Post by Jeffrey Iskandar Ahmad:
> I have 2 BIND servers running behind a local director sharing the same
> external IP. The reason for using the local director is to load balance and
> failover. Both servers have the same named.conf entries. I'm adding one
> dnscache to the group. When I put the server in that group, the "TCP reset
> reassigns" counter keeps increasing in the local director status. At a
> certain limit or threshold it will consider the server as failed and
> stop routing packets to that server. After a 1 minute retry it will put
> the server back in service, because the server is always up; only the
> TCP resets keep increasing after a few thousand connections. I
> have tried closing TCP connections at the firewall going to dnscache, but
> still the same.
Does the localdirector check for service availability? To me this looks
like the dnscache gets hit by requests and the localdirector throws it
out of service after probing service availability.
_this is just a wild guess_
What does the log of the localdirector say?
Post by Jeffrey Iskandar Ahmad:
> Does this problem happen because I group the master and dnscache
> together?
Separating _content servers_ and _recursive resolvers_ is always a Good
Thing[tm]. Give it a try and put dnscache into a separate group. Also,
try to turn off "DNS service availability" checks; I suspect the
localdirector requests 'version bind' or the SOA of 'localhost.', which
might have introduced the breakage.
Post by Jeffrey Iskandar Ahmad:
> Here is what I get from the log file when I grep for tcp, and I don't know
> what this is.
>
> 2002-04-19 17:33:14.482326500 query 3280 202.174.129.5:4421:1401 6 _ldap._tcp.default-first-site-name._sites.dc._msdcs.wtp.com.my.
> 2002-04-19 17:33:15.978344500 query 3335 202.174.129.5:4422:1402 6 _tcp.default-first-site-name._sites.dc._msdcs.wtp.com.my.
> 2002-04-19 17:33:17.403269500 query 3352 192.168.18.3:2854:1116 6 _kerberos._tcp.irora.com.
These definitely are Microsoft boxes, trying to resolve their magic
service names over DNS. This has not really to do with RFCs, it's a
"vendor specific feature" (e.g. a bug, because M$ couldn't come up for
years with a working cross-subnet browsing method for their "CIFS"/"UNC"
"standard" based networking implementation. NetBIOS over IP is merely
an attempt to run their proprietary protocol over TCP/IP).
Post by Jeffrey Iskandar Ahmad:
> I'm thinking of blocking TCP, but RFC 1123 says that resolvers ``MUST
> support UDP, and should support TCP.''
Yeah, but when it comes to Microsoft, you won't expect them to stick to
RFCs, do you? RFCs also state that "_" SHOULD NOT be used in DNS names,
but you see what they do :-/
- put the recursive resolver (dnscache) into a separate group on the LD
- turn off any checks for service availability on the LD
- look into the logs of the localdirector
- do not grep for tcp in dnscache, but for non-answered queries
- look into dnscache's root/ip directory and check if you actually allow
  your clients _and_ the local director to query the cache
- supply us the _complete_ non-modified output of
  - grep -r ^ /service/dnscache (or wherever it lives)
  - localdirector log
  - output of "uname -a" of your host(s)
  - version of djbdns that you use and whether you installed it from source
    or as a binary
These are just some ideas based on guesswork. Feel free to flame me for
that. I haven't had my hands on a localobfuscator^Wlocaldirector for
years ;-)
regards,
/k
--
Post by Jeffrey Iskandar Ahmad:
> Experience is a teacher that gives the examination first and the
> lesson afterwards.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
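The reply above suggests grepping the dnscache log for non-answered queries rather than for "tcp". As an added example (not from the original post or from djbdns), here is a small parser for that: it reads log lines in the format shown in the post, pairs each "query <serial> ..." line with dnscache's "sent <serial> <len>" or "drop <serial> <reason>" completion line, reports the serials that never completed, and decodes the hex query type so that the "6" in those lines reads as SOA. The sample log lines are constructed; only the first query's name and client are taken from the post.

```python
import re
from collections import OrderedDict

# dnscache logs the query type as a hex number; a few common ones decoded.
QTYPES = {"1": "A", "2": "NS", "6": "SOA", "c": "PTR", "f": "MX",
          "10": "TXT", "1c": "AAAA", "21": "SRV"}

# Constructed sample: tai64nlocal-style timestamps, then dnscache's fields.
# Serial 3280 is answered ("sent"), 3352 is dropped, 3335 never completes.
SAMPLE_LOG = """\
2002-04-19 17:33:14.482326500 query 3280 202.174.129.5:4421:1401 6 _ldap._tcp.default-first-site-name._sites.dc._msdcs.wtp.com.my.
2002-04-19 17:33:14.490000000 sent 3280 113
2002-04-19 17:33:15.978344500 query 3335 202.174.129.5:4422:1402 6 _tcp.default-first-site-name._sites.dc._msdcs.wtp.com.my.
2002-04-19 17:33:17.403269500 query 3352 192.168.18.3:2854:1116 21 _kerberos._tcp.example.test.
2002-04-19 17:33:17.410000000 drop 3352 timed out
"""

# query <serial> <client>:<port>:<id> <hex type> <name>
QUERY_RE = re.compile(r"query (\d+) ([\d.]+):\d+:\d+ ([0-9a-f]+) (\S+)")
# sent <serial> <len>  /  drop <serial> <reason>
DONE_RE = re.compile(r"(sent|drop) (\d+)")


def find_unanswered(log_text):
    """Return {serial: (client_ip, qtype_name, qname)} for queries that
    never got a matching sent/drop record in the log."""
    pending = OrderedDict()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            serial, client, qtype, qname = m.groups()
            pending[serial] = (client, QTYPES.get(qtype, "TYPE0x" + qtype), qname)
            continue
        m = DONE_RE.search(line)
        if m:
            pending.pop(m.group(2), None)   # completed one way or the other
    return dict(pending)


def underscore_queries(log_text):
    """Names containing an underscore label (the _ldap/_kerberos/_msdcs
    style lookups that Windows hosts send), regardless of outcome."""
    return [m.group(4) for m in map(QUERY_RE.search, log_text.splitlines())
            if m and "_" in m.group(4)]


if __name__ == "__main__":
    for serial, (client, qtype, qname) in find_unanswered(SAMPLE_LOG).items():
        print("unanswered serial %s from %s: %s %s" % (serial, client, qtype, qname))
```

Run it against the real log with `find_unanswered(open("/service/dnscache/log/main/current").read())` after piping through tai64nlocal; a pile of unanswered serials from one client is the thing worth correlating with the localdirector's reset counter.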