Re: Question about visibility
On 11/10/18 16:13, Barry Margolin wrote:
> If you accidentally, or someone else intentionally, create a link to the site that uses the IP and put it on a web page that Google can get to, it will probably find the page.

robots.txt, on your website root, is your friend. Simply deny web crawling on it, and you're (probably) done.

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

gertru...@solutti.com.br
My SPAMTRAP, do not email it

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: designing the DNS from the scratch
On 10/07/17 11:12, Matthew Seaman wrote:
> Or you could buy a service from one of a number of DNS service providers who provide pretty much exactly what I described. That will still be quite expensive, but not to the extent that it would cause inadvertent emission of bodily fluids.

I have been using Amazon AWS Route 53 DNS services and I'm loving them. The price is really low for the availability I'm experiencing, the easy management.
Re: how to ignore external queries?
On 19/03/2010 19:43, ic.nssip wrote:
> and the results came up with a statement that "External Queries are REJECTED" and "It would be better for it to ignore external queries."
>
> _Question is... How can I IGNORE External Queries instead of Rejecting them?_

Firewall them !!! The best would be to completely avoid external queries from even reaching your DNS server.
Re: How to find out DNS Server version ?
Tibo wrote:
> I think I found it :
>
>     fpdns -f NAMESERVER
>
> Is it always OK ?

No, that's not always OK, because the -f option of fpdns relies on the version.bind record, which I explained in my previous message sometimes can't be queried and other times can fake some false version id.

fpdns -f and the dig command I gave you query exactly the same thing. None of those (which are in fact the same thing) are 100% reliable for identifying remote DNS server versions.
Re: How to find out DNS Server version ?
You can always try:

    dig @dns.server.to.query version.bind chaos txt

which would return something like:

    ;; QUESTION SECTION:
    ;version.bind. CH TXT

    ;; ANSWER SECTION:
    version.bind. 0 CH TXT "djbdns 1.05"

(sorry for the djbdns, I found no bind that allows that for exemplifying it :) )

The big problem here is that DNS servers, quite usually, do not accept these queries or, in some other quite usual configuration, change the text for some generic string, which can be easily done in BINDs for example:

    ;; ANSWER SECTION:
    version.bind. 0 CH TXT "version goes here"

There's absolutely no guaranteed way of getting the correct version running on DNS servers you have no admin access to. The only one guaranteed to work 100% of the times still seems to be the 'named -v' on the machine's console.

Tibo wrote:
> Hello !
>
> I have a little problem : We have 4 little datacenters over the world. I would like to check if all DNS servers are up to date but only people responsible of a datacenter can access their servers for security reasons. I know some tools on the net can do that but it's not easy for me and I'd like to automatise all of that.
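
As an added example (not part of the original message): a Python sketch of the version.bind CH TXT exchange behind the dig and fpdns commands above, for auditing servers you operate. The function names and the constructed sample replies are assumptions of this example; the text that comes back is only what the server chooses to report, as the message says.

```python
import socket
import struct

TYPE_TXT, CLASS_CH, REFUSED = 16, 3, 5
QNAME = b"\x07version\x04bind\x00"    # version.bind as length-prefixed labels

def build_query(qid=0x1234):
    """DNS query for version.bind, type TXT, class CHAOS (what dig sends)."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 0)   # one question, no flags
    return header + QNAME + struct.pack("!2H", TYPE_TXT, CLASS_CH)

def skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, name ends
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def classify(msg):
    """Return (status, text); text is whatever the server chose to report."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0x000F == REFUSED:
        return ("refused", None)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if (rtype, rclass) == (TYPE_TXT, CLASS_CH) and rdata:
            return ("self-reported", rdata[1:1 + rdata[0]].decode("ascii", "replace"))
    return ("no answer", None)

def ask(server, timeout=3.0):
    """Query a server you administer; a firewalled server just times out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(), (server, 53))
            return classify(s.recvfrom(512)[0])
        except socket.timeout:
            return ("no reply", None)

def sample_reply(text=None, rcode=0):
    """Constructed reply for offline use (not captured traffic)."""
    question = build_query()[12:]
    header = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, 0 if text is None else 1, 0, 0)
    if text is None:
        return header + question
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!2HIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer
```

A "self-reported" result with "version goes here" parses exactly like a genuine version string, which is why an inventory built this way still needs 'named -v' on the host to be trusted.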
Re: Modified a zone, so when it becomes available?
Marcos Lorenzo de Santiago wrote:
> When I modify a RR or add a new one on an existing zone, I have to restart master server to make the change available. Is there any other way to reload the zone without stopping bind? I've tried with:
>
> - rdnc reload [zone]
> - rndc reconfig [zone]
> - rndc refresh [zone]
>
> Am I missing anything?

'rndc reload' is enough to make the zones being re-read and new/updated records available.

Probably you're missing:

1) to increment the zone serial ... if you don't do that, bind won't know you updated the zone. That's important, ALWAYS update the serial when changing/adding records;

2) your DNS server itself is using another DNS server which is caching the records, so cache needs to expire so new/updated records can be seen. You can have your DNS server using itself (127.0.0.1) as DNS server, that should solve if this is the problem;
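
As an added example (not part of the original message): a Python helper for the serial bump in point 1, which picks the next YYYYMMDDnn serial and rewrites it in the zone file text. The date-based serial convention, the function names and the sample zone (example.com placeholders) are assumptions of this example, and it expects the serial to be the first number after the SOA names.

```python
import re
from datetime import date

# SOA keyword, MNAME, RNAME, optional "(", then the serial (first numeric field).
SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")

def serial_newer(a, b):
    """RFC 1982 serial arithmetic: is 32-bit serial a newer than b?"""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def next_serial(current, today):
    """Today's YYYYMMDD00 if that is newer than current, else current + 1."""
    dated = int(today.strftime("%Y%m%d")) * 100
    return dated if serial_newer(dated, current) else (current + 1) & 0xFFFFFFFF

def bump_zone(text, today):
    """Return (new_text, old_serial, new_serial) for a zone file's text."""
    m = SOA_SERIAL.search(text)
    if m is None:
        raise ValueError("no SOA serial found")
    old = int(m.group(2))
    new = next_serial(old, today)
    # Replace only the serial digits; everything else stays byte for byte.
    return text[:m.start(2)] + str(new) + text[m.end(2):], old, new

# Constructed sample zone (names and values are placeholders).
SAMPLE_ZONE = """\
$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2009010201 ; serial
        7200       ; refresh
        900        ; retry
        1209600    ; expire
        3600 )     ; negative-cache TTL
@ IN NS ns1.example.com.
"""

if __name__ == "__main__":
    new_text, old, new = bump_zone(SAMPLE_ZONE, date(2009, 1, 2))
    print(f"serial {old} -> {new}")
```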
SERVFAIL debugging
Hello,

I'm having SERVFAIL problems on some domains. I'm pretty sure it's not a bind problem, because everything is working but some few domains. I'm already running 9.6.0-P1 ...

Is it possible to, using dig or some other bind tool, grab information from running BIND and debug exactly why I'm having these SERVFAILs ???

At the right moment, the only thing I know is that a full stop/start will make those domains work fine but in some hours, I start having SERVFAILs and have to stop/start again.

Is there something I can do to track this and, at least, try to find exactly what's happening ?

Thanks.
Re: Avoiding being used as DDoS reflector.
Leonardo Rodrigues Magalhães wrote:
> Nathan Ollerenshaw wrote:
>> I have an Authoritative BIND server. It is configured to only allow recursive queries from localhost, with recursion disabled for any remote clients. If you attempt to perform a recursive query against this server, it will respond with a "query refused" packet, as this is what BIND does if you try to recursively query a server configured to disallow recursive queries.
>>
>> [ ]
>>
>> Any ideas? Anyone facing this same problem found a solution? I'd be glad to hear it :)
>
> If you're running authoritative only for localhost and is not answering network requests at all, then you could probably firewall incoming packets to UDP 53 port !!! Let the responses in, let the new requests out. I can't imagine anything simpler than that.

Even simpler than that would be:

    options {
        ...
        listen-on { 127.0.0.1; };
    };
Re: Avoiding being used as DDoS reflector.
Nathan Ollerenshaw wrote:
> I have an Authoritative BIND server. It is configured to only allow recursive queries from localhost, with recursion disabled for any remote clients. If you attempt to perform a recursive query against this server, it will respond with a "query refused" packet, as this is what BIND does if you try to recursively query a server configured to disallow recursive queries.
>
> [ ]
>
> Any ideas? Anyone facing this same problem found a solution? I'd be glad to hear it :)

If you're running authoritative only for localhost and is not answering network requests at all, then you could probably firewall incoming packets to UDP 53 port !!! Let the responses in, let the new requests out. I can't imagine anything simpler than that.
Re: negative cache TTLs
JINMEI Tatuya wrote:
> I strongly recommend you to upgrade to 9.5.1-P1. 9.5.0-P2 has several known issues that can lead to SERVFAIL, and it's normally not very easy to identify the cause. If you still see the problem with 9.5.1, please report it again.

I have updated to 9.5.1-P1. Anyway, the related problem was NOT happening frequently. In fact it was the first time my users complained about that and I noticed it. Maybe it happened other times, but I didn't notice that.

>> max-ncache-ttl 30;
>> max-cache-ttl 7200;
>
> These are most likely to be irrelevant to your problem.

Let's suppose that SERVFAIL wasn't related to some bug and it was, indeed, a DNS failure resolution. In that case, of a legitimate DNS failure resolution, would it be the max-ncache-ttl that would control this SERVFAIL time-to-live ?? If not, is there some parameter to control these SERVFAIL caches ?
negative cache TTLs
Hi,

Today, for some unknown reason, one of my servers which is running a local DNS caching server (bind 9.5.0-P2) was answering SERVFAIL for a specific host which I know exists and was working fine. Maybe it was some temporary fail, some temporary internet connection problem. Anyway, it was returning SERVFAIL and even after minutes it was returning that. From other servers, I could successfully resolve that name.

I had to stop/start bind to make it resolve that name correctly again.

Question ... which parameters are used to control the TTL of these 'failed' answers ?? I'm already running with:

    max-ncache-ttl 30;
    max-cache-ttl 7200;

I thought ncache-ttl would control these failed answers, but seems it didn't ...
Re: zone transfer problem
Sener ATAS wrote:
> Hi,
>
> I try to add slave dns server. But there is a problem about zone transfer. If I don't edit manually slave server's named.conf file, zone files don't transfer from master to slave.
>
> log file at slave dns is;
>
> 02-Jan-2009 16:40:03.226 notify: client 192.168.117.50#63516: received notify for zone 'yyy.aaa.com': not authoritative
>
> 192.168.117.50 my master dns. both server is FREE BSD with BIND 9.5.1
>
> where's the problem !?!?

This is the correct (and so the expected one) behavior of bind. There's no auto-configuration for slave zones. You'll have to, somehow, sync your configurations so slave servers can receive the new slave zones.

There's no problem at all, just a misunderstanding that bind should transfer all zones automatically.

This was discussed some days ago on the list ...

https://lists.isc.org/pipermail/bind-users/2008-December/074290.html
Re: bind memory usage
Peter Dambier wrote:
> I can confirm bind 9.4 does run on an (IBM, not Intel) 486-SCL/2 with 16 MB. That cpu can address no more than 16 MB.

I have tried running 9.4.3 instead of 9.5.0-P2 and got odd results.

9.5.0-P2 right after start. Not a single query was made to it, just the daemon started:

    r...@sede:/# pmap 26858
    26858: /usr/sbin/named -c /etc/bind/named.conf
    [ ]
    total 6644K
    r...@sede:/#

With 9.4.3, compiled the exact way 9.5.0-P2 was compiled, threads disabled, the very same config file:

    r...@sede:/etc/init.d# pmap 27726
    27726: /usr/sbin/named -c /etc/bind/named.conf
    [ . ]
    total 8056K
    r...@sede:/etc/init.d#

So, at least here, 9.4.3 seems to use more memory than 9.5.0-P2.

I was thinking that maybe the fact I'm running on a MIPS and with uclibc (instead of common glibc) platform has some difference on results you got from x86 platform. Do you think this could have some relation to the memory usage ???

    r...@sede:/# cat /proc/cpuinfo
    system type : Atheros AR7130 rev 2 (id:0xa8)
    processor : 0
    cpu model : MIPS 24K V7.4

Just for information, I'm also running squid on this RouterBoard with 32Mb of RAM. After some config file tweaks, I got a stable memory usage of about 5,5-6Mb. And that's quite stable even during peak times. Of course all in-memory caches are disabled as well as disk-caches. Squid is just running for blocking some things and logging. Anyway, on the same machine I did the memory usage tests above, squid seems to be doing very well, stable memory use.
Re: Where is the open recursion test?
Gregory Hicks wrote:
> Greetings:
>
> Seeing in my named.log entries for "too many timeouts resolving ''..." makes me wonder if my server is an open recursive server.
>
> Where is the test please for open recursion so I can check?

http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
Re: bind memory usage
Peter Dambier wrote:
> I can confirm bind 9.4 does run on an (IBM, not Intel) 486-SCL/2 with 16 MB. That cpu can address no more than 16 MB.
>
>     $ cat /proc/meminfo
>     total:used:free: shared: buffers: cached:
>     Mem: 14540800 10596352 398 3194880 1003520 3518464

Very good to know that 9.4 is running OK on a 16Mb machine, a situation even worse than mine, which is 32Mb :)

I'll try to install 9.4 this week instead of 9.5 and check if it has a slower memory footprint.

Thanks for the tip !!!
Re: bind memory usage
JINMEI Tatuya wrote:
>> question is is there something i can do to low bind's memory usage and successfully run it on those very low embedded devices ???
>
> Admittedly, BIND9 tends to require a lot of memory. I'm not sure if it can reasonably function with a total system memory of 32MB. Some related points:
>
> - if you enable threads, disable them. With the thread support BIND9 will require even more memory.

Yes, threads are already disabled. Compilation is done this way:

    CONFIGURE_ARGS += \
        --enable-shared \
        --enable-static \
        --enable-ipv6 \
        --with-randomdev="/dev/urandom" \
        --disable-threads \
        --with-openssl="$(STAGING_DIR)/usr" \
        --with-libtool \
        --with-libxml2=no \
        , \
        BUILD_CC="$(TARGET_CC)" \

> - "max-cache-size 1048576" is a meaningless configuration: Any positive values less than 2MB will be ignored reset to 2MB. (from ARM)

I do RTFM :) and on the options section, max-cache-size description, there's nothing about that. But if you say so, I'm sure it's there somewhere :) I have done a quick search on 9.5 ARM and really didn't find it.

Anyway, I successfully found that validation in the code ... dns_cache_setcachesize and DNS_CACHE_MINSIZE. Anything smaller than 2Mb is replaced by 2Mb.

Anyway, even the 1Mb being meaningless, it would force the DNS_CACHE_MINSIZE (2Mb) to be used and not the default one which is 32Mb. Even if the 1Mb parameter is ignored, the 2Mb would be something to me, comparing to 32Mb default one.

Anyway, thanks for the tip. I would never realize that.
bind memory usage
Hi,

I'm trying to run bind 9.5.0-P2 on a very low memory system. It's a RouterBoard 450 with 32Mb RAM running OpenWRT.

    r...@sede:~# cat /proc/meminfo
    MemTotal:29920 kB

The problem is that bind seems to consume a LOT of memory ... well, a lot for low memory devices, I never noticed that on machines with GBs of RAM.

Right after starting, bind uses 15% of my system memory, which would be about almost 4,5Mb. And memory usage grows when requests are being answered. I have seen bind using 25% of my memory, which would be about 7.5Mb.

Of course there's all the cache stuff, which I tried to limit with:

    max-cache-size 1048576;

but it didn't help much. Even with very few things stored on cache, which I can check with 'rndc stats', bind memory keeps growing to unacceptable levels given my very low memory resources.

rndc flush, which should empty the cache, simply didn't lower memory usage, thus showing that it's not the cache that's eating that much memory.

Just for comparison, maradns, another caching nameserver (not simply dns forwarder, it's a recursive server) that I'm used to run on OpenWRT, has a memory usage of about 1Mb and it didn't vary too much from that. Of course maradns doesn't have LOOOTS of features bind has but I'm really interested on running bind because I'll have to configure some DNSSec verifications and none of these 'small' DNS servers do that.

Question is is there something I can do to lower bind's memory usage and successfully run it on those very low embedded devices ???