Apache JMeter
Description:
Apache JMeter is a 100% pure Java desktop application designed to load test functional behavior and measure performance. It was originally designed for testing Web Applications but has since expanded to other test functions. Apache JMeter may be used to test performance both on static and dynamic resources (files, Servlets, Perl scripts, Java Objects, Data Bases and Queries, FTP Servers and more). It can be used to simulate a heavy load on a server, network or object to test its strength or to analyze overall performance under different load types. You can use it to make a graphical analysis of performance or to test your server/script/object behavior under heavy concurrent load.
Requirement:
Solaris, Linux, Windows (98, NT, 2000). JDK1.4 (or higher).
benerator
Description:
benerator is a framework for creating realistic and valid high-volume test data, used for (unit/integration/load) testing and showcase setup. Metadata constraints are imported from systems and/or configuration files. Data can be imported from and exported to files and systems, anonymized or generated from scratch. Domain packages provide reusable generators for creating domain-specific data as names and addresses internationalizable in language and region. It is strongly customizable with plugins and configuration options.
Requirement:
Platform Independent
CLIF is a Load Injection Framework
Description:
CLIF is a modular and flexible distributed load testing platform. It may address any target system that is reachable from a Java program (HTTP, DNS, TCP/IP...) CLIF provides 3 user interfaces (Swing or Eclipse GUI, command line) to deploy, control and monitor a set of distributed load injectors and resource consumption probes (CPU, memory...) An Eclipse wizard helps programming support for new protocols. Load scenarios are defined through XML-editing, using a GUI, or using a capture tool. The scenario execution engine allows the execution of up to millions of virtual users per load injector.
Requirement:
Java 1.5 or greater, with enhanced support for Linux, Windows XP, MacOSX/PPC
curl-loader
Description:
A C-written web application testing and load generating tool. The goal of the project is to provide a powerful open-source alternative to Spirent Avalanche and IXIA IxLoad. The loader uses real HTTP, FTP and TLS/SSL protocol stacks, simulating tens of thousand and hundred users/clients each with own IP-address. The tool supports user authentication, login and a range of statistics.
Requirement:
linux
Database Opensource Test Suite
Description:
The Database Opensource Test Suite (DOTS) is a set of test cases designed for the purpose of stress-testing database server systems in order to measure database server performance and reliability.
Requirement:
Linux, POSIX
DBMonster
Description:
DBMonster is an application to generate random data for testing SQL database driven applications under heavy load.
Requirement:
OS Independent
Deluge
Description:
An open-source web site stress test tool. Simulates multiple user types and counts. Includes proxy server for recording playback scripts, and log evaluator for generating result statistics. Note: this tool is no longer under active development although it is still available on Sourceforge.
Requirement:
OS independent
Dieseltest
Description:
Contains the high-end features common to packages costing $50,000 or more. Dieseltest is a Windows application that simulates hundreds or thousands of users hitting a website. To run a load test, you first create a test script using our script editor. The script contains all of the requests that a real-world user would make of a website. You then load the script and run the test. The system will show you real-time results while the script is running, and produce a report analyzing the results at the conclusion.
Requirement:
Windows
Faban
Description:
Faban is a facility for developing and running benchmarks, developed by Sun. It has two major components, the Faban harness and the Faban driver framework. The Faban harness is a harness to automate running of server benchmarks as well as a container to host benchmarks allowing new benchmarks to be deployed in a rapid manner. Faban provides a web interface to launch & queue runs, and extensive functionality to view, compare and graph run outputs.
Requirement:
OS independent; JVM 1.5 or later.
FunkLoad
Description:
FunkLoad is a functional and load web tester, written in Python, whose main use cases are functional and regression testing of web projects, performance testing by loading the web application and monitoring your servers, load testing to expose bugs that do not surface in cursory testing, and stress testing to overwhelm the web application resources and test the application recoverability, and writing web agents by scripting any web repetitive task, like checking if a site is alive.
Requirement:
OS independent - except for the monitoring which is Linux specific.
Grinder
Description:
The Grinder is a Java load-testing framework making it easy to orchestrate the activities of a test script in many processes across many machines, using a graphical console application.
Requirement:
OS Independent
Hammerhead 2 - Web Testing Tool
Description:
Hammerhead 2 is a stress testing tool designed to test out your web server and web site. It can initiate multiple connections from IP aliases and simulated numerous (256+) users at any given time. The rate at which Hammerhead 2 attempts to pound your site is fully configurable, there are numerous other options for trying to create problems with a web site (so you can fix them).
Requirement:
Hammerhead has been used with Linux, Solaris and FreeBSD.
Hammerora
Description:
Hammerora is a load generation tool for the Oracle Database and Web Applications. Hammerora includes pre-built schema creation and load tests based on the industry standard TPC-C and TPC-H benchmarks to deploy against the Oracle database with multiple users. Hammerora also converts and replays Oracle trace files and enables Web-tier testing to build bespoke load tests for your entire Oracle application environment.
Requirement:
Platform Independent (Binaries for Linux and Windows)
httperf
Description:
Httperf is a tool for measuring web server performance. It provides a flexible facility for generating various HTTP workloads and for measuring server performance. The focus is not on implementing one particular benchmark but on providing a robust, high-performance tool that facilitates the construction of both micro and macro level benchmarks. The three distinguishing characteristics of httperf are its robustness, which includes the ability to generate and sustain server overload, support for the HTTP/1.1 and SSL protocols, and its extensibility.
