Re: Connections with bad DNS cause lockups
Hi, Ok, I created the file and I looked and see absolutely nothing about the bad connection attempt, only good ones. I've posted it to : http://vjofn.tucs-beachin-obx-house.com/mysqltrace.txt does anyone see anything that would give any clues? Thanks, Tuc Hello. When I suggested to create a trace file, I wanted to find the place where mysqld hangs. In my opinion, it is possible. You should research the last entries at the end of the trace file (using tail, for example) after mysql has hung. I'm not sure if we are able to find any clues in the trace files when using clients with a good reverse. Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hi, I hacked the Makefile so that it would recompile it with -debug on the version. I started it with --debug as part of the extra args passed to safe_mysqld. It started, and created a /tmp/mysqld.trace where its logging to. So far, no one with a broken reverse DNS has tried to contact the server However, me with a good reverse but no authority via the /etc/hosts.allow has gone against it 5 or 6 times, and the log doesn't even show any evidence. If it isn't showing any sort of logging of my illegal attempt, I'm concerned it will not show any attempts from the hosts that are causing the problems. Thanks, Tuc -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Connections with bad DNS cause lockups
Hello. When I suggested to create a trace file, I wanted to find the place where mysqld hangs. In my opinion, it is possible. You should research the last entries at the end of the trace file (using tail, for example) after mysql has hung. I'm not sure if we are able to find any clues in the trace files when using clients with a good reverse. Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hi, I hacked the Makefile so that it would recompile it with -debug on the version. I started it with --debug as part of the extra args passed to safe_mysqld. It started, and created a /tmp/mysqld.trace where its logging to. So far, no one with a broken reverse DNS has tried to contact the server However, me with a good reverse but no authority via the /etc/hosts.allow has gone against it 5 or 6 times, and the log doesn't even show any evidence. If it isn't showing any sort of logging of my illegal attempt, I'm concerned it will not show any attempts from the hosts that are causing the problems. Thanks, Tuc Hello. To make the suggestions, we should have enough amount of information. If your MySQL server isn't heavy loaded, create a trace file and find out the place where the new connections hang. See: http://dev.mysql.com/doc/mysql/en/making-trace-files.html Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hello. In my opinion, we're a little kinked in this issue. Let's start over. :( Sorry. I've been told by the GF that I have a habit of doing it to her too. In one of your posts you mentioned that the server runs lots of other services besides the database. Yes, according to my runbook, the server : 1) Is an NFS server to 4 other servers for web traffic and logging. 2) Is the primary MX server for 7 domains (About 100 emails a day) 3) Runs a Listproc for 4 mailing lists (About 5 messages a day to 60 people) 4) Runs MySQL (Approx 98 queries per hour) 5) Runs [EMAIL PROTECTED] (2 processes) 6) Runs an IMAP Server for 1 user who logs on 5-10 minutes a day The server pushes about 120kb/s a second according to MRTG for all that. Why do you think that the cause of the server's weird behavior is MySQL? Maybe I wasn't clear about it. The server is running perfectly. I'm running SETI on it since its normally bored out of its ever loving mind. When someone with a missing or bad reverse DNS (PTR) record attempts to connect to the MySQL server, any other connection via either the socket or the TCP socket ends up blocking and waiting. Every other service on the machine is fine, but MySQL becomes completely unresponsive. When I said DOS, I meant only against MySQL. The rest of the machine is fine to process anything it wants. Is server still working, but you are unable to reach it through the network, or it is completely hung? No other services are affected, only attempts to connect to MySQL via the socket or TCP. This makes what little access there is to the database (A searchable orchid database) stop, and monitoring detects it down and pages out. Thanks, Tuc So if thats the way (FreeBSD ports), then besides the already suggested changing to pure IP, is there any other ways to stop the DOS? Thanks, Tuc -- For technical support contracts, goto https://order.mysql.com/?ref=ensita This email is sponsored by Ensita.NET http://www.ensita.net/ __ ___ ___ __ / |/ /_ __/ __/ __ \/ /Gleb Paharenko / /|_/ / // /\ \/ /_/ / /__ [EMAIL PROTECTED] /_/ /_/\_, /___/\___\_\___/ MySQL AB / Ensita.NET ___/ www.mysql.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Connections with bad DNS cause lockups
