For the benefit of the archives, I want to share what I found while
troubleshooting a high CPU issue on two of our servers running BIND. (We
happen to be running Debian Wheezy with a Debian patched version of BIND
9.7.3)
While looking through some graphs I noticed that the CPU of two of our
serve
@nagios:/etc/bind#
Frank
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Tuesday, June 23, 2015 10:31 PM
To: Frank Bulk
Cc: bind-us...@isc.org
Subject: Re: DNSSEC validation on 9.7.4 not working
Should have asked for +dnssec on those queries. Also "date -u"
7.0.0.1)
;; WHEN: Tue Jun 23 22:17:59 2015
;; MSG SIZE rcvd: 586
Frank
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Tuesday, June 23, 2015 10:11 PM
To: Frank Bulk
Cc: bind-us...@isc.org
Subject: Re: DNSSEC validation on 9.7.4 not working
In message <003d01d0
t/DS)
23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fced04fd9e0: a1784.dscg.akamai.net : bad cache hit (net/DS)
23-Jun-2015 20:43:48.761 dnssec: info: validating @0x7fced04fd9e0: e1181.dscb.akamaiedge.net : bad cache hit (net/DS)
Of course, once the TLDs aren't considered valid every
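The log lines above are the useful part of this report: every failing name is blamed on the same cache entry, net/DS, which is why "everything under .net" breaks at once. The script below is an added example, not code from the thread or from ISC, that groups BIND's "bad cache hit" messages by the cache entry they blame so the common cause stands out. It assumes the dnssec-category log format shown above (the query type between the name and the colon is optional, since the excerpt in the thread omits it); the sample log is constructed, and the example.com line and the client query line are there only to show that unrelated entries and non-matching lines are handled.

```python
# Added example (not from the original thread): triage BIND "bad cache hit"
# validation failures by the cache entry they blame, so a single stale or
# bad DS/DNSKEY entry for a TLD is recognised as the common cause rather
# than as dozens of unrelated failures.
import re
from collections import defaultdict

# Matches the dnssec-category message
#   "validating @0x...: <name> [<qtype>]: bad cache hit (<key>/<keytype>)".
# The query type is optional because some log excerpts (like the one in the
# thread) drop it.
BAD_CACHE_HIT = re.compile(
    r"dnssec: \w+: validating @0x[0-9a-f]+: "
    r"(?P<name>\S+) (?:(?P<qtype>[A-Z0-9]+))?: bad cache hit "
    r"\((?P<key>[^/)]+)/(?P<keytype>[A-Z0-9]+)\)"
)

def triage_bad_cache_hits(lines):
    """Group bad-cache-hit failures by the cache entry blamed.
    Returns {"<key>/<keytype>": sorted list of distinct names that failed}."""
    blamed = defaultdict(set)
    for line in lines:
        m = BAD_CACHE_HIT.search(line)
        if m:
            blamed["%s/%s" % (m["key"], m["keytype"])].add(m["name"].rstrip("."))
    return {k: sorted(v) for k, v in blamed.items()}

def worst_offender(lines):
    """The cache entry responsible for the most failing names, or None."""
    groups = triage_bad_cache_hits(lines)
    if not groups:
        return None
    return max(groups.items(), key=lambda kv: len(kv[1]))[0]

# Constructed sample log in the format shown in the thread (the @0x... pointer
# and the example.com / client lines are placeholders).
SAMPLE_LOG = """\
23-Jun-2015 20:43:48.759 dnssec: info: validating @0x7fced04fd9e0: a1784.dscg.akamai.net : bad cache hit (net/DS)
23-Jun-2015 20:43:48.761 dnssec: info: validating @0x7fced04fd9e0: e1181.dscb.akamaiedge.net : bad cache hit (net/DS)
23-Jun-2015 20:43:49.002 dnssec: info: validating @0x7fced04fd9e0: www.example.com A: bad cache hit (example.com/DNSKEY)
23-Jun-2015 20:43:49.100 client 192.0.2.10#53211: query: www.example.net IN A + (192.0.2.1)
""".splitlines()

if __name__ == "__main__":
    for key, names in triage_bad_cache_hits(SAMPLE_LOG).items():
        print("%-20s %d names, e.g. %s" % (key, len(names), names[0]))
    print("most likely culprit:", worst_offender(SAMPLE_LOG))
```

A high count against a short key such as net/DS points at the resolver's own cache (or its clock, which is why the reply above asks for `date -u`) rather than at the individual names; re-checking the blamed entry with `dig +dnssec` against the authoritative servers is the next step.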
There are free ones:
http://www.frankb.us/dns/
http://networking.ringofsaturn.com/Unix/freednsservers.php
Regards,
Frank
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Robert Moskowitz
Sent: Tuesday, February 03, 2015 4:43
Rob,
I like to use DNSstuff because it can check each path:
http://www.dnsstuff.com/tools#dnsTraversal|type=domain&&value=4.254.253.50.in-addr.arpa&&recordType=PTR
Frank
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Rob
bind-users@lists.isc.org
Subject: Re: Unable to get for www.revk.uk from some of our servers
On 24/12/14 17:08, Frank Bulk wrote:
> Except queries from 96.31.0.5 and 199.120.69.24 reliably return the
> while queries from 96.31.0.20 do not. And we're all the same ISP, and in
> th
Except queries from 96.31.0.5 and 199.120.69.24 reliably return the
while queries from 96.31.0.20 do not. And we're all the same ISP, and in
the one case, from the same /24. I don't think Google is that granular. And
we do have good IPv6 connectivity.
Regards,
Frank Bulk
---
ews [mailto:ma...@isc.org]
Sent: Tuesday, December 23, 2014 6:38 PM
To: Frank Bulk
Cc: bind-us...@isc.org
Subject: Re: Unable to get for www.revk.uk from some of our servers
In message <001e01d01f0e$980b6070$c8222150$@iname.com>, "Frank Bulk" writes:
> Thanks, Mark.
>
IN NS ns4.google.com.
;; Received 170 bytes from 2001:503:a83e::2:30#53(a.gtld-servers.net) in 150 ms
;; connection timed out; no servers could be reached
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Tuesday
the "\- ;-$NXRRSET" mean?
Working server shows this in the dump:
; authanswer
ghs.l.google.com. 287 2607:f8b0:4001:c08::79
;
Regards,
Frank Bulk
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Tuesday, December 23, 2014 2:53 PM
To: Fra
From time to time there are certain domains that don't properly resolve on
our corporate Windows DNS servers, but flushing the Windows DNS server cache
resolves that. But yesterday I ran into an issue with resolving the
for www.revk.uk on just some of our ISP DNS servers and I have time to dig
Here’s some suggestions from ISC on capturing information on this memory growth
issue:
https://kb.isc.org/article/AA-01208
Frank
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Oberman
Sent: Saturday, December 13, 2014 12:07 PM
To: Muku
>> On 09.12.14 21:36, Frank Bulk wrote:
>>> Perhaps it wasn't NXDOMAIN -- I didn't capture the output. But there
>>> definitely was no answer. The institution only has two authoritative
>>> nameserver entries, both pointing to the same IP, so all i
riginal Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Tuesday, December 09, 2014 9:32 PM
To: Frank Bulk
Cc: bind-us...@isc.org
Subject: Re: rndc flushname not working
Nameservers being down does not result in NXDOMAIN responses. I
suspect that some of the auth servers were pro
Our ISP operations are running a mixture of 9.7.3 and 9.8.4 on several
Debian servers and we've noticed that rndc flushname doesn't work many
times.
This weekend we had a local institution whose own authoritative DNS servers
[all of them] were offline for 48+ hours and so there were several
negati
21, 2014 8:21 PM
To: Frank Bulk
Cc: bind-users
Subject: Re: Digging to the final IP
On Oct 19, 2014, at 1:26, Frank Bulk wrote:
> Is there a dig option that will list out the final (IPs) or query result?
> By default, even with +short, it can list intermediate CNAME(s) and not
what
> I
lf Of Phil Mayers
Sent: Monday, October 20, 2014 8:39 AM
To: bind-users@lists.isc.org
Subject: Re: Digging to the final IP
On 20/10/14 14:22, Frank Bulk (iname.com) wrote:
> We're using this in a bash shell script. I don't think there's a native
> shell command to get the IP
We’re using this in a bash shell script. I don’t think there’s a native shell
command to get the IP, so I’ll use a mixture of host and dig as necessary.
Thanks,
Frank
From: Fajar A. Nugraha [mailto:w...@fajar.net]
Sent: Sunday, October 19, 2014 11:04 PM
To: Frank Bulk
Cc: comp
n
>
> No improvements come from shouting:
>
> "MALE BOVINE MANURE!!!"
>
> > On 19 Oct 2014, at 08:05, Karl Auer wrote:
> >
> >> On Sun, 2014-10-19 at 00:26 -0500, Frank Bulk wrote:
> >> Is there a dig option that will list out the final (IPs
Is there a dig option that will list out the final (IPs) or query result?
By default, even with +short, it can list intermediate CNAME(s) and not what
IP(s) that CNAME may have.
For example,
root@nagios:/tmp# dig mail.automatedwastesystems.net +short
mail3.sandhills.com.
ven
decide that? As far as I know I haven't had any issues until now...
Jeff
On Jun 25, 2013, at 6:26 AM, Matus UHLAR - fantomas
wrote:
>> On 24.06.13 07:41, Frank Bulk wrote:
>>> Interesting to note that querying for ANY does return an SOA. I can't
>>> exp
age-
From: bind-users-bounces+frnkblk=iname@lists.isc.org
[mailto:bind-users-bounces+frnkblk=iname@lists.isc.org] On Behalf Of
Frank Bulk
Sent: Saturday, June 22, 2013 8:56 PM
To: 'SH Development'; bind-users@lists.isc.org
Subject: RE: Secondary DNS question...
stariononline.com ha
stariononline.com has two NSes listed, ns1.starionhost.net [74.87.108.83]
and ns2.starionhost.net [64.136.200.138]. But the first one does not seem
to want to respond (http://goo.gl/s41wN and http://dnscheck.iis.se/ and
http://www.zonecut.net/dns/index.cgi are just a few examples) to a few of
the
There's more: both ns1.netbcp.com and ns2.netbcp.net don't respond to
queries about nbc.com and ns1.netbcp.com doesn't respond over TCP.
Frank
From: bind-users-bounces+frnkblk=iname@lists.isc.org
[mailto:bind-users-bounces+frnkblk=iname@lists.isc.org] On Behalf Of
Kevin Darcy
Sent
For the domains that we're primary and authoritative we check the listing of
each customer's WHOIS record to confirm they're using the right DNS servers
and then query our upstream's DNS server (which is slaving it) to make sure
they're responding authoritatively. We also query a public DNS server
One possible default setting is to say a certain percentage or volume of
disk space free.
Frank
-Original Message-
From: bind-users-bounces+frnkblk=iname@lists.isc.org
[mailto:bind-users-bounces+frnkblk=iname@lists.isc.org] On Behalf Of
Anand Buddhdev
Sent: Wednesday, November 30
We had the same thing, affected only one of our DNS servers (behind a
load-balancer). Here's the relevant log snippet:
Nov 15 23:03:33 mail1 named[4601]: query.c:1781: INSIST(!
dns_rdataset_isassociated(sigrdataset)) failed, back trace
Nov 15 23:03:33 mail1 named[4601]: #0 0x7f1b1e97686f in ?
Would be nice if the error output or log would indicate such failures.
Frank
-Original Message-
From: bind-users-bounces+frnkblk=iname@lists.isc.org
[mailto:bind-users-bounces+frnkblk=iname@lists.isc.org] On Behalf Of
Tony Finch
Sent: Wednesday, August 17, 2011 9:31 AM
To: Fredrik
Yes, this message arrived in my Inbox 44 minutes after it was sent.
Frank
-Original Message-
From: bind-users-bounces+frnkblk=iname@lists.isc.org
[mailto:bind-users-bounces+frnkblk=iname@lists.isc.org] On Behalf Of
Warren Kumari
Sent: Tuesday, May 31, 2011 4:59 PM
To: Warren Kumar
rton [mailto:do...@dougbarton.us]
Sent: Monday, May 30, 2011 2:19 PM
To: frnk...@iname.com
Cc: 'babu dheen'; bind-users@lists.isc.org
Subject: Re: Split DNS Configuration in BIND
On 05/30/2011 09:15, Frank Bulk wrote:
> Not all firewalls can hairpin a public IP back to a private IP.
Not all firewalls can hairpin a public IP back to a private IP. We've had
to do this, too.
Yes, we could have created a separate zone, but that would require training
our staff to use one FQDN internally and another with the customers. Easier
to teach one thing to the staff and push the compl
Which DNS server are you digging? It's possible that (by default) you're
digging against a server that has the old entry still cached.
Frank
-Original Message-
From: bind-users-bounces+frnkblk=iname@lists.isc.org
[mailto:bind-users-bounces+frnkblk=iname@lists.isc.org] On Behalf O
You can do an "ipconfig /displaydns" to see some TTL info.
Frank
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of John Horne
Sent: Thursday, October 15, 2009 3:07 AM
To: Bind users
Subject: Nslookup not showing TTL
Hello,
Us
Perhaps the inverse would be more interesting: what's the lowest-spec
hardware that could host an OS that would run the latest version of BIND. =)
Frank
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry Margolin
Sent: Sa
Your name servers are reporting:
t1dns1.anl.gov.
t1dns2.anl.gov.
ns-lvk.es.net.
ns-aoa.es.net.
oxygen.aps.anl.gov.
ns1.es.net.
nsx.lbl.gov.
The first two are results of CNAMES for dns1.aps.anl.gov and
dns2.aps.anl.gov, respectively. According to RFC 1912 2.4 and RFC 2181
10.3, you ought not to ha
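The two threads above, "Digging to the final IP" and this reply about NS records that resolve through a CNAME, both come down to reading a dig answer section properly. The script below is an added example, not code from either thread or from ISC: it parses `dig +noall +answer` output, follows a CNAME chain to the terminal A/AAAA records (what `dig +short` stops short of when it prints only the CNAME), and flags NS targets whose own lookup returns a CNAME, which RFC 2181 section 10.3 says must not happen. The sample answers are constructed: the addresses are documentation-range placeholders, and the zone name aps.anl.gov is assumed from the host names in the reply, since the message does not name the zone.

```python
# Added example (not from either thread): reduce dig answer sections to the
# two facts the threads were after, (1) the terminal A/AAAA records behind a
# CNAME chain and (2) whether an NS target is itself a CNAME (RFC 2181 10.3).
import subprocess

def canon(name):
    """Lower-case, fully-qualified form so owner names compare reliably."""
    return name.lower().rstrip(".") + "."

def parse_answer(text):
    """Parse `dig +noall +answer` output into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        parts = line.split(None, 4)          # owner ttl class type rdata
        if len(parts) == 5:
            owner, _ttl, _cls, rtype, rdata = parts
            records.append((canon(owner), rtype.upper(), rdata.strip()))
    return records

def follow_chain(name, records, max_hops=8):
    """Follow CNAMEs from `name` through `records`.
    Returns (terminal_name, addresses); addresses is empty when the chain ends
    at a name with no A/AAAA in this answer, so the caller can re-query it.
    Loops and over-long chains raise instead of spinning."""
    name, seen = canon(name), []
    while True:
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.append(name)
        if len(seen) > max_hops:
            raise ValueError("CNAME chain longer than %d hops" % max_hops)
        addrs = sorted(rd for o, t, rd in records if o == name and t in ("A", "AAAA"))
        if addrs:
            return name, addrs
        targets = [rd for o, t, rd in records if o == name and t == "CNAME"]
        if not targets:
            return name, []
        name = canon(targets[0])

def ns_targets_that_are_cnames(zone, ns_answer, target_answers):
    """Return the NS targets of `zone` whose own A lookup came back as a CNAME.
    `target_answers` maps each NS target (canonical form) to its parsed answer."""
    bad = []
    for o, t, rd in parse_answer(ns_answer):
        if o == canon(zone) and t == "NS":
            target = canon(rd)
            recs = target_answers.get(target, [])
            if any(o2 == target and t2 == "CNAME" for o2, t2, _ in recs):
                bad.append(target)
    return bad

def dig(name, rtype="A", server=None):
    """Run dig for real (needs network) and return the parsed answer."""
    cmd = ["dig", "+noall", "+answer", name, rtype]
    if server:
        cmd.insert(1, "@" + server)
    return parse_answer(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)

def final_addresses(name, server=None):
    """Live version: re-queries the chain tail when the answer stops at a CNAME."""
    tail, addrs = follow_chain(name, dig(name, "A", server))
    if not addrs and tail != canon(name):
        tail, addrs = follow_chain(tail, dig(tail, "A", server))
    return addrs

# Constructed samples in dig's answer format (placeholder addresses; the zone
# aps.anl.gov is assumed).
CHAIN_ANSWER = """\
mail.automatedwastesystems.net. 3600 IN CNAME mail3.sandhills.com.
mail3.sandhills.com.            300  IN A     192.0.2.25
mail3.sandhills.com.            300  IN A     192.0.2.26
"""
NS_ANSWER = "aps.anl.gov. 3600 IN NS dns1.aps.anl.gov.\naps.anl.gov. 3600 IN NS ns1.es.net.\n"
TARGET_ANSWERS = {
    canon("dns1.aps.anl.gov"): parse_answer(
        "dns1.aps.anl.gov. 3600 IN CNAME t1dns1.anl.gov.\nt1dns1.anl.gov. 3600 IN A 192.0.2.53\n"),
    canon("ns1.es.net"): parse_answer("ns1.es.net. 3600 IN A 198.51.100.53\n"),
}

if __name__ == "__main__":
    print(follow_chain("mail.automatedwastesystems.net", parse_answer(CHAIN_ANSWER)))
    print(ns_targets_that_are_cnames("aps.anl.gov", NS_ANSWER, TARGET_ANSWERS))
```

In a shell script, `final_addresses()` replaces the mixture of `host` and `dig` mentioned in the thread; the bounded hop count matters because a looping CNAME pair is a real misconfiguration, not a theoretical one, and an unbounded follower would hang the monitoring job.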
Sounds interesting.
How is it different than these?:
http://whois.webhosting.info
http://www.domaintools.com/reverse-ip/
Frank
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jay Ess
Sent: Tuesday, June 16, 2009 7:19 PM
To:
(For pay) tools like the PTR trace from DNSreports do a very nice job of
showing how the reverse is delegated, step by step.
Frank
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jeff Lasman
Sent: Friday, June 12, 2009 11:34
Just to add to the excellent comments already posted here, using +trace can
be helpful in seeing how things are delegated. I use the paid version of
DNSreports to provide a non-tech friendly version of the delegation, which
has the added benefit of being able to trace it down other "branches" as
riginal Message-
From: SM [mailto:s...@resistor.net]
Sent: Saturday, May 16, 2009 12:46 PM
To: Frank Bulk
Cc: bind-users@lists.isc.org
Subject: Re: dig printout doesn't appear to match reality
At 08:53 16-05-2009, Frank Bulk wrote:
>It appears that dig is printing results that it attribut
Ok, now I'm following you. I don't live and breathe this like you and
Chris do. =)
If dns3.uiowa.edu's cache was flushed for sioux-center.k12.ia.us, what
do you think the query results for
dig @DNS3.UIOWA.EDU sioux-center.k12.ia.us ns +noall +answer
would be?
Frank
-Original M
Thanks for the response. The wheels are already in motion to get this
inconsistency resolved. Unfortunately, the stated response time for this
state agency is 2 weeks. =(
Frank
-Original Message-
From: sth...@nethelp.no [mailto:sth...@nethelp.no]
Sent: Saturday, May 16, 2009 11:20 AM
T
Buxton [mailto:cbux...@menandmice.com]
Sent: Saturday, May 16, 2009 11:09 AM
To: Frank Bulk
Cc: bind-users@lists.isc.org
Subject: Re: dig printout doesn't appear to match reality
If you send the server a recursive query, you get an answer from its
cache. If you sent it an iterative query
It appears that dig is printing results that it attributes to the wrong
server.
While troubleshooting an inconsistent NS issue (upstream from us), a trace
(at the end of this message) shows that DNS3.UIOWA.EDU listed two NS
records, when in fact, if you query DNS3.UIOWA.EDU for the domain in
quest
I've had a rough time with BlueCat's Adonis product on the DHCP side of
things. There are feature and stability gaps that take months and years to
resolve. Their releases are always just a few weeks or months away, but
take longer to materialize. I've been waiting over a year for code that
they
& CIDR
On Sun, 08 Mar 2009 21:28:55 -0500, Frank Bulk wrote:
> There are other DNS servers that do a better job for RBLs.
>
> Frank
I'm listening.
There are other DNS servers that do a better job for RBLs.
Frank
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Stephen Ward
Sent: Sunday, March 08, 2009 5:20 AM
To: comp-protocols-dns-b...@isc.org
Subject: Zonefiles & CIDR
Frank
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR -
fantomas
Sent: Monday, February 09, 2009 3:15 AM
To: bind-users@lists.isc.org
Subject: Re: NS validation?
On 07.02.09 20:58, Frank Bulk - iName.com wrote
A business customer of ours could not change their DNS entry at Register.com
from ns1.mtcnet.net/ns1.netins.net.
After 10 failed attempts thru register.com to register
to ns1.mtcnet.net and ns1.netins.net, I contacted Register.com
and escalated this call to their highest t
Al:
If you read RFC 2181 section 10.3, RFC 1034 section 3.6, RFC 1912 (page 6),
the average person would understand that it's strongly discouraged. Perhaps
"illegal" is too strong a word, but the weight of the RFCs and best
practices appears to disagree with your assessment that "there is no s
M
To: frnk...@iname.com
Cc: BIND Users Mailing List
Subject: Re: denied NS/IN
On Jan 20, 2009, at 3:52 PM, Frank Bulk wrote:
> That's being discussed on NANOG, here's one thread:
> http://markmail.org/message/ydiqnztzmz5qmusf
>
> See here for more details in blocking them:
That's being discussed on NANOG, here's one thread:
http://markmail.org/message/ydiqnztzmz5qmusf
See here for more details in blocking them:
http://www.cymru.com/Documents/secure-bind-template.html
specifically:
blackhole {
// Deny anything from the bogon networks as
// detail
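The snippet above is cut off where the Cymru template starts listing networks. The fragment below is an added example, not the template itself and not from the thread: a `blackhole` list restricted to address space that is permanently reserved, so it cannot go stale the way a list of "unallocated" /8s does (several blocks in older bogon lists have since been allocated and are in legitimate use). It assumes a public-facing authoritative server with no clients or upstreams in these ranges.

```conf
// Added example (not the Cymru template): permanently reserved space only.
acl "bogons" {
    0.0.0.0/8;        // "this" network
    10.0.0.0/8;       // RFC 1918
    100.64.0.0/10;    // RFC 6598 shared address space (CGNAT)
    127.0.0.0/8;      // loopback
    169.254.0.0/16;   // link-local
    172.16.0.0/12;    // RFC 1918
    192.0.2.0/24;     // TEST-NET-1 (documentation)
    192.168.0.0/16;   // RFC 1918
    198.18.0.0/15;    // benchmarking
    198.51.100.0/24;  // TEST-NET-2
    203.0.113.0/24;   // TEST-NET-3
    224.0.0.0/3;      // multicast, reserved (class E) and broadcast
};

options {
    // named neither answers queries from nor sends queries to these
    // addresses. Use this only where nothing legitimate lives in the list:
    // a recursive resolver whose clients sit in RFC 1918 or CGNAT space, or
    // one that forwards to a 10.x / 172.16.x / 192.168.x upstream, must not
    // blackhole those ranges.
    blackhole { bogons; };
};
```

Because `blackhole` is silent, a mistake here looks like an outage with no log entry; test with `dig` from an address inside and outside the list before deploying, and keep the ACL in its own file so it can be reviewed separately from the rest of `named.conf`.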
f Of Barry Margolin
Sent: Monday, January 19, 2009 9:47 PM
To: comp-protocols-dns-b...@moderators.individual.net
Subject: Re: SERVFAIL issues
In article ,
"Frank Bulk" wrote:
> Sorry for not being more clear. It's my understanding that "rndc stats"
> dumps only
Sorry for not being more clear. It's my understanding that "rndc stats"
dumps only a subset of what ARM provides.
Regards,
Frank
-Original Message-
From: JINMEI Tatuya / 神明達哉 [mailto:jinmei_tat...@isc.org]
Sent: Monday, January 19, 2009 1:38 PM
To: Frank Bulk
Cc: bin
This issue of how applications and operating systems resolve single-word
TLDs and host names was discussed on NANOG some time ago:
http://www.mail-archive.com/na...@nanog.org/msg03092.html
Regards,
Frank
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...
M
To: frnk...@iname.com
Cc: 'Fr34k'; bind-us...@isc.org
Subject: Re: SERVFAIL issues
At Fri, 16 Jan 2009 14:24:28 -0600,
"Frank Bulk - iName.com" wrote:
> Yes, I read that last night before posting. I changed it to "256M". Is
> there a way using rndc to see i
x-cache-size 0 ;
will restore previous behavior (unlimited).
The ultimate setting would need to be considered for the environment BIND is
running in.
FWIW, we use max-cache-size 0 ; without issue.
You can search this list archives for max-cache-size for previous
discussions on this.
Thanks.
--
http://marc.info/?l=bind-users&m=122239920822324&w=2
http://marc.info/?l=bind-users&m=122243068905656&w=2
We upgraded to 9.5.0-P1 when the Kaminsky DNS vulnerability was announced
and have had intermittent issues with SERVFAIL problems for some DSL modems
that don't properly fail over to a seconda