RRSIG for glue records
Hi,

I have delegated NS records and those records point to A records in a signed zone. When I queried for my delegated domain against BIND 9.6-P3, BIND returned the NS records and the RRSIG for NS in the authority section correctly. Glue records are returned correctly in the additional section, but RRSIG values are not returned for the glue records. Won't an RRSIG be returned for glue records in the additional section? Could you please clarify this for me?

Thanks
Regards,
Ramesh

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
On 03.08.10 18:01, Denis BUCHER wrote:
> I have a question, it's not really a big problem, but it's annoying.
> In the logs I get plenty of lines like :
>
> client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
> client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
> client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
>
> This seems to be due to a script-kiddie.

I don't think so. It may be someone who used your server when connected to your network and didn't change the resolvers list afterwards, someone who mistyped an IP address, or someone who guessed that your server might provide recursive DNS for him (for whatever reason).

> I would like to know if I can block hosts doing that at the level of
> /etc/hosts.allow or should I do it at the level of Bind itself ?

hosts.allow is the configuration of the tcp wrappers library, which is NOT used by bind nor by some other software.

For abusers sending too many requests I have created a special view containing only the root zone with * pointing to the localhost address. While this is quite BOFHish, it works.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
They say when you play that M$ CD backward you can hear satanic messages.
That's nothing. If you play it forward it will install Windows.
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
On 03.08.2010 21:25, Kevin Darcy wrote:
>>>> I would like to know if I can block hosts doing that at the level of
>>>> /etc/hosts.allow or should I do it at the level of Bind itself ?
>>> Use IPTables or add rules to your firewall. I don't believe that BIND
>>> pays any attention to /etc/hosts.allow
>> Yes I tried iptables, it is working perfectly, and /etc/hosts.allow
>> does not look to be working. This was perfect :
>>
>> iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP
> I'm no iptables expert, but doesn't that only apply to TCP packets?

Dear Kevin,

Yes sorry, in fact I should also add a rule for UDP :

iptables -I INPUT 3 -p udp -s 202.152.172.4 --dport 53 -j DROP

Or (all ports) :

iptables -I INPUT 3 -s 202.152.172.4 -j DROP

Thanks a lot !

Denis
Re: unexpected RCODE (REFUSED) resolving
Hello Mark Andrews,

On 2010-08-04 08:32:29, you hacked the following down:
> Basically you need to complain to the administrators for xensource.com
> to get the delegation cleaned up or the server configured.

OK... done!

> xensource.com is delegated to 68.156.138.136 but that server is refusing
> to answer queries for xensource.com.
>
> Additionally according to ns1.xensource.com both ns0.xensource.com and
> ns2.xensource.com no longer exist.
>
> The administrators for xensource.com need to clean up the delegation by
> contacting their registrar and removing ns0.xensource.com from the
> delegation. They also need to clean up the delegation for
> colo.xensource.com as that has ns0 and ns2 listed which don't exist.

This is grmpf! It seems there is more than one Sys/Net-Admin who does not know his job! Currently the number of unknown name servers is increasing.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

--
# Debian GNU/Linux Consultant ##
Development of Intranet and Embedded Systems with Debian GNU/Linux
itsyst...@tdnet France EURL
itsyst...@tdnet UG (limited liability)
Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz
67100 Strasbourg/France
Kinzigstraße 17
77694 Kehl/Germany
Tel: +33-6-61925193 mobil
Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix
http://www.itsystems.tamay-dogan.net/
http://www.flexray4linux.org/
http://www.debian.tamay-dogan.net/
http://www.can4linux.org/
Jabber linux4miche...@jabber.ccc.de
ICQ#328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/
RE: Hijacked or Wrong Configuration?
On 2010-08-03, Mark wrote:
> In message OF7DE7E9DC.8EF91A8C-ON88257775.000385AF- 88257775.00043...@kp.org, bill.li...@kp.org writes:
>> Now they can NOT get to the site - am I configured wrong? -- or -- did the
>> domain get hijacked in the interim?
>>
>> Site: hysl.org
>> DNS: dns1.light-family.com
>> IP: 66.124.156.123
>
> hysl.org is NOT published in the org zone. Given the dates in whois I
> would contact the registrar and ask them to fix this.

In addition, the nameserver at dns1.light-family.com doesn't seem to have the hysl.org zone properly configured. It returns nothing for an A query for hysl.org, and SERVFAIL for www.hysl.org. Apparently there's a CNAME pointing www.hysl.org to dns1.light-family.com but you're not returning that. Check your named logs to find out why.

-Rick
--
Rick Murphy, Noblis
P: 703-610-1635, F: 703-610-2053
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
You may want to consider how to trigger removal of this blocking when the problem has gone away and the address is again used responsibly. Maybe add a log statement with a limitation of one per day and check that this is no longer seen for some time? IPTABLES can do the logging.

On 04/08/10 11:00, Denis BUCHER wrote:
> On 03.08.2010 21:25, Kevin Darcy wrote:
>>>>> I would like to know if I can block hosts doing that at the level of
>>>>> /etc/hosts.allow or should I do it at the level of Bind itself ?
>>>> Use IPTables or add rules to your firewall. I don't believe that BIND
>>>> pays any attention to /etc/hosts.allow
>>> Yes I tried iptables, it is working perfectly, and /etc/hosts.allow
>>> does not look to be working. This was perfect :
>>>
>>> iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP
>> I'm no iptables expert, but doesn't that only apply to TCP packets?
>
> Dear Kevin,
>
> Yes sorry, in fact I should also add a rule for UDP :
>
> iptables -I INPUT 3 -p udp -s 202.152.172.4 --dport 53 -j DROP
>
> Or (all ports) :
>
> iptables -I INPUT 3 -s 202.152.172.4 -j DROP
>
> Thanks a lot !
>
> Denis

--
Best regards
Sten Carlsen
No improvements come from shouting: MALE BOVINE MANURE!!!
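The following is an added example, not code from this thread or from BIND: a daily pass that turns the "query (cache) ... denied" lines into firewall decisions, combining Denis's per-protocol DROP rules with Sten's suggestion of a once-a-day LOG rule and automatic release after a quiet period. It parses both line shapes seen on the list (the logwatch summaries Denis posted and raw named log lines) plus the kernel lines the LOG rule writes; without that LOG rule, a dropped address would vanish from the BIND log and look "quiet" immediately. The threshold, quiet period, log prefix, the address 198.51.100.7 and the kernel line are constructed.

```python
"""Block DNS-abusing clients from BIND denial logs and release them when quiet."""
import re
from collections import Counter
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set, Tuple

LOG_PREFIX = "DNSBLOCK "  # assumed prefix for the iptables LOG rule

# Matches both a logwatch summary ("... denied: 5 Time(s)") and a raw named
# line ("client 198.51.100.7#3345: query (cache) '.../A/IN' denied").
DENIED_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:#\d+)?:? query \(cache\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/IN' denied(?:: (?P<count>\d+) Time\(s\))?"
)
# Kernel line written by the LOG target below; only SRC matters here.
FW_LOG_RE = re.compile(LOG_PREFIX + r".*\bSRC=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample input for one day: three of the summary lines from the
# thread plus one raw named line for a second, made-up address.
DAY1_LINES = [
    "client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)",
    "client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)",
    "client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)",
    "04-Aug-2010 10:12:01.123 security: info: client 198.51.100.7#3345: "
    "query (cache) 'example.net/A/IN' denied",
]
# Constructed kernel line from the rate-limited LOG rule: still trying next day.
DAY2_LINES = [
    "kernel: DNSBLOCK IN=eth0 OUT= SRC=202.152.172.4 DST=192.0.2.53 LEN=60 "
    "PROTO=UDP SPT=40000 DPT=53",
]


def denied_counts(lines: Iterable[str]) -> Counter:
    """Denied cache queries per client address; summaries carry their own count."""
    counts: Counter = Counter()
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            counts[m.group("ip")] += int(m.group("count") or 1)
    return counts


def firewall_hits(lines: Iterable[str]) -> Set[str]:
    """Addresses that hit an existing block rule (seen via its LOG line)."""
    return {m.group("ip") for m in map(FW_LOG_RE.search, lines) if m}


def block_rules(ip: str, position: int = 3) -> List[str]:
    """Per-transport rules: a LOG limited to one entry per day, then DROP."""
    rules = []
    for proto in ("udp", "tcp"):
        base = f"-p {proto} -s {ip} --dport 53"
        rules.append(f'iptables -I INPUT {position} {base} -m limit --limit 1/day '
                     f'-j LOG --log-prefix "{LOG_PREFIX}"')
        rules.append(f"iptables -I INPUT {position + 1} {base} -j DROP")
    return rules


def unblock_rules(ip: str) -> List[str]:
    """Delete exactly the rules block_rules() added."""
    rules = []
    for proto in ("udp", "tcp"):
        base = f"-p {proto} -s {ip} --dport 53"
        rules.append(f'iptables -D INPUT {base} -m limit --limit 1/day '
                     f'-j LOG --log-prefix "{LOG_PREFIX}"')
        rules.append(f"iptables -D INPUT {base} -j DROP")
    return rules


def daily_pass(lines: Iterable[str], blocked: Dict[str, date], today: date,
               threshold: int = 5, quiet_days: int = 7) -> Tuple[List[str], List[str]]:
    """Process one day of logs. `blocked` maps address -> last activity date
    and is updated in place. Returns (commands to add, commands to remove)."""
    lines = list(lines)
    counts = denied_counts(lines)
    for ip in set(counts) | firewall_hits(lines):
        if ip in blocked:
            blocked[ip] = today          # still active: reset the quiet timer
    add_cmds: List[str] = []
    del_cmds: List[str] = []
    for ip, n in sorted(counts.items()):
        if n >= threshold and ip not in blocked:
            blocked[ip] = today
            add_cmds += block_rules(ip)
    for ip in sorted(blocked):           # sorted() copies, so deleting is safe
        if today - blocked[ip] >= timedelta(days=quiet_days):
            del_cmds += unblock_rules(ip)
            del blocked[ip]
    return add_cmds, del_cmds


if __name__ == "__main__":
    state: Dict[str, date] = {}
    for day, lines in [(date(2010, 8, 4), DAY1_LINES), (date(2010, 8, 5), DAY2_LINES),
                       (date(2010, 8, 12), [])]:
        add, rem = daily_pass(lines, state, day)
        print(day, "add:", *add, "remove:", *rem, sep="\n  ")
```

Run with the constructed days, the first pass blocks 202.152.172.4 (8 denials) but not 198.51.100.7 (1), the second pass sees the address via the LOG line and keeps it blocked, and the release happens only once seven days have passed with no activity from either feed.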
Re: RRSIG for glue records
On 8/4/2010 2:58 AM, rams wrote:
> I have delegated NS records and those records point to A records in a
> signed zone. When I queried for my delegated domain against BIND 9.6-P3,
> BIND returned the NS records and the RRSIG for NS in the authority
> section correctly. Glue records are returned correctly in the additional
> section, but RRSIG values are not returned for the glue records. Won't an
> RRSIG be returned for glue records in the additional section? Could you
> please clarify this for me?

Only authoritative data is signed. Glue records aren't authoritative, thus they aren't signed. Delegation NS records aren't signed either...

AlanC
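As an added illustration of the rule AlanC states (not code from the thread or from BIND), here is a small classifier that walks a signed zone's RRsets and says which ones a signer gives an RRSIG: everything authoritative, but not the delegation NS RRset at a zone cut, not the glue addresses below it, and not RRSIGs themselves; the DS (and NSEC) RRset at the cut belongs to the parent and is signed. The apex example.com., the delegation child.example.com. and all records are constructed.

```python
"""Which RRsets of a signed zone carry RRSIGs (the RFC 4035 section 2.2 rule)."""
from typing import Iterable, List, Set, Tuple

RRset = Tuple[str, str]  # (absolute owner name, RR type)

# Constructed sample zone: apex data, an in-zone host, and one delegation
# with its glue record.
SAMPLE_ZONE: List[RRset] = [
    ("example.com.", "SOA"),
    ("example.com.", "NS"),
    ("example.com.", "A"),
    ("ns1.example.com.", "A"),
    ("www.example.com.", "A"),
    ("child.example.com.", "NS"),    # delegation NS: not authoritative here
    ("child.example.com.", "DS"),    # parent-side record: authoritative
    ("ns.child.example.com.", "A"),  # glue: not authoritative
]


def is_subdomain(name: str, ancestor: str) -> bool:
    """True if name equals ancestor or lies below it (both absolute names)."""
    return name == ancestor or name.endswith("." + ancestor)


def zone_cuts(apex: str, records: Iterable[RRset]) -> Set[str]:
    """Delegation points: non-apex owners of NS RRsets.

    An NS RRset that itself sits below another cut is occluded data, not a
    cut of this zone, so such names are filtered out.
    """
    ns_owners = {o for o, t in records if t == "NS" and o != apex}
    return {c for c in ns_owners
            if not any(c != d and is_subdomain(c, d) for d in ns_owners)}


def expects_rrsig(owner: str, rtype: str, cuts: Set[str]) -> bool:
    """Does the signed zone carry an RRSIG for this RRset?"""
    if rtype == "RRSIG":
        return False                    # signatures are never signed
    if owner in cuts:
        return rtype in ("DS", "NSEC")  # only the parent's own records at a cut
    if any(is_subdomain(owner, c) for c in cuts):
        return False                    # glue or occluded data below a cut
    return True                         # ordinary authoritative data


def classify(apex: str, records: Iterable[RRset]) -> Tuple[List[RRset], List[RRset]]:
    """Split the zone's RRsets into (signed, unsigned) sorted lists."""
    records = list(records)
    cuts = zone_cuts(apex, records)
    signed = sorted({r for r in records if expects_rrsig(r[0], r[1], cuts)})
    unsigned = sorted({r for r in records if not expects_rrsig(r[0], r[1], cuts)})
    return signed, unsigned


if __name__ == "__main__":
    signed, unsigned = classify("example.com.", SAMPLE_ZONE)
    print("RRSIG present: ", signed)
    print("RRSIG absent:  ", unsigned)
```

On the sample zone the two unsigned RRsets are exactly the delegation NS and its glue, which is what the original poster saw in the additional section; the DS at the same name and the in-zone ns1 address are signed because they are the zone's own authoritative data.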
Recursion problems
Hi,

I am having problems with recursion for domains that reside on two particular nameservers. My BIND9 servers return a SERVFAIL and do not attempt to recurse to the authoritative nameservers for ugabookstore.com. I have verified that my caching servers are not contacting ugabookstore.com's authoritative servers via tcpdump. I have also enabled debug logging (level 99) on my caching server. Other servers are obviously able to recurse to ugabookstore.com's authoritative servers, so I feel like it may be an issue on my end. Could someone offer any advice? Recursion for all other domains is working correctly.

Debug logs from my caching server:

04-Aug-2010 08:58:13.656 client: debug 3: client 172.26.101.56#46071: UDP request
04-Aug-2010 08:58:13.656 client: debug 5: client 172.26.101.56#46071: using view '_default'
04-Aug-2010 08:58:13.656 security: debug 3: client 172.26.101.56#46071: request is not signed
04-Aug-2010 08:58:13.656 security: debug 3: client 172.26.101.56#46071: recursion available
04-Aug-2010 08:58:13.656 client: debug 3: client 172.26.101.56#46071: query
04-Aug-2010 08:58:13.656 queries: info: client 172.26.101.56#46071: query: ugabookstore.com IN A +
04-Aug-2010 08:58:13.656 client: debug 10: client 172.26.101.56#46071: ns_client_attach: ref = 1
04-Aug-2010 08:58:13.656 security: debug 3: client 172.26.101.56#46071: query (cache) 'ugabookstore.com/A/IN' approved
04-Aug-2010 08:58:13.656 client: debug 3: client 172.26.101.56#46071: replace
04-Aug-2010 08:58:13.656 general: debug 3: clientmgr @0x960deb8: createclients
04-Aug-2010 08:58:13.656 general: debug 3: clientmgr @0x960deb8: recycle
04-Aug-2010 08:58:13.657 resolver: debug 1: createfetch: ugabookstore.com A
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx 0x9678d50(ugabookstore.com/A'): create
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx 0x9678d50(ugabookstore.com/A'): join
04-Aug-2010 08:58:13.657 resolver: debug 3: fetch 0x98ee108 (fctx 0x9678d50(ugabookstore.com/A)): created
04-Aug-2010 08:58:13.657 client: debug 3: client @0x9e2a378: udprecv
04-Aug-2010 08:58:13.657 general: debug 50: socket 0x960e2f8: socket_recv: event 0x9bdfe88 - task 0x9913de0
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx 0x9678d50(ugabookstore.com/A'): start
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx 0x9678d50(ugabookstore.com/A'): try
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx 0x9678d50(ugabookstore.com/A'): cancelqueries
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx 0x9678d50(ugabookstore.com/A'): getaddresses
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx 0x9678d50(ugabookstore.com/A'): query
04-Aug-2010 08:58:13.658 resolver: debug 3: resquery 0x99353f0 (fctx 0x9678d50(ugabookstore.com/A)): send
04-Aug-2010 08:58:13.658 general: debug 90: socket 0x991db08 0.0.0.0#49050: bound
04-Aug-2010 08:58:13.658 dispatch: debug 90: dispatch 0x976cdc0 response 0x9b9db60 192.5.6.30#53: attached to task 0x9771b28
04-Aug-2010 08:58:13.658 general: debug 50: socket 0x991db08: socket_recv: event 0x9e721c8 - task 0x976eb80
04-Aug-2010 08:58:13.658 resolver: debug 3: resquery 0x99353f0 (fctx 0x9678d50(ugabookstore.com/A)): sent
04-Aug-2010 08:58:13.658 resolver: debug 3: resquery 0x99353f0 (fctx 0x9678d50(ugabookstore.com/A)): udpconnected
04-Aug-2010 08:58:13.658 resolver: debug 3: resquery 0x99353f0 (fctx 0x9678d50(ugabookstore.com/A)): senddone
04-Aug-2010 08:58:13.658 general: debug 60: sockmgr 0x95ba350: watcher got message -3 for socket 513
04-Aug-2010 08:58:13.658 general: debug 60: sockmgr 0x95ba350: watcher got message -3 for socket 514
04-Aug-2010 08:58:13.658 general: debug 60: sockmgr 0x95ba350: watcher got message -2 for socket -1
04-Aug-2010 08:58:13.710 general: debug 50: socket 0x991db08: dispatch_recv: event 0x9e721c8 - task 0x976eb80
04-Aug-2010 08:58:13.710 general: debug 60: socket 0x991db08: internal_recv: task 0x976eb80 got event 0x991db68
04-Aug-2010 08:58:13.710 general: debug 60: socket 0x991db08 192.5.6.30#53: packet received correctly
04-Aug-2010 08:58:13.710 general: debug 90: socket 0x991db08: processing cmsg 0x983d880
04-Aug-2010 08:58:13.710 dispatch: debug 90: dispatch 0x976cdc0: got packet: requests 1, buffers 1, recvs 0
04-Aug-2010 08:58:13.710 dispatch: debug 92: dispatch 0x976cdc0: got valid DNS message header, /QR 1, id 21927
04-Aug-2010 08:58:13.710 dispatch: debug 90: dispatch 0x976cdc0 response 0x9b9db60 192.5.6.30#53: [a] Sent event 0x96a2560 buffer 0x987c8c0 len 4096 to task 0x9771b28
04-Aug-2010 08:58:13.710 general: debug 50: socket 0x991db08: socket_recv: event 0x9bfdd78 - task 0x976eb80
04-Aug-2010 08:58:13.710 resolver: debug 3: resquery 0x99353f0 (fctx 0x9678d50(ugabookstore.com/A)): response
04-Aug-2010 08:58:13.710 resolver: debug 10: received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21927
;; flags: qr ; QUESTION: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ugabookstore.com. IN