FW: Pls help me for bind9
Hi dear

Pls help me for bind9

孙睿 / Rui Sun

-----Original Message-----
From: Sue Graves [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 21, 2008 12:48 AM
To: Sun, Rui (IT Operation Director)
Cc: [EMAIL PROTECTED]
Subject: Re: Pls help me for bind9

As BIND is Open Source software, there is free support and discussion available from the community by sending mail to [EMAIL PROTECTED]

There are 3 mail lists for discussions among users of ISC's BIND Distribution. You can subscribe via our website at https://lists.isc.org/mailman/listinfo

Updates as to our development work are shared with the BIND Forum members, which you are welcome to join. See https://www.isc.org/software/guild

We also offer paid support contracts: https://www.isc.org/services/support

Regards,
Sue

Sun, Rui (IT Operation Director) wrote:
> Hi dear
>
> pls help me for bind 9
>
> [In my tel DNS server]
>
>   nslookup www.baihui.com
>   Server:   118.102.24.83
>   Address:  118.102.24.83#53
>
>   Non-authoritative answer:
>   www.baihui.com  canonical name = baihui.com.
>   Name:    baihui.com
>   Address: 219.143.38.65
>
> [But my db file is set as below]
>
>   $TTL 600
>   @   IN SOA dns1.baihui.name. hostmaster.baihui.name. (
>               140024    ; Serial
>               6000      ; Refresh
>               3000      ; Retry
>               2419200   ; Expire
>               604800 )  ; Negative Cache TTL
>   ;
>   @   IN NS   dns1.baihui.name.
>   @   IN NS   dns2.baihui.name.
>   baihui.com. IN A    202.127.112.36
>
> [Could you pls give me some help?]
>
> 孙睿 / Rui Sun

--
Susan Graves
Internet Systems Consortium
+1 650-423-1323 office
[EMAIL PROTECTED]
See http://www.isc.org/training/ for the latest information on our training offerings

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Just to make sure I have TTL's understood.
Scott Haneda [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Before I go out on a limb, I wanted to ask those who know more about this than I do. I added a zone change to my primary server, in this case, setting the TTL's pretty low, as things were going to move around a bit in the beginning. Waited a few weeks after adding it.
>
> * The basic thing I am trying to understand, is *when* the slaves get the change, and what repercussions there are if it is slow.
>
> Here is the zone:
>
>   $ORIGIN .
>   $TTL 86400      ; 1 day
>   example.com     IN SOA  ns1.hostwizard.com. scott.hostwizard.com. (
>                           2008112501 ; serial   *** I did change this ***
>                           14400      ; refresh (4 hours)
>                           7200       ; retry (2 hours)
>                           604800     ; expire (1 week)
>                           3600       ; minimum (1 hour)
>                           )
>   $TTL 3600       ; 1 hour
>                   NS      ns1.hostwizard.com.
>                   NS      ns1.nacio.com.
>                   A       64.84.37.51
>   $TTL 300        ; 5 minutes
>                   MX      10 gonepostal.hostwizard.com.
>   $TTL 3600       ; 1 hour
>                   TXT     "v=spf1 ip4:64.84.37.0/26 ?all"

Should be changed to:

                  SPF     "v=spf1 ..."

Usage of TXT for spf declarations has been deprecated for 2 years now. Why are you using ?all? That opens you up to forged messages (unless you're uncertain about the record).

>   $ORIGIN example.com.
>   foo             A       64.84.37.51
>   bar             A       64.84.37.51
>   $TTL 300        ; 5 minutes
>   www             A       64.84.37.51
>   pop             A       64.84.37.6
>   smtp            A       64.84.37.6
>
>   dig example.com MX
>
> That will give me back the MX you see above. In this case, I am on a Starbucks wifi, so they use whatever NS they are using. At home, the same command, pointed to OpenDNS, gives back the new MX as well.
>
> Now, if I run dig example.com MX @ns1.hostwizard.com I also get the new MX.
>
> Running dig example.com MX @ns1.nacio.com, which is my slave provider:
>
>   example.com.   188   IN   MX   20 mx1.biz.mail.yahoo.com.
>   example.com.   188   IN   MX   30 mx5.biz.mail.yahoo.com.
>
> It took OpenDNS all of 6 or 7 minutes to get the change. I am now, hours later, not seeing the change in my secondary provider. They also have ns0.nacio.com, ns1.nacio.com, ns2.nacio.com and ns3.nacio.com, all of which answer stale for this query.
It may take up to 4 hours for your secondary to see the change. Why? Your refresh value on your SOA record is set to 4 hours. Therefore, the secondary server(s) won't check again until 4 hours after the last zone transfer, and when that check occurs and doesn't note a new serial number, then they should check in 2 hour intervals thereafter.

So why did OpenDNS get the change earlier:

1) They didn't have anything cached, are not servers for your zone, and queried your primary.
2) If they are also secondaries, perhaps they respect NOTIFY messages, while your secondaries do not.

> Am I correct, in that, the 300 TTL I set, is correct, and what I should have done to prepare for a MX change to happen with as little problem/delay as possible?

No. The least delay is a TTL of 0 seconds, which should cause no caching of the record at all.

> What is the setting on a slave that determines when it should see my change? My logs show the notifies going over, and being accepted.

Depends on the DNS software at the secondary. Perhaps notifies are being ignored. Do you know what they run?

> I also provide a secondary, and to be honest, if I wanted to stall my secondary from accepting a primary notify, different than the TTL, I would not even know how to do that.
>
> If the whois servers are listed with myself, and my secondary, and the secondary is now stale, for hours, what repercussions does this have?

A lame delegation or old data at your TLD's name servers.

> I think, queries that are not cached by the local resolver of an internet user, go back to whoever is listed in the whois. I am also pretty sure it does not pick one over the other, I see no way a client request could pick a primary over a secondary, I believe it happens at random, almost in a load balanced way, or perhaps it is distance routed, so the closest is first.

Short of fetching the SOA record, there is nothing that tells a resolver which name server is primary, and even that is sometimes non-conclusive (due to faulty data).

> Either way, am I correct in that a secondary, is needed, if it is there, it must be in sync, as it is pretty evenly used by all clients requesting data from it, until their local resolver caches it?

Needed? Yes. (Disaster recovery)
In sync? It should be. (Minor variations during an update are OK)
Used evenly? Given enough time, yes. (Random distribution)

> Thanks, and as I
Re: forward reverse lookups
At Fri, 7 Nov 2008 07:18:27 -0800 (PST), paulpsmith [EMAIL PROTECTED] wrote:

> I'm fairly new to BIND, but have a pretty good understanding of DNS and other protocols. I have been trying to make something work for about a week now and can't figure it out.
>
> Is it possible to have a cache only nameserver forward reverse lookups to a primary server for those zones? This is for internal only.
>
> I have an OBSD 4.4 syslog server. I got named running on it locally as a cache only name server. The syslog messages come in and get logged with the src IP address of the host sending the message. I want the fqdn of the device for easier reading. If I put the name/IP in a hosts file, it shows the name. If I have the server do lookups to the primary servers, I get a name.
>
> My problem is that if I have it just look up to the primary, it is up to 50/100 lookups per second to the primary servers. I don't want to put that load on them.
>
> Anyone have an idea? I've tried putting the zone statements for the subnets in as forward zones in the named.conf, but that does not seem to help.

If I understand you correctly, this should be possible. But if you can provide more details including network configuration and your named.conf that didn't work, we could provide more useful and specific advice.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: rfc1918 ns records coming from internet are queried?
Date: Wed, 26 Nov 2008 21:09:53 +0100 (CET)
To: [EMAIL PROTECTED]
Subject: Re: rfc1918 ns records coming from internet are queried?
From: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]

> > > A border router knows what is inside and outside your network, while a DNS server does not. Important difference.
> >
> > You're missing the point. This is not about inside and outside networks, it is about rfc1918 responses from internet queries.
>
> I'm afraid I have seen too many organizations using a mix of public and RFC1918 IP addresses on the inside. Thus I don't believe that you can differentiate based on RFC1918 addresses or not on a general basis.

Actually, I got the impression that the OP wanted to know if BIND would ignore any NS records provided by some server on the internet that pointed to RFC-1918 type IP addresses. (It could be that everyone is talking to the same thing...)

If BIND sends out a request, as it should, to some set of NS record IP addresses, it keeps a record of WHEN the request was sent out and marks how long it takes to get a response back from those requests. The RFC-1918 type addresses SHOULD never respond - unless you happen to have a server at the same address that someone else is advertising. (The SHOULD never respond is driven by the BCP-38 filtering at edge routers.) Thus those addresses will have ungodly high round trip times and should be removed from further queries...

(My read of how it works. I could be wrong though.)

Regards,
Gregory Hicks

> Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]

---
Gregory Hicks | Principal Systems Engineer | Direct: 408.569.7928

People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance. -- Thomas Jefferson

The best we can hope for concerning the people at large is that they be properly armed. -- Alexander Hamilton
Moderators note
Due to technical difficulties, a number of messages were being held in the moderation queue. These postings have now been cleared out (some may be duplicates, for which I apologize).

We are still working out a couple of minor kinks in the move to the new mailing list system. Thanks for your understanding.

AlanC
Re: logging query results
In article [EMAIL PROTECTED], Mark Andrews [EMAIL PROTECTED] wrote:

> Disk i/o is just glacially slow when compared to network i/o. To get disk logging up to network speeds you need to throw away a lot of it.

Which suggests that having filtering built into the logging might make it much more useful, at the risk of yet more feature bloat. I make this suggestion from experience with packet logging on routers - almost useless without filtering.

Sam
check Availability before sending response
Hello,

Is there any way to make Bind check the server's availability before sending back responses to clients?

i.e., given the domain name www.site.com was pointed to 1.1.1.1 and 2.2.2.2 in Bind. When a client queries for www.site.com, Bind will check the health status of these two servers. If one is unavailable, Bind shouldn't direct the client's requests to it.

I know F5's 3DNS can do it well. But rather than 3DNS, is there any free way for this purpose?

Thanks.
Ken.
Re: check Availability before sending response
On Wed, Dec 03, 2008 at 10:53:43PM +0800, Ken DBA [EMAIL PROTECTED] wrote a message of 21 lines which said:

> i.e., given the domain name www.site.com was pointed to 1.1.1.1 and 2.2.2.2 in Bind. When a client queries for www.site.com, Bind will check the health status of these two servers. If one is unavailable, Bind shouldn't direct the client's requests to it.

How could BIND:

* Know what protocol to test? www.site.com is probably for HTTP, but mail.site.com? POP? IMAP?
* Embed all these protocols? HTTP, HTTPS, POP, IMAP, BitTorrent, DNS, whois, FTP, SSH, SMTP...
Re: FW: Pls help me for bind9
> Subject: FW: Pls help me for bind9
> Date: Fri, 21 Nov 2008 10:25:49 +0800
> From: Sun, Rui (IT Operation Director) [EMAIL PROTECTED]
> To: bind-users@lists.isc.org
>
> Hi dear
>
> Pls help me for bind9

What problem are you having? What does your named.conf look like? Your zone files? (Please include the 'real' files, not any sanitized ones.)

> 孙睿 / Rui Sun
>
> -----Original Message-----
> From: Sue Graves [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 21, 2008 12:48 AM
> To: Sun, Rui (IT Operation Director)
> Cc: [EMAIL PROTECTED]
> Subject: Re: Pls help me for bind9
>
> As BIND is Open Source software, there is free support and discussion available from the community by sending mail to [EMAIL PROTECTED]
>
> There are 3 mail lists for discussions among users of ISC's BIND Distribution. You can subscribe via our website at https://lists.isc.org/mailman/listinfo
>
> Updates as to our development work are shared with the BIND Forum members, which you are welcome to join. See https://www.isc.org/software/guild
>
> We also offer paid support contracts: https://www.isc.org/services/support
>
> Regards,
> Sue
>
> Sun, Rui (IT Operation Director) wrote:
> > Hi dear
> >
> > pls help me for bind 9
> >
> > [In my tel DNS server]
> >
> >   nslookup www.baihui.com
> >   Server:   118.102.24.83
> >   Address:  118.102.24.83#53
> >
> >   Non-authoritative answer:
> >   www.baihui.com  canonical name = baihui.com.
> >   Name:    baihui.com
> >   Address: 219.143.38.65
> >
> > [But my db file is set as below]
> >
> >   $TTL 600
> >   @   IN SOA dns1.baihui.name. hostmaster.baihui.name. (
> >               140024    ; Serial
> >               6000      ; Refresh
> >               3000      ; Retry
> >               2419200   ; Expire
> >               604800 )  ; Negative Cache TTL
> >   ;
> >   @   IN NS   dns1.baihui.name.
> >   @   IN NS   dns2.baihui.name.
> >   baihui.com. IN A    202.127.112.36
> >
> > [Could you pls give me some help?]
> >
> > 孙睿 / Rui Sun
>
> --
> Susan Graves
> Internet Systems Consortium
> +1 650-423-1323 office
> [EMAIL PROTECTED]
> See http://www.isc.org/training/ for the latest information on our training offerings
Re: Dropping external recursive requests
That ought to work, and work well. This will not impact outside name servers that query your name server, because they send iterative queries. If they're sending recursive queries, they're abusing your server.

I can't see any problems with this approach. If you have authoritative data in the third view, make sure that when the first view wants to look it up, its iterative query to the server machine itself is routed through to the third view (rather than being captured by the first view).

Chris Buxton
Men & Mice

On Tue, 2008-12-02 at 17:10 -0800, [EMAIL PROTECTED] wrote:
> Our DNS server occasionally gets requests for recursion with forged src addresses. Currently our server returns "Standard query response, Refused" since our named.conf only allows recursion for our internal machines. This, of course, results in the poor machine whose address was forged receiving spurious traffic.
>
> Some of the Cisco firewalls support DNS inspection and can be configured to drop requests which want recursion. What are the ramifications of enabling this? Can bind be configured to do this? I was thinking about something like:
>
>   view internal {
>       match-clients { localhost; localnets; };
>       ...
>   };
>
>   view external-recursive {
>       match-clients { any; };
>       match-recursive-only yes;
>       blackhole { any; };
>   };
>
>   view external {
>       ...
>   };
>
> --
> John
> [EMAIL PROTECTED]
Re: How to modify A records on the slave when master is down?
On Fri, 2008-11-21 at 21:10 -0800, [EMAIL PROTECTED] wrote:
> Hello. I have two geographically different datacenters. Each datacenter has two instances of BIND. There is one master out of these four.
>
> The zones will have multiple A records (pointing to the two datacenters to provide some minimal amount of redundancy and load balancing).
>
> What I want to do is put together a plan for when the master either fails or the master becomes unavailable. So if your master fails, or more likely, it becomes unavailable, and I need to change the A records on the other slaves, how do you do it?
>
> Can I have a master in each datacenter and a slave in each datacenter, but a change made to any master propagates to all slaves? For that matter, can I just have four masters and be done with it? It doesn't make sense that I could have multiple masters.. but I have no idea how to solve this problem.
>
> If datacenter A goes down for three days, I want to be able to modify the slave A records to stop pointing to the bad datacenter. And when the datacenter comes back up and the old master is alive, I want everything to work.

You can always promote a slave to master status, or maintain a DR copy of the zone. Configure your slave servers to look to your second master (or the slave that will be promoted as needed) as a second master, and enable multi-master. Like this:

  zone "zone.name" {
      type slave;
      file "zone.file";
      masters { ip-of-master; ip-of-backup-master; };
      multi-master yes;
  };

If you have a backup (or DR) master, then the slaves will switch to its version of the zone automatically.

If you instead use a slave that will be promoted for this purpose, then, when disaster strikes:

- Promote the slave (edit the zone statement, changing the type and removing the 'masters' and 'multi-master' statements).
- Edit the zone as needed.
- 'rndc reconfig' ought to work, but you may need 'rndc reload' instead.

If you have lots of zones, it makes sense to keep a whole separate named.conf instead, and simply switch over to it.

Chris Buxton
Men & Mice
Re: socket: too many open file descriptors
At Tue, 2 Dec 2008 05:17:17 -0800 (PST), pollex [EMAIL PROTECTED] wrote:

> Hi Jinmei
>
> I have followed your advice and I have installed and compiled Bind 9.3.6 with the following command:
>
>   STD_CDEFINES="-DISC_SOCKET_FDSETSIZE=4096" ./configure --prefix=/usr/local/bind9.3.6 --enable-threads
>
> But now I have the following issue, I can't start bind with multi threading... I have in the init script the lines:
>
>   OPTIONS="-u bind -n 8 -t /var/lib/named -c /etc/bind/named.conf"
>
> and in the start part:
>
>   mount --bind /proc/ /var/lib/named/proc/ -o ro
>
> (This is needed because bind runs in a jail)

First, you don't need to specify ISC_SOCKET_FDSETSIZE in 9.3.6 (but I don't think it's irrelevant to the main point).

Second, I have no idea. Maybe it's somehow related to this change:

  2472.   [port]   linux: check the number of available cpu's before calling chroot as it depends on /proc. [RT #16923]

hopefully someone more familiar with Linux has some clue.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: Binding DNS server to a particular IP address
Shouldn't the server statement in options/view do the trick?

/Jonathan

On Wed, Dec 3, 2008 at 12:04 PM, Todd Snyder [EMAIL PROTECTED] wrote:
> Try the listen-on directive. Read more here:
> http://books.google.com.hk/books?id=zkZN52WhG8sC&printsec=frontcover&dq=dns&ei=dA-3SJ7XEaWijgG7v4Qw&hl=en&sig=ACfU3U3PDWVTG3zFFj5QkZbfz5ZSy7i84Q#PPA270,M1
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jerry M
> Sent: Wednesday, December 03, 2008 11:37 AM
> To: bind-users@lists.isc.org
> Subject: Binding DNS server to a particular IP address
>
> I have two different IP addresses coming into my server. I need to guarantee that ISC BIND only monitors and replies to requests coming from one of the two IP addresses. I can't seem to find a configuration parameter that tells the server which IP address to listen on. How do I configure that?
>
> Thanks.
>
> JWM
>
> ---------------------------------------------------------------------
> This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
RE: How to modify A records on the slave when master is down?
What we used to do is we had 2 masters. After an update was done on one of them, we ran a perl script that would scp the db files to the other and then send rndc reload to itself and the other master. That way both were always up to date.

It seems like if you had one master and one slave at each datacenter, this would work very well. After the down datacenter comes back up, simply run the script from the up-to-date master. I can send you the perl script to save you some time if you want. The main trick was getting scp to work with rsa keys so no password is required (although it could work fine with a password if you're running the script manually).

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 21, 2008 9:10 PM
To: [EMAIL PROTECTED]
Subject: How to modify A records on the slave when master is down?

> Hello. I have two geographically different datacenters. Each datacenter has two instances of BIND. There is one master out of these four.
>
> The zones will have multiple A records (pointing to the two datacenters to provide some minimal amount of redundancy and load balancing).
>
> What I want to do is put together a plan for when the master either fails or the master becomes unavailable. So if your master fails, or more likely, it becomes unavailable, and I need to change the A records on the other slaves, how do you do it?
>
> Can I have a master in each datacenter and a slave in each datacenter, but a change made to any master propagates to all slaves? For that matter, can I just have four masters and be done with it? It doesn't make sense that I could have multiple masters.. but I have no idea how to solve this problem.
>
> If datacenter A goes down for three days, I want to be able to modify the slave A records to stop pointing to the bad datacenter. And when the datacenter comes back up and the old master is alive, I want everything to work.
Re: Dropping external recursive requests
In message [EMAIL PROTECTED], Alberto Colosi/SI/RM/GSI/it writes:
> why not? better handled by isc and done in a clean way than 1.000.000 of dirty ways as these ;)

Please go read RFC 5358. Nowhere in there does it say to drop responses. If we thought that dropping queries was a good idea it would have been explicitly documented in RFC 5358. Not offering recursive service means returning REFUSED.

> ---
> Alberto Colosi
> IBM Global Business Services
> Sistemi Informativi S.P.A.
> IT NetWork Security Department
> *-* *-* *-* SECURITY IS EVERYONE'S BUSINESS
> Member of IBM Information Security WW CoP

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
RE: How to modify A records on the slave when master is down?
Better to use an ftps than an sftp.

Use vsftpd with the SSL compile option.

GNU lftp

lftp is really simple and can be configured to bypass RSA CA verify sso to allow selfsigned and many other settings.

The difference is that if you lose RSA keys or in all cases, using the RSA keys to allow SCP, you could have a command line session too if used with SSH instead. The main difference is a bit of security more ;)

---
Alberto Colosi
IBM Global Business Services
Sistemi Informativi S.P.A.
IT NetWork Security Department
*-* *-* *-* SECURITY IS EVERYONE'S BUSINESS
Member of IBM Information Security WW CoP

Mike Bernhardt [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/12/2008 22.59

To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc:
Subject: RE: How to modify A records on the slave when master is down?

> What we used to do is we had 2 masters. After an update was done on one of them, we ran a perl script that would scp the db files to the other and then send rndc reload to itself and the other master. That way both were always up to date.
>
> It seems like if you had one master and one slave at each datacenter, this would work very well. After the down datacenter comes back up, simply run the script from the up-to-date master. I can send you the perl script to save you some time if you want. The main trick was getting scp to work with rsa keys so no password is required (although it could work fine with a password if you're running the script manually).
>
> Mike
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 21, 2008 9:10 PM
> To: [EMAIL PROTECTED]
> Subject: How to modify A records on the slave when master is down?
>
> > Hello. I have two geographically different datacenters. Each datacenter has two instances of BIND. There is one master out of these four.
> >
> > The zones will have multiple A records (pointing to the two datacenters to provide some minimal amount of redundancy and load balancing).
> >
> > What I want to do is put together a plan for when the master either fails or the master becomes unavailable. So if your master fails, or more likely, it becomes unavailable, and I need to change the A records on the other slaves, how do you do it?
> >
> > Can I have a master in each datacenter and a slave in each datacenter, but a change made to any master propagates to all slaves? For that matter, can I just have four masters and be done with it? It doesn't make sense that I could have multiple masters.. but I have no idea how to solve this problem.
> >
> > If datacenter A goes down for three days, I want to be able to modify the slave A records to stop pointing to the bad datacenter. And when the datacenter comes back up and the old master is alive, I want everything to work.
Re: Binding DNS server to a particular IP address
Not really. The server statement modifies how named talks to other nameservers, it doesn't affect what addresses are listened on.

- Kevin

Jonathan Petersson wrote:
> Shouldn't the server statement in options/view do the trick?
>
> /Jonathan
>
> On Wed, Dec 3, 2008 at 12:04 PM, Todd Snyder [EMAIL PROTECTED] wrote:
> > Try the listen-on directive. Read more here:
> > http://books.google.com.hk/books?id=zkZN52WhG8sC&printsec=frontcover&dq=dns&ei=dA-3SJ7XEaWijgG7v4Qw&hl=en&sig=ACfU3U3PDWVTG3zFFj5QkZbfz5ZSy7i84Q#PPA270,M1
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jerry M
> > Sent: Wednesday, December 03, 2008 11:37 AM
> > To: bind-users@lists.isc.org
> > Subject: Binding DNS server to a particular IP address
> >
> > I have two different IP addresses coming into my server. I need to guarantee that ISC BIND only monitors and replies to requests coming from one of the two IP addresses. I can't seem to find a configuration parameter that tells the server which IP address to listen on. How do I configure that?
> >
> > Thanks.
> >
> > JWM
Re: check Availability before sending response
Ken DBA wrote:
> Hello,
>
> Is there any way to make Bind check the server's availability before sending back responses to clients?
>
> i.e., given the domain name www.site.com was pointed to 1.1.1.1 and 2.2.2.2 in Bind. When a client queries for www.site.com, Bind will check the health status of these two servers. If one is unavailable, Bind shouldn't direct the client's requests to it.
>
> I know F5's 3DNS can do it well. But rather than 3DNS, is there any free way for this purpose?
>
> Thanks.

Roll your own monitoring system and have it modify the DNS RRset via Dynamic Update (if you prefer) to reflect which server(s) are up/down at any particular time. That's essentially what all these fancy, expensive GSLB boxes do anyway.

- Kevin
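One shape such a monitoring-driven updater can take, as an added example for Ken's question and Kevin's answer (this is not code from the list, from Kevin, or from ISC): a probe decides which addresses are healthy, and the change is sent as an RFC 2136 UPDATE message built by hand on the Python standard library, so the exact wire format the primary receives is visible rather than hidden behind nsupdate. The zone name, owner name, RFC 5737 addresses and the fake probe in the demo are constructed for the example. The message is unsigned; a deployed updater would add a TSIG record and the primary would restrict update-policy to that key, which this example leaves out.

```python
"""Health-check-driven DNS Dynamic Update (RFC 2136) using only the standard
library.  Added example, not code from the bind-users list or from ISC.
Zone/owner names and addresses below are constructed for illustration."""
import socket
import struct

OPCODE_UPDATE = 5
CLASS_IN, CLASS_NONE = 1, 254
TYPE_A, TYPE_SOA = 1, 6


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def encode_rr(owner, rtype, rclass, ttl, rdata):
    """One resource record in the update section."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, owner, healthy, unhealthy, ttl=60, msg_id=0x1234):
    """Build an unsigned UPDATE that deletes the A record of every unhealthy
    address and (re)adds an A record for every healthy one.  Re-adding an RR
    that already exists is a no-op on the server, so the call is idempotent."""
    updates = b""
    for ip in unhealthy:
        # class NONE + TTL 0 = "delete this specific RR" (RFC 2136 section 2.5.4)
        updates += encode_rr(owner, TYPE_A, CLASS_NONE, 0, socket.inet_aton(ip))
    for ip in healthy:
        updates += encode_rr(owner, TYPE_A, CLASS_IN, ttl, socket.inet_aton(ip))
    flags = OPCODE_UPDATE << 11            # QR=0, opcode 5, no other flag bits
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0,
                         len(unhealthy) + len(healthy), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + updates


def rcode_of(response):
    """Extract the RCODE from a DNS message header (0 = NOERROR, 5 = REFUSED)."""
    return response[3] & 0x0F


def tcp_probe(ip, port=80, timeout=2.0):
    """Minimal health check: can we complete a TCP handshake to the service port?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def plan_update(candidates, probe):
    """Split candidate addresses into (healthy, unhealthy) using the probe."""
    healthy = [ip for ip in candidates if probe(ip)]
    unhealthy = [ip for ip in candidates if ip not in healthy]
    return healthy, unhealthy


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from DNS server")
        buf += chunk
    return buf


def send_update(msg, server, port=53, timeout=5.0):
    """Send the UPDATE over TCP (2-byte length prefix) and return the RCODE."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(msg)) + msg)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return rcode_of(_recv_exact(s, length))


if __name__ == "__main__":
    # Constructed demo: RFC 5737 documentation addresses and a fake probe result.
    healthy, unhealthy = plan_update(["192.0.2.10", "192.0.2.20"],
                                     lambda ip: ip == "192.0.2.10")
    msg = build_update("site.example", "www.site.example", healthy, unhealthy)
    print("UPDATE message: %d bytes, %d RRs" % (len(msg), len(healthy) + len(unhealthy)))
    # To apply it: send_update(msg, "<primary-ip>") and expect RCODE 0 (NOERROR).
```

In a real monitor the lambda is replaced by tcp_probe (or an application-level check for the protocol the name serves, which is the point Stephane raises above), and the loop runs on a timer. Keep the TTL on the updated RRset short, since resolvers keep the old answer for up to that long after the primary has changed.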
Re: Dropping external recursive requests
On Dec 3, 6:26 pm, Mark Andrews [EMAIL PROTECTED] wrote:
> If it is a forged packet it should be dropped regardless of the setting of RD.

True, however not something that's easily determined from a distance. Ideally ingress filtering would render this a non-issue, however there are obviously holes in the current filtering done by ISPs.

> If the only reason to think the packet is forged is the setting of RD=1 then the OP has committed a reasoning error.

The situation that we've encountered on a couple of occasions is a steady stream (several a second) of the exact same query with the same source address for several days. When we contact the owner of the source address, they state they're under DDoS attack and are not the source of the request. Part of the attack they experience is the Refused response from our DNS server.

> Also rd being set may just be the result of someone testing with a tool which sets rd by default. In which case they can change the setting.

Which is worse ... occasionally dropping a request from someone using a misconfigured tool / server, or participating in a larger DDoS attack? Granted that dropping external requests with RD=1 doesn't eliminate the potential for DDoS attacks, it just changes it.

> One needs to be really, really careful here.

Understood ... and I realize that things shouldn't be oversimplified (i.e. by assuming RD=1 must mean an evil request). Part of the purpose for this post is to start a discussion on the pros / cons.

--
John
[EMAIL PROTECTED]
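The log-side check that goes with this discussion, as an added example (not code from John, Mark or ISC): parse BIND 9 query-log lines, split queries by whether the source is inside the networks allow-recursion covers and whether RD was set, and list the external sources that repeat the identical question with RD set. That is the "steady stream, same query, same source" John describes, and counting it this way lets the decision to rate-limit, investigate or contact the address owner rest on the repetition rather than on RD alone, which is Mark's objection. The log format assumed is the classic "client ip#port: query: name class type flags" line, where the flags field starts with '+' when RD was set; the sample lines and the client-network list are constructed.

```python
"""Find the pattern John describes in BIND 9 query-log lines: the same
question, recursion desired, repeated from one source that is not a client
we serve.  Added example, not code from the list or from ISC.  The log lines
and the 'our clients' prefixes are constructed for the example."""
import ipaddress
import re
from collections import Counter

# Classic BIND 9 query-log line (any syslog/date/category prefix is skipped):
#   client <ip>#<port>: query: <qname> <qclass> <qtype> <flags>
# The flags field begins '+' when RD was set in the query and '-' when it was not.
LOG_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"(?:view \S+: )?query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-]\S*)"
)

# Networks we are willing to recurse for (constructed; mirror allow-recursion).
OUR_CLIENTS = [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample: one external source repeating a recursive query,
# ordinary iterative (RD clear) lookups from another, and an internal client.
SAMPLE_LOG = """\
03-Dec-2008 10:00:00.101 queries: info: client 203.0.113.77#53000: query: www.example.net IN A +
03-Dec-2008 10:00:00.352 queries: info: client 203.0.113.77#53000: query: www.example.net IN A +
03-Dec-2008 10:00:00.601 queries: info: client 203.0.113.77#53000: query: www.example.net IN A +
03-Dec-2008 10:00:00.849 queries: info: client 203.0.113.77#53000: query: www.example.net IN A +
03-Dec-2008 10:00:01.103 queries: info: client 203.0.113.77#53000: query: www.example.net IN A +
03-Dec-2008 10:00:01.220 queries: info: client 192.0.2.15#41234: query: mail.example.net IN MX +
03-Dec-2008 10:00:01.305 queries: info: client 198.51.100.9#51000: query: example.net IN NS -
03-Dec-2008 10:00:01.410 queries: info: client 198.51.100.9#51001: query: example.net IN SOA -E
03-Dec-2008 10:00:01.777 queries: info: client 203.0.113.200#40000: query: example.net IN A +
"""


def parse_query_log(text):
    """Yield one dict per parseable line; 'rd' is True when the client set RD."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            q = m.groupdict()
            q["rd"] = q["flags"].startswith("+")
            yield q


def is_our_client(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_CLIENTS)


def classify(text):
    """Count queries by (origin, rd) so the share of RD=1 from outside is visible."""
    counts = Counter()
    for q in parse_query_log(text):
        origin = "internal" if is_our_client(q["ip"]) else "external"
        counts[(origin, q["rd"])] += 1
    return counts


def external_rd_streams(text, threshold=3):
    """Return {(ip, qname, qtype): count} for RD=1 queries from outside our
    client networks whose exact question repeats at least `threshold` times.
    Each of these earns a REFUSED; if the source address is forged, that
    REFUSED is reflected traffic towards someone else, which is what to
    investigate before deciding to drop instead of refuse."""
    counts = Counter()
    for q in parse_query_log(text):
        if q["rd"] and not is_our_client(q["ip"]):
            counts[(q["ip"], q["qname"], q["qtype"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(dict(classify(SAMPLE_LOG)))
    for (ip, qname, qtype), n in external_rd_streams(SAMPLE_LOG).items():
        print("%s repeated %s/%s %d times with RD set" % (ip, qname, qtype, n))
```

Run against a real query log, the threshold would be set per time window (the sample covers under two seconds) and the output joined with the rate at which REFUSED is being returned, so that the single-query RD=1 from 203.0.113.200, which is the "misconfigured tool" case Mark mentions, stays below the line while the repeating source does not.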