Requirement:
linux (Debian package available), HP-UX, perhaps other Unix
http_load
Description:
http_load runs multiple HTTP fetches in parallel, to test the throughput of a Web server. However, unlike most such test clients, it runs in a single process, to avoid bogging the client machine down. It can also be configured to do HTTPS fetches.
Requirement:
tbc
JChav
Description:
JChav is a way to see the change in performance of your web application over time, by running a benchmark test for each build you produce. JChav reads all the JMeter logs from each of your runs (one per build), and produces a set of charts for each test in each run.
Requirement:
JMeter
JCrawler
Description:
Stress-Testing Tool for web-applications. It comes with the crawling/exploratory feature. You can give JCrawler a set of starting URLs and it will begin crawling from that point onwards, going through any URLs it can find on its way and generating load on the web application. The load parameters (hits/sec) are configurable.
Requirement:
OS Independent
Lobo, Continuous Tuning
Description:
Lobo is a tool for performance testing and monitoring that allows you to monitor the evolution of performance along the time-line of the project. It was specially designed to be used in agile-iterative and evolutionary approaches.
Requirement:
Java
NTime
Description:
The NTime tool is very similar to NUnit tool to perform repeatable tasks that help managers, architects, developers and testers to test an application against its performance.
Requirement:
Windows 98 or above, .Net framework 1.1 or 2.0
OpenSTA
Description:
A distributed software testing architecture based on CORBA. Using OpenSTA (Open System Testing Architecture) a user can generate realistic heavy loads simulating the activity of hundreds to thousands of virtual users. OpenSTA graphs both virtual user response times and resource utilization information from all Web Servers, Application Servers, Database Servers and Operating Platforms under test, so that precise performance measurements can be gathered during load tests and analysis on these measurements can be performed.
Requirement:
Windows 2000, NT4 and XP
OpenWebLoad
Description:
OpenWebLoad is a tool for load testing web applications. It aims to be easy to use and providing near real-time performance measurements of the application under test.
Requirement:
Linux, Windows
p-unit
Description:
An open source framework for unit test and performance benchmark, which was initiated by Andrew Zhang, under GPL license. p-unit supports to run the same tests with single thread or multi-threads, tracks memory and time consumption, and generates the result in the form of plain text, image or pdf file.
Requirement:
OS Independent
PandoraFMS
Description:
Pandora FMS is a monitoring Open Source software. It watches your systems and applications, and allows you to know the status of any element of those systems. Pandora FMS could detect a network interface down, a defacement in your website, a memory leak in one of your server application, or the movement of any value of the NASDAQ new technology market. If you want, Pandora FMS could send out SMS message when your systems fails... or when Google's value drop below US$ 500.
Requirement:
32-bit MS Windows (NT/2000/XP), All POSIX (Linux/BSD/UNIX-like OSes), Solaris, HP-UX, IBM AIX
Pylot
Description:
Pylot is a free open source tool for testing performance and scalability of web services. It runs HTTP load tests, which are useful for capacity planning, benchmarking, analysis, and system tuning. Pylot generates concurrent load (HTTP Requests), verifies server responses, and produces reports with metrics. Tests suites are executed and monitored from a GUI.
Requirement:
Python 2.5+. required.Tested on Windows XP, Vista, Cygwin, Ubuntu, MacOS
Seagull
Description:
Seagull is a multi-protocol traffic generator test tool. Primary aimed at IMS protocols, Seagull is a powerful traffic generator for functional, load, endurance, stress and performance tests for almost any kind of protocol. Currently supports Diameter, XCAP over HTTP, TCAP (GSM Camel, MAP, Win) protocols.
Requirement:
Linux/Unix/Win32-Cygwin
Siege
Description:
SIEGE is an http regression testing and benchmarking utility. It was designed to let web developers measure the performance of their code under duress, to see how it will stand up to load on the internet. It lets the user hit a webserver with a configurable number of concurrent simulated users. Those users place the webserver "under siege." SCOUT surveys a webserver and prepares the urls.txt file for a siege. In order to perform regression testing, siege loads URLs from a file and runs through them sequentially or randomly. Scout makes the process of populating that file easier. You should send out the scout, before you lay siege.
Requirement:
GNU/Linux, AIX, BSD, HP-UX and Solaris.
Sipp
Description:
SIPp is a performance testing tool for the SIP protocol. Its main features are basic SIPStone scenarios, TCP/UDP transport, customizable (xml based) scenarios, dynamic adjustement of call-rate and a comprehensive set of real-time statistics. It can also generate media (RTP) traffic for audio and video calls.
Requirement:
Linux/Unix/Win32-Cygwin
SLAMD
Description:
SLAMD Distributed Load Generation Engine is a Java-based application designed for stress testing and performance analysis of network-based applications.
Requirement:
Any system with Java 1.4 or higher
Soap-Stone
Description:
Network benchmark application which can put your network under load and conduct automatic benchmark and recording activities.
Requirement:
OS Independent
stress_driver
Description:
General-purpose stress test tool.
