Re: Configuring CNAME for nosslsearch.google.com

2012-04-15 Thread Ben Croswell
What you are asking for can't be done.
If you load the google.com zone everything you don't load in the zone will
be black holed and not resolve.
If you try to load WWW.Google.com you will not be able to make WWW a cname
due to the no cname and other data rule.
 On Apr 15, 2012 5:39 PM, "Tobias Krais"  wrote:

> Hi together,
>
> I am a newbie to bind and wasted hours to create my first bind
> configuration. My target is simply creating a configuration with a CNAME
> for www.google.com to nosslsearch.google.com.
>
> First: I use Ubuntu Precise Pangolin with bind 9.8.1. I have a
> transparent proxy (Dansguardian + Squid) that I use for just this lonely
> computer.
>
> Now I read that I have to create a zone for google.com. Others said that
> it is OK to create a zone for www.google.com. But as far as I understand
> this won't be a great solution.
>
> Can you help me to create a zone for google.com that does only one
> thing: a CNAME for www.google.com to nosslsearch.google.com. It would be
> best, if all IP-addresses for other google.com subdomains like
> docs.google.com or even nosslsearch.google.com are taken from the
> "normal" nameserver, e.g. 8.8.8.8.
>
> Can anyone help me to create my /etc/bind/db.google.com file?
>
> Greetings,
>
> Tobias
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

Re: Configuring CNAME for nosslsearch.google.com

2012-04-15 Thread Tobias Krais
Hi Ben,

hmm. How can I manage what google suggests:
"Information for school network administrators about the No-SSL option

To utilize the no SSL option for your network, configure the DNS entry
for www.google.com to be a CNAME for nosslsearch.google.com."
Source:
http://support.google.com/websearch/bin/answer.py?hl=en&hlrm=en&answer=186669.
You can find this quite at the end of the document.

How can I realize such a configuration in bind?

Greetings,

Tobias

On 16.04.2012 00:31, Ben Croswell wrote:
> What you are asking for can't be done.
> If you load the google.com zone everything you don't
> load in the zone will be black holed and not resolve.
> If you try to load WWW.Google.com you will not
> be able to make WWW a cname due to the no cname and other data rule.
>
> On Apr 15, 2012 5:39 PM, "Tobias Krais" wrote:
>
> > Hi together,
> >
> > I am a newbie to bind and wasted hours to create my first bind
> > configuration. My target is simply creating a configuration with a CNAME
> > for www.google.com to nosslsearch.google.com.
> >
> > First: I use Ubuntu Precise Pangolin with bind 9.8.1. I have a
> > transparent proxy (Dansguardian + Squid) that I use for just this lonely
> > computer.
> >
> > Now I read that I have to create a zone for google.com. Others said that
> > it is OK to create a zone for www.google.com. But as far as I understand
> > this won't be a great solution.
> >
> > Can you help me to create a zone for google.com that does only one
> > thing: a CNAME for www.google.com to nosslsearch.google.com. It would be
> > best, if all IP-addresses for other google.com subdomains like
> > docs.google.com or even nosslsearch.google.com are taken from the
> > "normal" nameserver, e.g. 8.8.8.8.
> >
> > Can anyone help me to create my /etc/bind/db.google.com file?
> >
> > Greetings,
> >
> > Tobias


Re: Configuring CNAME for nosslsearch.google.com

2012-04-16 Thread Phil Mayers

On 04/15/2012 11:40 PM, Tobias Krais wrote:

> Hi Ben,
>
> hmm. How can I manage what google suggests:
> "Information for school network administrators about the No-SSL option
>
> To utilize the no SSL option for your network, configure the DNS entry
> for www.google.com to be a CNAME for nosslsearch.google.com."
> Source:
> http://support.google.com/websearch/bin/answer.py?hl=en&hlrm=en&answer=186669.
> You can find this quite at the end of the document.
>
> How can I realize such a configuration in bind?


As you've been told, you can't. CNAMEs can't live at zone apex, so you 
can't have a CNAME at the zone apex of "www.google.com". And if you create 
"google.com" as a zone, all other hostnames will be blackholed, 
including "nosslsearch.google.com".


I don't know why Google have made that suggestion; it's a bad 
suggestion, that's not supported by many nameservers.


I personally think it's a bad idea to try and disable SSL search for 
your users too, but that's your decision.

"unbound" might be able to do this, with a transparent local-zone and 
local-data override for "www.google.com".



Re: Configuring CNAME for nosslsearch.google.com

2012-04-16 Thread Lyle Giese

On 4/16/2012 3:30 AM, Phil Mayers wrote:

> On 04/15/2012 11:40 PM, Tobias Krais wrote:
>> Hi Ben,
>>
>> hmm. How can I manage what google suggests:
>> "Information for school network administrators about the No-SSL option
>>
>> To utilize the no SSL option for your network, configure the DNS entry
>> for www.google.com to be a CNAME for nosslsearch.google.com."
>> Source:
>> http://support.google.com/websearch/bin/answer.py?hl=en&hlrm=en&answer=186669.
>>
>> You can find this quite at the end of the document.
>>
>> How can I realize such a configuration in bind?
>
> As you've been told, you can't. CNAMEs can't live at zone apex, so you
> can't have a CNAME at the zone apex of "www.google.com". And if you create
> "google.com" as a zone, all other hostnames will be blackholed,
> including "nosslsearch.google.com".
>
> I don't know why Google have made that suggestion; it's a bad
> suggestion, that's not supported by many nameservers.
>
> I personally think it's a bad idea to try and disable SSL search for
> your users too, but that's your decision.
>
> "unbound" might be able to do this, with a transparent local-zone and
> local-data override for "www.google.com".


Or did they really mean, create a hosts file on the local machine that 
contains...


Or in your proxy server redirect www.google.com to nosslsearch.google.com

DNS server software is not very supportive of doing this for good reasons.

Lyle Giese
LCR Computer Services, Inc.



RE: Configuring CNAME for nosslsearch.google.com

2012-04-16 Thread Matthew Huff
Actually, this can be done.

Create a zone file for "www.google.com", not "google.com". The zone file
should look like this (replace THIS_HOSTNAME with the name of your nameserver):


@   IN  SOA localhost   root@localhost. (
            2012041100
            7200
            1800
            1209600
            300 )

    IN NS THIS_HOSTNAME

    IN CNAME nosslsearch.google.com.





Matthew Huff | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC   | Phone: 914-460-4039
aim: matthewbhuff    | Fax:   914-460-4139


Re: Configuring CNAME for nosslsearch.google.com

2012-04-16 Thread Alan Clegg
On 4/16/2012 9:40 AM, Matthew Huff wrote:
> Actually, this can be done.
> 
> Create a zone file for "www.google.com", not "google.com". The zone file
> should look like this (replace THIS_HOSTNAME with the name of your nameserver):
> 
> 
> @ IN  SOA localhost   root@localhost. (
>   2012041100
>   7200
>   1800
>   1209600 
>   300 )
>   
>   IN NS THIS_HOSTNAME
> 
>   IN CNAME nosslsearch.google.com.

Which isn't legal since you can't have a CNAME and another RR at the
same label.

AlanC
-- 
a...@clegg.com | acl...@infoblox.com
  1.919.355.8851




RE: Configuring CNAME for nosslsearch.google.com

2012-04-16 Thread Ben Croswell
This is incorrect. It is illegal to have a cname and any other record on
the same name in dns. The ns and soa count as records.
 On Apr 16, 2012 9:41 AM, "Matthew Huff"  wrote:

> Actually, this can be done.
>
> Create a zone file for "www.google.com", not "google.com". The zone file
> should look like this (replace THIS_HOSTNAME with the name of your nameserver):
>
>
> @   IN  SOA localhost   root@localhost. (
>             2012041100
>             7200
>             1800
>             1209600
>             300 )
>
>     IN NS THIS_HOSTNAME
>
>     IN CNAME nosslsearch.google.com.

Re: Configuring CNAME for nosslsearch.google.com

2012-04-16 Thread /dev/rob0
On Mon, Apr 16, 2012 at 09:40:16AM -0400, Matthew Huff wrote:
> Actually, this can be done.
> 
> Create a zone file for "www.google.com", not "google.com". The zone file
> should look like this (replace THIS_HOSTNAME with the name of your nameserver):
> 
> 
> @ IN  SOA localhost   root@localhost. (
>   2012041100
>   7200
>   1800
>   1209600 
>   300 )
>   
>   IN NS THIS_HOSTNAME
> 
>   IN CNAME nosslsearch.google.com.

Did you try this out with named-checkzone(8)?

1. Bad SOA:
   a. unqualified MNAME
   b. "@" in RNAME
2. CNAME and other data

The top of a zone cannot be a CNAME, because SOA and NS are required.

The OP needs to talk to Google about their suggestion.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


RE: Configuring CNAME for nosslsearch.google.com

2012-04-16 Thread Matthew Huff
I had forgotten that about CNAME. But you can hard-code an A record to the
nosslsearch.google.com record


We have to use this technique (we point the A record to a proxy) for
regulatory reasons to block IM connections except through our IM proxy.


Matthew Huff | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC   | Phone: 914-460-4039
aim: matthewbhuff    | Fax:   914-460-4139



Re: Configuring CNAME for nosslsearch.google.com

2012-04-16 Thread Chris Buxton
On Apr 15, 2012, at 3:40 PM, Tobias Krais wrote:

> Hi Ben,
> 
> hmm. How can I manage what google suggests:
> "Information for school network administrators about the No-SSL option
> 
> To utilize the no SSL option for your network, configure the DNS entry
> for www.google.com to be a CNAME for nosslsearch.google.com."
> Source:
> http://support.google.com/websearch/bin/answer.py?hl=en&hlrm=en&answer=186669.
> You can find this quite at the end of the document.
> 
> How can I realize such a configuration in bind?

I believe you can use response policy (RPZ) to achieve this. Or you can use 
just about any non-BIND resolver (e.g. unbound) to achieve this.

Chris Buxton
BlueCat Networks


Re: Configuring CNAME for nosslsearch.google.com

2012-04-17 Thread Tobias Krais
Hi all together,

very interesting this discussion. For I am a newbie I understood only half.

Thus I detected 2 ways to continue:

> I believe you can use response policy (RPZ) to achieve this. Or you can use 
> just about any non-BIND resolver (e.g. unbound) to achieve this.

1. Don't use bind but e.g. unbound instead.

2. Ask Google.

Any other ideas I missed?

I will do so and in case of success, I'll post the link here.

Thanks for your great help!

Greetings,

Tobias


Re: Configuring CNAME for nosslsearch.google.com

2012-04-17 Thread Phil Mayers

On 17/04/12 13:24, Tobias Krais wrote:

> Hi all together,
>
> very interesting this discussion. For I am a newbie I understood only
> half.
>
> Thus I detected 2 ways to continue:
>
>> I believe you can use response policy (RPZ) to achieve this. Or you
>> can use just about any non-BIND resolver (e.g. unbound) to achieve
>> this.
>
> 1. Don't use bind but e.g. unbound instead.
>
> 2. Ask Google.
>
> Any other ideas I missed?


3. Use RPZ, as per Chris' suggestion

4. Create a zone for "www.google.com" and instead of CNAME, put an A 
record at the apex with the same IP as "nosslsearch.google.com". Run a 
script FREQUENTLY to re-resolve the host, as Google do short-TTL 
DNS-based loadbalancing.


5. Don't do this at all, since interfering with SSL is bad.


Re: Configuring CNAME for nosslsearch.google.com

2012-04-17 Thread Tobias Krais
Hi Phil,

>> 1. Don't use bind but e.g. unbound instead.

First: here the link to follow on the unbound mailing list:
http://unbound.nlnetlabs.nl/pipermail/unbound-users/2012-April/002329.html

>> Any other ideas I missed?
> 
> 3. Use RPZ, as per Chris' suggestion
> 
> 4. Create a zone for "www.google.com" and instead of CNAME, put an A
> record at the apex with the same IP as "nosslsearch.google.com". Run a
> script FREQUENTLY to re-resolve the host, as Google do short-TTL
> DNS-based loadbalancing.
> 
> 5. Don't do this at all, since interfering with SSL is bad.

Thanks for that hint. I'll give it a try if the unbound solution won't work.

Greetings,

Tobias


Re: Configuring CNAME for nosslsearch.google.com

2012-05-08 Thread Tobias Krais
Hi Phil,

> 4. Create a zone for "www.google.com" and instead of CNAME, put an A
> record at the apex with the same IP as "nosslsearch.google.com". Run a
> script FREQUENTLY to re-resolve the host, as Google do short-TTL
> DNS-based loadbalancing.

For unbound has no solution I now want to try your suggestion no. 4. My
db file now looks like this:
-%<-
@   IN  SOA localhost   root@localhost. (
            2012041100
            7200
            1800
            1209600
            300 )
    IN  A   216.239.32.20 #nosslsearch.google.com.
-%<-

But this does not work. Can you tell me what's wrong?

Greetings,

Tobias


Re: Configuring CNAME for nosslsearch.google.com

2012-05-08 Thread Barry Margolin
In article ,
 Tobias Krais  wrote:

> Hi Phil,
> 
> > 4. Create a zone for "www.google.com" and instead of CNAME, put an A
> > record at the apex with the same IP as "nosslsearch.google.com". Run a
> > script FREQUENTLY to re-resolve the host, as Google do short-TTL
> > DNS-based loadbalancing.
> 
> For unbound has no solution I now want to try your suggestion no. 4. My
> db file now looks like this:
> -%<-
> @   IN  SOA localhost   root@localhost. (
> 2012041100
> 7200
> 1800
> 1209600
> 300 )
> IN  A   216.239.32.20 #nosslsearch.google.com.
> -%<-
> 
> But this does not work. Can you tell me what's wrong?
> 
> Greetings,
> 
> Tobias

"#" isn't the comment character in DNS zone files, ";" is.

-- 
Barry Margolin
Arlington, MA


Re: Configuring CNAME for nosslsearch.google.com

2012-05-08 Thread Jan-Piet Mens
> -%<-
> @   IN  SOA localhost   root@localhost. (
> 2012041100
> 7200
> 1800
> 1209600
> 300 )
> IN  A   216.239.32.20 #nosslsearch.google.com.
> -%<-

What's the hash doing there? ...^

That's not a comment.

Replace that whole line by 

nosslsearch.google.com.   IN  A   216.239.32.20 

Assuming you've configured the zone correctly, that ought to do the
trick. (It has been pointed out to you previously, that this IP address
is bound to change -- you should monitor the "real" domain name
frequently and then update (dynamically?) your zone.

-JP


Re: Configuring CNAME for nosslsearch.google.com

2012-05-08 Thread Chris Thompson

On May 8 2012, Barry Margolin wrote:


> In article ,
> Tobias Krais  wrote:
>
>> Hi Phil,
>>
>>> 4. Create a zone for "www.google.com" and instead of CNAME, put an A
>>> record at the apex with the same IP as "nosslsearch.google.com". Run a
>>> script FREQUENTLY to re-resolve the host, as Google do short-TTL
>>> DNS-based loadbalancing.
>>
>> For unbound has no solution I now want to try your suggestion no. 4. My
>> db file now looks like this:
>> -%<-
>> @   IN  SOA localhost   root@localhost. (
>>             2012041100
>>             7200
>>             1800
>>             1209600
>>             300 )
>>     IN  A   216.239.32.20 #nosslsearch.google.com.
>> -%<-
>>
>> But this does not work. Can you tell me what's wrong?
>>
>> Greetings,
>>
>> Tobias
>
> "#" isn't the comment character in DNS zone files, ";" is.


Also, you need at least one NS record (maybe for "localhost.").
named-checkzone would have told you about both these problems.

Less serious problems:

It's better to use a $TTL directive than rely on it defaulting to
the SOA.MINTTL value (or specify all TTLs explicitly).

You probably meant "root.localhost." for the SOA.rname.

--
Chris Thompson
Email: c...@cam.ac.uk


Re: Configuring CNAME for nosslsearch.google.com

2012-05-08 Thread /dev/rob0
Sundry nitpicks. Not much of interest here, sorry.

On Tue, May 08, 2012 at 05:38:55PM +0200, Jan-Piet Mens wrote:
> > -%<-
> > @   IN  SOA localhost   root@localhost. (
> > 2012041100
> > 7200
> > 1800
> > 1209600
> > 300 )
> > IN  A   216.239.32.20 #nosslsearch.google.com.
> > -%<-
> 
> What's the hash doing there? ...^
> 
> That's not a comment.
> 
> Replace that whole line by 
> 
> nosslsearch.google.com.   IN  A   216.239.32.20 

ITYM:

@   IN  A   216.239.32.20

This zone is named "www.google.com."

> Assuming you've configured the zone correctly, that ought to do the 
> trick. (It has been pointed out to you previously, that this IP 
> address is bound to change -- you should monitor the "real" domain 
> name frequently and then update (dynamically?) your zone.

On Tue, May 08, 2012 at 05:07:39PM +0100, Chris Thompson wrote:
> On May 8 2012, Barry Margolin wrote:
> 
> >In article ,
> >Tobias Krais  wrote:
> >
> >>Hi Phil,
> >>
> >>> 4. Create a zone for "www.google.com" and instead of CNAME, put an A
> >>> record at the apex with the same IP as "nosslsearch.google.com". Run a
> >>> script FREQUENTLY to re-resolve the host, as Google do short-TTL
> >>> DNS-based loadbalancing.
> >>
> >>For unbound has no solution I now want to try your suggestion no. 4. My
> >>db file now looks like this:
> >>-%<-
> >>@   IN  SOA localhost   root@localhost. (
> >>2012041100
> >>7200
> >>1800
> >>1209600
> >>300 )
> >>IN  A   216.239.32.20 #nosslsearch.google.com.
> >>-%<-
> >>
> >>But this does not work. Can you tell me what's wrong?
> >>
> >>Greetings,
> >>
> >>Tobias
> >
> >"#" isn't the comment character in DNS zone files, ";" is.
> 
> Also, you need at least one NS record (maybe for "localhost.").
> named-checkzone would have told you about both these problems.
> 
> Less serious problems:
> 
> It's better to use a $TTL directive than rely on it defaulting to
> the SOA.MINTTL value (or specify all TTLs explicitly).
> 
> You probably meant "root.localhost." for the SOA.rname.

And "localhost." for the SOA.mname.

And the SOA.serial implies the date of April 11. :) Seriously, you 
would probably want the serial to reflect the date you last did a 
check of the upstream name, nosslsearch.google.com.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
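
The zone-file mistakes named in the replies above ("#" used as a comment, no NS record, "@" in the SOA RNAME, unqualified MNAME, CNAME and other data) can be written down as a small lint. This is an added example, not code from any poster in this thread; the function names and result labels are made up for illustration, the three sample zones are reconstructed from the thread with leading whitespace restored, and named-checkzone remains the authoritative check.

```python
"""Added example: lint for the zone-file mistakes named in this thread."""


def parse_zone(text, origin):
    """Minimal master-file reader: ';' comments, ( ) continuation, '@' and
    blank-owner inheritance. Returns a list of (owner, type, rdata)."""
    records, owner, buf, depth, inherit = [], origin, [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if depth == 0:
            if not line.strip() or line.lstrip().startswith("$"):
                continue  # blank line or $TTL/$ORIGIN directive
            buf, inherit = [], line[0].isspace()
        depth += line.count("(") - line.count(")")
        buf += line.replace("(", " ").replace(")", " ").split()
        if depth > 0:
            continue  # still inside a parenthesised record
        if not inherit:
            name = buf.pop(0)
            owner = origin if name == "@" else (
                name if name.endswith(".") else f"{name}.{origin}")
        while buf and (buf[0].isdigit() or buf[0].upper() == "IN"):
            buf.pop(0)  # optional TTL and class
        if buf:
            records.append((owner.lower(), buf[0].upper(), buf[1:]))
    return records


def lint_zone(text, origin):
    """Return the set of problems (labels are illustrative) found in a zone."""
    problems, types_at = set(), {}
    for owner, rtype, rdata in parse_zone(text, origin):
        types_at.setdefault(owner, set()).add(rtype)
        if any(tok.startswith("#") for tok in rdata):
            problems.add("hash-is-not-a-comment")  # ';' starts a comment
        if rtype == "SOA" and len(rdata) >= 2:
            if not rdata[0].endswith("."):
                problems.add("unqualified-mname")
            if "@" in rdata[1]:
                problems.add("at-sign-in-rname")  # RNAME uses '.' not '@'
    for types in types_at.values():
        if "CNAME" in types and len(types) > 1:
            problems.add("cname-and-other-data")
    apex = types_at.get(origin.lower(), set())
    if "SOA" not in apex:
        problems.add("no-soa-at-apex")
    if "NS" not in apex:
        problems.add("no-ns-at-apex")
    return problems


# Constructed samples: the three zone files posted in the thread for the zone
# "www.google.com.", with the leading whitespace restored.
TIMERS = "        7200\n        1800\n        1209600\n        300 )\n"
HUFF_ZONE = (
    "@   IN  SOA localhost   root@localhost. (\n        2012041100\n" + TIMERS
    + "    IN NS THIS_HOSTNAME\n"
    + "    IN CNAME nosslsearch.google.com.\n")
FIRST_TRY = (
    "@   IN  SOA localhost   root@localhost. (\n        2012041100\n" + TIMERS
    + "    IN  A   216.239.32.20 #nosslsearch.google.com.\n")
FINAL_ZONE = (
    "@   IN  SOA localhost.  root.localhost. (\n        2012050900\n" + TIMERS
    + "    1800    IN  NS  localhost.\n"
    + "    1800    IN  A   216.239.32.20 ;nosslsearch.google.com.\n")

if __name__ == "__main__":
    samples = (("CNAME proposal", HUFF_ZONE), ("first A-record try", FIRST_TRY),
               ("final zone", FINAL_ZONE))
    for label, zone in samples:
        print(label, sorted(lint_zone(zone, "www.google.com.")) or "clean")
```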


Re: Configuring CNAME for nosslsearch.google.com

2012-05-08 Thread Joseph S D Yao
On Tue, Apr 17, 2012 at 02:24:48PM +0200, Tobias Krais wrote:
> Hi all together,
> 
> very interesting this discussion. For I am a newbie I understood only half.
> 
> Thus I detected 2 ways to continue:
> 
> > I believe you can use response policy (RPZ) to achieve this. Or you can use 
> > just about any non-BIND resolver (e.g. unbound) to achieve this.
> 
> 1. Don't use bind but e.g. unbound instead.
> 
> 2. Ask Google.
...


6. Use your workstation's /etc/hosts or MSW's something...\hosts file
to insert the desired IP address for www.google.com.  This is as bad a
suggestion as all the others - worse, because it doesn't scale to a
site with multiple workstations.


--
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


Re: Configuring CNAME for nosslsearch.google.com

2012-05-08 Thread Tobias Krais
Hi Jan-Piet,

> What's the hash doing there? ...^
> 
> That's not a comment.

Thanks. I continue learning...

> Replace that whole line by 
> 
> nosslsearch.google.com.   IN  A   216.239.32.20 

Zone is www.google.com. That won't work here

> Assuming you've configured the zone correctly, that ought to do the
> trick. (It has been pointed out to you previously, that this IP address
> is bound to change -- you should monitor the "real" domain name
> frequently and then update (dynamically?) your zone.

Yes, Phil already told me. But first it has to work with an A record...

Thanks Jan-Piet!

Greetings,

Tobias


Re: Configuring CNAME for nosslsearch.google.com

2012-05-08 Thread Tobias Krais
Hi together,

thanks for these many hints. Wow! So many mistakes in a few lines. Here
is now my config file:
-%<-
@   IN  SOA localhost.  root.localhost. (
            2012050900
            7200
            1800
            1209600
            300 )
    1800    IN  NS  localhost.
    1800    IN  A   216.239.32.20 ;nosslsearch.google.com.
-%<-

And here my dig answer:
-%<-
root@tobias-xps:/home/tobias# dig @localhost www.google.com

; <<>> DiG 9.8.1-P1 <<>> @localhost www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51300
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         1800    IN      A       216.239.32.20

...
-%<-

That looks good. Are there any more mistakes or hints not mentioned yet?

Greetings,

Tobias
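
Suggestion 4 in this thread (an apex A record in a "www.google.com" zone, re-resolved frequently because the upstream address changes) needs a refresh job to stay correct. The following is an added example, not code from any poster in this thread; the zone file path, the 300 second $TTL and the function names are assumptions, and named-checkzone and rndc are assumed to be on PATH.

```python
"""Added example: keep the A-record override for www.google.com current."""
import datetime
import ipaddress
import os
import re
import socket
import subprocess

ZONE_NAME = "www.google.com"
UPSTREAM = "nosslsearch.google.com"
ZONE_FILE = "/etc/bind/db.www.google.com"  # assumed path, match your named.conf

ZONE_TEMPLATE = """\
$TTL 300
@   IN  SOA localhost.  root.localhost. (
            {serial}    ; serial, YYYYMMDDnn
            7200
            1800
            1209600
            300 )
    IN  NS  localhost.
{a_records}
"""


def resolve_ipv4(name):
    """Look up the current IPv4 addresses of `name` via the system resolver."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def current_state(zone_text):
    """Extract (serial, sorted A-record addresses) from an existing zone file."""
    serial = re.search(r"\(\s*(\d+)", zone_text)
    addrs = re.findall(r"\bIN\s+A\s+(\d+\.\d+\.\d+\.\d+)", zone_text)
    return (int(serial.group(1)) if serial else 0), sorted(addrs)


def next_serial(old_serial, today):
    """YYYYMMDDnn serial for `today`, always greater than `old_serial`."""
    base = int(today.strftime("%Y%m%d")) * 100
    return base if old_serial < base else old_serial + 1


def refresh(zone_text, new_addrs, today):
    """Return new zone text, or None if the addresses are unchanged or the
    lookup returned nothing (keep serving the last known-good zone)."""
    serial, old_addrs = current_state(zone_text)
    # Reject anything that is not a literal IPv4 address before it reaches
    # the zone file (raises ValueError).
    new_addrs = sorted({str(ipaddress.IPv4Address(a)) for a in new_addrs})
    if not new_addrs or new_addrs == old_addrs:
        return None
    a_records = "\n".join(f"    IN  A   {ip}" for ip in new_addrs)
    return ZONE_TEMPLATE.format(serial=next_serial(serial, today),
                                a_records=a_records)


if __name__ == "__main__":
    with open(ZONE_FILE) as fh:
        old_text = fh.read()
    new_text = refresh(old_text, resolve_ipv4(UPSTREAM), datetime.date.today())
    if new_text is not None:
        tmp = ZONE_FILE + ".new"
        with open(tmp, "w") as fh:
            fh.write(new_text)
        # Validate before swapping the file in, then ask named to reload it.
        subprocess.run(["named-checkzone", ZONE_NAME, tmp], check=True)
        os.replace(tmp, ZONE_FILE)
        subprocess.run(["rndc", "reload", ZONE_NAME], check=True)
```

Run it from cron at an interval no longer than the zone's TTL; a failed lookup or a failed named-checkzone run leaves the existing zone file untouched.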