RFC for SOA record for delegated subdomain
Dear All,

Is there any RFC which specifies that every delegated subdomain shall have an SOA record?

Thanks and regards
Abdul Khader

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: domain-unable-resolve
On your DNS server (recursing) put the following so that any query for the domain abudawood.com is forwarded to the Google DNS server:

zone "abudawood.com" IN {
    type forward;
    forward only;
    forwarders { 8.8.8.8; };
};

Regards

On 2/9/2017 1:34 PM, Ejaz wrote:

Thank you all for the detailed explanation. I understood as a sysadmin, but our client will be comparing with the Google open DNS server. No, I can't use his DNS server. From ns10.cyberia.net.sa, connection timed out.

It is one of our VIP customers and is complaining that "I have a problem in my name servers"; when they use an open DNS server such as Google and several others, they don't have any issue resolving their records. Satisfying the customer is becoming tough. They only have a problem resolving the queries when they start using our DNS ns10.cyberia.net.sa.

Ejaz

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Abdul Khader
Sent: Thursday, February 9, 2017 11:31 AM
To: bind-users@lists.isc.org
Subject: Re: domain-unable-resolve

Is your DNS server (ns10.cyberia.net.sa) able to connect to the NS servers of abudawood.com?

On 2/9/2017 11:32 AM, Ejaz wrote:

Hello,

From time to time we have problems resolving some domains; one of them is "abudawood.com", which we are unable to resolve through our DNS server "ns10.cyberia.net.sa", where I have the latest BIND version and all. What could be the issue and what is the best way to troubleshoot?

My BIND version:

[root@ns10 ~]# named -v
BIND 9.11.0

Below is the trace result; it reached their DNS server but could not get query results.

[root@ns10 ~]# dig ns SAMANet.gov.sa

; <<>> DiG 9.11.0 <<>> ns SAMANet.gov.sa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31831
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b7510c2058b91a7d3bc824e8589c0f68772d7bfd43357c41 (good)
;; QUESTION SECTION:
;SAMANet.gov.sa.                IN      NS

;; ANSWER SECTION:
SAMANet.gov.sa.         3587    IN      NS      ns2.bluvalt.sa.
SAMANet.gov.sa.         3587    IN      NS      ns1.bluvalt.sa.

;; ADDITIONAL SECTION:
ns1.bluvalt.sa.         23003   IN      A       46.49.128.130
ns2.bluvalt.sa.         23003   IN      A       46.49.140.146

;; Query time: 5 msec
;; SERVER: 212.119.64.2#53(212.119.64.2)
;; WHEN: Thu Feb 09 09:42:48 AST 2017
;; MSG SIZE  rcvd: 147

[root@ns10 ~]# dig ns sama.org.sa

; <<>> DiG 9.11.0 <<>> ns sama.org.sa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11980
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2bebca3cf5e2d6f3cad9e21b589c0f726413bf957d972607 (good)
;; QUESTION SECTION:
;sama.org.sa.                   IN      NS

;; ANSWER SECTION:
sama.org.sa.            3600    IN      NS      ns1.bluvalt.sa.
sama.org.sa.            3600    IN      NS      ns2.bluvalt.sa.

;; ADDITIONAL SECTION:
ns1.bluvalt.sa.         22993   IN      A       46.49.128.130
ns2.bluvalt.sa.         22993   IN      A       46.49.140.146

;; Query time: 9 msec
;; SERVER: 212.119.64.2#53(212.119.64.2)
;; WHEN: Thu Feb 09 09:42:58 AST 2017
;; MSG SIZE  rcvd: 144

[root@ns10 ~]# sama.org.sa. 3600IN NS ns1.bluvalt.sa.
bash: sama.org.sa.: command not found...
[root@ns10 ~]# sama.org.sa. 3600IN NS ns2.bluvalt.sa.sa ma.org.sa.3600IN NS ns1.bluvalt.sa.
bash: sama.org.sa.: command not found...
[root@ns10 ~]# sama.org.sa. 3600IN NS ns2.bluvalt.sa.^C
[root@ns10 ~]# named -v
BIND 9.11.0
[root@ns10 ~]# vi /etc/named.conf
[root@ns10 ~]# dig abudawood.com +trace

; <<>> DiG 9.11.0 <<>> abudawood.com +trace
;; global options: +cmd
.                       106794  IN      NS      a.root-servers.net.
.                       106794  IN      NS      c.root-servers.net.
.                       106794  IN      NS      k.root-servers.net.
.                       106794  IN      NS      l.root-servers.net.
.                       106794  IN      NS      f.root-servers.net.
.                       106794  IN      NS      b.root-servers.net.
.                       106794  IN      NS      h.root-servers.net.
.                       106794  IN      NS      m.root-servers.net.
.                       106794  IN      NS      j.root-servers.net.
.                       106794  IN      NS      d.root-servers.net.
.                       106794  IN      NS      i.root-servers.net.
Re: domain-unable-resolve
Is your DNS server (ns10.cyberia.net.sa) able to connect to the NS servers of abudawood.com?

On 2/9/2017 11:32 AM, Ejaz wrote:

Hello,

From time to time we have problems resolving some domains; one of them is "abudawood.com", which we are unable to resolve through our DNS server "ns10.cyberia.net.sa", where I have the latest BIND version and all. What could be the issue and what is the best way to troubleshoot?

My BIND version:

[root@ns10 ~]# named -v
BIND 9.11.0

Below is the trace result; it reached their DNS server but could not get query results.

[root@ns10 ~]# dig ns SAMANet.gov.sa

; <<>> DiG 9.11.0 <<>> ns SAMANet.gov.sa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31831
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b7510c2058b91a7d3bc824e8589c0f68772d7bfd43357c41 (good)
;; QUESTION SECTION:
;SAMANet.gov.sa.                IN      NS

;; ANSWER SECTION:
SAMANet.gov.sa.         3587    IN      NS      ns2.bluvalt.sa.
SAMANet.gov.sa.         3587    IN      NS      ns1.bluvalt.sa.

;; ADDITIONAL SECTION:
ns1.bluvalt.sa.         23003   IN      A       46.49.128.130
ns2.bluvalt.sa.         23003   IN      A       46.49.140.146

;; Query time: 5 msec
;; SERVER: 212.119.64.2#53(212.119.64.2)
;; WHEN: Thu Feb 09 09:42:48 AST 2017
;; MSG SIZE  rcvd: 147

[root@ns10 ~]# dig ns sama.org.sa

; <<>> DiG 9.11.0 <<>> ns sama.org.sa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11980
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2bebca3cf5e2d6f3cad9e21b589c0f726413bf957d972607 (good)
;; QUESTION SECTION:
;sama.org.sa.                   IN      NS

;; ANSWER SECTION:
sama.org.sa.            3600    IN      NS      ns1.bluvalt.sa.
sama.org.sa.            3600    IN      NS      ns2.bluvalt.sa.

;; ADDITIONAL SECTION:
ns1.bluvalt.sa.         22993   IN      A       46.49.128.130
ns2.bluvalt.sa.         22993   IN      A       46.49.140.146

;; Query time: 9 msec
;; SERVER: 212.119.64.2#53(212.119.64.2)
;; WHEN: Thu Feb 09 09:42:58 AST 2017
;; MSG SIZE  rcvd: 144

[root@ns10 ~]# sama.org.sa. 3600IN NS ns1.bluvalt.sa.
bash: sama.org.sa.: command not found...
[root@ns10 ~]# sama.org.sa. 3600IN NS ns2.bluvalt.sa.sa ma.org.sa.3600IN NS ns1.bluvalt.sa.
bash: sama.org.sa.: command not found...
[root@ns10 ~]# sama.org.sa. 3600IN NS ns2.bluvalt.sa.^C
[root@ns10 ~]# named -v
BIND 9.11.0
[root@ns10 ~]# vi /etc/named.conf
[root@ns10 ~]# dig abudawood.com +trace

; <<>> DiG 9.11.0 <<>> abudawood.com +trace
;; global options: +cmd
.                       106794  IN      NS      a.root-servers.net.
.                       106794  IN      NS      c.root-servers.net.
.                       106794  IN      NS      k.root-servers.net.
.                       106794  IN      NS      l.root-servers.net.
.                       106794  IN      NS      f.root-servers.net.
.                       106794  IN      NS      b.root-servers.net.
.                       106794  IN      NS      h.root-servers.net.
.                       106794  IN      NS      m.root-servers.net.
.                       106794  IN      NS      j.root-servers.net.
.                       106794  IN      NS      d.root-servers.net.
.                       106794  IN      NS      i.root-servers.net.
.                       106794  IN      NS      g.root-servers.net.
.                       106794  IN      NS      e.root-servers.net.
.                       107999  IN      RRSIG   NS 8 0 518400 2017022205 201 7020904 61045 . TMv9X94Rxe6LPkPDaUB4KgOOP80SX5cNBXSawftLwIofkZWLDB1H9BUk EP8 P+7OobV6BxU/prHrNaReq4V7GY5GyOIBkvH7N6QqbrTpaYyAuWlWz gdtF9DthsLfsKSqUMqB50NGBDR V3erxuenHmX5f2VkLK/Dor3eUMdSBN wwUN4NPPst9PaORSqmTzSIirRfm7oglOvjKMtIrTu4+cOofHs XO0bi7j fXu+TT/+6SlFu2x3NXxOZStGSmeWOf6xmkIUNUShjP0HDFz0KxrxOYPj Y8agXhxchni2js4 92pY6/oFeb4txcps6tk28WdSeYljCCUTsQ39tQTBO PjrnvA==
;; Received 1125 bytes from 212.119.64.2#53(212.119.64.2) in 0 ms

com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.
Re: outgoing-traffic
Ejaz,

As per the trace file, QPS is around 1,158. Not sure what the specs of your server are, but it is very low compared to other ISPs. You need to rate-limit the following IPs to around 20 QPS. All of these IPs are sending ANY queries for cpsc.gov. This is an amplification attack.

212.118.122.99/100/101

How you want to apply the rate limit is up to you. You can ask your security team to do it, or you can do it using iptables on the server. I feel almost all Red Hat servers will have iptables installed by default.

Regards
Abdul Khader

On 7/27/2016 6:15 PM, Ejaz wrote:

> Denying the request isn't going to solve anything in this case, they are still going to repeatedly ask for it and the traffic has already hit your system before ANY queries would be denied.

Agreed, but at least it minimizes the problem, as if the request is 50 bytes then the response is also 50 bytes, not more than that??

Ejaz

-----Original Message-----
From: S Carr [mailto:sjc...@gmail.com]
Sent: Wednesday, July 27, 2016 4:58 PM
To: Ejaz
Cc: bind-users
Subject: Re: outgoing-traffic

On 27 July 2016 at 14:44, Ejaz wrote:
> Such as, if someone is sending an ANY request, by default it should be denied when users request it..

Denying the request isn't going to solve anything in this case, they are still going to repeatedly ask for it and the traffic has already hit your system before ANY queries would be denied.
RE: outgoing-traffic
Did not find any attachment.

Ejaz wrote:
>Thank you so much Abdul for your instant support.
>
>As requested, find the attached.
>
>
>Ejaz
>-----Original Message-----
>From: akha...@ies.etisalat.ae [mailto:akha...@ies.etisalat.ae]
>Sent: Wednesday, July 27, 2016 3:04 PM
>To: Ejaz ; 'S Carr'
>Cc: bind-users@lists.isc.org
>Subject: RE: outgoing-traffic
>
>You can use tcpdump on your DNS server to take the trace.
>
>Command would be like below.
>
>tcpdump -i any port 53 -w trace.pcap
>
>You can share trace.pcap with us.
>
>Regards
>Abdul Khader
>
>Ejaz wrote:
>
>>
>>Thank you.
>>
>>The traffic will go to the router, which is handled by the Network dept. The fear
>>is that the router may crash if we start enabling the packet capture, since it
>>is layer 7.
>>
>>Is it advisable if we deny outbound UDP port 0 from the DNS servers, after
>>enabling the firewall?
>>
>>
>>Ejaz
>>
>>-----Original Message-----
>>From: S Carr [mailto:sjc...@gmail.com]
>>Sent: Wednesday, July 27, 2016 10:51 AM
>>To: Ejaz
>>Cc: bind-users
>>Subject: Re: outgoing-traffic
>>
>>On 27 July 2016 at 08:41, Ejaz wrote:
>>> Thanks for all.
>>>
>>> But the strange thing is that if the request comes in on port 53 then it
>>> should go out only from 53, is it?? Why does it go out from 0? Any clue would be
>>> highly appreciated.
>>>
>>> Regards
>>> Ejaz
>>
>>Where's the packet capture to review?
>>
RE: outgoing-traffic
You can use tcpdump on your DNS server to take the trace.

Command would be like below.

tcpdump -i any port 53 -w trace.pcap

You can share trace.pcap with us.

Regards
Abdul Khader

Ejaz wrote:
>
>Thank you.
>
>The traffic will go to the router, which is handled by the Network dept. The fear
>is that the router may crash if we start enabling the packet capture, since it
>is layer 7.
>
>Is it advisable if we deny outbound UDP port 0 from the DNS servers, after
>enabling the firewall?
>
>
>Ejaz
>
>-----Original Message-----
>From: S Carr [mailto:sjc...@gmail.com]
>Sent: Wednesday, July 27, 2016 10:51 AM
>To: Ejaz
>Cc: bind-users
>Subject: Re: outgoing-traffic
>
>On 27 July 2016 at 08:41, Ejaz wrote:
>> Thanks for all.
>>
>> But the strange thing is that if the request comes in on port 53 then it
>> should go out only from 53, is it?? Why does it go out from 0? Any clue would be
>> highly appreciated.
>>
>> Regards
>> Ejaz
>
>Where's the packet capture to review?
>
Re: outgoing-traffic
You can use iptables to rate-limit the IP.

On 7/26/2016 12:11 PM, Ejaz wrote:

All,

There is huge traffic coming out from my DNS server since yesterday, flooding the IP 212.107.121.110. Though I have increased the tcp-clients limit in named.conf, the issue remains. Any help would be highly appreciated.

My BIND version is:

[root@ns10 ~]# named -v
BIND 9.9.2-P1

When checking, there are several entries as below.

Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached quota reached
Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4571: no more TCP clients: quota reached
Jul 26 10:53:13 ns10 named[3004]: client 212.107.121.110#4572: no more TCP clients: quota reached
Jul 26 10:53:19 ns10 named[3004]: client 212.107.121.110#4597: no more TCP clients: quota reached
Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4633: no more TCP clients: quota reached
Jul 26 10:53:25 ns10 named[3004]: client 212.107.121.110#4635: no more TCP clients: quota reached
Jul 26 10:53:26 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached

Thanks,
Mohammed Ejaz
Asst. Operation Director of Systems.
Cyberia SAUDI ARABIA
P.O.Box: 301079, Riyadh 11372
Phone: (+966) 11 464 7114 Ext. 140
Mobile: (+966) 562311787
Fax: (+966) 11 465 4735
Website: http://www.cyberia.net.sa
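The two "outgoing-traffic" replies above (rate-limit the sources sending ANY queries for cpsc.gov to about 20 QPS, and the earlier TCP-client quota messages from 212.107.121.110) both come down to the same operational question: which clients are hammering the server, at what rate, and with what. The following shell script is an added example, not code from the thread or from ISC; it reads named syslog lines, counts events per client, flags ANY queries and quota hits, and works out each client's peak per-second rate so the result can feed a rate-limit rule. The sample log lines are constructed for the example (the client addresses and the cpsc.gov name come from the thread, the timestamps and ports do not), and the awk assumes the BIND 9.9-style query-log format with the syslog HH:MM:SS timestamp in the third field.

```shell
#!/bin/sh
# dns-client-stats.sh: summarise named log lines per client so the heavy
# senders can be rate-limited. Added example; the log lines below are
# constructed, not taken from the original thread.

SAMPLE_LOG='Jul 27 10:01:00 ns10 named[3004]: client 212.118.122.99#4567 (cpsc.gov): query: cpsc.gov IN ANY +E (203.0.113.5)
Jul 27 10:01:00 ns10 named[3004]: client 212.118.122.99#4568 (cpsc.gov): query: cpsc.gov IN ANY +E (203.0.113.5)
Jul 27 10:01:00 ns10 named[3004]: client 212.118.122.100#5100 (cpsc.gov): query: cpsc.gov IN ANY +E (203.0.113.5)
Jul 27 10:01:01 ns10 named[3004]: client 212.118.122.101#5200 (cpsc.gov): query: cpsc.gov IN ANY +E (203.0.113.5)
Jul 27 10:01:01 ns10 named[3004]: client 198.51.100.7#40001 (www.example.com): query: www.example.com IN A +E (203.0.113.5)
Jul 27 10:01:01 ns10 named[3004]: client 212.107.121.110#4636: no more TCP clients: quota reached
Jul 27 10:01:02 ns10 named[3004]: client 212.118.122.99#4569 (cpsc.gov): query: cpsc.gov IN ANY +E (203.0.113.5)'

# dns_client_stats: read named log lines on stdin and print, per client,
#   <ip> <events> <any_queries> <quota_hits> <peak_events_per_second>
# sorted by event count, highest first. Every line that names a client
# ("client A.B.C.D#port") counts as an event, whether it is a query-log line
# or a "no more TCP clients" quota message.
dns_client_stats() {
    awk '
        match($0, /client [0-9.]+#/) {
            ip = substr($0, RSTART + 7, RLENGTH - 8)   # strip "client " and "#"
            total[ip]++
            persec[ip, $3]++                           # $3 is the syslog HH:MM:SS field
            if ($0 ~ / IN ANY /) anyq[ip]++
            if ($0 ~ /no more TCP clients: quota reached/) quota[ip]++
        }
        END {
            for (k in persec) {
                split(k, p, SUBSEP)
                if (persec[k] > peak[p[1]]) peak[p[1]] = persec[k]
            }
            for (ip in total)
                printf "%s %d %d %d %d\n", ip, total[ip], anyq[ip] + 0, quota[ip] + 0, peak[ip]
        }
    ' | sort -k2,2nr
}

# flag_clients_over <max_qps>: print "<ip> <peak>" for every client whose
# peak per-second rate exceeds <max_qps>. The thread suggests about 20 QPS
# as the ceiling for the ANY senders; a matching iptables rule would be, e.g.
#   iptables -I INPUT -p udp --dport 53 -m hashlimit --hashlimit-name dns \
#       --hashlimit-mode srcip --hashlimit-above 20/sec -j DROP
flag_clients_over() {
    dns_client_stats | awk -v max="$1" '$5 > max { print $1, $5 }'
}

# Stand-alone demo on the constructed sample; on a live server use
#   grep named /var/log/messages | dns_client_stats
printf '%s\n' "$SAMPLE_LOG" | dns_client_stats
```

The per-second peak matters more than the total: a client that sends 3 queries in one second and nothing else is not the one saturating the box, whereas the 1,158 QPS figure from the trace comes from sustained per-second rates. On BIND releases with response rate limiting built in, a `rate-limit { responses-per-second 20; };` block in `options` applies the same ceiling inside named, which cuts the amplified responses without touching the firewall; the ANY-query sources identified here are the same ones either mechanism would throttle.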
Re: Help DNS
Is 127.0.0.1 allowed to query in your named.conf?

On 8/21/2015 8:22 PM, Int wrote:

I am having a problem with DNS name resolution. When I run an nslookup from localhost (127.0.0.1) on the BIND 9 DNS server, here is what the DNS log generates.

For the following query to the DNS:

# nslookup ctc.cu
Server: 127.0.0.1
Address: 127.0.0.1 #53

** server can't find ctc.cu: NXDOMAIN

tail -1000 /var/log/syslog | grep namedd

Response:

Aug 21 01:19:08 ns2 named[4481]: client 127.0.0.1#58899: view local: query (cache) 'ctc.cu/A/IN' denied

In the other views the IP for ctc.cu resolves correctly.

Does anybody know how to solve it? (Aug 21 01:19:08 ns2 named[4481]: client 127.0.0.1#58899: view local: query (cache) 'ctc.cu/A/IN' denied)

I have attached the configuration file of my BIND 9 server; please check my views and zones configuration and tell me if you have any recommendation for configuring the views and the DNS zones, or send me some example configuration for a DNS server with 3 network interfaces.

Please also tell me how I can configure the reverse zones and, in general, what you can recommend for configuring the BIND DNS server with the greatest possible security.

Greetings
William
Re: bind-users Digest, Vol 1909, Issue 1
Please add the following:

server 0.0.0.0/0 { edns no; };

Then do the dig and then check with +trace.

Abdul Khader

On 07-Aug-14 2:33 PM, Xuan Hung wrote:

Dear Abdul Khader!

I commented out //edns-udp-size 512;

But when I check, it fails.

[root@dns data]# dig @203.113.188.3 +noedns +bufsize=0 vodafone-com.mail.protection.outlook.com

; <<>> DiG 9.9.5 <<>> @203.113.188.3 +noedns +bufsize=0 vodafone-com.mail.protection.outlook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54802
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vodafone-com.mail.protection.outlook.com. IN A

;; Query time: 24 msec
;; SERVER: 203.113.188.3#53(203.113.188.3)
;; WHEN: Thu Aug 07 17:23:06 ICT 2014
;; MSG SIZE  rcvd: 58

Thanks./.
%%-
Nguyễn Xuân Hùng
0084-966581518
P.ISP – TT CNTT – VTNet.

From: Abdul Khader [mailto:akha...@ies.etisalat.ae]
Sent: Thursday, August 07, 2014 5:30 PM
To: Xuan Hung; bind-users@lists.isc.org; bind-users-boun...@lists.isc.org; jared.emp...@zitomedia.com; dave.berna...@zitomedia.com; ma...@isc.org; h.rei...@thelounge.net
Subject: Re: bind-users Digest, Vol 1909, Issue 1

Comment out the following line:

edns-udp-size 512;

Abdul Khader

On 07-Aug-14 2:15 PM, Xuan Hung wrote:

Dear Abdul Khader!

My named.conf has:

edns-udp-size 512;
max-cache-size 4096M;
recursive-clients 2;

and has no server 0.0.0.0/0 { edns no; };
Re: bind-users Digest, Vol 1909, Issue 1
Comment out the following line:

edns-udp-size 512;

Abdul Khader
Engineer/Network Services/SOM
Mobile : 050-153-5461
Extension : 86-7292

On 07-Aug-14 2:15 PM, Xuan Hung wrote:

Dear Abdul Khader!

My named.conf has:

edns-udp-size 512;
max-cache-size 4096M;
recursive-clients 2;

and has no server 0.0.0.0/0 { edns no; };
Re: bind-users Digest, Vol 1909, Issue 1
Make sure your firewall allows DNS packets > 512 bytes.

In the meantime, do the following: run dig with "+noedns +bufsize=0". If the dig with "+noedns +bufsize=0" gives you an answer, then add the following to named.conf:

server 0.0.0.0/0 { edns no; };

This should fix your issue. Once your firewall allows DNS packets > 512 bytes, you can remove the named.conf entry.

Abdul Khader
Re: bind-users Digest, Vol 1909, Issue 1
Paste the result of the following command:

dig @203.113.188.3 dep123.com +trace

Abdul Khader

On 07-Aug-14 1:27 PM, Xuan Hung wrote:

Dear Partner!

I set recursive-clients = 2. I sent my server log. Can you help me?

version: 9.9.5 (x.x.x)
CPUs found: 24
worker threads: 24
UDP listeners per interface: 24
number of zones: 5537
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 3686/19900/2
tcp clients: 0/100
server is up and running

[root@dns data]# dig @203.113.188.3 dep123.com

; <<>> DiG 9.9.5 <<>> @203.113.188.3 dep123.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38458
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dep123.com.                    IN      A

;; Query time: 280 msec
;; SERVER: 203.113.188.3#53(203.113.188.3)
;; WHEN: Thu Aug 07 16:15:49 ICT 2014
;; MSG SIZE  rcvd: 39

Thanks./.
%%-
Nguyễn Xuân Hùng
0084-966581518
P.ISP – TT CNTT – VTNet.
Re: bind-users Digest, Vol 1909, Issue 1
What is the value of "recursive-clients" in named.conf?

Abdul Khader

On 07-Aug-14 12:54 PM, Xuan Hung wrote:

Dear Partner!

The problem is shown below. My DNS response fails when recursive clients increase to about 4000. I think the cache DNS has a problem. :( Can you help me fix it?

Thanks./.
%%-
Nguyễn Xuân Hùng
0084-966581518
P.ISP – TT CNTT – VTNet.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of bind-users-requ...@lists.isc.org
Sent: Thursday, August 07, 2014 10:50 AM
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 1909, Issue 1

Today's Topics:

1. Re: ISP caching server setup (Mark Andrews)
2. Re: ISP caching server setup (Jared Empson)
3. Re: ISP caching server setup (Jared Empson)
4. Value of memory (Robert Moskowitz)
5. Re: ISP caching server setup (Jared Empson)

--

Message: 1
Date: Thu, 07 Aug 2014 09:28:45 +1000
From: Mark Andrews
To: Jared Empson
Cc: bind-us...@isc.org
Subject: Re: ISP caching server setup
Message-ID: <20140806232845.5c2b31b9f...@rock.dv.isc.org>

In message <3a1ebfdb-a033-4e07-be61-9f6ba6916...@zitomedia.com>, Jared Empson writes:

> I manage a small group of cache only servers for an ISP. We run Bind 9.7

You run BIND 9.7.0 and haven't applied any of the maintenance releases to BIND 9.7.

> and have noticed that several domains our customers would like to access are unavailable from our cache servers. These same domains work on other provider networks such as Verizon or Google.

In BIND 9.7.0 we restored the code to skip non-authoritative answers from supposedly authoritative servers, having fixed a bug in named. Unfortunately there are some zones for which all the servers are broken and don't return authoritative (aa=1) answers. BIND 9.7.1 reversed the change to skip non-authoritative answers despite it being technically correct.

> What I have found is that these domains all have misconfigured glue records. This could be caused by a recent change of registrar or a misconfigured zone file pointing to NS records that no longer exist as glue records. Because of this, any query of a host from these domains receives a non-authoritative response and is dropped by our cache servers.
>
> How do I configure the cache server to accept the non-authoritative response to provide our customers access to these domains without forwarding to Google's caching servers?
>
> An example domain is losscontrol360.com.
>
> What our customers receive:
>
> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31462
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;losscontrol360.com.            IN      A
>
> ;; Query time: 1380 msec
> ;; SERVER: 10.100.2.11#53(10.100.2.11)
> ;; WHEN: Wed Aug  6 16:00:55 2014
> ;; MSG SIZE  rcvd: 36
>
> What our cache server receives:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38342
> ;; flags: qr ; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1280
> ;; QUESTION SECTION:
> ;losscontrol360.com.            IN      A
>
> ;; ANSWER SECTION:
> losscontrol360.com.     173     IN      A       74.208.98.80
>
> What Google provides:
>
> ; <<>> DiG 9.8.3-P1 <<>> losscontrol360.com @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17193
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;losscontrol360.com.            IN      A
>
> ;; ANSWER SECTION:
> losscontrol360.com.     586     IN      A       74.208.98.80
>
> ;; Query time: 174 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Aug  6 16:01:07 2014
> ;; MSG SIZE  rcvd: 52
>
> Jared Empson
> Systems Administrator
> Zito Media

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org

--

Message: 2
Date: Wed, 6 Aug 2014 20:45:38 -0400
From: Jared Empson
To: Mark Andrews
Cc: Dave Bernardi , bind-us...@isc.org
Subject: Re: ISP caching server setup
Message-ID: <4ef85fa1-deb0-4a51-b90e-6c5e2cfcf...@zitomedia.com>
Content-Type: text/plain; charset=windows-1252

Jared
Re: DNS with several IP addresses
Use views.

Abdul Khader
Engineer/Network Services/SOM
Mobile : 050-153-5461
Extension : 84-5173

On 30/12/2013 1:27 PM, Måns Hagström wrote:

Hi,

I'm running the same DNS for both my local and global address spaces. That is, when I'm on my local net, I want the DNS to reply with my local 192.168.0.1 address, and when users from the 'outside' global net query my DNS, it shall return the global xxx.xxx.xxx.xxx IP address.

My problem is that I have to allocate both the local and the global address to the same domain name, with the result that both my local and global IP addresses are exposed to the users.

Is it possible to isolate the query so that the local users get the local IP address and the global users get the global IP address for the same domain name?

I'm running BIND 9.9.2

BR
Mons
Re: listen-to clusterIP address
Better to write a script which would first check the availability of the Virtual IP before doing "rndc reconfig" during a failover. In case the script does not find the VIP in the first run, you can put in a loop to check for the VIP N times with an interval of N seconds. The failover time depends mostly on the resources being transferred. If the VIP is the only resource, then the script should pick up the VIP in about 60-80 seconds.

Regards
Abdul Khader

On 05/06/2013 1:57 PM, Phil Mayers wrote:

On 05/06/13 20:06, paul wrote:
> Thanks for the quick reply. rndc reconfig has the same problem as a restart. I need to automatically listen to the new IP address without manual intervention.

"rndc reconfig" need not be manual; surely your cluster software can execute a script on IP failover?

Anyway, as you've spotted, lowering the listen interval can emulate this. Personally I'd want BIND to respond a bit quicker than 0-60 seconds when a failover occurs.

The other alternative under Linux would be a long-running process listening to a netlink socket for address changes and exec'ing a reconfig. I wonder if there is such a beast?
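The failover hook described in the reply above, written out as an added example (not the poster's script and not part of BIND): the cluster manager calls it when the VIP moves, it polls the interface list until the address is present, and only then runs "rndc reconfig" so named rescans its listen-on addresses. It assumes Linux with iproute2 ("ip") and a working rndc in PATH; the VIP 192.0.2.10 and the 20 attempts at 5-second intervals used in the comments are constructed values, chosen so the 100-second ceiling covers the 60-80 seconds the reply quotes for a VIP-only failover.

```shell
#!/bin/sh
# vip-reconfig.sh: wait for a cluster VIP to appear locally, then make named
# pick it up with "rndc reconfig". Added example for the thread above; it is
# not code from BIND or from the original poster.

# have_vip <ip>: exit 0 if <ip> is configured on any local interface.
# The trailing "/" keeps 192.0.2.1 from matching 192.0.2.10.
have_vip() {
    ip -4 -o addr show 2>/dev/null | grep -q "inet $1/"
}

# wait_for_vip <ip> [attempts] [interval_seconds]: poll have_vip up to
# <attempts> times, sleeping <interval_seconds> between polls. Exit 0 as soon
# as the address is present, 1 if it never appears (the caller must not
# reconfigure named in that case, or it will keep listening on the old set).
wait_for_vip() {
    vip=$1
    attempts=${2:-20}
    interval=${3:-5}
    n=0
    while [ "$n" -lt "$attempts" ]; do
        if have_vip "$vip"; then
            return 0
        fi
        n=$((n + 1))
        sleep "$interval"
    done
    return 1
}

# reconfig_on_vip <ip> [attempts] [interval_seconds]: the entry point a
# cluster manager's failover hook calls. rndc reconfig reloads the config and
# rescans interfaces without the full restart the thread wanted to avoid.
reconfig_on_vip() {
    if wait_for_vip "$@"; then
        rndc reconfig
    else
        echo "VIP $1 not present after $((${2:-20} * ${3:-5})) seconds; named not reconfigured" >&2
        return 1
    fi
}

# Stand-alone use from a failover script (constructed VIP):
#   sh vip-reconfig.sh 192.0.2.10 20 5
if [ $# -gt 0 ]; then
    reconfig_on_vip "$@"
fi
```

Keep the attempt count and interval as arguments rather than constants, because the right bound depends on what else the cluster moves during failover; a shared filesystem or a database taking over before the VIP stretches the wait, and a script that gives up early leaves named bound only to the old addresses with no log entry to explain the outage.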
How to flush MX records from the cache
Dear All,

Is there a way to flush MX records from the cache of a caching DNS server?

Thanks
Abdul Khader