Requirement:
Windows NT/2000, Linux
TestMaker
Description:
TestMaker from PushToTest.com delivers a rich environment for building and running intelligent test agents that test Web-enabled applications for scalability, functionality, and performance. It comes with a friendly graphical user environment, an object-oriented scripting language (Jython) to build intelligent test agents, an extensible library of protocol handlers (HTTP, HTTPS, SOAP, XML-RPC, SMTP, POP3, IMAP), a new agent wizard featuring an Agent Recorder to write scripts for you, a library of fully-functional sample test agents, and shell scripts to run test agents from the command line and from unit test utilities.
Requirement:
Java 1.4 or higher virtual machine on Windows, Linux, Solaris, and Macintosh.
TPTEST
Description:
The purpose with TPTEST is to allow users to measure the speed of their Internet connection in a simple way. TPTEST measures the throughput speed to and from various reference servers on the Internet. The use of TPTEST may help increase the consumer/end user knowledge of how Internet services work.
Requirement:
MacOS/Carbon and Win32
Tsung
Description:
Tsung is a distributed load testing tool. It is protocol-independent and can currently be used to stress HTTP, SOAP and Jabber servers (SSL is supported). It simulates complex user's behaviour using an XML description file, reports many measurements in real time (including response times, CPU and memory usage from servers, customized transactions, etc.). HTML reports (with graphics) can be generated during the load. For HTTP, it supports 1.0 and 1.1, has a proxy mode to record sessions, supports GET and POST methods, Cookies, and Basic WWW-authentication. It has already been used to simulate thousands of virtual users.
Requirement:
Tested on Linux, but should work on MacOSX and Windows.
Valgrind
Description:
Valgrind is an award-winning suite of tools for debugging and profiling Linux programs. With the tools that come with Valgrind, you can automatically detect many memory management and threading bugs, avoiding hours of frustrating bug-hunting, making your programs more stable. You can also perform detailed profiling, to speed up and reduce memory use of your programs.
Requirement:
Linux
Web Application Load Simulator
Description:
LoadSim is a web application load simulator. It allows you to create simulations and have those simulations run against your webserver.
Requirement:
JDK 1.3 or above
Web Polygraph
Description:
Benchmarking tool for caching proxies, origin server accelerators, L4/7 switches, content filters, and other Web intermediaries.
Requirement:
C++ compiler
WebLOAD
Description:
WebLOAD Open Source is a fully functional, commercial-grade performance testing product based on WebLOAD, Radview's flagship product that is already deployed at 1,600 sites. Available for free download and use, WebLOAD is a commercial-grade open source project with more than 250 engineering years of product development. Companies that require commercial support, additional productivity features and compatibility with third-party protocols have the option of purchasing WebLOAD Professional directly from RadView.
Requirement:
Windows NT/2000/XP
Friday, July 25, 2008
Monday, July 21, 2008
Nmap (Network Mapper)
Nmap is an open source utility to explore the network and to audit the security tools. It scans large networks (even those consisting of hundreds of thousands of machines, claims one of the users) quite rapidly, although it works fine against single hosts.
The users like the fact that Nmap uses raw IP packets to find out what hosts are available on the network, which application those hosts are offering and what operating systems (and what versions) they are running. It is able, state some of the readers, to indicate what type of packet filters and firewalls are in use. Nmap runs on most types of computers and both console and graphical versions are available. What is very important and what is most frequently prized by the users – Nmap is free!
The scanner can be run to support most operating systems: Linux, Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga. Nmap offers many advanced features for power users. You can start out as simply as nmap -v- Atargethost. Both - command line and graphical (GUI) are available to suit user's preference. Those who do not wish to compile Nmap from source can always use the binaries.
Although it is not so easy to run, Nmap has good, up-to-date man pages and tutorials in many languages. The disadvantage noticed by the users is the fact that the scanner comes with no warranty.
The swiss army knife of network surveilance.What can i say,it should be in every networking professionals toolbox.Advantage is the prize,its free open source.Yet a very powerfull tool to gain more knowledge about the target.You have two versions,one for the command prompt and NmapFE as GUI interface.Drawback is the lack of an suitable report generator,although mostly one will use Nessus and Nmap together.
Free tool Nmap: the one I will always use and trust, most reliable for discovering and fingerpritng, the fastest one too. The main purpose of the tool to discover, to identify open ports or fingerprint services.
Nmap has won Information Security Product of the Year award by Linux Journal, Info World and Codetalker Digest. Ratings show that Nmap is among the top ten (out of 30,000) programs at the Freshmeat.Net repository.
The result of an Nmap run is a list of scanned targets with some more information on each of them (depending on the options used), which is quite useful according to our testers. In addition to the interesting ports table, Nmap can provide further details on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses.
Sunday, July 13, 2008
Upgrading to BIND 9: The Top Nine Gotchas
1. BIND 9 handles errors in zone data files differently.
BIND 9 will refuse to load a zone that contains just about any syntax error, or one of many logical errors. Earlier versions of BIND were much more forgiving. So if you've been sailing blithely along, ignoring various warnings in your syslog file, upgrading to BIND 9 may be a rude awakening. All of a sudden, your name server may not load one or more of your zone data files.