Hi, Ok. Is there a way to get a timestamp in the file too? If this happens while I'm not near a machine I want to make sure I can find the right time frame in the file. Thanks, Tuc Hello. When I suggested to create a trace file, I wanted to find the place where mysqld hangs. In my opinion, it is possible. You should research the last entries at the end of the trace file (using tail, for example) after mysql has hung. I'm not sure if we are able to find any clues in the trace files when using clients with a good reverse. Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hi, I hacked the Makefile so that it would recompile it with -debug on the version. I started it with --debug as part of the extra args passed to safe_mysqld. It started, and created a /tmp/mysqld.trace where its logging to. So far, no one with a broken reverse DNS has tried to contact the server However, me with a good reverse but no authority via the /etc/hosts.allow has gone against it 5 or 6 times, and the log doesn't even show any evidence. If it isn't showing any sort of logging of my illegal attempt, I'm concerned it will not show any attempts from the hosts that are causing the problems. Thanks, Tuc Hello. To make the suggestions, we should have enough amount of information. If your MySQL server isn't heavy loaded, create a trace file and find out the place where the new connections hang. See: http://dev.mysql.com/doc/mysql/en/making-trace-files.html Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hello. In my opinion, we're a little kinked in this issue. Let's start over. :( Sorry. I've been told by the GF that I have a habit of doing it to her too. In one of your posts you mentioned that the server runs lots of other services besides the database. Yes, according to my runbook, the server : 1) Is an NFS server to 4 other servers for web traffic and logging. 2) Is the primary MX server for 7 domains (About 100 emails a day) 3) Runs a Listproc for 4 mailing lists (About 5 messages a day to 60 people) 4) Runs MySQL (Approx 98 queries per hour) 5) Runs [EMAIL PROTECTED] (2 processes) 6) Runs an IMAP Server for 1 user who logs on 5-10 minutes a day The server pushes about 120kb/s a second according to MRTG for all that. Why do you think that the cause of the server's weird behavior is MySQL? Maybe I wasn't clear about it. The server is running perfectly. I'm running SETI on it since its normally bored out of its ever loving mind. When someone with a missing or bad reverse DNS (PTR) record attempts to connect to the MySQL server, any other connection via either the socket or the TCP socket ends up blocking and waiting. Every other service on the machine is fine, but MySQL becomes completely unresponsive. When I said DOS, I meant only against MySQL. The rest of the machine is fine to process anything it wants. Is server still working, but you are unable to reach it through the network, or it is completely hung? No other services are affected, only attempts to connect to MySQL via the socket or TCP. This makes what little access there is to the database (A searchable orchid database) stop, and monitoring detects it down and pages out. Thanks, Tuc So if thats the way (FreeBSD ports), then besides the already suggested changing to pure IP, is there any other ways to stop the DOS? Thanks, Tuc -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Connections with bad DNS cause lockups
Hello. I don't know. You may want to hack MySQL source (it seems not too hard to change the dbug/dbug.c file). As an alternative you can make a feature request at: http://bugs.mysql.com In my opinion, timestamp is a helpful thing (however, it may affect the performance which is already a very low when MySQL produces trace files). In you case if MySQL really hangs you should be able to find the significant difference in the logging behavior after it has hung. I guess it won't log anything. And the last messages (mostly from sql/hostname) should be exactly what you need. Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hi, Ok. Is there a way to get a timestamp in the file too? If this happens while I'm not near a machine I want to make sure I can find the right time frame in the file. Thanks, Tuc Hello. When I suggested to create a trace file, I wanted to find the place where mysqld hangs. In my opinion, it is possible. You should research the last entries at the end of the trace file (using tail, for example) after mysql has hung. I'm not sure if we are able to find any clues in the trace files when using clients with a good reverse. Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hi, I hacked the Makefile so that it would recompile it with -debug on the version. I started it with --debug as part of the extra args passed to safe_mysqld. It started, and created a /tmp/mysqld.trace where its logging to. So far, no one with a broken reverse DNS has tried to contact the server However, me with a good reverse but no authority via the /etc/hosts.allow has gone against it 5 or 6 times, and the log doesn't even show any evidence. If it isn't showing any sort of logging of my illegal attempt, I'm concerned it will not show any attempts from the hosts that are causing the problems. Thanks, Tuc Hello. To make the suggestions, we should have enough amount of information. If your MySQL server isn't heavy loaded, create a trace file and find out the place where the new connections hang. See: http://dev.mysql.com/doc/mysql/en/making-trace-files.html Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hello. In my opinion, we're a little kinked in this issue. Let's start over. :( Sorry. I've been told by the GF that I have a habit of doing it to her too. In one of your posts you mentioned that the server runs lots of other services besides the database. Yes, according to my runbook, the server : 1) Is an NFS server to 4 other servers for web traffic and logging. 2) Is the primary MX server for 7 domains (About 100 emails a day) 3) Runs a Listproc for 4 mailing lists (About 5 messages a day to 60 people) 4) Runs MySQL (Approx 98 queries per hour) 5) Runs [EMAIL PROTECTED] (2 processes) 6) Runs an IMAP Server for 1 user who logs on 5-10 minutes a day The server pushes about 120kb/s a second according to MRTG for all that. Why do you think that the cause of the server's weird behavior is MySQL? Maybe I wasn't clear about it. The server is running perfectly. I'm running SETI on it since its normally bored out of its ever loving mind. When someone with a missing or bad reverse DNS (PTR) record attempts to connect to the MySQL server, any other connection via either the socket or the TCP socket ends up blocking and waiting. Every other service on the machine is fine, but MySQL becomes completely unresponsive. When I said DOS, I meant only against MySQL. The rest of the machine is fine to process anything it wants. Is server still working, but you are unable to reach it through the network, or it is completely hung? No other services are affected, only attempts to connect to MySQL via the socket or TCP. This makes what little access there is to the database (A searchable orchid database) stop, and monitoring detects it down and pages out. Thanks, Tuc So if thats the way (FreeBSD ports), then besides the already suggested changing to pure IP, is there any other ways to stop the DOS? Thanks, Tuc -- For technical support contracts, goto https://order.mysql.com/?ref=ensita This email is sponsored by Ensita.NET http://www.ensita.net/ __ ___ ___ __ / |/ /_ __/ __/ __ \/ /Gleb Paharenko / /|_/ / // /\ \/ /_/ / /__ [EMAIL PROTECTED] /_/ /_/\_, /___/\___\_\___/ MySQL AB / Ensita.NET ___/ www.mysql.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:
Re: Connections with bad DNS cause lockups
Hello. I don't know. You may want to hack MySQL source (it seems not too hard to change the dbug/dbug.c file). As an alternative you can make a feature request at: http://bugs.mysql.com Done. Thank you. In my opinion, timestamp is a helpful thing (however, it may affect the performance which is already a very low when MySQL produces trace files). In you case if MySQL really hangs you should be able to find the significant difference in the logging behavior after it has hung. I guess it won't log anything. And the last messages (mostly from sql/hostname) should be exactly what you need. The problem is that it will eventually recover itself and continue on its way until the next time. I am waiting for it to happen again stillI've turned monitoring on so that if it does start to become uncontactable I'll get paged. Thanks, Tuc Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hi, Ok. Is there a way to get a timestamp in the file too? If this happens while I'm not near a machine I want to make sure I can find the right time frame in the file. Thanks, Tuc -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Connections with bad DNS cause lockups
Hello. In my opinion, we're a little kinked in this issue. Let's start over. In one of your posts you mentioned that the server runs lots of other services besides the database. Why do you think that the cause of the server's weird behavior is MySQL? Is server still working, but you are unable to reach it through the network, or it is completely hung? So if thats the way (FreeBSD ports), then besides the already suggested changing to pure IP, is there any other ways to stop the DOS? Thanks, Tuc -- For technical support contracts, goto https://order.mysql.com/?ref=ensita This email is sponsored by Ensita.NET http://www.ensita.net/ __ ___ ___ __ / |/ /_ __/ __/ __ \/ /Gleb Paharenko / /|_/ / // /\ \/ /_/ / /__ [EMAIL PROTECTED] /_/ /_/\_, /___/\___\_\___/ MySQL AB / Ensita.NET ___/ www.mysql.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Connections with bad DNS cause lockups
