Re: Unable to query the nameserver
it's as if they think hackers' main source of targets comes from here. doesn't appear to really want any help anyway.

-g

On Oct 4, 2010, at 8:35 PM, Noel Butler wrote:

On Mon, 2010-10-04 at 17:29 -0500, Lyle Giese wrote:

Dotan Cohen wrote:

The ports aren't blocked as another site (example.eu) hosted on the 1.1.1.1 server works fine. The working site has both nameservers pointed to that same server (on two different IP addresses on eth0 and eth0:0). Only the example.de site which has one nameserver on the 1.1.1.1 machine and the second nameserver on 1.1.2.2 is giving me a headache.

I would like to help but since you are refusing to post the real ip address or the real hostnames or the real domain names involved, I can not. I could do some testing from here to see if your firewall was configured correctly or what the view was from outside your network. But I can not.

Quite right, too many people with paranoia come here looking for help but refuse to let us do correct remote testing. First post was 7.08am local, it's 3 /12 hours later and we still have no real info, had it been supplied his problem may have been identified and resolved 3 hours ago.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Unable to query the nameserver
someone with way more bind clues than I would be able to give you a better answer. the error returned begs two questions..

1. is this server behind or running a local firewall?
2. is bind actually listening on the proper interface?

you could confirm #2 by typing 'nslookup ns1.example.de 1.1.1.1' where 1.1.1.1 is the ip of the local machine (you could even do this on another machine, it's telling the resolver to use 1.1.1.1 as the name server for initial queries, if it works internally, try an exterior machine to run the command on). it should return your A RR.

also you could try typing

netstat -an | grep \:53\ | grep LIST

and see if it's listening on the proper interface.

do the logs complain about any zones? something like not loading zone X..

good luck with things,
-g

From:
Sent: Monday, October 04, 2010 5:08 PM
To: bind-users@lists.isc.org
Subject: Unable to query the nameserver

I am configuring BIND on two servers: ns1.example.de on a server with IP address 1.1.1.1 and ns2.example.de on a server with IP address 1.1.2.2. BIND starts fine on both servers, but when I try to configure my domain name in the registrar's control panel I get this error:

Error : Unable to query the nameserver ns1.example.de

Of course
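The listener check suggested in the message above, as an added example that is not part of the original post: a shell function that reads `netstat -an` text and reports, for TCP and UDP separately, whether a socket on port 53 would accept queries sent to a given address (UDP sockets carry no LISTEN state, so a filter on that word alone never shows them). The function name and the sample netstat output are constructed; 1.1.1.1 is the placeholder address used in the thread.

```shell
#!/bin/sh
# Added example. Constructed `netstat -an` output from a host where named
# is bound to loopback only (a common cause of "unable to query").
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 1.1.1.1:40112           192.0.2.53:53           ESTABLISHED
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*'

# dns_listener_covers ADDR  (hypothetical helper name)
# Reads netstat -an text on stdin, prints "tcp=yes|no udp=yes|no".
dns_listener_covers() {
    awk -v want="$1" '
        # Columns: Proto Recv-Q Send-Q Local Foreign [State]
        $1 ~ /^(tcp|udp)/ {
            n = split($4, part, ":")
            if (part[n] != "53") next              # local port must be exactly 53
            addr  = substr($4, 1, length($4) - 3)  # drop the trailing ":53"
            proto = substr($1, 1, 3)               # tcp6/udp6 fold into tcp/udp
            if (proto == "tcp" && $6 != "LISTEN") next
            # A socket covers ADDR if bound to it or to the IPv4 wildcard
            if (addr == want || addr == "0.0.0.0") hit[proto] = 1
        }
        END {
            printf "tcp=%s udp=%s\n", (hit["tcp"] ? "yes" : "no"), (hit["udp"] ? "yes" : "no")
        }'
}

# Run against the constructed sample; on a live host pipe in `netstat -an`.
printf '%s\n' "$SAMPLE_NETSTAT" | dns_listener_covers 1.1.1.1
```

A result of `tcp=no udp=no` for the public address while the loopback address reports `yes` points at the listen configuration rather than at a firewall.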
Re: repository for zone files
they (the distro maintainers) could not agree to put anything in the same place if the world's sanity depended on it. /var/named /srv/bind /etc/bind /var/lib/named /usr/local/named it's all over the place. myself i just create links from /var/named (which is where I think it was found on most commercial UNIX's I've used, IRIX admin here..) to wherever they decided to stick it.

That being said, if you build it from source (which I'd be inclined to do if not using a linux with a support contract), you can pass the path to configure and place it anywhere you wish with zero functionality loss.

(it's a bunch of my way makes sense, i'll pee in this corner, it's mine now). it's UNIX fragmentation all over again. 8)

rant off, sorry
-g

On Sep 23, 2010, at 4:01 PM, Michael Sinatra wrote:

On 09/23/10 12:53, Stewart Dean wrote:

On AIX, I'm used to /etc/dns. CentOS seems to place in /var/named. Is there any blessed, bestofallpossibleworlds place for the zone files. I'm moving our DNS from AIX to CentOS/Fedora. I'm inclined to create the /etc/dns dir but maybe it'd be better to put it in /var/named. Comments, brickbats?

I have always found it to be a good idea to do what the OS wants. Many OSes now are set up to run bind in a chroot jail (a good thing), but this requires a specific directory structure. If your OS has already set that up (and if the startup scripts work with that structure), then it's best to keep them that way. Probably the ideal thing to do is use the OS defaults and then symlink your previous directory structure to the OS defaults as necessary to maintain compatibility with your in-house scripts and processes.

michael
Re: My ISP's private address space has dns entries available on the public net , is this right ?
I'd say no, and your ISP may need to gain a working knowledge of bind views if they need to resolve 1812 addresses for their own needs without affecting customers who are using the ISP DNS servers as their resolver.

the way you could fix this without their involvement is to bring up your own DNS server which is master for the zone you are using internally. any queries it can't answer will only then be forwarded off to your ISP.

-g

On Aug 9, 2010, at 8:09 PM, donovan jeffrey j wrote:

Greetings

my isp has some private address space which has dns resolution and can be queried from the outside world. I asked them about this because we use this private address space and it is showing up in our DNS lookups. here was their response;

I've discussed this with our systems administrators and have been told that this is performing as expected. ISP DNS servers do contain information about private addresses that are in use on our network. If you are utilizing our DNS servers, you will see resolution of private IPs to ISP hostnames when appropriate. That will not occur using external DNS servers. You will see resolution of PTD hostnames to private IPs from external servers, but not IP resolution to hostnames. As long as reverse DNS (IP to hostname) is not propagating, things are functioning normally.

so even from google public dns i see lookups that refer back to a private address space on my ISP's net. is that right ?

-j
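A check an operator could run over zone data that is served to the public, as an added example that is not part of the original thread: it lists A records whose targets fall in private (RFC 1918) address space, the condition the question above describes. The function name, the zone contents and the example.net names are constructed, and the parser assumes one record per line.

```shell
#!/bin/sh
# Added example. Constructed zone data; names and addresses are made up.
SAMPLE_ZONE='$TTL 3600
@        IN SOA ns1.example.net. hostmaster.example.net. 1 3600 600 86400 300
www      IN A   192.0.2.10
core-rtr IN A   10.20.30.1      ; internal router
         IN A   172.16.4.9
mail 300 IN A   172.32.0.5
cpe      IN A   192.168.1.1'

# private_a_records  (hypothetical helper name)
# Reads zone-file text on stdin, prints "owner address" for every A record
# whose address is inside 10/8, 172.16/12 or 192.168/16.
private_a_records() {
    awk '
        { sub(/;.*/, "") }                 # strip zone-file comments
        NF == 0 { next }
        /^\$/   { next }                   # $TTL, $ORIGIN and other directives
        /^[^ \t]/ { owner = $1; first = 2 } # line starts with an owner name
        /^[ \t]/  { first = 1 }             # owner inherited from previous record
        {
            for (i = first; i < NF; i++) {
                if ($i != "A") continue
                split($(i + 1), o, ".")
                if (o[1] == 10 ||
                    (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
                    (o[1] == 192 && o[2] == 168))
                    print owner, $(i + 1)
                break
            }
        }'
}

# Run against the constructed sample; on a real server feed it the zone file
# that backs the externally visible view.
printf '%s\n' "$SAMPLE_ZONE" | private_a_records
```

172.32.0.5 is deliberately in the sample: it sits just outside 172.16/12 and must not be reported.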
Re: error on start: initializing DST: no engine (v9.7.0-P2)
Hi Cathy and thanks for the reply.

I stole the options from what the previous binary being replaced was built with. It's a redhat system, thought I'd try and keep things the same as much as possible. Later on that day I stripped the options down to just path preferences and a few others, the error went away.

thanks again and have a great day,
greg

On Jun 14, 2010, at 6:25 AM, Cathy Almond wrote:

Greg Whynott wrote:

sorry, forgot the subject. not very good on my first posting

Hello,

I'm seeing an unfamiliar error while attempting to start a newly built from source named instance. I've searched on the net and within the bind-user list without luck, DST returns lots of hits, but nothing with named DST. hoping someone here might know what it's about. Is it really Day Light related?

thanks much for your time,
greg

the error:

[r...@fido ~]# /etc/init.d/named start
Starting named:[FAILED]
[r...@fido ~]# grep named /var/log/messages
Jun 13 10:20:00 fido named[2430]: starting BIND 9.7.0-P2 -u named
Jun 13 10:20:00 fido named[2430]: built with '--build=i386-redhat-linux-gnu' '--host=i386-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-pkcs11=/usr/lib/pkcs11/PKCS11_API.so' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=i386-redhat-linux-gnu' 'host_alias=i386-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables' 'CPPFLAGS= -DDIG_SIGCHASE'
Jun 13 10:20:00 fido named[2430]: adjusted limit on open files from 1024 to 1048576
Jun 13 10:20:00 fido named[2430]: found 2 CPUs, using 2 worker threads
Jun 13 10:20:00 fido named[2430]: using up to 4096 sockets
Jun 13 10:20:00 fido named[2430]: initializing DST: no engine
Jun 13 10:20:00 fido named[2430]: exiting (due to fatal error)

No - not daylight saving time :-)

It's the Digital Signature Toolkit subsystem (it interfaces between BIND and the cryptography it uses). The error is reported from ~/bin/named/server.c during the initialization/startup phase because an error is returned from the call to dst_lib_init2(). This function initializes the DST subsystem - you can find it in ~/lib/dns/dst_api.c. What api calls it makes depends on what options named was built with.

Looking at the long list of options passed to configure I would first hazard a guess that something is missing from your environment that named is expecting because of how it has been built. Are these all configure options that you selected manually? For example, --with-pkcs11=... is one likely candidate to cause problems if you're not going to be using a PKCS#11 interface to a hardware module.

A good rule with configure is always to use the defaults except where you definitely know why you need something different.

Hope this helps.

Cathy
[no subject]
Hello,

I'm seeing an unfamiliar error while attempting to start a newly built from source named instance. I've searched on the net and within the bind-user list without luck, DST returns lots of hits, but nothing with named DST. hoping someone here might know what it's about. Is it really Day Light related?

thanks much for your time,
greg

the error:

[r...@fido ~]# /etc/init.d/named start
Starting named:[FAILED]
[r...@fido ~]# grep named /var/log/messages
Jun 13 10:20:00 fido named[2430]: starting BIND 9.7.0-P2 -u named
Jun 13 10:20:00 fido named[2430]: built with '--build=i386-redhat-linux-gnu' '--host=i386-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-pkcs11=/usr/lib/pkcs11/PKCS11_API.so' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=i386-redhat-linux-gnu' 'host_alias=i386-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables' 'CPPFLAGS= -DDIG_SIGCHASE'
Jun 13 10:20:00 fido named[2430]: adjusted limit on open files from 1024 to 1048576
Jun 13 10:20:00 fido named[2430]: found 2 CPUs, using 2 worker threads
Jun 13 10:20:00 fido named[2430]: using up to 4096 sockets
Jun 13 10:20:00 fido named[2430]: initializing DST: no engine
Jun 13 10:20:00 fido named[2430]: exiting (due to fatal error)