Here are a couple of examples of errors that will cause your BIND 9 name server to fail to load a zone:
A single domain name owning a CNAME record and any other record (including another CNAME record). Missing fields in resource records
2. BIND 9 handles errors in named.conf differently.
An older BIND name server would still start, albeit with a partial configuration, if it found an error in named.conf. For example, you might leave out the masters substatement in a slave zone statement:
zone "test.example" {
type slave;
file "bak.test.example";
};
A BIND 8 name server would simply skip that zone statement and go on. A BIND 9 name server, on the other hand, will fail to start:
Apr 2 16:05:10 ns1 /usr/local/sbin/named[6501]: zone
'test.example': missing 'masters' entry
Apr 2 16:05:10 ns1 /usr/local/sbin/named[6501]: loading
configuration: failure
Apr 2 16:05:10 ns1 /usr/local/sbin/named[6501]: exiting
(due to fatal error)
You'd need to fix the problem by adding the masters substatement before named would even start.
3. The $TTL control statement is now required.
BIND 9 name servers demand that you specify a default time to live value for the zone with a $TTL control statement in each zone data file (unless you specify an explicit TTL on each record, and who does that?). If you don't, you'll see errors like this:
Apr 2 14:39:33 ns1 /usr/local/sbin/named[6054]:
dns_master_load: db.test.example:1: no TTL specified
Apr 2 14:39:33 ns1 /usr/local/sbin/named[6054]:
dns_zone_load: zone test.example/IN: loading master file
db.test.example: no ttl
BIND 8.2 and later name servers would use the last field in the zone's SOA record as the default TTL if no $TTL control statement was specified. (Before BIND 8.2, BIND name servers didn't understand the $TTL control statement at all.)
4. The default zone transfer format in BIND 9 is many-answers.
BIND 8 supported the new, more efficient many-answers zone transfer format, but defaulted to using the older one-answer format for interoperability's sake: BIND 4 slaves couldn't interpret the many-answers format. In BIND 9, however, the default zone transfer format is many-answers. If you have any BIND 4 slaves at all, you'll need to use server statements in named.conf to instruct your BIND 9 name servers to send them one-answer zone transfers:
server 10.0.0.1 { // our poor BIND 4 slave
transfer-format one-answer;
};
5. BIND 9 uses rndc instead of ndc.
BIND 8 introduced ndc, the name daemon controller, which initially just automated the task of finding the name server's PID and sending it a signal to induce it to do something interesting, like reload the name server. In BIND 8.2, ndc became a binary (it had been a shell script) that used a Unix domain socket- or TCP-based "control channel" to send control messages to the running name server. Either version of ndc usually worked right after installing the name server: the old version would track down the server's PID from the file named.pid, while the newer version used a local Unix domain socket to communicate with the name server.
BIND 9 uses rndc, the successor to ndc, to control the name server. rndc uses an authenticated control channel to send messages to the name server. This is significant both because it helps mitigate the risk of someone spoofing a message to the control channel and because it means that rndc doesn't work "out of the box."
To use rndc at all, you need to create an rndc.conf file and add a key statement and a controls statement to your named.conf file. Here's a small, sample rndc.conf file, which usually lives in /etc:
options {
default-server localhost;
default-key "rndc-key";
};
key "rndc-key" {
algorithm hmac-md5;
secret "jZhJ6D0KwJapRhr4Ln6RYQ==";
};
This tells rndc to present the key named rndc-key, by default, to the name server running on the local host when it has a command to send. The corresponding key and controls statement in named.conf would look like this:
controls {
inet * allow { any; } keys { "rndc-key"; };
};
key "rndc-key" {
algorithm hmac-md5;
secret "jZhJ6D0KwJapRhr4Ln6RYQ==";
};
This tells named to listen on all local network interfaces ("*") for control messages and to allow them to come from any IP address as long as they're signed with the key rndc-key. The key statement is exactly the same as the statement in rndc.conf.
Note that it's important that the name of the key, not just the secret that the key points to, matches in rndc.conf and named.conf since rndc uses the name to identify the key that was used to produce the hash value that authenticates the control message.
6. BIND 9 strictly enforces zone boundaries.
Older BIND name servers would let you get away with configurations like this:
subdomain IN NS ns1
subdomain IN TXT "Delegated subdomain"
Technically, that TXT record belongs in the zone data file for subdomain, not in the parent zone. Older versions of BIND, however, would allow it. Not BIND 9, though; it ignores the TXT record as "out-of-zone data."
This rigidity can also cause problems with delegation information in parent zones. Many administrators take advantage of the automatic "promotion" of NS records in a delegated zone into the parent zone within a single name server. For example, if your BIND 8 name server is configured both as the primary master for bar.example and as a slave for foo.bar.example, it will automatically "promote" the NS records in the foo.bar.example zone into the delegation information for foo.bar.example in the bar.example zone, obviating the need for you to maintain the delegation information manually.
BIND 9, however, won't mix the subzone's information with the parent zone's. So when a bar.example slave requested a transfer of the zone, it wouldn't include the foo.bar.example NS records.
This also affects stub zones: a BIND 9 name server won't "promote" NS records from a stub zone into its parent zone. You can, however, configure all of the parent zone's name servers with the stub child zone.
