Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Has anyone seen this error before?

Posted on 2014-10-23
16
Medium Priority
?
539 Views
Last Modified: 2014-10-24
I am getting several different errors in my daily logging that I would like to solve.   These are coming from my cache DNS servers:


dispatch: warning: dispatch 0x7fbcc820ef80: open_socket(0.0.0.0#1935) -> permission denied: continuing: 25 Time(s)

rate-limit: info: continue limiting responses to 162.17.148.0/24: 10 Time(s)

rate-limit: info: stop limiting error responses to 184.175.185.0/24: 10 Time(s)

These are some examples.

Thanks,
0
Comment
Question by:marchopkins
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 4
  • 3
16 Comments
 
LVL 7

Expert Comment

by:Stampel
ID: 40399528
No real problem, bind will continue with another port.
You can try to fix it by fixing port range in your /etc/named.conf as follows :

use-v4-udp-ports {range 32768 65535;};
0
 

Author Comment

by:marchopkins
ID: 40399681
does this address the dispatch warning or the rate-limit issue?

Thanks
0
 

Author Comment

by:marchopkins
ID: 40399683
Also, why those particular ports??

Thanks again.
0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 

Author Comment

by:marchopkins
ID: 40399692
I'm assuming that it would be inserted in this section of named.conf  or would it need to omit an entry in favor of this one?

options {
        listen-on port 53 { any; };
        #listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; "g4internal"; "g4external"; };
        #allow-query { any; };
        recursion yes;

        #Test Response Rate Limiting
        rate-limit {
                responses-per-second 5;
                window 5;
        };

        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        blackhole {
        #put in any networks that don't belong
                "iana-reserved";
        };
};
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40399700
Yes it does address this particular issue by fixing port range above most common used ports.
It just specify the use of Ephemeral port. See http://en.wikipedia.org/wiki/Ephemeral_port
"Many Linux kernels use the port range 32768 to 61000"
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40399727
Just Inside  your options { } section

options {
...
use-v4-udp-ports {range 32768 65535;};
...

}
0
 

Author Comment

by:marchopkins
ID: 40399807
Thanks I'll give it a try and report back tomorrow after the log output
0
 
LVL 62

Expert Comment

by:gheist
ID: 40400672
dispatch error is harmless
other error means that other IP requested same record over your rate limit. Your rate limit is little paranoid. 5 requests in 5 seconds can be simple retries. 10 requests in 10 seconds is likely to eliminate most of log entries.
First is unavoidable, so dont log it. Second - maybe helps diagnostics, so leave it

http://www.zytrax.com/books/dns/ch7/logging.html

Why do you load DNSSEC keys and then kill off DNSSEC validation? It is like 15 years old and works fine for 20% of internet.
0
 

Author Comment

by:marchopkins
ID: 40401955
Thanks gheist.  I see where that might help, yes.  Here is the change.  

 #Test Response Rate Limiting
        rate-limit {
                responses-per-second 10;
                window 10;
        };
I will follow the link to understand how to eliminate that log for dispatch.    I don't understand your comment "Why do you load DNSSEC keys and then kill off DNSSEC validation? It is like 15 years old and works fine for 20% of internet. "   I did not set that piece up and have no idea what it does.  

Stampel:  The same logs showed up today even after I edited port range in /etc/named.conf
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40401986
Did you restart the bind daemon ?
Can you replace the config line with :
query-source port 53;

(you can keep listen-on port 53 { any; };)
0
 

Author Comment

by:marchopkins
ID: 40402011
Yes, i have done that.
0
 
LVL 62

Accepted Solution

by:
gheist earned 2000 total points
ID: 40402079
Default port range is 1024-65535, reducing it will not help at all.
And it even clashes with itself. As I said that log record is harmless and you can just stop logging it.

btw i dont see bind logging configuration in your named.conf
add there in log section category dispatch {null;};

Log rate limiting is also safe to ignore.
Why dont you use suggested default values with it?
https://kb.isc.org/article/AA-00994/0

Just enable DNSSEC, named CPU usage will rise from 0.1% to 0.2%
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
0
 

Author Comment

by:marchopkins
ID: 40402089
I will give that a try and post the results in a bit...thank you.
0
 

Author Comment

by:marchopkins
ID: 40402099
All set with all of these suggestions
0
 

Author Closing Comment

by:marchopkins
ID: 40402111
Thanks for the suggestions.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40402119
named-checkconf -z ;)
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In my business, I use the LTS (Long Term Support) versions of Linux. My workstations do real work, and so I rarely have the patience to deal with silly problems caused by an upgraded kernel that had experimental software on it to begin with from a r…
One of the most often confused topics in the area DNS is the idea of GLUE records. Specifically, what they are, when they are needed, when they are provided, and how they are created. First, WHAT IS GLUE? To understand GLUE, you must first under…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question