Re: BIND 9.4.3-P2 assertion failure

2011-04-01 Thread Kevin Oberman
> Date: Fri, 1 Apr 2011 08:56:14 +0200
> From: Matus UHLAR - fantomas 
> Sender: bind-users-bounces+oberman=es@lists.isc.org
> 
> On 29.03.11 10:32, Oleksii Krykun wrote:
> > I have used BIND 9.4.3-P2 on FreeBSD 7.2-RELEASE (which is built-in) for about two
> > years without problems.
> > 
> > Since last Friday I sometimes see error messages like the following:
> > 
> > Mar 28 16:44:06 gate2 named[60455]:
> > /usr/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:2361:
> > INSIST(!sock->pending_accept) failed
> > Mar 28 16:44:06 gate2 named[60455]: exiting (due to assertion failure)
> > Mar 28 16:44:06 gate2 kernel: pid 60455 (named), uid 53: exited on signal 6
> 
> Hasn't FreeBSD incorporated BIND 9.4-ESV?
> You can always install newer from ports.
> 9.8 is newest BIND version, ESV versions are supported for 9.4 and 9.6

Yes, it has, but FreeBSD-7.2 is rather old and not supported. FreeBSD is
now at 8.2 and includes 9.6-ESV-R4. 7.4 is also fully supported and has
9.4-ESV.

Of course, as you mention, the ports are more current. It has several
versions including 9.7.3 and 9.8.0. (Lots of people avoid .0 releases of
anything.)
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net  Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: [RI-DISCUSS] Is it possible to block or modify DNS' resolution of a malware address?

2011-04-01 Thread Stewart Dean

Came up with this as a simple, straightforward, quick answer:
http://www.malwaredomains.com/bhdns.html

My thanks to everyone who responded so quickly!

Our phishing email looked like this

You have exceeded the storage capacity of your designated mail box and
is thus required to revalidate immediately.
you may not receive/send mails until your mailbox is revalidated,
revalidation increases your mailbox storage capacity and is fast and easy.
Please click here
 to
revalidate your mailbox.
- Admin


Note that even though my internal DNS server is now authoritative for 10001mb.com, 
anyone who has swallowed the bait (before I set up the dummy domain) gets a cookie 
set in the browser that keeps them going to that malign web page even after the 
address resolution call times out :(


On 4/1/2011 10:36 AM, Jose Nazario wrote:

On Apr 1, 2011, at 10:22 AM, Stewart Dean wrote:


That is, if we know that a symbolic address is malign, is there some way to 
refuse to resolve it or change its resolution when an internal user asks for 
its resolution from the internal DNS server?

All my Google searching turns up DNSBLs and blocking incoming mail from BLed 
addresses, but this is another matter...



Hrm .. I may have misread this. I was thinking you didn't want to do the 
standard DNSBL approach (have your local DNS servers become authoritative for 
the zone and control its resolution). I was thinking you wanted to do this off 
the DNS servers, hence the network-centric approach (read the DNS traffic and 
rewrite it as needed).

_
jose nazario, ph.d. j...@arbor.net
sr. manager of security research, arbor networks
http://asert.arbor.net/



--

"One must think like a hero to behave like a merely decent human being." - May 
Sarton
"Having overcome your worst fear, the thing you are most vulnerable to, that is 
the definition of heroic.

Also, it's such a worthwhile human activity. The most." -Fran Liebowitz

Funny how it's women who see the real heroism (that of going on, of being true) 
so clearly.

Stewart Dean, Unix System Admin, Bard College, New York 12504 sd...@bard.edu
voice: 845-758-7475, fax: 845-758-7035



RE: Is it possible to block resolution of a malware address?

2011-04-01 Thread Baird, Josh
We typically override malware-ish domains by creating a zone on our
caching servers for them and creating a wildcard similar to:

*   IN  A   127.0.0.1

That way, when clients try to resolve xyz.com, our caching/resolvers
return 127.0.0.1, not the real IP address.

Josh

-Original Message-
From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Stewart Dean
Sent: Friday, April 01, 2011 10:22 AM
To: bind-users@lists.isc.org
Subject: Is it possible to block resolution of a malware address?

That is, if we know that a symbolic address is malign, is there some way
to refuse to resolve it or change its resolution when an internal user
asks for its resolution?

All my Google searching turns up DNSBLs and blocking incoming mail from
BLed addresses, but this is another matter...

Thanks in advance...
-- 

Stewart Dean, Unix System Admin, Henderson Computer Resources
Center of Bard College, Annandale-on-Hudson, New York  12504
sd...@bard.edu  voice: 845-758-7475, fax: 845-758-7035


Re: Is it possible to block resolution of a malware address?

2011-04-01 Thread Eivind Olsen
> That is, if we know that a symbolic address is malign, is there some way
> to refuse to resolve it or change its resolution when an internal user
> asks for its resolution?

Two different ways of doing this:

- configure your BIND to believe it's authoritative for the address(es) in
question by configuring it as a zone

or, if you run a recent enough version of BIND:
- set up RPZ, it really is easy to implement (and has the advantage of
scaling nicely with multiple servers as well - configure the RPZ zone
somewhere and let normal zone transfers copy it to the other servers you
have as well)

Regards
Eivind Olsen
eiv...@aminor.no


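Both approaches from this thread (Josh Baird's per-domain wildcard zone, and Eivind Olsen's RPZ) generated from one block list, as an added example that is not code from either poster or from ISC BIND. The domain list, the rpz.local zone name, the 127.0.0.1 sink address, the file paths and the SOA values are assumptions for illustration; 10001mb.com is the phishing domain from this thread. RPZ needs BIND 9.8.0 or later; the wildcard-zone approach works on any BIND 9.

```python
"""Generate BIND sinkhole configuration for a block list of domains.

Added example for this thread; not code from any poster or from ISC BIND.
Two ways discussed in the thread:
  1. one local authoritative zone per domain with a wildcard A record
  2. one Response Policy Zone (RPZ, BIND 9.8.0+) covering every domain
Domain list, zone names, paths and the sink address are assumptions.
"""
import re

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
SOA = "@ IN SOA localhost. hostmaster.localhost. ( {serial} 3600 900 604800 60 )"


def normalize_domain(name: str) -> str:
    """Lower-case, drop the trailing dot and validate every label; raises
    ValueError so a garbage entry in the block list cannot break zone loading."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        raise ValueError(f"not a valid hostname: {name!r}")
    return name


def sinkhole_zone(domain: str, sink_ip: str = "127.0.0.1", serial: int = 1) -> str:
    """Approach 1: a zone that makes the resolver authoritative for the domain.
    Apex and wildcard both answer with the sink address; the 60s TTL means
    un-blocking a false positive is not held up by client caches."""
    d = normalize_domain(domain)
    return "\n".join([
        f"$ORIGIN {d}.",
        "$TTL 60",
        SOA.format(serial=serial),
        "@ IN NS localhost.",
        f"@ IN A {sink_ip}",
        f"* IN A {sink_ip}",
        "",
    ])


def sinkhole_named_conf(domain: str, zone_dir: str = "/etc/namedb/sinkhole") -> str:
    """named.conf stanza for approach 1 (one per blocked domain)."""
    d = normalize_domain(domain)
    return f'zone "{d}" IN {{ type master; file "{zone_dir}/{d}.db"; }};\n'


def rpz_zone(domains, action: str = "nxdomain", sink_ip: str = "127.0.0.1",
             serial: int = 1, rpz_name: str = "rpz.local") -> str:
    """Approach 2: one RPZ zone listing every domain and its subdomains.
    'nxdomain' uses the RPZ special rdata 'CNAME .' (client gets NXDOMAIN);
    'sinkhole' answers with local data (an A record), which lets you log hits."""
    if action not in ("nxdomain", "sinkhole"):
        raise ValueError(f"unknown action {action!r}")
    lines = [f"$ORIGIN {rpz_name}.", "$TTL 60", SOA.format(serial=serial), "@ IN NS localhost."]
    for d in sorted({normalize_domain(x) for x in domains}):   # dedupe after normalising
        rdata = "CNAME ." if action == "nxdomain" else f"A {sink_ip}"
        lines.append(f"{d} IN {rdata}")
        lines.append(f"*.{d} IN {rdata}")
    lines.append("")
    return "\n".join(lines)


def rpz_named_conf(rpz_name: str = "rpz.local", path: str = "/etc/namedb/rpz.local.db") -> str:
    """named.conf fragments for approach 2 (merge the response-policy line into
    your existing options block). allow-query is restricted because clients
    never need to query the policy zone directly."""
    return (
        f'options {{ response-policy {{ zone "{rpz_name}"; }}; }};\n'
        f'zone "{rpz_name}" IN {{ type master; file "{path}"; allow-query {{ localhost; }}; }};\n'
    )


# Constructed block list: 10001mb.com is the phishing domain from this thread,
# the others are made-up names (note the duplicate that differs only in case).
BLOCKLIST = ["10001mb.com", "Evil.Example.", "evil.example", "c2.malware.test"]

if __name__ == "__main__":
    print(sinkhole_named_conf("10001mb.com"))
    print(sinkhole_zone("10001mb.com"))
    print(rpz_named_conf())
    print(rpz_zone(BLOCKLIST, action="sinkhole", sink_ip="192.0.2.1"))
```

Pick the RPZ action deliberately: CNAME . returns NXDOMAIN and tells you nothing afterwards, while an A record pointing at a local web server lets you log which clients are still calling home (the ones Stewart describes, still carrying the cookie). Either way keep the TTL short so un-blocking a false positive does not wait on client caches, run the generated files through named-checkzone before loading them, and remember that an RPZ zone is a normal zone, so it can be transferred to every resolver with AXFR/IXFR as Eivind notes.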


Is it possible to block resolution of a malware address?

2011-04-01 Thread Stewart Dean
That is, if we know that a symbolic address is malign, is there some way to 
refuse to resolve it or change its resolution when an internal user asks for 
its resolution?


All my Google searching turns up DNSBLs and blocking incoming mail from BLed 
addresses, but this is another matter...


Thanks in advance...
--

Stewart Dean, Unix System Admin, Henderson Computer Resources
Center of Bard College, Annandale-on-Hudson, New York  12504
sd...@bard.edu  voice: 845-758-7475, fax: 845-758-7035


Re: Zone File IP address/Hostname

2011-04-01 Thread Tony MacDoodle
I think it's something with one of the zone files; here is what I get:

nslookup rac-scan
Server: xxx.xxx.xxx.xxx
Address:xxx.xxx.xxx.xxx#53

Name:   rac-scan.rac.local
Address: xxx.xxx.xxx.xxx
Name:   rac-scan.rac.local
Address: xxx.xxx.xxx.xxx
Name:   rac-scan.rac.local
Address: xxx.xxx.xxx.xxx

root:jabba:~# nslookup rac2-scan
;; connection timed out; no servers could be reached



/var/adm/messages
Apr  1 09:05:16 apple named[1695]: [ID 873579 daemon.info] shutting down
Apr  1 09:05:16 apple named[1695]: [ID 873579 daemon.notice] stopping
command channel on 127.0.0.1#953
Apr  1 09:05:16 apple named[1695]: [ID 873579 daemon.info] no longer
listening on 127.0.0.1#53
Apr  1 09:05:16 apple named[1695]: [ID 873579 daemon.info] no longer
listening on xxx.xxx.xxx.24#53
Apr  1 09:05:16 apple named[1695]: [ID 873579 daemon.notice] exiting
Apr  1 09:05:16 apple named[1715]: [ID 873579 daemon.notice] starting BIND
9.6.1-P3 -4
Apr  1 09:05:16 apple named[1715]: [ID 873579 daemon.notice] built with
--prefix=/usr --with-libtool --bindir=/usr/sbin --sbindir=/usr/sbin
--libdir=/usr/lib/dns --sysconfdir=/etc --localstatedir=/var
--with-openssl=/usr/sfw --enable-threads=yes --enable-devpoll=yes
--enable-fixed-rrset --disable-openssl-version-check -DNS_RUN_PID_DIR=0
Apr  1 09:05:16 apple named[1715]: [ID 873579 daemon.info] found 8 CPUs,
using 8 worker threads
Apr  1 09:05:16 apple named[1715]: [ID 873579 daemon.info] using up to 4096
sockets
Apr  1 09:05:16 apple named[1715]: [ID 873579 daemon.info] loading
configuration from '/etc/named.conf'
Apr  1 09:05:16 apple named[1715]: [ID 873579 daemon.info] using default
UDP/IPv4 port range: [1024, 65535]
Apr  1 09:05:16 apple named[1715]: [ID 873579 daemon.info] using default
UDP/IPv6 port range: [1024, 65535]
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] no IPv6
interfaces found
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] listening on IPv4
interface lo0, 127.0.0.1#53
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] listening on IPv4
interface vnet0:1, xxx.xxx.xxx.24#53
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] automatic empty
zone: 0.IN-ADDR.ARPA
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] automatic empty
zone: 127.IN-ADDR.ARPA
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] automatic empty
zone: 254.169.IN-ADDR.ARPA
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] automatic empty
zone: 2.0.192.IN-ADDR.ARPA
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] automatic empty
zone: 255.255.255.255.IN-ADDR.ARPA
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] automatic empty
zone:
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] automatic empty
zone:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] automatic empty
zone: D.F.IP6.ARPA
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] automatic empty
zone: 8.E.F.IP6.ARPA
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] automatic empty
zone: 9.E.F.IP6.ARPA
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] automatic empty
zone: A.E.F.IP6.ARPA
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] automatic empty
zone: B.E.F.IP6.ARPA
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.notice] command channel
listening on 127.0.0.1#953
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.error] zone
xxx.10.10.in-addr.arpa/IN: NS 'apple.xxx.10.10.in-addr.arpa' has no address
records (A or AAAA)
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] zone
xxx.10.10.in-addr.arpa/IN: loaded serial 1
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.error] zone
xxx.10.10.in-addr.arpa/IN: NS 'apple.xxx.10.10.in-addr.arpa' has no address
records (A or AAAA)
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] zone
xxx.10.10.in-addr.arpa/IN: loaded serial 1
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.error] zone
0.0.127.in-addr.arpa/IN: NS 'apple.0.0.127.in-addr.arpa' has no address
records (A or AAAA)
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] zone
0.0.127.in-addr.arpa/IN: loaded serial 1
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.error] zone
rac.local/IN: NS 'apple.rac.local' has no address records (A or AAAA)
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] zone
rac.local/IN: loaded serial 2
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.error] zone
rac2.local/IN: NS 'apple.rac2.local' has no address records (A or AAAA)
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.info] zone
rac2.local/IN: loaded serial 3
Apr  1 09:05:17 apple named[1715]: [ID 873579 daemon.notice] running


Thanks
On Fri, Apr 1, 2011 at 2:10 AM, Torinthiel  wrote:

> On 04/01/11 03:47, Tony MacDoodle wrote:
> > Hello,
> >
> > I am trying to configure 2 different domains on one host

Re: RRSIG Expired

2011-04-01 Thread Stephane Bortzmeyer
On Fri, Apr 01, 2011 at 05:24:57PM +0800,
 Paul Ooi Cong Jen  wrote 
 a message of 266 lines which said:

> This file came with default bind installation

There is a zone file of in-addr.arpa with BIND? I strongly doubt
it. Anyway, check your named.conf: you must not declare in-addr.arpa
in a zone directive.

> Do we update the RRSIG manually when it's expired? 

You are not the manager of in-addr.arpa so do not touch it.


RRSIG Expired

2011-04-01 Thread Paul Ooi Cong Jen
Hi All, 

First of all, apologies for using an existing email to create a new question. 

On 29-Mar-2011, at 3:49 PM, Stephane Bortzmeyer wrote:  

> [Stealing email threads is a bad idea:
> ]
> 
> On Tue, Mar 29, 2011 at 03:25:29PM +0800,
> Paul Ooi Cong Jen  wrote 
> a message of 28 lines which said:
> 
>> Anyone has issue with RRSIG expired on in-addr.arpa on b.root
>> server? 
> 
> You probably mean b.in-addr-servers.arpa, since b.root-servers.net is
> not authoritative for in-addr.arpa.
> 
> And, no, I do not see the problem.
> 
>> general: /etc/namedb/slave/in-addr.arpa.slave:10: signature has
>> expired
> 
> How should I read that? Do you really slave in-addr.arpa? If so, this
> may be the problem.
> 
>> in-addr.arpaIN SOA  b.in-addr-servers.arpa. nstld.iana.org. (
>>2011022011 ; serial

This file came with default bind installation

> 
> It's an old SOA.
> 
> % dig +dnssec SOA in-addr.arpa
> 
> ; <<>> DiG 9.7.2-P3 <<>> +dnssec SOA in-addr.arpa
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44984
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;in-addr.arpa.IN  SOA
> 
> ;; ANSWER SECTION:
> in-addr.arpa. 3436IN  SOA b.in-addr-servers.arpa. 
> nstld.iana.org. 2011022215 1800 900 604800 3600
> in-addr.arpa. 3436IN  RRSIG   SOA 8 2 3600 20110405074734 
> 20110329042525 32721 in-addr.arpa. 
> DAUgwhRmsmrVI7ph9a593VGtK7IxBfrTTrB7yBLIzgW9NNLlx77JIB5B 
> INWOZlGAuFfX7B5EQBCJdL8Xg9aAxhXtgzZAaP/aEb/oCcEk+J7i23y1 
> HxS1aY4cStZimmQ9G9QfztX+6G5FU9qYKoTEYoq1d0gARgSQ5OLGVVFP G9E=
> 
> ;; AUTHORITY SECTION:
> in-addr.arpa. 86236   IN  NS  a.in-addr-servers.arpa.
> in-addr.arpa. 86236   IN  NS  b.in-addr-servers.arpa.
> in-addr.arpa. 86236   IN  NS  c.in-addr-servers.arpa.
> in-addr.arpa. 86236   IN  NS  d.in-addr-servers.arpa.
> in-addr.arpa. 86236   IN  NS  e.in-addr-servers.arpa.
> in-addr.arpa. 86236   IN  NS  f.in-addr-servers.arpa.
> in-addr.arpa. 86236   IN  RRSIG   NS 8 2 86400 20110405164354 
> 20110329042525 32721 in-addr.arpa. 
> BUxGCAURoVCHgTGjScjXANpX31rNPXcZSlPrlCBx3ybldhANtGJqfvZS 
> yhOPoe33Ka69j/fd0kfMSqmbUh+8nV4D3JWG0CtR/LFoPYEk/kwWkeIf 
> La9WfiypbUmT5VQ7xcaDH/C7FYOvQxj06ZftIIN1LkoxhdAGuThaLR97 4K8=

Sorry, maybe my question is not clear. Do we update the RRSIG manually when it's 
expired? 


> 
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Tue Mar 29 09:49:22 2011
> ;; MSG SIZE  rcvd: 547


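On the question of updating an RRSIG by hand: the signatures are produced by whoever signs the zone (for in-addr.arpa, its operator, as Stephane says), and a slave or resolver never edits them. What an operator can do is watch the validity window so that an expiring signature is noticed before validators start returning SERVFAIL. The checker below parses the RRSIG records from the dig output quoted above and reports whether each is valid at a given time. It is an added example, not any poster's code or ISC's; the answer section is reproduced inline from the thread (with the NS signature wrapped over several lines, as extracted dig output often is) and the clock values it is evaluated at are chosen for illustration.

```python
"""Check RRSIG validity windows in dig output.

Added example for this thread; not code from any poster or from ISC.
The answer section below reproduces the two RRSIG records quoted in the
thread (the NS signature is deliberately wrapped over several lines as
extracted dig output often is); the clock values it is evaluated at are
chosen to show the valid / expired / not-yet-valid cases.
"""
import re
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034 section 3.2): owner TTL class RRSIG
# type-covered algorithm labels original-ttl expiration inception key-tag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<type>\S+)\s+(?P<alg>\d+)\s+"
    r"(?P<labels>\d+)\s+(?P<origttl>\d+)\s+(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)\s+(?P<sig>.+)$"
)

DIG_ANSWER = """\
in-addr.arpa.\t3436\tIN\tSOA\tb.in-addr-servers.arpa. nstld.iana.org. 2011022215 1800 900 604800 3600
in-addr.arpa.\t3436\tIN\tRRSIG\tSOA 8 2 3600 20110405074734 20110329042525 32721 in-addr.arpa. DAUgwhRmsmrVI7ph9a593VGtK7IxBfrTTrB7yBLIzgW9NNLlx77JIB5B INWOZlGAuFfX7B5EQBCJdL8Xg9aAxhXtgzZAaP/aEb/oCcEk+J7i23y1 HxS1aY4cStZimmQ9G9QfztX+6G5FU9qYKoTEYoq1d0gARgSQ5OLGVVFP G9E=
in-addr.arpa.\t86236\tIN\tNS\ta.in-addr-servers.arpa.
in-addr.arpa.\t86236\tIN\tRRSIG\tNS 8 2 86400 20110405164354 20110329042525 32721 in-addr.arpa.
        BUxGCAURoVCHgTGjScjXANpX31rNPXcZSlPrlCBx3ybldhANtGJqfvZS
        yhOPoe33Ka69j/fd0kfMSqmbUh+8nV4D3JWG0CtR/LFoPYEk/kwWkeIf
        La9WfiypbUmT5VQ7xcaDH/C7FYOvQxj06ZftIIN1LkoxhdAGuThaLR97 4K8=
"""


def _ts(stamp: str) -> datetime:
    """YYYYMMDDHHmmSS (always UTC in RRSIG presentation format) -> aware datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(dig_output: str):
    """Return one dict per RRSIG; continuation lines (leading whitespace) are
    re-joined to the record they belong to before matching."""
    joined = re.sub(r"\n[ \t]+", " ", dig_output)
    sigs = []
    for line in joined.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            d = m.groupdict()
            d["sig"] = d["sig"].replace(" ", "")    # base64 blob is split for display only
            d["exp"], d["inc"] = _ts(d["exp"]), _ts(d["inc"])
            sigs.append(d)
    return sigs


def rrsig_status(sig: dict, now: datetime, skew_seconds: int = 0) -> str:
    """'valid', 'expired' or 'not_yet_valid' for the given UTC time. Validators
    apply these bounds strictly (RFC 4035 section 5.3.1); the optional skew only
    models a resolver configured to tolerate a little clock drift."""
    skew = timedelta(seconds=skew_seconds)
    if now > sig["exp"] + skew:
        return "expired"
    if now < sig["inc"] - skew:
        return "not_yet_valid"
    return "valid"


def check_dig_output(dig_output: str, now_stamp: str, skew_seconds: int = 0):
    """[(type covered, status), ...] for every RRSIG in the output at time now_stamp."""
    now = _ts(now_stamp)
    return [(s["type"], rrsig_status(s, now, skew_seconds)) for s in parse_rrsigs(dig_output)]


if __name__ == "__main__":
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    for rtype, status in check_dig_output(DIG_ANSWER, stamp):
        print(f"RRSIG over {rtype}: {status}")    # both long expired: the window closed 2011-04-05
```

Run it against `dig +dnssec SOA <zone>` output from a cron job and alert when expiration is closer than one signing interval; if your own slave copy of a zone carries signatures that the live zone has already replaced, the fix is a fresh transfer from the master, not an edited file.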

Re: children whose zones do not reflect the delegation from the parent

2011-04-01 Thread Matus UHLAR - fantomas
On 30.03.11 09:13, Lightner, Jeff wrote:
> I'm wondering if the issue isn't because you've not told your ISP what
> your name servers are.   You have to do that for reverse delegations to
> get to your servers.   (This is in addition to telling your Registrar.)

The ISP should provide 33.50.in-addr.arpa if it did ask for a delegation.
If it does not, the delegation is broken (although some parts may work) and
that's the problem.

We, for example, provide /16 and also (empty) /24's even for customers that
have /24 assigned but not delegated.

> On 03/30/2011 04:45 AM, ben thielsen wrote:
> > both fail to do so.  so - it would seem to me that at least somehow,
> > in some sense, the delegation is broken.  however, if queried further
> 
> It does seem a bit broken - there's no SOA for 33.50.in-addr.arpa i.e. 
> no zone there.
> 
> > for a /24 within that /16, both servers now work "properly", and
> > further delegate to other servers [and themselves]:
> 
> So probably they've got a zone for many of the child block e.g.
> 
> x.33.50.in-addr.arpa.
> 
> ...but not the parent one, which is lazy.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton


Re: TTLs and Timeout Question

2011-04-01 Thread Matus UHLAR - fantomas
> On Tue, 29 Mar 2011 10:52:49 -0700, Kevin Oberman wrote
> > The relevant field in the SOA is the "expire' field. If the server 
> > has either transferred the zone from the master server or confirmed (via
> > serial #) that the current data is still current. If the data is
> > expired, the slave will stop serving it. Until then, it will serve it
> > and TTL has absolutely nothing to do with this.

On 29.03.11 12:07, listmail wrote:
> So is this correct: A slave will continue serving RRs regardless of their TTL,
> as long as the "expire" value in the SOA has not expired?
> 
> If true, I need another theory as to why the slave stopped serving records.

The slave periodically checks (interval defined by SOA refresh/retry values)
if the data are still fresh. If the data can't be verified for expire
seconds, the zone is dropped.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.


Re: dns RR method is not equal balanced?

2011-04-01 Thread Matus UHLAR - fantomas
On 29.03.11 17:36, Kay wrote:
> I use bind 8.4.7-REL on RHEL 4.4 OS and have thousands of domains.
>
> In my case ;
> some domain has 12 IPs but traffic of the server is not equal.
> The traffic of 11 IPs is same and just 1 IP is higher than others.

Some time ago I noticed that some resolvers tend to sort IP addresses in
numeric order, thus sending most of the traffic to the numerically smallest IP.
(IIRC using nss_lwres caused this.) 

However, as others have noted, having multiple DNS records is NOT load
balancing and should not be used as such. You should instead get/configure a
load balancer like Alteon, Cisco ACE or Linux IPVS. 

This should work much better, with fewer IP addresses and no requests to an IP
that is currently down (health checks take care of that).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.


Re: BIND 9.4.3-P2 assertion failure

2011-04-01 Thread Matus UHLAR - fantomas
On 29.03.11 10:32, Oleksii Krykun wrote:
> I have used BIND 9.4.3-P2 on FreeBSD 7.2-RELEASE (which is built-in) for about two
> years without problems.
> 
> Since last Friday I sometimes see error messages like the following:
> 
> Mar 28 16:44:06 gate2 named[60455]:
> /usr/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:2361:
> INSIST(!sock->pending_accept) failed
> Mar 28 16:44:06 gate2 named[60455]: exiting (due to assertion failure)
> Mar 28 16:44:06 gate2 kernel: pid 60455 (named), uid 53: exited on signal 6

Hasn't FreeBSD incorporated BIND 9.4-ESV?
You can always install newer from ports.
9.8 is newest BIND version, ESV versions are supported for 9.4 and 9.6
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod