Re: [Pdns-users] PDNS and ENUM
On 4/18/15 6:51 PM, Thomas Elsgaard wrote:
> Hi list
>
> I am trying to get ENUM to work with PowerDNS Authoritative Server 3.4.3 and PostgreSQL but I am not able to resolve the record. Is someone having a working example?
>
> I have tried with:
>
> INSERT INTO records (domain_id, name, type, content, ttl, prio) VALUES (1,'8.7.6.5.4.3.2.1.enum.example.tld','NAPTR','100 10 \"u\" \"E2U+sip\" \"!^.*$!sip:12345678@10.0.0.10!\" ."',120,0);
>
> but
>
> dig @127.0.0.1 8.7.6.5.4.3.2.1.enum.example.com NAPTR
>
> is not resolving it correctly:

Silly thing to point out, but you inserted '8.7.6.5.4.3.2.1.enum.example.tld', not '8.7.6.5.4.3.2.1.enum.example.com'. Is that just a typo here on the message to the list?

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] [STILL NEED HELP] - PDNS stop suddenly after every night
On 4/1/12 7:02 PM, Đức Vinh Hồ wrote:
> Mar 29 14:41:24 slv21 pdns[25327]: gmysql Connection failed: Unable to connect to database: Access denied for user 'power_admin'@'127.0.0.1' (using password: YES)
> Mar 29 14:41:24 slv21 pdns[25327]: Caught an exception instantiating a backend, cleaning up
> Mar 29 14:41:24 slv21 pdns[25327]: TCP server is unable to launch backends - will try again when questions come in: Unable to launch gmysql connection: Unable to connect to database: Access denied for user 'power_admin'@'127.0.0.1' (using password: YES)

Your mysql server is refusing the password you are giving it with the power_admin user. Sounds like there may be a problem with the mysql server/database?

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
[Pdns-users] Debian Squeeze/Wheezy packages for 3.1-svn
Hello All,

It was suggested I throw this on the list for those who might be interested. I've got pdns 3.1 svn packages from svn up in my deb repo.

Depending on if you run squeeze or wheezy, put in /etc/apt/sources.list or /etc/apt/sources.list.d/sosdg.list:

Squeeze:
deb http://deb.sosdg.org/debian sosdg-squeeze main

Wheezy:
deb http://deb.sosdg.org/debian sosdg-wheezy main

Run apt-get update, then you can install the packages. If you need to force it, use for example:

apt-get install pdns-server=3.1-0.1

(or whatever the current pre version is).

There's no wheezy i386 atm, but I plan to remedy that this weekend. These are the same packages I use on my own dns servers (ns{1,2,3}.sosdg.org).

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: [Pdns-users] Pdns-users mailing list unavailable
On 11/28/11 12:49 AM, Tom wrote:
> Hi there,
>
> I haven't received anything from the pdns-users mailing list since the 24th at 0700 GMT. I can see from the archive page here that there have been more mails, including 2 replies to the [Pdns-users] Bind Master, PDNS Slave Notifies being ignored. And since then, I have had no connections from your servers at all.
>
> It looks like no-one has replied to my mails on the list either, and they're usually pretty good at getting back to people, so I suspect that they haven't seen the mail because of this issue.
>
> Hopefully this has just slipped through the net, and someone just needs to fire up a service that didn't start on boot or something :)
>
> Cheers.
> Tom.

Or, people were busy with their families if they were in the US (Thanksgiving), or were working on a full time job, or some other time occupying activity.

This list can go through times of quiet, and other times of high activity. If this is a time critical matter, I do know there are various levels of commercial support that are available, including a per incident one:

http://www.powerdns.com/content/services.html

You can also attempt to ask in the #powerdns channel on irc.oftc.net and you may get lucky and find one or more of the developers and/or power users online and able to talk.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: [Pdns-users] PowerDNS in an ISP environment
On 8/16/11 1:50 AM, bert hubert wrote:
> On Tue, Aug 16, 2011 at 08:38:07AM +0100, Chris Russell wrote:
>> Hi All,
>>
>> Quick question - is anyone on the list using PDNS in an ISP environment, especially for auth services?
>
> The best I can do is refer to this thread, which lists some data points:
> http://mailman.powerdns.com/pipermail/pdns-users/2011-May/007719.html
>
> DENIC and SIDN (the .de and .nl registries) still measure PowerDNS at around 40%-50% of all their domains.
>
> You might also want to consider that SIDN and NIC.AT underwrote part of PowerDNS 3.0 development, please see the 3.0 release notes for more details.

We use powerdns almost exclusively with the mysql backend. Our ns1 hosts around 300 domains on it, with quite a few of them being high traffic - ahbl.org for example, which is one of the master name servers for all the dnsbl queries. Several other large DNSbl's also use our ns1 as a slave for redundancy.

Between the 6 auth name servers in the US, I think we do around 3mbits of DNS traffic, and another 2mbits out of Canada. No problems really, most of our issues were caused by lax config on our end that we promptly fixed.

When we did find a pretty major bug during the testing of ipv6 records in 3.0, Bert had the problem fixed within about 5 mins, and a new build pushed out. And that's all just by hopping on IRC and catching him when he's around.

Is the SLA worth it? Hell yes, even if you never need to use it, you're supporting the development. We're too small and not-for-profit based, so the contract is not feasible, but I always try to test and share my results if needed or asked (feedback is never a bad thing).

Some other things to consider why running PDNS is better:

1) BIND is agonizingly slow when loading lots of zones. Only recently have they bothered to work on that so it doesn't take 6 hours to load a ton of domains.
2) Auth and caching services can be run separately, helping keep one potential issue from affecting another.
3) Config options are a heck of a lot more easy to use/understand
4) It's trivially easy to run multiple backends, including the bind backend, and even run multiple server instances isolating types of customers, etc.
5) LUA and pipe backends

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: [Pdns-users] PDNS recursor Dual Stack
On 7/25/11 10:47 AM, Patrick Domack wrote:
> Why should I? it's working perfectly, and that sysctl is already set to 0

I must have misread what you were asking for then. Sorry!

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: [Pdns-users] [HELP REQUEST - protect PowerDNS] I have had a brutal mass-attack
To follow up, if you want to use fail2ban to block those types of queries automatically, here's a modified ruleset.

in /etc/fail2ban/filter.d/pdns.conf:
==
[Definition]
failregex = pdns(?:\[\d{1,5}\])?: Not authoritative for '.*',.*sending servfail to <HOST> \(recursion was desired\)
ignoreregex =
==

jail.conf:
[pdns-qdomain]
enabled = true
#port = domain,8053
protocol = udp
filter = pdns
logpath = /var/log/daemon.log
bantime = 259200
maxretry = 2

It's pretty easy to make matching rules.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: [Pdns-users] [HELP REQUEST - protect PowerDNS] I have had a brutal mass-attack
On 6/17/11 10:53 AM, kim Doff wrote:
> Hello,
>
> I have PowerDNS Authoritative Server is 2.9.22 on Centos 5.5 32 bits. I do not allow external recursion but I have had a brutal mass-attack from China and Romania. It is a "recursion was desired" attack.
>
> Does anyone know how to configure fail2ban to protect port 53? Is there a Tutorial for that? I am a newbie. I tried with iptables but I need something that automatically blocks ips.
>
> Best Regards,
> Kim

in /etc/fail2ban/filter.d/pdns.conf:
==
[Definition]
failregex = pdns(?:\[\d{1,5}\])?: Received a malformed qdomain from <HOST>
ignoreregex =
==

You'll need to change it to match your log line. Then, add the proper lines in jail.[conf,local] and it should work.

jail.conf:
[pdns-qdomain]
enabled = true
#port = domain,8053
protocol = udp
filter = pdns
logpath = /var/log/daemon.log
bantime = 259200
maxretry = 2
====

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
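Added example (not from the original messages and not fail2ban's own code): a Python check of how the two failregex lines and maxretry = 2 from the fail2ban messages above select hosts to ban. The stand-in pattern for <HOST>, the sample log lines and the name hosts_to_ban are assumptions made here; the findtime window is not modelled.

```python
import re
from collections import defaultdict

# fail2ban expands <HOST> itself; this simplified stand-in (an assumption,
# not fail2ban's own pattern) captures an IPv4 or IPv6 literal.
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"

# The two failregex lines from the messages above.
FAILREGEXES = [
    r"pdns(?:\[\d{1,5}\])?: Not authoritative for '.*',.*sending servfail to <HOST> \(recursion was desired\)",
    r"pdns(?:\[\d{1,5}\])?: Received a malformed qdomain from <HOST>",
]
MAXRETRY = 2  # maxretry from the [pdns-qdomain] jail

# Constructed sample log (documentation addresses, hypothetical host "ns1").
SAMPLE_LOG = """\
Jun 17 10:01:02 ns1 pdns[2210]: Not authoritative for 'www.example.net', sending servfail to 203.0.113.9 (recursion was desired)
Jun 17 10:01:03 ns1 pdns[2210]: Not authoritative for 'www.example.org', sending servfail to 203.0.113.9 (recursion was desired)
Jun 17 10:01:04 ns1 pdns[2210]: Not authoritative for 'www.example.net', sending servfail to 2001:db8::53 (recursion was desired)
Jun 17 10:01:05 ns1 pdns[2210]: Received a malformed qdomain from 198.51.100.4, 'x': sending servfail
Jun 17 10:01:06 ns1 pdns[2210]: Received a malformed qdomain from 198.51.100.4, 'y': sending servfail
Jun 17 10:01:07 ns1 pdns[2210]: AXFR of domain 'example.net' initiated by 192.0.2.10
"""


def hosts_to_ban(log_text, patterns=FAILREGEXES, maxretry=MAXRETRY, ignoreip=()):
    """Return hosts whose matching lines reach maxretry, in ban order."""
    filters = [re.compile(p.replace("<HOST>", HOST)) for p in patterns]
    hits = defaultdict(int)
    banned = []
    for line in log_text.splitlines():
        # First filter that matches wins; a line counts at most once.
        match = next((m for m in (rx.search(line) for rx in filters) if m), None)
        if match is None:
            continue  # ordinary log line, e.g. the AXFR entry
        host = match.group("host")
        if host in ignoreip:
            continue  # allowlisted address, never counted
        hits[host] += 1
        if hits[host] == maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

Because these queries arrive over UDP, the source address in the log line can be forged, so listing your own resolvers and secondaries under ignoreip in the jail keeps them from being banned by traffic they never sent.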
Re: [Pdns-users] is it necessary to add soa record? I don't use axfr.
On 11/10/10 9:05 PM, Xscape wrote:
> hi,
> I will manage one dns zone(or one domain) with pdns authoritative server (mysql backend). Is there any problems without soa record.

SOA record contains last update time, expire, retry, TTL times. Without it, you are seriously breaking RFC compliance.

I'm sure others on this list can say what breaks in PowerDNS when you do such things. :)

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
[Pdns-users] MacOS X support/development
Hello All,

I've got a G5 XServe running 10.5 - who would I need to talk to if I wanted to offer a ssh login to assist with OS X development of PowerDNS? :-)

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: [Pdns-users] Recursive lookups over IPv6 failing
On 4/5/10 11:16 AM, bert hubert wrote:
> On Mon, Apr 05, 2010 at 11:11:50AM -0600, Brielle Bruns wrote:
>>> The way I read your message was that it always fails via IPv6, but never via IPv4 - can you elaborate a bit? The default 'allow all' for IPv4 recursion may have been a mistake, a mistake we're not repeating for IPv6.
>>
>> During testing, it was failing 2 out of 3 queries in a row over IPv6. IE:
>>
>> www.aol.com -> SERVFAIL
>> www.aol.com -> SERVFAIL
>> www.aol.com -> 207.200.111.65
>
> It may be that the answer was in the packet cache. PowerDNS does not check 'allow-recurse' before consulting the packet cache - since it would not save any work.

I tested this on an isolated server where outside queries wouldn't affect the cache - and it did the same thing.

So, what I'm wondering, is if it's rejecting the first two queries, how is it getting the final positive response? Is it for whatever reason still doing the lookup on the backend during the first two, even if it sends back a failure to the client?

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: [Pdns-users] Recursive lookups over IPv6 failing
On 4/5/10 9:01 AM, bert hubert wrote:
> Brielle,
>
> The way I read your message was that it always fails via IPv6, but never via IPv4 - can you elaborate a bit? The default 'allow all' for IPv4 recursion may have been a mistake, a mistake we're not repeating for IPv6.

During testing, it was failing 2 out of 3 queries in a row over IPv6. IE:

www.aol.com -> SERVFAIL
www.aol.com -> SERVFAIL
www.aol.com -> 207.200.111.65

I could do this literally every time. IPv4 did not have this problem.

It seems, when I added:

allow-recursion=0.0.0.0/0,::/0

Started working every time.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: [Pdns-users] Recursive lookups over IPv6 failing
On 4/3/10 8:09 AM, bert hubert wrote:
> On Fri, Apr 02, 2010 at 01:09:19PM -0600, Brielle Bruns wrote:
>> Querying from IPv6 host on the same LAN to the server:
>>
>> www.apple.com
>> ;; Got SERVFAIL reply from 2001:470:e867::3, trying next server
>
> Brielle, have you added ::/0 to the allow-recurse list? That solves the exact same issue here.
>
> Bert

Solved it here too. *scratches her head*

So, if allow-recursion is commented out, even though it allows all ipv4, there's something weird with the way it handles ipv6 that makes it fail some of the time, succeed other times. But yet, if I put in an allow for ::/0 it suddenly works all the time, no failures.

Fun. I think that qualifies as a bug?

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
Re: [Pdns-users] Recursive lookups over IPv6 failing
On 4/2/10 3:02 PM, Leen Besselink wrote:
> What I haven't seen you try is, did you try the pdns-recursor on port 8053 directly with IPv6 and IPv4, any strange results for that?

Sorry, I knew I forgot something. :)

Works fine direct querying on port 8053. Looks like it's getting hung up somewhere in the pdns_server side of things.

I was able to reproduce this on a firewall that's not Xen based, as I wanted to make sure there wasn't something with my virt platform somewhere.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org
[Pdns-users] Recursive lookups over IPv6 failing
Hello all,

I've got a weird issue, don't know if it's come up before, and I'm not exactly sure where to file a bug report about it either.

Server: 2.9.22 (Debian 2.9.22-3 package from sid, recompiled for lenny)
Recursor: 3.2 (Debian 3.2-1 package from sid, recompiled for lenny)
Backends: gmysql

I've got a dual stack host that runs both authoritative and recursive (yes, I know they should be separate) services, with auth running on TCP/UDP 53, and recursive running on TCP/UDP 8053. Server is set to forward queries to 8053 for the recursor to handle. IPv4 and IPv6 ranges involved are allowed to query/recurse on the server.

Querying from IPv6 host on the same LAN to the server:

> www.apple.com
;; Got SERVFAIL reply from 2001:470:e867::3, trying next server

It then tries the same server over ipv4, and is successful. Try it another time, same exact results. Try it a third time, and it is successful, returning the expected non-auth answers.

Logs show the following:

Apr 2 13:02:57 snowbank pdns[9084]: Not authoritative for 'www.apple.com', sending servfail to 2001:470:e867::2 (recursion was desired)
Apr 2 13:03:57 snowbank pdns[9084]: Not authoritative for 'www.apple.com', sending servfail to 2001:470:e867::2 (recursion was desired)

With no log entry for the third time querying.

It does _not_ do this when querying over ipv4 - only over ipv6. I can reproduce this from any ipv6 host for any non-auth domain. The whole 2 out of 3 queries failing thing is a bit odd.

Anyone have any insight or things I should try?

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org