From owner-freebsd-stable  Wed Apr  3 14:04:46 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236])
	by hub.freebsd.org (Postfix) with ESMTP id C763F37B400
	for ; Wed, 3 Apr 2002 14:04:35 -0800 (PST)
Received: from isc.org (localhost.dv.isc.org [127.0.0.1])
	by drugs.dv.isc.org (8.11.6/8.11.2) with ESMTP id g33M4Ax56644;
	Thu, 4 Apr 2002 08:04:11 +1000 (EST)
	(envelope-from marka@isc.org)
Message-Id: <200204032204.g33M4Ax56644@drugs.dv.isc.org>
To: hawkeyd@visi.com
Cc: stable at FreeBSD
From: Mark.Andrews@isc.org
Subject: Re: named connections "in vain"
In-reply-to: Your message of "Wed, 03 Apr 2002 08:16:30 CST." <20020403081630.A20450@sheol.localdomain>
Date: Thu, 04 Apr 2002 08:04:10 +1000
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> Hello all.
>
> This may not be the correct forum, but I'm not sure where else to go with
> this.
>
> I have the "log in vain" MIBs set on, and I get these messages, seemingly
> whenever named queries an external server:
>
> Apr  3 07:36:41 sheol /kernel: Connection attempt to UDP 192.168.16.2:2303 from 192.168.16.2:53
> Apr  3 07:37:45 sheol /kernel: Connection attempt to UDP 192.168.16.2:2311 from 192.168.16.2:53
> Apr  3 07:37:50 sheol /kernel: Connection attempt to UDP 192.168.16.2:2312 from 192.168.16.2:53
> Apr  3 07:38:00 sheol /kernel: Connection attempt to UDP 192.168.16.2:2313 from 192.168.16.2:53
> Apr  3 07:38:20 sheol /kernel: Connection attempt to UDP 192.168.16.2:2314 from 192.168.16.2:53
>
> I can't figure out what named is trying to talk with.

Named is replying to clients that have already given up waiting. These are
most probably SERVFAILs saying that the nameserver has given up, but they
could also be late answers where the nameserver has had to work through
several dead servers.
Remember that there are a lot of misconfigured servers out there.

> The only theory I can
> come up with is that named is not waiting long enough for the forwarder to
> reply, and does the query itself. When the forwarder does [finally] reply,
> the connection has already been closed (either by named or ipf)? The Cricket
> book (3rd ed.) isn't much help on this.
>
> See below the ASCII-sig for relevant config files. Can anyone point out my
> error(s)? I'll supply more info as required.
>
> Some notes:
> - OS is FreeBSD-RELEASE-p2. BIND is 8.2.4-REL.
> - This is on the "internal" side of a gateway box.
> - ipfilter's rules are wide open on this interface. ipnat's rule is
>   "map dc1 192.168.16.0/24 -> XXX.XXX.XXX.YYY/32".
> - These messages lessen in frequency when "forward" is set to "only" in
>   /etc/namedb/named.conf .

That's because it takes time for the forwarder to decide that it can't get
an answer, and more time for the nameserver to decide it can't get an answer
for itself, hence more clients give up before named returns SERVFAIL.

> - localhost is defined only in /etc/namedb/p/named.localdomain .
> - mozilla takes forever to resolve, and generates a lot of these messages.
>   Other apps resolve pretty quickly.
>
> TIA,
> Dave
>
> --
> D. J. HAWKEY JR.
> hawkeyd@visi.com
> http://www.visi.com/~hawkeyd/
>
> ---8<--- /etc/resolv.conf
>
> domain localdomain
> nameserver 192.168.16.2
>
> --->8---
>
> ---8<--- /etc/rc.conf (excerpted)
>
> hostname="sheol.localdomain"
> ifconfig_dc0="inet 192.168.16.2 netmask 255.255.255.0"    # internal side
> ifconfig_dc1="inet XXX.XXX.XXX.YYY netmask 255.255.255.252" # external side
> gateway_enable="YES"
>
> named_enable="YES"
> named_flags="-u bind -g bind"
>
> defaultrouter="XXX.XXX.XXX.XXX"
> ipfilter_enable="YES"
> ipnat_enable="YES"
> ipmon_enable="YES"
> ipfs_enable="YES"
> xntpd_enable="YES"
> xntpd_flags="-A -p /var/run/ntpd.pid"
>
> --->8---
>
> ---8<--- /etc/sysctl.conf
>
> kern.ipc.somaxconn=1024
> net.inet.icmp.drop_redirect=1
> net.inet.icmp.log_redirect=1
> net.inet.ip.redirect=0
> net.inet6.ip6.redirect=0
> net.inet.ip.sourceroute=0
> net.inet.ip.accept_sourceroute=0
> net.link.ether.inet.max_age=1200
> net.inet.icmp.bmcastecho=0
> # log segments/datagrams that arrive for a port with no listening socket
> net.inet.tcp.log_in_vain=1
> net.inet.udp.log_in_vain=1
>
> --->8---
>
> ---8<--- /etc/namedb/named.conf
>
> options {
>         directory "/etc/namedb";
>         query-source address * port 53;
>         forwarders { YYY.YYY.YYY.YYY; ZZZ.ZZZ.ZZZ.ZZZ; };
>         forward first;
>         listen-on { 192.168.16.0/24; };
>         allow-query { 192.168.16.0/24; };
>         allow-recursion { 192.168.16.0/24; };
>         allow-transfer { 192.168.16.0/24; };
> };
>
> zone "." {
>         type hint;
>         file "named.root";
> };
>
> zone "0.0.127.in-addr.arpa" IN {
>         type master;
>         file "p/0.0.127.in-addr.arpa";
>         #allow-update { 192.168.16.2; };
> };
>
> zone "localdomain" IN {
>         type master;
>         file "p/named.localdomain";
>         #allow-update { 192.168.16.2; };
> };
>
> zone "16.168.192.in-addr.arpa" IN {
>         type master;
>         file "p/16.168.192.in-addr.arpa";
>         #allow-update { 192.168.16.2; };
> };
>
> --->8---
>
> ---8<--- /etc/ipf.rules (excerpted)
>
> block out quick on dc1 all head 10
> ...
> pass out quick on dc1 proto tcp from any to any port = 53 flags S keep state keep frags group 10
> pass out quick on dc1 proto udp from any to any port = 53 keep state group 10
> ...
> block out log on dc1 all group 10
>
> --->8---

--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
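The diagnosis above (replies from port 53 landing on an ephemeral port whose resolver client has already closed its socket) is easy to confirm from the logs themselves. The following script is an added example, not code from the thread or from FreeBSD/BIND: it parses the kernel's log_in_vain lines and separates late DNS answers from datagrams that deserve a look. The five sample lines are the ones from the post; the two marked constructed are made up for the example, as are the local address set, the placeholder forwarder addresses standing in for YYY.YYY.YYY.YYY / ZZZ.ZZZ.ZZZ.ZZZ, and the assumed start of the ephemeral port range.

```python
"""Triage FreeBSD net.inet.udp.log_in_vain messages (added example)."""
import re
from collections import Counter

# Shape of the 4.x-era log_in_vain line as shown in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst_ip>\d+(?:\.\d+){3}):(?P<dst_port>\d+) "
    r"from (?P<src_ip>\d+(?:\.\d+){3}):(?P<src_port>\d+)"
)

# Assumptions for this example; adjust for your host:
#   addresses that belong to this box, the forwarders from named.conf
#   (placeholders here), and the bottom of the ephemeral port range
#   (FreeBSD's default net.inet.ip.portrange.first is 1024).
LOCAL_ADDRS = {"192.168.16.2", "127.0.0.1"}
FORWARDERS = {"198.51.100.1", "198.51.100.2"}
EPHEMERAL_FIRST = 1024

# Constructed sample input: lines 1-5 are from the post, 6-7 are invented.
SAMPLE_LOG = [
    "Apr  3 07:36:41 sheol /kernel: Connection attempt to UDP 192.168.16.2:2303 from 192.168.16.2:53",
    "Apr  3 07:37:45 sheol /kernel: Connection attempt to UDP 192.168.16.2:2311 from 192.168.16.2:53",
    "Apr  3 07:37:50 sheol /kernel: Connection attempt to UDP 192.168.16.2:2312 from 192.168.16.2:53",
    "Apr  3 07:38:00 sheol /kernel: Connection attempt to UDP 192.168.16.2:2313 from 192.168.16.2:53",
    "Apr  3 07:38:20 sheol /kernel: Connection attempt to UDP 192.168.16.2:2314 from 192.168.16.2:53",
    # constructed: NetBIOS name-service probe from an internal host
    "Apr  3 07:40:02 sheol /kernel: Connection attempt to UDP 192.168.16.2:137 from 192.168.16.77:137",
    # constructed: a "DNS answer" from a server this host never queries
    "Apr  3 07:41:15 sheol /kernel: Connection attempt to UDP 192.168.16.2:2320 from 203.0.113.9:53",
]


def parse_line(line):
    """Return the fields of a log_in_vain line as a dict, or None for other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dst_port"] = int(rec["dst_port"])
    rec["src_port"] = int(rec["src_port"])
    return rec


def classify(rec):
    """Label one parsed record.

    late-dns-reply    : answer from port 53 of a server we query, to an ephemeral
                        port on this host; the client gave up before it arrived.
    dns-reply-unknown : same shape, but from a server we never query (spoofed,
                        or an answer to a query this host did not send).
    service-probe     : datagram aimed at a low port with no listener.
    other             : left for manual review.
    """
    if rec["proto"] != "UDP":
        return "other"
    to_ephemeral = rec["dst_ip"] in LOCAL_ADDRS and rec["dst_port"] >= EPHEMERAL_FIRST
    if rec["src_port"] == 53 and to_ephemeral:
        if rec["src_ip"] in LOCAL_ADDRS or rec["src_ip"] in FORWARDERS:
            return "late-dns-reply"
        return "dns-reply-unknown"
    if rec["dst_port"] < EPHEMERAL_FIRST:
        return "service-probe"
    return "other"


def triage(lines):
    """Parse and classify a batch of lines; return (label counts, records worth a look)."""
    counts = Counter()
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        counts[label] += 1
        if label != "late-dns-reply":
            flagged.append((label, rec))
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{n:4d}  {label}")
    for label, rec in flagged:
        print(f"{label}: {rec['src_ip']}:{rec['src_port']} -> "
              f"{rec['dst_ip']}:{rec['dst_port']} at {rec['ts']}")
```

Run against the five lines from the post, every record is a reply from the box's own named (port 53) to a high port on the same address, exactly the late-answer pattern described above; only the two constructed lines are flagged. Feeding it /var/log/messages and checking that the late-reply count tracks resolver activity (Mozilla's slow lookups, for instance) is a cheaper confirmation than tcpdump.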