7. BIND 9 is multithreaded.
Unless you build BIND 9 with
./configure --disable-threads
you'll end up with a multithreaded name server. That's cool (as long as your operating system has a good threads implementation) because it'll let your name server take advantage of any extra CPUs your computer may have stashed away. But you may find the consequent output of ps confusing:
% ps ax grep named
6052 ? S 0:00 /usr/local/sbin/named
6053 ? S 0:00 /usr/local/sbin/named
6054 ? S 0:00 /usr/local/sbin/named
6055 ? S 0:00 /usr/local/sbin/named
6056 ? S 0:00 /usr/local/sbin/named
6318 pts/0 S 0:00 grep named
What are all those extra processes? They're a byproduct of using threads: each thread shows up as a separate process in the process list. It's nothing to be afraid of.
By the way, if you need to stop or reload the name server, remember to use rndc instead of sending signals to named.
8. BIND 9 doesn't support name checking.
Some wouldn't view this as a gotcha since it liberalizes the characters that BIND accepts in domain names, but it's worth noting. All versions of BIND from 4.9.4 through BIND 8 implement name checking and forbid illegal characters in domain names that refer to hosts (which, to BIND, means "domain names that own address records"). Legal characters are alphanumerics and dash.
BIND 9 doesn't implement name checking, though. You can use any characters you want in domain names, including underscores. You should keep in mind, however, that many resolvers now implement name checking, and may not be able to resolve domain names with weird characters.
9. BIND 9 developers don't hang out in the same old places.
In the past, you could expect to find BIND developers hanging out in the bind-users mailing list, which was bidirectionally gatewayed to the Usenet newsgroup comp.protocols.dns.bind. Send a message there about your woes getting named.conf's syntax right and you'd often get a response back within minutes.
The BIND 9 developers, however, hang out in the more exclusive bind9-users mailing list. (There's no equivalent newsgroup yet.) If you have questions about BIND 9 in particular, you should ask them there. Better yet--before you ask, check the mailing list's archive or the searchable archive.
BIND 9 will refuse to load a zone that contains just about any syntax error, or one of many logical errors. Earlier versions of BIND were much more forgiving. So if you've been sailing blithely along, ignoring various warnings in your syslog file, upgrading to BIND 9 may be a rude awakening. All of a sudden, your name server may not load one or more of your zone data files.
Here are a couple of examples of errors that will cause your BIND 9 name server to fail to load a zone:
A single domain name owning a CNAME record and any other record (including another CNAME record). Missing fields in resource records
2. BIND 9 handles errors in named.conf differently.
An older BIND name server would still start, albeit with a partial configuration, if it found an error in named.conf. For example, you might leave out the masters substatement in a slave zone statement:
zone "test.example" {
type slave;
file "bak.test.example";
};
A BIND 8 name server would simply skip that zone statement and go on. A BIND 9 name server, on the other hand, will fail to start:
Apr 2 16:05:10 ns1 /usr/local/sbin/named[6501]: zone
'test.example': missing 'masters' entry
Apr 2 16:05:10 ns1 /usr/local/sbin/named[6501]: loading
configuration: failure
Apr 2 16:05:10 ns1 /usr/local/sbin/named[6501]: exiting
(due to fatal error)
You'd need to fix the problem by adding the masters substatement before named would even start.
3. The $TTL control statement is now required.
BIND 9 name servers demand that you specify a default time to live value for the zone with a $TTL control statement in each zone data file (unless you specify an explicit TTL on each record, and who does that?). If you don't, you'll see errors like this:
Apr 2 14:39:33 ns1 /usr/local/sbin/named[6054]:
dns_master_load: db.test.example:1: no TTL specified
Apr 2 14:39:33 ns1 /usr/local/sbin/named[6054]:
dns_zone_load: zone test.example/IN: loading master file
db.test.example: no ttl
BIND 8.2 and later name servers would use the last field in the zone's SOA record as the default TTL if no $TTL control statement was specified. (Before BIND 8.2, BIND name servers didn't understand the $TTL control statement at all.)
4. The default zone transfer format in BIND 9 is many-answers.
BIND 8 supported the new, more efficient many-answers zone transfer format, but defaulted to using the older one-answer format for interoperability's sake: BIND 4 slaves couldn't interpret the many-answers format. In BIND 9, however, the default zone transfer format is many-answers. If you have any BIND 4 slaves at all, you'll need to use server statements in named.conf to instruct your BIND 9 name servers to send them one-answer zone transfers:
server 10.0.0.1 { // our poor BIND 4 slave
transfer-format one-answer;
};
5. BIND 9 uses rndc instead of ndc.
BIND 8 introduced ndc, the name daemon controller, which initially just automated the task of finding the name server's PID and sending it a signal to induce it to do something interesting, like reload the name server. In BIND 8.2, ndc became a binary (it had been a shell script) that used a Unix domain socket- or TCP-based "control channel" to send control messages to the running name server. Either version of ndc usually worked right after installing the name server: the old version would track down the server's PID from the file named.pid, while the newer version used a local Unix domain socket to communicate with the name server.
BIND 9 uses rndc, the successor to ndc, to control the name server. rndc uses an authenticated control channel to send messages to the name server. This is significant both because it helps mitigate the risk of someone spoofing a message to the control channel and because it means that rndc doesn't work "out of the box."
