Frequent timeout

Alex mysqlstudent at gmail.com
Mon Sep 10 16:11:38 UTC 2018


Hi,

> >> tcpdump -s0 -n -i eth0 port domain -w /tmp/domaincapture.pcap
> >>
> >> You don't need all of the extra stuff because -s0 captures the full packet.
>
> On 06.09.18 18:42, Alex wrote:
> >This is the command I ran to produce the pcap file I sent:
> >
> ># tcpdump -s0 -vv -i eth0 -nn -w domain-capture-eth0-090518.pcap udp
> >dst port domain
>
> and that is the problem. "dst port domain" captures packets going to DNS
> servers, not responses coming back.
>
> "-vv" and "-nn" are useless when producing packet capture and "-s0" is
> default for some time. I often add "-U" so file is flushed with each packet.
>
> you can strip incoming queries by using filter
>
> "(src host 68.195.XXX.45 and dst port domain) or (src port domain and dst host 68.195.XXX.45)"

I've generated a new tcpdump file using these criteria and uploaded it here:
https://drive.google.com/file/d/1F0VML8yPZJbcDZTys2hXDhjzv1UaBHuV/view?usp=sharing

The SERVFAIL errors didn't really occur over the weekend. I believe it
has something to do with mail volume, link congestion/bandwidth
utilization.

Thanks,
Alex



>
> >I should also mention that, while eth0 is the physical device, there
> >is a bridge set up to support virtual machines (none of which were
> >active). Hopefully that's not the reason! (real IP obscured).
>
> not the reason, but using "-i br0" could be safer then.
>
> Note that the IP was seen in packet capture you have published, not needed
> to hide it now.
>
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
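Added example, not part of the original thread: a small offline check that pairs a resolver's outgoing queries with the replies in a capture and lists unanswered and SERVFAIL transactions, which also shows why a capture taken with only "dst port domain" makes every query look unanswered. It assumes a classic little-endian pcap with Ethernet/IPv4/UDP frames; the function names and the sample capture (documentation addresses 192.0.2.10 and 198.51.100.53) are constructed for illustration.

```python
import struct

def dns_summary(pcap: bytes, resolver: str):
    """Pair the resolver's outgoing queries with replies in a classic
    little-endian pcap (Ethernet/IPv4/UDP). Returns (unanswered, servfail)."""
    pending, servfail, off = set(), [], 24          # skip 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]   # captured length
        frame, off = pcap[off + 16: off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                 # keep IPv4 + UDP only
        udp = 14 + (frame[14] & 0x0F) * 4            # honour the IP header length
        if len(frame) < udp + 20:
            continue                                 # truncated before DNS header
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from("!HH", frame, udp)
        qid, flags = struct.unpack_from("!HH", frame, udp + 8)
        reply = bool(flags & 0x8000)                 # QR bit set on responses
        if src == resolver and dport == 53 and not reply:
            pending.add((qid, sport, dst))
        elif dst == resolver and sport == 53 and reply:
            pending.discard((qid, dport, src))
            if flags & 0x000F == 2:                  # RCODE 2 = SERVFAIL
                servfail.append(qid)
    return sorted(q for q, _, _ in pending), servfail

def _frame(src, dst, sport, dport, qid, flags):
    # Constructed pcap record: zeroed MACs, minimal IPv4/UDP/DNS headers.
    ip = (bytes([0x45, 0]) + struct.pack("!H", 40) + bytes(5) + bytes([17, 0, 0])
          + bytes(map(int, src.split("."))) + bytes(map(int, dst.split("."))))
    body = (bytes(12) + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 20, 0)
            + struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0))
    return struct.pack("<IIII", 0, 0, len(body), len(body)) + body

def sample_pcap(queries_only=False):
    """Constructed capture: three queries; one answered, one SERVFAIL, one lost."""
    r, u = "192.0.2.10", "198.51.100.53"            # documentation addresses
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, qid in enumerate((0x1111, 0x2222, 0x3333)):
        out += _frame(r, u, 40001 + i, 53, qid, 0x0100)
    if not queries_only:                             # what "dst port domain" drops
        out += _frame(u, r, 53, 40001, 0x1111, 0x8180)   # NOERROR
        out += _frame(u, r, 53, 40002, 0x2222, 0x8182)   # SERVFAIL
    return out

if __name__ == "__main__":
    print(dns_summary(sample_pcap(), "192.0.2.10"))
    print(dns_summary(sample_pcap(queries_only=True), "192.0.2.10"))
```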

