Dear all:
I had been running both BIND 8 and Squid under SuSe 6.2 until recently when I switched to RedHat 9 with BIND 9 and Squid from the 3 CDs.
Both in the old SuSe and new RedHat 9 now, I configure BIND to use forwarding by adding to /etc/named.conf this:
forwarders {
        N.N.N.N;        // The IP of ISP DNS Server
};
forward only;
Now, BIND 9 always prints these errors below into /var/log/messages:
---
Oct 29 11:09:37 nslinux named[2787]: client 192.168.1.154#1264: updating zone 'my.office.org/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Oct 29 11:09:37 nslinux named[2787]: client 192.168.1.154#1267: update 'my.office.org/IN' denied
---
And my 1 Mbps Internet connection (leased line) has always been saturated since the switch-over. I don't know if that is the DNS forwarding problem or a worm/spyware on my network.
Anyone has an idea? Hope for your kind and helpful response.
Regards, Vidol
Kh Linux wrote:
Dear all:
I had been running both BIND 8 and Squid under SuSe 6.2 until recently when I switched to RedHat 9 with BIND 9 and Squid from the 3 CDs.
Both in the old SuSe and new RedHat 9 now, I configure BIND to use forwarding by adding to /etc/named.conf this:
forwarders {
        N.N.N.N;        // The IP of ISP DNS Server
};
forward only;
Now, BIND 9 always prints these errors below into /var/log/messages:
Oct 29 11:09:37 nslinux named[2787]: client 192.168.1.154#1264: updating zone 'my.office.org/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Oct 29 11:09:37 nslinux named[2787]: client 192.168.1.154#1267: update 'my.office.org/IN' denied
These messages are nothing to do with your forwarding. They are probably caused by being the DNS server for a domain that a bunch of Windows boxes are in. The Windows boxes are trying to do dynamic DNS updates when they get their DHCP leases.
See http://www.ibiblio.org/gferg/ldp/BIND+AD-HOWTO/BIND+AD-HOWTO.html for more info.
And my 1 Mbps Internet connection (leased line) has always been saturated since the switch-over. I don't know if that is the DNS forwarding problem or a worm/spyware on my network.
You may need to use tcpdump/ethereal to see what the activity on the network is.
Paul.
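The "updating zone" and "update denied" lines Paul identifies are worth tallying per client so you can see which LAN hosts are attempting dynamic updates. The following is an added example, not code from the thread or from BIND; it runs over constructed sample lines modelled on the ones quoted above (the query line and the second client address are assumptions).

```shell
#!/bin/sh
# Constructed sample of named log lines, modelled on those quoted in the thread.
# The first two are the thread's own lines; the query line and the second
# client (192.168.1.77) are constructed so the summary has something to rank.
sample_log() {
  cat <<'EOF'
Oct 29 11:09:37 nslinux named[2787]: client 192.168.1.154#1264: updating zone 'my.office.org/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Oct 29 11:09:37 nslinux named[2787]: client 192.168.1.154#1267: update 'my.office.org/IN' denied
Oct 29 11:09:38 nslinux named[2787]: client 192.168.1.154#1270: query: www.yahoo.com IN A
Oct 29 11:10:02 nslinux named[2787]: client 192.168.1.77#1031: update 'my.office.org/IN' denied
EOF
}

# Read named log lines on stdin and print "<client-ip> <update-attempts>",
# most active client first. Only dynamic-update messages are counted;
# ordinary query log lines from the same clients are ignored.
update_clients() {
  awk '
    /named\[[0-9]+\]: client [0-9.]+#[0-9]+: (updating zone |update .* denied)/ {
      for (i = 1; i <= NF; i++)
        if ($i == "client") { split($(i + 1), a, "#"); n[a[1]]++ }
    }
    END { for (c in n) print c, n[c] }
  ' | sort -k2,2nr -k1,1
}

# Usage: summarise the constructed sample (on a real box:
# update_clients < /var/log/messages).
sample_log | update_clients
```

Hosts that show up here are the Windows boxes Paul describes; the server's default of refusing updates is what produces the "denied" line, so the tally is informational rather than a sign of compromise.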
Dear Paul:
Thank you very much for your reply.
Could you please, or someone in the list, advise me further? Could it be that the forwarding takes up a lot of bandwidth to my ISP?
Or could it be the problem with Squid? I simply installed the Squid RPM that comes with the RedHat 9 CDs. I don't know how to fine-tune Squid performance, perhaps you could give some advice or point me to a good Web site on it.
Thanks, Vidol
----- Original Message ----- From: "Paul Howarth" paul@city-fan.org To: "For users of Fedora Core releases" fedora-list@redhat.com Sent: Friday, October 29, 2004 4:00 PM Subject: Re: BIND 9 Problem - DNS Forwarding
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
On Fri, 2004-10-29 at 11:34 +0700, Kh Linux wrote:
Dear all:
I had been running both BIND 8 and Squid under SuSe 6.2 until recently when I switched to RedHat 9 with BIND 9 and Squid from the 3 CDs.
Red Hat Linux 9 is very old now and no longer supported. I would *really* suggest that you wait another week and install Fedora Core 3 when it is released.
Then I suggest you use a network analyzer like ethereal to figure out what the traffic is. No amount of DNS traffic will fill a 1 Mbps pipe. Squid does have logs, so you should be able to see whether it has a part in the puzzle.
Cheers,
Dear Rodolfo and all:
Thank you for your response.
Would Fedora Core 3 solve the problem of ";;connection timed out; no servers could be reached"? I usually get the message the first time I do the query (#host www.yahoo.com) right after restarting named. And I had to do the query 2 or 3 times to get named to answer it correctly. This does not happen with a query for a host in my local domains. I have tried it in RedHat7.3, RedHat 9, and Fedora Core 2 and BIND still behaves the same.
For your reference, please see below the result of the above 'host' command:
----Start---------
[root@fc2linux root]# host www.yahoo.com
;; connection timed out; no servers could be reached
[root@fc2linux root]# host www.yahoo.com
www.yahoo.com is an alias for www.yahoo.akadns.net.
www.yahoo.akadns.net has address 66.94.230.52
www.yahoo.akadns.net has address 66.94.230.32
www.yahoo.akadns.net has address 66.94.230.34
www.yahoo.akadns.net has address 66.94.230.36
www.yahoo.akadns.net has address 66.94.230.38
www.yahoo.akadns.net has address 66.94.230.42
www.yahoo.akadns.net has address 66.94.230.43
www.yahoo.akadns.net has address 66.94.230.47
[root@fc2linux root]#
----End---------
And below is my /etc/named.conf file:
-----Start----------
// generated by named-bootconf.pl

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 port 953 allow { localhost; 127.0.0.1; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

include "/etc/rndc.key";

zone "my.domain.org" IN {
        type master;
        file "my.domain.org.dns";
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "1.168.192.dns";
};
-------END--------------
Hope for your kind response again.
Regards, Vidol
----- Original Message ----- From: "Rodolfo J. Paiz" rpaiz@simpaticus.com To: "For users of Fedora Core releases" fedora-list@redhat.com Sent: Friday, October 29, 2004 10:14 PM Subject: Re: BIND 9 Problem - DNS Forwarding
On Sun, 31 Oct 2004, Kh Linux wrote:
Dear Rodolfo and all:
Thank you for your response.
Would Fedora Core 3 solve the problem of ";;connection timed out; no servers could be reached"? I usually get the message the first time I do the query (#host www.yahoo.com) right after restarting named. And I had to do the query 2 or 3 times to get named to answer it correctly. This does not happen with a query for a host in my local domains. I have tried it in RedHat7.3, RedHat 9, and Fedora Core 2 and BIND still behaves the same.
No...I don't think changing your OS will have anything to do with not being able to resolve DNS queries.
2 Questions:
1) What does your /etc/resolv.conf file look like?
2) Is named even running? As root, run "service named status" and give us the results.
Hi Mike,
Here they are:
=== /etc/resolv.conf=====
[root@rh9linux root]# cat /etc/resolv.conf
search kh.undp.org
nameserver 192.168.1.14
=========End=======
=== Result of (# ps auxw | grep named) ==========
[root@rh9linux root]# ps -auxw | grep -i named
named    11369  0.0  1.2 31092 3208 ?      S    Oct31   0:18 [named]
root     15991  0.0  0.2  3568  628 pts/0  S    12:54   0:00 grep -i named
==== End (It's not running as root, but named) =========
=== Result of (# service named status) ==========
[root@rh9linux root]# service named status
number of zones: 8
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running
======== End =============
As the result shows, 'named' is being run by the user 'named'; should I start it as 'root'?
Thanks & Regards, Vidol
----- Original Message ----- From: "Mike Burger" mburger@bubbanfriends.org To: "For users of Fedora Core releases" fedora-list@redhat.com Sent: Sunday, October 31, 2004 9:17 PM Subject: Re: BIND 9 Problem - DNS Forwarding
On Mon, 2004-11-01 at 06:10, Kh Linux wrote:
Hi Mike,
Here they are:
=== /etc/resolv.conf=====
[root@rh9linux root]# cat /etc/resolv.conf
search kh.undp.org
nameserver 192.168.1.14
So you are using a nameserver on your LAN at 192.168.1.14? Who maintains that nameserver? Is that your IP address?
=== Result of (# ps auxw | grep named) ==========
[root@rh9linux root]# ps -auxw | grep -i named
named    11369  0.0  1.2 31092 3208 ?      S    Oct31   0:18 [named]
root     15991  0.0  0.2  3568  628 pts/0  S    12:54   0:00 grep -i named
==== End (It's not running as root, but named) =========
That's normal, nothing to worry about there.
Paul.
Dear Paul:
Thanks again for your response.
So you are using a nameserver on your LAN at 192.168.1.14? Who maintains that nameserver? Is that your IP address?
Yes. And I have a CISCO PIX Firewall which will do the NAT for all local addresses in 192.168.1.x.
It's been like this for years now. Recently, my old SuSe 6.2 server crashed; it was running BIND 8 with forwarding to my ISP and was very fast. When I started anew, I wanted to shift to RedHat but was still wondering which version is the best. I decided first to go for RH7.3 but then IPTABLES did not seem to be complete; so I decided to go for RH9.0. I've been searching around and found that many people encountered the same problem but no clear solution.
Let me raise it again; the problem is that, I usually get this error message from named: ";;Connection timed out; no servers could be reached" when I do "# host www.yahoo.com", but after the second or third try, it responds correctly.
Could you suggest which RedHat/Fedora version I should use? I cannot wait for FC3.
The only 3 most important packages I need are: BIND, Squid and IPTABLES. I'd like very much to get RH Enterprise 3, but it's not available in the market here; and I don't know where and how to buy one.
And, what could be the problem with my DNS server behind the PIX Firewall and with its IP being masqueraded? As I pointed above we had no problem with the old server (running SuSe 6.2 with BIND 8).
Thanks again and regards, Vidol
Kh Linux wrote:
So you are using a nameserver on your LAN at 192.168.1.14? Who maintains that nameserver? Is that your IP address?
Yes. And I have a CISCO PIX Firewall which will do the NAT for all local addresses in 192.168.1.x.
It's been like this for years now. Recently, my old SuSe 6.2 server crashed; it was running BIND 8 with forwarding to my ISP and was very fast. When I started anew, I wanted to shift to RedHat but was still wondering which version is the best. I decided first to go for RH7.3 but then IPTABLES did not seem to be complete; so I decided to go for RH9.0. I've been searching around and found that many people encountered the same problem but no clear solution.
Let me raise it again; the problem is that, I usually get this error message from named: ";;Connection timed out; no servers could be reached" when I do "# host www.yahoo.com", but after the second or third try, it responds correctly.
This points to your DNS resolver code taking a long time to do its job. After your second or third try, the answer has been received and is cached on your nameserver.
The tool to use to diagnose this problem is dig.
Try:
dig www.yahoo.com +trace
This will do a DNS lookup of www.yahoo.com "from first principles", starting at the root nameservers and working its way down the DNS hierarchy until it gets the answer. If you're getting slow responses from somewhere, this should be apparent in the output.
Could you suggest which RedHat/Fedora version I should use? I cannot wait for FC3.
I can't think of anything distribution-specific that would cause this problem. I don't think it's a good idea to be using an old, unmaintained version of the OS like RH9 either. I think it would be best to diagnose and fix the problem on the system you already have running, and think carefully about what to upgrade to (FC3 is out next week, or you could go for a supported distro like SuSE).
The only 3 most important packages I need are: BIND, Squid and IPTABLES. I'd like very much to get RH Enterprise 3, but it's not available in the market here; and I don't know where and how to buy one.
You could always use Whitebox Enterprise Linux, which is virtually the same thing but available for free download: http://www.whiteboxlinux.org/
Paul.
Kh Linux wrote:
Let me raise it again; the problem is that, I usually get this error message from named: ";;Connection timed out; no servers could be reached" when I do "# host www.yahoo.com", but after the second or third try, it responds correctly.
Something else that occurs to me: previously you mentioned that your ISP told you that your 1MBit link was fully saturated with traffic. Did you find out what that problem was, and fix it? If that problem is still there then that would account for your slow DNS (and all other Internet-access) performance.
Paul.
On Mon, 01 Nov 2004 10:46:03 +0000, Paul Howarth paul@city-fan.org wrote:
Kh Linux wrote:
Let me raise it again; the problem is that, I usually get this error message from named: ";;Connection timed out; no servers could be reached" when I do "# host www.yahoo.com", but after the second or third try, it responds correctly.
My 2 cents:
Might want to uncomment the following line in your named.conf
// query-source address * port 53;
This will revert to the pre-BIND 8.1 behaviour. If your PIX rules are set up that way you probably do not get the delay anymore.
Regarding the saturated link: try the elimination method: stop Squid for a moment (yes, users will complain) and do some DNS testing and see if anything changes. If DNS responds normally, take a look at the Squid config. I set up my Squid with delay pools to take 80% of our bandwidth so some is left for other stuff on the link.
Marco.
Thank you.
My 2 cents:
Might want to uncomment the following line in your named.conf
// query-source address * port 53;
I did that as I found it on a thread from the Net, but did not solve the problem.
This will revert to the pre-BIND 8.1 behaviour. If your PIX rules are set up that way you probably do not get the delay anymore.
Regarding the saturated link: try the elimination method: stop Squid for a moment (yes, users will complain) and do some DNS testing and see if anything changes. If DNS responds normally, take a look at the Squid config. I set up my Squid with delay pools to take 80% of our bandwidth so some is left for other stuff on the link.
I tried to stop Squid and restart the DNS; it still did not solve the problem (;;connection timed out). How do you tell Squid to take only 80% of the bandwidth?
My PIX keeps getting Input Packet Errors (the number of errors keeps increasing). I am not sure what causes this. Maybe that makes it very slow. And the MRTG graph shows only 3.5k for my 1 Mbps link. I think that is the main cause. Sorry to bother you all around.
Let me try to resolve my PIX problem first. Well, it is out of topic but may I ask if anyone has an idea of what's wrong with my PIX or my local network? What could cause Input Packet errors?
Thank you all again; I'm very grateful.
Regards, Vidol
I tried to stop Squid and restart the DNS; still not solve the problem (;;connection timed out). How do you tell Squid to take only 80% of the bandwidth?
You need to setup delay pools in squid. Read about it at http://squid.visolve.com/squid/squid24s1/delaypool.htm.
Basically, add these lines to your squid.conf:
delay_pools 1
delay_class 1 2
delay_parameters 1 450000/500000 300000/350000
You will have to tune the x/x pair of parameters to get the byte/sec right for your link (these are my values)
Marco.
On Mon, 01 Nov 2004 19:08:45 +0700, Kh Linux fedora.kh@undp.org wrote:
Yes Paul, exactly. I've just checked out my PIX interface. I got a lot of errors on input packets. Let me fix the problem first and get back here again. Hope my DNS setting is fine.
Regards, Vidol
----- Original Message ----- From: "Paul Howarth" paul@city-fan.org To: "For users of Fedora Core releases" fedora-list@redhat.com Sent: Monday, November 01, 2004 5:46 PM Subject: Re: BIND 9 Problem - DNS Forwarding