From: "Don O'Neil"
To: "'Michael Sierchio'"
Cc: freebsd-questions@freebsd.org
Subject: RE: Problems with IPFW causing failed DNS and FTP sessions
Date: Mon, 1 Apr 2013 11:04:02 -0700
Message-ID: <058e01ce2f03$4aa46c20$dfed4460$@com>

My DNS config is pretty generic. I did try putting in the options to stop recursive lookups, but all that did was cause even more failures (permission denied lookups, etc...), so I removed that.

Here's my basic config:

    options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        dump-file "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
    };

    zone "." {
        type hint;
        file "named.root";
    };

I'm not sure the problem is specific to named, but something more systemic with IPFW.... like I said, FTP sessions are timing out as well, and when I turn off IPFW that fixes that problem too.

Is there any way to monitor what IPFW is dropping, by some sort of counters rather than logging everything, and see what's going on internally to IPFW?

Thanks!

-----Original Message-----
From: Michael Sierchio [mailto:kudzu@tenebras.com]
Sent: Monday, April 01, 2013 7:23 AM
To: Don O'Neil
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with IPFW causing failed DNS and FTP sessions

Okay, what's your DNS setup? Are you running a recursive cache that contacts the root servers directly? Using your ISP's servers? Etc.

As a mitigation step, I tried pointing my caches to 8.8.8.8 and 8.8.4.4 - but it turns out that Google is intentionally blocking (returning NX responses to) many netblocks right now because they contain hosts known to be part of the botnet in the DDOS DNS amplification attack.

I'm mirroring the root zone everywhere I have a cache, and it's helping.
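An added example (not from either poster) of the counter-based approach Don asks about: a POSIX sh script that diffs two `ipfw show` listings and reports which deny rules dropped packets in between, so a single failing lookup or FTP login can be matched to the rule that ate it. The function names and the two sample listings are constructed; on a FreeBSD host the live snapshots come from `ipfw show`, which needs root.

```shell
#!/bin/sh
# Added example: find which ipfw rules are dropping packets by diffing the
# per-rule counters from two `ipfw show` (= `ipfw -a list`) listings instead
# of logging every packet. Static rule lines look like:
#   <rule#> <packets> <bytes> <action> <rest of rule>
# Function names are hypothetical; the two sample listings are constructed.

# ipfw_drop_delta BEFORE AFTER: print deny/reset/unreach rules whose packet
# counter grew between the two listings, with the number of new drops.
ipfw_drop_delta() {
    printf '%s\n@@SNAPSHOT@@\n%s\n' "$1" "$2" | awk '
        /^@@SNAPSHOT@@$/ { second = 1; next }
        # only lines with numeric rule#, packets, bytes (skips the
        # "## Dynamic rules" header printed by ipfw -d and other chatter)
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            if (!second) { pkts[$1] = $2; next }
            if ($4 != "deny" && $4 != "reset" && $4 != "unreach") next
            delta = $2 - (($1 in pkts) ? pkts[$1] : 0)
            if (delta <= 0) next
            rule = $4
            for (i = 5; i <= NF; i++) rule = rule " " $i
            printf "%s +%d pkts %s\n", $1, delta, rule
        }'
}

# ipfw_drop_watch SECONDS: live version for a FreeBSD host (needs root):
# snapshot, wait while reproducing the failing lookup or FTP login, snapshot
# again and print only the rules that dropped something in between.
ipfw_drop_watch() {
    before=$(ipfw show) || return 1
    sleep "${1:-10}"
    after=$(ipfw show) || return 1
    ipfw_drop_delta "$before" "$after"
}

# Constructed sample listings: the second shows the default rule 65535
# catching 27 more packets, i.e. traffic no earlier rule matched.
BEFORE_SAMPLE='00100     12     960 allow ip from any to any via lo0
00200      0       0 deny ip from any to 127.0.0.0/8
00300    500   65000 check-state
00400    120    9600 allow udp from 192.0.2.10 to any 53 keep-state
65535     40    3200 deny ip from any to any'
AFTER_SAMPLE='00100     14    1120 allow ip from any to any via lo0
00200      0       0 deny ip from any to 127.0.0.0/8
00300    540   70000 check-state
00400    130   10400 allow udp from 192.0.2.10 to any 53 keep-state
65535     67    5400 deny ip from any to any'

ipfw_drop_delta "$BEFORE_SAMPLE" "$AFTER_SAMPLE"
```

On a live host, `ipfw zero` before the failing request and `ipfw -d show` afterwards show the same thing for a single event, and also whether the dynamic (keep-state) entry that should carry the UDP reply or FTP data connection is still present.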