Re: dig -t txt output variation

2012-03-09 Thread Mark Andrews

In message , "M. Meadows" writes:
> We've noticed that the following command gets a variable result:
> 
> dig -t txt exacttarget.com @ns2.exacttarget.com +short
> 
> We get 2 results from this. Seems to be somewhat random. They are:
> 
> "v=spf1 a mx ip4:207.250.79.101 ip4:207.67.98.192/27 ip4:72.18.216.98
> include:cust-spf.exacttarget.com include:salesforce.com
> include:message1-spf-inc.exacttarget.com include:hotels-spf-inc.exacttarget.com
> ip4:206.246.157.1 -all"
> "spf2.0/pra ip4:207.250.79.101 ip4:207.67.98.192/27 ip4:72.18.216.98
> include:cust-senderid.exacttarget.com include:salesforce.com
> include:message1-senderid-inc.exacttarget.com
> include:hotels-senderid-inc.exacttarget.com ip4:206.246.157.1 -all"
> 
> 
> And
> 
> "spf2.0/pra ip4:207.250.79.101 ip4:207.67.98.192/27 ip4:72.18.216.98
> include:cust-senderid.exacttarget.com include:salesforce.com
> include:message1-senderid-inc.exacttarget.com
> include:hotels-senderid-inc.exacttarget.com ip4:206.246.157.1 -all"
> "v=spf1 a mx ip4:207.250.79.101 ip4:207.67.98.192/27 ip4:72.18.216.98
> include:cust-spf.exacttarget.com include:salesforce.com
> include:message1-spf-inc.exacttarget.com include:hotels-spf-inc.exacttarget.com
> ip4:206.246.157.1 -all"
> 
> 
> So ... the text output flips. Sometimes the spf1 entry is first ... sometimes
> it's second.
> 
> We are aware of at least one application that sees the spf2.0 (if it's first)
> and returns a neutral result for SPF testing. If the spf1 is first in the
> feedback it gets a pass for SPF.

The application is broken.
 
> ns2.exacttarget.com is running BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2.
> 
> Is this a BIND bug?

No.  The DNS does not preserve record order.  This is documented in RFC 1035.
 
> Thanks,
> Martin Meadows
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: dig -t txt output variation

2012-03-09 Thread WBrown
Alan wrote on 03/09/2012 02:38:25 PM:

> Don't base anything on RRset ordering.
> 
> Be sure that the application is able to handle the "random" order -- you
> never know who owns the intermediate caching servers, so you will never
> know the order even if you "fix" it on the authoritative.

That prompted me to look at the original post...  The owner of the domain 
needs to reconcile the two records (including included records) and verify 
all allowed servers are listed.  It's more of an email/spam filtering 
issue than a BIND problem.



Confidentiality Notice: 
This electronic message and any attachments may contain confidential or 
privileged information, and is intended only for the individual or entity 
identified above as the addressee. If you are not the addressee (or the 
employee or agent responsible to deliver it to the addressee), or if this 
message has been addressed to you in error, you are hereby notified that 
you may not copy, forward, disclose or use any part of this message or any 
attachments. Please notify the sender immediately by return e-mail or 
telephone and delete this message from your system.


Re: dig -t txt output variation

2012-03-09 Thread Alan Clegg
On 3/9/2012 2:24 PM, M. Meadows wrote:

> Thanks to both of you for your feedback.
> I see the rrset ordering explanation in the arm.
> Good information.

Don't base anything on RRset ordering.

Be sure that the application is able to handle the "random" order -- you
never know who owns the intermediate caching servers, so you will never
know the order even if you "fix" it on the authoritative.

AlanC
-- 
a...@clegg.com | 1.919.355.8851
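
Added example (not part of the original thread and not BIND code): one way an application can pick the SPF record out of a TXT RRset without depending on answer order, using the record-selection rule of the SPF specification (RFC 4408 section 4.5). The function names are illustrative, and first_record_only() is only a model of the order-dependent behaviour the original poster describes.

```python
# Added example: order-independent SPF record selection from a TXT RRset.
# Function names are illustrative; the two records are the ones quoted in
# the thread, used here as sample input.

SPF1 = ("v=spf1 a mx ip4:207.250.79.101 ip4:207.67.98.192/27 ip4:72.18.216.98 "
        "include:cust-spf.exacttarget.com include:salesforce.com "
        "include:message1-spf-inc.exacttarget.com "
        "include:hotels-spf-inc.exacttarget.com ip4:206.246.157.1 -all")
SENDER_ID = ("spf2.0/pra ip4:207.250.79.101 ip4:207.67.98.192/27 "
             "ip4:72.18.216.98 include:cust-senderid.exacttarget.com "
             "include:salesforce.com "
             "include:message1-senderid-inc.exacttarget.com "
             "include:hotels-senderid-inc.exacttarget.com "
             "ip4:206.246.157.1 -all")


def join_strings(rdata):
    """A TXT record may carry several character-strings; SPF treats them
    as one string, concatenated without added spaces."""
    if isinstance(rdata, str):
        return rdata
    return "".join(rdata)


def is_spf1(record):
    """True only if the version section is exactly "v=spf1", terminated by
    a space or the end of the record (so "v=spf10 ..." does not match)."""
    lowered = record.lower()
    return lowered == "v=spf1" or lowered.startswith("v=spf1 ")


def select_spf(rrset):
    """Return (status, record) after looking at every TXT record.

    "none"      - no v=spf1 record in the RRset
    "permerror" - more than one v=spf1 record (ambiguous policy)
    "ok"        - exactly one; its position in the answer is irrelevant
    """
    candidates = [r for r in map(join_strings, rrset) if is_spf1(r)]
    if not candidates:
        return ("none", None)
    if len(candidates) > 1:
        return ("permerror", None)
    return ("ok", candidates[0])


def first_record_only(rrset):
    """Model of the order-dependent behaviour reported in the thread:
    only the first TXT record in the answer is examined."""
    first = join_strings(rrset[0]) if rrset else ""
    return first if is_spf1(first) else None


if __name__ == "__main__":
    # Both answer orders seen in the thread
    for answer in ([SPF1, SENDER_ID], [SENDER_ID, SPF1]):
        status, _ = select_spf(answer)
        print(status, first_record_only(answer) is not None)
```
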




RE: dig -t txt output variation

2012-03-09 Thread M. Meadows



Thanks to both of you for your feedback.
I see the rrset ordering explanation in the arm.
Good information.



> To: sun-g...@live.com
> CC: bind-users@lists.isc.org
> Subject: Re: dig -t txt output variation
> From: wbr...@e1b.org
> Date: Fri, 9 Mar 2012 13:54:47 -0500
> 
> sun-guru wrote on 03/09/2012 01:45:33 PM:
> 
> 
> > Is this a BIND bug? 
> 
> Check ARM for RRSet Ordering.  
> 
> 
> 

Re: Master/slave configuration

2012-03-09 Thread michoski
On 3/9/12 7:58 AM, "Romgo"  wrote:
> Even if I use a VIP I can reproduce the issue :
> If the first VIP (so the nameserver 1) is down, I'll have the same
> drawbacks. As the resolver will timeout before falling back to the second
> nameserver.

Sure, we don't live in a perfect world.  You can establish reasonable
countermeasures based on your time/budget which will help reduce the
likelihood and impact of failure, but it is likely cost prohibitive to
optimize the edge case and try to implement perfection.  :-)

This is why VIPs + resolv.conf options were suggested.  In most cases, the
VIP will save you.  When it doesn't, you still have a reasonable failover
time.  Monitoring, automation, well-planned maintenance windows, etc. should
help further reduce unexpected issues for your clients.

> On 9 March 2012 10:13, Phil Mayers  wrote:
>> We also make the two different VIPs use different underlying tech - one is
>> an anycast route advertised with eBGP, the other is via load-balancing. The
>> diversity of tech gives us a bit more resilience and flexibility - taking
>> out the load-balancer no longer destroys DNS, for example.

Good deal, but there are pros and cons to any approach.  Added "diversity"
-- while useful and touted for years (I always enjoy the "genetic diversity"
discussions saying each of my clusters should run 4-5 different operating
systems) -- also means added "complexity", which has its own cost.  :-)

-- 
Work is the curse of the drinking classes.
-- Mike Romanoff



Re: Anycast DNS - LB/LTM

2012-03-09 Thread ju wusuo
so the script would run on the LTM, it will periodically check each physical 
DNS node, if one cannot resolve then takes it out of the pool; it will also 
check the VIP, if the VIP cannot resolve, pool is empty or LTM issue, stop the 
advertising?



 From: David Klein 
To: ju wusuo  
Cc: "bind-users@lists.isc.org"  
Sent: Wednesday, March 7, 2012 11:18 PM
Subject: Re: Anycast DNS
 


You would need to create a custom script to use as your monitor, which does a 
lookup of an address that you know will always be in your domain. If that 
fails, force-down/inactive the node, and tie this script as a monitor to the 
pool holding the DNS server nodes. 

You can advertise the /32 containing the VIPA to the up-stream router via 
either OSPF or IBGP, and if the pool goes empty, stop advertising the route 
(the only option is stop advertising, not actively withdraw the route, since 
that could cause a massive reconvergence cycle in your enterprise-wide RIB, if 
done wrong, just because of a flapping interface). 



HTH,

 -DTK



On Wed, Mar 7, 2012 at 2:34 PM, ju wusuo  wrote:


>
>thanks everyone for all responses with the great inputs ..
>
>
>now if I want to put the DNS servers behind LBs, 1) would the LTMs be able to 
>announce the routes dynamically for the DNS servers, and a VIP can be 
>withdrawn when the site is gone? 2) would the LTMs be able to detect a DNS 
>service failure and stop sending over DNS queries, i.e., in the case a named 
>is still up but just not able to resolve names (assuming LTM can detect a 
>named is down)?  
>
>


-- 

david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?
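
Added example (not from the original thread, and not vendor or BIND code): the monitor logic discussed in this message, written out in Python. A node counts as healthy only if it actually answers a lookup for a name known to exist, and the route is advertised only while the pool is non-empty and the VIP itself resolves. The function names and the 192.0.2.x addresses are assumptions; how the result is handed to the load balancer is product-specific and not shown.

```python
# Added example: DNS health probe for a load-balancer pool monitor.
# Names, addresses and the pool logic are illustrative assumptions.
import os
import socket
import struct

QR_BIT = 0x8000      # set in responses
RCODE_MASK = 0x000F  # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN, ...


def build_query(name, qid, qtype=1):
    """Build a minimal DNS query: one question, class IN, RD bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def is_healthy(qid, response):
    """A node is healthy only if it returned a matching response with
    RCODE NOERROR and at least one answer record. A named that is up but
    cannot resolve (SERVFAIL, empty answer, no reply) fails this check."""
    if response is None or len(response) < 12:
        return False
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH",
                                                       response[:12])
    return (rid == qid and bool(flags & QR_BIT)
            and (flags & RCODE_MASK) == 0 and ancount > 0)


def probe(server, name, timeout=2.0, port=53):
    """Send one UDP query to `server` and judge the reply."""
    qid = int.from_bytes(os.urandom(2), "big")
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name, qid), (server, port))
            data, _addr = sock.recvfrom(4096)
    except OSError:  # includes timeouts
        return False
    return is_healthy(qid, data)


def evaluate_pool(health, vip_ok=True):
    """health maps node address -> probe result.

    Returns (active_nodes, advertise): failed nodes drop out of the pool,
    and the VIP route is advertised only while the pool is non-empty and
    the VIP itself still resolves."""
    active = sorted(node for node, ok in health.items() if ok)
    return active, bool(active) and vip_ok


if __name__ == "__main__":
    # Constructed probe results: one node resolving, one not
    print(evaluate_pool({"192.0.2.11": True, "192.0.2.12": False}))
```
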

Re: Cisco ACE config for internal DNS load balancing

2012-03-09 Thread michoski
On 3/9/12 8:39 AM, "Phil Mayers"  wrote:

> On 09/03/12 16:23, Matthew Huff wrote:
>> Anyone have any suggestions/best practices/config examples for DNS load
>> balancing for internal use on CISCO ACE blades?
>> 
>> I've got the standard example working, but wondered about keepalive
>> frequency, timeouts, fragments, etc…
>> 
>> Anyone got any examples they use that they could share?
> 
> We do transparent LB; the servers all have the service VIP as a /32 on
> their loopback interface. The packet flow is:
> 
> Req: client -> ace -> dns server
> Rsp: dns server -> client
> 
> This has the advantage that the DNS servers don't have to sit "behind"
> the ACE.

+1 -- Sometimes called "DSR" or "Direct Server Return", I consider it the
only way to configure sites/services of any significant size.

-- 
All his life he has looked away... to the horizon, to the sky,
to the future.  Never his mind on where he was, on what he was doing.
-- Yoda



Re: dig -t txt output variation

2012-03-09 Thread WBrown
sun-guru wrote on 03/09/2012 01:45:33 PM:


> Is this a BIND bug? 

Check ARM for RRSet Ordering.  





dig -t txt output variation

2012-03-09 Thread M. Meadows


We've noticed that the following command gets a variable result:

dig -t txt exacttarget.com @ns2.exacttarget.com +short

We get 2 results from this. Seems to be somewhat random. They are:

"v=spf1 a mx ip4:207.250.79.101 ip4:207.67.98.192/27 ip4:72.18.216.98 
include:cust-spf.exacttarget.com include:salesforce.com 
include:message1-spf-inc.exacttarget.com include:hotels-spf-inc.exacttarget.com 
ip4:206.246.157.1 -all"
"spf2.0/pra ip4:207.250.79.101 ip4:207.67.98.192/27 ip4:72.18.216.98 
include:cust-senderid.exacttarget.com include:salesforce.com 
include:message1-senderid-inc.exacttarget.com 
include:hotels-senderid-inc.exacttarget.com ip4:206.246.157.1 -all"


And 

"spf2.0/pra ip4:207.250.79.101 ip4:207.67.98.192/27 ip4:72.18.216.98 
include:cust-senderid.exacttarget.com include:salesforce.com 
include:message1-senderid-inc.exacttarget.com 
include:hotels-senderid-inc.exacttarget.com ip4:206.246.157.1 -all"
"v=spf1 a mx ip4:207.250.79.101 ip4:207.67.98.192/27 ip4:72.18.216.98 
include:cust-spf.exacttarget.com include:salesforce.com 
include:message1-spf-inc.exacttarget.com include:hotels-spf-inc.exacttarget.com 
ip4:206.246.157.1 -all"


So ... the text output flips. Sometimes the spf1 entry is first ... sometimes 
it's second.

We are aware of at least one application that sees the spf2.0 (if it's first) 
and returns a neutral result for SPF testing. If the spf1 is first in the 
feedback it gets a pass for SPF. 

ns2.exacttarget.com is running BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2.

Is this a BIND bug? 

Thanks,
Martin Meadows




Re: Cisco ACE config for internal DNS load balancing

2012-03-09 Thread Phil Mayers

On 09/03/12 16:23, Matthew Huff wrote:

> Anyone have any suggestions/best practices/config examples for DNS load
> balancing for internal use on CISCO ACE blades?
>
> I’ve got the standard example working, but wondered about keepalive
> frequency, timeouts, fragments, etc…
>
> Anyone got any examples they use that they could share?


We do transparent LB; the servers all have the service VIP as a /32 on 
their loopback interface. The packet flow is:


Req: client -> ace -> dns server
Rsp: dns server -> client

This has the advantage that the DNS servers don't have to sit "behind" 
the ACE.


We then use this config:

probe tcp TCP_53_RECDNS
  ip address 
  port 53
  interval 10
serverfarm host INTERNAL-DNS
  transparent
  predictor leastconns
  probe TCP_53_RECDNS
  rserver RSERVER1 53
    inservice
  rserver RSERVER2 53
    inservice
  rserver RSERVER3 53
    inservice
  rserver RSERVER4 53
    inservice

class-map match-any VIP_RECURSIVE-DNS
  2 match virtual-address  udp eq domain
  3 match virtual-address  tcp eq domain
policy-map type loadbalance first-match SLB_INTERNAL-DNS
  class class-default
    serverfarm INTERNAL-DNS

policy-map multi-match VIPS_VLANXX
  class VIP_RECURSIVE-DNS
    loadbalance vip inservice
    loadbalance policy SLB_INTERNAL-DNS
    loadbalance vip icmp-reply
    loadbalance vip advertise

We didn't fiddle with the keepalive, probes, or anything else. It's been 
very well behaved in this config.



Cisco ACE config for internal DNS load balancing

2012-03-09 Thread Matthew Huff
Anyone have any suggestions/best practices/config examples for DNS load
balancing for internal use on CISCO ACE blades?

 

I've got the standard example working, but wondered about keepalive
frequency, timeouts, fragments, etc.

 

Anyone got any examples they use that they could share?

 



Matthew Huff | 1 Manhattanville Rd

Director of Operations   | Purchase, NY 10577

OTA Management LLC   | Phone: 914-460-4039

aim: matthewbhuff| Fax:   914-460-4139

 




Re: Master/slave configuration

2012-03-09 Thread Romgo
Hello,

I know that I can use VIP with any software (corosync, Linux HA...) But
this will not explain the origin of the issue I am facing :)


Even if I use a VIP I can reproduce the issue :
If the first VIP (so the nameserver 1) is down, I'll have the same
drawbacks. As the resolver will timeout before falling back to the second
nameserver.

Right ?



On 9 March 2012 10:13, Phil Mayers  wrote:

> On 03/08/2012 06:26 PM, michoski wrote:
>
>  Meant to add one thing...  In our configuration, we actually have two
>> recursive VIPs per site, and even considered three (internal IPs are
>> cheap).
>>
>
> We do this.
>
> We also make the two different VIPs use different underlying tech - one is
> an anycast route advertised with eBGP, the other is via load-balancing. The
> diversity of tech gives us a bit more resilience and flexibility - taking
> out the load-balancer no longer destroys DNS, for example.
>

DNS Amplification Attack Mitigation

2012-03-09 Thread Fr34k


All,

I am (we all are (?)) interested in techniques for mitigating DNS amplification 
attacks for both recursive and authoritative BIND servers (versions 9.x).


Google found http://www.secureworks.com/research/threats/dns-amplification/ and 
http://www.publicsafety.gc.ca/prg/em/ccirc/2009/av09-011-eng.aspx
which mention limiting clients via ACLs and using "additional-from-cache no;" 
as mitigation techniques.


Good articles, but written several years ago so there might be additional 
configuration suggestions from the community since 2009.
Are there and, if so, what are they?
Perhaps said another way, what other named.conf settings could we be looking at 
in this effort?


Thank you.



Bind Memory Usage

2012-03-09 Thread Patrick Cauchi
Hi all,

I have just upgraded from Bind 9.7 to Bind 9.8.1 Patch 1 and am noticing that 
the occupied physical memory is increasing to values larger than usual. Whilst 
in the former release the occupied physical memory stabilises at a value of 
approximately 4GB, I am now noticing that the occupied memory is using all the 
16GB available to the server.

Was there any major change or could this be a memory leak in the named daemon 
process? I am using a Solaris 10 Operating System running on Oracle Hardware 
with Sparc Architecture.

Regards

Patrick Cauchi

Re: Can I set TTL served to users in bind?

2012-03-09 Thread Jeff Peng

On 2012-3-9 17:20, Cathy Almond wrote:

>> Many ISP's caching DNS servers do this stuff.
>> AFAIK there is not such an option for that, but you can do it from
>> BIND's source.
>
> max-cache-ttl ?



Thanks Cathy for pointing out that.
From what googled:
http://www.menandmice.com/knowledgehub/dnsqa/44/

max-cache-ttl does do this but I never know that.

Regards.

Re: Can I set TTL served to users in bind?

2012-03-09 Thread Cathy Almond
On 09/03/12 08:22, Jeff Peng wrote:
> On 2012-3-9 16:11, Drunkard Zhang wrote:
>> I got some bind servers doing iteration resolution, and return the
>> results to users. But I found that some names got too big TTLs, whose
>> RRs can not be replaced correctly by new RRs in time. This leads to
>> user‘s blame, we have to flush the caches by hand, and restart the
>> SOHO router to resolve the "dead site" issue.
>>
>> So I wonder can bind set a (lower) TTL by force before response to
>> users. If I can, which option? I digged ARM, but got nothing.
> 
> 
> Many ISP's caching DNS servers do this stuff.
> AFAIK there is not such an option for that, but you can do it from
> BIND's source.

max-cache-ttl ?

Re: Master/slave configuration

2012-03-09 Thread Phil Mayers

On 03/08/2012 06:26 PM, michoski wrote:


> Meant to add one thing...  In our configuration, we actually have two
> recursive VIPs per site, and even considered three (internal IPs are cheap).


We do this.

We also make the two different VIPs use different underlying tech - one 
is an anycast route advertised with eBGP, the other is via 
load-balancing. The diversity of tech gives us a bit more resilience and 
flexibility - taking out the load-balancer no longer destroys DNS, for 
example.



Re: Can I set TTL served to users in bind?

2012-03-09 Thread Jeff Peng

On 2012-3-9 16:11, Drunkard Zhang wrote:

> I got some bind servers doing iteration resolution, and return the
> results to users. But I found that some names got too big TTLs, whose
> RRs can not be replaced correctly by new RRs in time. This leads to
> user's blame, we have to flush the caches by hand, and restart the
> SOHO router to resolve the "dead site" issue.
>
> So I wonder can bind set a (lower) TTL by force before response to
> users. If I can, which option? I digged ARM, but got nothing.



Many ISP's caching DNS servers do this stuff.
AFAIK there is not such an option for that, but you can do it from 
BIND's source.


HTH.

Can I set TTL served to users in bind?

2012-03-09 Thread Drunkard Zhang
I got some bind servers doing iteration resolution, and return the
results to users. But I found that some names got too big TTLs, whose
RRs can not be replaced correctly by new RRs in time. This leads to
user‘s blame, we have to flush the caches by hand, and restart the
SOHO router to resolve the "dead site" issue.

So I wonder can bind set a (lower) TTL by force before response to
users. If I can, which option? I digged ARM, but got nothing.

Thx :)

Re: reverse dns for IPV6 ranges

2012-03-09 Thread Matus UHLAR - fantomas

On 05.03.12 22:19, hugo hugoo wrote:
> But if only some IP have a reverse..what about the other server who
> have received an IP in the range?  Ip that can be changed every x
> hours.  IF no reverse, it can be blacklisted for some reasons or
> having some problems with services asking a reverse dns resolution.


Working with reverse DNS and blacklist records in the IPv6 is something 
very different from IPv4. Each end user will get more IPs than whole 
IPv4 internet has, and it's easy to 

while you _can_ set up IPv6 reverse DNS records, you should not think 
of them same way as you did in IPv4.


SpamHaus has some recommendations related to IPv6 in order to avoid 
overhauling DNS when abusive client changes IPs to abuse servers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.