To use rndc at all, you need to create an rndc.conf file and add a key statement and a controls statement to your named.conf file. Here's a small, sample rndc.conf file, which usually lives in /etc:
options {
default-server localhost;
default-key "rndc-key";
};
key "rndc-key" {
algorithm hmac-md5;
secret "jZhJ6D0KwJapRhr4Ln6RYQ==";
};
This tells rndc to present the key named rndc-key, by default, to the name server running on the local host when it has a command to send. The corresponding key and controls statement in named.conf would look like this:
controls {
inet * allow { any; } keys { "rndc-key"; };
};
key "rndc-key" {
algorithm hmac-md5;
secret "jZhJ6D0KwJapRhr4Ln6RYQ==";
};
This tells named to listen on all local network interfaces ("*") for control messages and to allow them to come from any IP address as long as they're signed with the key rndc-key. The key statement is exactly the same as the statement in rndc.conf.
Note that it's important that the name of the key, not just the secret that the key points to, matches in rndc.conf and named.conf since rndc uses the name to identify the key that was used to produce the hash value that authenticates the control message.
6. BIND 9 strictly enforces zone boundaries.
Older BIND name servers would let you get away with configurations like this:
subdomain IN NS ns1
subdomain IN TXT "Delegated subdomain"
Technically, that TXT record belongs in the zone data file for subdomain, not in the parent zone. Older versions of BIND, however, would allow it. Not BIND 9, though; it ignores the TXT record as "out-of-zone data."
This rigidity can also cause problems with delegation information in parent zones. Many administrators take advantage of the automatic "promotion" of NS records in a delegated zone into the parent zone within a single name server. For example, if your BIND 8 name server is configured both as the primary master for bar.example and as a slave for foo.bar.example, it will automatically "promote" the NS records in the foo.bar.example zone into the delegation information for foo.bar.example in the bar.example zone, obviating the need for you to maintain the delegation information manually.
BIND 9, however, won't mix the subzone's information with the parent zone's. So when a bar.example slave requested a transfer of the zone, it wouldn't include the foo.bar.example NS records.
This also affects stub zones: a BIND 9 name server won't "promote" NS records from a stub zone into its parent zone. You can, however, configure all of the parent zone's name servers with the stub child zone.
7. BIND 9 is multithreaded.
Unless you build BIND 9 with
./configure --disable-threads
you'll end up with a multithreaded name server. That's cool (as long as your operating system has a good threads implementation) because it'll let your name server take advantage of any extra CPUs your computer may have stashed away. But you may find the consequent output of ps confusing:
% ps ax grep named
6052 ? S 0:00 /usr/local/sbin/named
6053 ? S 0:00 /usr/local/sbin/named
6054 ? S 0:00 /usr/local/sbin/named
6055 ? S 0:00 /usr/local/sbin/named
6056 ? S 0:00 /usr/local/sbin/named
6318 pts/0 S 0:00 grep named
What are all those extra processes? They're a byproduct of using threads: each thread shows up as a separate process in the process list. It's nothing to be afraid of.
By the way, if you need to stop or reload the name server, remember to use rndc instead of sending signals to named.
8. BIND 9 doesn't support name checking.
Some wouldn't view this as a gotcha since it liberalizes the characters that BIND accepts in domain names, but it's worth noting. All versions of BIND from 4.9.4 through BIND 8 implement name checking and forbid illegal characters in domain names that refer to hosts (which, to BIND, means "domain names that own address records"). Legal characters are alphanumerics and dash.
BIND 9 doesn't implement name checking, though. You can use any characters you want in domain names, including underscores. You should keep in mind, however, that many resolvers now implement name checking, and may not be able to resolve domain names with weird characters.
9. BIND 9 developers don't hang out in the same old places.
In the past, you could expect to find BIND developers hanging out in the bind-users mailing list, which was bidirectionally gatewayed to the Usenet newsgroup comp.protocols.dns.bind. Send a message there about your woes getting named.conf's syntax right and you'd often get a response back within minutes.
The BIND 9 developers, however, hang out in the more exclusive bind9-users mailing list. (There's no equivalent newsgroup yet.) If you have questions about BIND 9 in particular, you should ask them there. Better yet--before you ask, check the mailing list's archive or the searchable archive.
Thursday, July 10, 2008
Windows 2008 Server: What new functionality does Windows Server Backup provide?
Windows Server Backup includes the following improvements:
· Faster backup technology. Windows Server Backup uses Volume Shadow Copy Service (VSS) and block-level backup technology to back up and recover your operating system, files and folders, and volumes. After the first full backup is created, you can configure Windows Server Backup to automatically run incremental backups by saving only the data that has changed since the last backup. Even if you choose to always perform full backups, your backup will take less time than it did in earlier versions of Windows.
· Simplified restoration. You can restore items by choosing a backup and then selecting specific items from that backup to restore. You can recover specific files from a folder or all the contents of a folder. In addition, previously, you needed to manually restore from multiple backups if the item was stored on an incremental backup. But this is no longer true—you can now choose the date of the backup version for the item you want to restore.
· Simplified recovery of your operating system. Windows Server Backup works with new Windows recovery tools to make it easier for you to recover your operating system. You can recover to the same server—or if the hardware fails, you can recover to a separate server that has similar hardware and no operating system.
