Re: Custom DNS error with BIND?

2010-10-05 Thread Matus UHLAR - fantomas
> > --On 5. oktober 2010 22.25.17 +0700 Phan Quoc Hien 
> > wrote:
> >>
> >> I'm looking for a way to "customize DNS errors with BIND". Below I explain it:
> >>
> >> If an A record does not exist => return one IP to redirect to a custom error
> >> page with Apache, like OpenDNS does.
> >>
> >> Please let me know how to solve this problem... or must I edit the BIND source
> >> code?

> On Tue, Oct 5, 2010 at 11:20 PM, Eivind Olsen  wrote:
> > As far as I know, it's not natively supported by BIND. Are you _really_ sure
> > you want this? Suggested reading is for example
> > 

On 05.10.10 23:24, Phan Quoc Hien wrote:
> Thanks for your response. I am looking into this for testing purposes only.

like, testing how DNSSEC validation fails for such names?
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Unable to query the nameserver

2010-10-05 Thread Ben McGinnes
On 6/10/10 6:49 AM, Dotan Cohen wrote:
> On Tue, Oct 5, 2010 at 20:30, Eivind Olsen  wrote:
>>
>> I don't think you've mentioned which OS you're running, and whether you run
>> a bundled or self-compiled version of BIND, so I'm not sure where it puts
>> its logs by default. Do you see _any_ mention of "named" in your
>> /var/log/messages or /var/log/syslog or similar files if you restart BIND?
>> How to restart it depends on your distribution, whether you use bundled BIND
>> etc. It might be "service named restart" on one distribution, and "rndc
>> stop" followed by "/usr/local/sbin/named" on another, or "/etc/rc.d/named
>> restart" on yet another.. And I'm not good at guessing :D
>>
> 
> Sorry, it's CentOS 5.5 and I'm running the distro's packaged bind.
> There are a few Bind messages in /var/log/messages but no errors
> (other than no-start error when I have a bad config).

I'm running CentOS 5.5 too and the default Bind package is
9.3.6-4.P1.el5_4.2.

Dotan, if you run "yum list bind" you can confirm that.


Regards,
Ben




BIND 9.5.3rc1 is now available.

2010-10-05 Thread Mark Andrews

BIND 9.5.3rc1 is now available.

BIND 9.5.3rc1 is a beta version of the maintenance release
for BIND 9.5.  BIND 9.5.3 is intended to be the last
maintenance release for BIND 9.5.

BIND 9.5.3rc1 can be downloaded from

ftp://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz
http://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz

The PGP signature of the distribution is at

ftp://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz.sha512.asc

http://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz.asc
http://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz.sha256.asc
http://ftp.isc.org/isc/bind9/9.5.3rc1/bind-9.5.3rc1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is
available at .

A binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip
http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip

ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip
http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at

ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip.sha512.asc

http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip.asc
http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip.sha256.asc
http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.zip.sha512.asc

ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip.sha512.asc

http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip.asc
http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip.sha256.asc
http://ftp.isc.org/isc/bind9/9.5.3rc1/BIND9.5.3rc1.debug.zip.sha512.asc

Changes since 9.5.0.

--- 9.5.3rc1 released ---

2946.   [doc]   Document the default values for the minimum and maximum
zone refresh and retry values in the ARM. [RT #21886]

2945.   [doc]   Update empty-zones list in ARM. [RT #21772]

2944.   [maint] Remove ORCHID prefix from built in empty zones.
[RT #21772]

2937.   [bug]   Worked around an apparent race condition in over
memory conditions.  Without this fix a DNS cache DB or
ADB could incorrectly stay in an over memory state,
effectively refusing further caching, which
subsequently made a BIND 9 caching server unworkable.
This fix prevents this problem from happening by
polling the state of the memory context, rather than
making a copy of the state, which appeared to cause
a race.  This is a "workaround" in that it doesn't
solve the possible race per se, but several experiments
proved this change solves the symptom.  Also, the
polling overhead hasn't been reported to be an issue.
This bug should only affect a caching server that
specifies a finite max-cache-size.  It's also quite
likely that the bug happens only when enabling threads,
but it's not confirmed yet. [RT #21818]

--- 9.5.3b1 released ---

2929.   [bug]   Improved handling of GSS security contexts: 
 - added LRU expiration for generated TSIGs
 - added the ability to use a non-default realm
 - added new "realm" keyword in nsupdate
 - limited lifetime of generated keys to 1 hour
   or the lifetime of the context (whichever is
   smaller)
[RT #19737]

2925.   [bug]   Named failed to accept uncachable negative responses
from insecure zones. [RT# 21555]

2923.   [bug]   'dig +trace' could drop core after "connection
timeout". [RT #21514]

2921.   [bug]   The resolver could attempt to destroy a fetch context
too soon.  [RT #19878]

2918.   [maint] Add AAAA address for I.ROOT-SERVERS.NET.

2916.   [func]  Add framework to use IPv6 in tests.
fd92:7065:b8e:ffff::1 ... fd92:7065:b8e:ffff::7

2915.

Re: More ignorance (I have no shame) /var/named conventions

2010-10-05 Thread Doug Barton

On 10/5/2010 12:14 PM, Stewart Dean wrote:

In the standard 'yum install bind' installation, I see there are
/var/named/data and /var/named/slaves directories. What are they for? I
do so like to follow standards particularly if there is a good reason :)


I am not familiar with the way that your Linux distro does it, but for 
FreeBSD I separated the static authoritative, dynamic authoritative, and 
slave zones into separate directories so that we could use the principle 
of "least privilege" in the permissions on the directories and files.



I plan to use views


Why? IME doing so causes way more problems than it solves, and is rarely 
worth the effort to do properly. Don't just do this because "that's how 
it's done," make sure you have a real need, and triple check that the 
problems you think you're solving can't be solved other ways.



and have the internal zone files in
/var/named/internal (or /var/named/data/internal) and the external zone
files in /var/named/external (or /var/named/data/external).


If it were me I'd do /var/named/{external|internal}/{master|dynamic|slave}


hth,

Doug

--

Breadth of IT experience, and|   Nothin' ever doesn't change,
depth of knowledge in the DNS.   |   but nothin' changes much.
Yours for the right price.  :)   |  -- OK Go
http://SupersetSolutions.com/
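As an added example (not Doug's configuration and not anything posted in the thread), here is what the /var/named/{external|internal}/{master|dynamic|slave} layout looks like once it is wired to two views. The zone names, the addresses, the internal-nets ACL and the dhcp-key secret are placeholders; that the package runs named as user "named" and ships root hints as named.ca is an assumption about the CentOS layout Stewart describes.

```conf
// Added example, not from the thread.  Two views over Doug's layout:
//   /var/named/internal/{master,dynamic}   (only inside clients see these)
//   /var/named/external/{master,slave}     (what the Internet sees)
// Suggested permissions (assumption: the package runs named as user "named"):
//   */master   root:named  dirs 0750, files 0640   - named only reads here
//   */dynamic  named:named dirs 0770               - named writes journals (.jnl) here
//   */slave    named:named dirs 0770               - named writes transferred zones here
// Anything named never needs to write stays root-owned, so a compromised
// named process cannot rewrite your primary zone data.

acl internal-nets { 10.0.0.0/8; 127.0.0.1; };   // placeholder ranges

key "dhcp-key" {                                  // placeholder TSIG key for dynamic updates
    algorithm hmac-md5;                           // e.g. dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-key
    secret "c2VjcmV0LXBsYWNlaG9sZGVy";            // placeholder secret, replace it
};

options {
    directory "/var/named";                       // zone file paths below are relative to this
    allow-transfer { none; };                     // no transfers unless a zone says otherwise
    allow-recursion { internal-nets; };           // BIND 9.3's default here is "any" (open resolver)
};

// Views are tried in the order written; the first one whose match-clients
// matches the client wins, so "any" in the last view means "everyone else".
view "internal" {
    match-clients { internal-nets; };
    recursion yes;

    zone "." { type hint; file "named.ca"; };     // once views exist, every zone must live in a view

    zone "example.com" {
        type master;
        file "internal/master/example.com";
    };

    zone "dyn.example.com" {
        type master;
        file "internal/dynamic/dyn.example.com";
        allow-update { key "dhcp-key"; };         // only key holders may update; the journal lands in dynamic/
    };
};

view "external" {
    match-clients { any; };                       // everything not already caught by "internal"
    recursion no;

    zone "example.com" {
        type master;
        file "external/master/example.com";
        allow-transfer { 192.0.2.53; };           // placeholder: your secondary's address
    };

    zone "partner.example" {
        type slave;
        masters { 198.51.100.1; };                // placeholder: the partner's master
        file "external/slave/partner.example";
    };
};
```

The trap with this layout is the dynamic zone: named writes its journal next to the zone file, so that one directory must be writable by named while the master directories stay read-only to it. Keep the internal view above the external one; if the order is reversed, the "any" view catches the internal clients first and the internal zones are never served.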


Re: minimum cache times?

2010-10-05 Thread Doug Barton
If you would like to create a new thread your best bet is to store the 
list address in your e-mail address book and then create a new message 
to the list. By replying to someone else's message and changing the 
subject you cause your message to appear "hidden" behind the message you 
replied to for those of us who use threaded mail readers.



FYI,

Doug

--

Breadth of IT experience, and|   Nothin' ever doesn't change,
depth of knowledge in the DNS.   |   but nothin' changes much.
Yours for the right price.  :)   |  -- OK Go
http://SupersetSolutions.com/


Re: minimum cache times?

2010-10-05 Thread Christoph Weber-Fahr
Hello,

On 05.10.2010 16:45, Nicholas Wheeler wrote:
> > At Tue, 5 Oct 2010 09:19:49 -0400, Atkins, Brian (GD/VA-NSOC) wrote:
>> >> From what I've read, everyone seems to frown on over-riding cache times,
>> >> but I haven't seen any specifics as to why it's bad.
> >
> > Because it's a protocol violation, deliberately ignores the cache time
> > set by the owner of the data, and is dangerous.
> >
> > Eg, you ask me for the address of my web server.  I answer, saying
> > that the answer is good for a week, after which you need to ask again
> > because I might have changed something.

Well, I was talking about minimum values, and, especially, a min-ncache-ttl,
i.e. a minimum for negative caching.

My point of view is that of the operator of a very busy DNS resolver/cache
infrastructure.

For anecdotal evidence, I present this:

http://blog.boxedice.com/2010/09/28/watch-out-for-millions-of-ipv6-dns--requests/

Now this ostensibly is about how bad IPv6 is for DNS (no comment),
but somewhere down comes the interesting tidbit: apparently there
are commercial DNS providers (dyn.com in this case) who recommend
and default to 60 seconds as SOA value for negative caching in their
customer zones.

RIPE's recommended default is 1 hour.

Of course they do this for a reason - they actually charge by
request, so a badly set up customer DNS improves their bottom line.

This is ridiculous and puts quite a strain on resolvers having to deal
with such data - especially if one in two requests is no-error/no-data
for AAAA reasons.

So, if this is a trend, we might want to have a min-ncache-ttl of 300,
just to get rid of the most obnoxious jerks.

Same goes for positive caching; sensible minimum values used to be
a matter of politeness, but folks like Akamai give us TTLs like
20 or 60. As long as Akamai is the only one doing this that's not
a problem - but should that get widespread use I'd be inclined
to clamp down on this, too.

> > The TTL mechanism is part of the protocol for a reason: it's to
> > control how tightly consistent the data are supposed to be in the
> > opinion of the publisher of the data.  Nobody but the publisher of the
> > data has enough information to know how long it's safe to keep the
> > data.  Some publishers make silly decisions about this setting, which
> > causes other problems, but keeping data past its expiration time is
> > not the answer.
Caching is part of the protocol, too. If there are large scale
developments sabotaging that it forces me to have much more
resolver capacity online.

And that costs *me* money. Yes, the publisher should know best - but
apparently he often doesn't, and publishing bad DNS data
affects other people's systems, too.

Regards

Christoph Weber-Fahr




RE: minimum cache times?

2010-10-05 Thread Atkins, Brian (GD/VA-NSOC)
After noodling it out with a co-administrator, that is the same
conclusion we came to. 

Thank you for confirming it.

Brian



Re: Unable to query the nameserver

2010-10-05 Thread Dotan Cohen
On Tue, Oct 5, 2010 at 20:30, Eivind Olsen  wrote:
>> However, another site that _does_ work (with both nameservers on this
>> host, not just ns1) shows the same thing:
>>
>> # nslookup ns1.sharingserver.eu 178.63.65.136
>> Server:         178.63.65.136
>> Address:        178.63.65.136#53
>>
>> ** server can't find ns1.sharingserver.eu: NXDOMAIN
>
> How do you mean this one is working? It's working just as badly as your
> first example.
>

Yes, but typing the domain into Firefox brings up the webpage that
I've put on that server!


> I've tried looking up the domain "sharingserver.de" and "sharingserver.eu"
> on both the IP addresses you listed, and in all cases your nameserver
> replies with NXDOMAIN - it doesn't know about those domains.
>
>> I don't see a named or bind log, but messages is clean of such things.
>
> I don't think you've mentioned which OS you're running, and whether you run
> a bundled or self-compiled version of BIND, so I'm not sure where it puts
> its logs by default. Do you see _any_ mention of "named" in your
> /var/log/messages or /var/log/syslog or similar files if you restart BIND?
> How to restart it depends on your distribution, whether you use bundled BIND
> etc. It might be "service named restart" on one distribution, and "rndc
> stop" followed by "/usr/local/sbin/named" on another, or "/etc/rc.d/named
> restart" on yet another.. And I'm not good at guessing :D
>

Sorry, it's CentOS 5.5 and I'm running the distro's packaged bind.
There are a few Bind messages in /var/log/messages but no errors
(other than no-start error when I have a bad config).


> Anyway - if you don't see a single line about "named" in the logs even after
> restarting it, you need to look into fixing that, as I'm guessing BIND is
> then really trying to give you some nice information in the logs but it
> can't..
>

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

Re: Unable to query the nameserver

2010-10-05 Thread Dotan Cohen
On Tue, Oct 5, 2010 at 16:31, Greg Whynott  wrote:
> It's as if they think hackers' main source of targets comes from here.
> Doesn't appear to really want any help anyway.
>

Not at all, rather I was trying to learn. I really didn't want anybody
doing the heavy lifting for me. But I've gotten to the point where I
see that I _do_ need that help, and I am not embarrassed to admit it.
I have been posting the real data now.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

Re: Unable to query the nameserver

2010-10-05 Thread Dotan Cohen
On Tue, Oct 5, 2010 at 11:35, Eivind Olsen  wrote:
> Hm, you mention in another posting that you're hosting other domains. Are
> they using the same registrar as the one that's giving you this error
> message?

Yes.

> Are you _naming_ the nameservers the same? I know some registrars
> require you to first register your nameservers with them, so they can add
> any glue records if needed. I'm just wondering if the error message might
> be misleading.
>

With this particular registrar I have sharingcenter.eu and
sharingcenter.de. The sharingcenter.eu site works fine, it has
ns1.sharingcenter.eu and ns2.sharingcenter.eu working without me
having to explicitly set the "glue".


> But maybe they really can't contact your nameserver. As a few others have
> mentioned, it's hard to help troubleshoot this when you've given no real
> information.
>

Server mercury:
178.63.65.136
178.63.65.171
178.63.65.188

Server venus:
88.198.27.251

ns1.sharingcenter.eu - 178.63.65.136
ns2.sharingcenter.eu - 178.63.65.188

ns1.sharingcenter.de - 178.63.65.171
ns2.sharingcenter.de - 88.198.27.251


> Check your logs on your nameserver. Depending on your OS, it might end up
> in /var/log/messages, /var/adm/messages, or somewhere else entirely (or
> maybe not at all). You should at least see some log-entries when you start
> BIND. The copies of named.conf you listed didn't show any custom logging
> statements.
>

Bind is running as a service (CentOS), and I'm not really sure how to
get it logging.


> Verify nameserver operation, by doing something like this:
>
> # dig any your.troublesome.domain @1.1.1.1
> (replace the domain name + IP-address of your nameserver with the real data)
>
> Do this from multiple places:
> - from the nameserver itself
> - from another server in the same subnet if possible, to avoid routing
> issues etc...:
> - from somewhere outside of your network
>
> If it for example works from the nameserver itself + another server in
> your local network, but doesn't work from an external address, I suggest
> you look at any firewalls / access controls in your network.
>
> You also mentioned you had another domain which worked, on the same
> nameservers. Do the same kind of queries on that as well, from the same
> places.
>
> Let us know how these tests went. And/or post real data so we can check a
> bit for ourselves.
>

✈dcl:~$ dig any sharingserver.de @178.63.65.171

; <<>> DiG 9.6.1-P2 <<>> any sharingserver.de @178.63.65.171
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29311
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sharingserver.de.  IN  ANY

;; AUTHORITY SECTION:
de. 2398IN  SOA f.nic.de.
its.denic.de. 2010100577 7200 7200 360 7200

;; Query time: 228 msec
;; SERVER: 178.63.65.171#53(178.63.65.171)
;; WHEN: Tue Oct  5 21:41:22 2010
;; MSG SIZE  rcvd: 86

✈dcl:~$ dig any sharingserver.eu @178.63.65.136

; <<>> DiG 9.6.1-P2 <<>> any sharingserver.eu @178.63.65.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62696
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sharingserver.eu.  IN  ANY

;; AUTHORITY SECTION:
eu. 600 IN  SOA a.nic.eu.
tech.eurid.eu. 1002851820 3600 1800 360 600

;; Query time: 259 msec
;; SERVER: 178.63.65.136#53(178.63.65.136)
;; WHEN: Tue Oct  5 21:42:02 2010
;; MSG SIZE  rcvd: 87





> Oh, and another thing - you mentioned you were running both nameservers on
> the same server (eth0 and eth0:0). You _are_ aware of what this means, if
> your domain name is only served by a single physical server and that
> server happens to go down some day? Any server _will_ go down sometimes,
> even if you decide to not patch it...

Yes, I am aware of this.

> If it's serving a domain name you care about, I'd _really_ recommend
> having multiple _separate_ nameservers, hosted on separate subnets. There
> are various companies that sell cheap slave-DNS services.
>

The .de domain will be on two separate machines.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

Re: Unable to query the nameserver

2010-10-05 Thread Dotan Cohen
On Tue, Oct 5, 2010 at 08:48, Chiesa Stefano  wrote:
> Hello Dothan.
> You said: "The working site has both nameservers pointed to that same
> server (on two different IP addresses on eth0 and etho0:0)."
> So the question is "Are you sure you answer to queries on the proper
> interface?"
> Maybe you (for instance) receive a query on eth0:0 (1.1.2.2 ?) but
> answer on eth0 (1.1.1.1 ?)...

Could that be? I'd never considered that! How would I even check that?

> What is your default gateway?
>


[r...@mercury html]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
### Hetzner Online AG - installimage
# device: eth0
DEVICE=eth0
BOOTPROTO=static
BROADCAST=178.63.65.191
HWADDR=40:61:86:f5:43:1f
IPADDR=178.63.65.136
NETMASK=255.255.255.255
SCOPE="peer 178.63.65.129"
[r...@mercury html]# cat /etc/sysconfig/network-scripts/ifcfg-eth0:0
### Hetzner Online AG - installimage
# device: eth0
DEVICE=eth0:0
BOOTPROTO=static
BROADCAST=178.63.65.191
HWADDR=40:61:86:f5:43:1f
IPADDR=178.63.65.188
NETMASK=255.255.255.192
SCOPE="peer 178.63.65.129"
[r...@mercury html]# cat /etc/sysconfig/network-scripts/ifcfg-eth0:1
DEVICE=eth0:1
BOOTPROTO=static
BROADCAST=178.63.65.191
HWADDR=40:61:86:f5:43:1f
IPADDR=178.63.65.171
NETMASK=255.255.255.192
SCOPE="peer 178.63.65.129"
[r...@mercury html]# cat /etc/sysconfig/network-scripts/ifcfg-eth0:2
DEVICE=eth0:2
BOOTPROTO=static
BROADCAST=178.63.65.191
HWADDR=40:61:86:f5:43:1f
IPADDR=178.63.65.172
NETMASK=255.255.255.192
SCOPE="peer 178.63.65.129"

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com


Re: Unable to query the nameserver

2010-10-05 Thread Hauke Lampe
On 05.10.2010 20:35, Dotan Cohen wrote:

I think the problem is that your two servers return different
answers to the same question:

dig +norec sharingcenter.de ns @178.63.65.171:
> ;; ANSWER SECTION:
> sharingcenter.de. 86400   IN  NS  ns1.sharingcenter.de.
> sharingcenter.de. 86400   IN  NS  ns2.sharingcenter.de.

@88.198.27.251:
> ;; ANSWER SECTION:
> sharingcenter.de. 86400   IN  NS  ns2.sharingcenter.de.

That result matches the two zone files you show, with same SOA serial
number but different content. The comment in the SOA record indicates
that you don't slave the zone to ns2 and instead edit two distinct zone
files.

Either sync the zone files or set up the second server as slave and you
should be fine. You can check with DeNIC's pre-delegation test here:
http://nast.denic.de/


Hauke.



Re: Unable to query the nameserver

2010-10-05 Thread Dotan Cohen
On Tue, Oct 5, 2010 at 02:47, Noel Butler  wrote:
> apart from my dig for you not giving real information..
>
> On Mon, 2010-10-04 at 23:08 +0200, Dotan Cohen wrote:
>
>
> // On 1.1.1.1
> [r...@1.1.1.1]# cat /etc/named.conf
> options {
> directory "/etc";
>
>
> Why are you specifying /etc here?
> I suggest you use  /var/named
>

Thanks. I'm not sure where I got that from, this is a Frankenstein's
monster of bits that I've been googling!


>    pid-file "/var/run/named/named.pid";
> listen-on {
> any;
> };
> };
>
> zone "." {
> type hint;
>     file "/etc/db.cache";
>
> remove /etc/
>

I did not realize that a relative path would work.


> };
>
> zone "example.de" {
> type master;
> file "/var/named/example.de.hosts";
>
>
> only need the file name (so long as you correct the options statement

Makes sense!


>
> notify yes;
> allow-query { any; };
>     };
>
>
> who are you notifying?

I added that at some "throwing more lines of code at the file" attempt
to get this working...

> where is..
>     allow-transfer { remotedns; };
>

I did not know that I need it.


>
> zone "example.eu" {
> type master;
> file "/var/named/example.eu.hosts";
>     };
>
> correct as above for who to transfer to
>

Well, this one works properly so I don't want to touch it!

> [r...@1.1.1.1]# cat /var/named/example.de.hosts
> $ORIGIN example.de.
> $TTL 86400
> example.de. IN  SOA example.de. foo.example.de. (
>
> replace example.de.   with  @
>

Will do.

>     2010100401; Serial - increment me
> 10800
> 3600
> 604800
> 38400 )
>IN  NSns1.example.de.
>    IN  NS    ns2.example.de.
>
> no MX record?
>

Not yet, I'll tackle that later.

>IN  A 1.1.1.1
> wwwIN  A 1.1.1.1
> ns1IN  A 1.1.1.1
> ns2IN  A 1.1.2.2
>
>
>
>
> // On 1.1.2.2
> [r...@1.1.2.2]# cat /etc/named.conf
>
> fix up as above
>

Right.

> options {
> directory "/etc";
> pid-file "/var/run/named/named.pid";
> listen-on {
> any;
> };
> };
>
>
>
> zone "." {
> type hint;
> file "/etc/db.cache";
> };
>
> zone "example.de" {
> type slave;
> masters { 1.1.1.1; };
> allow-update { 1.1.1.1; };
>
>     ^  not needed
>

Thanks.

>     file "/var/named/example.de.hosts";
> notify yes;
>
>       remove
>

Thanks.

> allow-query { any; };
>
> ya got one right :)
>

Pure luck, I assure you!

>     allow-notify { 1.1.2.2; };
>     };
>
> remove
>

Right.

> [r...@1.1.2.2]# cat /var/named/example.de.hosts
>
>
> irrelevant since it gets this from master
>

I did think that was the case, thanks.

> Of course, when I make a change to a hosts file I increment the serial
> number and restart bind. I also restart bind after making a change to
>
> 'rndc reload'   is all u need to do
>

Nice, thanks.

> named.conf. What am I doing wrong? Thanks!
>
> once you tell us your real domains and NS's, maybe, just maybe we can help
> more
>

Server mercury:
178.63.65.136
178.63.65.171
178.63.65.188

Server venus:
88.198.27.251

ns1.sharingcenter.eu - 178.63.65.136
ns2.sharingcenter.eu - 178.63.65.188

ns1.sharingcenter.de - 178.63.65.171
ns2.sharingcenter.de - 88.198.27.251



-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com
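Pulling Noel's corrections together, here is a master/slave pair for sharingcenter.de as an added example; these are not the files Dotan posted and not Noel's text. It goes one step beyond the thread: a TSIG key so that only a request signed by the secondary can pull the zone, and recursion switched off on both boxes, because the CentOS 5 package is BIND 9.3, whose default allow-recursion is "any" (the posted config with listen-on any is therefore also an open resolver). Addresses are the ones given in the thread; the xfer-key secret is a placeholder, and /var/named/slaves being writable by named is an assumption about the package layout.

```conf
// ---- /etc/named.conf on the master, mercury (178.63.65.171) ----
// Added example; not the files posted in the thread.

key "xfer-key" {
    algorithm hmac-md5;                   // BIND 9.3 only has hmac-md5; use hmac-sha256 on 9.4 and later
    secret "c2VjcmV0LXBsYWNlaG9sZGVy";    // placeholder: dnssec-keygen -a HMAC-MD5 -b 128 -n HOST xfer-key
};

options {
    directory "/var/named";               // zone files below are relative to this
    pid-file "/var/run/named/named.pid";
    recursion no;                         // authoritative only; closes the open resolver
    allow-transfer { none; };             // default for every zone; opened per zone below
    // listen-on defaults to all interfaces, which here covers .136, .171 and .188
};

// No root hint zone: hints are only used for recursion.

zone "sharingcenter.de" {
    type master;
    file "sharingcenter.de.hosts";        // i.e. /var/named/sharingcenter.de.hosts
    allow-transfer { key "xfer-key"; };   // only a request signed with xfer-key gets the zone
    // notify defaults to yes, so NOTIFY goes to the zone's NS records,
    // which includes ns2.sharingcenter.de (88.198.21.168)
};

zone "sharingcenter.eu" {
    type master;
    file "sharingcenter.eu.hosts";
    // both NS for .eu are this machine, so nothing transfers it
};

// ---- /etc/named.conf on the secondary, venus (88.198.21.168) ----

key "xfer-key" {
    algorithm hmac-md5;
    secret "c2VjcmV0LXBsYWNlaG9sZGVy";    // must be identical to the master's
};

server 178.63.65.171 {
    keys { "xfer-key"; };                 // sign every SOA query and AXFR/IXFR to the master
};

options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    recursion no;
    allow-transfer { none; };
};

zone "sharingcenter.de" {
    type slave;
    masters { 178.63.65.171; };
    file "slaves/sharingcenter.de";       // named writes this itself; never hand-edit it
    // no allow-update and no allow-notify: a slave takes its data only from
    // the listed master, and that master is already allowed to NOTIFY
};
```

After `rndc reload` on both, check from outside with `dig +norec @88.198.21.168 sharingcenter.de SOA` and `dig +norec @178.63.65.171 sharingcenter.de SOA`: both must answer with the aa flag set and the same serial, which is what Hauke's comparison of the two NS RRsets was testing. An unsigned `dig @178.63.65.171 sharingcenter.de AXFR` now gets REFUSED instead of the whole zone.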

More ignorance (I have no shame) /var/named conventions

2010-10-05 Thread Stewart Dean
 In the standard 'yum install bind' installation, I see there are 
/var/named/data and /var/named/slaves directories.  What are they for?  I do so 
like to follow standards particularly if there is a good reason :)

In AIX, everything was just there (in /etc/dns).
I plan to use views and have the internal zone files in /var/named/internal (or 
/var/named/data/internal) and the external zone files in /var/named/external (or 
/var/named/data/external).

What is /var/named/slaves for?

Enlighten my ignorance, please.

I take it if you define an internal view and then, subsequently, an external 
view with

match-clients {any;};
that it isn't really an any but an "everything else"...?
--
"One must think like a hero to behave like a merely decent human being." - May 
Sarton Stewart Dean, Unix System Admin, Bard College, New York 12504 
sd...@bard.edu voice: 845-758-7475, fax: 845-758-7035




Re: Unable to query the nameserver

2010-10-05 Thread Lyle Giese
Andrey G. Sergeev (AKA Andris) wrote:
> Hello Dotan,
>
>
> Tue, 5 Oct 2010 20:35:24 +0200 Dotan Cohen wrote:
>
>   
>> The two domains names are sharingcenter.eu and sharingcenter.de. The
>> eu domain has ns1 and ns2 on the same server (IP addresses
>> 178.63.65.136 and 178.63.65.188) and works fine. The de domain has
>> ns1 on this same server (IP address 178.63.65.171) but ns2 on a
>> different server (IP address 88.198.21.168).
>> 
>
> The commands
>
> dig @178.63.65.171 sharingcenter.de. soa +norec +short
> dig @88.198.21.168 sharingcenter.de. soa +norec +short
>
> were done without any delays or errors from my location so the UDP
> connections from the external hosts are fine too. If you still
> experience troubles while working with the registrar control panel you
> should consult with their support.
>
>
>   
Eurodns is currently authoritative for the sharingcenter.de domain. If he
wants to move the dns to his new servers and IP addresses, he needs to
create proper A records for ns1 and ns2.sharingcenter.de at eurodns
first. Eurodns won't let him move the dns until the new servers answer
properly. However they are not querying the ip addresses he is inputting
but the current A records eurodns returns when asking about ns1 or
ns2.sharingcenter.de. Those queries appear to be returning a wild card
entry of 80.92.66.130 for ns1 and ns2.sharingcenter.de. There is no name
server answering at 80.92.66.130 and thus Eurodns reports that name
server is not answering.

Lyle Giese
LCR Computer Services, Inc.

Re: GSS-TSIG and Active Directory

2010-10-05 Thread Nicholas F Miller
Is there a bug in the implementation of the update-policy or do I not have a 
grasp on how it should work?

If I wanted to only allow machines in an Active Directory the ability to update 
their 'A' records, shouldn't I be able to use a statement like this:

update-policy {
grant  ms-self * A;
}

For some reason the only thing that works is setting a grant ANY and then 
restricting records with a deny before the grant statement. This seems like 
overkill if all I want to allow is 'A' records.

Also, it appears that you cannot deny 'AAAA' and allow 'A'. Any time I set a 
deny for 'AAAA' it also blocks 'A' records.

Are these bugs or by design?
_
Nicholas Miller, ITS, University of Colorado at Boulder



On Oct 1, 2010, at 1:27 PM, Nicholas F Miller wrote:

> YES Brilliant Thanks Rob.
> 
> I think it is working now. I have the update-policy setup as follows:
> 
>grant d...@realm wildcard * ANY;
>grant d...@realm wildcard * ANY;
>grant dns_serv...@realm wildcard * ANY;
>deny REALM ms-self * SRV;
>grant REALM ms-self * ANY;
> 
> If I understand things correctly I am allowing the DCs and DNS server to 
> update any record type in the domain and any subdomains. The clients are 
> allowed to update any of their own records except SRV, MX and NS. Do I even 
> need to deny NS for ms-self?
> 
> If it is truly working correctly, I wonder why I can't deny AAAA records. 
> When I add AAAA to the deny statement it blocks A records as well. If I try A6 
> it still allows AAAA records to be set by client machines. 
> _
> Nicholas Miller, ITS, University of Colorado at Boulder
> 
> 
> 
> On Oct 1, 2010, at 12:12 PM, Rob Austein wrote:
> 
>> If you're trying to grant update rights to a specific machine (rather
>> than every machine in the realm), something like:
>> 
>> grant d...@realm. subdomain dnsname.;
>> 
> >> might work better, where "d...@realm" is (eg) the Kerberos principal
>> corresponding to your DC and "dnsname" is the tree to which you want
>> to grant rights.  The "$" is a Microsoft-ism.
> 



Re: Unable to query the nameserver

2010-10-05 Thread Andrey G. Sergeev (AKA Andris)
Hello Dotan,


Tue, 5 Oct 2010 20:35:24 +0200 Dotan Cohen wrote:

> The two domains names are sharingcenter.eu and sharingcenter.de. The
> eu domain has ns1 and ns2 on the same server (IP addresses
> 178.63.65.136 and 178.63.65.188) and works fine. The de domain has
> ns1 on this same server (IP address 178.63.65.171) but ns2 on a
> different server (IP address 88.198.21.168).

The commands

dig @178.63.65.171 sharingcenter.de. soa +norec +short
dig @88.198.21.168 sharingcenter.de. soa +norec +short

were done without any delays or errors from my location so the UDP
connections from the external hosts are fine too. If you still
experience troubles while working with the registrar control panel you
should consult with their support.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Unable to query the nameserver

2010-10-05 Thread Dotan Cohen
On Tue, Oct 5, 2010 at 02:35, Noel Butler  wrote:
> Quite right, too many people with paranoia come here looking for help but
> refuse to let us do correct remote testing.
> First post was 7.08am local, it's 3 1/2 hours later and we still have no real
> info, had it been supplied his problem may have been identified and resolved 3
> hours ago.
>

No paranoia at all! Actually, just a few minutes ago I did post the
correct info, I saw that I wasn't getting very far with this whole
learning thing! :)

The two domains names are sharingcenter.eu and sharingcenter.de. The
eu domain has ns1 and ns2 on the same server (IP addresses
178.63.65.136 and 178.63.65.188) and works fine. The de domain has ns1
on this same server (IP address 178.63.65.171) but ns2 on a different
server (IP address 88.198.21.168).

The 178.63.65.* machine has these files:

On the machine intended for
[r...@mercury ~]# cat /etc/named.conf
options {
        directory "/etc";
        pid-file "/var/run/named/named.pid";
        listen-on {
                any;
        };
};

zone "." {
        type hint;
        file "/etc/db.cache";
};

zone "sharingcenter.de" {
        type master;
        file "/var/named/sharingcenter.de.hosts";
        notify yes;
        allow-query { any; };
};
zone "sharingcenter.eu" {
        type master;
        file "/var/named/sharingcenter.eu.hosts";
};
[r...@mercury ~]# cat /var/named/sharingcenter.de.hosts
$ORIGIN sharingcenter.de.
$TTL 86400
sharingcenter.de.   IN  SOA   sharingcenter.de. foo.sharingcenter.de. (
                        2010100401  ; Serial - increment me
                        10800       ; Refresh
                        3600        ; Retry
                        604800      ; Expire
                        38400 )     ; Minimum (negative-cache TTL)
                    IN  NS    ns1.sharingcenter.de.
                    IN  NS    ns2.sharingcenter.de.
                    IN  A     178.63.65.171
www                 IN  A     178.63.65.171
ns1                 IN  A     178.63.65.171
ns2                 IN  A     88.198.21.168
[r...@mercury ~]# cat /var/named/sharingcenter.eu.hosts
$ORIGIN sharingcenter.eu.
$TTL 86400
sharingcenter.eu.   IN  SOA   sharingcenter.eu. foo.sharingcenter.eu. (
                        2010092801  ; Serial - increment me
                        10800       ; Refresh
                        3600        ; Retry
                        604800      ; Expire
                        38400 )     ; Minimum (negative-cache TTL)
                    IN  NS    ns1.sharingcenter.eu.
                    IN  NS    ns2.sharingcenter.eu.
                    IN  A     178.63.65.136
                    IN  A     178.63.65.188
www                 IN  A     178.63.65.136
www                 IN  A     178.63.65.188
ns1                 IN  A     178.63.65.136
ns2                 IN  A     178.63.65.188
[r...@mercury ~]#


The 88.198.21.168 machine has these files:

[r...@venus ~]# cat /etc/named.conf
options {
        directory "/etc";
        pid-file "/var/run/named/named.pid";
        listen-on {
                any;
        };
};

zone "." {
        type hint;
        file "/etc/db.cache";
};

zone "sharingcenter.de" {
        type slave;
        masters { 178.63.65.171; };
        allow-update { 178.63.65.171; };
        file "/var/named/sharingcenter.de.hosts";
        notify yes;
        allow-query { any; };
        allow-notify { 88.198.21.168; };
};
[r...@venus ~]# cat /var/named/sharingcenter.de.hosts
$ORIGIN sharingcenter.de.
$TTL 86400
sharingcenter.de.   IN  SOA   sharingcenter.de. foo.sharingcenter.de. (
                        2010100401  ; Serial - increment me
                        10800       ; Refresh
                        3600        ; Retry
                        604800      ; Expire
                        38400 )     ; Minimum (negative-cache TTL)
                    IN  NS    ns2.sharingcenter.de.
ns2                 IN  A     88.198.21.168
[r...@venus ~]#

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com


Re: Unable to query the nameserver

2010-10-05 Thread Andrey G. Sergeev (AKA Andris)
Hello Dotan,


Tue, 5 Oct 2010 20:20:02 +0200 Dotan Cohen wrote:

>> Can you successfully telnet to port 53 from an external host?
> 
> Yes, but it's only a connection. I don't see any output. That's me
> typing "helo":
> 
> $ telnet 178.63.65.136 53
> Trying 178.63.65.136...
> Connected to 178.63.65.136.
> Escape character is '^]'.
> helo
> USER test
> ^C^C
> Connection closed by foreign host.

The DNS protocol has no human-readable verbs. The fact that you can
connect to port 53 from the external location indicates that TCP
connections aren't blocked. But DNS uses TCP only in a limited number of
cases; most of the time queries are carried over UDP.

So you must verify that you _can_ query your server for something like
this:

dig @server-name-or-ip example.de. soa +norec


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Unable to query the nameserver

2010-10-05 Thread Eivind Olsen
--On 5. oktober 2010 20.20.02 +0200 Dotan Cohen wrote:

> Yes, but it's only a connection. I don't see any output. That's me typing
> "helo":
>
> $ telnet 178.63.65.136 53
> Trying 178.63.65.136...
> Connected to 178.63.65.136.
> Escape character is '^]'.
> helo
> USER test
> ^C^C
> Connection closed by foreign host.


DNS isn't a clear-text protocol (unlike POP3, SMTP etc), so that's fine. It 
won't display a banner or anything.



> From googling I see that I must start Bind with the -g option to
> enable logging, but I must be doing it wrong as it's still not
> logging:
> # service named restart -g


The "-g" option is to get debug output. I doubt that works nicely with the 
"service" command. Running RedHat?

I don't have a RedHat system in front of me... but.. you could try:

# service named stop
# /usr/sbin/named -g

..and see if that works at all.

Regards
Eivind Olsen



Re: Unable to query the nameserver

2010-10-05 Thread Eivind Olsen
--On 5. oktober 2010 20.07.57 +0200 Dotan Cohen wrote:

> # nslookup ns1.sharingserver.de 178.63.65.171
> Server: 178.63.65.171
> Address:178.63.65.171#53
>
> ** server can't find ns1.sharingserver.de: NXDOMAIN


In this case, you're trying to look up ns1.sharingserver.de on the 
nameserver on 178.63.65.171.



> However, another site that _does_ work (with both nameservers on this
> host, not just ns1) shows the same thing:
>
> # nslookup ns1.sharingserver.eu 178.63.65.136
> Server: 178.63.65.136
> Address:178.63.65.136#53
>
> ** server can't find ns1.sharingserver.eu: NXDOMAIN


How do you mean this one is working? It's working just as badly as your 
first example.


I've tried looking up the domain "sharingserver.de" and "sharingserver.eu" 
on both the IP addresses you listed, and in all cases your nameserver 
replies with NXDOMAIN - it doesn't know about those domains.



> I don't see a named or bind log, but messages is clean of such things.


I don't think you've mentioned which OS you're running, and whether you run 
a bundled or self-compiled version of BIND, so I'm not sure where it puts 
its logs by default. Do you see _any_ mention of "named" in your 
/var/log/messages or /var/log/syslog or similar files if you restart BIND?
How to restart it depends on your distribution, whether you use bundled 
BIND etc. It might be "service named restart" on one distribution, and 
"rndc stop" followed by "/usr/local/sbin/named" on another, or 
"/etc/rc.d/named restart" on yet another.. And I'm not good at guessing :D


Anyway - if you don't see a single line about "named" in the logs even 
after restarting it, you need to look into fixing that, as I'm guessing 
BIND is then really trying to give you some nice information in the logs 
but it can't..


Regards
Eivind Olsen



Re: Recover deleted zone file - FIXED

2010-10-05 Thread Jay Moore
Thanks to all!  Zone transfers were allowed.  I have already changed the backups to
include the zone files and set up a secondary (slave) named server.

-- 
Jay Moore, CIO 
The National Beta Club 
UT PROSIM 


- Original Message -
> On Tue, 5 Oct 2010, Jay Moore wrote:
> > I am running BIND 9.4.3-P1 on slackware 12.2. The server is only for
> > internal use. I have accidentally removed one of my zone files, and
> > I have
> > no backup! Is there a way to restore this zone file from the cache?
> > I
> > looked at rndc and named options, but don't see anything that will
> > help?
> 
> Assuming zone transfers are allowed:
> dig -t axfr zone_name @127.0.0.1 >rescued_zone_file
> 
> 
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951


Re: Unable to query the nameserver

2010-10-05 Thread Dotan Cohen
On Tue, Oct 5, 2010 at 01:03, Nuno Paquete  wrote:
> Can you successfully telnet to port 53 from an external host?

Yes, but it's only a connection. I don't see any output. That's me typing "helo":

$ telnet 178.63.65.136 53
Trying 178.63.65.136...
Connected to 178.63.65.136.
Escape character is '^]'.
helo
USER test
^C^C
Connection closed by foreign host.


> Have you seen your logs? There must be something logged.
>

From googling I see that I must start Bind with the -g option to
enable logging, but I must be doing it wrong as it's still not
logging:
# service named restart -g



-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com


RE: Recover deleted zone file

2010-10-05 Thread Todd Snyder
If you haven’t restarted the server, you could do an rndc dumpdb and grab the
zone content, I’d think.

From: bind-users-bounces+tsnyder=rim@lists.isc.org 
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Jay Moore
Sent: Tuesday, October 05, 2010 1:13 PM
To: bind-users@lists.isc.org
Subject: Recover deleted zone file

I am running BIND 9.4.3-P1 on slackware  12.2.  The server is only for internal 
use.  I have accidentally removed one of my zone files, and I have no backup!  
Is there a way to restore this zone file from the cache?  I looked at rndc and 
named options, but don't see anything that will help?



--
Jay Moore, CIO
The National Beta Club
UT PROSIM



Re: Unable to query the nameserver

2010-10-05 Thread Dotan Cohen
On Mon, Oct 4, 2010 at 23:37, Greg Whynott  wrote:
> someone with way more bind clues than I would be able to give you a better 
> answer.    the error returned begs two questions..
>
> 1. is this server behind or running a local firewall?
> 2. is bind actually listening on the proper interface?
>
> you could confirm #2 by typing 'nslookup ns1.example.de 1.1.1.1'  where
> 1.1.1.1 is the ip of the local machine (you could even do this on another
> machine, it's telling the resolver to use 1.1.1.1 as the name server for
> initial queries; if it works internally, try an exterior machine to run the
> command on).  it should return your A RR.  also you could try typing "
> netstat -an | grep \:53\ | grep LIST " and see if it's listening on the proper
> interface.
>

It is listening on the right port, but it's not looking up properly I think:

# nslookup ns1.sharingserver.de 178.63.65.171
Server: 178.63.65.171
Address:178.63.65.171#53

** server can't find ns1.sharingserver.de: NXDOMAIN



However, another site that _does_ work (with both nameservers on this
host, not just ns1) shows the same thing:

# nslookup ns1.sharingserver.eu 178.63.65.136
Server: 178.63.65.136
Address:178.63.65.136#53

** server can't find ns1.sharingserver.eu: NXDOMAIN

Note that both the 171 and 136 addresses are on the same hardware
(eth0 and eth0:1)


> do the logs complain about any zones?  something like "not loading zone X"..
>

I don't see a named or bind log, but messages is clean of such things.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

RE: minimum cache times?

2010-10-05 Thread Eivind Olsen
--On 5. oktober 2010 13.46.30 -0400 "Atkins, Brian (GD/VA-NSOC)" wrote:

> Currently, we use DNS to blackhole bad domains. The list of bad domains
> is provided to us from another government entity or vetted by an
> enterprise security team.


How do you implement this list? By putting those domains into your 
named.conf (or some included configuration file) as authoritative domains, 
pointing to a common dummy zonefile, and then reloading/restarting BIND?
If you do it like this and restart BIND, you'll automatically lose the old 
cached information anyway.
If you instead add to named.conf and do "rndc reconfig", I don't think it 
will drop previously cached information.
Depending on how you do this - is it feasible to do "rndc flushname 
old.cached.domain" on these domains?



> The servers I manage are the DNS servers of last resort for our internal
> clients before hitting up root. However, they are not the only DNS
> servers available to the clients - there are several hundred internal
> servers, mostly windows servers, that handle client queries. I have no
> control over them.


Are all those DNS servers pointing to your server as their forwarder, or 
will any change you do on your server still have next to no impact since 
these other servers bypass you anyway?


In other words, is your setup something like this?

[clients] --> [X amount of DNS servers you don't control] --> [YOUR DNS 
server] --> Internet


> So, when I add new domains to my block list, I am at the mercy of the
> bad domain's TTL. I have had DNS cache thwarting my ability to block the
> bad domain, sometimes for several days.


If the information is cached at your internal servers which _you_ have no 
control over, you'll still be at the mercy of any long TTL.



> Basically, I want to make the block occur within a couple of hours after
> implementation - hence setting the max-cache-ttl.
> I realize that there are other ways to do this, but I am limited by
> my funding.


As long as you don't have control over all the different DNS servers used 
in your organization, you'll still have problems making a solution here.


Regards
Eivind Olsen



RE: minimum cache times?

2010-10-05 Thread Atkins, Brian (GD/VA-NSOC)
Thank you for all the good responses.

While I am unsure if Chrisoph's question was answered, I now understand
why most everyone thinks it is a bad idea to over-ride the TTL for
records I am not authoritative for:

1) It's not RFC compliant for the protocol
2) Changing it could potentially increase load on the DNS servers for
other domains
3) It's bad manners.

So, that being said, can anyone suggest an alternative to my issue?

Currently, we use DNS to blackhole bad domains. The list of bad domains
is provided to us from another government entity or vetted by an
enterprise security team. 

The servers I manage are the DNS servers of last resort for our internal
clients before hitting up root. However, they are not the only DNS
servers available to the clients - there are several hundred internal
servers, mostly windows servers, that handle client queries. I have no
control over them.

So, when I add new domains to my block list, I am at the mercy of the
bad domain's TTL. I have had DNS cache thwarting my ability to block the
bad domain, sometimes for several days. 

Basically, I want to make the block occur within a couple of hours after
implementation - hence setting the max-cache-ttl.

I realize that there are other ways to do this, but I am limited by
my funding.

Thanks,

Brian



Re: Unable to query the nameserver

2010-10-05 Thread Dotan Cohen
On Tue, Oct 5, 2010 at 01:14, Nuno Paquete  wrote:
> Are your servers running virtualized?
>

No, it's real hardware!

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com


Re: Recover deleted zone file

2010-10-05 Thread Eivind Olsen

--On 5. oktober 2010 13.12.37 -0400 Jay Moore wrote:

> I am running BIND 9.4.3-P1 on slackware 12.2.  The server is only for
> internal use.  I have accidentally removed one of my zone files, and I
> have no backup!  Is there a way to restore this zone file from the cache?
> I looked at rndc and named options, but don't see anything that will
> help?


"rndc dumpdb -zones" might work for you? I have no idea where that file 
will end up on your setup though.


Another option: If the zone transfer isn't available as an option, and you 
don't have a slave DNS to copy it from either.. I haven't tried this, so I 
can't guarantee it will work, but it might work changing the named.conf to 
allow zone transfers, then do a "rndc reconfig"? No guarantees that it will 
work as expected though :D


Regards
Eivind Olsen



Re: Recover deleted zone file

2010-10-05 Thread Andrey G. Sergeev (AKA Andris)
Hello Jay,


Tue, 5 Oct 2010 13:12:37 -0400 (EDT) Jay Moore wrote:

> I am running BIND 9.4.3-P1 on slackware 12.2. The server is only for
> internal use. I have accidentally removed one of my zone files, and I
> have no backup! Is there a way to restore this zone file from the
> cache? I looked at rndc and named options, but don't see anything
> that will help? 

You can pull your zone data from your secondaries:

dig @secondary-server-name.domain.tld. your-domain.tld. axfr


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Recover deleted zone file

2010-10-05 Thread Jay Ford

On Tue, 5 Oct 2010, Jay Moore wrote:
> I am running BIND 9.4.3-P1 on slackware 12.2.  The server is only for
> internal use.  I have accidentally removed one of my zone files, and I have
> no backup!  Is there a way to restore this zone file from the cache?  I
> looked at rndc and named options, but don't see anything that will help?


Assuming zone transfers are allowed:
   dig -t axfr zone_name @127.0.0.1 >rescued_zone_file


Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951

Recover deleted zone file

2010-10-05 Thread Jay Moore
I am running BIND 9.4.3-P1 on slackware 12.2. The server is only for internal 
use. I have accidentally removed one of my zone files, and I have no backup! Is 
there a way to restore this zone file from the cache? I looked at rndc and 
named options, but don't see anything that will help? 



-- 
Jay Moore, CIO 
The National Beta Club 
UT PROSIM 



Re: Custom DNS error with BIND?

2010-10-05 Thread Phan Quoc Hien
Thanks for your response. I want this for testing purposes only.

On Tue, Oct 5, 2010 at 11:20 PM, Eivind Olsen  wrote:
> --On 5. oktober 2010 22.25.17 +0700 Phan Quoc Hien 
> wrote:
>>
>> I'm trying to find a way to "custom DNS error with BIND". Below I explain it:
>>
>> If an A record does not exist => return one IP that redirects to a custom
>> error page with Apache! Like OpenDNS?
>>
>> Please let me know how to solve this problem... or must I edit the BIND
>> source code?
>
> As far as I know, it's not natively supported by BIND. Are you _really_ sure
> you want this? Suggested reading is for example
> 
>
> Regards
> Eivind Olsen
>
>



-- 
Best regards,
Mr.Hien
E-mail: phanquoch...@gmail.com
Website: www.mrhien.info


Re: Custom DNS error with BIND?

2010-10-05 Thread Eivind Olsen
--On 5. oktober 2010 22.25.17 +0700 Phan Quoc Hien wrote:

> I'm trying to find a way to "custom DNS error with BIND". Below I explain it:
>
> If an A record does not exist => return one IP that redirects to a custom
> error page with Apache! Like OpenDNS?
>
> Please let me know how to solve this problem... or must I edit the BIND
> source code?


As far as I know, it's not natively supported by BIND. Are you _really_ 
sure you want this? Suggested reading is for example 



Regards
Eivind Olsen



Custom DNS error with BIND?

2010-10-05 Thread Phan Quoc Hien
Hi,
I'm trying to find a way to "custom DNS error with BIND". Below I explain it:

If an A record does not exist => return one IP that redirects to a custom
error page with Apache! Like OpenDNS?

Please let me know how to solve this problem... or must I edit the BIND source code?

-- 
Best regards,
Mr.Hien
E-mail: phanquoch...@gmail.com
Website: www.mrhien.info


RE: minimum cache times?

2010-10-05 Thread Eivind Olsen
> I asked a similar question 2 weeks ago and got a non-response (e.g., a
> response with no real information).

The only somewhat good reason I see for overriding (well, lowering) the
cache time is if it causes your server any memory issues. Although the
real solution then would be to buy more memory. Yes, an active DNS server
will cache a few GB, depending on usage patterns, how common DNSSEC
becomes etc, but if you run an active DNS-server I'd hope you'd be able to
get the budget for that memory.
Overriding the cache TTL by lowering it is essentially the same as what
happens when nameservers are restarted - it isn't optimal, but it happens
all the time all over the world.

Overriding the cache TTL by _increasing_ the value is something that's
bound to break many setups - if I set my TTL to a low value, it's
hopefully for a reason.

I have had to remove some cached information before it timed out by itself
due to TTL - depending on how often you need to do that and how many
servers you have, one option might be to do something like "rndc flushname
hostname.to.flush" on those servers.
Depending on your setup, you might also consider centralizing this so you
can do it once from one location (easiest solution: make a wrapper script,
running rndc on all servers in turn, over the network).

Regards
Eivind Olsen




Re: minimum cache times?

2010-10-05 Thread Rob Austein
At Tue, 5 Oct 2010 10:45:04 -0400, Nicholas Wheeler wrote:
> 
> I think Brian's OP was about a max-ttl override ... Which is the
> opposite. The only disadvantages I see is a potential waste of
> bandwidth (and it violates the protocol).

max-ttl is (very) different from min-ttl.  max-ttl might (or might
not) be a waste of bandwidth, but it can't be a violation of the
protocol, because nobody can require you to cache at all, or to
preserve your cache across reboots, etc.

max-ttl has been around since at least, um, 1985, when I implemented
it in a non-BIND iterative resolver to cope with the  TTLs
that we were receiving from certain badly configured authoritative
nameservers.  It's not something to use blindly, but it's definitely
legal, and is sometimes necessary.  The trick with max-ttl is to set
it to a sane value for your situation.  Eg, an iterative resolver
associated with a busy MTA might use a max-ttl setting equal to half
of the MTA's queue lifetime, to insure that it tried looking for an
updated MX RR at least once before giving up on a message.
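The behaviours compared across this thread (Brian's max-cache-ttl, Eivind's points that a restart empties the cache while "rndc reconfig" does not and that "rndc flushname" removes a single name, and Rob Austein's rule for sizing max-ttl on a mail server) can be pictured with a small cache model. It is an added illustration written for this page, not BIND's code; the domain bad.example, the addresses 203.0.113.5 and 127.0.0.1 and the TTLs are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DAY = 86400


@dataclass
class CachedRRset:
    rdata: Tuple[str, ...]
    expires_at: int          # absolute time after which the entry is not served


@dataclass
class ResolverCache:
    """Toy model of a recursive server's cache (not BIND's implementation).

    max_cache_ttl plays the role of BIND's max-cache-ttl: it caps how long a
    positive answer is kept, whatever TTL the authoritative server set. It only
    ever shortens a TTL; stretching one would be the 'min-ttl' idea the thread
    rejects.
    """
    max_cache_ttl: int = 7 * DAY
    entries: Dict[Tuple[str, str], CachedRRset] = field(default_factory=dict)
    upstream_queries: int = 0

    def effective_ttl(self, ttl: int) -> int:
        return min(ttl, self.max_cache_ttl)

    def store(self, name: str, rtype: str, rdata: Tuple[str, ...], ttl: int, now: int) -> None:
        self.entries[(name.lower(), rtype)] = CachedRRset(tuple(rdata), now + self.effective_ttl(ttl))

    def lookup(self, name: str, rtype: str, now: int) -> Optional[Tuple[str, ...]]:
        """Cached rdata, or None when the entry is absent or has expired."""
        key = (name.lower(), rtype)
        entry = self.entries.get(key)
        if entry is None or now >= entry.expires_at:
            self.entries.pop(key, None)
            return None
        return entry.rdata

    def flushname(self, name: str) -> None:
        """Like 'rndc flushname': drop every cached RRset for one name only."""
        for key in [k for k in self.entries if k[0] == name.lower()]:
            del self.entries[key]

    def restart(self) -> None:
        """A restart loses the whole cache; 'rndc reconfig' keeps it."""
        self.entries.clear()


def resolve(cache: ResolverCache, name: str, rtype: str, now: int, authoritative: dict):
    """Answer from cache, else fetch from the (constructed) authoritative data.
    Returns (rdata, "cache" or "upstream")."""
    hit = cache.lookup(name, rtype, now)
    if hit is not None:
        return hit, "cache"
    cache.upstream_queries += 1
    rdata, ttl = authoritative[(name, rtype)]
    cache.store(name, rtype, rdata, ttl, now)
    return tuple(rdata), "upstream"


def mta_max_ttl(queue_lifetime: int) -> int:
    """Rob Austein's sizing rule: clamp to half the MTA's queue lifetime so an
    updated MX is looked for at least once before a message is given up on."""
    return queue_lifetime // 2


def blocklist_demo() -> Dict[str, Tuple[str, ...]]:
    """Brian's scenario: a bad domain was cached with a long TTL before it was
    added to the local blackhole list. What clients see afterwards under each
    approach. All names, addresses and TTLs are constructed."""
    before = {("bad.example", "A"): (("203.0.113.5",), 7 * DAY)}   # real answer, 7-day TTL
    after = {("bad.example", "A"): (("127.0.0.1",), 60)}           # local blackhole zone
    seen = {}

    c = ResolverCache()                            # 1. honour the upstream TTL
    resolve(c, "bad.example", "A", 0, before)
    seen["default"] = resolve(c, "bad.example", "A", 2 * DAY, after)[0]

    c = ResolverCache(max_cache_ttl=2 * 3600)      # 2. max-cache-ttl of two hours
    resolve(c, "bad.example", "A", 0, before)
    seen["clamped"] = resolve(c, "bad.example", "A", 2 * 3600 + 1, after)[0]

    c = ResolverCache()                            # 3. rndc flushname, no override
    resolve(c, "bad.example", "A", 0, before)
    c.flushname("bad.example")
    seen["flushname"] = resolve(c, "bad.example", "A", 60, after)[0]

    c = ResolverCache()                            # 4. full restart, cache gone
    resolve(c, "bad.example", "A", 0, before)
    c.restart()
    seen["restart"] = resolve(c, "bad.example", "A", 60, after)[0]
    return seen


if __name__ == "__main__":
    for approach, answer in blocklist_demo().items():
        print(f"{approach:10s} -> {answer}")
```

The model clamps downward only: effective_ttl is min(ttl, max_cache_ttl), so it can shorten a seven-day TTL to two hours but never stretch a short one. It also says nothing about the several hundred Windows resolvers sitting between Brian's clients and his servers; whatever they cache is outside this model, which is Eivind's point about control.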


Re: minimum cache times?

2010-10-05 Thread Nicholas Wheeler
I think Brian's OP was about a max-ttl override ... Which is the opposite. The 
only disadvantages I see are a potential waste of bandwidth (and that it violates the 
protocol).

- Original Message -
From: bind-users-bounces+nwheeler=devis@lists.isc.org 

To: bind-users@lists.isc.org 
Sent: Tue Oct 05 10:36:27 2010
Subject: Re: minimum cache times?

At Tue, 5 Oct 2010 09:19:49 -0400, Atkins, Brian (GD/VA-NSOC) wrote:
> 
> I asked a similar question 2 weeks ago and got a non-response (e.g., a
> response with no real information).
> 
> From what I've read, everyone seems to frown on over-riding cache times,
> but I haven't seen any specifics as to why it's bad.

Because it's a protocol violation, deliberately ignores the cache time
set by the owner of the data, and is dangerous.

Eg, you ask me for the address of my web server.  I answer, saying
that the answer is good for a week, after which you need to ask again
because I might have changed something.  You override the TTL time and
cache the data for two weeks.  Meanwhile, I start the process of
moving my server to a different address.  Protocol says I have to wait
the time I set in the TTL, then I can assume that all cached copies of
the old data are dead, at which point it's safe for me to kill the old
address.  But you're ignoring the TTL.  So I go ahead and move my
server, your users still see your past-expiration copy of the old
address, can't reach my server, and my help desk phone starts ringing.
Your fault, but I pay for it, because you violated the protocol.

The above is a simple example.  For some real fun, throw DNSSEC into
the mix and think about signature expiration times.

"min-ttl" is a really bad idea.  I first saw it proposed in the late
'80s.  It was a bad idea then, and it's still a bad idea now.  Every
few years somebody exhumes it, it lurches, undead, into some patch
set, and we replay this discussion again.  Most likely the reason you
didn't get an immediate response is simply that playing whack-a-zombie
gets old after the first decade or so.

The TTL mechanism is part of the protocol for a reason: it's to
control how tightly consistent the data are supposed to be in the
opinion of the publisher of the data.  Nobody but the publisher of the
data has enough information to know how long it's safe to keep the
data.  Some publishers make silly decisions about this setting, which
causes other problems, but keeping data past its expiration time is
not the answer.


Re: minimum cache times?

2010-10-05 Thread Rob Austein
At Tue, 5 Oct 2010 09:19:49 -0400, Atkins, Brian (GD/VA-NSOC) wrote:
> 
> I asked a similar question 2 weeks ago and got a non-response (e.g., a
> response with no real information).
> 
> From what I've read, everyone seems to frown on over-riding cache times,
> but I haven't seen any specifics as to why it's bad.

Because it's a protocol violation, deliberately ignores the cache time
set by the owner of the data, and is dangerous.

Eg, you ask me for the address of my web server.  I answer, saying
that the answer is good for a week, after which you need to ask again
because I might have changed something.  You override the TTL time and
cache the data for two weeks.  Meanwhile, I start the process of
moving my server to a different address.  Protocol says I have to wait
the time I set in the TTL, then I can assume that all cached copies of
the old data are dead, at which point it's safe for me to kill the old
address.  But you're ignoring the TTL.  So I go ahead and move my
server, your users still see your past-expiration copy of the old
address, can't reach my server, and my help desk phone starts ringing.
Your fault, but I pay for it, because you violated the protocol.

The above is a simple example.  For some real fun, throw DNSSEC into
the mix and think about signature expiration times.

"min-ttl" is a really bad idea.  I first saw it proposed in the late
'80s.  It was a bad idea then, and it's still a bad idea now.  Every
few years somebody exhumes it, it lurches, undead, into some patch
set, and we replay this discussion again.  Most likely the reason you
didn't get an immediate response is simply that playing whack-a-zombie
gets old after the first decade or so.

The TTL mechanism is part of the protocol for a reason: it's to
control how tightly consistent the data are supposed to be in the
opinion of the publisher of the data.  Nobody but the publisher of the
data has enough information to know how long it's safe to keep the
data.  Some publishers make silly decisions about this setting, which
causes other problems, but keeping data past its expiration time is
not the answer.


Re: Unable to query the nameserver

2010-10-05 Thread Greg Whynott
It's as if they think hackers' main source of targets comes from here. Doesn't 
appear to really want any help anyway.  

-g



On Oct 4, 2010, at 8:35 PM, Noel Butler wrote:

> On Mon, 2010-10-04 at 17:29 -0500, Lyle Giese wrote:
>> Dotan Cohen wrote: 
> 
>>> The ports aren't blocked as another site (example.eu) hosted on the
>>> 1.1.1.1 server works fine. The working site has both nameservers
>>> pointed to that same server (on two different IP addresses on eth0 and
>>> etho0:0). Only the example.de site which has one nameserver on the
>>> 1.1.1.1 machine and the second nameserver on 1.1.2.2 is giving me a
>>> headache.
>>> 
>>> 
>>>   
>> I would like to help but since you are refusing to post the real ip address 
>> or the real hostnames or the real domain names involved, I can not.  I could 
>> do some testing from here to see if your firewall was configured correctly 
>> or what the view was from outside your network.  But I can not.  
>> 
> 
> Quite right, too many people with paranoia come here looking for help but 
> refuse to let us do correct remote testing.
> First post was 7.08am local, it's 3 1/2 hours later and we still have no real 
> info; had it been supplied his problem may have been identified and resolved 3 
> hours ago.
> 
> 
> 



Re: minimum cache times?

2010-10-05 Thread Dave Sparro

On 10/5/2010 9:19 AM, Atkins, Brian (GD/VA-NSOC) wrote:
> I asked a similar question 2 weeks ago and got a non-response (e.g., a
> response with no real information).
>
> From what I've read, everyone seems to frown on over-riding cache times,
> but I haven't seen any specifics as to why it's bad.



Basically, it is impolite.

If you ignore my Authoritative server's request to cache answers, you'll 
end up either increasing the load on my server, or missing an update I 
make to my data (depending on which direction you adjust the cache time).


Now imagine a world where everybody ignores my TTL.

--
Dave



RE: minimum cache times?

2010-10-05 Thread Atkins, Brian (GD/VA-NSOC)
I asked a similar question 2 weeks ago and got a non-response (e.g., a
response with no real information).

From what I've read, everyone seems to frown on over-riding cache times,
but I haven't seen any specifics as to why it's bad.

Brian


Re: Unable to query the nameserver

2010-10-05 Thread Christopher Cain
Dotan - Are zone transfers working correctly between ns1 & ns2?  Although
you have ns2 defined as a slave to ns1, your cat output of the zone on ns2
shows a zone with contents different from the master.  The slave zone is
missing a host record for ns1.  Is it possible the system trying to resolve
ns1 is querying ns2?

Christopher Cain
E: ch...@christophercain.ca
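One concrete way to see what Christopher Cain is describing, as an added example rather than anything posted in the thread: a small master-file parser that loads the two sharingcenter.de.hosts files from Dotan's message (embedded here as he posted them) and lists every record the master holds that the slave copy lacks. The parser handles $ORIGIN, $TTL, an omitted owner name, the parenthesised multi-line SOA and ";" comments, which is all these files use; it does not implement $INCLUDE or $GENERATE, and per-record TTLs are skipped rather than compared.

```python
# The two zone texts are the sharingcenter.de.hosts files as posted in the thread:
# MASTER_ZONE from ns1 (mercury), SLAVE_ZONE from ns2 (venus).
MASTER_ZONE = """\
$ORIGIN sharingcenter.de.
$TTL 86400
sharingcenter.de. IN  SOA sharingcenter.de. foo.sharingcenter.de. (
2010100401; Serial - increment me
10800
3600
604800
38400 )
   IN  NS  ns1.sharingcenter.de.
   IN  NS  ns2.sharingcenter.de.
   IN  A   178.63.65.171
www   IN  A   178.63.65.171
ns1   IN  A   178.63.65.171
ns2   IN  A   88.198.21.168
"""

SLAVE_ZONE = """\
$ORIGIN sharingcenter.de.
$TTL 86400
sharingcenter.de. IN  SOA sharingcenter.de. foo.sharingcenter.de. (
2010100401; Serial - increment me
10800
3600
604800
38400 )
   IN  NS  ns2.sharingcenter.de.
ns2   IN  A   88.198.21.168
"""

CLASSES = {"IN", "CH", "HS"}
NAME_RDATA_TYPES = {"NS", "CNAME", "MX", "PTR", "SOA"}


def _logical_lines(text):
    """Yield each record as a list of lines, joining '(' ... ')' continuations."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # drop ';' comments (none are quoted here)
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield buf
            buf, depth = [], 0


def _qualify(name, origin):
    """Make a name absolute: '@' is the origin, relative names get it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return a set of (owner, class, type, rdata) tuples for a master-format zone.
    TTLs are skipped on purpose so two copies compare on content only."""
    origin, owner, records = ".", None, set()
    for lines in _logical_lines(text):
        first = lines[0]
        if first.startswith("$ORIGIN"):
            origin = first.split()[1]
            continue
        if first.startswith("$TTL"):
            continue
        tokens = " ".join(lines).split()
        if not first[:1].isspace():            # a leading name sets a new owner
            owner = _qualify(tokens.pop(0), origin)
        if owner is None:
            raise ValueError("record before any owner name")
        if tokens and tokens[0].isdigit():     # optional per-record TTL
            tokens.pop(0)
        rclass = tokens.pop(0).upper() if tokens[0].upper() in CLASSES else "IN"
        rtype = tokens.pop(0).upper()
        if rtype in NAME_RDATA_TYPES:          # qualify names inside rdata as well
            tokens = [t if t.isdigit() else _qualify(t, origin) for t in tokens]
        records.add((owner, rclass, rtype, " ".join(tokens)))
    return records


def missing_on_slave(master_text, slave_text):
    """Records the master holds that the slave copy lacks, sorted for display."""
    return sorted(parse_zone(master_text) - parse_zone(slave_text))


def soa_serial(zone_text):
    """Serial from the SOA rdata: mname rname serial refresh retry expire minimum."""
    for _owner, _cls, rtype, rdata in parse_zone(zone_text):
        if rtype == "SOA":
            return int(rdata.split()[2])
    raise ValueError("zone has no SOA record")


if __name__ == "__main__":
    for rec in missing_on_slave(MASTER_ZONE, SLAVE_ZONE):
        print("missing on slave:", rec)
    print("serials:", soa_serial(MASTER_ZONE), soa_serial(SLAVE_ZONE))
```

The diff is exactly the four records Cain is pointing at: the NS record for ns1 and the A records for the apex, www and ns1. The second check, soa_serial, shows that both copies carry serial 2010100401. A slave decides whether to transfer by comparing the master's SOA serial with its own, so a hand-written slave file that already matches the master's serial would never be refreshed even once transfers work; that is why a slave's zone file is best left for named to create and maintain.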

Re: Unable to query the nameserver

2010-10-05 Thread Eivind Olsen
> but when I try to configure
> my domain name in the registrar's control panel I get this error:
> """
> Error : Unable to query the nameserver ns1.example.de
> """

Hm, you mention in another posting that you're hosting other domains. Are
they using the same registrar as the one that's giving you this error
message? Are you _naming_ the nameservers the same? I know some registrars
require you to first register your nameservers with them, so they can add
any glue records if needed. I'm just wondering if the error message might
be misleading.

But maybe they really can't contact your nameserver. As a few others have
mentioned, it's hard to help troubleshoot this when you've given no real
information.

Check your logs on your nameserver. Depending on your OS, it might end up
in /var/log/messages, /var/adm/messages, or somewhere else entirely (or
maybe not at all). You should at least see some log-entries when you start
BIND. The copies of named.conf you listed didn't show any custom logging
statements.

Verify nameserver operation, by doing something like this:

# dig any your.troublesome.domain @1.1.1.1
(replace the domain name + IP-address of your nameserver with the real data)

Do this from multiple places:
- from the nameserver itself
- from another server in the same subnet if possible, to avoid routing
issues etc.
- from somewhere outside of your network

If it for example works from the nameserver itself + another server in
your local network, but doesn't work from an external address, I suggest
you look at any firewalls / access controls in your network.

You also mentioned you had another domain which worked, on the same
nameservers. Do the same kind of queries on that as well, from the same
places.

Let us know how these tests went. And/or post real data so we can check a
bit for ourselves.

Oh, and another thing - you mentioned you were running both nameservers on
the same server (eth0 and eth0:0). You _are_ aware of what this means, if
your domain name is only served by a single physical server and that
server happens to go down some day? Any server _will_ go down sometimes,
even if you decide to not patch it...
If it's serving a domain name you care about, I'd _really_ recommend
having multiple _separate_ nameservers, hosted on separate subnets. There
are various companies that sell cheap slave-DNS services.

Regards
Eivind Olsen