Hello. In my opinion, we're a little kinked in this issue. Let's start over. :( Sorry. I've been told by the GF that I have a habit of doing it to her too. In one of your posts you mentioned that the server runs lots of other services besides the database. Yes, according to my runbook, the server : 1) Is an NFS server to 4 other servers for web traffic and logging. 2) Is the primary MX server for 7 domains (About 100 emails a day) 3) Runs a Listproc for 4 mailing lists (About 5 messages a day to 60 people) 4) Runs MySQL (Approx 98 queries per hour) 5) Runs [EMAIL PROTECTED] (2 processes) 6) Runs an IMAP Server for 1 user who logs on 5-10 minutes a day The server pushes about 120kb/s a second according to MRTG for all that. Why do you think that the cause of the server's weird behavior is MySQL? Maybe I wasn't clear about it. The server is running perfectly. I'm running SETI on it since its normally bored out of its ever loving mind. When someone with a missing or bad reverse DNS (PTR) record attempts to connect to the MySQL server, any other connection via either the socket or the TCP socket ends up blocking and waiting. Every other service on the machine is fine, but MySQL becomes completely unresponsive. When I said DOS, I meant only against MySQL. The rest of the machine is fine to process anything it wants. Is server still working, but you are unable to reach it through the network, or it is completely hung? No other services are affected, only attempts to connect to MySQL via the socket or TCP. This makes what little access there is to the database (A searchable orchid database) stop, and monitoring detects it down and pages out. Thanks, Tuc So if thats the way (FreeBSD ports), then besides the already suggested changing to pure IP, is there any other ways to stop the DOS? Thanks, Tuc -- For technical support contracts, goto https://order.mysql.com/?ref=ensita This email is sponsored by Ensita.NET http://www.ensita.net/ __ ___ ___ __ / |/ /_ __/ __/ __ \/ /Gleb Paharenko / /|_/ / // /\ \/ /_/ / /__ [EMAIL PROTECTED] /_/ /_/\_, /___/\___\_\___/ MySQL AB / Ensita.NET ___/ www.mysql.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED] -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Connections with bad DNS cause lockups
Hello. To make the suggestions, we should have enough amount of information. If your MySQL server isn't heavy loaded, create a trace file and find out the place where the new connections hang. See: http://dev.mysql.com/doc/mysql/en/making-trace-files.html Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hello. In my opinion, we're a little kinked in this issue. Let's start over. :( Sorry. I've been told by the GF that I have a habit of doing it to her too. In one of your posts you mentioned that the server runs lots of other services besides the database. Yes, according to my runbook, the server : 1) Is an NFS server to 4 other servers for web traffic and logging. 2) Is the primary MX server for 7 domains (About 100 emails a day) 3) Runs a Listproc for 4 mailing lists (About 5 messages a day to 60 people) 4) Runs MySQL (Approx 98 queries per hour) 5) Runs [EMAIL PROTECTED] (2 processes) 6) Runs an IMAP Server for 1 user who logs on 5-10 minutes a day The server pushes about 120kb/s a second according to MRTG for all that. Why do you think that the cause of the server's weird behavior is MySQL? Maybe I wasn't clear about it. The server is running perfectly. I'm running SETI on it since its normally bored out of its ever loving mind. When someone with a missing or bad reverse DNS (PTR) record attempts to connect to the MySQL server, any other connection via either the socket or the TCP socket ends up blocking and waiting. Every other service on the machine is fine, but MySQL becomes completely unresponsive. When I said DOS, I meant only against MySQL. The rest of the machine is fine to process anything it wants. Is server still working, but you are unable to reach it through the network, or it is completely hung? No other services are affected, only attempts to connect to MySQL via the socket or TCP. This makes what little access there is to the database (A searchable orchid database) stop, and monitoring detects it down and pages out. Thanks, Tuc So if thats the way (FreeBSD ports), then besides the already suggested changing to pure IP, is there any other ways to stop the DOS? Thanks, Tuc -- For technical support contracts, goto https://order.mysql.com/?ref=ensita This email is sponsored by Ensita.NET http://www.ensita.net/ __ ___ ___ __ / |/ /_ __/ __/ __ \/ /Gleb Paharenko / /|_/ / // /\ \/ /_/ / /__ [EMAIL PROTECTED] /_/ /_/\_, /___/\___\_\___/ MySQL AB / Ensita.NET ___/ www.mysql.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Connections with bad DNS cause lockups
