Re: truncated responses vs. minimal-responses?
On 11/30/2012 01:30 PM, Matus UHLAR - fantomas wrote:
> On 28.11.12 18:38, Tony Finch wrote:
>> Yes it does. For example, have a look at responses to queries for dotat.at in mx for various buffer sizes and observe that RRsets are dropped but the TC bit is not set.
>
> Nice to see. I'm seeing recommendations to set minimal-responses to avoid the truncation problem anywhere, and I'd like to have documented somewhere that it just won't help...

Truncation happens only if the ANSWER section is too large, and as minimal-responses only affects AUTHORITY and ADDITIONAL, the effect on truncation should be null. For UDP fragmentation it is an entirely different matter, of course. But should default settings really be optimized to accommodate broken firewalls?

Gilles
--
Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
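To make Gilles's point concrete, here is an added example (not from the thread and not BIND's code): a simplified model of filling a UDP response in which AUTHORITY/ADDITIONAL RRsets that do not fit are dropped without TC, while an ANSWER that does not fit sets TC. The example.com names and 192.0.2.x addresses are constructed.

```python
import struct

# Simplified model (added example, not BIND's code) of filling a UDP response:
# AUTHORITY/ADDITIONAL RRsets that do not fit are dropped silently, while an
# ANSWER that does not fit forces the TC bit.  minimal-responses only removes
# AUTHORITY/ADDITIONAL up front, so it cannot change the TC outcome.

A, MX = 1, 15
TC_FLAG = 0x0200  # TC bit in the flags word of the header


def encode_name(name):
    """Uncompressed wire form of a domain name (RFC 1035 section 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def encode_rr(name, rtype, ttl, rdata):
    """One resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qname, qtype, answer, authority, additional,
                   bufsize=512, minimal_responses=False):
    """Sections are lists of RRsets; an RRset is a list of encoded RRs.

    Returns (wire, tc_set, dropped): dropped counts whole AUTHORITY/ADDITIONAL
    RRsets removed to fit bufsize (RRsets are never split, RFC 2181 5.4.2)."""
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    if minimal_responses:
        authority, additional = [], []
    sections = [list(answer), list(authority), list(additional)]

    def size():
        return 12 + len(question) + sum(len(rr) for s in sections for rrset in s for rr in rrset)

    dropped = 0
    # Trim the non-essential sections first; no TC, the client can fetch them itself.
    for sec in (sections[2], sections[1]):
        while sec and size() > bufsize:
            sec.pop()
            dropped += 1
    # If the ANSWER alone still overflows, set TC so the client retries over TCP.
    tc = size() > bufsize
    if tc:
        sections[0].clear()  # send an empty answer with TC rather than a partial RRset
    flags = 0x8400 | (TC_FLAG if tc else 0)  # QR + AA (+ TC)
    counts = [1] + [sum(len(rrset) for rrset in s) for s in sections]
    header = struct.pack("!HHHHHH", 0x1234, flags, *counts)
    body = b"".join(rr for s in sections for rrset in s for rr in rrset)
    return header + question + body, tc, dropped


def demo():
    """Constructed data: a 20-address RRset (620 bytes) can never fit in 512 bytes."""
    big_a = [[encode_rr("www.example.com.", A, 300, bytes([192, 0, 2, i])) for i in range(1, 21)]]
    mx = [[encode_rr("example.com.", MX, 300, struct.pack("!H", 10) + encode_name("mail.example.com."))]]
    glue = [[encode_rr("mail.example.com.", A, 300, bytes([192, 0, 2, i])) for i in range(1, 21)]]
    results = {}
    for minimal in (False, True):
        # Oversized ANSWER: TC is set whether or not minimal-responses is on.
        _, tc_big, _ = build_response("www.example.com.", A, big_a, [], [], minimal_responses=minimal)
        # Small ANSWER, oversized ADDITIONAL: glue is dropped, TC stays clear.
        wire, tc_mx, dropped = build_response("example.com.", MX, mx, [], glue, minimal_responses=minimal)
        results[minimal] = (tc_big, tc_mx, dropped, len(wire))
    return results
```

In both configurations the oversized ANSWER yields TC and the oversized ADDITIONAL does not; minimal-responses only changes how many RRsets the server had to drop itself.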
Can't find named_dump.db
Using BIND 9.8.1 on Ubuntu 12.04, I try to save the server cache using the command sudo rndc dumpdb -cache (without quotes, obviously), but then I can't find the file /etc/bind/named_dump.db, /etc/bind/ being the working directory of the server. Why?
Re: Can't find named_dump.db
On 03/12/12 15:41, Daniele Imbrogino wrote:
> Using BIND 9.8.1 on Ubuntu 12.04, I try to save the server cache using the command sudo rndc dumpdb -cache (without quotes, obviously), but then I can't find the file /etc/bind/named_dump.db, /etc/bind/ being the working directory of the server.

Check that named has permissions to write to that file. It would be unusual for it to have write access to /etc in my experience.
Re: Expiration TTLs
On Dec 2, 2012, at 6:10 PM, Paul Romano wrote:
> Chris. Thanks for the correction on the term TTL instead of timer. The engineer I inherited this environment from has the refresh set to 40 minutes and the zone expiration set to 2 hours. The explanation I got was that since we are authoritative for AD we want to ensure that some kind of scavenging is in place. Your explanation suggests that the refresh time is strictly survivability and will not force an update if the serial numbers do not increment enough to implement the refresh. Am I stating this correctly? Any suggestions?

No, that's not quite right. Here are some definitions:

- Refresh timer: Controls how often a slave or stub server will check in with its configured master(s) to see if the zone has been updated, in the absence of a notify message. This check is an SOA query. This is related to master/slave and master/stub zone replication. If the serial number in the retrieved SOA record is larger than the serial number the server currently has -- even by 1 -- it triggers either a zone transfer (slave) or further queries for NS and A records (stub).

- Retry timer: If a refresh check fails, the slave or stub server will start the retry timer instead of the refresh timer. When it runs out, the server tries again to refresh from its master(s). The purpose is to control how often a slave or stub server refreshes while the master is unavailable.

- Expire timer: At every successful refresh check, this timer is reset. If the zone has not been refreshed by the time this timer runs out, the zone is expired. The server will not respond authoritatively (for slave zones); I'm not sure exactly what happens with stub servers, or whether they use this timer at all.

Typically, the refresh timer is set to the longest amount of time the organization will permit a slave to be out of date compared to its master -- depending on the usage, usually somewhere between 1 hour and 1 day. The retry timer is often set to a smaller value -- often between 10 minutes and 2 hours -- but I've seen installations where it is set longer (and not due to misunderstanding). The expire timer is generally set to between 1 and 6 weeks, to allow time for a problem with a master to be noticed and corrected before a slave stops responding authoritatively.

The notify mechanism, whereby an authoritative server proactively notifies other authoritative servers (typically a primary master notifying its slaves) when a zone is updated, augments this system of timers. When a notify is received, it causes a refresh check to occur immediately; this resets the timers.

Note that there is no scavenging function in BIND (nothing similar to MS DNS' aging and scavenging feature set), and no way to really implement it purely in DNS. Any attempt to use the expire timer to achieve this is evidence of a profound misunderstanding of the use of these timers.

Regards,
Chris Buxton
BlueCat Networks
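The three timers Chris defines can be walked through with a small simulation. This is an added example, not code from the thread or from BIND; the outage scenario and the 40-minute/2-hour values it compares against a two-week expire are constructed to match the setup Paul inherited.

```python
# Added example (not from the thread): a minimal model of a secondary's
# refresh/retry/expire behaviour as described above, used to see what a
# 40-minute refresh with a 2-hour expire does when the master is unreachable.

MIN, HOUR, DAY = 60, 3600, 86400


def simulate_secondary(refresh, retry, expire, master_up, horizon, notify_at=()):
    """Run a secondary from a successful zone load at t=0 until `horizon` seconds.

    master_up(t) -> bool: whether the SOA refresh check issued at time t succeeds.
    notify_at: times at which a NOTIFY arrives; each one forces an immediate check.
    Returns (expired_at, checks): expired_at is None if the zone is still served
    authoritatively at the horizon; checks lists (t, "ok" | "fail") per SOA query."""
    expire_deadline = expire      # reset on every successful refresh check
    next_check = refresh          # the refresh timer starts when the zone is loaded
    pending_notify = sorted(notify_at)
    checks = []
    while True:
        # A NOTIFY that arrives before the scheduled check pulls the check forward.
        if pending_notify and pending_notify[0] < next_check:
            t = pending_notify.pop(0)
        else:
            t = next_check
        if t >= horizon:
            return (expire_deadline if expire_deadline <= horizon else None), checks
        if expire_deadline <= t:
            # The expire timer ran out before this check: the zone is dropped.
            return expire_deadline, checks
        if master_up(t):
            checks.append((t, "ok"))
            expire_deadline = t + expire
            next_check = t + refresh
        else:
            checks.append((t, "fail"))
            next_check = t + retry    # the retry timer replaces the refresh timer


def outage(start, end):
    """Master reachable at all times except during [start, end)."""
    return lambda t: not (start <= t < end)


def compare():
    """Constructed scenario: the master is down for 3 hours starting at t=50 min.

    Returns (expired_at with the inherited 2-hour expire, expired_at with 2 weeks)."""
    down = outage(50 * MIN, 50 * MIN + 3 * HOUR)
    inherited, _ = simulate_secondary(40 * MIN, 10 * MIN, 2 * HOUR, down, DAY)
    sane, _ = simulate_secondary(40 * MIN, 10 * MIN, 2 * 7 * DAY, down, DAY)
    return inherited, sane
```

With the inherited values the secondary stops answering authoritatively 2 hours 40 minutes into the day, while the master is still down; with a two-week expire it simply keeps retrying and picks the zone back up.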
Re: Can't find named_dump.db
On Dec 3, 2012, at 7:41 AM, Daniele Imbrogino wrote:
> Using BIND 9.8.1 on Ubuntu 12.04, I try to save the server cache using the command sudo rndc dumpdb -cache (without quotes, obviously), but then I can't find the file /etc/bind/named_dump.db, /etc/bind/ being the working directory of the server.

Look in /var/cache/bind. That's the working directory for the bind9 package default configuration. (To see this, use 'grep directory /etc/bind/named.conf.options'.)

Chris Buxton
BlueCat Networks
Re: Can't find named_dump.db
I edited the working directory to /etc/bind because this is the directory where I have all the zone data files. If I use the default /var/cache/bind, do I also have to move the zone data files (or, at least, create an alias)? I'm saying this because even if the default configuration has /var/cache/bind as the default working directory, all the files are in /etc/bind by default.

2012/12/3 Chris Buxton chris.p.bux...@gmail.com
> On Dec 3, 2012, at 7:41 AM, Daniele Imbrogino wrote:
>> Using BIND 9.8.1 on Ubuntu 12.04, I try to save the server cache using the command sudo rndc dumpdb -cache (without quotes, obviously), but then I can't find the file /etc/bind/named_dump.db, /etc/bind/ being the working directory of the server.
>
> Look in /var/cache/bind. That's the working directory for the bind9 package default configuration. (To see this, use 'grep directory /etc/bind/named.conf.options'.)
>
> Chris Buxton
> BlueCat Networks
Find all authoritative domains for a nameserver?
Hi all,

I don't know if there's an easy, or even moderately easy way to do this, but can one somehow figure out/get a list of all domains for which the nameserver is set to a given IP/server name? For reasons I won't get into, the people who register the domains are not the same as the people who run the DNS servers (me) and occasionally the domains I have zones defined for in my nameservers do not match the WHOIS records. Normally, that problem becomes pretty obvious because nothing works right, but it does generate a lot of logging for failed queries to the nameservers. I guess that would be one way to tell when someone has made us authoritative for a domain but not had us create a zone file, but is there a way to get a list somehow?

Thanks.

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: Find all authoritative domains for a nameserver?
Hi--

On Dec 3, 2012, at 3:30 PM, Novosielski, Ryan wrote:
> I don't know if there's an easy, or even moderately easy way to do this, but can one somehow figure out/get a list of all domains for which the nameserver is set to a given IP/server name?

It's easy enough to test whether a specific domain is being delegated to your nameserver by checking WHOIS or asking for NS records for the domain. It's also easy enough if you have access to the nameserver configs to see which domains it is set up to be authoritative for. However, since someone could delegate some.strange.subdomain.from.my.domain to an arbitrary nameserver (i.e., yours), there's no way of exhaustively identifying these even if you check WHOIS or the root nameservers, AFAIK.

> For reasons I won't get into, the people who register the domains are not the same as the people who run the DNS servers (me) and occasionally the domains I have zones defined for in my nameservers do not match the WHOIS records. Normally, that problem becomes pretty obvious because nothing works right, but it does generate a lot of logging for failed queries to the nameservers. I guess that would be one way to tell when someone has made us authoritative for a domain but not had us create a zone file, but is there a way to get a list somehow?

Registrars are expected to have both a billing/admin contact and a technical contact; make sure that people who expect you to make their domains work put you as the tech contact, and you will at least get notified when they register new top-level domains.

Regards,
--
-Chuck
Re: Find all authoritative domains for a nameserver?
> Hi all, I don't know if there's an easy, or even moderately easy way to do this, but can one somehow figure out/get a list of all domains for which the nameserver is set to a given IP/server name? For reasons I won't get into, the people who register the domains are not the same as the people who run the DNS servers (me) and occasionally the domains I have zones defined for in my nameservers do not match the WHOIS records. Normally, that problem becomes pretty obvious because nothing works right, but it does generate a lot of logging for failed queries to the nameservers. I guess that would be one way to tell when someone has made us authoritative for a domain but not had us create a zone file, but is there a way to get a list somehow?

Back in the old netsol days, a name server admin could get a list of domains for which it was responsible by request. There's also a feature in very very old versions of bind called Inverse DNS, implemented against an optional part of one of the DNS specs, that comes close to this.

Nowadays, verisign and a few others WILL let you download the COM zone via FTP once a day, with special signed agreements (mainly for research purposes, not to solve your problem).

Your best answer comes in either your logs (with some simple grep and perl to do the dig +trace, could make a nice useful report), or some other tool like TCPDUMP, or in a passive DNS provider, but the reality is, all these methods require someone to be querying it. Thankfully, spambots seem to do this quite a lot, and manage to find new domains at an alarming pace.

-Dan Mahoney
ISC
Re: Find all authoritative domains for a nameserver?
On 12/03/2012 06:45 PM, Chuck Swiger wrote:
> Registrars are expected to have both a billing/admin contact and a technical contact; make sure that people who expect you to make their domains work put you as the tech contact, and you will at least get notified when they register new top-level domains.

Yeah, and at least that is now the case; that just doesn't help with the misdeeds of the past.

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: Find all authoritative domains for a nameserver?
On 12/03/2012 06:52 PM, Dan Mahoney wrote:
>> Hi all, I don't know if there's an easy, or even moderately easy way to do this, but can one somehow figure out/get a list of all domains for which the nameserver is set to a given IP/server name? For reasons I won't get into, the people who register the domains are not the same as the people who run the DNS servers (me) and occasionally the domains I have zones defined for in my nameservers do not match the WHOIS records. Normally, that problem becomes pretty obvious because nothing works right, but it does generate a lot of logging for failed queries to the nameservers. I guess that would be one way to tell when someone has made us authoritative for a domain but not had us create a zone file, but is there a way to get a list somehow?
>
> Back in the old netsol days, a name server admin could get a list of domains for which it was responsible by request. There's also a feature in very very old versions of bind called Inverse DNS, implemented against an optional part of one of the DNS specs, that comes close to this.
>
> Nowadays, verisign and a few others WILL let you download the COM zone via FTP once a day, with special signed agreements (mainly for research purposes, not to solve your problem).
>
> Your best answer comes in either your logs (with some simple grep and perl to do the dig +trace, could make a nice useful report), or some other tool like TCPDUMP, or in a passive DNS provider, but the reality is, all these methods require someone to be querying it. Thankfully, spambots seem to do this quite a lot, and manage to find new domains at an alarming pace.

Thanks, that's about what I'd expected to hear. Luckily what you've said is true (I get hundreds of queries for umdnj.org for example) and the problem isn't actually a serious one unless someone expects the site to be working (in which case, I'd hear about it anyway).

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: Find all authoritative domains for a nameserver?
So,

Had this same issue where a customer forgot whom they actually supported. Grep the named.conf for the zones (shows active zones). Then grep the db file for the A records of each active zone. Then write a script to query 8.8.8.8 or whois for the names. This returns the customer info. You can also set up query greps for DNS logs. Anything answering is where you would look; then again write a script against whois on the internet. No easy way around getting customer info other than a script against whois if you have a ton of A record returns.

Hope this helped,
Ed

On Mon, Dec 3, 2012 at 6:30 PM, Novosielski, Ryan novos...@umdnj.edu wrote:
> Hi all,
>
> I don't know if there's an easy, or even moderately easy way to do this, but can one somehow figure out/get a list of all domains for which the nameserver is set to a given IP/server name? For reasons I won't get into, the people who register the domains are not the same as the people who run the DNS servers (me) and occasionally the domains I have zones defined for in my nameservers do not match the WHOIS records. Normally, that problem becomes pretty obvious because nothing works right, but it does generate a lot of logging for failed queries to the nameservers. I guess that would be one way to tell when someone has made us authoritative for a domain but not had us create a zone file, but is there a way to get a list somehow?
>
> Thanks.
>
> --
> Ryan Novosielski - Sr. Systems Programmer
> novos...@umdnj.edu - 973/972.0922 (2-0922)
> Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
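Dan's "grep the logs" suggestion and Ed's "grep named.conf for the zones" step can be combined into one check. This is an added example, not code from the thread; the named.conf fragment and the BIND 9 query-log lines are constructed samples, and the zone/parent grouping is a simplification noted in the comments.

```python
import re

# Added example, not from the thread: the "grep named.conf for zones, grep the
# query log" idea as a small script.  Both inputs below are constructed samples.

NAMED_CONF = """
zone "umdnj.edu" { type master; file "/etc/bind/db.umdnj.edu"; };
zone "example.net" IN { type slave; masters { 192.0.2.10; }; file "sl.example.net"; };
zone "." { type hint; file "/etc/bind/db.root"; };
"""

# BIND 9 query log lines ('querylog yes'); '+' = RD set, '-' = RD clear.  Constructed.
QUERY_LOG = """
03-Dec-2012 18:30:01.123 client 198.51.100.7#40211: query: www.umdnj.edu IN A + (192.0.2.53)
03-Dec-2012 18:30:02.456 client 198.51.100.8#53012: query: umdnj.org IN MX - (192.0.2.53)
03-Dec-2012 18:30:03.789 client 203.0.113.5#1025: query: mail.umdnj.org IN A + (192.0.2.53)
03-Dec-2012 18:30:04.001 client 198.51.100.9#1026: query: ftp.example.net IN AAAA - (192.0.2.53)
03-Dec-2012 18:30:05.002 client 203.0.113.6#1027: query: www.google.com IN A + (192.0.2.53)
"""

ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"', re.M)
QUERY_RE = re.compile(r"client [\w.:]+#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")


def configured_zones(conf):
    """Zone names declared in named.conf, lower-cased, without the root hint zone."""
    return {z.lower().rstrip(".") for z in ZONE_RE.findall(conf) if z != "."}


def covering_zone(qname, zones):
    """The configured zone that is qname or its closest enclosing parent, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def uncovered_queries(conf, log, include_recursive=False):
    """Count queries for names outside every configured zone, keyed by parent domain.

    By default only queries with RD clear ('-') are counted: that is what another
    resolver sends to a server it believes to be authoritative, i.e. the trace of
    a delegation pointing here with no matching zone.  RD-set queries are mostly
    clients treating the server as an open resolver, a different problem."""
    zones = configured_zones(conf)
    counts = {}
    for m in QUERY_RE.finditer(log):
        if m.group("flags").startswith("+") and not include_recursive:
            continue
        if covering_zone(m.group("qname"), zones):
            continue
        # Group under the last two labels; a public-suffix list would be needed
        # to do this properly for names under e.g. co.uk.
        parent = ".".join(m.group("qname").lower().rstrip(".").split(".")[-2:])
        counts[parent] = counts.get(parent, 0) + 1
    return counts
```

On the sample input only umdnj.org shows up as a non-recursive query for a zone the server does not carry, which is exactly the "delegated to us but no zone file" case the thread is chasing.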
DNS Blackholing
All;

Am looking to do some DNS blackholing based on a pre-defined, dynamic list (such as DNS-BH). Am looking for feedback on approaches for this. Sounds like automatically generating an includeable config file with zone entries which point to a fairly bare zone definition file returning a honeypot IP or some such thing is fairly commonly done.

We have several (caching) resolver servers, and am curious how others out there handle those. Do you set up each as a master or do the master/slave thing? Presumably the former, to avoid needless duplication of the bare zone file.

In addition, how much memory is used by BIND for each zone definition? We currently have a fairly small deployment with maybe a hundred zones tops. If we suddenly jump to 1+ -- even if they are all very small, how much memory can we expect to be chewed up so we can plan ahead?

Thanks for any thoughts.

Ray
Re: DNS Blackholing
On Dec 3, 2012, at 5:52 PM, rvandol...@esri.com wrote:
> All;
>
> Am looking to do some DNS blackholing based on a pre-defined, dynamic list (such as DNS-BH). Am looking for feedback on approaches for this. Sounds like automatically generating an includeable config file with zone entries which point to a fairly bare zone definition file returning a honeypot IP or some such thing is fairly commonly done.

Others may offer different advice, but while that was a common way to do it in the past, a feature in most modern versions of BIND nowadays is Response Policy Zones. Explaining them in full is beyond the scope of a simple mailing list post, but a good starting point is vixie's blog entry on the ISC website here: ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt

> We have several resolvers (caching) servers, and am curious how others out there handle those. Do you set up each as a master or do the master/slave thing? Presumably the former to avoid needless duplication of the bare zone file.

See above.

> In addition, how much memory is used by BIND for each zone definition? We currently have a fairly small deployment with maybe a hundred zones tops. If we suddenly jump to 1+ -- even if they are all very small, how much memory can we expect to be chewed up so we can plan ahead?

With RPZ, you have a single zone instead of 10,000. It shows promise and much better scaling, as well as the ability to replicate your single policy zone via standard AXFR/IXFR metrics. SpamHaus is currently making some of their data available in this format: http://www.spamhaus.org/news/article/669/

-Dan Mahoney
Re: DNS Blackholing
We have found that RPZ works quite well for us. We have 366825 names in our RPZ zone at present and scaling thus far has been a non-issue.

John
---
John Hascall, j...@iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication Directory Services)
IT Services, The Iowa State University of Science and Technology

> On Dec 3, 2012, at 5:52 PM, rvandol...@esri.com wrote:
>> All;
>>
>> Am looking to do some DNS blackholing based on a pre-defined, dynamic list (such as DNS-BH). Am looking for feedback on approaches for this. Sounds like automatically generating an includeable config file with zone entries which point to a fairly bare zone definition file returning a honeypot IP or some such thing is fairly commonly done.
>
> Others may offer different advice, but while that was a common way to do it in the past, a feature in most modern versions of BIND nowadays is Response Policy Zones. Explaining them in full is beyond the scope of a simple mailing list post, but a good starting point is vixie's blog entry on the ISC website here: ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
>
>> We have several resolvers (caching) servers, and am curious how others out there handle those. Do you set up each as a master or do the master/slave thing? Presumably the former to avoid needless duplication of the bare zone file.
>
> See above.
>
>> In addition, how much memory is used by BIND for each zone definition? We currently have a fairly small deployment with maybe a hundred zones tops. If we suddenly jump to 1+ -- even if they are all very small, how much memory can we expect to be chewed up so we can plan ahead?
>
> With RPZ, you have a single zone instead of 10,000. It shows promise and much better scaling, as well as the ability to replicate your single policy zone via standard AXFR/IXFR metrics. SpamHaus is currently making some of their data available in this format: http://www.spamhaus.org/news/article/669/
>
> -Dan Mahoney
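The RPZ approach Dan and John describe replaces thousands of generated stub zones with a single policy zone. The generator below is an added example (not from the thread, not ISC's or Spamhaus's code); the blocked names, serial, sinkhole address and the rpz.local zone name are constructed, and the named.conf snippet is only the two statements that activate such a zone.

```python
# Added example, not from the thread: build one RPZ zone from a blocklist instead
# of one stub zone per blocked name.  Names, serial and sinkhole address are
# constructed samples; the zone is then loaded as a master zone and named in the
# response-policy statement of the options block.

ACTIONS = {
    "nxdomain": "CNAME .",               # answer NXDOMAIN
    "nodata": "CNAME *.",                # answer NODATA
    "passthru": "CNAME rpz-passthru.",   # exempt the name (e.g. a false positive)
}


def rpz_records(name, rdata, subdomains=True):
    """QNAME trigger for `name` and, optionally, a wildcard covering its subdomains."""
    name = name.lower().rstrip(".")
    recs = ["%s IN %s" % (name, rdata)]
    if subdomains:
        recs.append("*.%s IN %s" % (name, rdata))
    return recs


def rpz_zone(blocked, serial, action="nxdomain", sinkhole=None, passthru=(), ns="localhost."):
    """Return zone-file text for an RPZ zone.

    action selects the policy for blocked names; "local" writes an A record
    with the sinkhole address (Local Data), i.e. the 'honeypot IP' approach."""
    if action == "local":
        if not sinkhole:
            raise ValueError("action='local' requires a sinkhole address")
        rdata = "A " + sinkhole
    else:
        rdata = ACTIONS[action]
    lines = [
        "$TTL 300",
        "@ IN SOA %s hostmaster.rpz.invalid. %d 3600 600 604800 300" % (ns, serial),
        "@ IN NS %s" % ns,
    ]
    for name in sorted({n.lower().rstrip(".") for n in blocked}):
        lines += rpz_records(name, rdata)
    # Exact-name passthru entries let a wrongly listed name keep resolving normally.
    for name in sorted({n.lower().rstrip(".") for n in passthru}):
        lines += rpz_records(name, ACTIONS["passthru"], subdomains=False)
    return "\n".join(lines) + "\n"


def named_conf_snippet(zone="rpz.local", path="/var/cache/bind/db.rpz.local"):
    """The named.conf pieces that activate the zone (constructed zone name and path)."""
    return ('zone "%s" { type master; file "%s"; allow-query { none; }; };\n'
            '// inside the existing options { } block:\n'
            'response-policy { zone "%s"; };\n') % (zone, path, zone)
```

Bumping the serial and reloading (or letting secondaries pick it up over AXFR/IXFR) updates every resolver's policy from one file, which is the scaling property the thread points out.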