Date:      Mon, 1 Apr 2013 11:04:02 -0700
From:      "Don O'Neil" <lists@lizardhill.com>
To:        "'Michael Sierchio'" <kudzu@tenebras.com>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: Problems with IPFW causing failed DNS and FTP sessions
Message-ID:  <058e01ce2f03$4aa46c20$dfed4460$@com>
In-Reply-To: <CAHu1Y714J5o2Xove%2BENJiSEojhdqA9gdTkjzXi5%2BJ1YO=NBK4g@mail.gmail.com>
References:  <049d01ce2e89$c428ab80$4c7a0280$@com>	<CAHu1Y70GrfKs9QQZDpm2rHXorEwWDebnd2=k5=LbVZLCdfzEJA@mail.gmail.com>	<04ae01ce2e92$1283bf10$378b3d30$@com>	<CAHu1Y70Y98ccp6_bRXmz8ZGnYVUFfgD4n=mXrRAgLaoh8Ya2Fg@mail.gmail.com>	<050001ce2eca$894d0240$9be706c0$@com> <CAHu1Y714J5o2Xove%2BENJiSEojhdqA9gdTkjzXi5%2BJ1YO=NBK4g@mail.gmail.com>

My DNS config is pretty generic. I did try putting in the options to stop
recursive lookups, but all that did was cause even more failures (permission
denied lookups, etc...), so I removed that.

Here's my basic config:

options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

};

zone "." {
        type hint;
        file "named.root";
};

I'm not sure the problem is specific to named, but something more systemic
with IPFW... like I said, FTP sessions are timing out as well, and when I
turn off IPFW that fixes that problem too.

Is there any way to monitor what IPFW is dropping, by some sort of counters
rather than logging everything, and see what's going on internally to IPFW?

Thanks!

-----Original Message-----
From: Michael Sierchio [mailto:kudzu@tenebras.com] 
Sent: Monday, April 01, 2013 7:23 AM
To: Don O'Neil
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with IPFW causing failed DNS and FTP sessions

Okay, what's your DNS setup?  Are you running a recursive cache that
contacts the root servers directly?  Using your ISP's servers?  Etc.

As a mitigation step, I tried pointing my caches to 8.8.8.8 and
8.8.4.4. - but it turns out that Google is intentionally blocking
(returning NX responses to) many netblocks right now because they
contain hosts known to be part of the botnet in the DDOS DNS
amplification attack.

I'm mirroring the root zone everywhere I have a cache, and it's helping.
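On the counters question raised above: IPFW keeps a packet and byte counter per rule, and `ipfw -a list` (the same as `ipfw show`) prints them without any logging. The script below is an added example, not part of this thread or of FreeBSD's own tooling. It parses two snapshots of that output, taken some seconds apart, and reports only the deny/reject rules whose counters grew in between, which is usually enough to see which rule is eating the DNS replies or FTP data connections. The two snapshots are constructed sample text in the style of `ipfw -a list` (rule number, packets, bytes, rule body); the rule numbers and counts are made up for illustration.

```python
import re
import subprocess

# One line of `ipfw -a list` / `ipfw show` without the -t flag:
# rule number, packet counter, byte counter, then the rule body.
RULE_RE = re.compile(r'^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$')

# Actions that discard traffic; a growing counter on one of these is
# what we want to surface.
BLOCKING_ACTIONS = {"deny", "drop", "reject", "unreach"}

# Constructed sample snapshots (hypothetical rule set, not the poster's).
SNAPSHOT_BEFORE = """\
00100      40     3000 allow ip from any to any via lo0
00200       0        0 deny ip from any to 127.0.0.0/8
00300     120    15800 allow tcp from any to any established
00400      18     1300 allow udp from me to any 53 keep-state
00500       5      420 deny log udp from any 53 to me
00600       2      160 deny tcp from any to me 21
65535      77     6100 deny ip from any to any
"""

SNAPSHOT_AFTER = """\
00100      41     3080 allow ip from any to any via lo0
00200       0        0 deny ip from any to 127.0.0.0/8
00300     131    17300 allow tcp from any to any established
00400      24     1750 allow udp from me to any 53 keep-state
00500      11      930 deny log udp from any 53 to me
00600       2      160 deny tcp from any to me 21
65535      83     6600 deny ip from any to any
"""


def parse_ipfw_list(text):
    """Map rule number -> {"packets", "bytes", "body"} from `ipfw -a list` text."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # e.g. the "## Dynamic rules" section header
        num, pkts, byts, body = m.groups()
        rules[int(num)] = {"packets": int(pkts), "bytes": int(byts), "body": body}
    return rules


def blocking_deltas(before, after):
    """Return [(rule, packet_delta, byte_delta, body)] for blocking rules whose
    packet counter increased between the two snapshots, in rule order."""
    hits = []
    for num, cur in sorted(after.items()):
        action = cur["body"].split()[0]
        if action not in BLOCKING_ACTIONS:
            continue
        prev = before.get(num, {"packets": 0, "bytes": 0})
        dp = cur["packets"] - prev["packets"]
        db = cur["bytes"] - prev["bytes"]
        if dp > 0:
            hits.append((num, dp, db, cur["body"]))
    return hits


def live_snapshot():
    """Read the real counters on a FreeBSD host (requires root for ipfw)."""
    return parse_ipfw_list(subprocess.check_output(["ipfw", "-a", "list"], text=True))


def report(hits):
    for num, dp, db, body in hits:
        print(f"rule {num:05d}: +{dp} pkts / +{db} bytes  {body}")


if __name__ == "__main__":
    # Offline demonstration on the constructed snapshots.
    report(blocking_deltas(parse_ipfw_list(SNAPSHOT_BEFORE),
                           parse_ipfw_list(SNAPSHOT_AFTER)))
```

In practice, call `live_snapshot()` twice with a `sleep` in between while reproducing a failing lookup or FTP transfer, then feed both to `blocking_deltas()`. `ipfw zero` resets the counters if the absolute numbers are more convenient than deltas, and `ipfw -d list` adds the dynamic (keep-state) entries, which is where to look if stateful UDP rules for port 53 are expiring before the reply arrives. The parser assumes plain `ipfw -a list` output; with `-t` a last-match timestamp sits between the counters and the rule body, and the regex would need a further field.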



