Re: DNS Flag Day: I had to open the TCP/53 port
Ben, thanks a lot!!!

Regards

On Mon, Feb 4, 2019 at 11:04 AM Ben Croswell wrote:
> When a DNS response is too large to fit in a single UDP packet (512 bytes, up to 4k with EDNS), the DNS server will respond with as much as it can fit in the UDP packet. It will also set the truncate (TC) bit to let the client doing the query know that the answer is truncated and that the client should query again over TCP for the full answer.
>
> The TC bit is also used in conjunction with RRL.
>
> On Mon, Feb 4, 2019, 8:57 AM Roberto Carna wrote:
>> Thanks Ben for your response. Can you tell me the types of TCP traffic I have to expect in BIND, excepting Zone Transfer?
>>
>> Thanks a lot again!!!
>>
>> On Mon., 4 Feb. 2019 at 10:50, Ben Croswell () wrote:
>>> BIND has always required UDP and TCP 53 for proper functionality. It is sometimes mistakenly believed that TCP is only for zone transfers, but that is not the case.
>>>
>>> On Mon, Feb 4, 2019, 8:46 AM Roberto Carna wrote:
>>>> Dear, I have a BIND 9.10 public server and I have delegated some public domains. When I test these domains with the EDNS tool offered on the DNS Flag Day webpage, the test failed with just the UDP/53 port open to the Internet. After that, when I also opened the TCP/53 port, the test was successful. Please can you explain to me the reason I have to open the TCP/53 port to the Internet from February 1st onward???
>>>>
>>>> Really thanks, regards.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
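The behaviour Ben describes above (a UDP answer cut short with the TC bit set, and the client re-asking the same question over TCP/53), as an added example that is not part of the thread and not BIND code. It builds a plain and an EDNS0 query with only the Python standard library, reads the header flags of a constructed truncated response, and shows the 2-byte length framing DNS uses over TCP. The query name, the sample response and the 1232-byte EDNS buffer size are assumptions made for the example; query_with_tcp_fallback does a real network lookup against whatever server you pass it and is only there to show the full sequence a resolver goes through.

```python
"""Added example (not from the bind-users thread): what the TC bit means to a
client and why blocking TCP/53 breaks resolution of large answers."""
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100   # header flag bits (RFC 1035)


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qid: int = 0x1234, edns_size: int = 0) -> bytes:
    """A recursive A query. With edns_size > 0 an OPT RR advertises a UDP
    buffer larger than the classic 512 bytes (Ben's 'up to 4k with edns')."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1 if edns_size else 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    opt = b""
    if edns_size:
        # OPT RR: root name, type 41, class = requestor's UDP payload size,
        # TTL = extended RCODE/version/flags (all zero), RDLEN 0.
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; TC is bit 9 of the flags word."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(response: bytes) -> bool:
    """True when the server set TC: the UDP answer is incomplete and the same
    query must be repeated over TCP/53. Using the partial answer is the bug."""
    return parse_header(response)["tc"]


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(buf: bytes) -> bytes:
    """Inverse of frame_for_tcp for a fully received TCP message."""
    (length,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + length:
        raise ValueError("short read: TCP message not complete")
    return buf[2:2 + length]


def query_with_tcp_fallback(server: str, name: str, timeout: float = 3.0) -> bytes:
    """UDP first; if the reply is truncated, repeat the query over TCP.
    (Network call, not exercised offline; 'server' is whatever you test against.)"""
    q = build_query(name, edns_size=1232)          # 1232 is an assumed buffer size
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(q, (server, 53))
        resp, _ = udp.recvfrom(4096)
    if not needs_tcp_retry(resp):
        return resp
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(frame_for_tcp(q))
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = tcp.recv(4096)
            if not chunk:
                raise ConnectionError("server closed TCP/53 mid-message")
            buf += chunk
    return unframe_from_tcp(buf)


# Constructed sample: the reply a server sends when the answer does not fit.
# QR and TC are set and the answer section has been dropped (ANCOUNT 0).
# A client that cannot reach TCP/53 is stuck with exactly this.
TRUNCATED_RESPONSE = (struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0)
                      + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN))

if __name__ == "__main__":
    print(parse_header(TRUNCATED_RESPONSE))
    print("retry over TCP:", needs_tcp_retry(TRUNCATED_RESPONSE))
    print("TCP frame:", frame_for_tcp(build_query("example.com")).hex())
```

On a live server the same check is `dig @server name +tcp`: if TCP/53 is filtered that query times out while the UDP one succeeds, which is what the Flag Day tester reports. Note that the fallback is triggered by the server, not the client: any answer too big for the advertised buffer (large TXT or DNSKEY sets, DNSSEC-signed responses) will come back truncated, so TCP/53 has to be reachable for ordinary resolution, not just for zone transfers.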
Forwarding request to another DNS server but the same domain
Dear, I would like to ask for a solution related to DNS (bind) configuration to allow forwarding requests to another DNS server, but for the same domain.

I'm asking about two authoritative name servers serving the same domain but with different zone file info on each, and having one of them forward recursive queries to the other one if the first one cannot find some particular subdomain record that is missing in its version of the zone file.

My named.conf.local is as follows, but it doesn't work:

    zone "company.com" {
        type master;
        file "/etc/bind/zones/company.com.db";
        allow-transfer { key company; };
        check-names ignore;
        forward first;
        forwarders { 172.16.1.1; };
    };

Thanks a lot,
JeLo
Re: Forwarding request to another DNS server but the same domain
Dear John, this is my scenario:

1) Office 1: people work with some machines and fill up a local master zone company.com with records in DNS1
2) Office 2: people work with some other machines and fill up a local master zone company.com with other records in DNS2

So both offices have a different master zone. Both offices belong to the same company, so I need any client PC to be able to resolve a hostname from the company.com domain, independently of whether this record is in DNS1 or DNS2.

Thanks again, regards.
JeLo

On Wed, Apr 30, 2014 at 5:21 PM, John Miller johnm...@brandeis.edu wrote:
> Hi Jeronimo,
>
> First of all, please just tell us the real domain. Yes, we could try and talk about a fictitious example.com or company.com, but having the real domain name lets us actually query your nameservers.
>
> Let me be sure I understand: you have two DNS servers. Each of them is authoritative for the same domain. Are both set as master? The two servers have different copies of the zone--what's your reason for that?
>
> If both servers think they are authoritative for a zone, then they will answer recursive queries for those zones themselves. From the manual: "Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache."
>
> What exactly are you trying to achieve?
>
> John
>
> --
> John Miller
> Systems Engineer
> Brandeis University
> johnm...@brandeis.edu
> (781) 736-4619
Re: Forwarding request to another DNS server but the same domain
In office #1, the company.com master zone is updated automatically from some Windows machines in DNS1, and in office #2 the same zone is updated manually in DNS2 by the administrator, who shouldn't update (using freeze and unfreeze) the master zone from office #1.

This is the scenario, and we need that a simple query to DNS1 be responded to with any record from both zones.

Thanks again

On Wed, Apr 30, 2014 at 5:54 PM, Kevin Darcy k...@chrysler.com wrote:
> Oh, I thought this was an external-versus-internal scenario. But, this is even easier.
>
> A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of the stealth variety, if you want) of the other
> B) People use nsupdate to maintain the zone
>
> For security, TSIG-sign the updates. For fast change propagation, set up NOTIFY if and as necessary.
>
> - Kevin
Re: Forwarding request to another DNS server but the same domain
DNS1 with dynamic update and DNS2 with manual update

On Wed, Apr 30, 2014 at 8:11 PM, Kevin Darcy k...@chrysler.com wrote:
> I'm still not understanding your constraints. If *all* updates come in through Dynamic Update, then you don't need freeze/unfreeze.
>
> - Kevin
Re: Zone transfer doesn't work when I set allow-update statement
Dear, thanks for your help. Please, the last question: can I dynamically update a zone and -when necessary- make a freeze, manually add/delete records, and after that make a thaw to continue with the dynamic update? In other words, a mix between dynamic and manual update.

Thanks again,
JeLo

On Fri, Apr 25, 2014 at 6:04 PM, Evan Hunt e...@isc.org wrote:
> On Fri, Apr 25, 2014 at 05:29:30PM -0300, Jeronimo L. Cabral wrote:
>> But the master zone is not refreshed until I execute service bind9 restart (service bind9 reload doesn't refresh the master zone).
>
> The zone has been updated, but the changes are stored in a journal file (zonefile.jnl). You can look at the contents of the journal file with "named-journalprint filename".
>
> If you want to dump the current version of the zone to disk so you can look at the whole thing, use "rndc sync zonename". (That's assuming this is a fairly recent BIND. If it doesn't support sync, use "rndc freeze zone; rndc thaw zone".)
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
Zone transfer doesn't work when I set allow-update statement
Dear, I'm using Bind 9.8.4 with a master / slave scenario. Zone transfer works OK when I have this config in named.conf.local on the master server, add some A records and execute service bind9 reload:

    zone "company.com.ar" {
        type master;
        file "/etc/bind/zones/company.com.ar.db";
        allow-transfer { key company; };
        check-names ignore;
    };

After that I add the allow-update statement and restart the bind9 service:

    zone "company.com.ar" {
        type master;
        file "/etc/bind/zones/company.com.ar.db";
        allow-transfer { key company; };
        allow-update { 172.12.88.3; 10.8.91.7; };
        check-names ignore;
    };

Finally, I add some A records in my company.com.ar zone and increment the serial number, then I execute service bind9 reload, but the Slave doesn't receive the new records. The only way the Slave receives the new records is when I execute service bind9 restart on the Master, which is not the idea.

What is the problem please???

Thanks a lot,
JeLo
Re: Zone transfer doesn't work when I set allow-update statement
Thanks a lot, but using the allow-update statement, I use nsupdate in order to add a new record:

    # nsupdate
    server x.x.x.x
    zone company.com.ar
    update add test.company.com.ar 86400 A 1.1.1.1
    send
    quit

But the master zone is not refreshed until I execute service bind9 restart (service bind9 reload doesn't refresh the master zone). What can I do in order to add new records using nsupdate without restarting the bind9 service???

Thanks again!!!

On Fri, Apr 25, 2014 at 5:12 PM, Kevin Darcy k...@chrysler.com wrote:
> allow-update + manual editing of zone file = bad.
>
> Use nsupdate.
>
> - Kevin
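The nsupdate session above sends a DNS UPDATE message, and Kevin's advice in the forwarding thread ("For security, TSIG-sign the updates") is about authenticating that message with a shared key instead of trusting the source IP in allow-update. The block below is an added example, not part of the thread and not BIND or nsupdate code: it builds the same "add test.company.com.ar A 1.1.1.1" UPDATE by hand with the Python standard library, signs it with a TSIG RR (RFC 2845, hmac-sha256), and then verifies it the way a receiving server would, rejecting a wrong key, a tampered record or a stale timestamp. The key name "company" is taken from the allow-transfer statement above; the base64 secret, the 300-second fudge and the timestamps are constructed for the example. A real server additionally looks the key name up in its configuration and, for responses, chains the request MAC into the digest; both are left out here.

```python
"""Added example (not from the bind-users thread): a dynamic UPDATE like the
nsupdate session above, TSIG-signed per RFC 2845 with hmac-sha256, plus the
verification a server performs. Key secret and timestamps are made up."""
import base64
import hashlib
import hmac
import struct
import time

OPCODE_UPDATE = 5 << 11                  # flags word with opcode UPDATE, QR=0
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
ALGORITHM = "hmac-sha256."               # algorithm name is itself a domain name

# Constructed key. In named.conf the same material would be:
#   key "company" { algorithm hmac-sha256; secret "<base64>"; };
KEY_NAME = "company"
KEY_SECRET = base64.b64decode("5Y2bK7G9vZqj0p3Q1s8Rw4tUx6yA2cDfEgHhIkLmNoQ=")


def encode_name(name: str) -> bytes:
    """Uncompressed, lowercased wire-format name (the canonical form TSIG hashes)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_update(zone: str, owner: str, ttl: int, ipv4: str, qid: int) -> bytes:
    """RFC 2136 UPDATE: zone section (the zone, as a SOA 'question'), no
    prerequisites, one 'add this A record' RR in the update section."""
    header = struct.pack("!HHHHHH", qid, OPCODE_UPDATE, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    rr = encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_section + rr


def _tsig_variables(keyname, time_signed, fudge, error=0, other=b"") -> bytes:
    """The 'TSIG variables' RFC 2845 3.4.2 appends to the message before hashing:
    key name, class ANY, TTL 0, algorithm, time signed, fudge, error, other."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg: bytes, keyname: str, secret: bytes, time_signed=None, fudge=300) -> bytes:
    """HMAC the unsigned message + TSIG variables, then append a TSIG RR
    (type 250, class ANY, TTL 0) and bump ARCOUNT by one."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(secret, msg + _tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", original_id, 0, 0))
    tsig_rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name (a compression pointer is 2 bytes)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def tsig_verify(signed: bytes, keyname: str, secret: bytes, now=None) -> bool:
    """What the server does on receipt: find the trailing TSIG RR, rebuild the
    message as it was before signing, recompute the MAC, enforce the time window."""
    zo, pr, up, ad = struct.unpack("!HHHH", signed[4:12])
    if ad == 0:
        return False                          # no TSIG RR at all: refuse the update
    off = 12
    for _ in range(zo):                       # zone entries look like questions
        off = _skip_name(signed, off) + 4
    for _ in range(pr + up + ad - 1):         # every RR except the last (the TSIG)
        off = _skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    off = _skip_name(signed, off)
    rtype, rclass, _ttl, _rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        return False
    off = _skip_name(signed, off + 10)        # algorithm name
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    _orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
    other = signed[off + 6:off + 6 + other_len]
    unsigned = signed[:10] + struct.pack("!H", ad - 1) + signed[12:tsig_start]
    expected = hmac.new(secret, unsigned + _tsig_variables(keyname, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False                          # BADSIG: wrong key or altered message
    now = int(time.time()) if now is None else now
    return abs(now - time_signed) <= fudge    # otherwise BADTIME (replay protection)


if __name__ == "__main__":
    update = build_update("company.com.ar", "test.company.com.ar", 86400, "1.1.1.1", 0x2A2A)
    packet = tsig_sign(update, KEY_NAME, KEY_SECRET)
    print(len(update), "->", len(packet), "bytes; verifies:", tsig_verify(packet, KEY_NAME, KEY_SECRET))
```

With BIND the matching configuration change is to replace the address list in the zone's allow-update statement with `allow-update { key company; };` and to run nsupdate with the key (`nsupdate -k <keyfile>` or `nsupdate -y hmac-sha256:company:<base64 secret>`). An address-based ACL is only as strong as the source address of a UDP packet; the signature ties every update to the shared secret and a timestamp, and that is why Kevin recommends it for a zone that several hosts are allowed to change.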
Master to Slave initial zone transfer question
Dear, I've implemented two Debian 7 servers with Bind9 in a Master - Slave schema. Everything works OK, but I have just a question: when I create a new zone on the Master and reload the bind9 daemon, this zone doesn't appear automatically on the Slave; it only appears if I restart the bind9 daemon on the Slave server.

Is this behaviour correct, or is there any statement to transfer a new zone from Master to Slave without restarting the bind9 daemon on the Slave???

Really thanks,
JeLo
Re: Master to Slave initial zone transfer question
Dear Jim, where do I have to execute the command rndc reconfig, on the master or on the slave??

Thanks a lot to both.

On Wed, Apr 16, 2014 at 12:42 PM, Jim Glassford jmgl...@iup.edu wrote:
> On 4/16/2014 11:35 AM, Barry Margolin wrote:
>> In article mailman.2651.1397662255.20661.bind-us...@lists.isc.org, Jeronimo L. Cabral jelocab...@gmail.com wrote:
>>
>> To pick up new zones added to named.conf, you just need to use:
>>
>>     rndc reconfig
>>
>> You don't need to restart the daemon on either the master or slave.
>
> To quicken the update process you can use also-notify in options:
>
>     also-notify { slave1.n.n.n; slave2.n.n.n; };
>
> also-notify: Only meaningful if notify is active for this zone. The set of machines that will receive a DNS NOTIFY message for this zone is made up of all the listed name servers (other than the primary master) for the zone plus any IP addresses specified with also-notify. A port may be specified with each also-notify address to send the notify messages to a port other than the default of 53. also-notify is not meaningful for stub zones. The default is the empty list.
>
> best!
> jim
Re: Master to Slave initial zone transfer question
Dear Alan, sorry but I don't understand... can you help me on this please: when I create a new zone on the Master and add the zone parameters in named.conf.local, before the Slave gets the new zone, do I have to write by hand the same zone parameters in the Slave's named.conf.local and restart its bind9 daemon???

Thanks again.
JeLo

On Wed, Apr 16, 2014 at 2:17 PM, Alan Clegg a...@clegg.com wrote:
> On 4/16/14, 11:42 AM, Jim Glassford wrote:
>> To quicken the update process you can use also-notify in options:
>>
>>     also-notify { slave1.n.n.n; slave2.n.n.n; };
>
> There is no reason to use also-notify in this situation. Please don't do this unless you know what you are doing and actually NEED to do this. It makes cleaning up a few years from now so much easier when you have a sane configuration.
>
> AlanC