Simple question about zone and CNAME

2013-04-05 Thread Thomas Manson
Hi,

 I'd like to use a CNAME record on my zone.

 I'm able to have this config:

for http://www.mysite.com

www IN CNAME  somehost.com

but I can't do

for http://mysite.com
@  IN CNAME somehost.com

How can I achieve this configuration?
Is there another way to specify the address of http://mysite.com?

I would like to avoid pointing at an IP address directly, as I'm managing a
few hundred domains and among them there are some domains of some clients that
I don't manage, which makes it very painful and time consuming to get them to
make a change.

Regards,
Thomas.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
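Added example (not from the post, nor BIND's own code) showing why the `@ IN CNAME` line is refused: RFC 1034 section 3.6.2 and RFC 2181 section 10.1 forbid a CNAME owner name from carrying any other record, and the apex always carries the SOA and NS. The zone text below is constructed for this example, and the zone syntax it parses is a simplified `owner [TTL] [IN] TYPE rdata`.

```python
"""Flag owner names whose CNAME would coexist with other records.

Constructed sample zone (not from the thread); the check generalises the
thread's apex case to any owner name, e.g. www with both CNAME and TXT."""
from collections import defaultdict

SAMPLE_ZONE = """\
$ORIGIN mysite.com.
@       IN SOA   ns0.mysite.com. hostmaster.mysite.com. 2013040501 3600 900 604800 300
@       IN NS    ns0.mysite.com.
@       IN CNAME somehost.com.
www     IN CNAME somehost.com.
www     IN TXT   "v=spf1 -all"
mail    IN A     192.0.2.10
"""

RECORD_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "SOA", "TXT", "SRV", "PTR"}

def parse_zone(text):
    """Return {owner_fqdn: [rrtype, ...]} for a simplified zone file."""
    origin = "."
    owners = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        owner = fields[0]
        idx = 1                      # skip optional TTL and class fields
        if idx < len(fields) and fields[idx].isdigit():
            idx += 1
        if idx < len(fields) and fields[idx].upper() == "IN":
            idx += 1
        rrtype = fields[idx].upper()
        if rrtype not in RECORD_TYPES:
            raise ValueError("unknown record type in line: " + raw)
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = owner + "." + origin
        owners[fqdn].append(rrtype)
    return dict(owners)

def cname_conflicts(owners):
    """Owners that have a CNAME plus other data, with the conflicting types."""
    conflicts = {}
    for fqdn, types in owners.items():
        if "CNAME" in types:
            others = sorted(t for t in types if t != "CNAME")
            if others:
                conflicts[fqdn] = others
    return conflicts

if __name__ == "__main__":
    for fqdn, others in cname_conflicts(parse_zone(SAMPLE_ZONE)).items():
        print(f"{fqdn}: CNAME cannot coexist with {', '.join(others)}")
```

The apex entry is reported with NS and SOA as the conflicting types, which is exactly the data that can never be removed from a zone apex.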

issues with BIND since a change of server

2012-10-04 Thread Thomas Manson
Hi,

  I had to change server because the previous one was getting old, and I had
to do it very fast because of a miscommunication with my host...

  I'm on Ubuntu 12.04 server, x86_64.

root@ns0:/etc/bind# aptitude show bind9
Package: bind9
New: yes
State: installed
Automatically installed: no
Version: 1:9.8.1.dfsg.P1-4ubuntu0.3


  Since then I've had some trouble:

* I've an RNDC error when stopping the service:

root@ns0:/etc/bind# service bind9 start
 * Starting domain name service... bind9
   ...done.
root@ns0:/etc/bind# service bind9 status
 * bind9 is running
root@ns0:/etc/bind# service bind9 stop
 * Stopping domain name service... bind9
rndc: connect failed: 127.0.0.1#953: connection refused
waiting for pid 28560 to die
   ...done.

and it appears that nothing listens on port 953:

root@ns0:/etc/bind# netstat -a | grep 953
unix  2  [ ACC ] STREAM LISTENING 9853953  private/anvil
root@ns0:/etc/bind#


When I perform a zonecheck on one of my domains, I get an error saying that
the server does not listen:


The server does not listen or answer on TCP port 53: (translated from
French)

   - Ref: IETF RFC1035 (p.32 4.2. Transport) ftp://ftp.ietf.org/rfc/rfc1035.txt

   The DNS assumes that messages will be transmitted as datagrams or in a
   byte stream carried by a virtual circuit. While virtual circuits can be
   used for any DNS activity, datagrams are preferred for queries due to their
   lower overhead and better performance.


while the port is open, checked from another machine:

thomas@home:/home/special/www$ sudo nmap 88.190.17.222 -sS -p 53

Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-04 14:55 CEST
Nmap scan report for ns0.ordiworld.fr (88.190.17.222)
Host is up (0.023s latency).
PORT   STATE SERVICE
53/tcp open  domain

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
thomas@home:/home/special/www$
thomas@home:/home/special/www$ telnet ns0.ordiworld.fr 53
Trying 88.190.17.222...
Connected to ns0.ordiworld.fr.
Escape character is '^]'.


coucou
Connection closed by foreign host.


One time, after adding a log category, the zonecheck was performed with
success, without the port 53 errors, but after a restart the error appeared
again!

I've 474 domain names... Bind is running with the root account.

I've increased the max open files (soft and hard limits) to 65535 (by
editing /etc/security/limits.conf, running ulimit -n 65535 from a root
prompt and restarting bind).

I would appreciate any help, I'm really lost here...



I've set some logging options but don't see errors in the produced files:

##
//include /etc/bind/zones.rfc1918;
logging {
  channel security_file {
    file "/var/log/named/security.log" versions 3 size 30m;
    severity dynamic;
    print-time yes;
  };
  category security { security_file; };

  channel query.log {
    file "/var/log/named/query.log";
    severity debug 3;
  };
  category queries { query.log; };

  channel config.log {
    file "/var/log/named/config.log";
    severity debug 3;
  };
  category config { config.log; };

  channel general.log {
    file "/var/log/named/general.log";
    severity debug 3;
  };
  category general { general.log; };

  channel default.log {
    file "/var/log/named/default.log";
    severity debug 3;
  };
  category default { default.log; };

  channel resolver.log {
    file "/var/log/named/resolver.log";
    severity debug 3;
  };
  category resolver { resolver.log; };

  channel network.log {
    file "/var/log/named/network.log";
    severity debug 3;
  };
  category network { network.log; };
};
##





/etc/resolv.conf:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
nameserver 88.191.254.60
nameserver 88.191.254.70


my /etc/hosts file (for the netstat error):

root@ns0:/etc/bind# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain

88.190.17.222   ns0.ordiworld.fr ns0 sd-28447.dedibox.fr sd-28447
2a01:e0b:1000:17:be30:5bff:fed0:2bd ns0.ordiworld.fr ns0 sd-28447.dedibox.fr sd-28447

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Re: BIND do not listen on udp port 53

2009-05-29 Thread Thomas Manson
Hi,
  Thanks for the advice, I've run the test (named -g after kill) and
realized the zonecheck of AFNIC.FR has passed.

 As I didn't do anything in between, I guess this was maybe a temporary
error of the AFNIC.FR zonecheck utility (which said UDP port 53 was not
reachable).

 Is there a way to query the DNS server on UDP port 53 with something like
dig, so I can be sure that it's not my server that is wrong?

I'll keep in mind the lsof -i :53.
For nmap, the correct command was nmap -sU ns1 -p53


Thanks for your help,
Thomas.

On Thu, May 28, 2009 at 17:12, Peter Dambier pe...@peter-dambier.de wrote:

 Hi Thomas,

 did you reboot or start/stop bind or kill?

 I remember having a named process dangling that kept me from
 receiving. After rebooting that worked again.

 with

 ps -elf | grep named

 you should see your named and how it was called:

 ps -elf | grep named

 5 S hammer   4142 1  0  80   0 -  4142 -  May26 ?00:00:05 named -u hammer -c named.conf

 Now kill 4142, that is my named. Start named manually:

 named -u hammer -c named.conf -g

 That -g switch gets you a named console and you can
 see what goes wrong even if it does not write a log.

 Control-C terminates bind and you can either start it without -g or
 whatever way you normally do.


 Kind Regards
 Peter


 Thomas Manson wrote:
  Hi,
 
  I'm using BIND 9.5.0-P2 (on Ubuntu server 8.04).
 
   And the bind server does not listen anymore on the UDP port.
 
  I've updated the /etc/bind/named.conf to add a domain, but didn't touch
  the /etc/bind/named.conf.options.
 
  On localhost, when I use nmap I can see that the UDP port is not listed.
 
  tho...@ns1:/etc/bind$ sudo nmap -sS localhost
  [sudo] password for thomas:
 
  Starting Nmap 4.62 ( http://nmap.org ) at 2009-05-28 15:17 CEST
  Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
  Interesting ports on localhost (127.0.0.1):
  Not shown: 1709 closed ports
  PORT STATE SERVICE
  22/tcp   open  ssh
  25/tcp   open  smtp
  53/tcp   open  domain
  80/tcp   open  http
  953/tcp  open  rndc
  9102/tcp open  jetdirect
 
  Nmap done: 1 IP address (1 host up) scanned in 0.175 seconds
  tho...@ns1:/etc/bind$
 
 
  Does anyone have an idea of what's going on?
 
  I can't figure out why this stopped working as before.
 
  Maybe it's trivial, but as it's not my full-time job to manage these DNS
  servers (and I have so many other things to deal with), help would be
  appreciated.
 
  Regards,
  Thomas.
 
 
  
 

 --
 Peter and Karin Dambier
 Cesidian Root - Radice Cesidiana
 Rimbacher Strasse 16
 D-69509 Moerlenbach-Bonsweiher
 +49(6209)795-816 (Telekom)
 +49(6252)750-308 (VoIP: sipgate.de)
 mail: pe...@peter-dambier.de
 http://www.peter-dambier.de/
 http://iason.site.voila.fr/
 https://sourceforge.net/projects/iason/
 ULA= fd80:4ce1:c66a::/48

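Added example (not from either thread, nor a BIND tool) answering the "something like dig for UDP port 53" question above and the TCP-53 zonecheck failure in the 2012 thread: it sends the same question over UDP/53 and over TCP/53 with only the standard library and reports which transport answered. It also shows why the `telnet ... 53` / `coucou` test in the 2012 thread got disconnected: TCP DNS needs a 2-byte length prefix and a real query. The default server and name in the `__main__` block are assumptions, not the threads' hosts.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id, fine for a one-shot probe

def build_query(qname, qtype=2, txid=TXID):
    """Wire-format DNS query (RFC 1035 section 4.1); qtype 2 = NS, 6 = SOA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split(".") if p)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(message, expected_txid=TXID):
    """Decode the 12-byte header; return (rcode, answer_count) or raise."""
    if len(message) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F, ancount

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf

def query_udp(server, qname, qtype=2, timeout=3.0):
    """One query over UDP/53, the transport dig uses by default (+notcp)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)

def query_tcp(server, qname, qtype=2, timeout=3.0):
    """Same query over TCP/53 (dig +tcp). TCP DNS prefixes every message with
    a 2-byte length (RFC 1035 section 4.2.2); plain text typed into a telnet
    session on port 53 is not a valid message, so the server just closes."""
    q = build_query(qname, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_header(data)

def probe(server, qname):
    """Try both transports; map 'udp'/'tcp' to a result or failure string."""
    results = {}
    for name, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            rcode, answers = fn(server, qname)
            results[name] = f"ok rcode={rcode} answers={answers}"
        except (OSError, ValueError) as exc:
            results[name] = f"FAILED: {exc}"
    return results

if __name__ == "__main__":
    import sys
    # server and name are assumptions for the demo, not the threads' hosts
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe(server, sys.argv[2] if len(sys.argv) > 2 else "example.com."))
```

Run it from another machine against the name server, as the thread does with nmap; a transport that times out or returns "QR bit clear" is the one the zonecheck is complaining about.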

Re: Change my primary DNS server safely...

2009-03-03 Thread Thomas Manson
Thanks Jeff and Robert,

 Robert's plan seems to be the best way to do the thing so I'll follow
that plan ;)

Thanks again,
Thomas.

On Fri, Feb 27, 2009 at 17:39, Jeff Lightner jlight...@water.com wrote:
 In your case it sounds like you're going to have two external IPs.  If so I'd 
 leave the Apache server with BIND running and add the new server as first one 
 at the registrar.  That way anyone that has your old server cached will 
 continue to get to it.  Any new queries hopefully would cache your new server.

 After you're sure the new server is up and running for a few days you can 
 stop BIND on the old one (to reduce load on it).

 -Original Message-
 From: Thomas Manson [mailto:dev.mansontho...@gmail.com]
 Sent: Friday, February 27, 2009 10:06 AM
 To: Jeff Lightner
 Cc: bind-users@lists.isc.org
 Subject: Re: Change my primary DNS server safely...

 Hi Jeff,

  Actually, I've Postfix/Apache2/Bind (primary DNS) on the same
 machine which is hosted by one company.

  I want to dedicate a server to be the primary DNS. This server is
 hosted by another company. (The first server will be reinstalled soon
 but will stay with the original hosting company.)

  The secondary DNS is already a dedicated server.

  So my new primary DNS  is ready and the old server will still be
 running (at least for the apache2 service).
  Should I leave BIND running on the old server or stop it? (Would it
 be annoying if the old IP still answers queries?)

 Regards,
 Thomas.



 On Fri, Feb 27, 2009 at 14:50, Jeff Lightner jlight...@water.com wrote:
 Not sure where the trepidation comes in here.  Hopefully you ARE running
 a slave server as well so if the primary isn't reachable the slave would
 resolve lookups until you fixed any problem.

 Here we've moved our servers from one network provider to another so had
 to change the IPs of the master and the slave at the Network registrars.
 We did those one at a time.  That is to say we first did the slave and
 once we were sure it was resolving correctly and had allowed time for
 everyone's caches to clear (we waited 3 days/72 hours) then we moved the
 master.

 We've also completely replaced both our primary and slave by installing
 new servers and setting them with the IPs.  There again we did it by
 doing one at a time.  For those there was no propagation time since the
 IP stayed the same.

 If you're simply moving your master to a new IP (as the outside world
 sees it) then you'll have to allow time for the caches to clear as we
 did.  If you're simply moving it to a new IP internally then your
 network folks should be able to NAT that IP to the same external IP your
 prior server had.

 -Original Message-
 From: bind-users-boun...@lists.isc.org
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Thomas Manson
 Sent: Thursday, February 26, 2009 8:04 PM
 To: bind-users@lists.isc.org
 Subject: Change my primary DNS server safely...

 Hello,

  I need to change the primary DNS server which manages hundreds of
 domains.

  I've set up the new machine so that it has the correct named
 configuration for each domain (script generated).

  I plan to change the IP behind the ns0.mydomain.com so that it
 points to the new machine.

  As I feel it's a bit risky to do that, if you have any suggestion,
 I'll be glad to hear it.

 Thanks,
 Thomas.




Re: Change my primary DNS server safely...

2009-02-27 Thread Thomas Manson
Hi Jeff,

  Actually, I've Postfix/Apache2/Bind (primary DNS) on the same
machine which is hosted by one company.

  I want to dedicate a server to be the primary DNS. This server is
hosted by another company. (The first server will be reinstalled soon
but will stay with the original hosting company.)

  The secondary DNS is already a dedicated server.

  So my new primary DNS  is ready and the old server will still be
running (at least for the apache2 service).
  Should I leave BIND running on the old server or stop it? (Would it
be annoying if the old IP still answers queries?)

Regards,
Thomas.



On Fri, Feb 27, 2009 at 14:50, Jeff Lightner jlight...@water.com wrote:
 Not sure where the trepidation comes in here.  Hopefully you ARE running
 a slave server as well so if the primary isn't reachable the slave would
 resolve lookups until you fixed any problem.

 Here we've moved our servers from one network provider to another so had
 to change the IPs of the master and the slave at the Network registrars.
 We did those one at a time.  That is to say we first did the slave and
 once we were sure it was resolving correctly and had allowed time for
 everyone's caches to clear (we waited 3 days/72 hours) then we moved the
 master.

 We've also completely replaced both our primary and slave by installing
 new servers and setting them with the IPs.  There again we did it by
 doing one at a time.  For those there was no propagation time since the
 IP stayed the same.

 If you're simply moving your master to a new IP (as the outside world
 sees it) then you'll have to allow time for the caches to clear as we
 did.  If you're simply moving it to a new IP internally then your
 network folks should be able to NAT that IP to the same external IP your
 prior server had.

 -Original Message-
 From: bind-users-boun...@lists.isc.org
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Thomas Manson
 Sent: Thursday, February 26, 2009 8:04 PM
 To: bind-users@lists.isc.org
 Subject: Change my primary DNS server safely...

 Hello,

  I need to change the primary DNS server which manages hundreds of
 domains.

  I've set up the new machine so that it has the correct named
 configuration for each domain (script generated).

  I plan to change the IP behind the ns0.mydomain.com so that it
 points to the new machine.

  As I feel it's a bit risky to do that, if you have any suggestion,
 I'll be glad to hear it.

 Thanks,
 Thomas.



Re: loads of Query denied... is it an attack or a misconfiguration ?

2009-02-11 Thread Thomas Manson
Well...


  I'll temporarily block the IP on my firewall

 Very bad idea, since it is forged. You do exactly what the attacker
 wanted you to do.
 The proper thing to do is:
 https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful


This is the kind of response I expect: an answer from someone who knows the
subject to a person who doesn't...
In this case, I could either do nothing (and let the attack happen) or do
things wrong that amplify the attack.
Is it something everyone would want? If so, just tell me, I'll set up a DoS
attack myself, if it's in the general interest!


 Please go read the list archives.

This encourages doing nothing: I've a working system (my domain names are
resolved across the internet), why care more?
And then let the DNS system get attacked... great...



On Wed, Feb 11, 2009 at 08:59, Stephane Bortzmeyer bortzme...@nic.fr wrote:

 On Wed, Feb 11, 2009 at 01:21:35AM +0100,
  Thomas Manson dev.mansontho...@gmail.com wrote
  a message of 88 lines which said:

  I believed I was on bind mailing list, a mailing list is where you
  usually get some help... isn't it ?

 You're right, it's a shame. Ask immediately for a refund, both for
 your registration to the mailing list and for BIND itself.



loads of Query denied... is it an attack or a misconfiguration ?

2009-02-10 Thread Thomas Manson
Hi,

I can see in my secondary DNS server a lot of logs with query (cache) denied
from the same IP.
I've tracerouted one of them, which seems to be a Russian computer.


17  ns1.orlan-net.ru (195.68.176.4)  136.563 ms * *

Feb 11 00:21:49 ns1 named[13392]: client 195.68.176.4#59934: query (cache) './NS/IN' denied
Feb 11 00:21:49 ns1 named[13392]: client 195.68.176.4#23591: query (cache) './NS/IN' denied
Feb 11 00:21:53 ns1 named[13392]: client 195.68.176.4#54430: query (cache) './NS/IN' denied
Feb 11 00:21:53 ns1 named[13392]: client 195.68.176.4#46875: query (cache) './NS/IN' denied
Feb 11 00:21:55 ns1 named[13392]: client 195.68.176.4#43603: query (cache) './NS/IN' denied
Feb 11 00:21:56 ns1 named[13392]: client 195.68.176.4#27124: query (cache) './NS/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#14844: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#11936: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#5777: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#64647: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#41115: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 62.193.206.133#6712: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:21:59 ns1 named[13392]: client 195.68.176.4#38402: query (cache) './NS/IN' denied
Feb 11 00:21:59 ns1 named[13392]: client 195.68.176.4#59205: query (cache) './NS/IN' denied
Feb 11 00:22:01 ns1 named[13392]: client 195.68.176.4#36863: query (cache) './NS/IN' denied
Feb 11 00:22:02 ns1 named[13392]: client 195.68.176.4#51511: query (cache) './NS/IN' denied
Feb 11 00:22:03 ns1 named[13392]: client 62.193.206.134#50013: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:03 ns1 named[13392]: client 62.193.206.134#43818: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:03 ns1 named[13392]: client 62.193.206.134#10674: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:05 ns1 named[13392]: client 195.68.176.4#61345: query (cache) './NS/IN' denied
Feb 11 00:22:05 ns1 named[13392]: client 195.68.176.4#5707: query (cache) './NS/IN' denied
Feb 11 00:22:06 ns1 named[13392]: client 62.193.206.235#53811: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:06 ns1 named[13392]: client 62.193.206.235#53504: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:06 ns1 named[13392]: client 62.193.206.235#24805: query (cache) 'le-droit-de-lenfance.com/A/IN' denied
Feb 11 00:22:07 ns1 named[13392]: client 195.68.176.4#50225: query (cache) './NS/IN' denied
Feb 11 00:22:08 ns1 named[13392]: client 195.68.176.4#27039: query (cache) './NS/IN' denied
Feb 11 00:22:08 ns1 named[13392]: client 195.68.176.4#47331: query (cache) './NS/IN' denied
Feb 11 00:22:12 ns1 named[13392]: client 195.68.176.4#53740: query (cache) './NS/IN' denied
Feb 11 00:22:12 ns1 named[13392]: client 195.68.176.4#53988: query (cache) './NS/IN' denied
Feb 11 00:22:12 ns1 named[13392]: client 62.193.206.133#1995: query (cache) 'le-droit-de-lenfance.com/A/IN' denied


Is it a misconfiguration of my DNS server (which passes the French NIC test,
so...) or an attack, or something else?

Is there anything I should do?

Regards,
Thomas.
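Added example (not from the thread) that summarises the "query (cache) ... denied" lines above by source address and query name, so a burst of root NS (`./NS/IN`) queries from a few addresses stands out. named logs this line when a client asks for something outside the server's authoritative zones and cache access is refused. The log lines below are constructed in the same format as the thread's, with documentation-range addresses rather than the thread's; the reply further up the thread explains why such sources are usually spoofed victims and should not simply be firewalled.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in named's format; addresses are RFC 5737 ranges.
LOG = """\
Feb 11 00:21:49 ns1 named[13392]: client 192.0.2.4#59934: query (cache) './NS/IN' denied
Feb 11 00:21:49 ns1 named[13392]: client 192.0.2.4#23591: query (cache) './NS/IN' denied
Feb 11 00:21:53 ns1 named[13392]: client 192.0.2.4#54430: query (cache) './NS/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 198.51.100.7#14844: query (cache) 'example.com/A/IN' denied
Feb 11 00:21:58 ns1 named[13392]: client 198.51.100.7#11936: query (cache) 'example.com/A/IN' denied
Feb 11 00:22:05 ns1 named[13392]: client 192.0.2.4#61345: query (cache) './NS/IN' denied
Feb 11 00:22:06 ns1 named[13392]: client 203.0.113.9#53811: query (cache) 'example.org/MX/IN' denied
Feb 11 00:22:07 ns1 named[13392]: some unrelated message
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/IN' denied$")

def parse_denied(log_text):
    """Yield (timestamp, client_ip, qname, qtype) for each denied cache query."""
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("qname"), m.group("qtype")

def summarise(log_text):
    """Return {ip: {'total': n, 'queries': Counter({'qname/qtype': n})}}."""
    per_ip = defaultdict(lambda: {"total": 0, "queries": Counter()})
    for _ts, ip, qname, qtype in parse_denied(log_text):
        per_ip[ip]["total"] += 1
        per_ip[ip]["queries"][f"{qname}/{qtype}"] += 1
    return dict(per_ip)

def root_ns_sources(summary, min_hits=3):
    """Addresses sending repeated root NS queries, the amplification-friendly
    pattern seen in the thread; the source address is likely spoofed."""
    return sorted(ip for ip, s in summary.items()
                  if s["queries"]["./NS"] >= min_hits)

if __name__ == "__main__":
    summary = summarise(LOG)
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["total"]):
        print(ip, s["total"], dict(s["queries"]))
    print("repeated ./NS sources (likely spoofed):", root_ns_sources(summary))
```

Feed it the real file with `summarise(open("/var/log/syslog").read())`; the per-name breakdown separates the root NS reflection pattern from ordinary clients that merely tried to use the server as a recursive resolver.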

Re: loads of Query denied... is it an attack or a misconfiguration ?

2009-02-10 Thread Thomas Manson
That's some awesome answer... (did you get help to elaborate it?)

Equivalent: Google is your friend, search the RFCs.

Then... read the list archives... I guess I can spend the next ten years if
I read it from the beginning.

Could you give any clue of what to look for?

I believed I was on the bind mailing list; a mailing list is where you usually
get some help... isn't it?

Thomas.

On Wed, Feb 11, 2009 at 00:52, Thomas Manson dev.mansontho...@gmail.com wrote:

 


 On Wed, Feb 11, 2009 at 00:51, Mark Andrews mark_andr...@isc.org wrote:


Please go read the list archives.

Mark
 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org




Re: loads of Query denied... is it an attack or a misconfiguration ?

2009-02-10 Thread Thomas Manson
Someone answered me,

You could just have said "search reflector DoS attack in the list archive";
this would have narrowed down my research a lot.

I'll temporarily block the IP on my firewall.

On Wed, Feb 11, 2009 at 01:21, Mark Andrews mark_andr...@isc.org wrote:


 In message f43eb7e60902101552l524787b1t72fcc821437af...@mail.gmail.com,
 Thomas Manson writes:

The subject matter has been discussed in lots of detail
over the last month.  Go read the archives of the mailing
list.

Mark
 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
