Re: Syncing DNS zones with different names

2011-11-14 Thread Barry Margolin
In article ,
 "Chris Balmain"  wrote:

> Let's say I have two domain names, d1.com and d2.com, and I want to 
> synchronise all records underneath them (one-way sync, that is). So if I 
> create an A record www.d1.com pointing at 1.2.3.4, www.d2.com is also 
> automatically created, with the same value. So it's almost like a 
> master/slave relationship, but the slave zone has a different name to the 
> master.
> 
> Let's assume the two zones will be hosted on the same set of nameservers, so 
> even the SOA and NS records will be identical between them.
> 
> I've been googling, but haven't found anything. Does anyone know if this is 
> natively possible with Bind 9, or will I have to hack a script together to 
> do a transfer from the d1.com zone and parse the data to build an equivalent 
> zone file for d2.com?

See the DNAME record. It's like a CNAME, but applies to the whole 
domain. But you need to put the DNAME in the zone where the domain is 
delegated; so in your case, you'd have to get the DNAME into the .COM 
zone.

Another way to do it is to use the same zone file for both zones on the 
master server. Make sure that you use unqualified names everywhere in 
the zone file that you're not referencing outside the zone.

-- 
Barry Margolin
Arlington, MA
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
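Barry's second option (one zone file loaded under both names) only works if nothing in the file is written fully qualified under d1.com. The following audit script is an added example, not code from the thread, and its zone data is constructed: it lists every absolute name under the file's own origin (the names that would keep pointing at d1.com when the file is loaded as d2.com) and can rewrite them as origin-relative names. The list is for review: names that are meant to stay on d1.com hosts, such as a shared nameserver set named under d1.com as Chris describes, are legitimately left absolute.

```python
"""Audit a zone file meant to be loaded under two names (d1.com and d2.com):
any name written fully qualified under the file's own origin stays pinned to
d1.com when the same file is loaded as d2.com. Added example, not from the
thread; the zone data below is constructed."""


def zone_tokens(line):
    """Tokenise one zone-file line: drop ';' comments, keep quoted TXT data whole."""
    tokens, cur, in_quote = [], "", False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            cur += ch
        elif ch == ";" and not in_quote:
            break
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def in_zone_absolute(token, origin):
    """True for an absolute name at or below origin, e.g. 'www.d1.com.' under
    'd1.com.'; quoted strings and relative names are not."""
    if token.startswith('"') or not token.endswith("."):
        return False
    return token == origin or token.endswith("." + origin)


def find_pinned_names(zone_text, origin):
    """[(line_no, name)] for every absolute in-zone name, for review: names
    that must keep pointing at d1.com hosts are left absolute on purpose."""
    origin = origin if origin.endswith(".") else origin + "."
    hits = []
    for no, line in enumerate(zone_text.splitlines(), 1):
        if line.startswith("$"):  # $TTL / $ORIGIN directives
            continue
        hits += [(no, t) for t in zone_tokens(line) if in_zone_absolute(t, origin)]
    return hits


def relativize(zone_text, origin):
    """Rewrite absolute in-zone names as origin-relative ones so the file loads
    identically under any zone name ('www.d1.com.' -> 'www', 'd1.com.' -> '@').
    Leading whitespace (empty owner field) is kept; ';' comments are dropped."""
    origin = origin if origin.endswith(".") else origin + "."
    out = []
    for line in zone_text.splitlines():
        if line.startswith("$") or not line.strip():
            out.append(line)
            continue
        toks = [("@" if t == origin else t[:-len("." + origin)])
                if in_zone_absolute(t, origin) else t for t in zone_tokens(line)]
        indent = line[:len(line) - len(line.lstrip())]
        out.append(indent + " ".join(toks))
    return "\n".join(out)


# Constructed d1.com zone mixing unqualified names with names pinned to d1.com.
D1_ZONE = """\
$TTL 3600
@\tIN SOA ns1.d1.com. hostmaster.d1.com. (
\t\t2011111401 10800 3600 604800 3600 )
\tIN NS  ns1.d1.com.
\tIN NS  ns2.d1.com.
www\tIN A   1.2.3.4
mail\tIN MX  10 mail.d1.com.
ns1\tIN A   1.2.3.5
ftp\tIN CNAME www.d1.com.  ; pinned: still www.d1.com when loaded as d2.com
txt\tIN TXT "v=spf1 a:mail.d1.com. -all"  ; quoted data is opaque, not rewritten
ext\tIN CNAME host.example.net.  ; outside the zone, legitimately absolute
"""

if __name__ == "__main__":
    for no, name in find_pinned_names(D1_ZONE, "d1.com"):
        print(f"line {no}: {name} is pinned to d1.com")
    print(relativize(D1_ZONE, "d1.com"))
```

A free-standing `@` is the current origin in BIND master-file syntax, so the rewritten SOA and NS lines load correctly under either zone name.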


Syncing DNS zones with different names

2011-11-14 Thread Chris Balmain
Let's say I have two domain names, d1.com and d2.com, and I want to 
synchronise all records underneath them (one-way sync, that is). So if I 
create an A record www.d1.com pointing at 1.2.3.4, www.d2.com is also 
automatically created, with the same value. So it's almost like a 
master/slave relationship, but the slave zone has a different name to the 
master.


Let's assume the two zones will be hosted on the same set of nameservers, so 
even the SOA and NS records will be identical between them.


I've been googling, but haven't found anything. Does anyone know if this is 
natively possible with Bind 9, or will I have to hack a script together to 
do a transfer from the d1.com zone and parse the data to build an equivalent 
zone file for d2.com?


- Chris 




Re: Help with dig to check NS servers for DNSSEC setup

2011-11-14 Thread Eduardo Bonsi

Barry;

Thanks, I fixed that!
I am also not sure if that will help with the server "fail" or status 
"refused" issue when checked from outside.


Eduardo

On 11/14/11 6:58 PM, Barry Margolin wrote:

In article,
  Eduardo Bonsi  wrote:


Since my servers are getting status "refused" from outside, could
someone shed some light on what is wrong here? Here is a copy of my named
conf file for the master.


You have the same 'match-clients {any;}' clause in both the internal and
external views.  Although I don't see how this would cause us to get
"refused" responses.  It should mean that we see the internal zones
instead of the external ones.

BTW, it's customary to put all the view options (like match-clients) at
the beginning of the view clause, not hide them in the middle of all the
zone sub-clauses.



Thanks!

//
// Include keys file
key rndc-key {
algorithm hmac-md5;
secret "yyxx-not-the-real-key-xmc/xxx/z/x==";
};
//
//
// Declares control channels to be used by the rndc utility.
//
// It is recommended that 127.0.0.1 be the only address used.
// This also allows non-privileged users on the local host to manage
// your name server.
//
// Default controls
  controls {
inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
};
//
//20
//21
//
options {
  directory "/var/named";
  version "Undisclosed";
  //
   // If there is a firewall between you and name servers you want
   // to talk to, you might need to un-comment the query-source
   // directive below.  Previous versions of BIND always asked
   // questions using port 53, but BIND 8.1 uses an unprivileged
   // port by default.
   //query-source address 192.168.1.cc port 53;
   //
dnssec-enable yes;
dnssec-validation yes;
forward first;
transfer-format one-answer;
forwarders {
68.94.156.1 port 53;
68.94.157.1 port 53;
};
dnssec-lookaside . trust-anchor dlv.isc.org.;
  };
//44
//45
//
//
statistics-channels {
  inet * port 8053 allow { 127.0.0.1; };
};
//
// ACL statement

acl trusted {
192.168.1.254;
192.168.1.0/24;
localhost;
localnets;
};

view "internal" {

match-clients { 192.168.1.0/24; };

recursion yes;

zone "." IN {
  type hint;
  file "named.ca";
};

zone "localhost" IN {
  type master;
  allow-query { any; };
  file "localhost.zone";
  allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
  type master;
allow-query {
any;
};
  file "named.local";
allow-update {
none;
};
allow-transfer {
none;
};
};
//
//90
//100
// internal zones
//
zone "bonsi.org" IN {
type master;
allow-query {
any;
};
notify yes;
file "/var/named/db.bonsi.org";
also-notify {
192.168.1.cc;
};
  };

zone "1.168.192.in-addr.arpa" IN {
type master;
allow-query {
any;
};
notify no;
file "/var/named/db.192.168.1";
also-notify {
192.168.1.cc;
};
   };

zone "168.192.in-addr.arpa" IN {
type master;
allow-query {
any;
};
file "/var/named/db.192.168";
also-notify {
192.168.1.cc;
};
   };
zone "domain2.com" {
type master;
  allow-query { any; };
file "domain2.internal.hosts";
};
allow-query {
any;
};
also-notify {
192.168.1.cc;
};
};
//150
// www.external zones
//
view "external" {

match-clients { any; };
recursion no;

zone "bonsi.org" {
type master;
allow-query {
any;
};
file "/var/named/bonsi.org.external.hosts";
notify yes;
also-notify {
192.168.1.cc;
};
};

zone "ns1.bonsi.org" {
type master;
allow-query {
any;
};
file "ns1.bonsi.org.external.hosts";
also-notify {
192.168.1.cc;
};
};

zone "sub.bonsi.org" {
type master;
  

Re: Help with dig to check NS servers for DNSSEC setup

2011-11-14 Thread Barry Margolin
In article ,
 Eduardo Bonsi  wrote:

> Since my servers are getting status "refused" from outside, could 
> someone shed some light on what is wrong here? Here is a copy of my named 
> conf file for the master.

You have the same 'match-clients {any;}' clause in both the internal and 
external views.  Although I don't see how this would cause us to get 
"refused" responses.  It should mean that we see the internal zones 
instead of the external ones.

BTW, it's customary to put all the view options (like match-clients) at 
the beginning of the view clause, not hide them in the middle of all the 
zone sub-clauses.

> 
> Thanks!
> 
> //
> // Include keys file
> key rndc-key {
>   algorithm hmac-md5;
>   secret "yyxx-not-the-real-key-xmc/xxx/z/x==";
>   };
> //
> //
> // Declares control channels to be used by the rndc utility.
> //
> // It is recommended that 127.0.0.1 be the only address used.
> // This also allows non-privileged users on the local host to manage
> // your name server.
> //
> // Default controls
>  controls {
>   inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
> };
> //
> //20
> //21
> //
> options {
>  directory "/var/named";
>  version "Undisclosed";
>  //
>   // If there is a firewall between you and name servers you want
>   // to talk to, you might need to un-comment the query-source
>   // directive below.  Previous versions of BIND always asked
>   // questions using port 53, but BIND 8.1 uses an unprivileged
>   // port by default.
>   //query-source address 192.168.1.cc port 53;
>   //
>   dnssec-enable yes;
>   dnssec-validation yes;
>   forward first;
>   transfer-format one-answer;
>   forwarders {
>   68.94.156.1 port 53;
>   68.94.157.1 port 53;
>   };
>   dnssec-lookaside . trust-anchor dlv.isc.org.;
>  };
> //44
> //45
> //
> //
> statistics-channels {
>  inet * port 8053 allow { 127.0.0.1; };
> };
> //
> // ACL statement
> 
> acl trusted {
>   192.168.1.254;
>   192.168.1.0/24;
>   localhost;
>   localnets;
>   };
> 
> view "internal" {
>   recursion yes;
> 
> zone "." IN {
>  type hint;
>  file "named.ca";
> };
> 
> zone "localhost" IN {
>  type master;
>  allow-query { any; };
>  file "localhost.zone";
>  allow-update { none; };
> };
> 
> zone "0.0.127.in-addr.arpa" IN {
>  type master;
>   allow-query {
>   any;
>   };
>  file "named.local";
>   allow-update {
>   none;
>   };
>   allow-transfer {
>   none;
>   };
> };
> //
> //90
> //100
> // internal zones
> //
> zone "bonsi.org" IN {
> type master;
>   allow-query {
>   any;
>   };
>   notify yes;
> file "/var/named/db.bonsi.org";
>   also-notify {
>   192.168.1.cc;
>   };
>  };
> 
> zone "1.168.192.in-addr.arpa" IN {
> type master;
>   allow-query {
>   any;
>   };
>   notify no;
> file "/var/named/db.192.168.1";
>   also-notify {
>   192.168.1.cc;
>   };
>   };
> 
> zone "168.192.in-addr.arpa" IN {
> type master;
>   allow-query {
>   any;
>   };
> file "/var/named/db.192.168";
>   also-notify {
>   192.168.1.cc;
>   };
>   };
>   match-clients {any; };
>   zone "domain2.com" {
>   type master;
> allow-query { any; };
>   file "domain2.internal.hosts";
>   };
>   allow-query {
>   any;
>   };
>   also-notify {
>   192.168.1.cc;
>   };
> };
> //150
> // www.external zones
> //
> view "external" {
>   zone "bonsi.org" {
>   type master;
>   allow-query {
>   any;
>   };
>   file "/var/named/bonsi.org.external.hosts";
>   notify yes;
>   also-notify {
>   192.168.1.cc;
>   };
>   };
>   recursion no;
>   zone "ns1.bonsi.org" {
>   type master;
>   allow-query {
>   any;
>   };
>   file "ns1.bonsi.org.external.hosts";
>   also-notify {
>   192.168.1.cc;
>   };
>   };
>   match-clients { any; };
>   zone "sub.bonsi.org" {
>   type master;
> allow-query { any; };
>   file "sub.bonsi.org.external
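Barry's observation about the two catch-all match-clients lists, as an added check that is not code from the thread (the two named.conf fragments are constructed; the second has the shape of the fix, with the LAN-only internal view first and its options at the top of the view clause): BIND tries views in file order, so the first view whose match-clients matches everyone takes every client and no later view can ever be selected.

```python
"""Check BIND view ordering in a named.conf: views are tried in file order, so
a view whose match-clients is { any; } takes every client and any view after it
can never be selected. Added example, not from the thread; configs constructed."""
import re


def strip_comments(text):
    """Drop the /* */, // and # comment styles named.conf allows."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def split_statements(block):
    """Yield (head, body) per top-level statement: head is the text before the
    first '{' (the whole statement if it has no body), body the text inside."""
    depth, start, open_idx, close_idx = 0, 0, None, None
    for i, ch in enumerate(block):
        if ch == "{":
            if depth == 0:
                open_idx = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                close_idx = i
        elif ch == ";" and depth == 0:
            head = block[start:(i if open_idx is None else open_idx)].strip()
            body = None if open_idx is None else block[open_idx + 1:close_idx]
            if head:
                yield head, body
            start, open_idx, close_idx = i + 1, None, None


def parse_views(conf):
    """[(view_name, match_clients)] in file order; BIND's default is { any; }."""
    views = []
    for head, body in split_statements(strip_comments(conf)):
        if body is None or head.split()[0] != "view":
            continue
        clients = ["any"]
        for h, b in split_statements(body):
            if h.split()[0] == "match-clients" and b is not None:
                clients = [e.strip() for e in b.split(";") if e.strip()]
        views.append((head.split()[1].strip('"'), clients))
    return views


def is_catch_all(clients):
    """Matches everyone: 'any' is present and there is no '!' (negated) entry."""
    return "any" in clients and not any(e.startswith("!") for e in clients)


def shadowed_views(conf):
    """Names of views no client can reach: everything after the first catch-all."""
    views = parse_views(conf)
    for idx, (_, clients) in enumerate(views):
        if is_catch_all(clients):
            return [name for name, _ in views[idx + 1:]]
    return []


# Constructed: the thread's problem, match-clients { any; } in both views, hidden among the zones.
BROKEN_CONF = """
view "internal" {
    recursion yes;
    zone "bonsi.org" IN { type master; file "db.bonsi.org"; };
    match-clients { any; };
};
view "external" {
    zone "bonsi.org" { type master; file "bonsi.org.external.hosts"; };
    match-clients { any; };
};
"""
# Constructed: the fix, a LAN-only internal view first, options at the top.
FIXED_CONF = """
view "internal" {
    match-clients { 192.168.1.0/24; localhost; };
    recursion yes;
    zone "bonsi.org" IN { type master; file "db.bonsi.org"; };
};
view "external" {
    match-clients { any; };
    zone "bonsi.org" { type master; file "bonsi.org.external.hosts"; };
};
"""
```

Run `shadowed_views()` over a named.conf before reloading: a non-empty result means some view, and every zone in it, is unreachable from the outside.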

Re: Help with dig to check NS servers for DNSSEC setup

2011-11-14 Thread Eduardo Bonsi
Since my servers are getting status "refused" from outside, could 
someone shed some light on what is wrong here? Here is a copy of my named 
conf file for the master.


Thanks!

//
// Include keys file
key rndc-key {
algorithm hmac-md5;
secret "yyxx-not-the-real-key-xmc/xxx/z/x==";
};
//
//
// Declares control channels to be used by the rndc utility.
//
// It is recommended that 127.0.0.1 be the only address used.
// This also allows non-privileged users on the local host to manage
// your name server.
//
// Default controls
controls {
inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
};
//
//20
//21
//
options {
directory "/var/named";
version "Undisclosed";
//
 // If there is a firewall between you and name servers you want
 // to talk to, you might need to un-comment the query-source
 // directive below.  Previous versions of BIND always asked
 // questions using port 53, but BIND 8.1 uses an unprivileged
 // port by default.
 //query-source address 192.168.1.cc port 53;
 //
dnssec-enable yes;
dnssec-validation yes;
forward first;
transfer-format one-answer;
forwarders {
68.94.156.1 port 53;
68.94.157.1 port 53;
};
dnssec-lookaside . trust-anchor dlv.isc.org.;
};
//44
//45
//
//
statistics-channels {
inet * port 8053 allow { 127.0.0.1; };
};
//
// ACL statement

acl trusted {
192.168.1.254;
192.168.1.0/24;
localhost;
localnets;
};

view "internal" {
recursion yes;

zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
allow-query { any; };
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
allow-query {
any;
};
file "named.local";
allow-update {
none;
};
allow-transfer {
none;
};
};
//
//90
//100
// internal zones
//
zone "bonsi.org" IN {
type master;
allow-query {
any;
};
notify yes;
file "/var/named/db.bonsi.org";
also-notify {
192.168.1.cc;
};
};

zone "1.168.192.in-addr.arpa" IN {
type master;
allow-query {
any;
};
notify no;
file "/var/named/db.192.168.1";
also-notify {
192.168.1.cc;
};
 };

zone "168.192.in-addr.arpa" IN {
type master;
allow-query {
any;
};
file "/var/named/db.192.168";
also-notify {
192.168.1.cc;
};
 };
match-clients {any; };
zone "domain2.com" {
type master;
  allow-query { any; };
file "domain2.internal.hosts";
};
allow-query {
any;
};
also-notify {
192.168.1.cc;
};
};
//150
// www.external zones
//
view "external" {
zone "bonsi.org" {
type master;
allow-query {
any;
};
file "/var/named/bonsi.org.external.hosts";
notify yes;
also-notify {
192.168.1.cc;
};
};
recursion no;
zone "ns1.bonsi.org" {
type master;
allow-query {
any;
};
file "ns1.bonsi.org.external.hosts";
also-notify {
192.168.1.cc;
};
};
match-clients { any; };
zone "sub.bonsi.org" {
type master;
  allow-query { any; };
file "sub.bonsi.org.external.hosts";
};
zone "domain2.com" {
type master;
allow-query { any; };
file "domain2.com.external.hosts";
};
zone "45.200.63.in-addr.arpa" {
type master;
allow-query {
any;
};
file "63.200.45.external.rev";
also-notify {
192.168.1.cc;
};
};
allow-query {
any;
};
also-notify {
63.200.45.19;
   

Re: Help with dig to check NS servers for DNSSEC setup

2011-11-14 Thread Stephane Bortzmeyer
On Mon, Nov 14, 2011 at 12:38:44PM -0800,
 Eduardo Bonsi  wrote 
 a message of 123 lines which said:

> if my ns1 and ns2 are responding ok to setup DNSSEC.
...
> user:~ user1$ dig bonsi.org

dig, by default, does not request DNSSEC data. If you want to test
with DNSSEC, add "+dnssec" to the command line.

For more comprehensive tests, see



Re: DNS Amplification Attack and different results in bind 9.6/9.7

2011-11-14 Thread Stephane Bortzmeyer
On Tue, Nov 15, 2011 at 03:51:52AM +0900,
 Euiho Kim  wrote 
 a message of 215 lines which said:

> In bind-9.6 installed server, response query rcvd msg size is 600~700 byte,
> 
> But bind-9.7, response rcvd msg size is 3100~3400 byte(large size), It
> includes lots of DNSSEC RRSet.

I vaguely remember that the default config for DNSSEC changed from
"dnssec-enable no" to "dnssec-enable yes". This may be the reason. Try
to change this variable explicitly.
 


RE: Help with dig to check NS servers for DNSSEC setup

2011-11-14 Thread lst_hoe02

Quote from "Adamiec, Lawrence":


Here are some results using the same commands you used.

# dig @63.200.45.18 ns1.bonsi.org soa

; <<>> DiG 9.6.1-P3 <<>> @63.200.45.18 ns1.bonsi.org soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 986


Yup, looks like besides the internal network of the OP no one is
allowed to use the public nameservers for bonsi.org...


Regards

Andreas




RE: Help with dig to check NS servers for DNSSEC setup

2011-11-14 Thread Adamiec, Lawrence
Here are some results using the same commands you used.



# dig bonsi.org

; <<>> DiG 9.6.1-P3 <<>> bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1462
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bonsi.org. IN  A

;; Query time: 666 msec
;; SERVER: 64.131.119.11#53(64.131.119.11)
;; WHEN: Mon Nov 14 14:41:54 2011
;; MSG SIZE  rcvd: 27



# dig @63.200.45.18 ns1.bonsi.org soa

; <<>> DiG 9.6.1-P3 <<>> @63.200.45.18 ns1.bonsi.org soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 986
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.bonsi.org. IN  SOA

;; Query time: 75 msec
;; SERVER: 63.200.45.18#53(63.200.45.18)
;; WHEN: Mon Nov 14 14:42:25 2011
;; MSG SIZE  rcvd: 31

#

> -Original Message-
> From: bind-users-bounces+ladamiec=kentlaw@lists.isc.org
> [mailto:bind-users-bounces+ladamiec=kentlaw@lists.isc.org] On Behalf Of Eduardo Bonsi
> Sent: Monday, November 14, 2011 14:39
> To: bind-us...@isc.org
> Subject: Help with dig to check NS servers for DNSSEC setup
> 
> I am checking my DNS setup from inside using dig and I am getting
> everything ok but I need a second opinion from outside of the server to
> see if my ns1 and ns2 are responding ok to setup DNSSEC.
> 
> Thanks!
> 
> user:~ user1$ dig bonsi.org
> 
> ; <<>> DiG 9.6-ESV-R4-P3 <<>> bonsi.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35880
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;bonsi.org.   IN  A
> 
> ;; ANSWER SECTION:
> bonsi.org.3600IN  A   63.200.45.21
> 
> ;; AUTHORITY SECTION:
> bonsi.org.3600IN  NS  ns2.bonsi.org.
> bonsi.org.3600IN  NS  ns1.bonsi.org.
> 
> ;; ADDITIONAL SECTION:
> ns2.bonsi.org.3600IN  A   63.200.45.19
> 
> ;; Query time: 14 msec
> ;; SERVER: 63.200.45.18#53(63.200.45.18)
> ;; WHEN: Mon Nov 14 12:09:43 2011
> ;; MSG SIZE  rcvd: 95
> 
> user:~ user1$ dig @63.200.45.18 ns1.bonsi.org soa
> 
> ; <<>> DiG 9.6-ESV-R4-P3 <<>> @63.200.45.18 ns1.bonsi.org soa
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31586
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;ns1.bonsi.org.   IN  SOA
> 
> ;; ANSWER SECTION:
> ns1.bonsi.org.3600IN  SOA ns1.bonsi.org. hostmaster.bonsi.org.
> 2011101403 10800 3600 604800 3600
> 
> ;; AUTHORITY SECTION:
> ns1.bonsi.org.3600IN  NS  ns1.bonsi.org.
> 
> ;; Query time: 14 msec
> ;; SERVER: 63.200.45.18#53(63.200.45.18)
> ;; WHEN: Mon Nov 14 12:10:19 2011
> ;; MSG SIZE  rcvd: 92
> 
> user:~ user1$ dig @63.200.45.19 ns2.bonsi.org
> 
> ; <<>> DiG 9.6-ESV-R4-P3 <<>> @63.200.45.19 ns2.bonsi.org
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38660
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;ns2.bonsi.org.   IN  A
> 
> ;; ANSWER SECTION:
> ns2.bonsi.org.3600IN  A   63.200.45.19
> 
> ;; AUTHORITY SECTION:
> ns2.bonsi.org.3600IN  NS  ns2.bonsi.org.
> 
> ;; Query time: 12 msec
> ;; SERVER: 63.200.45.19#53(63.200.45.19)
> ;; WHEN: Mon Nov 14 12:11:04 2011
> ;; MSG SIZE  rcvd: 61
> 
> user:~ user1$ dig @63.200.45.19 ns2.bonsi.org soa
> 
> ; <<>> DiG 9.6-ESV-R4-P3 <<>> @63.200.45.19 ns2.bonsi.org soa
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17334
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;ns2.bonsi.org.   IN  SOA
> 
> ;; ANSWER SECTION:
> ns2.bonsi.org.3600IN  SOA ns2.bonsi.org. hostmaster.bonsi.org.
> 2011101409 10800 3600 604800 3600
> 
> ;; AUTHORITY SECTION:
> ns2.bonsi.org.3600IN  NS  ns2.bonsi.org.
> 
> ;; ADDITIONAL SECTION:
> ns2.bonsi.org.3600IN  A   63.200.45.19
> 
> ;; Query time: 58 msec
> ;; SERVER: 63.200.45.19#53(63.2

Help with dig to check NS servers for DNSSEC setup

2011-11-14 Thread Eduardo Bonsi
I am checking my DNS setup from inside using dig and I am getting 
everything ok but I need a second opinion from outside of the server to 
see if my ns1 and ns2 are responding ok to setup DNSSEC.


Thanks!

user:~ user1$ dig bonsi.org

; <<>> DiG 9.6-ESV-R4-P3 <<>> bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35880
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bonsi.org. IN  A

;; ANSWER SECTION:
bonsi.org.  3600IN  A   63.200.45.21

;; AUTHORITY SECTION:
bonsi.org.  3600IN  NS  ns2.bonsi.org.
bonsi.org.  3600IN  NS  ns1.bonsi.org.

;; ADDITIONAL SECTION:
ns2.bonsi.org.  3600IN  A   63.200.45.19

;; Query time: 14 msec
;; SERVER: 63.200.45.18#53(63.200.45.18)
;; WHEN: Mon Nov 14 12:09:43 2011
;; MSG SIZE  rcvd: 95

user:~ user1$ dig @63.200.45.18 ns1.bonsi.org soa

; <<>> DiG 9.6-ESV-R4-P3 <<>> @63.200.45.18 ns1.bonsi.org soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31586
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.bonsi.org. IN  SOA

;; ANSWER SECTION:
ns1.bonsi.org.		3600	IN	SOA	ns1.bonsi.org. hostmaster.bonsi.org. 
2011101403 10800 3600 604800 3600


;; AUTHORITY SECTION:
ns1.bonsi.org.  3600IN  NS  ns1.bonsi.org.

;; Query time: 14 msec
;; SERVER: 63.200.45.18#53(63.200.45.18)
;; WHEN: Mon Nov 14 12:10:19 2011
;; MSG SIZE  rcvd: 92

user:~ user1$ dig @63.200.45.19 ns2.bonsi.org

; <<>> DiG 9.6-ESV-R4-P3 <<>> @63.200.45.19 ns2.bonsi.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38660
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns2.bonsi.org. IN  A

;; ANSWER SECTION:
ns2.bonsi.org.  3600IN  A   63.200.45.19

;; AUTHORITY SECTION:
ns2.bonsi.org.  3600IN  NS  ns2.bonsi.org.

;; Query time: 12 msec
;; SERVER: 63.200.45.19#53(63.200.45.19)
;; WHEN: Mon Nov 14 12:11:04 2011
;; MSG SIZE  rcvd: 61

user:~ user1$ dig @63.200.45.19 ns2.bonsi.org soa

; <<>> DiG 9.6-ESV-R4-P3 <<>> @63.200.45.19 ns2.bonsi.org soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17334
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns2.bonsi.org. IN  SOA

;; ANSWER SECTION:
ns2.bonsi.org.		3600	IN	SOA	ns2.bonsi.org. hostmaster.bonsi.org. 
2011101409 10800 3600 604800 3600


;; AUTHORITY SECTION:
ns2.bonsi.org.  3600IN  NS  ns2.bonsi.org.

;; ADDITIONAL SECTION:
ns2.bonsi.org.  3600IN  A   63.200.45.19

;; Query time: 58 msec
;; SERVER: 63.200.45.19#53(63.200.45.19)
;; WHEN: Mon Nov 14 12:19:50 2011
;; MSG SIZE  rcvd: 108


--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net
webmas...@beart.com


DNS Amplification Attack and different results in bind 9.6/9.7

2011-11-14 Thread Euiho Kim
Hi, I wrote an email 1 day ago (subject: "DDoS attack and difference
actions in bind 9.6 / 9.7").

But I wonder whether the mail did not reach your mailbox, so I am requesting
support again.

First, recently an "isc.org ANY" DDoS attack is frequently being generated
against our DNS system (recursive cache DNS).

The query type is "ANY" and I think it may be a DNS amplification attack.

It is affecting all regions in Korea, and query traffic (pps) sometimes
exceeds 160K.

The source IPs are variable: spoofed or infected clients.

Anyway, I have 3 questions about this.

1. To solve this problem (burst of isc.org "ANY" queries, an amplification
attack), is there any better idea, or a case of blocking the attack at other
sites?

2. Curiously, I found 2 different query results for "isc.org ANY".

On a server with bind-9.6 installed, the response rcvd msg size is 600~700
bytes,

but with bind-9.7, the response rcvd msg size is 3100~3400 bytes (large
size); it includes lots of DNSSEC RRsets.

Why are the response msg sizes different depending on the system?

3. I monitored DNS traffic after the attack disappeared.

It seems that the Bind-9.6 servers replied to all the "ISC ANY" queries,

but the Bind-9.7 servers almost ignored them.

I read the new features in the bind-9.7 doc and RELEASE-FILE,

but there were no reports of preventing the above attack (sort of generating
large response packets).

I have read once about preventing large RRSIGs in negative queries, but I
think it's a different situation compared to that.

If you know the features in bind-9.7 related to the above (ignored replies),
please tell us.



Best regards,

Euiho Kim

Re: Reason for Limited number of Root DNS Servers

2011-11-14 Thread Florian Weimer
* Gaurav Kansal:

> As root DNS servers are running in anycast, the number is not an issue at all. But I
> don't understand where exactly this limitation exists???

The limitation does not exist, otherwise it would not have been possible
to add IPv6 addresses to the priming response.

-- 
Florian Weimer
BFK edv-consulting GmbH   http://www.bfk.de/
Kriegsstraße 100  tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99