Michael McNamara https://blog.michaelfmcnamara.com technology, networking, virtualization and IP telephony Sat, 30 Oct 2021 14:51:57 +0000

ISC BIND 9.10.2-P3 Forwarding Caching Only Nameserver
https://blog.michaelfmcnamara.com/2015/08/isc-bind-9-10-2-p3-forwarding-caching-only-nameserver/
Mon, 03 Aug 2015 12:00:16 +0000

I recently had to migrate a large DNS environment from about 23 Microsoft Domain Controllers to Infoblox DNS. I could have just deleted all the zones and set the forwarding on the Microsoft DNS servers, but I wanted to leave the Microsoft DNS configuration and data in place to provide a quick backout option in the unlikely event that it was needed (it was needed, but the second time around using the named.conf file below was the charm).

I ended up deploying ISC BIND 9.10.2-P3 across a mix of Windows 2003 and Windows 2008 domain controller servers, some 32-bit and some 64-bit.

As I alluded to above, I originally had issues running BIND: after only a few hours of running the service I would get error messages such as the following, and clients would fail to get name resolution.

27-Jul-2015 19:15:04.575 general: error: ..\client.c:2108: unexpected error:
27-Jul-2015 19:15:04.575 general: error: failed to get request's destination: failure
27-Jul-2015 19:15:04.981 general: error: ..\client.c:2108: unexpected error:
27-Jul-2015 19:15:04.981 general: error: failed to get request's destination: failure
27-Jul-2015 19:15:20.971 general: error: ..\client.c:2108: unexpected error:
27-Jul-2015 19:15:20.971 general: error: failed to get request's destination: failure

There were also a few other errors that appeared to be related to the anti-DDoS mechanisms built into BIND:

27-Jul-2015 19:50:02.369 resolver: notice: clients-per-query increased to 15

So I went back and recrafted the named.conf file and came up with the following, which seems to be working well for me now, almost 5 days after the Infoblox DNS migration.

You’ll notice that I commented out the localhost zone and the 127.0.0.1 reverse zone as well. I didn’t think that BIND would run without them, but sure enough it does. I also enabled query logging so I could see what type of abuse the DNS servers were getting. I found a couple of servers that were querying more than 40,000 times a minute for a management platform that had been retired more than 5 years ago.

options {
  directory "c:\program files\isc bind 9\bin";
 
  // here are the servers we'll send all our queries to
  forwarders {10.1.1.1; 10.2.2.2;};
  forward only;

  auth-nxdomain no;

  // need to include allow-query at a minimum
  allow-recursion { "any"; };
  allow-query { "any"; };
  allow-transfer { "none"; };

  // let's leave IPv6 off for now, less to worry about
  listen-on-v6 { "none"; };

  // standard stuff
  version none;
  minimal-responses yes;
 
  // cache positive and negative results for only 5 minutes
  max-cache-ttl 300;
  max-ncache-ttl 300;

  // disable DDoS mechanisms in BIND
  clients-per-query 0;
  max-clients-per-query 0;

};

logging {
  channel example_log {
    file "C:\program files\isc bind 9\log\named.log" versions 3 size 250k;
    severity info;
    print-severity yes;
    print-time yes;
    print-category yes;
  };

  channel queries_file {
    file "c:\program files\isc bind 9\log\queries.log" versions 10 size 10m;
    severity dynamic;
    print-time yes;
  };

  category default { example_log; };
  category queries { queries_file; };

};

//zone "localhost" in{
//  type master;
//  file "pri.localhost";
//  allow-update{none;};
//};

//zone "0.0.127.in-addr.arpa" in{
//  type master;
//  file "localhost.rev";
//  allow-update{none;};
//};
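The query logging enabled above is only useful if someone actually reads queries.log. As an added example (not from the original post), here is a small Python script that parses BIND 9.10-style query log lines as the queries_file channel writes them (print-time yes, no category or severity prefix) and flags clients that exceed a per-minute query threshold, the kind of check that would have surfaced the servers hammering the retired management platform. The log line layout is assumed from BIND 9.10 documentation, and the sample lines, client addresses and names are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed BIND 9.10 query-log layout for a channel with print-time yes only:
# "<date> <time> client <ip>#<port> (<qname>): query: <name> <class> <type> <flags> (<server-ip>)"
# Newer BIND versions insert a "@0x..." client pointer after "client"; the regex tolerates it.
QUERY_RE = re.compile(
    r"^(?P<date>\d{2}-[A-Za-z]{3}-\d{4}) (?P<minute>\d{2}:\d{2}):\d{2}\.\d+ "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)

# Constructed sample log: one client (10.1.5.20) polls a retired host 12 times in a
# single minute, two clients behave normally, and one non-query line must be ignored.
SAMPLE_LOG = [
    "27-Jul-2015 19:20:%02d.%03d client 10.1.5.20#%d (nms.retired.example.com): "
    "query: nms.retired.example.com IN A + (10.1.1.50)" % (i % 60, (i * 7) % 1000, 40000 + i)
    for i in range(12)
] + [
    "27-Jul-2015 19:20:10.100 client 10.1.7.8#51234 (www.example.com): query: www.example.com IN A + (10.1.1.50)",
    "27-Jul-2015 19:21:02.300 client 10.1.7.9#51235 (mail.example.com): query: mail.example.com IN MX + (10.1.1.50)",
    "27-Jul-2015 19:50:02.369 resolver: notice: clients-per-query increased to 15",
]

def parse_query_line(line):
    """Return (minute_key, client_ip, qname, qtype), or None if the line is not a query record."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    return (m.group("date") + " " + m.group("minute"), m.group("ip"), m.group("name"), m.group("qtype"))

def noisy_clients(lines, threshold):
    """Map client IP -> (minute, count, most-queried name) for clients whose query
    count in any single minute exceeds `threshold`; the busiest minute is kept."""
    per_minute = Counter()            # (ip, minute) -> query count
    names = defaultdict(Counter)      # ip -> Counter of queried names
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        minute, ip, name, _qtype = parsed
        per_minute[(ip, minute)] += 1
        names[ip][name] += 1
    flagged = {}
    for (ip, minute), count in per_minute.items():
        if count > threshold and count > flagged.get(ip, ("", 0, ""))[1]:
            flagged[ip] = (minute, count, names[ip].most_common(1)[0][0])
    return flagged

if __name__ == "__main__":
    for ip, (minute, count, name) in sorted(noisy_clients(SAMPLE_LOG, threshold=10).items()):
        print("%s sent %d queries in minute %s, mostly for %s" % (ip, count, minute, name))
```

For a real queries.log, pass the file's lines instead of SAMPLE_LOG and set the threshold to whatever is abnormal for your site (the post's 40,000 per minute is far above any sane client).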

I set up my first nameserver running BIND 4.x back in 1995, more than 20 years ago, while working at Manhattan College. While I'm pretty familiar with BIND, a lot has changed since then, and so I had to do a fair bit of research to arrive at the configuration above.

Hopefully someone else will find it helpful.

Cheers!

Windows Server Team – Microsoft Patch KB3002657
https://blog.michaelfmcnamara.com/2015/03/windows-server-team-microsoft-patch-kb3002657/
Sun, 29 Mar 2015 23:38:46 +0000

I recently took on the responsibility of managing and re-building the Windows Server team. Thanks to Microsoft Security Patch KB3002657, last week was a true adventure in both patch management and change control. It was discovered that several Windows Domain Controllers were missing some critical security patches, so it was decided, rather haphazardly, to patch those Domain Controllers immediately. You can guess the chaos that shortly ensued afterwards. The catch – the issue wasn’t with the Domain Controllers that needed to be patched but rather with a legacy Windows 2003 Domain Controller (older physical box) that was left to authenticate requests while the other Domain Controllers rebooted. Unknowingly, KB3002657 had been applied to this legacy Windows 2003 Domain Controller automatically by WSUS on the prior Thursday, but no issues had been detected at that time because the other Domain Controllers in the Site had been authenticating requests for Microsoft Outlook MAC Clients, IIS and SharePoint. We originally suspected the Domain Controllers that had just been patched but quickly ruled them out and were able to determine which Domain Controller was failing to properly authenticate NTLM requests.

It doesn’t help that Windows 2003 Server is End of Support on July 15, 2015.

Cheers!

References:

https://technet.microsoft.com/en-us/library/security/ms15-027.aspx
http://blogs.technet.com/b/rmilne/archive/2015/03/17/update-015_2d00_027-revised-_2800_3002657_2900_.aspx
http://www.infoworld.com/article/2897814/operating-systems/server-2003-admins-beware-microsoft-re-issues-botched-netlogon-patch-kb-3002657.html

Nortel IP Softphone 2050 Licensing Server
https://blog.michaelfmcnamara.com/2009/04/nortel-ip-softphone-2050-licensing-server/
Mon, 06 Apr 2009 03:00:28 +0000

We recently started deploying the Nortel IP 2050 Softphone v3.x for our work-from-home Contact Center agent pilot. With software release v3.x or higher you need a licensing server somewhere in your network. That means that yes, you need to purchase licenses for all your concurrent 2050 users. It’s my understanding that Nortel has licensed various technologies in the 2050 that required it to deploy a licensing server as set forth in the licensing agreements with the various third parties.

We chose to deploy the Nortel IP Softphone 2050 Licensing Server on the same server where we already had the Nortel Enterprise Management System (NMS) application and the Nortel Enterprise Switch Manager (ESM) application installed.

If you’re testing out the solution there’s no need to worry about needing a licensing server on day one, as each installation of the 2050 comes with a 30 day demo/evaluation license.

After you have installed the License Server you’ll need to replace the file “counted.lic” in C:\Program Files\Nortel\IP Softphone 2050 Licensing Server (or wherever you’ve installed the software) with the license file you received from your reseller.

You can issue “lmstat -a” from the installation directory and it will output the number of total licenses installed and the number of available licenses. When you add licenses you just need to replace the file “counted.lic” and then restart the “Nortel IP Softphone 2050 Licensing Server Service” service.

Cheers!
