DNS cache

1. DNS cache

Eder
ederpaulopereira

(uses Debian)

Posted on 28/08/2013 - 14:03h

Good afternoon;

I have a question. On my network we have roughly 80 computers. Not all of them use the internet full-time, and watching my firewall with the iftop tool, I notice that the company's 10 Mb link is not even 40% used. In fact, the whole network's traffic that I see in sarg is around 1 GB to 1.5 GB per day.

Even so, I notice that very often, when opening Google's site for example, the browser keeps thinking and thinking until it gives the famous error: 'DNS name server not resolved'. Well, after pressing F5, then it loads. But this has been bothering me, and as the person responsible for the network I have not managed to solve it. Initially I wanted to set up a DNS cache and point the clients at the gateway itself as their DNS server. I use CentOS 6.4 32-bit; I did this with:

yum install bind


It automatically installed the required dependencies; I ran chkconfig named on so it starts at boot, and it is running. Even so, the problem was not solved. But what I did notice is that when I run

/etc/init.d/named status
or
/etc/init.d/named stop/start

or even when I reboot the server, it takes forever for named to stop. I read in many places that just having named running and pointing the clients' DNS at the server is enough for it to cache, but since I don't understand this area well, I don't know where I'm going wrong.

Oh, I also opened port 53 tcp/udp on the firewall, and even so it is just as slow; I mean, it does browse using this DNS, but it didn't solve it.

Does anyone have a suggestion?
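Before tuning anything, it is worth proving from a LAN client that the gateway's named is reachable, answers recursively and actually caches, and proving on the gateway that named is bound to the LAN address at all. The script below is an added example, not part of the thread or of BIND: it parses the output of `dig @192.168.1.2 www.google.com A` (run twice) and of `netstat -lnup` on a CentOS 6 box. The address 192.168.1.2 is the gateway from the thread; the dig and netstat outputs at the bottom are constructed samples (answer address from the 192.0.2.0/24 documentation range, made-up timings and IDs) so the checks run offline.

```bash
#!/bin/bash
# Added example, not from the original thread: confirm from a LAN client that the
# gateway's BIND (192.168.1.2 in the thread) answers recursively and really caches,
# and confirm on the gateway that named listens on the LAN address at all.
# Real commands whose output these functions parse:
#   dig @192.168.1.2 www.google.com A      # run twice, compare "Query time"
#   netstat -lnup | grep named             # on the gateway (CentOS 6)
# The samples at the bottom are constructed so the checks can run offline.

dig_server()   { printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([0-9.]*\)#53.*/\1/p'; }
dig_status()   { printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.* status: \([A-Z]*\),.*/\1/p'; }
dig_flags()    { printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'; }
dig_query_ms() { printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'; }

# A usable answer for the client: it came from the server we asked, status NOERROR,
# and the "ra" (recursion available) flag set. A reply without "ra" means named is
# reachable but refuses to recurse for this client (allow-recursion / allow-query
# do not include the LAN).
resolver_ok() {  # $1 = dig output, $2 = expected server address
  [ "$(dig_server "$1")" = "$2" ] || return 1
  [ "$(dig_status "$1")" = "NOERROR" ] || return 1
  case " $(dig_flags "$1") " in *" ra "*) return 0 ;; *) return 1 ;; esac
}

# A second identical query should be answered from cache: the query time collapses
# to a few milliseconds at most (the TTL in the answer also counts down between runs).
cache_hit() {  # $1 = first dig output, $2 = second dig output
  t1=$(dig_query_ms "$1"); t2=$(dig_query_ms "$2")
  [ -n "$t1" ] && [ -n "$t2" ] && [ "$t2" -lt "$t1" ] && [ "$t2" -le 5 ]
}

# Is named bound to UDP 53 on the given address (or on 0.0.0.0)? With the stock
# CentOS 6 named.conf it listens on 127.0.0.1 only, so LAN queries never arrive.
named_listens_on() {  # $1 = "netstat -lnup" output, $2 = address
  ip=$(printf '%s' "$2" | sed 's/\./\\./g')
  printf '%s\n' "$1" | grep -Eq "^udp +[0-9]+ +[0-9]+ +(0\.0\.0\.0|$ip):53 .*named"
}

# Constructed sample: first query, answered by recursion (148 ms).
DIG_FIRST=$(cat <<'EOF'
; <<>> DiG 9.8.2 <<>> @192.168.1.2 www.google.com A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50321
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.google.com.		300	IN	A	192.0.2.10

;; Query time: 148 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
EOF
)
# Constructed sample: same query a few seconds later, TTL counted down, from cache.
DIG_SECOND=$(cat <<'EOF'
; <<>> DiG 9.8.2 <<>> @192.168.1.2 www.google.com A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8817
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.google.com.		296	IN	A	192.0.2.10

;; Query time: 0 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
EOF
)
# Constructed sample: "netstat -lnup" when named is bound to loopback only.
NETSTAT_LOOPBACK_ONLY=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
udp        0      0 127.0.0.1:53                0.0.0.0:*                               1289/named
udp        0      0 0.0.0.0:3130                0.0.0.0:*                               1944/(squid)
EOF
)

resolver_ok "$DIG_FIRST" 192.168.1.2 && echo "recursive answer from 192.168.1.2: OK"
cache_hit "$DIG_FIRST" "$DIG_SECOND" && echo "second query served from cache: OK"
named_listens_on "$NETSTAT_LOOPBACK_ONLY" 192.168.1.2 ||
  echo "named is not listening on 192.168.1.2: LAN clients cannot use it"
```

If the first check fails with a timeout while `dig @127.0.0.1` on the gateway works, the listening address is the problem, not caching; if `ra` is missing, named is reachable but treats the LAN as an outsider. Only once both pass does the query-time comparison say anything about the cache.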

2. Re: DNS cache

Leonardo Oliveira Ortiz
leonardoortiz

(uses CentOS)

Posted on 28/08/2013 - 17:18h

OK, let's take it step by step.
First, what are your gateway and DNS right now? Is it the Linux box (if so, post your firewall config)?
Post the output of these commands for us:
ps aux
free -m
df -hT

Do the machines go through a proxy (squid)? If so, post the proxy config too.


3. Re: DNS cache

Eder
ederpaulopereira

(uses Debian)

Posted on 28/08/2013 - 18:07h

leonardoortiz wrote:

OK, let's take it step by step.
First, what are your gateway and DNS right now? Is it the Linux box (if so, post your firewall config)?
Post the output of these commands for us:
ps aux
free -m
df -hT

Do the machines go through a proxy (squid)? If so, post the proxy config too.


My gateway is 192.168.1.2; for DNS I currently use 8.8.8.8/208.67.222.222. This gateway runs CentOS 6.4 32-bit with iptables + squid.

ps aux

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 2900 1424 ? Ss 12:04 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S 12:04 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 12:04 0:00 [migration/0]
root 4 0.0 0.0 0 0 ? S 12:04 0:00 [ksoftirqd/0]
root 5 0.0 0.0 0 0 ? S 12:04 0:00 [migration/0]
root 6 0.0 0.0 0 0 ? S 12:04 0:00 [watchdog/0]
root 7 0.0 0.0 0 0 ? S 12:04 0:00 [migration/1]
root 8 0.0 0.0 0 0 ? S 12:04 0:00 [migration/1]
root 9 0.0 0.0 0 0 ? S 12:04 0:00 [ksoftirqd/1]
root 10 0.0 0.0 0 0 ? S 12:04 0:00 [watchdog/1]
root 11 0.0 0.0 0 0 ? S 12:04 0:00 [events/0]
root 12 0.0 0.0 0 0 ? S 12:04 0:00 [events/1]
root 13 0.0 0.0 0 0 ? S 12:04 0:00 [cgroup]
root 14 0.0 0.0 0 0 ? S 12:04 0:00 [khelper]
root 15 0.0 0.0 0 0 ? S 12:04 0:00 [netns]
root 16 0.0 0.0 0 0 ? S 12:04 0:00 [async/mgr]
root 17 0.0 0.0 0 0 ? S 12:04 0:00 [pm]
root 18 0.0 0.0 0 0 ? S 12:04 0:00 [sync_supers]
root 19 0.0 0.0 0 0 ? S 12:04 0:00 [bdi-default]
root 20 0.0 0.0 0 0 ? S 12:04 0:00 [kintegrityd/0]
root 21 0.0 0.0 0 0 ? S 12:04 0:00 [kintegrityd/1]
root 22 0.0 0.0 0 0 ? S 12:04 0:00 [kblockd/0]
root 23 0.0 0.0 0 0 ? S 12:04 0:00 [kblockd/1]
root 24 0.0 0.0 0 0 ? S 12:04 0:00 [kacpid]
root 25 0.0 0.0 0 0 ? S 12:04 0:00 [kacpi_notify]
root 26 0.0 0.0 0 0 ? S 12:04 0:00 [kacpi_hotplug]
root 27 0.0 0.0 0 0 ? S 12:04 0:00 [ata/0]
root 28 0.0 0.0 0 0 ? S 12:04 0:00 [ata/1]
root 29 0.0 0.0 0 0 ? S 12:04 0:00 [ata_aux]
root 30 0.0 0.0 0 0 ? S 12:04 0:00 [ksuspend_usbd]
root 31 0.0 0.0 0 0 ? S 12:04 0:00 [khubd]
root 32 0.0 0.0 0 0 ? S 12:04 0:00 [kseriod]
root 33 0.0 0.0 0 0 ? S 12:04 0:00 [md/0]
root 34 0.0 0.0 0 0 ? S 12:04 0:00 [md/1]
root 35 0.0 0.0 0 0 ? S 12:04 0:00 [md_misc/0]
root 36 0.0 0.0 0 0 ? S 12:04 0:00 [md_misc/1]
root 37 0.0 0.0 0 0 ? S 12:04 0:00 [khungtaskd]
root 38 0.0 0.0 0 0 ? S 12:04 0:00 [kswapd0]
root 39 0.0 0.0 0 0 ? SN 12:04 0:00 [ksmd]
root 40 0.0 0.0 0 0 ? S 12:04 0:00 [aio/0]
root 41 0.0 0.0 0 0 ? S 12:04 0:00 [aio/1]
root 42 0.0 0.0 0 0 ? S 12:04 0:00 [crypto/0]
root 43 0.0 0.0 0 0 ? S 12:04 0:00 [crypto/1]
root 48 0.0 0.0 0 0 ? S 12:04 0:00 [kthrotld/0]
root 49 0.0 0.0 0 0 ? S 12:04 0:00 [kthrotld/1]
root 51 0.0 0.0 0 0 ? S 12:04 0:00 [kpsmoused]
root 52 0.0 0.0 0 0 ? S 12:04 0:00 [usbhid_resume]
root 82 0.0 0.0 0 0 ? S 12:04 0:00 [kstriped]
root 161 0.0 0.0 0 0 ? S 12:04 0:00 [i915]
root 162 0.0 0.0 0 0 ? S< 12:04 0:00 [kslowd000]
root 163 0.0 0.0 0 0 ? S< 12:04 0:00 [kslowd001]
root 293 0.0 0.0 0 0 ? S 12:04 0:00 [scsi_eh_0]
root 295 0.0 0.0 0 0 ? S 12:04 0:00 [scsi_eh_1]
root 298 0.0 0.0 0 0 ? S 12:04 0:00 [scsi_eh_2]
root 299 0.0 0.0 0 0 ? S 12:04 0:00 [scsi_eh_3]
root 382 0.0 0.0 0 0 ? S 12:04 0:00 [jbd2/sda2-8]
root 383 0.0 0.0 0 0 ? S 12:04 0:00 [ext4-dio-unwr]
root 384 0.0 0.0 0 0 ? S 12:04 0:00 [ext4-dio-unwr]
root 478 0.0 0.0 0 0 ? S 12:04 0:00 [flush-8:0]
root 479 0.0 0.0 3044 1248 ? S<s 12:04 0:00 /sbin/udevd -d
root 692 0.0 0.0 0 0 ? S 12:04 0:00 [hd-audio0]
root 918 0.0 0.0 0 0 ? S 12:04 0:00 [kauditd]
root 1209 0.0 0.0 12952 844 ? S<sl 12:04 0:00 auditd
root 1234 0.0 0.0 37188 1528 ? Sl 12:04 0:00 /sbin/rsyslogd
root 1257 0.0 0.0 0 0 ? S 12:04 0:01 [kondemand/0]
root 1258 0.0 0.0 0 0 ? S 12:04 0:01 [kondemand/1]
named 1289 0.0 0.6 61988 13072 ? Ssl 12:04 0:00 /usr/sbin/named
rpc 1310 0.0 0.0 2576 836 ? Ss 12:04 0:00 rpcbind
rpcuser 1328 0.0 0.0 2840 1252 ? Ss 12:04 0:00 rpc.statd
root 1356 0.0 0.0 0 0 ? S 12:04 0:00 [rpciod/0]
root 1357 0.0 0.0 0 0 ? S 12:04 0:00 [rpciod/1]
root 1361 0.0 0.0 2640 492 ? Ss 12:04 0:00 rpc.idmapd
dbus 1459 0.0 0.0 13244 1112 ? Ssl 12:04 0:00 dbus-daemon --s
root 1476 0.0 0.1 12240 2896 ? Ss 12:04 0:00 cupsd -C /etc/c
root 1502 0.0 0.0 2020 584 ? Ss 12:04 0:00 /usr/sbin/acpid
68 1511 0.0 0.1 6252 3776 ? Ss 12:04 0:00 hald
root 1512 0.0 0.0 3784 1076 ? S 12:04 0:00 hald-runner
root 1540 0.0 0.0 3860 1024 ? S 12:04 0:00 hald-addon-inpu
68 1558 0.0 0.0 3504 1008 ? S 12:04 0:00 hald-addon-acpi
root 1573 0.0 0.0 30008 1588 ? Ssl 12:04 0:00 automount --pid
root 1593 0.0 0.0 8640 1016 ? Ss 12:04 0:00 /usr/sbin/sshd
root 1669 0.0 0.1 13492 2532 ? Ss 12:04 0:00 /usr/libexec/po
postfix 1692 0.0 0.1 12744 2532 ? S 12:04 0:00 qmgr -l -t fifo
root 1693 0.0 0.0 5220 900 ? Ss 12:04 0:00 /usr/sbin/abrtd
root 1701 0.0 0.1 11776 3448 ? Ss 12:04 0:00 /usr/sbin/httpd
root 1709 0.0 0.0 5960 1284 ? Ss 12:04 0:00 crond
apache 1727 0.0 0.1 11776 2144 ? S 12:04 0:00 /usr/sbin/httpd
apache 1728 0.0 0.1 11776 2144 ? S 12:04 0:00 /usr/sbin/httpd
apache 1729 0.0 0.1 11776 2144 ? S 12:04 0:00 /usr/sbin/httpd
apache 1730 0.0 0.1 11776 2144 ? S 12:04 0:00 /usr/sbin/httpd
apache 1731 0.0 0.1 11776 2144 ? S 12:04 0:00 /usr/sbin/httpd
apache 1732 0.0 0.1 11776 2144 ? S 12:04 0:00 /usr/sbin/httpd
apache 1733 0.0 0.1 11776 2144 ? S 12:04 0:00 /usr/sbin/httpd
apache 1734 0.0 0.1 11776 2144 ? S 12:04 0:00 /usr/sbin/httpd
root 1747 0.0 0.0 2944 464 ? Ss 12:04 0:00 /usr/sbin/atd
root 1759 0.0 0.0 8476 552 ? Ss 12:04 0:00 /usr/sbin/certm
root 1815 0.0 0.0 2008 480 tty1 Ss+ 12:04 0:00 /sbin/mingetty
root 1817 0.0 0.0 2008 472 tty2 Ss+ 12:04 0:00 /sbin/mingetty
root 1819 0.0 0.0 2008 476 tty3 Ss+ 12:04 0:00 /sbin/mingetty
root 1821 0.0 0.0 3356 1800 ? S< 12:04 0:00 /sbin/udevd -d
root 1822 0.0 0.0 3356 1800 ? S< 12:04 0:00 /sbin/udevd -d
root 1823 0.0 0.0 2008 504 tty4 Ss+ 12:04 0:00 /sbin/mingetty
root 1825 0.0 0.0 2008 476 tty5 Ss+ 12:04 0:00 /sbin/mingetty
root 1827 0.0 0.0 2008 480 tty6 Ss+ 12:04 0:00 /sbin/mingetty
root 1828 0.0 0.1 11584 3356 ? Ss 12:05 0:00 sshd: root@pts/
root 1832 0.0 0.0 5244 1680 pts/0 Ss+ 12:05 0:00 -bash
root 1942 0.0 0.2 17584 5388 ? Ss 12:07 0:00 squid -f /etc/s
squid 1944 0.3 2.7 61808 53632 ? S 12:07 1:17 (squid) -f /etc
squid 1946 0.0 0.0 3280 924 ? S 12:07 0:00 (unlinkd)
squid 1947 0.0 0.0 3764 1172 ? S 12:07 0:07 diskd 1990660 1
postfix 3116 0.0 0.1 12676 2492 ? S 17:04 0:00 pickup -l -t fi
root 3118 0.0 0.1 11584 3360 ? Ss 17:05 0:00 sshd: root@pts/
root 3123 0.0 0.0 5240 1660 pts/1 Ss 17:05 0:00 -bash
root 3256 0.0 0.0 4932 1044 pts/1 R+ 17:54 0:00 ps aux

free -m

total used free shared buffers cached
Mem: 1882 634 1248 0 94 347
-/+ buffers/cache: 192 1690
Swap: 1499 0 1499

df -hT
Filesystem Type Size Used Avail Use% Mounted on
/dev/sda2 ext4 146G 3.7G 135G 3% /
tmpfs tmpfs 942M 0 942M 0% /dev/shm

I'll post my iptables file later.

My squid.conf file too.



4. Re: DNS cache

Leonardo Oliveira Ortiz
leonardoortiz

(uses CentOS)

Posted on 29/08/2013 - 15:42h

OK, we're waiting for the configuration files.


5. Configuration files

Eder
ederpaulopereira

(uses Debian)

Posted on 30/08/2013 - 08:44h

Good morning everyone, here are my confs:
squid.conf:

# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

#Local network
acl redelocal src 192.168.1.0/24

visible_hostname proxymatrizoi

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum configuration
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

################################################################################################################################
################################################################################################################################
######################### SPACE FOR THE ACLS, ANY CHANGE MUST BE MADE HERE ####################################################

acl acesso_total src "/etc/squid/acessototal.txt"
acl youtube_liberado url_regex "/etc/squid/youtube.txt"
acl youtube src "/etc/squid/ips_podem_ver_youtube.txt"
acl liberado src "/etc/squid/ips_liberados.txt"

#### Blocked words for squid, applied to any site, go here ###
acl proibidos url_regex "/etc/squid/palavras_bloqueadas.txt"

### Allowed sites or words go here ###
acl site_liberado url_regex "/etc/squid/sites_liberados.txt"

#### The ACL order goes here

http_access allow manager
http_access allow acesso_total
#http_access deny all extensoes
#http_access deny bloqueado
http_access deny proibidos
http_access allow liberado
http_access deny manager
http_access allow redelocal
http_access allow localhost
# Block everything else that was not specified above
http_access deny all

# Squid normally listens to port 3128
http_port 3128 transparent

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Cache settings
#cache_dir ufs /var/spool/squid 30480 16 256

cache_dir diskd /var/spool/squid 30480 16 256 Q1=72 Q2=64
cache_access_log /var/log/squid/access.log
cache_effective_user squid
cache_effective_group squid
cache_mem 1024 MB
cache_log /var/log/squid/cache.log
minimum_object_size 0 KB
maximum_object_size 900 MB

memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
negative_dns_ttl 1 minutes
positive_dns_ttl 8 hours
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

######## Start of per-IP bandwidth control #####################
# SQUID bandwidth control - Lima 19/11

# ACLS
acl bandabaixa src "/etc/squid/banda_baixa.txt"
acl bandamedia src "/etc/squid/banda_media.txt"
acl bandaalta src "/etc/squid/banda_alta.txt"

# Delay Pools
delay_pools 3
delay_class 1 2
delay_class 2 2
delay_class 3 2

delay_access 1 allow bandabaixa
delay_access 2 allow bandamedia
delay_access 3 allow bandaalta

# delay_parameters values are bytes/second (restore rate) and bytes (bucket size)
delay_parameters 1 -1/-1 70000/70000 # ~70 KB/s per IP
delay_parameters 2 -1/-1 200000/200000 # ~200 KB/s per IP
delay_parameters 3 -1/-1 100000/100000 # ~100 KB/s per IP
################### End of bandwidth control ########################

Firewall file:

#!/bin/bash

######### Flush the tables ############
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
##

#Default policy - block everything inbound
iptables -P INPUT DROP # Inbound
iptables -P OUTPUT ACCEPT # Packets from the firewall outward
iptables -P FORWARD ACCEPT # From the internal network OUT

# Block any external access to the firewall
iptables -A INPUT -p tcp --syn -s 213.232.110.135/24 -j DROP
iptables -A INPUT -p tcp --syn -s 200.143.8.86/24 -j DROP
iptables -A INPUT -p tcp --syn -s 31.12.64.23/24 -j DROP
iptables -A INPUT -p tcp --syn -s 31.12.68.205/24 -j DROP
iptables -A INPUT -p tcp --syn -s 31.0.0.0/24 -j DROP

#Packets originated by the firewall
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow internal DNS
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

# Allowed without proxy - always before the redirect to the proxy
iptables -t nat -A PREROUTING -s 192.168.1.153/32 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.1.11/32 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.1.12/32 -j ACCEPT

#Allow internal access from the local network
iptables -A INPUT -p tcp --syn -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p tcp --syn -s 192.168.1.0/24 -j ACCEPT

#Transparent proxy redirect -- send all port 80 requests coming in on eth0 (local network) to squid
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

# Reject any request to SQUID that is not from the internal network
# ("!" goes before the option; the LAN is 192.168.1.0/24 everywhere else in this script)
iptables -A INPUT -p tcp ! -s 192.168.1.0/24 --dport 3128 -j REJECT

#Kernel forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

#Masquerade the network for WEB egress
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -p udp -s 192.168.1.0/24 -j MASQUERADE

#End

That's it.
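The two port-53 INPUT rules in the firewall above carry no `-s`, so they admit DNS queries from any address; whether the gateway then acts as an open recursive resolver (and a ready-made amplification reflector) depends entirely on the `options {}` block of /etc/named.conf, which the thread does not show. The script below is an added example, not from the thread, BIND or iptables: it audits a named.conf text and an `iptables -S INPUT` listing for exactly that. Assumed from the thread: LAN 192.168.1.0/24 and gateway 192.168.1.2. The three named.conf samples are constructed (the first mirrors the `listen-on`/`allow-query` defaults the CentOS 6 bind package ships), and POSTED_RULES is the thread's two port-53 rules as `iptables -S` prints them, beside the same rules restricted to the LAN.

```bash
#!/bin/bash
# Added example, not from the original thread. Audits the two settings that decide
# who the gateway's BIND serves: the options{} block of /etc/named.conf and the
# port-53 INPUT rules. Inputs are plain text ("cat /etc/named.conf" and
# "iptables -S INPUT"), so the constructed samples below let it run offline.
# Assumed from the thread: LAN 192.168.1.0/24, gateway address 192.168.1.2.

# Text between the braces of an options{} statement, e.g.
#   named_opt "$conf" allow-query   ->  " localhost; "
named_opt() {  # $1 = named.conf text, $2 = option name
  printf '%s\n' "$1" |
    sed -En "s/^[[:space:]]*$2( port [0-9]+)?[[:space:]]*[{]([^}]*)[}];.*/\2/p"
}

list_has() {  # $1 = address-match list text, $2 = token ("any", an address, a prefix)
  case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Prints one line per problem; prints nothing when the LAN is served and nobody else is.
audit_named_conf() {  # $1 = named.conf text, $2 = LAN prefix, $3 = gateway LAN address
  local conf=$1 lan=$2 gw=$3 listen query rec
  listen=$(named_opt "$conf" listen-on)
  query=$(named_opt "$conf" allow-query)
  rec=$(named_opt "$conf" allow-recursion)
  # Stock CentOS 6 named.conf ships listen-on { 127.0.0.1; }: LAN queries never arrive.
  list_has "$listen" any || list_has "$listen" "$gw" ||
    echo "listen-on lacks $gw: LAN clients cannot reach named"
  # ...and allow-query { localhost; }: queries that do arrive are REFUSED.
  list_has "$query" any || list_has "$query" "$lan" ||
    echo "allow-query lacks $lan: LAN queries are refused"
  # If allow-recursion is unset, BIND 9 falls back to allow-query-cache, then to
  # allow-query, then to "localnets; localhost;". So allow-query { any; } with no
  # allow-recursion is an open recursive resolver, i.e. an amplification reflector.
  [ -n "$rec" ] || rec=$(named_opt "$conf" allow-query-cache)
  [ -n "$rec" ] || rec=$query
  [ -n "$rec" ] || rec="localnets; localhost;"
  if list_has "$rec" any; then
    echo "recursion allowed for any: open resolver"
  fi
}

# A port-53 ACCEPT without "-s <LAN>" exposes named to the whole internet, so the
# firewall no longer backs up whatever named.conf gets wrong.
audit_dns_rules() {  # $1 = "iptables -S INPUT" output, $2 = LAN prefix
  printf '%s\n' "$1" | grep -E -- '--dport 53( |$)' | while IFS= read -r rule; do
    case "$rule" in
      *"-s $2 "*) ;;
      *) echo "port 53 open to any source: $rule" ;;
    esac
  done
}

# Constructed sample 1: the listen-on/allow-query defaults of the CentOS 6 bind package.
STOCK_CONF=$(cat <<'EOF'
options {
	listen-on port 53 { 127.0.0.1; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	allow-query     { localhost; };
	recursion yes;
};
EOF
)
# Constructed sample 2: the usual "quick fix" that turns the box into an open resolver.
OPEN_CONF=$(cat <<'EOF'
options {
	listen-on port 53 { any; };
	allow-query { any; };
	recursion yes;
};
EOF
)
# Constructed sample 3: caching resolver for the LAN only.
LAN_CONF=$(cat <<'EOF'
options {
	listen-on port 53 { 127.0.0.1; 192.168.1.2; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	allow-query     { localhost; 192.168.1.0/24; };
	allow-recursion { localhost; 192.168.1.0/24; };
	recursion yes;
};
EOF
)
# The thread's two port-53 rules as "iptables -S INPUT" prints them, and the same
# rules restricted to the LAN.
POSTED_RULES='-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT'
LAN_RULES='-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j ACCEPT'

echo "== stock named.conf";    audit_named_conf "$STOCK_CONF" 192.168.1.0/24 192.168.1.2
echo "== open named.conf";     audit_named_conf "$OPEN_CONF"  192.168.1.0/24 192.168.1.2
echo "== LAN-only named.conf"; audit_named_conf "$LAN_CONF"   192.168.1.0/24 192.168.1.2
echo "== posted port-53 rules"; audit_dns_rules "$POSTED_RULES" 192.168.1.0/24
```

On the real gateway, feed it `"$(cat /etc/named.conf)"` and `"$(iptables -S INPUT)"`. Fix both layers, not one: restrict `listen-on`, `allow-query` and `allow-recursion` to the LAN in named.conf, and add `-s 192.168.1.0/24` to the two port-53 rules, so a later edit to either file cannot quietly reopen the resolver. After changing named.conf, `named-checkconf` and `rndc reload` apply it without a full restart.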
