Re: Odd query issue
On 8/2/2010 10:17 AM, Atkins, Brian (GD/VA-NSOC) wrote:
> Any ideas to point me in the right direction?

What do the log files show surrounding the query?

AlanC

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Strange IPv6 messages
Dear all,

I have a simple question: when reloading Bind, I get these messages, and later on in the logs the transfer seems to work with IPv4.

Aug 2 23:24:13 cirrus named[1581]: network unreachable resolving '(host)/A/IN': 2001:620::4#53
Aug 2 23:24:13 cirrus named[1581]: network unreachable resolving '(host)/A/IN': 2001:418:1::39#53

What should I do to avoid these messages, and why are they appearing?

We have BIND 9.5.1-P2

Thanks a lot for any help :-)

Denis
Re: Odd query issue
1. Zone has expired (to confirm: check logs)

2. Corrupted/truncated journal file (to confirm: check logs, or shut down gracefully, delete the journal and start up again)

3. www.blah.com is a delegation in your slave copy of the zone, and the delegated nameservers are all returning SERVFAIL, are lame, give bogus answers, some combination of the above, etc. (to confirm: do the lookup non-recursively, or a zone transfer of blah.com; if www.blah.com shows as a delegation, query the delegated nameservers directly and see what they return)

- Kevin

On 8/2/2010 10:17 AM, Atkins, Brian (GD/VA-NSOC) wrote:
> I'm troubleshooting an issue with internal resolution of a domain. I have 2 identical slave servers that resolve for domains that have been delegated to our group. However, while one of the servers can successfully provide the responses, the other cannot. I've checked with the network gurus to verify there is not a possibility of a firewall or IPS rule causing the issue, but came back empty-handed.
>
> Here's the breakdown (please don't laugh at the antiques...):
>
> Sun V210's running Solaris 5.8
> BIND 9.5.1-P3
>
> ...
> zone blah.com {
>         type slave;
>         file /slave/db.blah.com;
>         masters { 10.xxx.xxx.xxx; };
>         allow-transfer { none; };
>         allow-query { all-clients; };
> };
> ...
>
> # Query local server (one with issues) fails
> $ dig www.blah.com.
>
> ; <<>> DiG 9.5.1-P3 <<>> www.blah.com.
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1735
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.blah.com.                  IN      A
>
> ;; Query time: 2 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Aug  2 14:12:48 2010
> ;; MSG SIZE  rcvd: 29
>
> # Query master directly or twin server from problem server succeeds
> $ dig @10.xxx.xxx.xxx www.blah.com.
>
> ; <<>> DiG 9.5.1-P3 <<>> @10.xxx.xxx.xxx www.blah.com.
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 341
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.blah.com.                  IN      A
>
> ;; ANSWER SECTION:
> www.blah.com.           300     IN      A       10.xxx.xxx.xxx
>
> ;; Query time: 34 msec
> ;; SERVER: 10.xxx.xxx.xxx#53(10.xxx.xxx.xxx)
> ;; WHEN: Mon Aug  2 14:14:16 2010
> ;; MSG SIZE  rcvd: 45
>
> Any ideas to point me in the right direction?
>
> Thanks,
> Brian
Re: Strange IPv6 messages
On 08/02/10 14:43, Denis BUCHER wrote:
> Dear all,
>
> I have a simple question: when reloading Bind, I get these messages, and later on in the logs the transfer seems to work with IPv4.
>
> Aug 2 23:24:13 cirrus named[1581]: network unreachable resolving '(host)/A/IN': 2001:620::4#53
> Aug 2 23:24:13 cirrus named[1581]: network unreachable resolving '(host)/A/IN': 2001:418:1::39#53
>
> What should I do to avoid these messages, and why are they appearing?
>
> We have BIND 9.5.1-P2

First, that's an older version; it's generally a good idea to stay current with nameserver software. If you have any plans to do DNSSEC validation now, or in the near future, I strongly suggest you evaluate the latest version of either 9.7.x or 9.6.x. At minimum you should upgrade to the latest version of 9.5.x.

Second, you didn't mention whether or not you actually HAVE IPv6 transport. Both servers answer fine for me over IPv6 (as I expect they would) so I'm guessing you don't. If that's accurate, you need to tell named to stop trying to make requests over it. Since you didn't indicate what OS you're running, 'man named' is probably your safest bet to find the answer.

hth,

Doug

--
Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/

Computers are useless. They can only give you answers.
    -- Pablo Picasso
Re: how to handle SPF records for split dns
On Mon, 2010-08-02 at 22:13 -0400, donovan jeffrey j wrote:
> Greetings,
> I have an internal DNS server; it resolves all my queries from the inside. I have a mail system requesting an SPF record. Should I add the same record on the inside as I do for the outside? I don't want internal address space to mess with external. I would say just place it on my external DNS. But it's an internal content filter that is asking for the record, so then shouldn't I place it on the inside?
> Any insight, suggestions and flames welcome.

Hi,

Why not have internal clients use SMTP auth on submission only, and bypass SPF (and other anti-UCE) tests?

If postfix (since it's the MTA used in your post, you likely are), use:

submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
  -o receive_override_options=no_milters

But anyway, when I ran split views, I used SPF on the internal range using the int IP, but used ~all in place of -all (which I use on externals).

Cheers
Noel
Re: how to handle SPF records for split dns
On Aug 2, 2010, at 10:23 PM, Noel Butler wrote:
> On Mon, 2010-08-02 at 22:13 -0400, donovan jeffrey j wrote:
>> Greetings,
>> I have an internal DNS server; it resolves all my queries from the inside. I have a mail system requesting an SPF record. Should I add the same record on the inside as I do for the outside? I don't want internal address space to mess with external. I would say just place it on my external DNS. But it's an internal content filter that is asking for the record, so then shouldn't I place it on the inside?
>> Any insight, suggestions and flames welcome.
>
> Hi,
>
> Why not have internal clients use SMTP auth on submission only, and bypass SPF (and other anti-UCE) tests?

clamav is picking up from an old relay and I think it's lowering the score because of an SPF check. 192.168.1.2 is my mail gateway internal interface.

    myfilter.mydomain.com] received a message from 192.168.1.2 that claimed an envelope sender address of foo.mo...@dealstodaycheap.info. However, the domain dealstodaycheap.info has declared using SPF that it does not send mail through 192.168.1.1. That is why the message was rejected.

I don't want my internal filter to lower scores just because that relay doesn't have an SPF record, and I do not want to call the relay local. I want everything scanned from there. I may also not be understanding what SPF record clamav is looking for: my relay, or his relay, or mydomain? I best start with my domain.

> If postfix (since it's the MTA used in your post, you likely are), use:
>
> submission inet n - n - - smtpd
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
>   -o receive_override_options=no_milters
>
> But anyway, when I ran split views, I used SPF on the internal range using the int IP, but used ~all in place of -all (which I use on externals).
>
> Cheers
> Noel

Thanks for the reply Noel. I saw that option on a web site and I thought it was a typo ( ~ ) vs ( - ). What is the difference?

-j
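As an added example (my code, not from the thread), a minimal SPF evaluator for the ip4/ip6/all mechanisms. It shows what the ~all versus -all choice does for a split-horizon record: a relay that is not in the listed internal range gets softfail under ~all but fail under -all. The records and addresses are constructed.

```python
import ipaddress

# Constructed records (not from the thread): the external zone publishes a hard
# "-all"; the split-horizon internal zone lists the internal relay range and
# ends in "~all", as the reply above describes.
EXTERNAL_SPF = "v=spf1 ip4:203.0.113.10 -all"
INTERNAL_SPF = "v=spf1 ip4:192.168.1.0/24 ~all"

# SPF qualifier prefixes and the result each produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate the 'ip4', 'ip6' and 'all' mechanisms of an SPF record against
    the connecting IP. Mechanisms that need DNS lookups (a, mx, include, ...)
    are deliberately not handled so the function runs offline."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name in ("a", "mx", "include", "exists", "ptr"):
            raise NotImplementedError(f"{name} needs DNS; not evaluated here")
    return "neutral"   # RFC 4408 4.7: no mechanism matched and no "all" present


def main():
    # The content filter's view: the gateway's internal interface relays mail.
    relay_ip, unlisted_ip = "192.168.1.2", "10.0.0.5"
    for label, record in (("external", EXTERNAL_SPF), ("internal", INTERNAL_SPF)):
        for ip in (relay_ip, unlisted_ip):
            print(f"{label:8} {ip:12} -> {evaluate_spf(record, ip)}")


if __name__ == "__main__":
    main()
```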
Clarification on ANY query
Hi,

I have data as follows:

a.rameshops5446.com.    86400   IN      A       1.2.3.1
a.rameshops5446.com.    86400   IN      MX      10 a.rameshops5446.com.

I queried domain a.rameshops5446.com with type ANY against bind9.6.

Actual result: Bind is returning the above two records in the answer section and also returning the A record in the additional section, as follows.

# dig @localhost a.rameshops5446.com. any

; <<>> DiG 9.6.1-P3 <<>> @localhost a.rameshops5446.com. any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33411
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;a.rameshops5446.com.           IN      ANY

;; ANSWER SECTION:
a.rameshops5446.com.    86400   IN      MX      10 a.rameshops5446.com.
a.rameshops5446.com.    86400   IN      A       1.2.3.1

;; AUTHORITY SECTION:
rameshops5446.com.      86400   IN      NS      udns2.ultradns.net.
rameshops5446.com.      86400   IN      NS      udns1.ultradns.net.

;; ADDITIONAL SECTION:
a.rameshops5446.com.    86400   IN      A       1.2.3.1

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug  3 04:06:45 2010
;; MSG SIZE  rcvd: 137

Here my doubt is: the A record is already returned in the answer section, so why is the same A record returned in the additional section? I know that if the record the MX points to has any A/ records, they will be returned in the additional section, but in the above case the same A record is already returned in the answer section. Is the BIND result correct? Could you please clarify for me.

Thanks,
Regards,
Ramesh
Re: Clarification on ANY query
> Here my doubt is: the A record is already returned in the answer section, so why is the same A record returned in the additional section? I know that if the record the MX points to has any A/ records, they will be returned in the additional section, but in the above case the same A record is already returned in the answer section. Is the BIND result correct? Could you please clarify for me.

It's correct in the sense that it isn't a protocol violation. But it's incorrect in the sense that duplicate data is inefficient, so maybe it's a bug that BIND did that. Send it to bind9-b...@isc.org, we'll look into it.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
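As an added check (my code, not from the thread or from BIND), a small parser for dig's section output that flags records repeated in the ADDITIONAL section after already appearing in ANSWER, which is the duplication Evan describes. The dig text is constructed from the output quoted above.

```python
import re

# Constructed dig output, modelled on the ANY query quoted in the thread above.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33411
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;a.rameshops5446.com.           IN      ANY

;; ANSWER SECTION:
a.rameshops5446.com.    86400   IN      MX      10 a.rameshops5446.com.
a.rameshops5446.com.    86400   IN      A       1.2.3.1

;; AUTHORITY SECTION:
rameshops5446.com.      86400   IN      NS      udns2.ultradns.net.
rameshops5446.com.      86400   IN      NS      udns1.ultradns.net.

;; ADDITIONAL SECTION:
a.rameshops5446.com.    86400   IN      A       1.2.3.1
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")

def parse_sections(text):
    """Map each dig section name to a list of (owner, ttl, class, type, rdata)."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        # Skip blank lines, ";;" comment lines and the QUESTION entry (";name").
        if current is None or not line.strip() or line.startswith(";"):
            continue
        owner, ttl, klass, rtype, rdata = line.split(None, 4)
        sections[current].append((owner.lower(), int(ttl), klass, rtype, rdata))
    return sections

def redundant_additional(sections):
    """RRs in ADDITIONAL that duplicate an RR already present in ANSWER
    (same owner, class, type and rdata; TTL is ignored)."""
    answer = {(o, c, t, r) for o, _, c, t, r in sections.get("ANSWER", [])}
    return [rr for rr in sections.get("ADDITIONAL", [])
            if (rr[0], rr[2], rr[3], rr[4]) in answer]

if __name__ == "__main__":
    print(redundant_additional(parse_sections(DIG_OUTPUT)))
```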