Hi, I hacked the Makefile so that it would recompile it with -debug on the version. I started it with --debug as part of the extra args passed to safe_mysqld. It started, and created a /tmp/mysqld.trace where its logging to. So far, no one with a broken reverse DNS has tried to contact the server However, me with a good reverse but no authority via the /etc/hosts.allow has gone against it 5 or 6 times, and the log doesn't even show any evidence. If it isn't showing any sort of logging of my illegal attempt, I'm concerned it will not show any attempts from the hosts that are causing the problems. Thanks, Tuc Hello. To make the suggestions, we should have enough amount of information. If your MySQL server isn't heavy loaded, create a trace file and find out the place where the new connections hang. See: http://dev.mysql.com/doc/mysql/en/making-trace-files.html Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hello. In my opinion, we're a little kinked in this issue. Let's start over. :( Sorry. I've been told by the GF that I have a habit of doing it to her too. In one of your posts you mentioned that the server runs lots of other services besides the database. Yes, according to my runbook, the server : 1) Is an NFS server to 4 other servers for web traffic and logging. 2) Is the primary MX server for 7 domains (About 100 emails a day) 3) Runs a Listproc for 4 mailing lists (About 5 messages a day to 60 people) 4) Runs MySQL (Approx 98 queries per hour) 5) Runs [EMAIL PROTECTED] (2 processes) 6) Runs an IMAP Server for 1 user who logs on 5-10 minutes a day The server pushes about 120kb/s a second according to MRTG for all that. Why do you think that the cause of the server's weird behavior is MySQL? Maybe I wasn't clear about it. The server is running perfectly. I'm running SETI on it since its normally bored out of its ever loving mind. When someone with a missing or bad reverse DNS (PTR) record attempts to connect to the MySQL server, any other connection via either the socket or the TCP socket ends up blocking and waiting. Every other service on the machine is fine, but MySQL becomes completely unresponsive. When I said DOS, I meant only against MySQL. The rest of the machine is fine to process anything it wants. Is server still working, but you are unable to reach it through the network, or it is completely hung? No other services are affected, only attempts to connect to MySQL via the socket or TCP. This makes what little access there is to the database (A searchable orchid database) stop, and monitoring detects it down and pages out. Thanks, Tuc So if thats the way (FreeBSD ports), then besides the already suggested changing to pure IP, is there any other ways to stop the DOS? Thanks, Tuc -- For technical support contracts, goto https://order.mysql.com/?ref=ensita This email is sponsored by Ensita.NET http://www.ensita.net/ __ ___ ___ __ / |/ /_ __/ __/ __ \/ /Gleb Paharenko / /|_/ / // /\ \/ /_/ / /__ [EMAIL PROTECTED] /_/ /_/\_, /___/\___\_\___/ MySQL AB / Ensita.NET ___/ www.mysql.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED] -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Connections with bad DNS cause lockups
Hello. is that when it gets probed, it COMPLETELY offlines (DOS) the server. One upon a time I solved such an issue with MySQL on FreeBSD by switching to the official binaries from: http://dev.mysql.com/downloads Still, the recommended way to run MySQL on FreeBSD is compiling it from the ports. Hi, Thanks for the reply. I did see that page before, but I guess my bigger question is why if the DNS is broken/slow, why does the entire server come to a COMPLETE halt, no commands can be done via either TCP *OR* the socket. If it just errored, that session took forever, whatever... I could understand. The problem is that when it gets probed, it COMPLETELY offlines (DOS) the server. And just *1* connection! Just also seems difficult to keep proper documentation if we are using IPs and not complete hostnames. Thanks, Tuc Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hi, We seem to be running into a problem with our installation that we don't understand. We are running mysql-server-4.0.25 from the ports collection on a FreeBSD 5.3-RELEASE-p10 machine. Its tcpwrapper'd to only allow from our /24, and a single machine outside the /24. At times, all of a sudden the server seems to freeze. It appears that we've narrowed it down to an issue with people attacking the server that come from a site that has a bad reverse DNS setup. Has anyone else seen this, or knows how to stop it? Thanks, Tuc -- For technical support contracts, goto https://order.mysql.com/?ref=ensita This email is sponsored by Ensita.NET http://www.ensita.net/ __ ___ ___ __ / |/ /_ __/ __/ __ \/ /Gleb Paharenko / /|_/ / // /\ \/ /_/ / /__ [EMAIL PROTECTED] /_/ /_/\_, /___/\___\_\___/ MySQL AB / Ensita.NET ___/ www.mysql.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Connections with bad DNS cause lockups
