Simple question about zone and CNAME
Hi,

I'd like to use a CNAME record on my zone. I'm able to have this config for http://www.mysite.com:

    www IN CNAME somehost.com

but I can't do it for http://mysite.com:

    @ IN CNAME somehost.com

How can I achieve this configuration? Is there another way to specify the address of http://mysite.com?

I would like to avoid pointing at an IP address directly, as I'm managing a few hundred domains and, among them, I don't manage some domains of some clients, so it is very painful and time consuming to make them do some changes.

Regards,
Thomas.
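The apex record above is rejected because a CNAME owner may carry no other data (RFC 1034 section 3.6.2), and the apex always carries SOA and NS. As an added example, not from the thread, here is a small linter that reports exactly that class of mistake; the zone text is constructed and the syntax it accepts is a simplified subset of a real zone file.

```python
"""Added example (not from the thread): a minimal zone-file linter for the two
CNAME rules named-checkzone enforces (RFC 1034 section 3.6.2): a CNAME owner
may carry no other data, so the apex, which always holds SOA and NS, cannot be
one. Assumes a simplified syntax (one record per line, optional TTL, class IN,
no parentheses or $GENERATE); SAMPLE_ZONE is constructed for this example."""
import re
from collections import defaultdict

SAMPLE_ZONE = """\
$ORIGIN mysite.com.
@     IN SOA   ns0.mysite.com. hostmaster.mysite.com. 2012100401 7200 3600 1209600 3600
@     IN NS    ns0.mysite.com.
@     IN CNAME somehost.com.    ; what the poster tried at the apex
www   IN CNAME somehost.com.    ; fine: nothing else lives at www
mail  IN A     192.0.2.25
mail  IN CNAME somehost.com.    ; CNAME next to an A record at the same owner
ns0   IN A     192.0.2.53
"""

RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.*)$")  # owner [ttl] [IN] type rdata

def parse_zone(text):
    """Return (origin, {absolute owner: [(type, rdata), ...]})."""
    origin, records = ".", defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                  # $TTL etc. are irrelevant here
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError("unparsed line: %r" % raw)
        owner, rtype, rdata = m.groups()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = "%s.%s" % (owner, origin)
        records[owner].append((rtype, rdata))
    return origin, records

def cname_violations(text):
    """List (owner, reason) for every owner that breaks the CNAME rules."""
    origin, records = parse_zone(text)
    problems = []
    for owner, rrs in records.items():
        types = {t for t, _ in rrs}
        if "CNAME" not in types:
            continue
        if owner == origin:
            problems.append((owner, "CNAME at zone apex (apex already holds SOA/NS)"))
        elif len(types) > 1:
            problems.append((owner, "CNAME coexists with " + ", ".join(sorted(types - {"CNAME"}))))
        elif len(rrs) > 1:
            problems.append((owner, "multiple CNAME records"))
    return problems

if __name__ == "__main__":
    for owner, reason in cname_violations(SAMPLE_ZONE):
        print("%s: %s" % (owner, reason))
```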
issues with BIND since a change of server
Hi,

I had to change server because the previous one was getting old, and I had to do it very fast because of a mis-communication by my host...

I'm on Ubuntu 12.04 server, x86_64.

    root@ns0:/etc/bind# aptitude show bind9
    Package: bind9
    New: yes
    State: installed
    Automatically installed: no
    Version: 1:9.8.1.dfsg.P1-4ubuntu0.3

Since then I've had some trouble:

* I've an RNDC error on stopping the service:

    root@ns0:/etc/bind# service bind9 start
     * Starting domain name service... bind9      ...done.
    root@ns0:/etc/bind# service bind9 status
     * bind9 is running
    root@ns0:/etc/bind# service bind9 stop
     * Stopping domain name service... bind9
    rndc: connect failed: 127.0.0.1#953: connection refused
    waiting for pid 28560 to die
      ...done.

  and it appears that nothing listens on port 953:

    root@ns0:/etc/bind# netstat -a | grep 953
    unix  2      [ ACC ]     STREAM     LISTENING     9853953  private/anvil
    root@ns0:/etc/bind#

* When I perform a zonecheck on one of my domains, I get an error saying that the server does not listen:

    The server does not listen or answer on the port TCP 53 (translated from French)
    - Ref: IETF RFC1035 (p.32 4.2. Transport) ftp://ftp.ietf.org/rfc/rfc1035.txt
      The DNS assumes that messages will be transmitted as datagrams or in a byte stream carried by a virtual circuit. While virtual circuits can be used for any DNS activity, datagrams are preferred for queries due to their lower overhead and better performance.

  while the port is open, checked from another machine:

    thomas@home:/home/special/www$ sudo nmap 88.190.17.222 -sS -p 53
    Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-04 14:55 CEST
    Nmap scan report for ns0.ordiworld.fr (88.190.17.222)
    Host is up (0.023s latency).
    PORT   STATE SERVICE
    53/tcp open  domain
    Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
    thomas@home:/home/special/www$ telnet ns0.ordiworld.fr 53
    Trying 88.190.17.222...
    Connected to ns0.ordiworld.fr.
    Escape character is '^]'.
    coucou
    Connection closed by foreign host.

  One time, after adding a log category, the zonecheck was performed with success, without the port 53 errors, but after a restart the error appeared again!

I've 474 domain names...

Bind is running with the root account. I've increased the max open files (soft and hard limit) to 65535 (by editing /etc/security/limits.conf, running ulimit -n 65535 from a root prompt and restarting bind).

I would appreciate any help, I'm really lost here...

I've set some logging options but don't see errors in the produced files:

    ## //include "/etc/bind/zones.rfc1918";
    logging {
        channel security_file {
            file "/var/log/named/security.log" versions 3 size 30m;
            severity dynamic;
            print-time yes;
        };
        category security { security_file; };

        channel query.log { file "/var/log/named/query.log"; severity debug 3; };
        category queries { query.log; };

        channel config.log { file "/var/log/named/config.log"; severity debug 3; };
        category config { config.log; };

        channel general.log { file "/var/log/named/general.log"; severity debug 3; };
        category general { general.log; };

        channel default.log { file "/var/log/named/default.log"; severity debug 3; };
        category default { default.log; };

        channel resolver.log { file "/var/log/named/resolver.log"; severity debug 3; };
        category resolver { resolver.log; };

        channel network.log { file "/var/log/named/network.log"; severity debug 3; };
        category network { network.log; };
    };

/etc/resolv.conf:

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 127.0.0.1
    nameserver 88.191.254.60
    nameserver 88.191.254.70

My /etc/hosts file (for the netstat error):

    root@ns0:/etc/bind# cat /etc/hosts
    127.0.0.1       localhost localhost.localdomain
    88.190.17.222   ns0.ordiworld.fr ns0 sd-28447.dedibox.fr sd-28447
    2a01:e0b:1000:17:be30:5bff:fed0:2bd ns0.ordiworld.fr ns0 sd-28447.dedibox.fr sd-28447

    # The following lines are desirable for IPv6 capable hosts
    ::1     localhost ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts
Re: BIND do not listen on udp port 53
Hi,

Thanks for the advice. I've run the test (named -g after kill) and realized the zonecheck of AFNIC.FR has passed. As I didn't do anything in between, I guess this was maybe a temporary error of the AFNIC.FR zonecheck utility (which says UDP port 53 was not reachable).

Is there a means to query the DNS server on UDP port 53 with something like dig? So I can be sure that it's not my server that is wrong?

I'll keep in mind the lsof -i :53.

For nmap, the correct command was: nmap -sU ns1 -p53

Thanks for your help,
Thomas.

On Thu, May 28, 2009 at 17:12, Peter Dambier pe...@peter-dambier.de wrote:
> Hi Thomas,
>
> did you reboot or start/stop bind or kill? I remember having a named process dangling that kept me from receiving. After rebooting that worked again.
>
> With ps -elf | grep named you should see your named and how it was called:
>
>     ps -elf | grep named
>     5 S hammer  4142  1  0  80  0 - 4142 -  May26 ?  00:00:05 named -u hammer -c named.conf
>
> Now kill 4142, that is my named. Start named manually:
>
>     named -u hammer -c named.conf -g
>
> That -g switch gets you a named console and you can see what goes wrong even if it does not write a log. Control-C terminates bind and you can either start it without -g or whatever way you normally do.
>
> Kind Regards
> Peter
>
> Thomas Manson wrote:
>> Hi,
>>
>> I'm using BIND 9.5.0-P2 (on Ubuntu server 8.04), and the bind server does not listen anymore on the UDP port.
>>
>> I've updated the /etc/bind/named.conf to add a domain, but didn't touch the /etc/bind/named.conf.options.
>>
>> On localhost, when I use nmap I can see that the UDP port is not listed.
>>
>>     tho...@ns1:/etc/bind$ sudo nmap -sS localhost
>>     [sudo] password for thomas:
>>     Starting Nmap 4.62 ( http://nmap.org ) at 2009-05-28 15:17 CEST
>>     Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
>>     Interesting ports on localhost (127.0.0.1):
>>     Not shown: 1709 closed ports
>>     PORT     STATE SERVICE
>>     22/tcp   open  ssh
>>     25/tcp   open  smtp
>>     53/tcp   open  domain
>>     80/tcp   open  http
>>     953/tcp  open  rndc
>>     9102/tcp open  jetdirect
>>     Nmap done: 1 IP address (1 host up) scanned in 0.175 seconds
>>     tho...@ns1:/etc/bind$
>>
>> Does anyone have an idea of what's going on? I can't figure out why this stopped working as before. Maybe it's trivial, but as it's not my full-time job to manage these DNS servers (and I have so many other things to deal with), help would be appreciated.
>>
>> Regards,
>> Thomas.
>
> --
> Peter and Karin Dambier
> Cesidian Root - Radice Cesidiana
> http://www.peter-dambier.de/
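Both the 2012 message above (zonecheck reports TCP 53 as not answering while nmap shows it open) and this 2009 question (how to query UDP port 53 "with something like dig") come down to the same check: does the server return a real DNS answer on each transport, which a port scan does not tell you. This added example, not from either thread, does what `dig @server zone SOA +notcp` and `+tcp` do with nothing but the standard library; SERVER and ZONE are constructed placeholders.

```python
"""Added example (not from either thread): check UDP and TCP port 53 the way
dig does (dig @server zone SOA +notcp, then +tcp) without nmap. It builds a
minimal DNS query (RFC 1035 section 4.1), sends it over each transport (TCP
carries a two-byte length prefix) and reports whether a well-formed response
came back. SERVER and ZONE in main are constructed placeholders."""
import socket
import struct

QID = 0x1234  # fixed query id so a reply can be matched to its query

def build_query(qname, qtype=6):
    """Wire-format query for qname (qtype 6 = SOA). All flag bits are zero,
    so RD is clear and an authoritative-only server is not asked to recurse."""
    header = struct.pack("!HHHHHH", QID, 0, 1, 0, 0, 0)
    question = b""
    for label in filter(None, qname.rstrip(".").split(".")):
        question += struct.pack("B", len(label)) + label.encode("ascii")
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(resp):
    """Return (id, is_response, rcode, answer_count) from a DNS message."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return qid, bool(flags & 0x8000), flags & 0x000F, an

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return buf

def probe(server, qname, transport, timeout=3.0):
    """Send one SOA query over 'udp' or 'tcp'; return the parsed header, or
    None when nothing usable came back within the timeout."""
    query = build_query(qname)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, 53), timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                data = _recv_exact(s, length)
        hdr = parse_header(data)
        return hdr if hdr[1] and hdr[0] == QID else None
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    SERVER, ZONE = "192.0.2.53", "example.com."  # placeholders, not real hosts
    for transport in ("udp", "tcp"):
        r = probe(SERVER, ZONE, transport)
        print("%s/53: %s" % (transport, "no answer" if r is None
                             else "rcode=%d answers=%d" % (r[2], r[3])))
```

A server that is up but configured not to answer that zone still returns a response (rcode 5, REFUSED), so "no answer" on one transport and a response on the other points at the listener or a firewall, not at the zone data.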
Re: Change my primary DNS server safely...
Thanks Jeff and Robert,

Robert's plan seems to be the best way to do the thing, so I'll follow that plan ;)

Thanks again,
Thomas.

On Fri, Feb 27, 2009 at 17:39, Jeff Lightner jlight...@water.com wrote:
> In your case it sounds like you're going to have two external IPs. If so I'd leave the Apache server with BIND running and add the new server as the first one at the registrar. That way anyone that has your old server cached will continue to get to it. Any new queries hopefully would cache your new server. After you're sure the new server is up and running for a few days you can stop BIND on the old one (to reduce load on it).
>
> -----Original Message-----
> From: Thomas Manson [mailto:dev.mansontho...@gmail.com]
> Sent: Friday, February 27, 2009 10:06 AM
> To: Jeff Lightner
> Cc: bind-users@lists.isc.org
> Subject: Re: Change my primary DNS server safely...
>
> Hi Jeff,
>
> Actually, I've Postfix/Apache2/Bind (primary DNS) on the same machine, which is hosted by one company. I want to dedicate a server to be the primary DNS. This server is hosted by another company. (The first server will be reinstalled soon but will stay in the original hosting company.) The secondary DNS is already a dedicated server.
>
> So my new primary DNS is ready and the old server will still be running (at least for the apache2 service). Should I let BIND run on the old server or stop it? (Would it be annoying if the old IP still answers queries?)
>
> Regards,
> Thomas.
>
> On Fri, Feb 27, 2009 at 14:50, Jeff Lightner jlight...@water.com wrote:
>> Not sure where the trepidation comes in here. Hopefully you ARE running a slave server as well so if the primary isn't reachable the slave would resolve lookups until you fixed any problem.
>>
>> Here we've moved our servers from one network provider to another so had to change the IPs of the master and the slave at the network registrars. We did those one at a time. That is to say we first did the slave and once we were sure it was resolving correctly and had allowed time for everyone's caches to clear (we waited 3 days/72 hours) then we moved the master.
>>
>> We've also completely replaced both our primary and slave by installing new servers and setting them with the IPs. There again we did it by doing one at a time. For those there was no propagation time since the IP stayed the same.
>>
>> If you're simply moving your master to a new IP (as the outside world sees it) then you'll have to allow time for the caches to clear as we did. If you're simply moving it to a new IP internally then your network folks should be able to NAT that IP to the same external IP your prior server had.
>>
>> -----Original Message-----
>> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Thomas Manson
>> Sent: Thursday, February 26, 2009 8:04 PM
>> To: bind-users@lists.isc.org
>> Subject: Change my primary DNS server safely...
>>
>> Hello,
>>
>> I need to change the primary DNS server which manages hundreds of domains. I've set up the new machine so that it has the correct named configuration for each domain (script generated). I plan to change the IP behind ns0.mydomain.com so that it points to the new machine.
>>
>> As I feel it's a bit risky to do that, if you have any suggestions, I'll be glad to hear them.
>>
>> Thanks,
>> Thomas.
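Jeff's plan (add the new server at the registrar, keep the old one answering for a few days, then stop it) assumes both servers hand out the same data for every one of the hundreds of zones while they overlap. This added check, not part of the thread, reads the zone list from a named.conf-style file and compares the SOA serial each server returns before the old master is switched off; it assumes dig is installed, and the config text, addresses and path are constructed placeholders.

```python
"""Added example (not part of the thread): before stopping BIND on the old
master, confirm that every zone the new master carries answers with the same
SOA serial from the old and the new address, so nobody is served stale data
while the registrar change and resolver caches converge. Assumptions: dig is
installed; zones are read from a named.conf-style file with `zone "name" {`
statements (SAMPLE_NAMED_CONF is constructed); OLD_IP and NEW_IP are placeholders."""
import re
import subprocess

ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"\s*(?:IN\s+)?\{', re.M | re.I)

SAMPLE_NAMED_CONF = '''
zone "." { type hint; file "/etc/bind/db.root"; };
zone "mysite.com" { type master; file "/etc/bind/zones/mysite.com"; };
zone "client-one.example" IN {
    type master; file "/etc/bind/zones/client-one.example";
};
zone "0.0.127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
'''

def list_zones(named_conf_text):
    """Zone names from zone statements, minus the root hint zone."""
    return [z for z in ZONE_RE.findall(named_conf_text) if z != "."]

def soa_serial(server, zone):
    """SOA serial via `dig +short` (prints 'mname rname serial refresh retry
    expire minimum'), or None when the server returns no SOA or dig is absent."""
    cmd = ["dig", "@" + server, zone, "SOA", "+short", "+time=2", "+tries=1"]
    try:
        fields = subprocess.run(cmd, capture_output=True, text=True).stdout.split()
    except OSError:
        return None
    return int(fields[2]) if len(fields) >= 7 and fields[2].isdigit() else None

def compare_serials(zones, old_serials, new_serials):
    """Classify each zone as ok, mismatch, old-missing or new-missing.
    new-missing is the blocker: the new master is not authoritative for that
    zone, so it would fail the moment the old server is switched off."""
    status = {}
    for z in zones:
        old, new = old_serials.get(z), new_serials.get(z)
        if new is None:
            status[z] = "new-missing"
        elif old is None:
            status[z] = "old-missing"
        else:
            status[z] = "ok" if old == new else "mismatch"
    return status

if __name__ == "__main__":
    OLD_IP, NEW_IP = "192.0.2.10", "198.51.100.10"      # placeholders
    with open("/etc/bind/named.conf.local") as f:       # path is an assumption
        zones = list_zones(f.read())
    old = {z: soa_serial(OLD_IP, z) for z in zones}
    new = {z: soa_serial(NEW_IP, z) for z in zones}
    report = compare_serials(zones, old, new)
    for z, state in sorted(report.items(), key=lambda kv: kv[1] == "ok"):
        print("%-12s %-30s old=%s new=%s" % (state, z, old[z], new[z]))
    print("safe to stop the old master:", all(s == "ok" for s in report.values()))
```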
Re: loads of Query denied... is it an attack or a misconfiguration ?
>> Well... I'll temporarily block the IP on my firewall
>
> Very bad idea, since it is forged. You do exactly what the attacker wanted you to do. The proper thing to do is:
> https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

This is the kind of response I expect: an answer from someone who knows the subject to a person who doesn't...

In this case, I could do nothing (and let the attack be done) or do things wrong that amplify the attack. Is it something everyone would want? If so, just tell me, I'll set up the DoS attack myself, if it's in the general interest!

> Please go read the list archives.

This encourages doing nothing: I've a working system (my domain names are resolved across the internet), why care more? And then let the DNS system get attacked... great...

On Wed, Feb 11, 2009 at 08:59, Stephane Bortzmeyer bortzme...@nic.fr wrote:
> On Wed, Feb 11, 2009 at 01:21:35AM +0100, Thomas Manson dev.mansontho...@gmail.com wrote a message of 88 lines which said:
>
>> I believed I was on the bind mailing list, a mailing list is where you usually get some help... isn't it?
>
> You're right, it's a shame. Ask immediately for a refund, both for your registration to the mailing list and for BIND itself.
loads of Query denied... is it an attack or a misconfiguration ?
Hi,

I can see in my secondary DNS server a lot of logs with "query (cache) denied" from the same IP. I've tracerouted one of them, which seems to be a Russian computer:

    * *
    17  ns1.orlan-net.ru (195.68.176.4)  136.563 ms * *

    Feb 11 00:21:49 ns1 named[13392]: client 195.68.176.4#59934: query (cache) './NS/IN' denied
    Feb 11 00:21:49 ns1 named[13392]: client 195.68.176.4#23591: query (cache) './NS/IN' denied
    Feb 11 00:21:53 ns1 named[13392]: client 195.68.176.4#54430: query (cache) './NS/IN' denied
    Feb 11 00:21:53 ns1 named[13392]: client 195.68.176.4#46875: query (cache) './NS/IN' denied
    Feb 11 00:21:55 ns1 named[13392]: client 195.68.176.4#43603: query (cache) './NS/IN' denied
    Feb 11 00:21:56 ns1 named[13392]: client 195.68.176.4#27124: query (cache) './NS/IN' denied
    Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#14844: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
    Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#11936: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
    Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#5777: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
    Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#64647: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
    Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#41115: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
    Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#6712: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
    Feb 11 00:21:59 ns1 named[13392]: client 195.68.176.4#38402: query (cache) './NS/IN' denied
    Feb 11 00:21:59 ns1 named[13392]: client 195.68.176.4#59205: query (cache) './NS/IN' denied
    Feb 11 00:22:01 ns1 named[13392]: client 195.68.176.4#36863: query (cache) './NS/IN' denied
    Feb 11 00:22:02 ns1 named[13392]: client 195.68.176.4#51511: query (cache) './NS/IN' denied
    Feb 11 00:22:03 ns1 named[13392]: client 62.193.206.134#50013: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
    Feb 11 00:22:03 ns1 named[13392]: client 62.193.206.134#43818: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
    Feb 11 00:22:03 ns1 named[13392]: client 62.193.206.134#10674: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
    Feb 11 00:22:05 ns1 named[13392]: client 195.68.176.4#61345: query (cache) './NS/IN' denied
    Feb 11 00:22:05 ns1 named[13392]: client 195.68.176.4#5707: query (cache) './NS/IN' denied
    Feb 11 00:22:06 ns1 named[13392]: client 62.193.206.235#53811: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
    Feb 11 00:22:06 ns1 named[13392]: client 62.193.206.235#53504: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
    Feb 11 00:22:06 ns1 named[13392]: client 62.193.206.235#24805: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
    Feb 11 00:22:07 ns1 named[13392]: client 195.68.176.4#50225: query (cache) './NS/IN' denied
    Feb 11 00:22:08 ns1 named[13392]: client 195.68.176.4#27039: query (cache) './NS/IN' denied
    Feb 11 00:22:08 ns1 named[13392]: client 195.68.176.4#47331: query (cache) './NS/IN' denied
    Feb 11 00:22:12 ns1 named[13392]: client 195.68.176.4#53740: query (cache) './NS/IN' denied
    Feb 11 00:22:12 ns1 named[13392]: client 195.68.176.4#53988: query (cache) './NS/IN' denied
    Feb 11 00:22:12 ns1 named[13392]: client 62.193.206.133#1995: query (cache) 'le-droit-de-lenfance.com/A/IN' denied

Is it a misconfiguration of my DNS server (which passes the French NIC test, so...) or an attack or something else? Is there anything I should do?

Regards,
Thomas.
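The replies in this thread identify the pattern: repeated './NS/IN' queries from a single address to an authoritative-only server are a reflection attack in which the logged address is the spoofed victim, so blocking it is the wrong move. As an added example, not from the thread, this is how a defender would triage such lines; the sample log is constructed with TEST-NET addresses rather than copied from the post.

```python
"""Added example (not from the thread): triage BIND 'query (cache) ... denied'
lines like the ones above the way a defender would. It groups denials by
client address, counts distinct source ports and query names, measures the
time span, and flags the upward-referral reflection pattern: many './NS/IN'
requests from one address in a short window. SAMPLE_LOG is constructed
(TEST-NET addresses), not copied from the post."""
import re
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^']+)' denied$")

SAMPLE_LOG = """\
Feb 11 00:21:49 ns1 named[13392]: client 192.0.2.4#59934: query (cache) './NS/IN' denied
Feb 11 00:21:49 ns1 named[13392]: client 192.0.2.4#23591: query (cache) './NS/IN' denied
Feb 11 00:21:53 ns1 named[13392]: client 192.0.2.4#54430: query (cache) './NS/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 198.51.100.7#14844: query (cache) 'shop.example/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 198.51.100.7#11936: query (cache) 'shop.example/A/IN' denied
Feb 11 00:22:03 ns1 named[13392]: client 192.0.2.4#61345: query (cache) './NS/IN' denied
Feb 11 00:22:05 ns1 named[13392]: client 192.0.2.4#5707: query (cache) './NS/IN' denied
Feb 11 00:22:40 ns1 named[13392]: client 203.0.113.9#4242: query (cache) 'shop.example/MX/IN' denied
"""

def parse_denials(text, year=2009):
    """Yield (timestamp, client_ip, source_port, qname) per matching line;
    syslog timestamps carry no year, so one is supplied."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], int(m["port"]), m["qname"]

def summarise(events):
    """Per client: denial count, distinct source ports, qnames, span in seconds."""
    per_src = {}
    for ts, ip, port, qname in events:
        s = per_src.setdefault(ip, {"count": 0, "ports": set(), "qnames": set(),
                                    "first": ts, "last": ts})
        s["count"] += 1
        s["ports"].add(port)
        s["qnames"].add(qname)
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    for s in per_src.values():
        s["span"] = (s["last"] - s["first"]).total_seconds()
    return per_src

def reflector_suspects(summary, min_count=4, window=60):
    """Addresses repeatedly asking this authoritative-only server for the root
    NS set inside a short window. Treat the address as the *victim's*
    (spoofed source), not the attacker's: firewalling it punishes the victim,
    while the 'denied' (REFUSED) reply is already small. The fix the thread
    points to is on the response side: stop sending upward referrals."""
    return sorted(ip for ip, s in summary.items()
                  if "./NS/IN" in s["qnames"] and s["count"] >= min_count
                  and s["span"] <= window)

if __name__ == "__main__":
    summary = summarise(parse_denials(SAMPLE_LOG))
    for ip, s in summary.items():
        print("%-14s %3d denials %2d ports %4.0fs %s" % (
            ip, s["count"], len(s["ports"]), s["span"], sorted(s["qnames"])))
    print("reflector suspects:", reflector_suspects(summary))
```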
Re: loads of Query denied... is it an attack or a misconfiguration ?
That's some awesome answer... (did you get help to elaborate it?)

Equivalent: google is your friend, search the RFCs. Then... read the list archives... I guess I can spend the next ten years if I read it from the beginning. Could you give any clue of what to look for?

I believed I was on the bind mailing list; a mailing list is where you usually get some help... isn't it?

Thomas.

On Wed, Feb 11, 2009 at 00:52, Thomas Manson dev.mansontho...@gmail.com wrote:
> On Wed, Feb 11, 2009 at 00:51, Mark Andrews mark_andr...@isc.org wrote:
>> Please go read the list archives.
>>
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742  INTERNET: mark_andr...@isc.org
Re: loads of Query denied... is it an attack or a misconfiguration ?
Someone answers me. You could just have said "search reflector DoS attack in the list archive", this would have narrowed down my research a lot.

I'll temporarily block the IP on my firewall.

On Wed, Feb 11, 2009 at 01:21, Mark Andrews mark_andr...@isc.org wrote:
> In message f43eb7e60902101552l524787b1t72fcc821437af...@mail.gmail.com, Thomas Manson writes:
>
> The subject matter has been discussed in lots of detail over the last month. Go read the archives of the mailing list.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: mark_andr...@isc.org