So if this is done, is edns configured also?

in resolv.conf add:
options edns0

and, in named.conf test these.

        // The forwarded zone to the AD-DC DNS use these also.
        //dnssec-must-be-secure internal.domain.tld no;
        //dnssec-must-be-secure 168.192.in-addr.arpa no;

        // listen-on-v6 { ::1; };  // test what works best, if not all ipv6 is disabled also enable this one. just the response.
        listen-on-v6 { "none"; };

        listen-on port 53 { 127.0.0.1; 192.168.xxx.xxx; };
        version "Go Away 0.0.7"; // change bind version

        allow-query { "thisserverip"; 127.0.0.1; ::1; "mynetworks"; };
        allow-query-cache { "thisserverip"; 127.0.0.1; ::1; "mynetworks"; };
        // make sure bind does not eat all the ram
        max-cache-size 32M;

From: Eben Victor [mailto:eben.victor at gmail.com]
Sent: Friday 28 February 2020 12:10
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba Bind DLZ Slow queries
Thanks Louis, FW configured as below
53/tcp 88/tcp 135/tcp 139/tcp 389/tcp 445/tcp 464/tcp 636/tcp 3268/tcp 3269/tcp
49152-65535/tcp 123/udp 53/udp 88/udp 137/udp 138/udp 389/udp 464/udp 22/tcp
On Fri, Feb 28, 2020 at 12:36 PM L.P.H. van Belle via samba <samba at
lists.samba.org> wrote:
Ow and i forgot..
If the server is firewalled, make sure you allow udp AND tcp on port 53.
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Friday 28 February 2020 10:39
> To: sambalist
> Subject: Re: [Samba] Samba Bind DLZ Slow queries
>
> On 28/02/2020 09:21, Eben Victor wrote:
> > Thanks Rowland, I have removed from options, and amended
> > the forwarders.
> >
> > [global]
> >         workgroup = <MYDOMAIN>
> >         realm = <MYDOMAIN>.CORP
> >         netbios name = <HOSTNAME>
> >         server role = active directory domain controller
> >         idmap_ldb:use rfc2307 = yes
> >         idmap config * : range = 3000-7999 ----------> If I remove the
> > portion I get errors -> idmap range not specified for domain '*'
> Yes, I know, remove the line and ignore the error, it is
> meaningless ;-)
> > Also see below resolv.conf
> >
> > search mydomain.corp otherdomain.corp otherdomain.net otherdomain.co.za mydomain.co.za
> Remove all domains except for the AD dns domain
> > nameserver DC2
> > nameserver DC3
> > nameserver DC1
> > nameserver DC5
> > nameserver DC6
> > nameserver DC4
> >
> The DC should use itself as its nameserver, whether you have other
> nameservers is debatable, if Samba crashes, do you want it contacting
> another DC ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>
--
Eben Victor
Cell:  +27 82 759 5266
Email: eben.victor at gmail.com
Thanks Louis,
I'll test as suggested.
I have to say, after the few changes made already, my DNS is running much
smoother than before.

On Fri, Feb 28, 2020 at 1:22 PM L.P.H. van Belle via samba <samba at
lists.samba.org> wrote:
> So if this is done, is edns configured also?

--
Eben Victor
Hai Eben (victor),

Great to hear that, you opened TCP 53 ?
edns tcp/53 packet size 4096.
dns    udp/53 packet size 512

having that right helps a lot, but only that is often not enough.
This is why i add the options also to resolv.conf and bind.

test a bit, and see what works best for you.

Great weekend.

Greetz,

Louis
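
Added example, not part of the original messages: what changes on the wire when a resolver honours `options edns0` (an OPT record advertising a larger UDP payload is appended to the query), and the truncation flag that forces a client to retry over TCP/53, which is why both protocols must pass the firewall. The host name `dc1.mydomain.corp`, the transaction id and the truncated reply are constructed sample data.

```python
import struct

def encode_name(name):
    """Encode a host name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0x1234, edns_size=None):
    """Build an A query; with edns_size set, append an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns_size:
        # OPT RR: root name, TYPE=41, CLASS carries the advertised UDP
        # payload size, TTL (ext-rcode/version/flags)=0, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return msg

def skip_name(msg, pos):
    """Return the offset just past the name that starts at pos."""
    while True:
        length = msg[pos]
        if (length & 0xC0) == 0xC0:  # compression pointer is two bytes
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def advertised_udp_size(msg):
    """UDP payload size a message advertises: 512 without EDNS0, else the OPT value."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 41:
            return rclass
        pos += 10 + rdlen
    return 512

def needs_tcp_retry(response):
    """True when the TC (truncated) flag is set, so the client must retry on TCP/53."""
    return bool(struct.unpack("!H", response[2:4])[0] & 0x0200)

# Constructed sample data: host name and truncated reply are made up for the demo.
PLAIN = build_query("dc1.mydomain.corp")
EDNS = build_query("dc1.mydomain.corp", edns_size=4096)
TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + PLAIN[12:]
```

If a capture on the DC shows replies for which `needs_tcp_retry` is true but no following TCP/53 connection succeeds, the TCP side is being dropped somewhere on the path.
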
From: Eben Victor [mailto:eben.victor at gmail.com]
Sent: Friday 28 February 2020 14:47
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba Bind DLZ Slow queries
Thanks Louis,
I'll test as suggested.
I have to say, after the few changes made already, my DNS is running much
smoother than before.
Awesome, really thanks for all the help.

Eben Victor
Retail Systems Administrator
CBU-IT
Vodacom

On 28 Feb 2020, at 4:23 PM, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> Hai Eben (victor),
> Great to hear that, you opened TCP 53 ?