Re: Some services on my edge box slow to reply
From: clvrmnky (clvrmnky-uunet_at_coldmail.com.invalid)
Date: 09/22/04
- Next message: Dave Uhring: "Re: Some services on my edge box slow to reply"
- Previous message: Ben: "Re: FTP problem with pf"
- In reply to: Dave Uhring: "Re: Some services on my edge box slow to reply"
- Next in thread: Dave Uhring: "Re: Some services on my edge box slow to reply"
- Reply: Dave Uhring: "Re: Some services on my edge box slow to reply"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 22 Sep 2004 13:53:29 -0400
On 21/09/2004 8:42 PM, Dave Uhring wrote:
> On Tue, 21 Sep 2004 19:44:29 -0400, clvrmnky wrote:
>
>>I'm patched up to the limit for 3.1. I just checked the diffs in patch
>>19, and my source tree matches. I recall rebuilding named at some point.
>
> That should have fixed that bug in your named, but after a year of no
> patches have there been more bugs? Recall that OpenBSD went to BIND-9
> because BIND-4 was simply too full of bugs.
>
Yes, I know. I got out of sync with releases after 3.1, and the change
to ELF made upgrading more of a challenge. I decided to reinstall from
scratch, but there are a lot of configs I have to save. Hence, I
decided to install 3.5 on a parallel box, and move things over a bit at
a time. I'm going to be running 3.5 as soon as my memory arrives.
>>True, but I've never had to care before. Obviously *something* outside
>>my realm of control has changed such that missed lookups are now taking
>>about 10x longer. This is completely new behaviour that I've never seen
>>in several years. I'm totally bewildered why some services would fail
>>*now*. Today. Some time since about 11PM last night.
>
> You have always needed reverse lookups when using ssh to connect to that
> server whether they were provided by dns or /etc/hosts, unless you were
> willing to tolerate the delays.
>
Sounds reasonable. The delays, such as they are, have been less than a
second (or, at least unnoticeable) until yesterday.
>>I've been wracking my brains trying to remember if I tweaked anything.
>>I haven't. Nothing was changed, and that gives me some concern.
>
> It's possible that your sshd was compromised. I permit ssh from only
> selected hosts and networks and close it to the rest of the Internet.
>
Me too (well, I restrict on UID only; many of my users are highly
mobile). I don't think I've been compromised; I do run "forum" software
that may have had a hole that could leak its own passwords. I fixed it
today, but if I had a forum user who also had an account on this box,
and had the same login/password...
I've fixed this now, and it does not look like any such accounts were
compromised. At least, none of the allowable users.
N.B.: Can anyone lurking here send me the output from `cksum
/usr/sbin/sshd` if they are running "sshd version OpenSSH_3.8, OpenSSL
0.9.6b [engine] 9 Jul 2001"?
>>I have the localhost.rev file referenced in named.boot, but I'm not
>>acting as a primary nameserver right now. I know this is not strictly
>>correct, but it's all worked for years now. I've been meaning to be the
>> primary DNS for internal hosts for some time (in fact, I have a
>>mydomain.rev file made, but commented out in the named.boot), but an
>>ultra-simple caching nameserver was good enough. I mean, lookups should
>>fail in some reasonable manner, and have done so until now.
>
> With no domain.rev zone file and with /etc/hosts not being populated on
> martini your server has no way of doing reverse lookups.
>
Yes, another look at my TCP/IP book and some hard thinking makes this
obvious. I have no idea why things have worked until yesterday. Best
just fix it.
>>Of course, since the worst thing ('til now) that would happen is that
>>badly formed FQDNs would end up resolving back to my own IP address,
>>occasionally puzzling internal users.
>
> No. They would simply receive an error notice.
>
Given that I just setup a caching named and walked away, I must have
left something broken. At any rate, bogus FQDNs often end up pointing
at my own IP address. Come to think of it, I think it's because
something like "bogus.bogus-domain.tld" seems to eventually be tried as
"bogus.bogus-domain.tld.mydomain.org". Maybe it's the resolver.
I'm guessing this is one of my problems.
>>I am running DHCP. I have no idea what DDNS is. Dynamic DNS? DNS for
>>internal nodes only? I'll drop you a line, I guess. It's not like I
>>turned on DHCP and got this problem. I've been running it for years.
>>Up to now, there have been 0 problems opening a web browser and typing in
>>the static IP address that is the default httpd instance from a host
>>that happens to have 10.0.0.10. Same for any of the server aliases I have.
>
> But doing those things does not require a reverse lookup and sshd does do
> a reverse lookup.
>
This is why I'm so puzzled! The problem with sshd is minimal. There is
a config for that. I'm specifically talking about httpd in this case.
Some virtual sites will not load up in less than a minute with any HTTP
client unless my DHCP supplied IPs have actual hostnames. This has
never been the case before. If it was just sshd, I wouldn't care. The
problem manifested itself out of nowhere, and affected httpd and imapd
as well.
> A 486DX2/16MB system is adequate but P75/32MB is a bit faster. Since I
> had an excess K5/166 CPU I replaced the P75 in an HP Vectra with it and
> because of the mis-matched multipliers wound up with a CPU running at
> 116MHz. There are 9 hosts on my home network using that DNS server and a
> D-Link wireless router and at times some Windoze notebooks using the DHCP
> server.
>
>>Mostly, I just want to bring my monthly kilowatt-hours down, so I got a
>>VIA mainboard to play with.
>
> A sensible consideration. I turned off my AlphaServer 4100 because it was
> costing me an additional $50/month to run it.
>
Only about $10-15 for me, but still significant. I'd love to offload my
services to a spare dual PII-400 box I have, maybe even with another IP
address on a DMZ, but the cost of running this for such a small amount
of users (I host for a few friends) is prohibitive. One day I'll get
another VIA board, and turn the edge box into a dedicated, locked-down
router/firewall only.
I'd love to help test out SMP OpenBSD, too. Oh Well. I guess I can do
it at work, but only on SPARC.
Thanks for all your assistance. Let me re-read my O'Reilly book and a
nice ref I found on the 'net
(http://www.tongatapu.net.to/nix/OpenBSD/dns.htm) so I can get proper
reverse lookups working. Once I know what the hell I'm trying to do,
I'll drop you a line. I'm really not as lame as I sound; setting up
BIND has always been where I'm weakest. It just never sticks in my brain.
Good practice for the new box I'm building.
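Two things in the exchange above are worth seeing mechanically: why a bogus name like "bogus.bogus-domain.tld" can end up being tried as "bogus.bogus-domain.tld.mydomain.org" and answer with the edge box's own address, and why a PTR lookup for a 10.0.0.x client with no locally served reverse zone stalls instead of failing quickly. The toy stub resolver below is an added example written for this page; it is not code from the thread or from OpenBSD/BIND and sends no real DNS traffic. Everything in it is constructed: the "mydomain.org" forward zone with a wildcard record (an assumption standing in for whatever catch-all makes bad names land on the poster's IP; the thread never identifies the record), the empty 10.in-addr.arpa data, and the timeout/attempt constants (assumed values, not any OS's resolv.conf defaults).

```python
"""Toy model of a stub resolver's search list and of reverse-lookup latency.
Added example with constructed data; no network access, no real DNS."""
import ipaddress

# Constructed forward zone. The wildcard "*.mydomain.org." is an ASSUMPTION:
# it plays the role of the catch-all that returns the box's own address.
FORWARD_ZONE = {
    "mydomain.org.": "192.0.2.1",
    "gw.mydomain.org.": "192.0.2.1",
    "*.mydomain.org.": "192.0.2.1",
}
# Constructed PTR data for 10.in-addr.arpa: deliberately empty, as in the thread.
REVERSE_ZONE = {}

# ASSUMED timing model: an unanswered upstream query costs timeout x attempts.
UPSTREAM_TIMEOUT_S = 5.0
UPSTREAM_ATTEMPTS = 4


def search_candidates(name, search_list, ndots=1):
    """Names a res_search-style resolver tries for 'name', in order.
    A trailing dot means absolute (no search). Otherwise a name with at
    least 'ndots' dots is tried as-is first and the search suffixes only
    after that fails; a short name gets the suffixes first."""
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{d.rstrip('.')}." for d in search_list]
    absolute = name + "."
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


def lookup_forward(fqdn, zone=FORWARD_ZONE):
    """Exact match first, then the closest enclosing wildcard (*.parent.).
    Returns the address or None (NXDOMAIN)."""
    if fqdn in zone:
        return zone[fqdn]
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in zone:
            return zone[wildcard]
    return None


def resolve(name, search_list=("mydomain.org",), zone=FORWARD_ZONE, ndots=1):
    """Walk the search candidates; return (answer_or_None, names_tried)."""
    tried = []
    for cand in search_candidates(name, search_list, ndots):
        tried.append(cand)
        ans = lookup_forward(cand, zone)
        if ans is not None:
            return ans, tried
    return None, tried


def reverse_lookup(ip, served_reverse_zones, ptr_zone=None, upstream_rtt_s=None):
    """Model a PTR lookup. If this server is authoritative for the enclosing
    in-addr.arpa zone it answers at once (a PTR or an immediate NXDOMAIN).
    Otherwise the query is forwarded: an upstream that answers costs one RTT
    (it has no PTR for private space anyway); one that never answers burns
    the whole timeout x attempts budget. Returns (hostname_or_None, seconds)."""
    if ptr_zone is None:
        ptr_zone = REVERSE_ZONE
    qname = ipaddress.ip_address(ip).reverse_pointer + "."
    for z in served_reverse_zones:
        if qname == z or qname.endswith("." + z):
            return ptr_zone.get(qname), 0.0
    if upstream_rtt_s is not None:
        return None, upstream_rtt_s
    return None, UPSTREAM_TIMEOUT_S * UPSTREAM_ATTEMPTS


if __name__ == "__main__":
    # Bogus FQDN falls through to the search suffix and hits the wildcard.
    print(resolve("bogus.bogus-domain.tld"))
    # Same name with no wildcard in the zone: a plain error, as Dave says.
    print(resolve("bogus.bogus-domain.tld", zone={"gw.mydomain.org.": "192.0.2.1"}))
    # PTR for a DHCP client: unserved reverse zone vs. an empty local one.
    print(reverse_lookup("10.0.0.10", served_reverse_zones=()))
    print(reverse_lookup("10.0.0.10", served_reverse_zones=("10.in-addr.arpa.",)))
```

The point of the last two calls is the fix the thread arrives at: serving even an empty 10.in-addr.arpa zone locally turns every PTR miss for a DHCP client into an instant NXDOMAIN, so sshd, httpd (with hostname lookups on) and imapd stop waiting on an answer that can never come. Deleting the wildcard, or using a search list that does not append the local domain to names that already contain dots, removes the second symptom.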