Hello. is that when it gets probed, it COMPLETELY offlines (DOS) the server. One upon a time I solved such an issue with MySQL on FreeBSD by switching to the official binaries from: http://dev.mysql.com/downloads Still, the recommended way to run MySQL on FreeBSD is compiling it from the ports. So if thats the way (FreeBSD ports), then besides the already suggested changing to pure IP, is there any other ways to stop the DOS? Thanks, Tuc -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Connections with bad DNS cause lockups
Hello. Have a look here: http://dev.mysql.com/doc/mysql/en/dns.html You may want to start mysqld with the --skip-name-resolve option. Hi, Thanks for the reply. I did see that page before, but I guess my bigger question is why if the DNS is broken/slow, why does the entire server come to a COMPLETE halt, no commands can be done via either TCP *OR* the socket. If it just errored, that session took forever, whatever... I could understand. The problem is that when it gets probed, it COMPLETELY offlines (DOS) the server. And just *1* connection! Just also seems difficult to keep proper documentation if we are using IPs and not complete hostnames. Thanks, Tuc Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hi, We seem to be running into a problem with our installation that we don't understand. We are running mysql-server-4.0.25 from the ports collection on a FreeBSD 5.3-RELEASE-p10 machine. Its tcpwrapper'd to only allow from our /24, and a single machine outside the /24. At times, all of a sudden the server seems to freeze. It appears that we've narrowed it down to an issue with people attacking the server that come from a site that has a bad reverse DNS setup. Has anyone else seen this, or knows how to stop it? Thanks, Tuc -- For technical support contracts, goto https://order.mysql.com/?ref=ensita This email is sponsored by Ensita.NET http://www.ensita.net/ __ ___ ___ __ / |/ /_ __/ __/ __ \/ /Gleb Paharenko / /|_/ / // /\ \/ /_/ / /__ [EMAIL PROTECTED] /_/ /_/\_, /___/\___\_\___/ MySQL AB / Ensita.NET ___/ www.mysql.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED] -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Connections with bad DNS cause lockups
(please, either top-post or bottom-post but don't mix it up) One way to bypass a broken DNS server is to create complete HOSTS files on your servers. That way you can keep using your hostnames but avoid the problems of actual DNS server negotiations going sour as all hostname to IP address translations are handled locally. This is especially useful for resolving internal names for resources that rarely change addresses (like servers and most users). Then, the only names that pose a risk would be those not on the list. It's not a perfect solution but it may keep you going until MySQL can figure out something better to deal with misbehaving DNS servers. Shawn Green Database Administrator Unimin Corporation - Spruce Pine Tuc at T-B-O-H [EMAIL PROTECTED] wrote on 09/01/2005 10:56:24 AM: Hello. Have a look here: http://dev.mysql.com/doc/mysql/en/dns.html You may want to start mysqld with the --skip-name-resolve option. Hi, Thanks for the reply. I did see that page before, but I guess my bigger question is why if the DNS is broken/slow, why does the entire server come to a COMPLETE halt, no commands can be done via either TCP *OR* the socket. If it just errored, that session took forever, whatever... I could understand. The problem is that when it gets probed, it COMPLETELY offlines (DOS) the server. And just *1* connection! Just also seems difficult to keep proper documentation if we are using IPs and not complete hostnames. Thanks, Tuc Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hi, We seem to be running into a problem with our installation that we don't understand. We are running mysql-server-4.0.25 from the ports collection on a FreeBSD 5.3-RELEASE-p10 machine. Its tcpwrapper'd to only allow from our /24, and a single machine outside the /24. At times, all of a sudden the server seems to freeze. It appears that we've narrowed it down to an issue with people attacking the server that come from a site that has a bad reverse DNS setup. Has anyone else seen this, or knows how to stop it? Thanks, Tuc -- For technical support contracts, goto https://order.mysql.com/?ref=ensita This email is sponsored by Ensita.NET http://www.ensita.net/ __ ___ ___ __ / |/ /_ __/ __/ __ \/ /Gleb Paharenko / /|_/ / // /\ \/ /_/ / /__ [EMAIL PROTECTED] /_/ /_/\_, /___/\___\_\___/ MySQL AB / Ensita.NET ___/ www.mysql.com