· Ability to recover applications. Windows Server Backup uses VSS functionality that is built into applications like Microsoft® SQL Server® to protect application data.
· Improved scheduling. Windows Server Backup includes a wizard that guides you through the process of creating daily backups. System volumes are automatically included in all scheduled backups so that you are protected against disasters.
· Offsite removal of backups for disaster protection. You can save backups to multiple disks in a rotation, which enables you to move disks from an offsite location. You can add each disk as a scheduled backup location and, if the first disk is moved offsite, Windows Server Backup will automatically save backups to the next disk in the rotation.
· Remote administration. Windows Server Backup uses an MMC snap-in to give you a familiar and consistent experience for managing your backups. After you install the snap-in, you can access this tool through Server Manager or by adding the snap-in to a new or existing MMC console. Then, you can manage backups on other servers by clicking the Action menu in the snap-in, and then clicking Connect to Another Computer.
· Automatic disk usage management. After you configure a disk for a scheduled backup, Windows Server Backup automatically manages the disk usage—you do not need to be concerned about running out of disk space after repeated backups. Windows Server Backup will automatically reuse the space of older backups when creating new backups. The management tool displays the backups that are available and the disk usage information. This can help you plan for provisioning additional storage to meet your recovery time objectives.
· Extensive command-line support. Windows Server Backup includes the Wbadmin command and documentation, which enable you to perform all of the same tasks at the command line that you can perform by using the snap-in. For more information, see the Command Reference (http://go.microsoft.com/fwlink/?LinkId=93131). You can also automate backup activities through scripting.
In addition, Windows Server 2008 contains a collection of Windows PowerShell™ commands (cmdlets) for Windows Server Backup that you can use to write scripts to perform backups. For more information, see http://go.microsoft.com/fwlink/?LinkId=93317.
· Support for optical media drives and removable media. You can manually back up volumes directly to optical media drives, such as DVD drives, and also to removable media. This offers a solution if you want to create backups that can easily be moved offsite on a one-time basis. This version of Windows Server Backup retains support for manual backups to shared folders and hard disks.
· Faster backup technology. Windows Server Backup uses Volume Shadow Copy Service (VSS) and block-level backup technology to back up and recover your operating system, files and folders, and volumes. After the first full backup is created, you can configure Windows Server Backup to automatically run incremental backups by saving only the data that has changed since the last backup. Even if you choose to always perform full backups, your backup will take less time than it did in earlier versions of Windows.
· Simplified restoration. You can restore items by choosing a backup and then selecting specific items from that backup to restore. You can recover specific files from a folder or all the contents of a folder. In addition, previously, you needed to manually restore from multiple backups if the item was stored on an incremental backup. But this is no longer true—you can now choose the date of the backup version for the item you want to restore.
· Simplified recovery of your operating system. Windows Server Backup works with new Windows recovery tools to make it easier for you to recover your operating system. You can recover to the same server—or if the hardware fails, you can recover to a separate server that has similar hardware and no operating system.
· Ability to recover applications. Windows Server Backup uses VSS functionality that is built into applications like Microsoft® SQL Server® to protect application data.
· Improved scheduling. Windows Server Backup includes a wizard that guides you through the process of creating daily backups. System volumes are automatically included in all scheduled backups so that you are protected against disasters.
· Offsite removal of backups for disaster protection. You can save backups to multiple disks in a rotation, which enables you to move disks from an offsite location. You can add each disk as a scheduled backup location and, if the first disk is moved offsite, Windows Server Backup will automatically save backups to the next disk in the rotation.
· Remote administration. Windows Server Backup uses an MMC snap-in to give you a familiar and consistent experience for managing your backups. After you install the snap-in, you can access this tool through Server Manager or by adding the snap-in to a new or existing MMC console. Then, you can manage backups on other servers by clicking the Action menu in the snap-in, and then clicking Connect to Another Computer.
· Automatic disk usage management. After you configure a disk for a scheduled backup, Windows Server Backup automatically manages the disk usage—you do not need to be concerned about running out of disk space after repeated backups. Windows Server Backup will automatically reuse the space of older backups when creating new backups. The management tool displays the backups that are available and the disk usage information. This can help you plan for provisioning additional storage to meet your recovery time objectives.
· Extensive command-line support. Windows Server Backup includes the Wbadmin command and documentation, which enable you to perform all of the same tasks at the command line that you can perform by using the snap-in. For more information, see the Command Reference (http://go.microsoft.com/fwlink/?LinkId=93131). You can also automate backup activities through scripting.
In addition, Windows Server 2008 contains a collection of Windows PowerShell™ commands (cmdlets) for Windows Server Backup that you can use to write scripts to perform backups. For more information, see http://go.microsoft.com/fwlink/?LinkId=93317.
· Support for optical media drives and removable media. You can manually back up volumes directly to optical media drives, such as DVD drives, and also to removable media. This offers a solution if you want to create backups that can easily be moved offsite on a one-time basis. This version of Windows Server Backup retains support for manual backups to shared folders and hard disks.
Tuesday, July 8, 2008
Patches coming today for DNS vulnerability
Whether you're running Linux, Windows, Cisco, Sun, or other DNS servers, you are at risk from a newly discovered vulnerability. So says Dan Kaminsky, head of penetration testing research at IO Active, who accidently discovered the DNS "design flaw" earlier this year.
