RE: Enterprise DNS Architecture - AD and BIND

2016-11-08 Thread Baird, Josh
Hi Ray,

I'm not quite sure why you would have your caching servers forward to other DNS 
servers (Google, OpenDNS, etc).  I would enable recursion on them  and would 
not forward anything.  I would also consider making these caching servers at 
each location slave your *internal* authoritative zones (or views) to override 
recursion.

As you stated, you can keep your AD DNS servers authoritative for your AD 
domains and point your AD clients directly to these servers.  They can be 
configured to forward to your BIND environment which performs recursion and 
resolution for non-AD 'internal' domains/views.  You can also configure your 
BIND 'internal' caching servers to slave your AD zones as well.

Cheers,

Josh

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ray Van 
Dolson
Sent: Tuesday, November 8, 2016 7:10 PM
To: bind-users@lists.isc.org
Subject: Enterprise DNS Architecture - AD and BIND

Greetings;

Am reviewing our DNS setup which has organically evolved over the years and 
most certainly is due for an update:

- We have AD servers responsible for our primary domain (internally).

- We have other sets of AD servers responsible for other domains in
  DMZ's and such.

- We have a BIND Master/Slave pair acting as a hidden master for
  external zones as well as doing split view for some of those same
  zones where we want to return "non-public" IP's for queries that
  would otherwise be answered with an external address.

- We have multiple BIND caching servers.  Some at remote sites that
  handle split duty for Internet resolution (enabling accurate
  geolocation for Internet based services -- our own included) and
  internal lookups.

  In some cases, these "remote" caching servers need to forward lookups
  to other "super" caching servers which have more privileged access to
  the authoritative servers listed above... there are about a dozen of
  these zones.

  They do static-stub zones for the AD managed zones.

  Another challenge is when clients point to them directly, Dynamic DNS
  (RFC2136) doesn't work.  Theoretically we could make BIND handle this
  and forward on to AD, but adds complexity.

  The caching servers also do RPZ.

We're now wanting to add some additional logic to respond differently to VPN 
clients for some of our VoIP technologies to send RTP over the Internet vs. 
over a VPN tunnel...

I'd like to make this all much simpler, avoid mixing roles of servers and help 
guide us as we decide what servers to deploy where.  KISS principle I guess.

In an ideal world, I could completely pitch the whole split view thing (where 
rr.domain.com resolves differently for Internet clients than for "internal" 
clients).  I can't think of a good way to avoid this complexity, however.

What I'm thinking:

- Have an AD server at every location we have a BIND server.  This way
  client machines talk DNS *only* to AD servers so Dynamic DNS &
  friends work reliably.  AD servers would then forward to BIND servers
  as needed.

+ Alternative: Configure clients to do DNS updates via DHCP Option
  81, etc. instead of via Dynamic DNS.  This would allow clients to
  point at BIND and take advantage of Anycast for resiliency and I
  avoid needing to figure out how to make BIND pass RFC 2136
  requests on from clients to AD reliably...

- Caching Servers will be the same configuration no matter where they
  are, and do the same things:

+ "." will forward out to OpenDNS or Google, etc. for Internet
  lookups.

+ Will be a "slave" for all AD owned domains.  Thought here is
  better client response times and fewer issues w/ TTL and cache
  and better resiliency...

- Alternative: Leave these as static-stub, but now I may need
  logic in Ansible or wherever to point to "nearby" AD servers
  depending on where the BIND server lives to keep response
  times low when things aren't cached.  That or not care about
  latency...

+ Will be a "slave" for all of the split-view zones (only for the
  "internal" view).  Could do static-stub here as well, but think
  slave may serve us better for similar reasons as w/ AD.

+ I can introduce my split view zones for VPN here as well.  I
  haven't thought this one through fully yet, but am hopeful I
  don't need to fully duplicate the zones above and could instead
  forward queries from one view to another

- Authoritative BIND Servers mostly stay as-is aside from needing to be
  configured to send notifies out to caching servers and proper FW
  access maintained for AXFR.

Please pick this apart and let me know where I'm going astray. :)

Thanks,
Ray
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
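The layout Josh recommends above (recursion on for internal clients only, no upstream forwarders, the AD zones and the internal copy of the split-view zone slaved locally, RPZ kept on the caching tier) plus the matching zone stanza on the hidden master that Ray's last bullet asks for. This is an added example, not configuration from the thread; every zone name, ACL and address is a placeholder.

```conf
// Per-site caching/recursive server (added example, not from the thread).
// All names and addresses below are assumed placeholders.

acl "internal"     { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; localhost; };
acl "caching-tier" { 10.1.0.53; 10.2.0.53; 10.3.0.53; };   // the site caching servers

masters "ad-dcs"        { 10.1.0.10; 10.1.0.11; };   // AD domain controllers
masters "hidden-master" { 10.2.0.5; };               // BIND hidden master

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };   // recurse for internal clients only, never for the Internet
    allow-query     { internal; };
    allow-transfer  { none; };       // the caching tier never hands out AXFR itself
    // No "forwarders" statement: Internet names are resolved from the roots directly.
    response-policy { zone "rpz.local"; };   // the caching servers already run RPZ
};

// AD-managed zone, slaved from the DCs so client lookups are answered locally.
// Clients keep sending RFC 2136 updates to AD, which stays authoritative.
zone "corp.example" {
    type slave;
    file "slaves/corp.example";
    masters { ad-dcs; };             // AD must permit zone transfers to this host
    allow-update { none; };          // never accept dynamic updates on the slave copy
};

// Internal copy of a split-view zone, slaved from the hidden master. The master
// picks the internal view from our source address, so we receive the internal data.
zone "example.com" {
    type slave;
    file "slaves/example.com.internal";
    masters { hidden-master; };
    allow-update { none; };
};

zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query    { localhost; };
    allow-transfer { none; };
};

// --- On the hidden master (its own named.conf), the internal view's zone must
// --- notify the caching tier and allow it to transfer:
//
// view "internal" {
//     match-clients { internal; };
//     zone "example.com" {
//         type master;
//         file "masters/example.com.internal";
//         also-notify    { 10.1.0.53; 10.2.0.53; 10.3.0.53; };
//         allow-transfer { caching-tier; };
//     };
// };
```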

Slaves or Forwarders?

2016-08-23 Thread Baird, Josh
Hi,

In the past, when I have had a requirement to bring a slave zone into our 
environment; I created a slave zone on my master(s) (defining the external 
nameserver as a master) and then created slave zones on my slaves using *my* 
master as a master (not the master outside of my environment).  This seems to 
work well and makes management easier on my end.  Is this method of 
'sub-slaves' considered an acceptable practice?

Some folks also like to use forwarders if they don't have the capability to 
slave the zone.  In this scenario, I would have to create a 'forward' zone on 
each of my caching servers that forwards requests for 'xyz.com' to the 
up-stream nameserver authoritative for the zone.  Given the choice of creating 
forwarders or slaving the zone into my environment, which is preferred?  I 
would think that slaving the zone would be the preferred method, since my 
master/slaves could still serve the zone if the up-stream/forwarder becomes 
unreachable (until my slave expires).  In my infrastructure, it just so happens 
that managing slave zones across our environment is also simpler than managing 
independent forward zone(s) on each of our servers as well.

Any thoughts/suggestions are appreciated!

Thanks,

Josh
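The two approaches Josh compares for bringing an outside zone 'xyz.com' into the environment, written out as named.conf fragments. This is an added example, not configuration from the thread; the addresses are placeholders, and the three zone stanzas belong in three different named.conf files (master, each slave, each caching server), not one.

```conf
// Added example, not from the thread. Addresses are assumed placeholders.

masters "xyz-external" { 203.0.113.10; };   // the other organisation's authoritative server
masters "my-master"    { 10.2.0.5; };       // my own master
acl     "my-slaves"    { 10.1.0.53; 10.3.0.53; };

// --- Option A: "sub-slaving". Only my master talks to the outside server;
// --- my slaves transfer from my master. This stanza goes on the master:
zone "xyz.com" {
    type slave;
    file "slaves/xyz.com";
    masters { xyz-external; };
    allow-transfer { my-slaves; };   // only my own slaves may re-transfer the zone
    notify yes;                      // push changes down to my slaves promptly
};

// --- ... and this one on each of my slaves:
zone "xyz.com" {
    type slave;
    file "slaves/xyz.com";
    masters { my-master; };          // never reaches outside the environment
    allow-transfer { none; };
};
// The local copy keeps answering until the zone's SOA expire timer runs out,
// even if the outside master becomes unreachable.

// --- Option B: a forward zone on each caching server. Nothing is stored
// --- locally, so every uncached lookup depends on the upstream being reachable.
zone "xyz.com" {
    type forward;
    forward only;                    // fail rather than fall back to normal recursion
    forwarders { 203.0.113.10; };
};
```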


RE: Adding CNAME for the root domain issue

2016-04-27 Thread Baird, Josh
Any thoughts on a service like Cloudflare's 'CNAME Flattening' [1]?

[1] 
https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Stephane Bortzmeyer
Sent: Wednesday, April 27, 2016 10:36 AM
To: Daniel Dawalibi 
Cc: comp-protocols-dns-b...@isc.org; 'Barry Margolin' 
Subject: Re: Adding CNAME for the root domain issue

On Wed, Apr 27, 2016 at 05:26:53PM +0300,  Daniel Dawalibi 
 wrote  a message of 50 lines which said:

> DNS registrar that can offer this option by using apex/naked/root 
> domain redirection

Sorry, but I cannot parse this sentence.

Also, as I said, this is not about the root, it is about your 
ourweddingaccount.com and its parent (.com).


Problem with resolution

2014-12-17 Thread Baird, Josh
Hi,

Does anyone see anything strange about the two hosts?

www.ca.greattextbookgiveaway.com
www.sorteodelibrospucmm.com.do

My BIND 9.9.4 servers are unable to resolve these hosts, but I have older 
servers that can.  I noticed that I am unable to resolve the two authoritative 
servers (ns1.500bucksaday.com/ns2.500bucksaday.com) from anywhere 
(http://pastebin.com/kHUYHqDc), yet I am still able to resolve the two above 
hosts from several locations.

Dig from server that can resolve the hostnames:  http://pastebin.com/CYWCMdLn
Dig from server that cannot resolve the hostnames:  http://pastebin.com/EepCFyh9

Thanks,

Josh


RE: In BIND 8.2 running on Solaris 8, how to start logging

2014-06-27 Thread Baird, Josh
Enable query logging or run tcpdump on port 53.  A quick Google search should 
explain exactly how to do either of these very easily.

Josh

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry S. Finkel
Sent: Friday, June 27, 2014 5:02 PM
To: bind-users@lists.isc.org
Subject: Re: In BIND 8.2 running on Solaris 8, how to start logging

On 6/27/2014, Samad Agha  wrote:
> Hi All,
> I have two Solaris 8 servers running BIND 8.2. I'd like to retire them 
> both and transfer everything to a couple of RHEL 7 boxes. The City (I 
> work for a mid-size California city) has outsourced different aspects 
> of our DNS that I even lost track and have no idea what these two DNS 
> servers serve. I'd like to start logging all queries on these two 
> boxes to know who queries them. How do I start a comprehensive logging 
> to capture all transactions going through these two servers?
>
> Please advise; please be thorough and don't assume anything. Many 
> thanks in advance.
> Regards,
> Samad

I may be missing something here.  The servers are running BIND.
What zones do the servers serve?  They serve the zones listed in the BIND 
configuration file(s), and they may be recursive servers for your clients.  
Look at the config files to see what zones are mastered or slaved on the 
servers.

--Barry Finkel


Architecture Questions

2014-05-28 Thread Baird, Josh
Hi,

I have historically hosted authoritative slave zones on my internal 
caching/recursive servers to override recursion for internal zones.  These 
servers are not directly reachable from the internet.  Generally speaking, I 
realize that it is considered a bad practice for any authoritative servers to 
perform recursion.  Is it a common practice in this particular scenario though?

The other option would be to have 'X' number of authoritative servers with 
recursion disabled, and then spin up another dedicated caching/recursive tier 
which used stub zones to communicate with the authoritative servers.   Clients 
would point directly to the caching tier for name resolution.   This scenario 
sounds like it would be more cumbersome to maintain.  It would also require 
additional servers.  I'm not sure the additional hardware and complexity is 
worth the trouble in this scenario, but I am looking for opinions.

Furthermore, I was recently told by one of the larger managed IPAM/DNS vendors 
that it was on ISC's roadmap to no longer allow authoritative servers to 
perform recursion (ie, the 'recursion yes' option would be disabled if the 
server contained authoritative zones).  Is this actually true?

Thanks,

Josh 


RE: Book recommendations?

2014-05-27 Thread Baird, Josh
Cricket's "DNS & BIND" seems rather dated at this point with the last edition 
over 8 years old.

Josh

-Original Message-
From: Warren Kumari [mailto:war...@kumari.net] 
Sent: Tuesday, May 27, 2014 7:24 PM
To: Baird, Josh
Cc: bind-users@lists.isc.org
Subject: Re: Book recommendations?

On Tue, May 27, 2014 at 6:51 PM, Baird, Josh  wrote:
> Hi,
>
> Can someone recommend a modern/new-ish book on DNS (specifically BIND)?  I 
> know there have been several O'Reilly books throughout the years, but haven't 
> kept up on anything in the past few years.  I'm looking for architecture 
> design, best practices in designing enterprise and service provider DNS 
> architectures, etc.

Yeah, the "DNS and BIND"
(http://www.amazon.com/DNS-BIND-Cricket-Liu-ebook/dp/B0026OR2QS/ref=sr_1_1?ie=UTF8&qid=1401232807&sr=8-1&keywords=cricket+liu)
"DNS and BIND cookbook"
(http://www.amazon.com/DNS-Bind-Cookbook-Cricket-Liu-ebook/dp/B004VB3VFK/ref=sr_1_4?ie=UTF8&qid=1401232883&sr=8-4&keywords=cricket+liu)
and
"DNS and BIND on IPv6" O'Reilly books are all still good and relevant...

As Andrew says, the included ARM is good, but the O'Reilly ones above are more 
readable and cover more design type things (IMO)

W



>
> Thanks!
>


Book recommendations?

2014-05-27 Thread Baird, Josh
Hi,

Can someone recommend a modern/new-ish book on DNS (specifically BIND)?  I know 
there have been several O'Reilly books throughout the years, but haven't kept up 
on anything in the past few years.  I'm looking for architecture design, best 
practices in designing enterprise and service provider DNS architectures, etc.

Thanks!



Multi-master (HA)

2014-05-06 Thread Baird, Josh
Hi,

For those of you who operate at multiple sites or datacenters, are you doing 
any HA for your BIND masters?  Ideally, we would have a master in each 
datacenter; maybe not an active one, but one that is standing by in case your 
primary master becomes unavailable.  

Do you have multiple "active" masters and list them as master in each of your 
slave's zone definitions?  This seems like it could get rather messy.  One 
thought is to use a technology like VMWare SRM which will spin up a 
master/virtual machine automatically in a second datacenter if your primary 
master goes down.  This coupled with Layer2 connectivity between your sites 
could make things fairly simple.  The standby/secondary master would retain the 
same IP address as your primary, so everything should just *work*.  

What are others doing?  Any thoughts, ideas or advice is much appreciated.

Thanks,

Josh



RE: Enterprise IPAM/DNS Solutions

2014-04-28 Thread Baird, Josh
Kevin,

No - our DNS servers do only one thing depending on their role - either to 
serve internal clients (caching/recursive/override external authoritative) or 
to serve authoritative external clients.  I used to cringe at these appliance 
based solutions because I want to be in control of BIND and the server's 
operating system - but, they are beginning to sound more attractive since they 
don't require someone with operating system knowledge to run and maintain the 
application.  The bonuses would be things like DNSSEC and Anycast support out of 
the box.

Thanks,

Josh

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy
Sent: Monday, April 28, 2014 12:50 PM
To: bind-users@lists.isc.org
Subject: Re: Enterprise IPAM/DNS Solutions

Are you running *other*, non-network-service functions on these boxes besides 
BIND/M&M? If not, then you might find an appliance-based solution like Bluecat 
or Infoblox might be more cost-effective than adding a DNS-management layer to 
a generic server. Your security folks should love you too, since appliances are 
"hardened" (usually they don't even have a OS-like command line or a 
"superuser" function). Lastly, if you're planning to implement things like 
Anycast, HA clustering, IPv6, etc. these things are probably a lot easier for 
an appliance that already has these capabilities built in, than hacking the OS 
to support them. DNSSEC is likely to be a lot easier too.

The argument for appliances becomes even stronger if you want to support other 
network services, e.g. DHCP, NTP, discovery.

If, on the other hand, you're running "other stuff" on those servers, besides 
network services, or you just *have* to have that OS-level control down to the 
kernel, filesystems, devices, etc. it might make sense to stick with an agent- 
or wrapper-based solution like you already have (M&M). I think IPControl (by 
British Telecom) is also a strong player in that space.

     - Kevin

On 4/28/2014 12:31 PM, Baird, Josh wrote:
> Hi,
>
> We currently use the Men & Mice DNS/IPAM/DHCP suite which is essentially a 
> front-end "wrapper" for BIND.  We deploy our own BIND boxes and simply 
> install the Men & Mice agent on them which allows us to centrally manage the 
> zones from a GUI (or CLI) based interface.
>
> I'm curious about the other "enterprise" solutions that are on the market.  
> Bluecat is the first one that comes to mind, but I'm completely unfamiliar 
> with their product.  Does their product run alongside native BIND (like M&M) 
> or do I need to purchase their own appliances and place them all over my 
> network?
>
> Are there any other suggestions for products similar to Men & Mice and 
> Bluecat that I should be looking at?  I'm looking for DNS and IPAM and 
> central management.
>
> Thanks,
>
> Josh
>


RE: Enterprise IPAM/DNS Solutions

2014-04-28 Thread Baird, Josh
Ray,

Overall, M&M has worked quite nicely for us.  The CLI leaves a lot to be 
desired though and we have found several bugs in the application throughout the 
past several years (who doesn't have bugs, though?).  I have also had a hard 
time getting someone on their Sales team to answer my questions lately.  I do 
really like the fact that it doesn't require some third party appliance and it 
can run alongside BIND.  

At this point - I'm just looking to see what else is available in this same 
space (Infoblox, Bluecat, etc).  Any feedback from users of these various 
platforms is appreciated!

(apologies for the top-post)

Thanks,

Josh

-Original Message-
From: Ray Van Dolson [mailto:rvandol...@esri.com] 
Sent: Monday, April 28, 2014 12:35 PM
To: Baird, Josh
Cc: bind-users@lists.isc.org
Subject: Re: Enterprise IPAM/DNS Solutions

On Mon, Apr 28, 2014 at 04:31:28PM +, Baird, Josh wrote:
> Hi,
> 
> We currently use the Men & Mice DNS/IPAM/DHCP suite which is 
> essentially a front-end "wrapper" for BIND.  We deploy our own BIND 
> boxes and simply install the Men & Mice agent on them which allows us 
> to centrally manage the zones from a GUI (or CLI) based interface.
> 
> I'm curious about the other "enterprise" solutions that are on the 
> market.  Bluecat is the first one that comes to mind, but I'm 
> completely unfamiliar with their product.  Does their product run 
> alongside native BIND (like M&M) or do I need to purchase their own 
> appliances and place them all over my network?
> 
> Are there any other suggestions for products similar to Men & Mice and 
> Bluecat that I should be looking at?  I'm looking for DNS and IPAM and 
> central management.
> 
> Thanks,
> 
> Josh

Josh, I'm curious what shortcomings you're finding with the M&M suite?

We've looked at BlueCat recently and my recollection is that it required their 
DNS appliances.  Quite costly and in our case, overkill.

M&M has worked pretty well for us, but we're a corporate type use case, not a 
provider or ISP.

Ray


Enterprise IPAM/DNS Solutions

2014-04-28 Thread Baird, Josh
Hi,

We currently use the Men & Mice DNS/IPAM/DHCP suite which is essentially a 
front-end "wrapper" for BIND.  We deploy our own BIND boxes and simply install 
the Men & Mice agent on them which allows us to centrally manage the zones from 
a GUI (or CLI) based interface.

I'm curious about the other "enterprise" solutions that are on the market.  
Bluecat is the first one that comes to mind, but I'm completely unfamiliar with 
their product.  Does their product run alongside native BIND (like M&M) or do I 
need to purchase their own appliances and place them all over my network?  

Are there any other suggestions for products similar to Men & Mice and Bluecat 
that I should be looking at?  I'm looking for DNS and IPAM and central 
management.

Thanks,

Josh



Wildcard CNAME record?

2013-01-16 Thread Baird, Josh
Is it acceptable to have a wildcard CNAME?  Example:

* IN   CNAMEsomewhere.com.

Or, would it be advised to only use wildcard 'A' records?

Thanks.


RE: Problem with ed.gov

2012-01-19 Thread Baird, Josh
Nope, no firewall in front or behind these particular boxes.

Josh

-Original Message-
From: Faehl, Chris [mailto:cfa...@rightnow.com] 
Sent: Thursday, January 19, 2012 3:34 PM
To: Baird, Josh
Cc: bind-users@lists.isc.org
Subject: Re: Problem with ed.gov

Josh - are you using Cisco firewalls? We've seen problems resolving
other
.gov sites due to EDNS/DNSSEC requests being truncated by "dns inspect
size" set to 512 bytes (out-of-box conf). Changing to 4k yielded good
results and fixed those problems without other operational impact.

Chris Faehl
Director, Cloud Architecture
RightNow Technologies

On 1/19/12 12:39 PM, "Baird, Josh"  wrote:

>Ugly fix, but it does work.  I already had that in place as a
"band-aid"
>anyways.
>
>Josh
>
>-Original Message-
>From: wbr...@e1b.org [mailto:wbr...@e1b.org]
>Sent: Thursday, January 19, 2012 2:36 PM
>To: Baird, Josh
>Cc: bind-users@lists.isc.org
>Subject: Re: Problem with ed.gov
>
>Josh wrote on 01/19/2012 02:06:05 PM:
>
>> My resolvers seem to be having problems resolving ed.gov hosts.
>Others
>> have reported similar problems, but I am having trouble figuring out
>> where the problem lies.  Some other resolvers seem to be resolving
>> ed.gov correctly.  I am able to query their authoritative servers
>> directly from the same network where my resolvers are located.  But,
>my
>> resolvers are not able to recurse to them.
>
>[snip]
>> Is anyone else having problems?  Can you spot anything that could be
>> preventing my/our resolvers to successfully query this?
>> 
>
>Years ago, we had problems with ed.gov.  We added the following to our
>config on 2009-08-11 to forward to their name servers:
>
>zone "ed.gov" {
>type forward;
>forwarders { 148.9.101.50; 148.9.101.52; 160.109.63.185;
>160.109.63.186;
>  };
>};
>
>Ugly fix? You bet!  But the problems went away...
>
>IIRC, we did network sniffs at the perimeter and a bunch of other
>troubleshooting to no avail.
>
>
>


RE: Problem with ed.gov

2012-01-19 Thread Baird, Josh
Ugly fix, but it does work.  I already had that in place as a "band-aid"
anyways.

Josh

-Original Message-
From: wbr...@e1b.org [mailto:wbr...@e1b.org] 
Sent: Thursday, January 19, 2012 2:36 PM
To: Baird, Josh
Cc: bind-users@lists.isc.org
Subject: Re: Problem with ed.gov

Josh wrote on 01/19/2012 02:06:05 PM:

> My resolvers seem to be having problems resolving ed.gov hosts.
> Others
> have reported similar problems, but I am having trouble figuring out
> where the problem lies.  Some other resolvers seem to be resolving
> ed.gov correctly.  I am able to query their authoritative servers
> directly from the same network where my resolvers are located.  But,
> my
> resolvers are not able to recurse to them.

[snip]
> Is anyone else having problems?  Can you spot anything that could be
> preventing my/our resolvers to successfully query this?
> 

Years ago, we had problems with ed.gov.  We added the following to our 
config on 2009-08-11 to forward to their name servers:

zone "ed.gov" {
type forward;
forwarders { 148.9.101.50; 148.9.101.52; 160.109.63.185; 
160.109.63.186;
  };
};

Ugly fix? You bet!  But the problems went away...

IIRC, we did network sniffs at the perimeter and a bunch of other 
troubleshooting to no avail.





Problem with ed.gov

2012-01-19 Thread Baird, Josh
Hi,

My resolvers seem to be having problems resolving ed.gov hosts.  Others
have reported similar problems, but I am having trouble figuring out
where the problem lies.  Some other resolvers seem to be resolving
ed.gov correctly.  I am able to query their authoritative servers
directly from the same network where my resolvers are located.  But, my
resolvers are not able to recurse to them.

$ dig +tcp fafsa.ed.gov

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> +tcp fafsa.ed.gov
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64510
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fafsa.ed.gov.  IN  A

;; Query time: 9995 msec
;; SERVER: 209.65.192.141#53(209.65.192.141)
;; WHEN: Thu Jan 19 13:56:56 2012
;; MSG SIZE  rcvd: 30

$ dig +notcp fafsa.ed.gov

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> +notcp fafsa.ed.gov
;; global options:  printcmd
;; connection timed out; no servers could be reached

Is anyone else having problems?  Can you spot anything that could be
preventing my/our resolvers to successfully query this?

Thanks,

Josh



True queries per second?

2011-09-28 Thread Baird, Josh
Hi,

I'm looking at the output from 9.7's "rndc stats," and I see both
incoming and outgoing statistics.  I'm trying to get a true queries per
second stat from these numbers.  Wouldn't this be both incoming+outgoing
queries?  Or, from a performance standpoint should I only be concerned
about incoming queries?  In this case:

+++ Statistics Dump +++ (1317224125)
++ Incoming Requests ++
               43128 QUERY
++ Incoming Queries ++
               28719 A
                 381 NS
                  22 CNAME
                  16 SOA
                 811 PTR
                5269 MX
                 629 TXT
                6721 
                  15 SRV
                 141 A6
                   2 DS
                 266 SPF
                 136 ANY

The "incoming requests" (43128) number is the total number of
requests/queries.  So to get a TOTAL queries per second on all types of
queries, I would perform calculations on this number, correct?

Thanks,

Josh


RE: Stats output 9.3 vs 9.7

2011-09-07 Thread Baird, Josh
Thanks, Alan.

So, I'm looking for the stats under the "Server Statistics" section if I
want the same stats that <9.5 BIND produced, correct?

Thanks,

Josh

-Original Message-
From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Alan Clegg
Sent: Wednesday, September 07, 2011 1:16 PM
To: bind-users@lists.isc.org
Subject: Re: Stats output 9.3 vs 9.7

On 9/7/2011 11:13 AM, Baird, Josh wrote:

> Is there a way to revert back to the old stats format?  Is there an 
> easier way to reveal query stats via SNMP in 9.7?  Any
recommendations?
> I'm really looking to get QPS statistics. I can modify my parser 
> script if necessary, but I thought I would check here first.

Look at the statistics channel.  Provides lot of information via XML.

Some uses:
  http://www.zabbix.com/forum/showthread.php?t=11920
  http://collectd.org/wiki/index.php/Plugin:BIND

AlanC



Stats output 9.3 vs 9.7

2011-09-07 Thread Baird, Josh
All,

Just upgraded some authoritative boxes to RHEL6, thus upgrading to BIND
9.7.3.  On RHEL5 (BIND 9.3.x), I had scripts that parsed the output of
the named.stats file, and piped them through net-snmpd so my NMS could
monitor query statistics.  On 9.3.x, the named.stats looked like:

+++ Statistics Dump +++ (1315407900)
success 1647248092
referral 17
nxrrset 239520115
nxdomain 2058478892
recursion 829899933
failure 15795471
--- Statistics Dump --- (1315407900)

My [simple] script parsed each value accordingly.  Now, in 9.7, it looks
like named.stats format has changed drastically:

++ Name Server Statistics ++
33653927 IPv4 requests received
19899191 requests with EDNS(0) received
 171 TCP requests received
10655888 auth queries rejected
...

Is there a way to revert back to the old stats format?  Is there an
easier way to reveal query stats via SNMP in 9.7?  Any recommendations?
I'm really looking to get QPS statistics. I can modify my parser script
if necessary, but I thought I would check here first.

Thanks,

Josh
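As an added example (not Josh's script, and separate from the XML statistics channel Alan points to in the reply above), here is a parser that handles both named.stats layouts quoted in this thread and derives rates from two successive dumps. The sample dumps are constructed: the first dump of each pair reuses the thread's numbers, the second is invented 300 s later.

```python
"""Parse BIND named.stats in the pre-9.5 ("name count") and 9.5+ ("count
description" under ++ section ++ headers) layouts and turn two successive
dumps into per-second rates. Added example, not Josh's script."""
import re

DUMP_START = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)")
DUMP_END = re.compile(r"^--- Statistics Dump --- \((\d+)\)")
SECTION = re.compile(r"^\+\+ (.+?) \+\+$")
SUBSECTION = re.compile(r"^\[(.+)\]$")          # [View: default], [example.com]
NEW_STYLE = re.compile(r"^\s*(\d+) (.+?)\s*$")  # 9.5+:    "<count> <description>"
OLD_STYLE = re.compile(r"^([a-z]+) (\d+)\s*$")  # pre-9.5: "<name> <count>"

# Constructed samples; the second dump of each is invented ('rndc stats' appends).
SAMPLE_93 = """\
+++ Statistics Dump +++ (1315407900)
success 1647248092
referral 17
nxrrset 239520115
nxdomain 2058478892
recursion 829899933
failure 15795471
--- Statistics Dump --- (1315407900)
+++ Statistics Dump +++ (1315408200)
success 1647248392
referral 17
nxrrset 239520215
nxdomain 2058479092
recursion 829900033
failure 15795471
--- Statistics Dump --- (1315408200)
"""
SAMPLE_97 = """\
+++ Statistics Dump +++ (1315407900)
++ Name Server Statistics ++
33653927 IPv4 requests received
++ Per Zone Query Statistics ++
[example.com]
 12 queries resulted in successful answer
--- Statistics Dump --- (1315407900)
+++ Statistics Dump +++ (1315408200)
++ Name Server Statistics ++
33654527 IPv4 requests received
++ Per Zone Query Statistics ++
[example.com]
 42 queries resulted in successful answer
--- Statistics Dump --- (1315408200)
"""

def parse_named_stats(text):
    """Dumps as {"time": epoch, "counters": {(section, metric): value}}; pre-9.5
    counters live under section "", a [sub-header] becomes "Section / sub"."""
    dumps, current, section = [], None, ""
    for line in text.splitlines():
        if m := DUMP_START.match(line):
            current, section = {"time": int(m.group(1)), "counters": {}}, ""
        elif current is None:        # text outside any dump (torn file)
            continue
        elif DUMP_END.match(line):
            dumps.append(current)
            current = None
        elif m := SECTION.match(line):
            section = m.group(1)
        elif m := SUBSECTION.match(line.strip()):
            section = section.split(" / ")[0] + " / " + m.group(1)
        elif m := OLD_STYLE.match(line):
            current["counters"][(section, m.group(1))] = int(m.group(2))
        elif m := NEW_STYLE.match(line):
            current["counters"][(section, m.group(2))] = int(m.group(1))
    return dumps

def delta(older, newer, metric, section=""):
    """Counter increase between dumps; None if the counter is missing or went
    backwards (named restarted), which a naive script turns into a bogus rate."""
    a = older["counters"].get((section, metric))
    b = newer["counters"].get((section, metric))
    return None if a is None or b is None or b < a else b - a

def rate(older, newer, metric, section=""):
    """Per-second rate of one counter, what an SNMP poller would export."""
    dt, d = newer["time"] - older["time"], delta(older, newer, metric, section)
    return None if dt <= 0 or d is None else d / dt

def query_rate(older, newer):
    """Approximate total QPS in either layout: pre-9.5 per-outcome counters summed
    ('recursion' overlaps them, so it is left out) or the 9.5+ 'requests
    received' counters, which also include notifies and updates."""
    dt = newer["time"] - older["time"]
    if dt <= 0:
        return None
    if ("", "success") in newer["counters"]:
        deltas = [delta(older, newer, m) for m in
                  ("success", "referral", "nxrrset", "nxdomain", "failure")]
        if None in deltas:
            return None
    else:
        deltas = [delta(older, newer, m, "Name Server Statistics") for m in
                  ("IPv4 requests received", "IPv6 requests received")]
        deltas = [d for d in deltas if d is not None]
        if not deltas:
            return None
    return sum(deltas) / dt
```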


Problem with resolution

2011-08-04 Thread Baird, Josh
I'm having trouble with the resolution of www.pncactivepay.com.  It
appears that most nameservers will resolve this host to 208.86.144.222.

Resolution for this host only works about half of the time, as shown by
my logs below.  When my resolvers are not able to get the real IP
(208.86.144.22), they get a bogus IP of 209.62.20.200.  It seems like
there is a misconfiguration on pncactivepay.com's side, but I'm not
certain.

Can anyone see an obvious problem?

$ host www.pncactivepay.com
www.pncactivepay.com has address 209.62.20.200

$ host www.pncactivepay.com
www.pncactivepay.com has address 209.62.20.200

$ host www.pncactivepay.com
www.pncactivepay.com has address 208.86.144.222

$ host www.pncactivepay.com
www.pncactivepay.com has address 209.62.20.200

5 minutes ago, I was not able to dig +trace this host, and it kept dying
at the 'J' root server.  Now, though, dig +trace seems to be resolving the
host correctly.  There is still some inconsistency here, though.  Any
ideas?  Still, half of my "nslookups" and "hosts" are returning
209.62.20.200 for www.pncactivepay.com.  I have no idea where this
response is coming from.

$ dig +trace www.pncactivepay.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> +trace
www.pncactivepay.com
;; global options:  printcmd
.   339346  IN  NS  c.root-servers.net.
.   339346  IN  NS  d.root-servers.net.
.   339346  IN  NS  e.root-servers.net.
.   339346  IN  NS  f.root-servers.net.
.   339346  IN  NS  g.root-servers.net.
.   339346  IN  NS  h.root-servers.net.
.   339346  IN  NS  i.root-servers.net.
.   339346  IN  NS  j.root-servers.net.
.   339346  IN  NS  k.root-servers.net.
.   339346  IN  NS  l.root-servers.net.
.   339346  IN  NS  m.root-servers.net.
.   339346  IN  NS  a.root-servers.net.
.   339346  IN  NS  b.root-servers.net.
;; Received 512 bytes from 172.26.137.135#53(172.26.137.135) in 0 ms

com.172800  IN  NS  c.gtld-servers.net.
com.172800  IN  NS  f.gtld-servers.net.
com.172800  IN  NS  i.gtld-servers.net.
com.172800  IN  NS  j.gtld-servers.net.
com.172800  IN  NS  l.gtld-servers.net.
com.172800  IN  NS  a.gtld-servers.net.
com.172800  IN  NS  d.gtld-servers.net.
com.172800  IN  NS  e.gtld-servers.net.
com.172800  IN  NS  h.gtld-servers.net.
com.172800  IN  NS  g.gtld-servers.net.
com.172800  IN  NS  b.gtld-servers.net.
com.172800  IN  NS  k.gtld-servers.net.
com.172800  IN  NS  m.gtld-servers.net.
;; Received 510 bytes from 192.33.4.12#53(c.root-servers.net) in 14 ms

pncactivepay.com.   172800  IN  NS  dns11.pnc.com.
pncactivepay.com.   172800  IN  NS  dns12.pnc.com.
pncactivepay.com.   172800  IN  NS  dns15.pnc.com.
pncactivepay.com.   172800  IN  NS  dns16.pnc.com.
;; Received 186 bytes from 192.26.92.30#53(c.gtld-servers.net) in 33 ms

www.pncactivepay.com.   3600IN  A   208.86.144.222
pncactivepay.com.   3600IN  NS  dns12.pnc.com.
pncactivepay.com.   3600IN  NS  dns11.pnc.com.
pncactivepay.com.   3600IN  NS  dns15.pnc.com.
pncactivepay.com.   3600IN  NS  dns16.pnc.com.
;; Received 202 bytes from 161.150.129.184#53(dns11.pnc.com) in 20 ms

Thanks,

Josh


RE: Is it possible to block resolution of a malware address?

2011-04-01 Thread Baird, Josh
We typically override malware-ish domains by creating a zone on our
caching servers for them and creating a wildcard similar to:

*   IN  A   127.0.0.1

That way, when clients try to resolve xyz.com, our caching/resolvers
return 127.0.0.1, not the real IP address.

Josh

-Original Message-
From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Stewart Dean
Sent: Friday, April 01, 2011 10:22 AM
To: bind-users@lists.isc.org
Subject: Is it possible to block resolution of a malware address?

That is, if we know that a symbolic address is malign, is there some way
to refuse to resolve it or change its resolution when an internal user
asks for its resolution?

All my Google searching turns up DNSBLs and blocking incoming mail from
BLed addresses, but this is another matter...

Thanks in advance...
-- 

Stewart Dean, Unix System Admin, Henderson Computer Resources
Center of Bard College, Annandale-on-Hudson, New York  12504
sd...@bard.edu  voice: 845-758-7475, fax: 845-758-7035
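The wildcard sinkhole zone Josh describes above, as an added example rather than his actual configuration: it generates the named.conf stanzas and one shared zone file from a domain list, and rejects entries from the (untrusted) list that would otherwise end up inside named.conf syntax. The zone directory, SOA values, TTL and serial are assumed placeholders.

```python
"""Generate BIND sinkhole zones (wildcard A record to 127.0.0.1, as in the
reply) for a list of domains. Added example, not Josh's config; the zone
directory, SOA values and TTL are this example's own assumptions."""
import re

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
ZONE_DIR = "/var/named/sinkhole"   # assumed path; one shared file serves every zone
SINK_IP = "127.0.0.1"


def valid_domain(name):
    """Strict hostname check. A blocklist feed is untrusted input: without this,
    a quote or semicolon in a 'domain' would land inside named.conf syntax."""
    name = name.rstrip(".").lower()
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def zone_file(serial, ns="localhost.", contact="hostmaster.localhost.", sink=SINK_IP):
    """Contents of the shared zone file: '@' means 'whatever zone loaded me', so
    the same file works for every sinkholed domain. Bump serial on each rebuild
    so slave copies (if any) notice the change."""
    return "\n".join([
        "$TTL 3600",
        f"@\tIN\tSOA\t{ns} {contact} {serial} 3600 900 604800 3600",
        f"@\tIN\tNS\t{ns}",
        f"@\tIN\tA\t{sink}",      # the bare domain itself
        f"*\tIN\tA\t{sink}",      # and every name under it
        "",
    ])


def named_conf(domains, zone_dir=ZONE_DIR):
    """One master-zone stanza per valid domain (deduplicated, lower-cased) plus
    the list of entries rejected by valid_domain, for the operator to review."""
    stanzas, rejected = [], []
    for d in sorted({x.strip().rstrip(".").lower() for x in domains}):
        if not valid_domain(d):
            rejected.append(d)
            continue
        stanzas.append(
            f'zone "{d}" IN {{\n\ttype master;\n'
            f'\tfile "{zone_dir}/sinkhole.db";\n\tallow-update {{ none; }};\n}};'
        )
    return "\n".join(stanzas) + ("\n" if stanzas else ""), rejected


if __name__ == "__main__":
    # Constructed domain list; the third entry is deliberately malformed.
    conf, bad = named_conf(["xyz.com", "Tracker.Example.NET.", "oops;.com"])
    print(zone_file(serial=2011040101))
    print(conf)
    print("rejected:", bad)
```

From BIND 9.8 onward the same effect is available centrally through a response-policy zone (RPZ) instead of one zone stanza per domain. Pointing the wildcard at a logging sinkhole host rather than 127.0.0.1 also records which clients tried to reach the blocked names.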


RE: GUI for bind

2011-03-28 Thread Baird, Josh
We have used the commercial Men & Mice suite for 3 years now and have
had great success with it.  It meets all of your requirements listed
below.  It has an intuitive Windows based console as well as a web
application that can be used to manage DNS, IPAM and DHCP.  It works
directly on top of BIND without any modifications.

Josh

-Original Message-
From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Jorg B.
Sent: Monday, March 28, 2011 6:55 PM
To: bind-users
Subject: GUI for bind

Hello,

I'm looking for a GUI for bind that meets the following requirements:

(1) Must still be under development (and supported, either
commercially or via community support)
(2) Supports "accounts/groups" that will allow me to create user
accounts that are able to modify only zone records assigned to the
account/group.
(3) Administrator access with the permissions to modify any zone
record.
(4) Should support most common features of bind.
(5) Should support 100's of zone records.
(6) Should be somewhat easy to use, so that "non-experts" can figure
it out.

The product does not have to be free... a commercial product is
perfectly fine.
I've spend some time searching around, but most of the GUI products
either don't support bind or are no longer maintained...

Any recommendations would be appreciated...

Thanks
JB


RE: RHEL5 BIND in PROD

2011-03-15 Thread Baird, Josh
For new deployments, I would likely choose RHEL6 over RHEL5; unless you
have a compelling reason to run RHEL5.  RHEL6 includes BIND 9.7.0.  You
mention that you would like to keep your DNS boxes "appliance" like.  If
this is the case, rolling out source code and compiling on each box may
not be the best solution for you.  If you decide to compile your own
BIND, I would look at rolling RPM's for them to make deployment and
upgrades easier.  Also, keep in mind that while RHEL BIND versions will
never be cutting-edge/brand-new, security patches are backported into
them.

Hope this helps.

Josh

-Original Message-
From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Mike Diggins
Sent: Tuesday, March 15, 2011 9:45 AM
To: bind-us...@isc.org
Subject: RHEL5 BIND in PROD


I'm about to transition my name servers from Solaris 10 to RedHat Linux
5.6. I'm debating whether to compile BIND directly from source as I
usually do or use one of the RHEL packages, likely the newly released
9.7.0-6.P2. I would like to make our DNS a little more appliance based to
ease some of the support burden. I'm also concerned with stability over
new features. I'm interested to know what others are doing.

-Mike


RE: How do I stress test my newly setup DNS BIND server?

2010-08-19 Thread Baird, Josh
Check out the "queryperf" tool.

Thanks,

Josh

From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Samad Agha
Sent: Thursday, August 19, 2010 10:13 AM
To: bind-users@lists.isc.org
Subject: How do I stress test my newly setup DNS BIND server?

I'm new to setting up DNS servers, I used Webmin to set it up, and now
need to test all different functionalities of it before registering it
(basically a stress test). Can someone show me some cool commands to do
this? Thanks in advance.

Samad Agha 


Recursion problems

2010-08-04 Thread Baird, Josh
Hi,

I am having problems with recursion for domains that reside on two
particular nameservers.  My BIND9 servers return a SERVFAIL and do not
attempt to recurse to the authoritative nameservers for
ugabookstore.com.  

I have verified that my caching servers are not contacting
ugabookstore.com's authoritative servers via tcpdump.  I have also
enabled debug logging (level 99) on my caching server.  Other servers
are obviously able to recurse to ugabookstore.com's authoritative
servers, so I feel like it may be an issue on my end.  Could someone
offer any advice?

Recursion for all other domains is working correctly.

Debug logs from my caching server:

04-Aug-2010 08:58:13.656 client: debug 3: client 172.26.101.56#46071:
UDP request
04-Aug-2010 08:58:13.656 client: debug 5: client 172.26.101.56#46071:
using view '_default'
04-Aug-2010 08:58:13.656 security: debug 3: client 172.26.101.56#46071:
request is not signed
04-Aug-2010 08:58:13.656 security: debug 3: client 172.26.101.56#46071:
recursion available
04-Aug-2010 08:58:13.656 client: debug 3: client 172.26.101.56#46071:
query
04-Aug-2010 08:58:13.656 queries: info: client 172.26.101.56#46071:
query: ugabookstore.com IN A +
04-Aug-2010 08:58:13.656 client: debug 10: client 172.26.101.56#46071:
ns_client_attach: ref = 1
04-Aug-2010 08:58:13.656 security: debug 3: client 172.26.101.56#46071:
query (cache) 'ugabookstore.com/A/IN' approved
04-Aug-2010 08:58:13.656 client: debug 3: client 172.26.101.56#46071:
replace
04-Aug-2010 08:58:13.656 general: debug 3: clientmgr @0x960deb8:
createclients
04-Aug-2010 08:58:13.656 general: debug 3: clientmgr @0x960deb8: recycle
04-Aug-2010 08:58:13.657 resolver: debug 1: createfetch:
ugabookstore.com A
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx
0x9678d50(ugabookstore.com/A'): create
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx
0x9678d50(ugabookstore.com/A'): join
04-Aug-2010 08:58:13.657 resolver: debug 3: fetch 0x98ee108 (fctx
0x9678d50(ugabookstore.com/A)): created
04-Aug-2010 08:58:13.657 client: debug 3: client @0x9e2a378: udprecv
04-Aug-2010 08:58:13.657 general: debug 50: socket 0x960e2f8:
socket_recv: event 0x9bdfe88 -> task 0x9913de0
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx
0x9678d50(ugabookstore.com/A'): start
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx
0x9678d50(ugabookstore.com/A'): try
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx
0x9678d50(ugabookstore.com/A'): cancelqueries
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx
0x9678d50(ugabookstore.com/A'): getaddresses
04-Aug-2010 08:58:13.657 resolver: debug 3: fctx
0x9678d50(ugabookstore.com/A'): query
04-Aug-2010 08:58:13.658 resolver: debug 3: resquery 0x99353f0 (fctx
0x9678d50(ugabookstore.com/A)): send
04-Aug-2010 08:58:13.658 general: debug 90: socket 0x991db08
0.0.0.0#49050: bound
04-Aug-2010 08:58:13.658 dispatch: debug 90: dispatch 0x976cdc0 response
0x9b9db60 192.5.6.30#53: attached to task 0x9771b28
04-Aug-2010 08:58:13.658 general: debug 50: socket 0x991db08:
socket_recv: event 0x9e721c8 -> task 0x976eb80
04-Aug-2010 08:58:13.658 resolver: debug 3: resquery 0x99353f0 (fctx
0x9678d50(ugabookstore.com/A)): sent
04-Aug-2010 08:58:13.658 resolver: debug 3: resquery 0x99353f0 (fctx
0x9678d50(ugabookstore.com/A)): udpconnected
04-Aug-2010 08:58:13.658 resolver: debug 3: resquery 0x99353f0 (fctx
0x9678d50(ugabookstore.com/A)): senddone
04-Aug-2010 08:58:13.658 general: debug 60: sockmgr 0x95ba350: watcher
got message -3 for socket 513
04-Aug-2010 08:58:13.658 general: debug 60: sockmgr 0x95ba350: watcher
got message -3 for socket 514
04-Aug-2010 08:58:13.658 general: debug 60: sockmgr 0x95ba350: watcher
got message -2 for socket -1
04-Aug-2010 08:58:13.710 general: debug 50: socket 0x991db08:
dispatch_recv:  event 0x9e721c8 -> task 0x976eb80
04-Aug-2010 08:58:13.710 general: debug 60: socket 0x991db08:
internal_recv: task 0x976eb80 got event 0x991db68
04-Aug-2010 08:58:13.710 general: debug 60: socket 0x991db08
192.5.6.30#53: packet received correctly
04-Aug-2010 08:58:13.710 general: debug 90: socket 0x991db08: processing
cmsg 0x983d880
04-Aug-2010 08:58:13.710 dispatch: debug 90: dispatch 0x976cdc0: got
packet: requests 1, buffers 1, recvs 0
04-Aug-2010 08:58:13.710 dispatch: debug 92: dispatch 0x976cdc0: got
valid DNS message header, /QR 1, id 21927
04-Aug-2010 08:58:13.710 dispatch: debug 90: dispatch 0x976cdc0 response
0x9b9db60 192.5.6.30#53: [a] Sent event 0x96a2560 buffer 0x987c8c0 len
4096 to task 0x9771b28
04-Aug-2010 08:58:13.710 general: debug 50: socket 0x991db08:
socket_recv: event 0x9bfdd78 -> task 0x976eb80
04-Aug-2010 08:58:13.710 resolver: debug 3: resquery 0x99353f0 (fctx
0x9678d50(ugabookstore.com/A)): response
04-Aug-2010 08:58:13.710 resolver: debug 10: received packet:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  21927
;; flags: qr ; QUESTION: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ugabookstore.com. 

RE: Unable to resolve several hosts

2010-06-29 Thread Baird, Josh
Ok, so I answered my own question.  It was indeed our ASA's at the
border.

Thanks,

Josh

-Original Message-
From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Baird, Josh
Sent: Tuesday, June 29, 2010 4:55 PM
To: bind-users@lists.isc.org
Subject: Unable to resolve several hosts

Hi,

We have clients that have started to report that they are not able to
resolve certain hosts from our recursing/caching resolvers (BIND
9.3.6-4/EL5).  I am wondering if this has something to do with EDNS or
the DNSSEC rollout to root servers on May 5th.. or perhaps with our
Cisco ASA's at the edge of these resolvers (DNS Inspection, etc).  Two
of these hostnames in particular are noaa.gov and www.arcytech.org:

$ dig www.noaa.gov +trace @fc-wmdns1

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> www.noaa.gov +trace
@fc-wmdns1
;; global options:  printcmd
.   518353  IN  NS  k.root-servers.net.
.   518353  IN  NS  l.root-servers.net.
.   518353  IN  NS  m.root-servers.net.
.   518353  IN  NS  a.root-servers.net.
.   518353  IN  NS  b.root-servers.net.
.   518353  IN  NS  c.root-servers.net.
.   518353  IN  NS  d.root-servers.net.
.   518353  IN  NS  e.root-servers.net.
.   518353  IN  NS  f.root-servers.net.
.   518353  IN  NS  g.root-servers.net.
.   518353  IN  NS  h.root-servers.net.
.   518353  IN  NS  i.root-servers.net.
.   518353  IN  NS  j.root-servers.net.
;; Received 500 bytes from 172.26.128.175#53(172.26.128.175) in 1 ms

;; connection timed out; no servers could be reached

--

Looking at the query log on FC-WMDNS1, I see:

29-Jun-2010 16:35:39.386 queries: info: client 172.26.101.56#44428:
query: . IN NS -

--

There is no firewall between the machine that I ran dig on, and the
FC-WMDNS1 resolver.  

I'm not sure if this is relevant, but the resolver does support EDNS0:

$ dig @fc-wmdns1 +noall +comments +bufsize=1 query
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46378
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

--

Would someone mind giving me a hand in determining what is happening
here?  I'd be happy to provide more data if necessary.

Thanks,

Josh



RE: Authoritative Redundancy

2010-05-19 Thread Baird, Josh
Would there be any benefit in assigning them as additional masters for all of
my zones (in addition to DNS01), or would this just complicate the entire
environment?
 
Thanks


In article ,
 "Baird, Josh"  wrote:

> Hi,
>
> I currently have three authoritative servers in the RRset for my
> internal zones:
>
> NS  dns01.blah.com.
> NS  dns02.blah.com.
> NS  dns03.blah.com.
>
> DNS01 is the sole master for my internal zones.  I have a number of
> resolving DNS servers throughout my environment that contain slave
> definitions for my internal zones to override recursion.  These slave
> definitions use DNS01 as their master (only DNS01, not DNS02/03).
>
> zone "example.com." IN {
> type slave;
> masters { DNS01's_IP_ADDRESS; };
> file "hosts/slaves/example.com-hosts";
> };
>
> DNS02 and DNS03 also contain slave zones for all of my internal zones.
> Their master is also DNS01.
>
> My question is.. am I gaining anything by having DNS02/DNS03?  With
> DNS01 being my sole master, it doesn't seem like DNS02/DNS03 are
> providing any additional benefit.  How could I make a better use of
> DNS02/DNS03?  Recursion is disabled on them, and no clients directly
> query them; they query the numerous resolving DNS servers throughout the
> environment.

I think you can safely get rid of them.  With all your internal
resolvers running as stealth slaves for your zones, you don't need
published slaves.  NS records are only used by recursive servers.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***

Authoritative Redundancy

2010-05-19 Thread Baird, Josh
Hi,

I currently have three authoritative servers in the RRset for my
internal zones:

NS  dns01.blah.com.
NS  dns02.blah.com.
NS  dns03.blah.com.

DNS01 is the sole master for my internal zones.  I have a number of
resolving DNS servers throughout my environment that contain slave
definitions for my internal zones to override recursion.  These slave
definitions use DNS01 as their master (only DNS01, not DNS02/03).

zone "example.com." IN {
type slave;
masters { DNS01's_IP_ADDRESS; };
file "hosts/slaves/example.com-hosts";
};

DNS02 and DNS03 also contain slave zones for all of my internal zones.
Their master is also DNS01.

My question is.. am I gaining anything by having DNS02/DNS03?  With
DNS01 being my sole master, it doesn't seem like DNS02/DNS03 are
providing any additional benefit.  How could I make a better use of
DNS02/DNS03?  Recursion is disabled on them, and no clients directly
query them; they query the numerous resolving DNS servers throughout the
environment.

Thanks,

Josh


RE: Load Balancer for DNS

2010-04-05 Thread Baird, Josh
Load balancing can also be used just to provide high availability for
your caching/resolver servers.  Often times, even though a resolver
client will allow you to provide multiple resolving servers, if the
primary resolver goes down the delay until the next resolver is tried
often cripples applications.  We load balance our resolvers for this
reason.  If one goes down, the load balancer removes it from the load
balancing pool within seconds and the client keeps chugging right along
with no interruption.

DNS is easy to load balance because it is not persistent in nature.  We
use F5 BigIP's to load balance our resolvers, but a free solution like
LVS would be sufficient as well.

Thanks,

Josh

-Original Message-
From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Lightner, Jeff
Sent: Monday, April 05, 2010 10:04 AM
To: Alan Clegg; bind-users@lists.isc.org
Subject: RE: Load Balancer for DNS

That answer seems to imply that when load is high enough on existing
caching servers the traffic will go to the others.   Is that the case?
At what point does this occur?

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Alan Clegg
Sent: Monday, April 05, 2010 10:58 AM
To: bind-users@lists.isc.org
Subject: Re: Load Balancer for DNS

On 4/5/2010 2:06 AM, sasa sasa wrote:
> Hello everyone,
> 
> Any one used any load balancer for DNSs? any recommendation? it's 2
> caching-only DNSs, and I'd like to make a load balance between them
> using software.

I would recommend that before adding "load balancers" that you consider
the problem that you are actually attempting to solve.

For the cost of a "load balancing solution" you might be able to deploy
more caching servers that would probably work better in the long run..

AlanC


RE: what is a SPF (type 99) record and how do I implement?

2010-03-24 Thread Baird, Josh
You struggled to find anything about SPF?

http://www.zytrax.com/books/dns/ch9/spf.html

Josh

From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Security Admin (NetSec)
Sent: Wednesday, March 24, 2010 1:54 PM
To: bind-users@lists.isc.org
Subject: what is a SPF (type 99) record and how do I implement?

Struggled to find anything explicit on this subject via google to no
avail.  Best Explanation I could find was
http://www.enyo.de/fw/software/exim/spf-update.html#6

Currently hosts file looks like:

Mydomain.com        172800  IN TXT  "v=spf1 mx -all"
Mydomain.com        172800  IN SPF  "v=spf1 mx -all"
Mydomain.com        172800  IN MX   10 Mail.Mydomain.com
Mail.Mydomain.com   172800  IN A    vvv.xxx.yyy.zzz

Is this correct?  FYI not using DNSSEC

Thanks in advance!


RE: tcp versus udp

2009-05-04 Thread Baird, Josh
In addition, TCP is used for queries > 512 bytes.
 
Josh



From: bind-users-boun...@lists.isc.org on behalf of Eduardo Júnior
Sent: Mon 5/4/2009 8:35 PM
To: Martin McCormick
Cc: bind-us...@isc.org
Subject: Re: tcp versus udp



Hi,

On Mon, May 4, 2009 at 9:28 PM, Martin McCormick wrote:

   When are TCP DNS queries necessary?

   It was my understanding that clients could use TCP or UDP.

According to what I read, DNS queries are executed using UDP; only zone
transfers use TCP connections.

But still according to my reading, it's possible to do DNS queries
through TCP connections.

Read RFC 1035.
Everything will be more clear. :)


[]'s


-- 
Eduardo Júnior
GNU/Linux user #423272

:wq

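An added example (not code from any of the posters) that ties together three threads above: it sends the EDNS0 query that 'dig +bufsize' sends in "Unable to resolve several hosts" and reports the peer's advertised UDP size, retries over TCP when a UDP answer comes back truncated (the TC case behind this thread's TCP-versus-UDP question), and grades a resolver the way the health check described in "Load Balancer for DNS" needs to. The probe name and the verdict rules are this example's own assumptions.

```python
"""Minimal DNS prober (stdlib only): builds a query with an optional EDNS0 OPT
record, sends it over UDP, retries over TCP when the answer is truncated (TC),
and grades the result the way a load-balancer health check would. Added
example, not code from any poster; the verdict rules are this example's own."""
import os
import socket
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=TYPE_A, txid=None, edns_bufsize=None):
    """RD query for name/qtype; with edns_bufsize an OPT pseudo-RR advertising
    that UDP payload size is appended (what 'dig +bufsize=N' does)."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")  # unpredictable ID
    arcount = 0 if edns_bufsize is None else 1
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_bufsize is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-RCODE/
        # version/flags (all zero), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return msg

def skip_name(data, off):
    """Offset just past a possibly compressed name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(data):
    """Header flags, answer count and the peer's advertised EDNS0 UDP size."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "answers": an, "edns_udp_size": None}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["edns_udp_size"] = rclass      # CLASS field carries the size
    return info

def exchange(server, query, timeout=2.0, port=53, tcp=False):
    """One request/response over UDP, or over TCP with the 2-byte length prefix."""
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.settimeout(timeout)
        if not tcp:
            s.sendto(query, (server, port))
            return s.recvfrom(65535)[0]
        s.connect((server, port))
        s.sendall(struct.pack("!H", len(query)) + query)
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = s.recv(65535)
            if not chunk:
                raise ConnectionError("TCP answer cut short")
            buf += chunk
        return buf[2:2 + struct.unpack("!H", buf[:2])[0]]

def probe(server, name="www.noaa.gov", bufsize=4096, timeout=2.0):
    """EDNS0 query over UDP, TCP retry on TC. A timeout here while the same query
    with bufsize=None succeeds points at a middlebox dropping EDNS or >512-byte
    DNS packets, the ASA DNS-inspection pattern from the thread."""
    query = build_query(name, edns_bufsize=bufsize)
    try:
        info = parse_response(exchange(server, query, timeout))
        if info["tc"]:
            info = parse_response(exchange(server, query, timeout, tcp=True))
    except OSError:                      # socket.timeout and ConnectionError
        return {"status": "timeout"}
    except (ValueError, struct.error):
        return {"status": "malformed"}
    expected = int.from_bytes(query[:2], "big")
    info["status"] = "ok" if info["id"] == expected else "id-mismatch"
    return info

def verdict(info):
    """Pool-member health: answered, RA set (a real recursive resolver) and a
    definitive RCODE (NOERROR 0 / NXDOMAIN 3); SERVFAIL or silence fails it."""
    return info.get("status") == "ok" and info["ra"] and info["rcode"] in (0, 3)
```

Running probe() against a resolver once with bufsize=4096 and once with bufsize=None separates "EDNS packets are being dropped" from "the resolver is down"; exchange() needs network access, while parse_response() and verdict() work on captured bytes.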

RE: DNS Appliance

2009-03-25 Thread Baird, Josh
I can vouch for Men & Mice.  I currently have the enterprise version running
in an environment managing 2000+ domains and 15+ DNS servers.  Support is
great as well.

Josh 

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of da...@from525.com
Sent: Wednesday, March 25, 2009 12:19 PM
To: bind-users@lists.isc.org
Subject: Re: DNS Appliance


You may want to look into the Men & Mice suite.  I have been testing their
software for the last couple of months for consideration at our site.  The
suite offers a windows GUI client, CLI & web interface.  An agent gets
installed on each server hosting BIND and their suite will manage the
servers accordingly.  The pricing doesn't seem that bad either.


On Wed, 25 Mar 2009 12:09:35 -0400, "John D. Vo"  wrote:
> I am running Bind on two Solaris servers. It's pretty much command line, 
> old school.
> I can see some GUI with Webmin but that's probably not as pretty as the 
> appliances.
> My boss wants "visibility" so I'm looking. eh. meh. :)
> 
> Thanks.
> 
> Gainey, Joe (AT - Atlanta) wrote:
>> blue cat Adonis/XMB provide a great GUI interfaces for dns power users
>> with enough intuitive widgets for dns novices.  they have been fairly
>> stable and easy to manage and their support has been knowledgeable. 
>>
>> -Original Message-
>> From: bind-users-boun...@lists.isc.org
>> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John D. Vo
>> Sent: Wednesday, March 25, 2009 11:41 AM
>> To: bind-users@lists.isc.org
>> Subject: DNS Appliance
>>
>> Anyone has experience (good or bad) with a dns appliance?
>>
>> Bluecatnetwork
>> infoblox
>> infoweapons..
>>
>> Thanks.
>>
>>

RE: DNS Appliance

2009-03-25 Thread Baird, Josh
Not an appliance, but has a nice offering including a MMC-ish console and
Web GUI.

Josh

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Gainey, Joe (AT -
Atlanta)
Sent: Wednesday, March 25, 2009 10:43 AM
To: j...@eagle.net; bind-users@lists.isc.org
Subject: RE: DNS Appliance

blue cat Adonis/XMB provide a great GUI interfaces for dns power users
with enough intuitive widgets for dns novices.  they have been fairly
stable and easy to manage and their support has been knowledgeable. 

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of John D. Vo
Sent: Wednesday, March 25, 2009 11:41 AM
To: bind-users@lists.isc.org
Subject: DNS Appliance

Anyone has experience (good or bad) with a dns appliance?

Bluecatnetwork
infoblox
infoweapons..

Thanks.

-- 


Best Regards,

John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell: (212) 200-3016

---



RE: Case For Microsoft DNS v. BIND 9 - Or Best Practices For Coexisting

2009-02-07 Thread Baird, Josh
Actually, yes, if you have dynamic DNS registration enabled on the client/host 
and server, an 'A' record will automatically be created in the AD zone.
 
Josh



From: bind-users-boun...@lists.isc.org on behalf of Danny Mayer
Sent: Sat 2/7/2009 2:29 PM
To: wiskbr...@hotmail.com
Cc: bind-users@lists.isc.org
Subject: Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices For Coexisting



wiskbr...@hotmail.com wrote:
> The case the windows team made was ease of adding entries, you simply
> add into the MMC, or even easier, when you join a host into a domain, it
> adds itself.
>

This is not even true. To add a host to a domain you have to register it
manually, either by going into ADS and adding it or a Domain
Administrator has to enter it on the machine using his/her administrator
password. There's nothing automatic about this.

Danny


RE: Case For Microsoft DNS v. BIND 9 - Or Best Practices For Coexisting

2009-02-06 Thread Baird, Josh
In my case, we let AD/MSDNS do dynamic updates.. no dynamic updates are
necessary with BIND.  Not sure I understand your "split" lookups - but your
external authoritative nameservers should NOT allow recursion.

Josh

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of wiskbr...@hotmail.com
Sent: Friday, February 06, 2009 9:09 AM
To: jlight...@water.com; bind-users@lists.isc.org
Subject: RE: Case For Microsoft DNS v. BIND 9 - Or Best Practices
ForCoexisting


Thanks for the reply.  My DMZ, or external lookups, are all performed via
one of six BIND-9 servers.

The product that we use is based on BIND-8, though they've recently come out
with a BIND-9 version.

If I "split" my lookups and have internal lookups pointed at the MS DNS
servers, and non-authoritative lookups to my external servers (running
BIND-9), then shouldn't this address the issues you spoke of?

How are you able to allow for the windoze boxes to automatically add
entries? In other words, a strong case they made is that they must presently
maintain two databases, AD *and* DNS.  With MS DNS, they say, this is not
the case whereby when you add an entry or join a host, that entry is
automatically added in DNS.  

Is there a way to do this in BIND?

Thanks again,

.vp



> Subject: RE: Case For Microsoft DNS v. BIND 9 - Or Best Practices For
Coexisting
> Date: Fri, 6 Feb 2009 09:49:42 -0500
> From: jlight...@water.com
> To: wiskbr...@hotmail.com; bind-users@lists.isc.org
>
> I don't see why it is either/or.
>
> Here we have Windoze DNS servers for internal lookups and Linux/BIND 9
> DNS servers for external lookups. The internal servers refer all
> queries they aren't authoritative for to the external ones which in turn
> refer all queries for domains we don't own to the root servers.
>
> The only "gotcha" is that we have some domains that we want to present
> different IPs for internally (10.x.x.x) or externally (12.x.x.x). On
> the Windoze DNS servers they have our primary domain with those internal
> addresses and on the BIND DNS servers we have those external addresses.
>
>
> Of course you could do it all with just BIND servers running views but
> this is the way I inherited the BIND servers here.
>
> We don't seem to have the headaches your Windoze team is moaning about.
> Hopefully you are running redundant (master/slave) BIND servers?
>
> Also I'd suggest upgrading to BIND 9 once you've got all the rest of
> this quieted down.
>
> -Original Message-
> From: bind-users-boun...@lists.isc.org
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
> wiskbr...@hotmail.com
> Sent: Friday, February 06, 2009 9:25 AM
> To: bind-users@lists.isc.org
> Subject: Case For Microsoft DNS v. BIND 9 - Or Best Practices For
> Coexisting
>
>
>
> Hello;
>
> My site is presently using a product derived from BIND-8 for internal
> DNS only.
>
> For years our Windows team has been arguing that they want to be
> non-dependent on the non-MS DNS servers; which they say causes them much
> grief on firmwide shutdown/bootups.
>
> Well, their concerns have fallen on ears of those who can make that
> decision and it now appears as though we must either come up with good
> reasons why we should retain BIND, or a BIND derived product, or simply
> a plan to allow MSDNS and BIND to coexist at all.
>
> Can anyone provide me, or point me at, any good docs on this subject, I
> am certain that there are tons of stuff out there, I need simple, to the
> point type of stuff.
>
> Also, can anyone think of any good reason why our internal, non-public
> accessible network, should not just be allowed to run either a mixed
> BIND/MS-DNS setup? The slave/cache/whatever-but not master, would have
> to be BIND.
>
>
> The case the windows team made was ease of adding entries, you simply
> add into the MMC, or even easier, when you join a host into a domain, it
> adds itself.
>
> Thanks all,
>
> .vp
>

RE: Case For Microsoft DNS v. BIND 9 - Or Best Practices ForCoexisting

2009-02-06 Thread Baird, Josh
We also run in a mixed MSDNS/BIND environment.  All of our AD domain
controllers run MSDNS and are authoritative for the AD domain only.  They
forward all non-authoritative requests (all non AD domain queries) to
caching BIND9/Linux servers which also contain slave zones for all of our
internal domains (non AD) to override recursion.  Our BIND environment also
gets a copy of the AD zone so they are also able to resolve the AD domain
requests if necessary. 

Our external authoritative infrastructure is entirely BIND.  We do not use
views.  We have separate internal and external (stealth) masters.

Josh

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jeff Lightner
Sent: Friday, February 06, 2009 8:50 AM
To: wiskbr...@hotmail.com; bind-users@lists.isc.org
Subject: RE: Case For Microsoft DNS v. BIND 9 - Or Best Practices
ForCoexisting

I don't see why it is either/or.

Here we have Windoze DNS servers for internal lookups and Linux/BIND 9
DNS servers for external lookups.   The internal servers refer all
queries they aren't authoritative for to the external ones which in turn
refer all queries for domains we don't own to the root servers.

The only "gotcha" is that we have some domains that we want to present
different IPs for internally (10.x.x.x) or externally (12.x.x.x).  On
the Windoze DNS servers they have our primary domain with those internal
addresses and on the BIND DNS servers we have those external addresses.


Of course you could do it all with just BIND servers running views but
this is the way I inherited the BIND servers here.  

We don't seem to have the headaches your Windoze team is moaning about.
Hopefully you are running redundant (master/slave) BIND servers?

Also I'd suggest upgrading to BIND 9 once you've got all the rest of
this quieted down.  

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of
wiskbr...@hotmail.com
Sent: Friday, February 06, 2009 9:25 AM
To: bind-users@lists.isc.org
Subject: Case For Microsoft DNS v. BIND 9 - Or Best Practices For
Coexisting



Hello;

My site is presently using a product derived from BIND-8 for internal
DNS only.

For years our Windows team has been arguing that they want to be
non-dependent on the non-MS DNS servers; which they say causes them much
grief on firmwide shutdown/bootups. 

Well, their concerns have fallen on ears of those who can make that
decision and it now appears as though we must either come up with good
reasons why we should retain BIND, or a BIND derived product, or simply
a plan to allow MSDNS and BIND to coexist at all.

Can anyone provide me, or point me at, any good docs on this subject, I
am certain that there are tons of stuff out there, I need simple, to the
point type of stuff.

Also, can anyone think of any good reason why our internal, non-public
accessible network, should not just be allowed to run either a mixed
BIND/MS-DNS setup?  The slave/cache/whatever-but not master, would have
to be BIND. 


The case the windows team made was ease of adding entries, you simply
add into the MMC, or even easier, when you join a host into a domain, it
adds itself.

Thanks all,

.vp

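
A check for the rule Josh states in both of his replies above (an authoritative server facing the Internet must not allow recursion), as an added example that is not from the thread: it audits a constructed named.conf for views that serve every client yet still recurse. It assumes POSIX awk, one statement per line, and made-up zone names and addresses.

```shell
#!/bin/sh
# Added example, not from the thread: flag views that serve all clients
# and still allow recursion, which is the misconfiguration Josh warns
# about for external authoritative servers. The named.conf below is
# constructed; assumes POSIX awk and one statement per line.

SAMPLE_NAMED_CONF='options {
  directory "/var/named";
  recursion no;
};
view "internal" {
  match-clients { 10.0.0.0/8; };
  recursion yes;
  zone "corp.example.com" { type slave; masters { 10.0.0.10; }; file "slaves/corp"; };
};
view "external" {
  match-clients { any; };
  recursion yes;
  zone "example.com" { type slave; masters { 10.0.0.20; }; file "slaves/ext"; };
};'

# Print "<scope> <value>" for the recursion setting of the options block
# and of every view, in file order.
recursion_by_scope() {      # stdin = named.conf
  awk '
    /^[ \t]*options[ \t]*[{]/ { scope = "options"; next }
    /^[ \t]*view[ \t]+"/      { scope = $2; gsub(/"/, "", scope); next }
    /^[ \t]*recursion[ \t]+/  { v = $2; sub(/;.*/, "", v); print scope, v }'
}

# Name every view that matches all clients and still has "recursion yes";
# exit 1 when there is at least one. A view without match-clients matches
# everyone, so a view starts out as open.
flag_open_recursion() {     # stdin = named.conf
  awk '
    /^[ \t]*view[ \t]+"/   { scope = $2; gsub(/"/, "", scope); open[scope] = 1 }
    /^[ \t]*match-clients/ { open[scope] = ($0 ~ /[{][ \t]*any;/) }
    /^[ \t]*recursion[ \t]+yes/ && open[scope] { print scope; bad = 1 }
    END { exit bad }'
}
```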

RE: BIND9 Logging

2009-01-21 Thread Baird, Josh
Good point.. didn't even think to use tcpdump.

Thanks,

Josh

-Original Message-
From: Doug Barton [mailto:do...@dougbarton.us] 
Sent: Wednesday, January 21, 2009 3:51 PM
To: Baird, Josh
Cc: bind-us...@isc.org
Subject: Re: BIND9 Logging

Baird, Josh wrote:
> I have one instance of named that is listening on multiple IPs.  I am
> looking to see how many queries are destined to one of those IPs that
> named is listening on. 

IMO it would actually be easier to do this with tcpdump. Interesting
idea for named's logs though 


Doug



BIND9 Logging

2009-01-21 Thread Baird, Josh
I have one instance of named that is listening on multiple IPs.  I am
looking to see how many queries are destined to one of those IPs that named
is listening on.  I do have query logging enabled,  but I don't see it
revealing the destination interface.  Is there a way to make it log this as
well?  This is the most current version of BIND9 in the EL5 repos.

 

channel querylog {
    file "/etc/dns/query.log";
    severity info;
    print-category yes;
    print-severity yes;
    print-time yes;
};

 

Thanks,

 

Josh
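
Doug's tcpdump route for the question above, as an added example that is not from the thread: a capture taken on the named host records which listening address each query arrived on, which the query log does not. The capture lines are constructed in the default "tcpdump -n" text format; the functions assume IPv4 and POSIX awk.

```shell
#!/bin/sh
# Added example, not from the thread: count queries per listening address
# from "tcpdump -n" text, since named's query log does not record the
# destination address. Assumes IPv4 and POSIX awk.

# Constructed capture lines, as "tcpdump -n -i any port 53" prints them:
# queries go TO port 53, answers come FROM it.
SAMPLE_CAPTURE='12:00:01.000001 IP 10.1.1.5.51234 > 10.0.0.2.53: 1234+ A? www.example.com. (33)
12:00:01.000002 IP 10.0.0.2.53 > 10.1.1.5.51234: 1234 1/0/0 A 192.0.2.10 (49)
12:00:01.000003 IP 10.1.1.6.40001 > 10.0.0.3.53: 5+ A? mail.example.com. (34)
12:00:01.000004 IP 10.1.1.7.40002 > 10.0.0.2.53: 6+ AAAA? www.example.com. (33)
12:00:01.000005 IP 10.1.1.8.40003 > 10.0.0.3.53: 7+ PTR? 2.0.0.10.in-addr.arpa. (40)'

# Keep packets whose destination is port 53 (field 5, "addr.53:"), strip
# the port, tally by address. Output: "<address> <count>", one per line.
count_queries_by_listener() {   # stdin = tcpdump -n text
  awk '$2 == "IP" && $5 ~ /\.53:$/ {
         dst = $5; sub(/\.53:$/, "", dst)
         n[dst]++
       }
       END { for (d in n) print d, n[d] }' | sort
}

# Queries seen for one listening address (0 when it never appears).
queries_to_listener() {         # $1 = address, stdin = tcpdump -n text
  count_queries_by_listener | awk -v a="$1" '$1 == a { c = $2 } END { print c + 0 }'
}

# Live use on the named host (needs capture privileges); -c bounds the
# capture so the sort at the end of the pipeline can finish:
#   tcpdump -n -i any -c 10000 dst port 53 | count_queries_by_listener
```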

 




Establishing a backup primary-master

2009-01-13 Thread Baird, Josh
I am in the process of developing a DR (disaster recovery) plan for my primary 
masters.  Could someone please confirm (or correct me) that a second server in 
the "masters {}" statement of a slave zone will only be used in the event that 
the first master cannot be reached?  Example:
 
zone "example.com" {
    type slave;
    masters {
        1.1.1.1; // primary-master
        2.2.2.2; // primary-master backup
    };
};
 
I only want 2.2.2.2 to be used when 1.1.1.1 is not available.
 
I plan on writing a script to add the primary-master backup's IP address to the 
masters statement of all slave zones as well as replacing "type: slave;" with 
"type: master;" and removing the masters {} statement from the primary-master 
backup zones (which are currently slave zones) which will become master zones 
in the event of a failure.
 
All servers are running the most current EL5 BIND package.
 
Any input or suggestions?

Thanks!

Josh Baird
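
The two rewrites the DR script above describes, as an added example that is not Josh's script: adding the backup master to every slave zone's masters statement, and promoting the slave zones on the backup itself to master. It runs over a constructed named.conf fragment and assumes POSIX awk and that each masters statement sits on one line.

```shell
#!/bin/sh
# Added example, not Josh's script: the two edits his DR plan describes,
# applied to a constructed named.conf fragment. Assumes POSIX awk; the
# append step assumes each masters statement fits on one line.

# Constructed sample: two slave zones as they sit on a secondary today.
SAMPLE_CONF='zone "example.com" {
  type slave;
  file "slaves/example.com";
  masters { 1.1.1.1; };
};
zone "example.net" {
  type slave;
  file "slaves/example.net";
  masters { 1.1.1.1; };
};'

# On every server that stays a slave: place the backup master after the
# primary, so it comes later in the list named works through. Safe to
# rerun: a masters line that already names the address is left alone.
add_backup_master() {      # $1 = backup master IP, stdin = named.conf
  awk -v ip="$1" '
    /^[ \t]*masters[ \t]/ && index($0, ip) == 0 {
      sub(/};[ \t]*$/, ip "; };")   # "{ 1.1.1.1; };" -> "{ 1.1.1.1; 2.2.2.2; };"
    }
    { print }'
}

# On the backup itself: promote slave zones to master and drop the masters
# statement, which a master zone must not carry (single- or multi-line).
promote_to_master() {      # stdin = named.conf
  awk '
    /^[ \t]*type[ \t]+slave;/ { sub(/slave/, "master") }
    /^[ \t]*masters[ \t]/     { if ($0 !~ /}/) skip = 1; next }
    skip                      { if ($0 ~ /}/) skip = 0; next }
    { print }'
}
```

Both functions read named.conf on stdin and write the rewritten text to stdout, so the result can be checked with named-checkconf before it replaces the live file.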

RE: Question about Records not authoritative for

2008-12-11 Thread Baird, Josh
You could just create an authoritative zone for the domain on your internal
view to override recursion.  You can then create a wildcard 'A' record or
such to resolve to 127.0.0.1, etc.

 

Josh

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Casartello, Thomas
Sent: Thursday, December 11, 2008 10:25 AM
To: '[EMAIL PROTECTED]'
Cc: Childs, Aaron
Subject: Question about Records not authoritative for

 

I was wondering if Bind allows you to override certain records for zones we
are not authoritative for. Essentially we have a virus that some users have
been infected with, and we want to temporarily block out the domain name of
the server that this virus connects to to send its information out.
(Basically by having this domain name point to 127.0.0.1) I know it is a
protocol violation, but I was just wondering if it is possible to do this
and what would be the best way of going about it. We essentially have two
servers with two views. One view serves our DNS zones to the outside world
(With recursion disabled) and the other performs recursive queries for our
on campus users. Obviously we would only be doing this on our internal view.

 

Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College
(413) 572-8245

Red Hat Certified Technician (RHCT)