Re: Connections with bad DNS cause lockups
Hi, (Lets not get into top/bottom/mixed post discussions. :) ) I'm not sure why putting in hosts would make a difference. Doesn't the --skip-name-resolve bypass any sort of name resolution, be it /etc/hosts or resolver? Or are you telling me to change nsswitch.conf from hosts: files dns to just hosts: files? Would be a SLIM possibility, if this wasn't a machine that didn't only do MySQL and other things in my TCPWrappers (/etc/hosts.allow) did partial domain matching for clients. Thanks, Tuc (please, either top-post or bottom-post but don't mix it up) One way to bypass a broken DNS server is to create complete HOSTS files on your servers. That way you can keep using your hostnames but avoid the problems of actual DNS server negotiations going sour as all hostname to IP address translations are handled locally. This is especially useful for resolving internal names for resources that rarely change addresses (like servers and most users). Then, the only names that pose a risk would be those not on the list. It's not a perfect solution but it may keep you going until MySQL can figure out something better to deal with misbehaving DNS servers. Shawn Green Database Administrator Unimin Corporation - Spruce Pine Tuc at T-B-O-H [EMAIL PROTECTED] wrote on 09/01/2005 10:56:24 AM: Hello. Have a look here: http://dev.mysql.com/doc/mysql/en/dns.html You may want to start mysqld with the --skip-name-resolve option. Hi, Thanks for the reply. I did see that page before, but I guess my bigger question is why if the DNS is broken/slow, why does the entire server come to a COMPLETE halt, no commands can be done via either TCP *OR* the socket. If it just errored, that session took forever, whatever... I could understand. The problem is that when it gets probed, it COMPLETELY offlines (DOS) the server. And just *1* connection! Just also seems difficult to keep proper documentation if we are using IPs and not complete hostnames. Thanks, Tuc Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hi, We seem to be running into a problem with our installation that we don't understand. We are running mysql-server-4.0.25 from the ports collection on a FreeBSD 5.3-RELEASE-p10 machine. Its tcpwrapper'd to only allow from our /24, and a single machine outside the /24. At times, all of a sudden the server seems to freeze. It appears that we've narrowed it down to an issue with people attacking the server that come from a site that has a bad reverse DNS setup. Has anyone else seen this, or knows how to stop it? Thanks, Tuc -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Connections with bad DNS cause lockups
I don't know how your OS does it or what you need to do to use it, but if I have a file called HOSTS in my (c:\winnt\system32\drivers\etc\ directory (each OS has a similar location for this file)) that contains a list of hostname - IP address pairs then whenever I attempt to do a hostname resolution, my IP stack will use that file *first* before attempting to contact a DNS server. If it finds the hostname in the HOSTS file then it never calls a DNS server. I am suggesting that you populate a hosts file suitable to resolve the hostnames to ip addresses for your user base. That way you should be able to remove --skip-name-resolve (allowing MySQL to do hostname-based security) and not run into the issue of a DNS server becoming flaky unless someone with a hostname NOT in the list tries to login. However, if your users are always getting new IP addresses (some places are like that) then this workaround won't work for you. It may not work at all but I thought it was worth a shot. Shawn Green Database Administrator Unimin Corporation - Spruce Pine Tuc at T-B-O-H [EMAIL PROTECTED] wrote on 09/01/2005 11:24:24 AM: Hi, (Lets not get into top/bottom/mixed post discussions. :) ) I'm not sure why putting in hosts would make a difference. Doesn't the --skip-name-resolve bypass any sort of name resolution, be it /etc/hosts or resolver? Or are you telling me to change nsswitch.conf from hosts: files dns to just hosts: files? Would be a SLIM possibility, if this wasn't a machine that didn't only do MySQL and other things in my TCPWrappers (/etc/hosts.allow) did partial domain matching for clients. Thanks, Tuc (please, either top-post or bottom-post but don't mix it up) One way to bypass a broken DNS server is to create complete HOSTS files on your servers. That way you can keep using your