attack on the DNS root servers by
 Anonymous.

Given their success at their previous endeavors, I wouldn't call it
laughable. Even if they are unsuccessful at taking down all of the
root servers, if *your* particular part of the Internet gets knocked
down, that's pretty important to you, right?

OTOH, I think that actually doing what they state they want to do will
be very difficult, and not likely to produce the results that they
believe it will. However, unlike some in the DNS/Security communities I
do not intend to outline the deficiencies in their plan, lest they take
advantage of the opportunity to improve it. :)

 I've kinda hijacked the thread to ask whether people slave the root zone
 or not, and why if not.

Well there is no secret that I (and many others) think it's a good idea.

 Active poster, renowned blogger and AFNIC worker Stephane Bortzmeyer
 pointed out that it might not be a good idea and submitted the following
 discussion from 2007 as reference:
 http://lists.freebsd.org/pipermail/freebsd-current/2007-August/075895.html

I know Stephane professionally, and I respect his opinion about many
topics. On this topic we disagree.

 Do you still believe slaving the root zone to be a bad idea ?

I never thought it was a bad idea. I've been suggesting that people do
it for years. :)

To clarify, almost universally the opposition to the idea centers around
the problems of users who enable this method, and then don't notice if
something changes/breaks, resulting in a stale zone (or zones, depending
on what you choose to slave). I have always acknowledged that this is a
valid concern, just not one that I think overwhelms the virtues of doing
the slaving in the first place.

The method currently in comments in /etc/namedb/named.conf suggests
servers generously provided by ICANN that are dedicated to allowing AXFR
of various infrastructure zones. (Note, ICANN does not necessarily
endorse the idea of slaving these zones for resolvers, but I do have
their permission to include these servers in our named.conf.) That
alleviates one of the other criticisms of slaving these zones, as it
presents no load on the actual root servers at all.

So in short, this is an excellent idea, I've been doing it/recommending
it for years, and assuming you have the knowledge/ability to keep your
resolvers up to date (and/or you're tracking our named.conf where I do
it for you) then it's totally safe to do.


hth,

Doug

- -- 

It's always a long day; 86400 doesn't fit into a short.

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
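The one risk Doug concedes above, a slaved zone going stale without anyone noticing, is the part worth monitoring. The following is an added example, not code from the thread nor from FreeBSD's named.conf: a POSIX sh script that compares the SOA serial a local resolver serves for a zone with the serial an upstream authoritative server reports, using RFC 1982 serial arithmetic so a serial that has wrapped is not misread as "behind". The function names (soa_serial, serial_behind, compare_soa, zone_status) are ours, dig(1) is assumed to be installed for the live check, and the SOA text used in the comments is constructed rather than captured from a server.

```sh
#!/bin/sh
# Added example (not from the thread, not FreeBSD's named.conf): check whether
# a slaved zone served by a local resolver has gone stale by comparing its
# SOA serial with the serial an upstream authoritative server reports.
# Serials are compared with RFC 1982 arithmetic (32-bit, wrapping), so a
# serial that has wrapped past 2^32 is not misread as "behind".
# Assumptions: dig(1) from BIND is installed; function names are ours; the
# SOA text in the comments is constructed, not captured from a real server.

# soa_serial "<dig +short SOA output>" -> prints the serial (3rd field).
# Example input (constructed):
#   a.root-servers.net. nstld.verisign-grs.com. 2012021401 1800 900 604800 86400
# dig's own error text (";; connection timed out ...") has no numeric 3rd
# field, so it yields nothing and is reported as "unknown" below.
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 && $3 ~ /^[0-9]+$/ { print $3; exit }'
}

# serial_behind LOCAL UPSTREAM -> exit 0 if LOCAL is behind UPSTREAM
# under RFC 1982 serial arithmetic, exit 1 if equal or ahead.
serial_behind() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        a += 0; b += 0; half = 2147483648          # 2^31
        if (a == b) exit 1
        if ((a < b && b - a < half) || (a > b && a - b > half)) exit 0
        exit 1
    }'
}

# compare_soa LOCAL_SOA UPSTREAM_SOA -> prints ok | stale | unknown
# "unknown" covers a missing or malformed answer (resolver down, zone not
# loaded), which deserves an alert just as much as "stale".
compare_soa() {
    l=$(soa_serial "$1")
    u=$(soa_serial "$2")
    if [ -z "$l" ] || [ -z "$u" ]; then
        echo unknown
    elif serial_behind "$l" "$u"; then
        echo stale
    else
        echo ok
    fi
}

# zone_status ZONE LOCAL_NS UPSTREAM_NS -> prints ok | stale | unknown
# +norecurse asks each server for what it holds itself rather than letting
# it resolve on our behalf. This one needs network access.
zone_status() {
    zone=$1 local_ns=$2 upstream_ns=$3
    local_soa=$(dig +short +norecurse "@$local_ns" "$zone" SOA)
    upstream_soa=$(dig +short +norecurse "@$upstream_ns" "$zone" SOA)
    compare_soa "$local_soa" "$upstream_soa"
}

# Typical cron use (root zone slaved on the local resolver, checked against
# one of the root servers):
#   zone_status . 127.0.0.1 a.root-servers.net
```

Run it from cron and alert on anything other than "ok"; a resolver that answers from a stale slave is silent about it, which is exactly why the comparison has to be made from outside named.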


changed ip-address, DNS lookups don't work anymore

2012-01-19 Thread n dhert
FreeBSD 8.2 system.
Gets its TCP/IP parameters (and DNS name-server IPs) from a DHCP server,
with a fixed IP address
(the system always gets the same IP, based on its MAC address as specified
in the DHCP config file).

Now I wanted the system to have a different IP address.
Changed the DHCP server config accordingly.
Reboot. OK, from "ifconfig -a" I can see it received the new IP.

But DNS lookups don't work any longer ..
$ host xxx.yyy.zzz.com
;; connection timed out; no servers could be reached

The system is behind a firewall, but there are NO errors logged relating
to the (new) IP address.
Other FreeBSD-8.2 systems using the same DHCP server, configured in exactly
the same way, work perfectly well.

I can SSH to the system, but it takes 20 or 30 seconds before the Password:
prompt appears (normally it should be immediate).
Once in the system, starting my alpine mail client, it takes a minute or so
to display the messages (normally this should be immediate).
Also at boot of the system there is a wait of 2.5 minutes somewhere in the
series of "Starting daemon" messages.
Probably these three phenomena have the same cause: DNS lookups don't work.

Any idea what can be wrong?
I've looked and compared with other systems, can't find it ...


Re: changed ip-address, DNS lookups don't work anymore

2012-01-19 Thread Damien Fleuriot


On 1/19/12 3:32 PM, n dhert wrote:
 FreeBSD 8.2 system.
 Gets its TCP/IP parameters (and DNS name-server IPs) from a DHCP server,
 with a fixed IP address
 (the system always gets the same IP, based on its MAC address as specified
 in the DHCP config file).
 
 Now I wanted the system to have a different IP address.
 Changed the DHCP server config accordingly.
 Reboot. OK, from "ifconfig -a" I can see it received the new IP.
 
 But DNS lookups don't work any longer ..
 $ host xxx.yyy.zzz.com
 ;; connection timed out; no servers could be reached
 
 The system is behind a firewall, but there are NO errors logged relating
 to the (new) IP address.
 Other FreeBSD-8.2 systems using the same DHCP server, configured in exactly
 the same way, work perfectly well.
 
 I can SSH to the system, but it takes 20 or 30 seconds before the Password:
 prompt appears (normally it should be immediate).
 Once in the system, starting my alpine mail client, it takes a minute or so
 to display the messages (normally this should be immediate).
 Also at boot of the system there is a wait of 2.5 minutes somewhere in the
 series of "Starting daemon" messages.
 Probably these three phenomena have the same cause: DNS lookups don't work.
 
 Any idea what can be wrong?
 I've looked and compared with other systems, can't find it ...



First, add "UseDNS no" to either /etc/ssh/sshd_config or
/usr/local/etc/ssh/sshd_config.

That'll allow you to log in via SSH without the server performing DNS
lookups, which are rather useless anyway.

Second, you should run tcpdump on your DNS host to check if you're
actually receiving requests from your freebsd box.


Also, post your /etc/resolv.conf , netstat -rn and ifconfig

I'd also be interested in the relevant parts of your firewalling config


Re: changed ip-address, DNS lookups don't work anymore

2012-01-19 Thread n dhert

 - with UseDNS no, I can login quickly again..
 - I don't manage the DNS servers, can't do anything there, but I do believe
 they do not receive anything,
 since I now see I can't even ping any of the three of them specified in
 my /etc/resolv.conf file
 # ping 143.169.254.100
 - the /etc/resolv.conf file is OK (same as on other machines getting DHCP
 info from the same DHCP server)

 [admin@pclinwi7475old 75.126 ~]$ netstat -m
 258/267/525 mbufs in use (current/cache/total)
 256/134/390/16704 mbuf clusters in use (current/cache/total/max)
 256/128 mbuf+clusters out of packet secondary zone in use (current/cache)
 0/2/2/8352 4k (page size) jumbo clusters in use (current/cache/total/max)
 0/0/0/4176 9k jumbo clusters in use (current/cache/total/max)
 0/0/0/2088 16k jumbo clusters in use (current/cache/total/max)
 576K/342K/919K bytes allocated to network (current/cache/total)
 0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
 0/0/0 requests for jumbo clusters denied (4k/9k/16k)
 0/4/4432 sfbufs in use (current/peak/max)
 0 requests for sfbufs denied
 0 requests for sfbufs delayed
 0 requests for I/O initiated by sendfile
 0 calls to protocol drain routines
 [admin@pclinwi7475old 75.126 ~]$ ifconfig
 em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
 	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
 	ether 00:0b:db:53:3e:15
 	inet 143.129.75.126 netmask 0xffffff00 broadcast 143.129.75.255
 	media: Ethernet autoselect (100baseTX <full-duplex>)
 	status: active
 plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
 	options=3<RXCSUM,TXCSUM>
 	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
 	inet6 ::1 prefixlen 128
 	inet 127.0.0.1 netmask 0xff000000
 	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

 I now believe there is still something wrong on the firewall,
 something in the cache referring to the old IP address?

 I use shorewall on a Ubuntu 11.04 ...


 2012/1/19 Damien Fleuriot m...@my.gd



 On 1/19/12 3:32 PM, n dhert wrote:
  FreeBSD 8.2 system.
  Gets its TCP/IP parameters (and DNS name-server IPs) from a DHCP server,
  with a fixed IP address
  (the system always gets the same IP, based on its MAC address as
  specified in the DHCP config file).
 
  Now I wanted the system to have a different IP address.
  Changed the DHCP server config accordingly.
  Reboot. OK, from "ifconfig -a" I can see it received the new IP.
 
  But DNS lookups don't work any longer ..
  $ host xxx.yyy.zzz.com
  ;; connection timed out; no servers could be reached
 
  The system is behind a firewall, but there are NO errors logged relating
  to the (new) IP address.
  Other FreeBSD-8.2 systems using the same DHCP server, configured in
  exactly the same way, work perfectly well.
 
  I can SSH to the system, but it takes 20 or 30 seconds before the
  Password: prompt appears (normally it should be immediate).
  Once in the system, starting my alpine mail client, it takes a minute
  or so to display the messages (normally this should be immediate).
  Also at boot of the system there is a wait of 2.5 minutes somewhere in
  the series of "Starting daemon" messages.
  Probably these three phenomena have the same cause: DNS lookups don't
  work.
 
  Any idea what can be wrong?
  I've looked and compared with other systems, can't find it ...
 


 First, add "UseDNS no" to either /etc/ssh/sshd_config or
 /usr/local/etc/ssh/sshd_config.

 That'll allow you to log in via SSH without the server performing DNS
 lookups, which are rather useless anyway.

 Second, you should run tcpdump on your DNS host to check if you're
 actually receiving requests from your freebsd box.


 Also, post your /etc/resolv.conf , netstat -rn and ifconfig

 I'd also be interested in the relevant parts of your firewalling config





Re: DNS

2012-01-02 Thread Walter Alejandro Iglesias
On Sun, Jan 01, 2012 at 04:26:38PM -0800, Waitman Gobble wrote:
 You have to have your nameserver listed with internic (for .com and .net -
 ie, your nameserver has to show up in the NAMESERVER whois (note: different
 than DOMAIN whois) on http://www.internic.net/whois.html) and also for each

This is exactly the point I missed.  At that opportunity I
searched in all places except in the right one.

 
 Waitman

I am very grateful.


Walter






Re: DNS

2012-01-02 Thread Walter Alejandro Iglesias
On Sun, Jan 01, 2012 at 04:26:38PM -0800, Waitman Gobble wrote:
 Yes, you can run BIND on the same FreeBSD machine as your web server.
 You have to have your nameserver listed with internic (for .com and .net -
 ie, your nameserver has to show up in the NAMESERVER whois (note: different
 than DOMAIN whois) on http://www.internic.net/whois.html) and also for each
 TLD you want to provide service for (ie, .org, .mobi, etc etc) .
 If you are using opensrs it's pretty simple to list your nameserver with
 local and foreign tlds, but with other Registrars - you'd have to check
 into the details. It's generally easier to use a local domain for the
 nameservers (ie, ns1.example.mobi for .mobi domains.) but it is also
 possible to use foreign nameservers (ie, ns1.example.com to resolve
 www.example.mobi - is considered foreign)
 
 Waitman

Bothering you again Waitman,

Now after refreshing my memory (it happened one year ago) I
could remember that I did register the nameservers.  I found the
option in my registrar to add to some domain, i.e. mydomain.com,
the entries ns1.mydomain.com, etc.  I think that the problem I
had was related to the IPs.  The VPS provider gave me just
two, and AFAIK each name server needs its own dedicated IP.  Now
I can remember that I asked their support team and they
answered me that the nameservers could perfectly share the IP
with the domains.  Could that be the reason I don't get the
thing working?

Walter





Re: DNS

2012-01-02 Thread Waitman Gobble
Now after refreshing my memory (it happened one year ago) I

 could remember that I did register the nameservers.  I found the
 option in my registrar to add to some domain, i.e. mydomain.com,
 the entries ns1.mydomain.com, etc.  I think that the problem I
 had was related to the IPs.  The VPS provider gave me just
 two, and AFAIK each name server needs its own dedicated IP.  Now
 I can remember that I asked their support team and they
 answered me that the nameservers could perfectly share the IP
 with the domains.  Could that be the reason I don't get the
 thing working?

Walter


Hello,

You /can/ have a nameserver with the same IP as www. And you /can/ multihome
your NIC with multiple IPs on the same machine,

ie,
www.example.com 192.168.0.131 and 192.168.0.132 (if you want, optional
extra address for www)
ns1.example.com 192.168.0.131
ns2.example.com 192.168.0.132

Waitman


Re: DNS

2012-01-02 Thread Walter Alejandro Iglesias
On Mon, Jan 02, 2012 at 11:06:39AM -0800, Waitman Gobble wrote:
 Hello,
 
 You /can/ have a nameserver with the same IP as www. And you /can/ multihome
 your NIC with multiple IPs on the same machine,
 
 ie,
 www.example.com 192.168.0.131 and 192.168.0.132 (if you want, optional
 extra address for www)
 ns1.example.com 192.168.0.131
 ns2.example.com 192.168.0.132
 
 Waitman

I thought I had isolated the problem.  God is playing with me
like in The Truman Show :-).  Well, the next time I get a
dedicated server I will try again.

Many thanks Waitman

Walter





Fwd: DNS

2012-01-01 Thread Daniel Lewis
-- Forwarded message --
From: Daniel Lewis innervisionnetw...@gmail.com
Date: Sat, Dec 31, 2011 at 6:50 PM
Subject: DNS
To: freebsd-questions@freebsd.org


I'm new to FreeBSD 8.2 and the Unix world. How do I set up DNS to support my
domain www.innervisionnetworks.com? The registrar is asking for nameserver info
and not an IP address. How do I set up a nameserver and point it to my directory
with the HTML document inside?




Thank you,
Daniel Lewis


Re: DNS

2012-01-01 Thread Waitman Gobble
On Sun, Jan 1, 2012 at 12:20 PM, Daniel Lewis
innervisionnetw...@gmail.comwrote:


 I'm new to FreeBSD 8.2 and the Unix world. How do I set up DNS to support my
 domain



Hi Daniel,

You probably want to use ISC bind in /usr/ports/dns

I recommend you read the O'Reilly book DNS and BIND.


Basic process -


Install and configure bind. If possible set up on two or more machines/ip.
IMHO it's less hassle to set up duplicate masters and rsync changes from
your 'main' install instead of setting up master/slave configurations.

create zone file for your domain, ie

$TTL 86400
example.com.        IN  SOA ns1.example.com. n...@example.com. (
                        2012010210
                        28800
                        7200
                        1209600
                        86400 )
example.com.        NS  ns1.example.com.
example.com.        NS  ns2.example.com.
example.com.        MX  0 mail.example.com.
example.com.        A   192.168.0.133
www.example.com.    A   192.168.0.133
*                   IN  CNAME   www.example.com.

cname is good for people who enjoy making typos like  and ww


add your domain zone file to named.conf, ie

zone "example.com" IN {
type master;
file "example.com.hosts";
};


reload nameserver

rndc reload

export your nameservers to root ns, this process varies for registrar -
look for use my own nameserver or create nameservers based on domain in
your registrar help docs. Maybe you can contact internic/nsi directly
instead (?). Back in the old days users just spread around copies of the
hosts file.

Have fun.

Waitman Gobble
San Jose California USA


Re: DNS

2012-01-01 Thread Waitman Gobble
On Sun, Jan 1, 2012 at 2:54 PM, Robert Huff roberth...@rcn.com wrote:


 Walter Alejandro Iglesias writes:

   Time ago I made the attempt to setup my own DNS in the same
   machine I had my web server running.  DNS was the only thing I
   was not able to automatically update in the system with my
   scripts each time a new customer purchased a service.  It would
   be wonderful for me if you or anyone here at least confirm me if
   it is really possible.

 What is possible - updating using scripts, or running BIND on
 the same machine as a web server (presumably Apache)?
While I'm sure someone has written them, I don't know of any
 scripts that will update (whatever that means) BIND configuration
 files that are included either as part of the base system or as
 ports.
However, running BIND and Apache is certainly possible - the
 machine I'm typing this on does exactly that.


Robert Huff


I agree with Robert, it's generally no problem, at least technically, to
run BIND on the same machine. (Unless in certain situations I can think of
at the moment) you are running your httpd server on a non-public network
behind a firewall, doing certain things with NAT on the router, or running
httpd on a private machine that only gets traffic from a public-facing
cache/proxy like squid. These situations don't rule out use but could cause
'looping' or otherwise cause problems depending on how your network and
name system is setup.

It is better to have more than one machine running name services, if
possible. Also a good idea to prohibit zone transfers and recursive
lookups, or at least limit very carefully.

You should be able to set up a zone update thing for your customers, just
keep TTL somewhat short, and update your serial # in the zone so that
external caches will pull the updates (using date and/or time is probably
best.) And you probably don't want the daemon/nobody httpd user fooling
around with the zone files or named process directly so it's best to set a
signal in your script like 'touch /tmp/updatebind' or something and have a
cron job check for the 'signal'.

Waitman
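As an added example covering the zone file and rndc reload steps in Waitman's first reply and the "touch /tmp/updatebind" plus cron idea in this one (this is not Waitman's code nor anything from the FreeBSD base system): a POSIX sh script that bumps the SOA serial in the YYYYMMDDnn form he recommends, rewrites the zone file atomically, and only acts when the signal file exists. The function names (bump_serial, zone_serial, update_zone_serial, process_signal), the file paths and the sample zone content are all assumptions for the demonstration; RELOAD_CMD defaults to "rndc reload" and is set to true in the demo so it runs without a name server.

```sh
#!/bin/sh
# Added example (not Waitman's code): bump the SOA serial of a BIND zone file
# in YYYYMMDDnn form and reload named only when a signal file such as
# /tmp/updatebind exists, the way a cron job polling for the signal would.
# Assumptions: POSIX sh, awk and sed; function names, file paths and the
# sample zone below are constructed for the demonstration.

# bump_serial OLD TODAY -> prints the next serial (TODAY is YYYYMMDD).
# Never goes backwards: if OLD already carries today's date the two-digit
# counter is incremented; if OLD is ahead of the clock (hand edit, clock
# skew) it is simply incremented; otherwise TODAY01 is used.
bump_serial() {
    awk -v old="$1" -v today="$2" 'BEGIN {
        if (length(old) == 10 && substr(old, 1, 8) == today) {
            nn = substr(old, 9, 2) + 0
            if (nn >= 99) {
                print "bump_serial: counter exhausted for " today > "/dev/stderr"
                exit 1
            }
            printf "%s%02d\n", today, nn + 1
        } else if (length(old) == 10 && substr(old, 1, 8) > today) {
            printf "%.0f\n", old + 1
        } else {
            printf "%s01\n", today
        }
    }'
}

# zone_serial FILE -> prints "LINE SERIAL": the first numeric token after the
# SOA keyword, so both one-line and parenthesised multi-line SOAs work.
zone_serial() {
    awk '
        !insoa {
            for (i = 1; i <= NF; i++)
                if ($i == "SOA") { insoa = 1; start = i + 1; break }
            if (!insoa) next
        }
        {
            for (i = start; i <= NF; i++)
                if ($i ~ /^[0-9]+$/) { print NR, $i; exit }
            start = 1
        }' "$1"
}

# update_zone_serial FILE TODAY -> rewrites FILE with the bumped serial and
# prints the new serial. Writes a temp file and renames it so named never
# sees a half-written zone.
update_zone_serial() {
    file=$1 today=$2
    set -- $(zone_serial "$file")
    [ $# -eq 2 ] || { echo "no SOA serial found in $file" >&2; return 1; }
    line=$1 old=$2
    new=$(bump_serial "$old" "$today") || return 1
    sed "${line}s/$old/$new/" "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    echo "$new"
}

# process_signal ZONEFILE SIGNAL TODAY -> 2 if there is nothing to do, 1 on
# failure (the signal file is kept so the next cron run retries), 0 after
# the zone is updated and named reloaded. RELOAD_CMD defaults to
# "rndc reload" and is overridden in the demo below.
process_signal() {
    zone=$1 signal=$2 today=$3
    [ -f "$signal" ] || return 2
    new=$(update_zone_serial "$zone" "$today") || return 1
    rm -f "$signal"
    ${RELOAD_CMD:-rndc reload} || return 1
    echo "$new"
}

# Demonstration on a constructed zone file (no name server needed).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/example.com.hosts" <<'EOF'
$TTL 86400
example.com.    IN  SOA ns1.example.com. hostmaster.example.com. (
                2012010210
                28800
                7200
                1209600
                86400 )
example.com.    NS  ns1.example.com.
example.com.    A   192.0.2.10
EOF
    touch "$tmp/updatebind"                 # what the web script would do
    RELOAD_CMD=true                         # stand-in for "rndc reload"
    process_signal "$tmp/example.com.hosts" "$tmp/updatebind" 20120102
    rm -r "$tmp"
}

demo
```

The split between the web script (which may only touch the signal file) and the cron job (which owns the zone file and talks to named) is what keeps the httpd user away from named, as the post above suggests; the cron job should run as the zone files' owner, not as root.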


Re: DNS

2012-01-01 Thread Walter Alejandro Iglesias
On Sun, Jan 01, 2012 at 05:54:59PM -0500, Robert Huff wrote:
 
 Walter Alejandro Iglesias writes:
 
   Time ago I made the attempt to setup my own DNS in the same
   machine I had my web server running.  DNS was the only thing I
   was not able to automatically update in the system with my
   scripts each time a new customer purchased a service.  It would
   be wonderful for me if you or anyone here at least confirm me if
   it is really possible. 
 
   What is possible - updating using scripts, or running BIND on
 the same machine as a web server (presumably Apache)?
   While I'm sure someone has written them, I don't know of any
 scripts that will update (whatever that means) BIND configuration
 files that are included either as part of the base system or as
 ports.
   However, running BIND and Apache is certainly possible - the
 machine I'm typing this on does exactly that.
 
 
   Robert Huff
 


I wrote a bunch of sh scripts to update sendmail, apache, add
system users, etc.  Those scripts were executed by cron.  I
wrote a simple php client panel too.  So, the sh scripts read
the data from mysql (I wrote those scripts originally on
Slackware and later left their migration to FreeBSD
unfinished) and updated the system.

For updating BIND I meant that the scripts (using sed) add
zones in the zone files and restart bind, in the same way they
add new virtual server entries in httpd.conf and restart apache.

Sure, like you say, it is possible to run BIND and Apache.
But is it possible|convenient that the name server reside on
the same machine that hosts (with apache) the domain names served
by it?  Perhaps you find my question stupid, but believe me, I
am lost :-).

Or to simplify the question, what is needed to run a DNS?
What I know:

Edit the zone files.
Run bind.
Register the names ns1.mysite.com, ns2..., (some trick here?)
Obviously adding them to the registrar of the domains served.


Walter





Re: DNS

2012-01-01 Thread Walter Alejandro Iglesias
On Sun, Jan 01, 2012 at 03:24:59PM -0800, Waitman Gobble wrote:
 On Sun, Jan 1, 2012 at 2:54 PM, Robert Huff roberth...@rcn.com wrote:
 
 
  Walter Alejandro Iglesias writes:
 
Time ago I made the attempt to setup my own DNS in the same
machine I had my web server running.  DNS was the only thing I
was not able to automatically update in the system with my
scripts each time a new customer purchased a service.  It would
be wonderful for me if you or anyone here at least confirm me if
it is really possible.
 
  What is possible - updating using scripts, or running BIND on
  the same machine as a web server (presumably Apache)?
 While I'm sure someone has written them, I don't know of any
  scripts that will update (whatever that means) BIND configuration
  files that are included either as part of the base system or as
  ports.
 However, running BIND and Apache is certainly possible - the
  machine I'm typing this on does exactly that.
 
 
 Robert Huff
 
 
 I agree with Robert, it's generally no problem, at least technically, to
 run BIND on the same machine. (Unless in certain situations I can think of
 at the moment) you are running your httpd server on a non-public network
 behind a firewall, doing certain things with NAT on the router, or running
 httpd on a private machine that only gets traffic from a public-facing
 cache/proxy like squid. These situations don't rule out use but could cause
 'looping' or otherwise cause problems depending on how your network and
 name system is setup.
 
 It is better to have more than one machine running name services, if
 possible. Also a good idea to prohibit zone transfers and recursive
 lookups, or at least limit very carefully.
 
 You should be able to set up a zone update thing for your customers, just
 keep TTL somewhat short, and update your serial # in the zone so that
 external caches will pull the updates (using date and/or time is probably
 best.) And you probably don't want the daemon/nobody httpd user fooling
 around with the zone files or named process directly so it's best to set a
 signal in your script like 'touch /tmp/updatebind' or something and have a
 cron job check for the 'signal'.
 
 Waitman


Thanks Waitman,

The truth is I am a bit lost, perhaps (it is late here, 00:54) I am
a bit hungry and tired :-).  I will have dinner, sleep, and tomorrow
morning with a fresh mind I will reread this last message
carefully.  I'll buy the book you advised too.


Walter





Re: DNS

2012-01-01 Thread Waitman Gobble


 Sure, like you say, it is possible to run BIND and Apache.
 But is it possible|convenient that the name server reside on
 the same machine that hosts (with apache) the domain names served
 by it?  Perhaps you find my question stupid, but believe me, I
 am lost :-).

 Or to simplify the question, what is needed to run a DNS?
 What I know:

 Edit the zone files.
 Run bind.
 Register the names ns1.mysite.com, ns2..., (some trick here?)
 Obviously adding them to the registrar of the domains served.


Walter




Yes, you can run BIND on the same FreeBSD machine as your web server.
You have to have your nameserver listed with internic (for .com and .net -
ie, your nameserver has to show up in the NAMESERVER whois (note: different
than DOMAIN whois) on http://www.internic.net/whois.html) and also for each
TLD you want to provide service for (ie, .org, .mobi, etc etc) .
If you are using opensrs it's pretty simple to list your nameserver with
local and foreign tlds, but with other Registrars - you'd have to check
into the details. It's generally easier to use a local domain for the
nameservers (ie, ns1.example.mobi for .mobi domains.) but it is also
possible to use foreign nameservers (ie, ns1.example.com to resolve
www.example.mobi - is considered foreign)

Waitman


Re: DNS

2012-01-01 Thread Robert Huff

Walter Alejandro Iglesias writes:

  Perhaps you find stupid my question, but believe me, I am
  lost :-).

Where you are now, so once were most of us.  :-)

  Sure, like you say, it is possible to run BIND and Apache.
  But is it possible|convenient that the name server reside on
  the same machine that hosts (with apache) the domain names served
  by it?  

Possible: I'm doing it.
Convenient?  Depends on what you consider convenient.
The machine in question only serves a few zones, and only
changes its IP occasionally.
When it does, I have a script which will change the config file
for sshd, and another which changes most (but not all) settings for
bind.  Elapsed time (assuming I remember all the bits): 5 minutes,
plus a re-boot and checking the numbers.


Robert Huff



RE: DNS

2012-01-01 Thread Kevin Zheng
Hello,

I've been using FreeBSD as a local nameserver (with my own .local
domains!) for quite some time. FreeBSD comes with a name server already
installed; you don't need to get it from the ports, although I'm not
sure what difference it makes. The one that comes with FreeBSD can be
enabled with named_enable="YES" in /etc/rc.conf. The configuration files
are in /etc/namedb/.

Getting a book about BIND really helps learning it. The examples are
especially useful. BIND can be a little daunting to learn, but it all
clicks in the end.

If you want to use BIND for mass hosting, you can consider hooking BIND
up to MySQL or a similar database. I haven't personally tried it, so I
cannot vouch for it to work. It may be what you're looking for, though.
You can have a look at this link: http://mysql-bind.sourceforge.net/.

Hopefully, this helps.

Sincerely,
Kevin Zheng


Host Dynamic DNS configuration for 8.2-RELEASE

2011-12-29 Thread akshay sreeramoju
Hi,

What is the required configuration in a FreeBSD 8.2 release host for it to
publish its name in a dynamic dns supported network?


LINUX: For a Linux host with name x.y.z.com I had to do the following:
=
# echo "DHCP_HOSTNAME=x" >> /etc/sysconfig/network-scripts/ifcfg-eth0
# echo "PEERDNS=no" >> /etc/sysconfig/network-scripts/ifcfg-eth0
# echo 'SEARCH="y.z.com"' >> /etc/sysconfig/network
# echo "HOSTNAME=x.y.z.com" >> /etc/sysconfig/network
# reboot


SEARCH: Couldn't find for host configuration
===
My Google search gave some links describing Linux host configuration but
none for freebsd host configuration. Some described FreeBSD server
configuration though (
http://www.google.com/search?hl=enclient=firefox-ahs=l2Mrls=org.mozilla%3Aen-US%3Aofficialq=configuring+dynamic+dns+freebsd+dhcp+clientoq=configuring+dynamic+dns+freebsd+dhcp+clientaq=faqi=aql=gs_sm=egs_upl=13114l14889l0l15039l12l12l0l11l0l0l166l166l0.1l1l0,
http://alex.kruijff.org/FreeBSD/Dynamic_DNS.html).


TIA,
Akshay


Re: Host Dynamic DNS configuration for 8.2-RELEASE

2011-12-29 Thread Matthew Seaman
On 29/12/2011 20:11, akshay sreeramoju wrote:
 What is the required configuration in a FreeBSD 8.2 release host for it to
 publish its name in a dynamic dns supported network?

Something like this in /etc/dhclient.conf:

interface "em0" {
send host-name "foo.example.com";
}

See dhclient.conf(5), particularly the EXAMPLES section at the end.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW





Re: Host Dynamic DNS configuration for 8.2-RELEASE

2011-12-29 Thread akshay sreeramoju
Thanks Matthew. It works.

Akshay

On Thu, Dec 29, 2011 at 1:14 PM, Matthew Seaman 
m.sea...@infracaninophile.co.uk wrote:

 On 29/12/2011 20:11, akshay sreeramoju wrote:
  What is the required configuration in a FreeBSD 8.2 release host for it
 to
  publish its name in a dynamic dns supported network?

 Something like this in /etc/dhclient.conf:

 interface "em0" {
 send host-name "foo.example.com";
 }

 See dhclient.conf(5), particularly the EXAMPLES section at the end.

Cheers,

Matthew