You can check whether the DNS servers you use are vulnerable by clicking the Check My DNS button in the upper right corner of Kaminsky's Web site.
Kaminsky says he made the discovery entirely by accident. When he realized the flaw was a fundamental design flaw that is universal in scope, he called for a summit of security researchers to decide on a course of action. That summit took place on the Microsoft campus on March 31, and out of it a multi-vendor patch solution was developed. Microsoft, Sun, Cisco, Bind, and other firms will be releasing patches for the flaw today. Linux distributions are expected to start providing patches today as well. Debian users already can find Bind patch instructions online.
The problem in general terms is described as insufficient randomness. Vendors have tried to deliver the fix in a way that can't be reverse-engineered to reveal the actual flaw. Full details on the flaw will not be revealed for 30 days, in order to allow system administrators time to evaluate and apply patches to their DNS servers. DNS clients are also at risk, but to a much smaller degree, and the focus at present continues to be on DNS servers.
According to Kaminsky, the rule for applying patches for this flaw should be, "If it recurses, patch it."
source: www.linux.com
You can check whether the DNS servers you use are vulnerable by clicking the Check My DNS button in the upper right corner of Kaminsky's Web site.
Kaminsky says he made the discovery entirely by accident. When he realized the flaw was a fundamental design flaw that is universal in scope, he called for a summit of security researchers to decide on a course of action. That summit took place on the Microsoft campus on March 31, and out of it a multi-vendor patch solution was developed. Microsoft, Sun, Cisco, Bind, and other firms will be releasing patches for the flaw today. Linux distributions are expected to start providing patches today as well. Debian users already can find Bind patch instructions online.
The problem in general terms is described as insufficient randomness. Vendors have tried to deliver the fix in a way that can't be reverse-engineered to reveal the actual flaw. Full details on the flaw will not be revealed for 30 days, in order to allow system administrators time to evaluate and apply patches to their DNS servers. DNS clients are also at risk, but to a much smaller degree, and the focus at present continues to be on DNS servers.
According to Kaminsky, the rule for applying patches for this flaw should be, "If it recurses, patch it."
source: www.linux.com
Monday, July 7, 2008
Windows 2008 Server: Improvements to interfaces for working with shared folders.
In Windows Server 2008, the interfaces for viewing or configuring shared folders in a failover cluster have been extended and streamlined. Configuration is more straightforward and misconfiguration is less likely. The improvements include the ability to configure the following for shared folders:
· Access-based enumeration: You can use access-based enumeration to hide a specified folder from users' view. Instead of allowing users to see the folder but not access anything on it, you can choose to prevent them from seeing the folder at all. You can configure access-based enumeration for a clustered shared folder in the same way as for a nonclustered shared folder.
· Offline access: You can configure offline access (caching) for a clustered shared folder in the same way as for a nonclustered shared folder.
· Clustered disks always recognized as part of the cluster: Whether you use the failover cluster interface, Windows Explorer, or the Share and Storage Management snap-in, Windows Server 2008 recognizes whether a disk has been designated as being in the cluster storage. If such a disk has already been configured in Failover Cluster Management as part of a clustered file server, you can then use any of the previously-mentioned interfaces to create a share on the disk. If such a disk has not been configured as part of a clustered file server, you cannot mistakenly create a share on it. Instead, an error indicates that the disk must first be configured as part of a clustered file server before it can be shared.
· Integration of Services for Network File System: The File Server role in Windows Server 2008 includes the optional role service called Services for Network File System (NFS). By installing the role service and configuring shared folders with Services for NFS, you can create a clustered file server that supports UNIX-based clients.
· Access-based enumeration: You can use access-based enumeration to hide a specified folder from users' view. Instead of allowing users to see the folder but not access anything on it, you can choose to prevent them from seeing the folder at all. You can configure access-based enumeration for a clustered shared folder in the same way as for a nonclustered shared folder.
· Offline access: You can configure offline access (caching) for a clustered shared folder in the same way as for a nonclustered shared folder.
· Clustered disks always recognized as part of the cluster: Whether you use the failover cluster interface, Windows Explorer, or the Share and Storage Management snap-in, Windows Server 2008 recognizes whether a disk has been designated as being in the cluster storage. If such a disk has already been configured in Failover Cluster Management as part of a clustered file server, you can then use any of the previously-mentioned interfaces to create a share on the disk. If such a disk has not been configured as part of a clustered file server, you cannot mistakenly create a share on it. Instead, an error indicates that the disk must first be configured as part of a clustered file server before it can be shared.
· Integration of Services for Network File System: The File Server role in Windows Server 2008 includes the optional role service called Services for Network File System (NFS). By installing the role service and configuring shared folders with Services for NFS, you can create a clustered file server that supports UNIX-based clients.
Sunday, July 6, 2008
Tuesday, July 1, 2008
RHEL File System Performance Optimization Characterization and Tuning.
Separate swap and busy partition like /var and /usr.
RHEL 4/5 EXT3 improves performance
- Scalability up to 5 M file/system.
- Sequential write by using block reservations.
- Increases file system up to 8 TB.
Use GFS – global file system – cluster file system.
Subscribe to:
Comments (Atom)