hostnames but avoid the problems of actual DNS server negotiations going sour as all hostname to IP address translations are handled locally. This is especially useful for resolving internal names for resources that rarely change addresses (like servers and most users). Then, the only names that pose a risk would be those not on the list. It's not a perfect solution but it may keep you going until MySQL can figure out something better to deal with misbehaving DNS servers. Shawn Green Database Administrator Unimin Corporation - Spruce Pine Tuc at T-B-O-H [EMAIL PROTECTED] wrote on 09/01/2005 10:56:24 AM: Hello. Have a look here: http://dev.mysql.com/doc/mysql/en/dns.html You may want to start mysqld with the --skip-name-resolve option. Hi, Thanks for the reply. I did see that page before, but I guess my bigger question is why if the DNS is broken/slow, why does the entire server come to a COMPLETE halt, no commands can be done via either TCP *OR* the socket. If it just errored, that session took forever, whatever... I could understand. The problem is that when it gets probed, it COMPLETELY offlines (DOS) the server. And just *1* connection! Just also seems difficult to keep proper documentation if we are using IPs and not complete hostnames. Thanks, Tuc Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hi, We seem to be running into a problem with our installation that we don't understand. We are running mysql-server-4.0.25 from the ports collection on a FreeBSD 5.3-RELEASE-p10 machine. Its tcpwrapper'd to only allow from our /24, and a single machine outside the /24. At times, all of a sudden the server seems to freeze. It appears that we've narrowed it down to an issue with people attacking the server that come from a site that has a bad reverse DNS setup. Has anyone else seen this, or knows how to stop it? Thanks, Tuc
Re: Connections with bad DNS cause lockups
Hi, I'm running FreeBSD 5.4 on the system in question. It was my understanding on newer Unixes that things like a call to gethostbyname(3) would cause it to go against the nsdispatch(3) in libc and determine what method to perform its various lookups. Right now its set to read nsswitch.conf and that has hosts: files dns. That, to me, means it'll go against /etc/hosts first, then do lookups against bind. The problem I have switching to just hosts: files is that this system does alot of other services besides a database, that depend on being able to do reliable forward and reverse DNS queries. I understand you then want me to put all the names into my /etc/hosts, but doing so doesn't buy me what I need for all the rest of the services on the box. I also have TCPWrappers running depending on domain names out of my control, so it would mean that every time they added/deleted a host, I would have to be told of it. I think /etc/hosts would also do forward DNS only, while TCPWrappers also wants reverse DNS (PTR). While in concept the suggestion is a work around, I think it then breaks every thing around it. Thanks, Tuc -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Connections with bad DNS cause lockups
Hello. Have a look here: http://dev.mysql.com/doc/mysql/en/dns.html You may want to start mysqld with the --skip-name-resolve option. Tuc at T-B-O-H [EMAIL PROTECTED] wrote: Hi, We seem to be running into a problem with our installation that we don't understand. We are running mysql-server-4.0.25 from the ports collection on a FreeBSD 5.3-RELEASE-p10 machine. Its tcpwrapper'd to only allow from our /24, and a single machine outside the /24. At times, all of a sudden the server seems to freeze. It appears that we've narrowed it down to an issue with people attacking the server that come from a site that has a bad reverse DNS setup. Has anyone else seen this, or knows how to stop it? Thanks, Tuc -- For technical support contracts, goto https://order.mysql.com/?ref=ensita This email is sponsored by Ensita.NET http://www.ensita.net/ __ ___ ___ __ / |/ /_ __/ __/ __ \/ /Gleb Paharenko / /|_/ / // /\ \/ /_/ / /__ [EMAIL PROTECTED] /_/ /_/\_, /___/\___\_\___/ MySQL AB / Ensita.NET ___/ www.mysql.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Connections with bad DNS cause lockups
Hi, We seem to be running into a problem with our installation that we don't understand. We are running mysql-server-4.0.25 from the ports collection on a FreeBSD 5.3-RELEASE-p10 machine. Its tcpwrapper'd to only allow from our /24, and a single machine outside the /24. At times, all of a sudden the server seems to freeze. It appears that we've narrowed it down to an issue with people attacking the server that come from a site that has a bad reverse DNS setup. Has anyone else seen this, or knows how to stop it? Thanks, Tuc -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]