
#top Useful information


#top network unreachable resolving


The following messages appear in the named server log /var/log/named/named.log. Each line names the query that failed and, after the colon, the address of the authoritative server named tried to reach; note that every one of those addresses is an IPv6 address:
13-Jan-2015 15:15:05.438 error (network unreachable) resolving 'wysylka7.pracuj.pl/A/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53

14-Jan-2015 17:21:42.231 error (network unreachable) resolving 'wysylka7.pracuj.pl/A/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53

18-Jan-2015 09:25:31.837 error (network unreachable) resolving 'wysylka.pracuj.pl/MX/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53

28-Jan-2015 11:51:32.967 error (network unreachable) resolving 'wysylka.pracuj.pl/AAAA/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53

08-Feb-2015 11:03:37.615 error (network unreachable) resolving 'wysylka.pracuj.pl/MX/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53

09-Feb-2015 11:40:15.608 error (network unreachable) resolving 'wysylka7.pracuj.pl/A/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53

12-Feb-2015 18:48:50.479 error (network unreachable) resolving 'wysylka7.pracuj.pl/A/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53

14-Feb-2015 14:24:59.983 error (network unreachable) resolving 'wysylka.pracuj.pl/AAAA/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53

16-Feb-2015 14:55:03.107 error (network unreachable) resolving 'wysylka.pracuj.pl/A/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53
16-Feb-2015 14:55:03.107 error (network unreachable) resolving 'wysylka.pracuj.pl/AAAA/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53
16-Feb-2015 14:55:03.108 error (network unreachable) resolving 'wysylka.pracuj.pl/A/IN': 2001:1a68:7:1:250:56ff:feb4:ea6#53
16-Feb-2015 14:55:03.108 error (network unreachable) resolving 'wysylka.pracuj.pl/AAAA/IN': 2001:1a68:7:1:250:56ff:feb4:ea6#53

17-Feb-2015 16:42:56.341 error (network unreachable) resolving 'wysylka7.pracuj.pl/A/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53

19-Feb-2015 15:50:16.048 error (network unreachable) resolving '246.66.200.193.in-addr.arpa/PTR/IN': 2001:500:13::c7d4:35#53
19-Feb-2015 15:50:16.048 error (network unreachable) resolving '246.66.200.193.in-addr.arpa/PTR/IN': 2001:dc0:2001:a:4608::59#53

11-Mar-2015 12:09:25.253 error (network unreachable) resolving 'wysylka.pracuj.pl/MX/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53

15-Mar-2015 15:12:56.923 error (network unreachable) resolving 'wysylka.pracuj.pl/A/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53
15-Mar-2015 15:12:56.923 error (network unreachable) resolving 'wysylka.pracuj.pl/AAAA/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53

Matching warnings in the mail server log /var/log/mail/mail.log. Postfix emits "address not listed for hostname" when the PTR record of the connecting address (here wysylka.pracuj.pl for 176.119.40.86) resolves forward to a set of addresses that does not contain the connecting address, so the forward-confirmed reverse DNS check fails; the timestamps coincide with the named errors above because those are the lookups the check triggered:
Jan 13 15:15:05 wbcd postfix/smtpd[29758]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl

Jan 14 17:21:42 wbcd postfix/smtpd[19261]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl
Jan 14 17:21:42 wbcd postfix/smtpd[19263]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl
Jan 14 17:21:42 wbcd postfix/smtpd[19264]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl

Jan 18 09:25:31 wbcd postfix/smtpd[7489]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl

Jan 28 11:51:32 wbcd postfix/smtpd[13182]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl

Feb  8 11:03:37 wbcd postfix/smtpd[15383]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl

Feb  9 11:40:15 wbcd postfix/smtpd[15854]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl

Feb 12 18:48:50 wbcd postfix/smtpd[6596]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl
Feb 12 18:48:50 wbcd postfix/smtpd[6598]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl

Feb 14 14:24:59 wbcd postfix/smtpd[9133]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl

Feb 16 14:55:03 wbcd postfix/smtpd[24893]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl

Feb 17 16:42:56 wbcd postfix/smtpd[11410]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl
Feb 17 16:42:56 wbcd postfix/smtpd[11418]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl

Mar 11 12:09:25 wbcd postfix/smtpd[30764]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl

Mar 15 15:12:56 wbcd postfix/smtpd[11166]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl

Mar 18 08:33:24 wbcd postfix/smtpd[1429]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl
Mar 19 08:44:45 wbcd postfix/smtpd[19373]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl


The observable result in the headers of received messages: the client is recorded as (unknown [176.119.40.86]) instead of its verified hostname, while wysylka7.pracuj.pl is only the name the client announced in HELO/EHLO:
Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id C747C44213
	for <*****@wbcd.pl>; Tue, 13 Jan 2015 15:15:05 +0100 (CET)


Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id 1EF6D44214
	for <*****@wbcd.pl>; Wed, 14 Jan 2015 17:21:42 +0100 (CET)

Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id 206DD44215
	for <*****@wbcd.pl>; Wed, 14 Jan 2015 17:21:42 +0100 (CET)

Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id 20EAC44216
	for <*****@wbcd.pl>; Wed, 14 Jan 2015 17:21:42 +0100 (CET)


Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id 4698B44218
	for <*****@wbcd.pl>; Sun, 18 Jan 2015 09:25:31 +0100 (CET)


Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id 4110844220
	for <*****@wbcd.pl>; Wed, 28 Jan 2015 11:51:33 +0100 (CET)


Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id B7C394422B
	for <*****@wbcd.pl>; Sun,  8 Feb 2015 11:03:37 +0100 (CET)


Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id 7CBB94422C
	for <*****@wbcd.pl>; Mon,  9 Feb 2015 11:40:15 +0100 (CET)


Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id C501D44230
	for <*****@wbcd.pl>; Thu, 12 Feb 2015 18:48:50 +0100 (CET)

Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id B3EB64422F
	for <*****@wbcd.pl>; Thu, 12 Feb 2015 18:48:50 +0100 (CET)


Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id 2CC2F44231
	for <*****@wbcd.pl>; Sat, 14 Feb 2015 14:25:00 +0100 (CET)


Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id 4B10444233
	for <*****@wbcd.pl>; Mon, 16 Feb 2015 14:55:03 +0100 (CET)


Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id 918EA44234
	for <*****@wbcd.pl>; Tue, 17 Feb 2015 16:42:56 +0100 (CET)


Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id 95B7144237
	for <*****@wbcd.pl>; Thu, 19 Feb 2015 15:50:16 +0100 (CET)


Received: from wysylka7.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id A531D4424A
	for <*****@wbcd.pl>; Wed, 11 Mar 2015 12:09:25 +0100 (CET)


Received: from wysylka.pracuj.pl (unknown [176.119.40.86])
	by wbcd.pl (Postfix) with ESMTP id 3681F4424E
	for <*****@wbcd.pl>; Sun, 15 Mar 2015 15:12:56 +0100 (CET)
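
The correlation described above, as an added example that is not part of the original page: a Python script that parses both log formats, pairs each Postfix warning with the named errors logged within two seconds of it, and reports whether the unreachable servers are all IPv6. The sample lines are a constructed subset of the excerpts above; because syslog timestamps carry no year, the script assumes a single year for the whole mail log.

```python
import re
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input, modelled on the log excerpts above (a subset, not the full logs).
NAMED_LOG = """\
13-Jan-2015 15:15:05.438 error (network unreachable) resolving 'wysylka7.pracuj.pl/A/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53
16-Feb-2015 14:55:03.107 error (network unreachable) resolving 'wysylka.pracuj.pl/A/IN': 2001:1a68:7:10:250:56ff:fe8c:4433#53
16-Feb-2015 14:55:03.108 error (network unreachable) resolving 'wysylka.pracuj.pl/AAAA/IN': 2001:1a68:7:1:250:56ff:feb4:ea6#53
19-Feb-2015 15:50:16.048 error (network unreachable) resolving '246.66.200.193.in-addr.arpa/PTR/IN': 2001:500:13::c7d4:35#53
"""
MAIL_LOG = """\
Jan 13 15:15:05 wbcd postfix/smtpd[29758]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl
Feb  8 11:03:37 wbcd postfix/smtpd[15383]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl
Feb 16 14:55:03 wbcd postfix/smtpd[24893]: warning: 176.119.40.86: address not listed for hostname wysylka.pracuj.pl
"""

NAMED_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"error \(network unreachable\) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>[0-9A-Fa-f:.]+)#\d+$"
)
MAIL_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<client>[0-9A-Fa-f:.]+): address not listed for hostname (?P<ptr>\S+)$"
)


def parse_named(text):
    """named lines: the query that failed and the server named tried to reach."""
    events = []
    for line in text.splitlines():
        m = NAMED_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
                "name": m["name"], "rtype": m["rtype"],
                "server": ipaddress.ip_address(m["server"]),
            })
    return events


def parse_mail(text, year):
    """Postfix lines: syslog timestamps carry no year, so the caller supplies it
    (assumption: the file does not span a year boundary)."""
    events = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append({"ts": ts, "client": ipaddress.ip_address(m["client"]), "ptr": m["ptr"]})
    return events


def correlate(named_events, mail_events, window=timedelta(seconds=2)):
    """Pair every Postfix FCrDNS warning with the named errors logged within
    `window` of it: those are the lookups the check triggered for that client."""
    pairs = []
    for mail in mail_events:
        hits = [ev for ev in named_events if abs(ev["ts"] - mail["ts"]) <= window]
        if hits:
            pairs.append({"mail": mail, "named": hits})
    return pairs


def diagnose(named_events):
    """Which transport fails: if every unreachable target is IPv6 the resolver has no
    IPv6 path, and zone retry tuning will not help (run named with -4 or fix IPv6 routing)."""
    families = Counter(ev["server"].version for ev in named_events)
    total = sum(families.values())
    if total and families[6] == total:
        return "ipv6-unreachable"
    if total and families[4] == total:
        return "ipv4-unreachable"
    return "mixed" if total else "no-events"


if __name__ == "__main__":
    named = parse_named(NAMED_LOG)
    mail = parse_mail(MAIL_LOG, year=2015)
    for p in correlate(named, mail):
        names = sorted({ev["name"] for ev in p["named"]})
        print(p["mail"]["ts"], p["mail"]["client"], "PTR", p["mail"]["ptr"], "->", names)
    print("diagnosis:", diagnose(named))
```

Run against real files, the diagnosis tells apart a resolver with no IPv6 route (every target is IPv6) from a genuine filtering or routing problem on IPv4; the Feb 8 warning in the sample has no named counterpart, which is the normal case when the forward lookup succeeds but simply does not contain the client address.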

The min-retry-time and max-retry-time options, described in the Tuning section of the named documentation (Tuning (v9.9) | Tuning (v9.8.2)), are worth knowing, but note what they do: as the quoted description says, they only clamp the SOA refresh and retry timers of slave and stub zones. They do not change how the recursive resolver retries failed lookups, so they do not address the "network unreachable" errors above. Those errors mean that named tried to reach the listed authoritative servers over IPv6 and the kernel had no route to them. The usual remedy is to give the host working IPv6 connectivity or, if it has none, to start named with the -4 option so that it uses IPv4 transport only (on Red Hat-style systems via OPTIONS="-4" in /etc/sysconfig/named).

min-refresh-time, max-refresh-time, min-retry-time, max-retry-time
These options control the server's behavior on refreshing a zone (querying for SOA changes) or retrying failed transfers. Usually the SOA values for the zone are used, but these values are set by the master, giving slave server administrators little control over their contents.

These options allow the administrator to set a minimum and maximum refresh and retry time either per-zone, per-view, or globally. These options are valid for slave and stub zones, and clamp the SOA refresh and retry times to the specified values.

Fragment of the file /etc/named/named.options.conf

//
// named.options.conf
//
options {
[...]
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named/named.iscdlv.key";

    /* The following defaults apply: min-retry-time 500 seconds, and max-retry-time 1209600 seconds (2 weeks). */
    // 2014-XX-XX
    //min-retry-time 5;
    //max-retry-time 10;
    // 2015-03-17 07:04
    //min-retry-time 3;
    //max-retry-time 9;
    // 2015-08-09
    min-retry-time 5;
    max-retry-time 15;
    /* resolver-query-timeout: The amount of time the resolver will spend attempting to resolve a recursive query before failing. */
    /* The default and minimum is 10 and the maximum is 30. Setting it to 0 will result in the default being used. */
    // named rejected the line below with: unknown option 'resolver-query-timeout:'
    // the trailing colon in the option name is the error; the statement is written without it,
    // and values outside 10..30 are clamped to that range, so the smallest usable setting is:
    // resolver-query-timeout 10;
    // resolver-query-timeout: 5;
    query-source 10.5.5.5;
    // a loopback source address cannot reach servers on the Internet, so this setting guarantees that
    // every IPv6 query to an Internet server fails; on a host without global IPv6 connectivity
    // start named with -4 instead
    query-source-v6 ::1;
};



#top TXT or SPF record longer than 255 characters


Useful information, especially when defining long TXT records for SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail), both of which can require TXT records with long values. RFC 7208, which obsoletes the RFC 4408 cited below, keeps the same rule (section 3.3).

Quote from the following page:
https://kb.isc.org/article/AA-00356/0/Can-I-have-a-TXT-or-SPF-record-longer-than-255-characters.html

You may have more than 255 characters of data in a TXT or SPF record, but not more than 255 characters in a single string.

If you attempt to create an SPF or TXT record with a long string (>255 characters) in it, BIND will give an error (e.g. "invalid rdata format: ran out of space".) Strings in SPF and TXT records should be no longer than 255 characters.
However to get around this limitation, per RFC 4408 a TXT or SPF record is allowed to contain multiple strings, which should be concatenated together by the reading application. In the case of use for SPF (using either TXT or SPF RRs) the strings are concatenated together without spaces as described below.
Reassembly by other applications of multiple strings stored in TXT records might work differently.

3.1.3. Multiple Strings in a Single DNS record

As defined in [RFC1035] sections 3.3.14 and 3.3, a single text DNS record (either TXT or SPF RR types) can be composed of more than one string. If a published record contains multiple strings, then the record MUST be treated as if those strings are concatenated together without adding spaces. For example:
    IN TXT "v=spf1 .... first" "second string..."

MUST be treated as equivalent to:
    IN TXT "v=spf1 .... firstsecond string..."

SPF or TXT records containing multiple strings are useful in constructing records that would exceed the 255-byte maximum length of a string within a single TXT or SPF RR record.
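
An added example (not from the ISC article or the original page) showing the rule in code: splitting a long SPF or DKIM value into quoted strings of at most 255 octets for a BIND zone file, and reassembling them the way an SPF verifier does. The SPF policy and the DKIM key value below are constructed placeholders, not records from any real zone.

```python
MAX_STRING = 255  # RFC 1035: each <character-string> in TXT rdata is at most 255 octets


def split_txt(value, limit=MAX_STRING):
    """Split TXT rdata into strings of at most `limit` octets.
    SPF and DKIM values are ASCII; refuse anything else so an octet split cannot cut a multibyte character."""
    if not 1 <= limit <= MAX_STRING:
        raise ValueError("limit must be between 1 and 255 octets")
    data = value.encode("ascii")
    if not data:
        return [""]
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def quote_string(s):
    """Master-file quoting: backslash and double quote must be escaped inside a quoted string."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def txt_record(owner, value, ttl=3600):
    """One zone-file line; BIND stores each quoted string as a separate <character-string>."""
    return f"{owner} {ttl} IN TXT " + " ".join(quote_string(s) for s in split_txt(value))


def join_txt(strings):
    """RFC 7208 section 3.3 (RFC 4408 section 3.1.3): the reader concatenates the strings without adding spaces."""
    return "".join(strings)


def check_strings(strings):
    """Return the first string longer than 255 octets (the condition BIND rejects with
    'ran out of space'), or None when the record would load."""
    for s in strings:
        if len(s.encode("ascii")) > MAX_STRING:
            return s
    return None


# constructed examples: an SPF policy listing many networks (documentation range 192.0.2.0/24),
# and a DKIM record whose p= value is a placeholder of the right shape, not a real key
SPF = "v=spf1 " + " ".join(f"ip4:192.0.2.{i}" for i in range(1, 40)) + " -all"
DKIM = "v=DKIM1; k=rsa; p=" + "A" * 392

if __name__ == "__main__":
    print(txt_record("example.com.", SPF))
    print(txt_record("selector._domainkey.example.com.", DKIM))
    print("reassembled identical:", join_txt(split_txt(SPF)) == SPF)
```

Because the reader concatenates without inserting anything, the split points can fall anywhere, including in the middle of an SPF mechanism or of a base64 key; what matters is only that no single string exceeds 255 octets and that the whole record stays within the DNS message limits.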



#top lame server resolving


One known cause of the following message in the logs:
lame server resolving
is an NS record in a zone that delegates the domain to a server which is expected to be authoritative for it but is not; a typical case is pointing the NS record at a caching-only DNS server. Silencing the lame-servers logging category, as in the quote below, only hides the message: if the lame delegation is in a zone you control, fix the NS records (or make that server authoritative for the zone) instead.

Quote from the following page:
http://www.linuxquestions.org/questions/linux-networking-3/caching-dns-server-error-lame-server-resolving-294136/

From the manual:
A DNS server which is supposed to be authoritative for a zone, but isn't.
If you see something like this:
Aug 7 00:57:37 colo named[827]: lame server resolving '98.96-27.40.119.62.in-addr.arpa' (in '96-27.40.119.62.in-addr.arpa'?): 62.119.40.115#53
in your BIND logs, then BIND has queried a lame server.
In this case, 62.119.40.115 is mentioned as being authoritative somewhere
for the zone 98.96-27.40.119.62.in-addr.arpa,
but when BIND queries it, it discovers that 62.119.40.115 is not authoritative,
and logs that message. The SysAdmin at the other end needs to get a clue and fix his DNS.



Problem is solved by disabling lame server logging in bind.
To do this, edit /etc/named.conf or /etc/named/named.conf and add following line

logging {
    category lame-servers { null; };
};
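
Before silencing the category it is worth knowing which delegations the messages point at. The Python below is an added example (not from the forum post or the original page) that aggregates lame server lines per zone and server and flags the zones that lie under zones you operate. The first sample line is the one quoted above; the other two are constructed and use documentation addresses, and the list of own zones is an assumed input.

```python
import re
from collections import defaultdict

# Constructed sample: the first line is the one quoted above, the next two are invented
# (198.51.100.0/24 and example.net are documentation values).
LAME_LOG = """\
Aug 7 00:57:37 colo named[827]: lame server resolving '98.96-27.40.119.62.in-addr.arpa' (in '96-27.40.119.62.in-addr.arpa'?): 62.119.40.115#53
Aug 7 00:58:02 colo named[827]: lame server resolving 'www.example.net' (in 'example.net'?): 198.51.100.7#53
Aug 7 01:03:19 colo named[827]: lame server resolving 'mail.example.net' (in 'example.net'?): 198.51.100.7#53
"""

LAME_RE = re.compile(
    r"lame server resolving '(?P<qname>[^']+)' \(in '(?P<zone>[^']+)'\?\): "
    r"(?P<server>[0-9A-Fa-f:.]+)#\d+"
)


def parse_lame(text):
    """Extract the queried name, the zone named believes the server should serve, and the server."""
    events = []
    for line in text.splitlines():
        m = LAME_RE.search(line)
        if m:
            events.append({"qname": m["qname"], "zone": m["zone"], "server": m["server"]})
    return events


def aggregate(events):
    """Count lame answers per (zone, server): one broken delegation shows up once, not once per query."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["zone"], ev["server"])] += 1
    return dict(counts)


def _norm(name):
    return name.lower().rstrip(".")


def own_lame_zones(events, own_zones):
    """Zones from the log that are, or lie under, a zone we are responsible for:
    those are ours to fix by correcting the NS records, not to silence."""
    own = [_norm(z) for z in own_zones]
    hits = set()
    for ev in events:
        z = _norm(ev["zone"])
        if any(z == o or z.endswith("." + o) for o in own):
            hits.add(ev["zone"])
    return sorted(hits)


if __name__ == "__main__":
    events = parse_lame(LAME_LOG)
    for (zone, server), n in sorted(aggregate(events).items()):
        print(f"{n:4d}  zone {zone}  lame server {server}")
    print("ours to fix:", own_lame_zones(events, ["example.net."]))  # assumed list of operated zones
```

Anything left in the aggregate after removing your own zones is somebody else's misconfiguration, and for those the null logging channel from the quote above is a reasonable choice.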



#top RFC 1918 response from Internet


The following messages appear in the named server log /var/log/named/named.log (or in /var/log/named/security-debug.log, depending on the logging configuration):

30-May-2016 09:21:19.256 security: warning: client 10.41.0.58#43554: view internal: RFC 1918 response from Internet for 1.0.169.10.in-addr.arpa
30-May-2016 09:29:33.448 security: warning: client 10.41.0.58#52754: view internal: RFC 1918 response from Internet for 1.0.16.172.in-addr.arpa
30-May-2016 09:32:58.094 security: warning: client 10.41.0.58#53205: view internal: RFC 1918 response from Internet for 1.0.168.192.in-addr.arpa

Read almost literally, the message RFC 1918 response from Internet means that a response was received from a DNS server on the Internet for a query about an address in one of the private networks defined in RFC 1918 (Address Allocation for Private Internets); the client shown in the message is the internal host whose reverse lookup triggered the query. RFC 1918 defines the private address space as follows:

3. Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Built-in Empty Zones (v9.9) | Built-in Empty Zones (v9.8.2)
Reverse lookups for private addresses should not be sent to DNS servers on the Internet; named should answer them itself. BIND does this with its built-in empty zones, which are enabled by default (empty-zones-enable yes), so the warning usually means that the automatic empty zones are not in effect for that view, for instance because the view uses forward only for those names (named then skips the empty zone) or because they were disabled. Note that disable-empty-zone takes the name of one built-in empty zone to switch off; "." is not one of them, so disable-empty-zone "." does nothing useful. With the internal view view "internal" defined in /etc/named/named.conf, the configuration looks as follows:
view "internal" {
        match-clients { localhost; 127.0.0.0/8; 10.5.5.0/28; 10.41.0.0/16; 10.0.0.0/16; };
        recursion yes;
        allow-recursion { localhost; 127.0.0.0/8; 10.5.5.0/28; 10.41.0.0/16; 10.0.0.0/16;  };
[...]
        empty-zones-enable yes;    // the default; listed here to make the intent explicit
        // disable-empty-zone ".";  // not needed: "." is not a built-in empty zone, so this line disables nothing
[...]
};


Alternatively, the internal view view "internal" in /etc/named/named.conf can declare the reverse zones for the RFC 1918 networks explicitly; this also works when the view forwards queries, because a zone configured as master is answered authoritatively regardless of forwarders. The list below also includes 254.169.in-addr.arpa, which covers the 169.254.0.0/16 link-local range (RFC 3927) rather than an RFC 1918 network; named's built-in empty zones include it as well. After adding the zone declarations the configuration looks as follows:
view "internal" {
        match-clients { localhost; 127.0.0.0/8; 10.5.5.0/28; 10.41.0.0/16; 10.0.0.0/16; };
        recursion yes;
        allow-recursion { localhost; 127.0.0.0/8; 10.5.5.0/28; 10.41.0.0/16; 10.0.0.0/16; };
[...]
        zone "10.in-addr.arpa"      { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "16.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "17.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "18.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "19.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "20.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "21.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "22.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "23.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "24.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "25.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "26.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "27.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "28.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "29.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "30.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "31.172.in-addr.arpa"  { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "168.192.in-addr.arpa" { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
        zone "254.169.in-addr.arpa" { type master; file "/etc/named/db/named.zero"; allow-update { none; }; };
[...]
};

The file /etc/named/db/named.zero, which backs every one of these zones, should contain only the SOA record and an NS record pointing at the server itself (no address or PTR records), so that every name below the apex is answered locally with NXDOMAIN, as shown below:
$TTL    86400
@               IN SOA localhost.    root.localhost. (
                                     42              ; serial (d. adams)
                                     3H              ; refresh
                                     15M             ; retry
                                     1W              ; expiry
                                     1D )            ; minimum
        IN      NS     localhost.
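
As an added example (not from the original page or the BIND documentation), the Python below maps the names in such warnings to the built-in empty zone that should have answered them and emits the corresponding explicit zone statements in the form used above. The covered ranges are the IPv4 private and link-local reverse zones declared in the view above; the three sample log lines are the ones quoted at the start of this section.

```python
import ipaddress
import re

# The IPv4 ranges behind the reverse zones declared above: RFC 1918 private space plus the
# RFC 3927 link-local range, all of which BIND's built-in empty zones cover.
EMPTY_ZONE_NETS = (
    [ipaddress.ip_network("10.0.0.0/8")]
    + [ipaddress.ip_network(f"172.{i}.0.0/16") for i in range(16, 32)]
    + [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("169.254.0.0/16")]
)


def reverse_zone_name(net):
    """10.0.0.0/8 -> 10.in-addr.arpa, 172.16.0.0/16 -> 16.172.in-addr.arpa"""
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_name_to_network(name):
    """1.0.169.10.in-addr.arpa -> 10.169.0.1/32; a partial name becomes the matching prefix."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) > 6:
        raise ValueError(f"not an IPv4 reverse name: {name}")
    octets = list(reversed(labels[:-2]))
    prefixlen = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + f"/{prefixlen}")


def covering_empty_zone(name):
    """Name of the built-in empty zone that should answer `name` locally, or None when the
    address is public and the query legitimately goes to the Internet."""
    net = reverse_name_to_network(name)
    for zone_net in EMPTY_ZONE_NETS:
        if net.subnet_of(zone_net):
            return reverse_zone_name(zone_net)
    return None


WARN_RE = re.compile(r"RFC 1918 response from Internet for (?P<name>\S+)")


def zones_missing(log_text):
    """Empty zones that are evidently not in effect, one per distinct warned-about range."""
    zones = set()
    for m in WARN_RE.finditer(log_text):
        zone = covering_empty_zone(m["name"])
        if zone:
            zones.add(zone)
    return sorted(zones)


def zone_statements(zones, zone_file="/etc/named/db/named.zero"):
    """Explicit declarations in the form used in the view above."""
    return [
        f'zone "{z}" {{ type master; file "{zone_file}"; allow-update {{ none; }}; }};'
        for z in zones
    ]


# constructed sample: the three warnings quoted at the start of this section
LOG = """\
30-May-2016 09:21:19.256 security: warning: client 10.41.0.58#43554: view internal: RFC 1918 response from Internet for 1.0.169.10.in-addr.arpa
30-May-2016 09:29:33.448 security: warning: client 10.41.0.58#52754: view internal: RFC 1918 response from Internet for 1.0.16.172.in-addr.arpa
30-May-2016 09:32:58.094 security: warning: client 10.41.0.58#53205: view internal: RFC 1918 response from Internet for 1.0.168.192.in-addr.arpa
"""

if __name__ == "__main__":
    for line in zone_statements(zones_missing(LOG)):
        print(line)
```

Running it over the real log lists only the ranges that actually leaked, which is a quick way to confirm that the explicit declarations above cover every range the internal clients ask about; a complete set for the view is zone_statements(map(reverse_zone_name, EMPTY_ZONE_NETS)).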




Last modified: 2016/05/31 12:27:27
