Re: Delegation check failed

2011-09-21 Thread Niall O'Reilly

On 21 Sep 2011, at 02:08, Kevin Oberman wrote:

> dig confirms that .com had the glue for water.com.

As does dnscheck.iis.se.
Indeed, none of the test history (5 tests, today and yesterday)
archived for water.com at this site shows any delegation problem.
Only a warning is shown against the SOA:

Failed to connect to smtpbh1.water.com (12.44.84.193).

I guess that this means that an MX host is protected in some way.

Is there some other "dnscheck" that people are using, and which
is causing confusion?

ATB
Niall O'Reilly

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: A few (too) simple questions about DNS records

2011-09-21 Thread Matus UHLAR - fantomas

On Wed, Sep 21, 2011 at 02:55:08AM +0200, Yanek wrote:
>> 1/ What is the bind record format for the zone itself?

On 21.09.11 08:44, Stephane Bortzmeyer wrote:
> Strictly speaking, it is not the BIND format but the standard format
> (RFC 1035, section 5). However, not all name servers follow it
> (standardizing the input file format is regarded as a bad idea, today)
> and, anyway, it is underspecified so problems occur even when name
> servers try to follow it.

>> mydomain.tld. IN  A   1.2.3.4
>>
>> Am I wrong?

> This line is correct.

When you are defining a new zone, you will need an SOA and in most cases
NS records too (that is, unless you are configuring a private zone
running in your network). Most other zones include MX records for
the zone.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization. 


Re: DNS-cache with custom gTLDs

2011-09-21 Thread Drunkard Zhang
2011/9/20 Drunkard Zhang :
> I got 4 DNSs doing recursive resolution, which split into 2 groups,
> and a couple of dns caches. Each group of recursion DNS using their
> own net link, which is different.
>
> Here's the problem: I want a dns-cache to use one group of recursion DNS
> as their forwarders, and use another group as backup. ( I have to,
> because 2 groups of recursion DNS get different results, and sometimes
> one of them can't resolve, while another can. ) All solution I can
> find out is "forward first" to one group, and use all 2 groups as
> gTLDs, is this __safe__?
>
This is not working... I did some tests, and if dns-cache got a
NXDomain response, it won't go any further. Is it intended? Or did I miss
something? I'm using 9.7.3-P3. Here's my configuration on dns-cache.

options {
    directory "/var/";
    pid-file "file-named.pid";
    dump-file "file-dumpfile";
    statistics-file "file-stat";
    max-cache-size 3000M;   # 3 GB
    allow-query { any; };
    max-ncache-ttl 600;
    max-cache-ttl 86400;
    recursive-clients 100;
    tcp-clients 50;
    interface-interval 0;
    cleaning-interval 3600;
    recursion yes;
};
zone "." IN {
    type hint;
    file "named.cache";
};
zone "." {
    type forward;
    forward first;
    forwarders {
        211.161.192.1;
        211.161.192.13;
    };
};

Putting the forward section in the options clause does not work either.

> Is there any other solution I can hack?
>
>
> Another problem: there's a lot of resolution on dns-cache querying
> a.root-servers.net, is it safe that i hijack a.root-servers.net to my
> own DNS? If it's safe, I can cut down queries to a.root-servers.net by
> millions of times per hour.
>
> Looking forward to your kind responses :-)
>

When I query a name, the dns-cache queries forwarders for gTLDs
instead of using the local hint file, why? And the dns-cache does not
trust the result the forwarder returned when "forward first" is set, is it
possible to fake it?


Re: DNS-cache with custom gTLDs

2011-09-21 Thread Matus UHLAR - fantomas

On 21.09.11 19:33, Drunkard Zhang wrote:
> 2011/9/20 Drunkard Zhang :
>> I got 4 DNSs doing recursive resolution, which split into 2 groups,
>> and a couple of dns caches. Each group of recursion DNS using their
>> own net link, which is different.
>>
>> Here's the problem: I want a dns-cache to use one group of recursion DNS
>> as their forwarders, and use another group as backup. ( I have to,
>> because 2 groups of recursion DNS get different results, and sometimes
>> one of them can't resolve, while another can. ) All solution I can
>> find out is "forward first" to one group, and use all 2 groups as
>> gTLDs, is this __safe__?
>
> This is not working... I did some tests, and if dns-cache got a
> NXDomain response, it won't go any further. Is it intended? Or did I miss
> something? I'm using 9.7.3-P3. Here's my configuration on dns-cache.

It IS intended. The NXDOMAIN means that the requested name does not
exist. It is a correct DNS answer and a DNS client should not search any
further.

If there is a domain name for which some servers return a positive
answer, and some a negative one, then there is something broken with that
domain.

> Another problem: there's a lot of resolution on dns-cache querying
> a.root-servers.net, is it safe that i hijack a.root-servers.net to my
> own DNS?

I think you should not hijack others' DNS requests. Blocking them would
be much more correct. Note that there are more root servers than just
a.root-servers.net - if someone queries this one server, something is
apparently broken at their side.

> When I query a name, the dns-cache queries forwarders for gTLDs
> instead of using the local hint file, why?

local "hint" file? I'm not sure what you mean here.

> And the dns-cache does not
> trust the result the forwarder returned when "forward first" is set, is it
> possible to fake it?

Why do you think it does not trust what the forwarder returned?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm. 


RE: Delegation check failed

2011-09-21 Thread Lightner, Jeff
I think it is safe to say the issue is the iis.se site is broken so far as 
delegation test goes.   Another user reported to me that he had several domains 
return the same thing at this site.

Thanks everyone for the replies.








Proud partner. Susan G. Komen for the Cure.


Please consider our environment before printing this e-mail or attachments.

--
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential 
information and is for the sole use of the intended recipient(s). If you are 
not the intended recipient, any disclosure, copying, distribution, or use of 
the contents of this information is prohibited and may be unlawful. If you have 
received this electronic transmission in error, please reply immediately to the 
sender that you have received the message in error, and delete it. Thank you.
--


Re: Delegation check failed

2011-09-21 Thread Kevin Oberman
On Wed, Sep 21, 2011 at 2:25 AM, Niall O'Reilly  wrote:
>
> On 21 Sep 2011, at 02:08, Kevin Oberman wrote:
>
>> dig confirms that .com had the glue for water.com.
>
>        As does dnscheck.iis.se.
>        Indeed, none of the test history (5 tests, today and yesterday)
>        archived for water.com at this site shows any delegation problem.
>        Only a warning is shown against the SOA:
>
>                Failed to connect to smtpbh1.water.com (12.44.84.193).
>
>        I guess that this means that an MX host is protected in some way.
>
>        Is there some other "dnscheck" that people are using, and which
>        is causing confusion?

Matt,

Are you running the "Undelegated domain test" or just the default
"Domain test"? Only the
"Undelegated domain test" is showing the error. It is still reporting it now.
Nameserver dswadns1.water.com is listed for zone water.com without
address information.

Nameserver dswadns2.water.com is listed for zone water.com without
address information.

The SOA issue is sort of real. The preferred MX for the SOA contact is
smtpbh1.water.com
and attempts to connect to port 25 on that system time out, as does an
attempt to smtpbh2.
But smtp.water.com is fine, so I don't think this is an appropriate report, either.

Again, the gtld servers do have the required glue.
; <<>> DiG 9.8.1 <<>> ns +norecurse water.com. @f.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55373
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;water.com. IN  NS

;; AUTHORITY SECTION:
water.com.  172800  IN  NS  dswadns1.water.com.
water.com.  172800  IN  NS  dswadns2.water.com.

;; ADDITIONAL SECTION:
dswadns1.water.com. 172800  IN  A   12.44.84.213
dswadns2.water.com. 172800  IN  A   12.44.84.214

;; Query time: 39 msec
;; SERVER: 192.35.51.30#53(192.35.51.30)
;; WHEN: Wed Sep 21 09:28:37 2011
;; MSG SIZE  rcvd: 105

Still looks like a bug in dnscheck to me.
-- 
R. Kevin Oberman, Network Engineer - Retired
E-mail: kob6...@gmail.com


RE: Delegation check failed

2011-09-21 Thread Lightner, Jeff
I was the one asking about water.com.  I'd started a separate thread hoping not 
to tromp on the OP of the earlier thread but apparently didn't succeed.

I know the reason for the SOA/MX report so never asked about that.

I did ask about the delegation messages but at this point as noted earlier I'm 
fairly convinced it is a bug in the way they do the test at iis.se rather than 
an actual issue.   (Believe me - I'd HEAR VERY QUICKLY if water.com became 
inaccessible from the internet.)   I was asking the question to see if there 
was a tweak I needed but based on the responses I don't think so.










One IP in multiple zones

2011-09-21 Thread Adamiec, Lawrence
Hi,

Is it possible to have one IP in multiple zone files for forward
lookups?  What type of troubles would be encountered?

Larry

Lawrence Adamiec
Unix Manager/Web Support Specialist
Center for Law and Computers
Chicago-Kent College of Law
Illinois Institute of Technology
Room 525B
565 W. Adams St.
Chicago, Illinois 60661


Re: One IP in multiple zones

2011-09-21 Thread Doug Barton
Yes, and none. FYI, traditionally PTR records contain only one hostname.


Doug





-- 

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/



Re: One IP in multiple zones

2011-09-21 Thread Eivind Olsen
Adamiec, Lawrence wrote:

> Is it possible to have one IP in multiple zone files for forward
> lookups?  What type of troubles would be encountered?

Like, having www.example.com and ftp.example.org point to the same IP
address?

Yes, there's nothing weird about it.

Regards
Eivind Olsen




RE: One IP in multiple zones

2011-09-21 Thread Adamiec, Lawrence
What I am looking at doing is the following.

www.existingdomain.edu  86400 A 192.0.0.1

www.existingdomain.newdomain.edu 86400 A 192.0.0.1

Larry





Re: One IP in multiple zones

2011-09-21 Thread Chuck Swiger
On Sep 21, 2011, at 12:56 PM, Adamiec, Lawrence wrote:
> Is it possible to have one IP in multiple zone files for forward lookups?

Yes.

> What type of troubles would be encountered?

None.  This sort of thing is very commonly done, for example with 
shared/virtual webservers.

Regards
-- 
-Chuck



Re: One IP in multiple zones

2011-09-21 Thread Warren Kumari

On Sep 21, 2011, at 3:56 PM, Adamiec, Lawrence wrote:

> Hi,
>  
> Is it possible to have one IP in multiple zone files for forward lookups?  
Yup, happens all the time:

example.com:
www.example.com.   600   IN A  192.0.2.1

example.net:
www.example.net.   600   IN A   192.0.2.1

foo:
www.foo.com.  600IN A192.0.2.1


> What type of troubles would be encountered?

That all depends on how you are trying to use it -- when an application looks 
up the label it is presumably going to do something like connect to it, and the 
server is going to have to know how to respond.

For example, if this is a web-server it will need to have virtual hosts 
configured so it can respond as example.com / example.net / foo.com, etc.

If a mail server, it will need to know all the domains it handles mail for 
(aliases file, etc.)

W





RE: One IP in multiple zones

2011-09-21 Thread Lightner, Jeff
One thing we do is create a single "alias" zone with generic information in it 
to have multiple zones all go to the same IP.

Typically the main zone we'll put in its own zone file and have named.conf 
associate that zone with that zone file.

For other zones we tell named.conf to point to the alias zone file:

Something like:
@   IN SOA  ns1.example.com. techuser.example.com.  (
2011091902  ; serial
10800   ; refresh
3600; retry
604800  ; expire
86400 ) ; Minimum TTL
;
; Name Servers
;
IN NS   ns1.example.com.
IN NS   ns2.example.com.
;
; Mail Servers
;
IN MX   10  mail.example.com.  ; Primary MX BH
IN MX   30  mail.example.com.  ; Primary MX BH
;
; Addresses
;
;
@   IN A192.168.1.1
;
www IN A192.168.1.1
;

Any domain in named.conf pointing to this alias zone will be substituted 
automatically for the "@" seen in this file whenever a lookup occurs.

So if named.conf sent examplestore.com to the alias file it would see that 
examplestore.com and www.examplestore.com are both at 192.168.1.1.

If named.conf also sent examplesite.com to the file then it would see that 
examplesite.com and www.examplesite.com are both at 192.168.1.1 as well.

As noted by someone else you should only have one PTR record (we keep that in a 
separate arpa zone) that points to your primary domain.

Note that in the above the NS (name server) and MX (mail) records point to your 
regular mail and name servers in a primary domain and are not relative to the 
alias domains like the www is.
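Matus's remark earlier in this digest that a new zone needs an SOA and NS records at the apex, and the alias-zone trick above of loading one file under several origins so that "@" and relative names like www take on each domain, can both be checked offline with a small parser. The following is an added example written for this digest, not BIND's zone loader: it handles only the subset of the RFC 1035 presentation format used in the alias file above (owner inheritance, parenthesised SOA, "@", relative names, no $ORIGIN/$TTL directives or quoted strings), and the zone text, the two origins examplestore.com and examplesite.com, and every name and address in it are constructed placeholders.

```python
"""Minimal RFC 1035 presentation-format zone parser (added example, not BIND code).

Loads the same alias-style zone text under two different origins and checks
that each resulting zone has the SOA and NS records a zone must carry.
"""

# Constructed alias zone in the style of the file above; placeholder names/addresses.
ALIAS_ZONE = """
@   IN SOA  ns1.example.com. techuser.example.com. (
        2011091902  ; serial
        10800       ; refresh
        3600        ; retry
        604800      ; expire
        86400 )     ; minimum TTL
    IN NS   ns1.example.com.
    IN NS   ns2.example.com.
    IN MX   10  mail.example.com.
@   IN A    192.168.1.1
www IN A    192.168.1.1
"""

CLASSES = {"IN", "CH", "HS"}
NAME_RDATA = {"NS", "CNAME", "PTR"}     # rdata is a single domain name

def _strip_comment(line):
    # ';' starts a comment in zone files (quoted strings are not handled here).
    return line.split(";", 1)[0].rstrip()

def _join_parens(text):
    """Join records spread over several lines with ( ) into one logical line each."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            logical.append(" ".join(buf))   # first line keeps its leading whitespace
            buf = []
    return logical

def _absolute(name, origin):
    """Expand '@' and relative names; absolute names (trailing dot) pass through."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin, default_ttl=86400):
    """Return [(owner, ttl, type, rdata_tokens)] with names expanded under *origin*."""
    assert origin.endswith("."), "origin must be fully qualified"
    records, owner = [], None
    for line in _join_parens(text):
        tokens = line.split()
        if not line[0].isspace():            # a new owner name; otherwise inherit the last one
            owner = _absolute(tokens.pop(0), origin)
        if owner is None or not tokens:
            raise ValueError(f"malformed record: {line!r}")
        ttl = default_ttl
        for _ in range(2):                   # TTL and class may appear in either order
            if tokens and tokens[0].isdigit():
                ttl = int(tokens.pop(0))
            elif tokens and tokens[0].upper() in CLASSES:
                tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in NAME_RDATA:
            rdata = [_absolute(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], _absolute(rdata[1], origin)]
        elif rtype == "SOA":
            rdata = [_absolute(rdata[0], origin), _absolute(rdata[1], origin)] + rdata[2:]
        records.append((owner, ttl, rtype, rdata))
    return records

def lookup(records, name, rtype):
    return [r for r in records if r[0] == name and r[2] == rtype]

def apex_problems(records, origin):
    """What every zone needs: exactly one SOA and at least one NS at the apex."""
    problems = []
    if len(lookup(records, origin, "SOA")) != 1:
        problems.append("apex must have exactly one SOA record")
    if not lookup(records, origin, "NS"):
        problems.append("apex has no NS records")
    return problems

def address_map(records):
    """owner -> IPv4 address for every A record in the zone."""
    return {r[0]: r[3][0] for r in records if r[2] == "A"}

if __name__ == "__main__":
    for origin in ("examplestore.com.", "examplesite.com."):
        rrs = parse_zone(ALIAS_ZONE, origin)
        print(origin, apex_problems(rrs, origin) or "ok", address_map(rrs))
```

Running it shows the point of the alias file: the same text yields examplestore.com and www.examplestore.com under one origin and examplesite.com and www.examplesite.com under the other, all at 192.168.1.1, while the NS and MX targets stay absolute because they end in a dot.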











Max Cache Objects

2011-09-21 Thread TMK
I have a couple of questions.

The BIND cache memory limit is 4GB. Can I increase it, or is this a hard-coded limit?

I'm running the 64-bit version.

Also, to increase the cache hit ratio I have created a script to query my
DNS for the top 1 million sites. Would this give any performance
advantage or is it useless?

thx in advance


Re: Max Cache Objects

2011-09-21 Thread Kevin Darcy

On 9/21/2011 5:00 PM, TMK wrote:
> I have a couple of questions.
>
> The BIND cache memory limit is 4GB. Can I increase it, or is this a hard-coded limit?
>
> I'm running the 64-bit version.

You can _try_ to raise that limit above 4Gb (see the various 
configuration elements under "Operating System Resource Limits" in the 
ARM), but your OS may still limit you. You'd need to look at your OS 
documentation to see how to raise "soft" and/or "hard" limits.

> Also, to increase the cache hit ratio I have created a script to query my
> DNS for the top 1 million sites. Would this give any performance
> advantage or is it useless?

Since a large percentage of those top sites use DNS-based load-balancing 
with small TTLs on their records, it's pretty useless.

Of course, you can measure your cache hit ratio to see if it's really 
helping you or not. Real data always beats pure speculation.



- Kevin
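Measuring the hit ratio, as Kevin suggests, is a matter of reading the counters named writes to its statistics file (the statistics-file option; rndc stats triggers a dump). The following is an added example written for this digest, not ISC code: it parses a named.stats-style dump, treats every request that did not cause recursion as answered from cache or local data, and, because the counters are cumulative, also computes the ratio for the interval between two dumps. The sample dump and its numbers are constructed, and the counter labels ("IPv4 requests received", "queries caused recursion", and so on) are assumed to match the "Name Server Statistics" section of BIND 9.7's output.

```python
"""Cache hit ratio from a BIND statistics dump (added example, not ISC code)."""
import re

# Constructed sample dump; counter labels assumed to follow named.stats, values invented.
SAMPLE_STATS = """\
+++ Statistics Dump +++ (1316649600)
++ Incoming Requests ++
             12000 QUERY
++ Name Server Statistics ++
             12000 IPv4 requests received
                 0 IPv6 requests received
             11500 queries resulted in successful answer
               300 queries resulted in nxdomain
              4800 queries caused recursion
--- Statistics Dump --- (1316649600)
"""

SECTION = re.compile(r"^\+\+ (.+?) \+\+$")          # "++ Name Server Statistics ++"
COUNTER = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")      # "<count> <label>"

def parse_named_stats(text):
    """Return {section: {label: value}} for every counter in a statistics dump."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            sections[current][m.group(2)] = int(m.group(1))
    return sections

def _ns_counters(text):
    return parse_named_stats(text).get("Name Server Statistics", {})

def cache_hit_ratio(text):
    """Approximate hit ratio since named started: 1 - recursions / requests.

    A request that never caused recursion was answered from cache or from
    local authoritative data. Returns None when there is nothing to measure."""
    ns = _ns_counters(text)
    received = ns.get("IPv4 requests received", 0) + ns.get("IPv6 requests received", 0)
    if received == 0:
        return None
    return 1.0 - ns.get("queries caused recursion", 0) / received

def delta_hit_ratio(before, after):
    """Hit ratio for the interval between two dumps; counters are cumulative,
    so the difference isolates the traffic seen between them."""
    b, a = _ns_counters(before), _ns_counters(after)

    def delta(label):
        return a.get(label, 0) - b.get(label, 0)

    received = delta("IPv4 requests received") + delta("IPv6 requests received")
    if received <= 0:
        return None
    return 1.0 - delta("queries caused recursion") / received

if __name__ == "__main__":
    print(f"hit ratio since start: {cache_hit_ratio(SAMPLE_STATS):.2%}")
```

Take one dump before and one after the warm-up script runs, feed both to delta_hit_ratio, and the interval ratio tells you whether the pre-querying changed anything; with short TTLs on the pre-queried names it will not.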




Re: DNS-cache with custom gTLDs

2011-09-21 Thread Kevin Darcy



On 9/20/2011 5:08 AM, Drunkard Zhang wrote:
> I got 4 DNSs doing recursive resolution, which split into 2 groups,
> and a couple of dns caches. Each group of recursion DNS using their
> own net link, which is different.
>
> Here's the problem: I want a dns-cache to use one group of recursion DNS
> as their forwarders, and use another group as backup. ( I have to,
> because 2 groups of recursion DNS get different results, and sometimes
> one of them can't resolve, while another can. ) All solution I can
> find out is "forward first" to one group, and use all 2 groups as
> gTLDs, is this __safe__?

Why are you going through all of these gyrations? The forwarding 
algorithm in BIND has for a long time been based on RTT, so if one 
forwarder, or a set of forwarders, stops working, the other(s) will be 
used automatically. In other words, forwarder failover works without any 
special configuration.

I don't even understand your "forward first" solution. "Forward first" 
says to use iterative (non-recursive) resolution if forwarding fails 
(i.e. all the forwarders are non-responsive). How then can you use it to 
fail over from one set of forwarders to another? I don't get it. If you 
send a non-recursive query to a forwarder, you're at the mercy of 
whatever happens to be in its cache at that particular time. You can't 
get reliable resolution that way.

> Another problem: there's a lot of resolution on dns-cache querying
> a.root-servers.net, is it safe that i hijack a.root-servers.net to my
> own DNS? If it's safe, I can cut down queries to a.root-servers.net by
> millions of times per hour.

If you're getting a lot of recursive queries for a.root-servers.net, you 
have a misbehaving client that you need to track down and vaporize.




- Kevin





Re: Delegation check failed

2011-09-21 Thread Niall O'Reilly
On 21/09/11 17:30, Kevin Oberman wrote:
> Are you running the "Undelegated domain test" or just the default
> "Domain test"? Only the
> "Undelegated domain test" is showing the error. It is still reporting it now.

This is pretty-well way out of scope for "bind-users" by now.

Thanks for clarifying, Kevin.
I hadn't tried the "Undelegated domain test" until just now.
I see.

Best regards
Niall O'Reilly


Re: DNS-cache with custom gTLDs

2011-09-21 Thread Kevin Darcy

On 9/21/2011 7:33 AM, Drunkard Zhang wrote:
> 2011/9/20 Drunkard Zhang:
>> I got 4 DNSs doing recursive resolution, which split into 2 groups,
>> and a couple of dns caches. Each group of recursion DNS using their
>> own net link, which is different.
>>
>> Here's the problem: I want a dns-cache to use one group of recursion DNS
>> as their forwarders, and use another group as backup. ( I have to,
>> because 2 groups of recursion DNS get different results, and sometimes
>> one of them can't resolve, while another can. ) All solution I can
>> find out is "forward first" to one group, and use all 2 groups as
>> gTLDs, is this __safe__?
>
> This is not working... I did some tests, and if dns-cache got a
> NXDomain response, it won't go any further. Is it intended?

That's the intended behavior. NXDOMAIN is a final response. There's no 
need to go further.

> Is there any other solution I can hack?
>
> Another problem: there's a lot of resolution on dns-cache querying
> a.root-servers.net, is it safe that i hijack a.root-servers.net to my
> own DNS? If it's safe, I can cut down queries to a.root-servers.net by
> millions of times per hour.
>
> Looking forward to your kind responses :-)
>
> When I query a name, the dns-cache queries forwarders for gTLDs
> instead of using the local hint file, why?

Because the hints file is only for the *root* zone.

> And the dns-cache does not
> trust the result the forwarder returned when "forward first" is set, is it
> possible to fake it?

What do you mean "not trust"?


- Kevin




I can dig a domain but named won't resolve it.

2011-09-21 Thread Keith Burgoyne

Hi there,

I have a potentially BIND related problem and I'm positively stuck. I've 
posted this question on Server Fault 
(http://serverfault.com/questions/306997/cant-seem-to-resolve-domain-but-can-dig-it) 
with little exposure. The gist of it is:


My name server (24.222.7.12) refuses to resolve any domains belonging to 
and including extremehosting.ca. It turns out that named can't get the A 
record for their name servers (204.15.193.163 - ns2.extremehosting.ca 
and 204.15.193.162 - ns1.extremehosting.ca).


Running dig on the name server produces this:


 dig extremehosting.ca +trace

; <<>> DiG 9.3.4-P1 <<>> extremehosting.ca +trace
;; global options:  printcmd
.   412349  IN  NS  b.root-servers.net.
.   412349  IN  NS  c.root-servers.net.
.   412349  IN  NS  d.root-servers.net.
.   412349  IN  NS  e.root-servers.net.
.   412349  IN  NS  f.root-servers.net.
.   412349  IN  NS  g.root-servers.net.
.   412349  IN  NS  h.root-servers.net.
.   412349  IN  NS  i.root-servers.net.
.   412349  IN  NS  j.root-servers.net.
.   412349  IN  NS  k.root-servers.net.
.   412349  IN  NS  l.root-servers.net.
.   412349  IN  NS  m.root-servers.net.
.   412349  IN  NS  a.root-servers.net.
;; Received 512 bytes from 24.222.7.12#53(24.222.7.12) in 2 ms

ca. 172800  IN  NS  e.ca-servers.ca.
ca. 172800  IN  NS  l.ca-servers.ca.
ca. 172800  IN  NS  a.ca-servers.ca.
ca. 172800  IN  NS  sns-pb.isc.org.
ca. 172800  IN  NS  j.ca-servers.ca.
ca. 172800  IN  NS  c.ca-servers.ca.
ca. 172800  IN  NS  k.ca-servers.ca.
ca. 172800  IN  NS  f.ca-servers.ca.
ca. 172800  IN  NS  z.ca-servers.ca.
ca. 172800  IN  NS  m.ca-servers.ca.
;; Received 434 bytes from 192.228.79.201#53(b.root-servers.net) in 105 ms

extremehosting.ca.  86400   IN  NS  ns1.extremehosting.ca.
extremehosting.ca.  86400   IN  NS  ns2.extremehosting.ca.
;; Received 103 bytes from 192.228.30.9#53(e.ca-servers.ca) in 37 ms

dig: couldn't get address for 'ns1.extremehosting.ca': failure


And yet, if I run the following command, everything works:

dig @204.15.193.162 extremehosting.ca

; <<>> DiG 9.3.4-P1 <<>> @204.15.193.162 extremehosting.ca
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46828
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;extremehosting.ca. IN  A

;; ANSWER SECTION:
extremehosting.ca.  3600    IN  A   204.15.193.162

;; AUTHORITY SECTION:
extremehosting.ca.  3600    IN  NS  ns1.extremehosting.ca.
extremehosting.ca.  3600    IN  NS  ns2.extremehosting.ca.

;; ADDITIONAL SECTION:
ns1.extremehosting.ca.  3600    IN  A   204.15.193.162
ns2.extremehosting.ca.  3600    IN  A   204.15.193.163

;; Query time: 35 msec
;; SERVER: 204.15.193.162#53(204.15.193.162)
;; WHEN: Wed Sep 21 20:54:52 2011
;; MSG SIZE  rcvd: 119


Initially I thought it was a source-natting issue that I had noticed on 
my firewall. DNS packets coming from my firewall were being 
source-natted to port 53 and had broken the ability to dig 
@204.15.193.162. I've since removed the source-natting, allowing full 
dig-ability. And yet, I can't dig +trace, and I suspect that's the reason 
why I can't perform a recursive lookup on my name server.


I'm running BIND-9.3.4. Old, I know. The server is scheduled to be 
replaced, but I need to get this working in the meantime.


Any advice would be massively appreciated.

Thank you,

Keith
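The two transcripts in the post above already carry enough to check the delegation itself: the parent's referral names ns1 and ns2, and the child's authoritative answer lists the same two names with their addresses in its ADDITIONAL section. The following is an added example, not code from the post: it parses dig output and compares the parent referral with the child answer, reporting a missing aa flag, a differing NS set, or an in-bailiwick name server with no published address, so that the delegation can be ruled in or out before time goes into the resolver. The sample inputs are constructed from the outputs shown above with the spacing normalised; all function and variable names are this example's own. One caveat on the source NAT the poster removed: rewriting every outbound query to source port 53 also discards whatever source-port randomisation the resolver performs, and that randomisation is the main defence against off-path cache poisoning of the kind disclosed in 2008, so it is worth keeping that NAT rule gone.

```python
"""Delegation consistency check from dig(1) transcripts.

Added example for the thread above, not code from the original post.
The two sample inputs are constructed from the dig outputs the poster
showed (spacing normalised): the parent referral is what dig +trace
prints for a referral, the child answer is a plain dig @server reply.
"""
import re
from collections import defaultdict

# Constructed: the referral e.ca-servers.ca returned in the +trace output.
PARENT_REFERRAL = """\
extremehosting.ca.  86400  IN  NS  ns1.extremehosting.ca.
extremehosting.ca.  86400  IN  NS  ns2.extremehosting.ca.
;; Received 103 bytes from 192.228.30.9#53(e.ca-servers.ca) in 37 ms
"""

# Constructed: the answer from dig @204.15.193.162 extremehosting.ca.
CHILD_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46828
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;extremehosting.ca.  IN  A

;; ANSWER SECTION:
extremehosting.ca.  3600  IN  A  204.15.193.162

;; AUTHORITY SECTION:
extremehosting.ca.  3600  IN  NS  ns1.extremehosting.ca.
extremehosting.ca.  3600  IN  NS  ns2.extremehosting.ca.

;; ADDITIONAL SECTION:
ns1.extremehosting.ca.  3600  IN  A  204.15.193.162
ns2.extremehosting.ca.  3600  IN  A  204.15.193.163
"""

RR_RE = re.compile(r"^(?!;)(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)\s*$")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")


def parse_dig(text):
    """Return {'flags': set-of-flags, 'sections': {name: [(owner, type, rdata)]}}.
    Records that appear before any ';; ... SECTION:' header, as in dig +trace
    output, are filed under the pseudo-section 'TRACE'."""
    out = {"flags": set(), "sections": defaultdict(list)}
    section = "TRACE"
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            out["flags"] = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = RR_RE.match(line)
        if m:
            owner, rtype, rdata = (s.lower() for s in m.groups())
            out["sections"][section].append((owner, rtype, rdata))
    return out


def rrset(parsed, section, rtype, owner=None):
    """Set of rdata strings of the given type (and owner, if given) in a section."""
    return {rd for (o, t, rd) in parsed["sections"].get(section, [])
            if t == rtype and (owner is None or o == owner)}


def check_delegation(zone, parent_text, child_text):
    """Compare the parent's referral with the child's answer for `zone`.
    Returns a list of findings; an empty list means the delegation is consistent."""
    zone = zone.lower()
    parent, child = parse_dig(parent_text), parse_dig(child_text)
    findings = []
    parent_ns = rrset(parent, "TRACE", "ns", zone)
    child_ns = rrset(child, "AUTHORITY", "ns", zone) | rrset(child, "ANSWER", "ns", zone)
    if "aa" not in child["flags"]:
        findings.append("child answer is not authoritative (no aa flag)")
    if not parent_ns:
        findings.append("no NS records for %s in the parent referral" % zone)
    elif parent_ns != child_ns:
        findings.append("NS set differs: parent %s, child %s"
                        % (sorted(parent_ns), sorted(child_ns)))
    # A name server inside the zone it serves can only be reached through
    # glue; the child must at least publish an address for it.
    for ns in sorted(parent_ns):
        if ns.endswith("." + zone) and not rrset(child, "ADDITIONAL", "a", ns):
            findings.append("in-bailiwick NS %s has no A record in the child's ADDITIONAL section" % ns)
    return findings


def glue_addresses(child_text):
    """Name server name -> address as published by the child, for direct probing."""
    child = parse_dig(child_text)
    return {o: rd for (o, t, rd) in child["sections"]["ADDITIONAL"] if t == "a"}


if __name__ == "__main__":
    for line in check_delegation("extremehosting.ca.", PARENT_REFERRAL, CHILD_ANSWER) or ["delegation consistent"]:
        print(line)
    print(glue_addresses(CHILD_ANSWER))
```

Run against the two transcripts from the post it reports the delegation as consistent and hands back the two addresses to probe directly, which is what the poster's successful dig @204.15.193.162 already did by hand; a resolver that still cannot reach those addresses is then a path problem (firewall, NAT, routing) on the resolver's side rather than a delegation fault.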


Re: DNS-cache with custom gTLDs

2011-09-21 Thread Drunkard Zhang
>> When I query a name, the dns-cache queries forwarders for gTLDs
>> instead of using local hint file, why?
>
> local "hint" file? I'm not sure what you mean here.

This file just replaces the original root servers with the domain names
and IPs of all 4 of my recursive DNS servers, nothing else.

>>
>> And the dns-cache does not
>> trust the forwarder-returned result when "forward first" is set; is it
>> possible to fake it?
>
> Why do you think it does not trust what forwarder returned?
>
When using "forward first", it discards the forwarders' response and does
a recursive resolution.


Re: DNS-cache with custom gTLDs

2011-09-21 Thread Drunkard Zhang
> Why are you going through all of these gyrations? The forwarding algorithm
> in BIND has for a long time been based on RTT, so if one forwarder, or a set
> of forwarders, stops working, the other(s) will be used automatically. In
> other words, forwarder failover works without any special configuration.
>
> I don't even understand your "forward first" solution. "Forward first" says
> to use iterative (non-recursive) resolution if forwarding fails (i.e. all
> the forwarders are non-responsive). How then can you use it to fail over
> from one set of forwarders to another? I don't get it. If you send a
> non-recursive query to a forwarder, you're at the mercy of whatever happens
> to be in its cache at that particular time. You can't get reliable
> resolution that way.
>
Oops, I misunderstood. But I want to resolve this problem: take
news.qq.com for example. I DID see that it was unresolvable on one group
(they returned NXDOMAIN), while at the same time there was no problem on the other
group, and "dig news.qq.com +trace" returned the correct answer on both
groups. It seems like it's just a temporary failure, but I want to
correct it. Any other choices?

>> Another problem: there's a lot of resolution on dns-cache querying
>> a.root-servers.net, is it safe that i hijack a.root-servers.net to my
>> own DNS? If it's safe, I can cut down queries to a.root-servers.net by
>> millions of times per hour.
>
> If you're getting a lot of recursive queries for a.root-servers.net, you
> have a misbehaving client that you need to track down and vaporize.
>
It's an ISP; it's hard to track down every one. I just want to suppress it
so that the misbehaving clients can't go further. Is it safe to hijack it
on the dns-cache?
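The reply quoted above says the queries for a.root-servers.net come from misbehaving clients that should be tracked down, and the follow-up says the resolver serves an ISP with too many clients to chase by hand. The following is an added example, not code from the thread, showing the part that can be automated: read the resolver's query log, keep the lookups for the root server names, and count them per client and per aggregate prefix so that the heaviest sources stand out and can be fed into an acl on the resolver. The log lines are constructed; the format assumed is BIND's "queries" logging category, "client IP#port: query: NAME CLASS TYPE FLAGS", with the optional "@0x..." client handle, "(NAME)" after the port and "(server-ip)" suffix that later 9.x releases add. The function names, the /24 and /48 aggregation sizes and the threshold are this example's own choices.

```python
"""Who is asking the resolver for a.root-servers.net?

Added example for the thread above, not code from the thread. The log
lines are constructed. Assumed format: BIND's "queries" logging category,
"client IP#port: query: NAME CLASS TYPE FLAGS", optionally with the
"@0x..." client handle, "(NAME)" after the port and "(server-ip)" at the
end that later 9.x releases add.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log: one unparseable line, one IPv6 client, and the
# two line variants (with and without the trailing server address).
SAMPLE_LOG = """\
21-Sep-2011 10:00:01.001 client 198.51.100.7#53210: query: a.root-servers.net IN A +
21-Sep-2011 10:00:01.002 client 198.51.100.7#53211: query: a.root-servers.net IN A +
21-Sep-2011 10:00:01.003 client 198.51.100.7#53212: query: a.root-servers.net IN AAAA +
21-Sep-2011 10:00:01.004 client 198.51.100.9#40001: query: news.qq.com IN A +
21-Sep-2011 10:00:01.005 client 203.0.113.44#1053: query: a.root-servers.net IN A + (24.222.7.12)
21-Sep-2011 10:00:01.006 client 203.0.113.44#1053: query: a.root-servers.net IN A + (24.222.7.12)
21-Sep-2011 10:00:01.007 client @0x7f1a2c0 203.0.113.45#1053 (a.root-servers.net): query: a.root-servers.net IN A +E(0)K (24.222.7.12)
21-Sep-2011 10:00:01.008 client 198.51.100.7#53213: query: www.example.com IN A +
21-Sep-2011 10:00:01.009 client 2001:db8::5#3000: query: a.root-servers.net IN A +
this line is not a query log entry
"""

LOG_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """One dict per line that matches the query-log format; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["qname"] = rec["qname"].rstrip(".").lower()
            records.append(rec)
    return records


def is_root_server_name(qname):
    """True for a.root-servers.net through m.root-servers.net, any case, with or without a trailing dot."""
    labels = qname.rstrip(".").lower().split(".")
    return len(labels) == 3 and len(labels[0]) == 1 and labels[1:] == ["root-servers", "net"]


def offenders(text, threshold=2, v4_prefix=24, v6_prefix=48):
    """Count root-server-name queries per client address and per aggregate
    prefix (the /24 or /48 the client sits in, which is the unit an ISP can
    usually act on). Returns ({client: count}, {prefix: count}), keeping
    only entries whose count is at least `threshold`."""
    per_client, per_net = Counter(), Counter()
    for rec in parse_query_log(text):
        if not is_root_server_name(rec["qname"]):
            continue
        ip = ipaddress.ip_address(rec["ip"])
        plen = v4_prefix if ip.version == 4 else v6_prefix
        net = ipaddress.ip_network("%s/%d" % (ip, plen), strict=False)
        per_client[str(ip)] += 1
        per_net[str(net)] += 1
    return ({c: n for c, n in per_client.items() if n >= threshold},
            {c: n for c, n in per_net.items() if n >= threshold})


def acl_lines(per_net):
    """Render the offending prefixes as the element lines of a BIND acl { } block,
    so the operator can match them in the resolver configuration (assumption:
    the action taken on the acl, logging or refusing, is decided elsewhere)."""
    return ["%s;" % net for net in sorted(per_net)]


if __name__ == "__main__":
    clients, nets = offenders(SAMPLE_LOG)
    print("clients:", clients)
    print("prefixes:", nets)
    print("acl elements:", acl_lines(nets))
```

On a real log the threshold should be set from the volume the post mentions (millions per hour), and the per-prefix view is the one to read first: a single /24 producing most of the load points at one customer or one piece of equipment, which is a much shorter list to chase than every client address.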