Re: DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Jeronimo L. Cabral
Ben, thanks a lot !!!

Regards

On Mon, Feb 4, 2019 at 11:04 AM Ben Croswell  wrote:

> When a DNS response is too large to fit in a single UDP packet (512 bytes,
> up to 4k with EDNS), the DNS server will respond with as much as it can fit
> in the UDP packet. It will also set the truncate (TC) bit to let the client
> doing the query know that the answer is truncated and that the client should
> query again over TCP for the full answer.
>
> The TC bit is also used in conjunction with RRL.
>
> On Mon, Feb 4, 2019, 8:57 AM Roberto Carna  wrote:
>
>> Thanks Ben for your response, can you tell me the types of TCP traffic I
>> have to expect in BIND, excepting Zone Transfer?
>>
>> Thanks a lot again!!!
>>
>> On Mon, Feb 4, 2019 at 10:50, Ben Croswell ()
>> wrote:
>>
>>> BIND has always required UDP and TCP 53 for proper functionality. It is
>>> sometimes mistakenly believed that TCP is only for zone transfers, but that
>>> is not the case.
>>>
>>> On Mon, Feb 4, 2019, 8:46 AM Roberto Carna  wrote:
>>>
>>>> Dear, I have a BIND 9.10 public server and I have delegated some public
>>>> domains.
>>>>
>>>> When I test these domains with the EDNS tool offered in the DNS Flag
>>>> Day webpage, the test was wrong with just the UDP/53 port opened to Internet.
>>>>
>>>> After that, when I also opened the TCP/53 port, the test was successful.
>>>>
>>>> Please can you explain to me the reason I have to open the TCP/53 port to
>>>> Internet from February 1st onwards???
>>>>
>>>> Really thanks, regards.
>>>> ___
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>>> unsubscribe from this list
>>>>
>>>> bind-users mailing list
>>>> bind-users@lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
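The truncation and TCP-retry mechanism Ben describes, as an added example that is not part of the thread and not BIND's own code: a small Python simulation of an authoritative server and a client. The server answers an A query with as many records as fit in the client's UDP limit (512 bytes by default, or the size advertised in an EDNS OPT record), sets the TC bit when it has to drop records, and the client then repeats the query over TCP using the 2-byte length prefix that stream framing requires. The name, the 40 addresses and the query IDs are constructed for the demonstration; no sockets are opened.

```python
"""Added example (not from the mailing-list thread): a toy DNS exchange that
shows why TCP/53 must be reachable.  A simulated authoritative server answers
an A query with as many records as fit in the client's UDP limit (512 bytes,
or the size advertised in an EDNS OPT record), sets the TC bit when it has to
drop some, and the client then repeats the query over TCP (length-prefixed
stream framing).  Wire layout follows RFC 1035 and RFC 6891; no sockets are
opened and all names/addresses are constructed for the demonstration."""
import struct

FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
RR_PTR = b"\xc0\x0c"  # compression pointer to the question name at offset 12


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels plus a zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qid, name, edns_size=0):
    """Standard A query; with an OPT RR advertising edns_size when non-zero."""
    msg = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1 if edns_size else 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if edns_size:
        # OPT RR: root name, type 41, the CLASS field carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_size, 0, 0)
    return msg


def udp_payload_limit(query):
    """512 bytes unless the query's OPT RR (its last 11 bytes) advertises more."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return 512
    return max(512, struct.unpack("!H", query[-8:-6])[0])


def server_answer(query, addresses, over_tcp=False):
    """Authoritative side: include A records until the limit; TC if any were dropped."""
    qid, _, _, _, _, arcount = struct.unpack("!HHHHHH", query[:12])
    question = query[12:-11] if arcount else query[12:]  # echo question, drop OPT
    limit = None if over_tcp else udp_payload_limit(query)
    flags, body, included = FLAG_QR | FLAG_RD, b"", 0
    for addr in addresses:
        rr = RR_PTR + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
        rr += bytes(int(octet) for octet in addr.split("."))
        if limit is not None and 12 + len(question) + len(body) + len(rr) > limit:
            flags |= FLAG_TC  # the client must retry over TCP for the full answer
            break
        body += rr
        included += 1
    return struct.pack("!HHHHHH", qid, flags, 1, included, 0, 0) + question + body


def parse_response(msg):
    """Client side: return (truncated, [addresses]) for a response to build_query()."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = msg.index(b"\x00", pos) + 1 + 4  # past the name terminator and QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        # RR = 2-byte name pointer, TYPE, CLASS, TTL, RDLENGTH (12 bytes), then RDATA
        rdlen = struct.unpack("!H", msg[pos + 10:pos + 12])[0]
        addrs.append(".".join(str(b) for b in msg[pos + 12:pos + 12 + rdlen]))
        pos += 12 + rdlen
    return bool(flags & FLAG_TC), addrs


def resolve(name, addresses, edns_size=0):
    """Query over UDP first; on TC, send the same query over TCP (2-byte length prefix)."""
    query = build_query(0x1234, name, edns_size)
    truncated, addrs = parse_response(server_answer(query, addresses))
    result = {"transport": "udp", "truncated": truncated, "addresses": addrs}
    if truncated:
        framed = struct.pack("!H", len(query)) + query  # RFC 1035 4.2.2 TCP framing
        length = struct.unpack("!H", framed[:2])[0]
        _, addrs = parse_response(server_answer(framed[2:2 + length], addresses, over_tcp=True))
        result.update(transport="tcp", addresses=addrs)
    return result


if __name__ == "__main__":
    # Constructed zone data: 40 A records, more than fit in a 512-byte UDP reply
    rrset = ["10.0.0.%d" % i for i in range(40)]
    for size in (0, 4096):
        r = resolve("www.company.com", rrset, edns_size=size)
        print("edns=%d transport=%s truncated=%s answers=%d"
              % (size, r["transport"], r["truncated"], len(r["addresses"])))
```

Run as-is it prints one line per client setting: without EDNS only 29 of the 40 records fit, the reply carries TC and the client falls back to TCP; with a 4096-byte EDNS buffer all 40 fit in a single UDP reply. A resolver that cannot reach TCP/53 is left with the partial answer in the first case, which is why the test in the thread failed with only UDP/53 open.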


Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Jeronimo L. Cabral
DNS1 with dynamic update and DNS2 with manual update


On Wed, Apr 30, 2014 at 8:11 PM, Kevin Darcy  wrote:

>  I'm still not understanding your constraints. If *all* updates come in
> through Dynamic Update, then you don't need freeze/unfreeze.
>
> -
> Kevin
>
>
> On 4/30/2014 6:47 PM, Jeronimo L. Cabral wrote:
>
> In office #1, the "company.com" master zone is updated automatically from
> some Windows machines in DNS1, and in office #2 the same zone is updated
> manually in DNS2 by the administrator, who shouldn't update (using freeze
> and unfreeze) the master zone from office #1. This is the scenario, and we
> need a simple query to DNS1 to be answered with any record from both
> zones.
>
>  Thanks again
>
>
> On Wed, Apr 30, 2014 at 5:54 PM, Kevin Darcy  wrote:
>
>>  Oh, I thought this was an external-versus-internal scenario. But, this
>> is even easier.
>>
>> A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of the
>> "stealth" variety, if you want) of the other
>> B) People use nsupdate to maintain the zone
>>
>> For security, TSIG-sign the updates. For fast change propagation, set up
>> NOTIFY if and as necessary.
>>
>>
>> - Kevin
>>
>>
>> On 4/30/2014 4:32 PM, Jeronimo L. Cabral wrote:
>>
>> Dear John, this is my scenario:
>>
>>  1) Office 1: people work with some machines and fill up a local master
>> zone "company.com" with records in DNS1
>> 2) Office 2: people work with some other machines and fill up a local
>> master zone "company.com" with other records in DNS2
>>
>>  So both offices have a different master zone.
>>
>>  Both offices belong to the same company, so I need that any client PC
>> can resolve a hostname from the "company.com" domain, regardless of whether
>> this record is in DNS1 or DNS2.
>>
>>  Thanks again, regards.
>>
>>  JeLo
>>
>>
>>
>> On Wed, Apr 30, 2014 at 5:21 PM, John Miller wrote:
>>
>>>  Hi Jeronimo,
>>>
>>>  First of all, please just tell us the real domain.  Yes, we could try
>>> and talk about a fictitious "example.com" or "company.com," but having
>>> the real domain name lets us actually query your nameservers.
>>>
>>>  Let me be sure I understand: you have two DNS servers.  Each of them
>>> is authoritative for the same domain.  Are both set as master?
>>>
>>>  The two servers have different copies of the zone--what's your reason
>>> for that?
>>>
>>>  If both servers think they are authoritative for a zone, then they
>>> will answer recursive queries for those zones themselves.  From the manual:
>>>
>>> "Forwarding occurs only on those queries for which the server is not
>>> authoritative and does not have the answer in its cache."
>>>
>>>  What exactly are you trying to achieve?
>>>
>>>  John
>>>
>>>
>>>
>>>  On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral <
>>> jelocab...@gmail.com> wrote:
>>>
>>>>  Dear, I would like to ask for a solution related to DNS (bind)
>>>> configuration to allow forwarding requests to another DNS server for
>>>> the same domain.
>>>>
>>>> I'm asking about two authoritative name servers serving the same domain
>>>> but with different zone file info on each, and having one of them forward
>>>> recursive queries to the other one if the first one cannot find some particular
>>>> subdomain record that is missing in its version of the zone file.
>>>>
>>>>  My named.conf.local is as follow, but it doesn't work:
>>>>
>>>>  zone "company.com" {
>>>>      type master;
>>>>      file "/etc/bind/zones/company.com.db";
>>>>      allow-transfer { key "company"; };
>>>>      check-names ignore;
>>>>      forward first;
>>>>      forwarders { 172.16.1.1; };
>>>>  };
>>>>
>>>>  Thanks a lot,
>>>>
>>>>  JeLo
>>>>
>>>>

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Jeronimo L. Cabral
In office #1, the "company.com" master zone is updated automatically from
some Windows machines in DNS1, and in office #2 the same zone is updated
manually in DNS2 by the administrator, who shouldn't update (using freeze
and unfreeze) the master zone from office #1. This is the scenario, and we
need a simple query to DNS1 to be answered with any record from both
zones.

Thanks again


On Wed, Apr 30, 2014 at 5:54 PM, Kevin Darcy  wrote:

>  Oh, I thought this was an external-versus-internal scenario. But, this
> is even easier.
>
> A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of the
> "stealth" variety, if you want) of the other
> B) People use nsupdate to maintain the zone
>
> For security, TSIG-sign the updates. For fast change propagation, set up
> NOTIFY if and as necessary.
>
>
>         - Kevin
>
>
> On 4/30/2014 4:32 PM, Jeronimo L. Cabral wrote:
>
> Dear John, this is my scenario:
>
>  1) Office 1: people work with some machines and fill up a local master
> zone "company.com" with records in DNS1
> 2) Office 2: people work with some other machines and fill up a local
> master zone "company.com" with other records in DNS2
>
>  So both offices have a different master zone.
>
>  Both offices belong to the same company, so I need that any client PC
> can resolve a hostname from the "company.com" domain, regardless of whether
> this record is in DNS1 or DNS2.
>
>  Thanks again, regards.
>
>  JeLo
>
>
>
> On Wed, Apr 30, 2014 at 5:21 PM, John Miller wrote:
>
>>  Hi Jeronimo,
>>
>>  First of all, please just tell us the real domain.  Yes, we could try
>> and talk about a fictitious "example.com" or "company.com," but having
>> the real domain name lets us actually query your nameservers.
>>
>>  Let me be sure I understand: you have two DNS servers.  Each of them is
>> authoritative for the same domain.  Are both set as master?
>>
>>  The two servers have different copies of the zone--what's your reason
>> for that?
>>
>>  If both servers think they are authoritative for a zone, then they will
>> answer recursive queries for those zones themselves.  From the manual:
>>
>> "Forwarding occurs only on those queries for which the server is not
>> authoritative and does not have the answer in its cache."
>>
>>  What exactly are you trying to achieve?
>>
>>  John
>>
>>
>>
>>  On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral <
>> jelocab...@gmail.com> wrote:
>>
>>>  Dear, I would like to ask for a solution related to DNS (bind)
>>> configuration to allow forwarding requests to another DNS server for
>>> the same domain.
>>>
>>> I'm asking about two authoritative name servers serving the same domain
>>> but with different zone file info on each, and having one of them forward
>>> recursive queries to the other one if the first one cannot find some particular
>>> subdomain record that is missing in its version of the zone file.
>>>
>>>  My named.conf.local is as follow, but it doesn't work:
>>>
>>>  zone "company.com" {
>>>      type master;
>>>      file "/etc/bind/zones/company.com.db";
>>>      allow-transfer { key "company"; };
>>>      check-names ignore;
>>>      forward first;
>>>      forwarders { 172.16.1.1; };
>>>  };
>>>
>>>  Thanks a lot,
>>>
>>>  JeLo
>>>
>>>
>>>
>>
>>
>>
>> --
>> John Miller
>> Systems Engineer
>> Brandeis University
>> johnm...@brandeis.edu
>> (781) 736-4619
>>
>
>
>
>

Re: Forwarding request to another DNS server but the same domain

2014-04-30 Thread Jeronimo L. Cabral
Dear John, this is my scenario:

1) Office 1: people work with some machines and fill up a local master zone
"company.com" with records in DNS1
2) Office 2: people work with some other machines and fill up a local
master zone "company.com" with other records in DNS2

So both offices have a different master zone.

Both offices belong to the same company, so I need that any client PC can
resolve a hostname from the "company.com" domain, regardless of whether this
record is in DNS1 or DNS2.

Thanks again, regards.

JeLo



On Wed, Apr 30, 2014 at 5:21 PM, John Miller  wrote:

> Hi Jeronimo,
>
> First of all, please just tell us the real domain.  Yes, we could try and
> talk about a fictitious "example.com" or "company.com," but having the
> real domain name lets us actually query your nameservers.
>
> Let me be sure I understand: you have two DNS servers.  Each of them is
> authoritative for the same domain.  Are both set as master?
>
> The two servers have different copies of the zone--what's your reason for
> that?
>
> If both servers think they are authoritative for a zone, then they will
> answer recursive queries for those zones themselves.  From the manual:
>
> "Forwarding occurs only on those queries for which the server is not
> authoritative and does not have the answer in its cache."
>
> What exactly are you trying to achieve?
>
> John
>
>
>
> On Wed, Apr 30, 2014 at 3:55 PM, Jeronimo L. Cabral 
> wrote:
>
>> Dear, I would like to ask for a solution related to DNS (bind)
>> configuration to allow forwarding requests to another DNS server for
>> the same domain.
>>
>> I'm asking about two authoritative name servers serving the same domain
>> but with different zone file info on each, and having one of them forward
>> recursive queries to the other one if the first one cannot find some particular
>> subdomain record that is missing in its version of the zone file.
>>
>> My named.conf.local is as follow, but it doesn't work:
>>
>> zone "company.com" {
>>     type master;
>>     file "/etc/bind/zones/company.com.db";
>>     allow-transfer { key "company"; };
>>     check-names ignore;
>>     forward first;
>>     forwarders { 172.16.1.1; };
>> };
>>
>> Thanks a lot,
>>
>> JeLo
>>
>>
>
>
>
> --
> John Miller
> Systems Engineer
> Brandeis University
> johnm...@brandeis.edu
> (781) 736-4619
>
>

Forwarding request to another DNS server but the same domain

2014-04-30 Thread Jeronimo L. Cabral
Dear, I would like to ask for a solution related to DNS (bind)
configuration to allow forwarding requests to another DNS server for the
same domain.

I'm asking about two authoritative name servers serving the same domain but
with different zone file info on each, and having one of them forward
recursive queries to the other one if the first one cannot find some particular
subdomain record that is missing in its version of the zone file.

My named.conf.local is as follow, but it doesn't work:

zone "company.com" {
    type master;
    file "/etc/bind/zones/company.com.db";
    allow-transfer { key "company"; };
    check-names ignore;
    forward first;
    forwarders { 172.16.1.1; };
};

Thanks a lot,

JeLo

Re: Zone transfer doesn't work when I set allow-update statement

2014-04-29 Thread Jeronimo L. Cabral
Dear, thanks for your help.

Please, one last question: can I dynamically update a zone and, when
necessary, make a freeze, manually add/delete records, and after that make
a thaw to continue with the dynamic update? In other words, a mix
between dynamic and manual update.

Thanks again,

JeLo


On Fri, Apr 25, 2014 at 6:04 PM, Evan Hunt  wrote:

> On Fri, Apr 25, 2014 at 05:29:30PM -0300, Jeronimo L. Cabral wrote:
> > But the master zone is not refreshed until I execute "service bind9
> > restart" ("service bind9 reload" doesn't refresh the master zone).
>
> The zone has been updated, but the changes are stored in a journal file
> ("zonefile.jnl").  You can look at the contents of the journal file
> with "named-journalprint ".
>
> If you want to dump the current version of the zone to disk so you
> can look at the whole thing, use "rndc sync ".
>
> (That's assuming this is a fairly recent BIND.  If it doesn't support
> sync, use "rndc freeze ; rndc thaw ".)
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
>

Re: Zone transfer doesn't work when I set allow-update statement

2014-04-25 Thread Jeronimo L. Cabral
Thanks a lot, but using the allow-update statement, I use nsupdate in order
to add a new record:

# nsupdate
> server x.x.x.x
> zone company.com.ar
> update add test.company.com.ar 86400 A 1.1.1.1
> send
> quit

But the master zone is not refreshed until I execute "service bind9
restart" ("service bind9 reload" doesn't refresh the master zone).

How can I add new records using nsupdate without restarting
the bind9 service ???

Thanks again !!!


On Fri, Apr 25, 2014 at 5:12 PM, Kevin Darcy  wrote:

>  allow-update + manual editing of zone file = bad.
>
> Use nsupdate.
>     - Kevin
>
>
> On 4/25/2014 4:03 PM, Jeronimo L. Cabral wrote:
>
> Dear, I'm using Bind 9.8.4 with a master / slave scenario. Zone transfer
> works OK when I have this config in named.conf.local from master server,
> add some A records and execute "service bind9 reload":
>
>  zone "company.com.ar" {
>      type master;
>      file "/etc/bind/zones/company.com.ar.db";
>      allow-transfer { key "company"; };
>      check-names ignore;
>  };
>
>  After that I add the allow-update statement and restart bind9 service:
>
>  zone "company.com.ar" {
>      type master;
>      file "/etc/bind/zones/company.com.ar.db";
>      allow-transfer { key "company"; };
>      allow-update { 172.12.88.3; 10.8.91.7; };
>      check-names ignore;
>  };
>
>  Finally, I add some A records in my company.com.ar zone and increment
> the serial number, then I execute "service bind9 reload" but the Slave
> doesn't receive the new records. The only way Slave receives the new
> records is when I execute "service bind9 restart" in Master which is not
> the idea.
>
>  What is the problem please ???
>
>  Thanks a lot,
>
>  JeLo
>
>
>
>
>
>
>
>
>
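The nsupdate session above sends an RFC 2136 UPDATE message, and Kevin's advice in the 30 April thread was to TSIG-sign such updates rather than rely on an address-based allow-update list. As an added example (not code from the thread and not BIND's own implementation), the Python below builds that UPDATE message on the wire, signs it with HMAC-SHA256 per RFC 8945, and verifies it the way the primary would, rejecting a tampered payload, a wrong secret, an unknown key name and a request outside the fudge window. The key name "company" is taken from the key referenced in the posted named.conf; the secret, message IDs and timestamps are constructed for the demonstration.

```python
"""Added example (not from the thread, and not BIND's own code): build the
RFC 2136 UPDATE behind "update add test.company.com.ar 86400 A 1.1.1.1",
TSIG-sign it with HMAC-SHA256 (RFC 8945), and verify it as the primary would.
Key name "company" matches the key in the posted named.conf; the secret and
timestamps are constructed for the demonstration."""
import hashlib, hmac, struct, time

OPCODE_UPDATE = 5 << 11
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
HMAC_SHA256 = "hmac-sha256."
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"  # real keys come from tsig-keygen

def encode_name(name):
    """Wire-format a dotted name, lower-cased as TSIG canonical form requires."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_update(msg_id, zone, name, ttl, address):
    """UPDATE message: zone section (SOA question), no prerequisites, one 'add A' RR."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in address.split("."))
    update_rr = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + update_rr

def _tsig_variables(key_wire, alg_wire, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 8945 4.3.3): key name, class ANY, TTL 0, ..."""
    return (key_wire + struct.pack("!HI", CLASS_ANY, 0) + alg_wire
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)

def tsig_sign(message, key_name, secret, time_signed=None, fudge=300):
    """Append a TSIG RR whose MAC covers the unsigned message plus the TSIG variables."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    key_wire, alg_wire = encode_name(key_name), encode_name(HMAC_SHA256)
    mac = hmac.new(secret, message + _tsig_variables(key_wire, alg_wire, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (alg_wire + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + message[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other-len
    tsig_rr = key_wire + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1  # the TSIG RR counts in ARCOUNT
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr

def _skip_name(msg, pos):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1
        if length == 0:
            return pos
        pos += length

def _skip_rr(msg, pos, question=False):
    pos = _skip_name(msg, pos)
    if question:
        return pos + 4  # QTYPE, QCLASS
    return pos + 10 + struct.unpack("!H", msg[pos + 8:pos + 10])[0]  # fixed fields + RDATA

def tsig_verify(signed, secret, now=None, key_name="company."):
    """Server side: find the trailing TSIG RR, recompute the MAC, check the time window."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_rr(signed, pos, question=True)
    for _ in range(an + ns + ar - 1):  # every RR except the last additional one
        pos = _skip_rr(signed, pos)
    tsig_start, p = pos, _skip_name(signed, pos)
    key_wire = signed[tsig_start:p]
    if key_wire != encode_name(key_name):
        return False, "BADKEY"
    q = _skip_name(signed, p + 10)  # skip TYPE, CLASS, TTL, RDLENGTH, then the algorithm name
    alg_wire = signed[p + 10:q]
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[q:q + 10])
    mac, r = signed[q + 10:q + 10 + mac_size], q + 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[r:r + 6])
    other = signed[r + 6:r + 6 + other_len]
    # The message as it was before signing: original ID, ARCOUNT minus one, no TSIG RR
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + _tsig_variables(key_wire, alg_wire, (hi << 32) | lo, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"  # altered payload or wrong key: the update is refused
    now = int(time.time()) if now is None else now
    if abs(now - ((hi << 32) | lo)) > fudge:
        return False, "BADTIME"  # stale or replayed request
    return True, "NOERROR"

if __name__ == "__main__":
    update = build_update(0x2136, "company.com.ar", "test.company.com.ar", 86400, "1.1.1.1")
    signed = tsig_sign(update, "company.", DEMO_SECRET)
    print(tsig_verify(signed, DEMO_SECRET))  # (True, 'NOERROR')
    tampered = bytearray(signed)
    tampered[66] ^= 0x01  # flip the last octet of the address inside the signed update
    print(tsig_verify(bytes(tampered), DEMO_SECRET))  # (False, 'BADSIG')
```

The MAC covers the whole update plus the TSIG variables, so changing the record data, the zone name or the key in transit yields BADSIG, and the 300-second fudge window (BIND's default) bounds how long a captured update can be replayed. This is the property an IP-based allow-update list does not give, which is why the thread recommends TSIG for the updates.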

Zone transfer doesn't work when I set allow-update statement

2014-04-25 Thread Jeronimo L. Cabral
Dear, I'm using Bind 9.8.4 with a master / slave scenario. Zone transfer
works OK when I have this config in named.conf.local from master server,
add some A records and execute "service bind9 reload":

zone "company.com.ar" {
    type master;
    file "/etc/bind/zones/company.com.ar.db";
    allow-transfer { key "company"; };
    check-names ignore;
};

After that I add the allow-update statement and restart bind9 service:

zone "company.com.ar" {
    type master;
    file "/etc/bind/zones/company.com.ar.db";
    allow-transfer { key "company"; };
    allow-update { 172.12.88.3; 10.8.91.7; };
    check-names ignore;
};

Finally, I add some A records in my company.com.ar zone and increment the
serial number, then I execute "service bind9 reload" but the Slave doesn't
receive the new records. The only way Slave receives the new records is
when I execute "service bind9 restart" in Master which is not the idea.

What is the problem please ???

Thanks a lot,

JeLo

Re: Master to Slave initial zone transfer question

2014-04-16 Thread Jeronimo L. Cabral
Dear Alan, sorry but I don't understand...can you help me on this please:

When I create a new zone in Master and add the zone parameters in
named.conf.local, before the Slave gets the new zone, do I have to write by
hand the same zone parameters in Slave's named.conf.local and restart its
bind9 daemon ???

Thanks again.

JeLo


On Wed, Apr 16, 2014 at 2:17 PM, Alan Clegg  wrote:

> On 4/16/14, 11:42 AM, Jim Glassford wrote:
>
> > To quicken the update process you can use also-notify in options
> >
> >     also-notify {
> >         slave1.n.n.n;
> >         slave2.n.n.n;
> >     };
>
> There is no reason to use also-notify in this situation.
>
> Please don't do this unless you know what you are doing and actually
> NEED to do this.
>
> It makes cleaning up a few years from now so much easier when you have a
> sane configuration.
>
> AlanC
>
>
>
>

Re: Master to Slave initial zone transfer question

2014-04-16 Thread Jeronimo L. Cabral
Dear Jim, where do I have to execute the command "rndc reconfig", in master
or slave ??

Thanks a lot to both.


On Wed, Apr 16, 2014 at 12:42 PM, Jim Glassford  wrote:

>  On 4/16/2014 11:35 AM, Barry Margolin wrote:
>
> In article , "Jeronimo L. Cabral"  wrote:
>
>
>  Dear, I've implemented two Debian 7 servers with Bind9 as a Master - Slave
> schema.
>
> Everything works OK, but I have just a question:
>
> When I create a new zone in the Master and reload the bind9 daemon, this
> zone doesn't appear automatically in the Slave; it only appears if I
> restart the bind9 daemon in the Slave server.
>
> Is this behaviour correct or is there any statement to transfer a new zone
> from Master to Slave without restarting the bind9 daemon in the Slave ???
>
>  To pick up new zones added to named.conf, you just need to use:
>
> rndc reconfig
>
> You don't need to restart the daemon on either the master or slave.
>
>
>
> To quicken the update process you can use also-notify in options
>
>     also-notify {
>         slave1.n.n.n;
>         slave2.n.n.n;
>     };
>
>  *also-notify*
>
> Only meaningful if *notify* is active for this zone. The set of machines
> that will receive a DNS NOTIFY message for this zone is made up of all
> the listed name servers (other than the primary master) for the zone plus
> any IP addresses specified with *also-notify*. A port may be specified
> with each *also-notify* address to send the notify messages to a port
> other than the default of 53. *also-notify* is not meaningful for stub
> zones. The default is the empty list.
>
> best!
> jim
>
>
>
>

Master to Slave initial zone transfer question

2014-04-16 Thread Jeronimo L. Cabral
Dear, I've implemented two Debian 7 servers with Bind9 as a Master - Slave
schema.

Everything works OK, but I have just a question:

When I create a new zone in the Master and reload the bind9 daemon, this
zone doesn't appear automatically in the Slave; it only appears if I
restart the bind9 daemon in the Slave server.

Is this behaviour correct or is there any statement to transfer a new zone
from Master to Slave without restarting the bind9 daemon in the Slave ???

Really thanks,

JeLo