Re: How should I configure internal and external DNS servers

2023-11-04 Thread Marco M.
On 04.11.2023 at 19:41:44, Nick Howitt via bind-users wrote:

> Thanks for the reply. Interesting.
> Option A - It works but I would like to stop maintaining two
> different servers with the same data.
> Option B - I have no chance of getting the company to agree to IPv6.

Then you are in a Stonehenge company. Tell them about the problem and
that relying on IPv4 creates additional work.
My recommendation: Let the people who refuse IPv6 do the DNS work if
possible. :-)

> Option G - Yes it would be trivial with DNSMasq internally. I don't 
> think I have any chance of pushing this through. Also DNSMasq does
> not support replication (but it could be scripted).

Is it possible to use dnsmasq as the master (does it support zone
transfer?) and bind as a slave?
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 20:12:59, Nick Howitt via bind-users wrote:

> I have those lines, but if I remove them, then presumably I cannot
> have internal overrides anywhere, like a hosts file would or like
> dnsmasq would?

BIND doesn't care about /etc/hosts.
If you make it authoritative for a zone, it will look up what is
exactly in that zone file.
If it isn't authoritative, it will ask another DNS server (forwarders
or hierarchy from root servers) and won't check files on your system.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 19:54:32, Nick Howitt wrote:

> How do you mean remove the zone information?

In your /etc/bind are configuration files.
Look for named.conf* and find those that include zones:

zone "f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa" {
type master;
file "/etc/bind/db.f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa";
};

Those lines make it authoritative for that zone. If it isn't
authoritative for that zone, it will ask the forwarder (if
configured) or look it up from the root servers and go down the
hierarchy to the authoritative server (your external).

> Which bits do I change and does this then leave me able to serve out
> internal IPs for the FQDN's that require them?

No, if you need to serve different information than your "external"
server, you need a source for that information.

That is why I advocate against using split DNS and migration to IPv6 to
only have one address for that server.
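A check for the step above (find the named.conf* zone statements that make the server authoritative), added here as an example and not code from the thread or from BIND itself: it scans a constructed named.conf (the ip6.arpa zone is the one quoted in the reply; corp.example, partner.example and the 192.0.2.x addresses are made up) and reports each zone's type, so you can see which names this server answers from its own data rather than forwarding or recursing.

```python
import re

# Constructed sample named.conf for this example (not the poster's config).
# The ip6.arpa zone is the one quoted in the thread; the rest is hypothetical.
SAMPLE_NAMED_CONF = '''
options { directory "/var/cache/bind"; recursion yes; };
// authoritative: answered from the local zone file, never forwarded
zone "f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa" {
    type master;
    file "/etc/bind/db.f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa";
};
/* secondary: a copy transferred from the primary, still authoritative */
zone "corp.example" {
    type secondary;
    primaries { 192.0.2.10; };
};
# forward-only: no local data, every lookup goes to the forwarder
zone "partner.example" { type forward; forwarders { 192.0.2.53; }; };
zone "." { type hint; file "/usr/share/dns/root.hints"; };
'''

AUTHORITATIVE_TYPES = {"master", "primary", "slave", "secondary"}

def strip_comments(text):
    """Drop /* */, // and # comments, all of which named.conf allows."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def zone_blocks(conf):
    """Yield (name, body) per zone statement, matching braces by depth."""
    text = strip_comments(conf)
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:          # nested blocks stay inside
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).lower(), text[m.end():i - 1]

def zone_types(conf):
    """Map each zone name to its declared type, lower-cased."""
    types = {}
    for name, body in zone_blocks(conf):
        m = re.search(r"\btype\s+(\w+)\s*;", body, re.I)
        types[name] = m.group(1).lower() if m else "unknown"
    return types

def authoritative_zones(conf):
    """Zones this server answers from its own data instead of recursing."""
    return sorted(n for n, t in zone_types(conf).items() if t in AUTHORITATIVE_TYPES)
```

Run it against the real files with `open(path).read()` for each `named.conf*` (and anything they `include`) instead of the constructed string; a zone listed by `authoritative_zones` is exactly one that the server will never look up from the external server.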


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 19:18:49, Nick Howitt via bind-users wrote:

> Can the bind-internal not be made to caching only and not 
> authoritative? If so, how?

Of course it can: simply remove the zone configuration, but it will
then cache the records from the authoritative server (your
"external-bind").


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 19:15:45, Nick Howitt via bind-users wrote:

> You are preaching to the converted, but we have a huge mix of SLES
> 11, Ubuntu 16, 18, 20 and 22 machines + Windows Server 2016. Getting
> them all current is a long term project and it has to go through all
> sorts of customer authorisations. I am after a quick win with the
> Bind configs

Be aware that running EoL systems without security updates is a huge
security risk. Do you or your customers REALLY want that?

Second: Those operating systems support IPv6, so you can deploy it to
remove the necessity of internal and external IPv4 split addressing.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 17:58:51, Nick Howitt via bind-users wrote:

> On 03/11/2023 17:54, Marco M. wrote:
> > On 03.11.2023 at 17:48:32, Nick Howitt via bind-users wrote:
> >
> >> My problem is the use of external IP's duplicated between the
> >> internal and external masters for some IPs/FQDNs which I want to
> >> get rid of.
> > Implement IPv6 and get rid of the old IPv4 technology for internal
> > communication.
> >
> > It is a big task, but after it has been done, much nasty stuff is
> > gone like NAT hairpinning or split-DNS.
> Not remotely on the cards with 200+ servers and so on, I'm afraid.

You have to start at some time; the rest is a matter of time.

> Some of the servers are too old, I think for IPv6 - SLES 11.

Already out of support. Such machines must not be connected to the
internet anymore because they are a security risk. Replace them with a
current operating system.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 17:48:32, Nick Howitt via bind-users wrote:

> My problem is the use of external IP's duplicated between the
> internal and external masters for some IPs/FQDNs which I want to get
> rid of.

Implement IPv6 and get rid of the old IPv4 technology for internal
communication.

It is a big task, but after it has been done, much nasty stuff is gone
like NAT hairpinning or split-DNS.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
On 03.11.2023 at 15:51:32, Nick Howitt via bind-users wrote:

> As this site is externally accessible as well, we also have to put an
> identical entry in bind-external so we end up having many identical
> entries in bind-internal and bind-external.

It seems the people who set that up didn't understand the idea of a
master and slave server.
You have one master where changes are being made and optionally many
slaves that get their zone information from that one master.


Re: Help about DNS documentation

2023-11-03 Thread Marco M.
On 03.11.2023 at 15:20:50, Amaury Van Pevenaeyge wrote:

> Hello everyone,
> 
> I'm currently a final year Master's student at the Free University of
> Brussels. As part of my Master's thesis, I have to implement a DNS
> amplification scenario within a Cyber Range. However, before
> achieving this final goal, I first need to make amplification rate
> measurements within a virtual machine system. I therefore have a few
> questions about the DNS protocol and DNS servers.
> 
> 
>   *   Why do some DNS servers respond via TCP to an ANY query made
> under UDP?

As I told you, they simply can't do that. But the client (e.g. dig or
any other DNS client) can use TCP to query ANY. You can use a sniffer
like Wireshark to see what is really transferred.

> I have read in RFC8482 that modern DNS servers try to
> limit responses to ANY queries in order to limit the impact of their
> use in DNS amplification attack but I would like to learn more about
> the security measures/best practices currently in place for this type
> of query and for big TXT responses. Does anyone have any sources or
> other RFCs that might be useful?

The ANY record is, according to the RFC, mostly used for debugging
stuff, but not for productive stuff. Maybe disable replies to it and
check which services refuse to run anymore.

>   *   Would you have any advice/recommendations or sources on the
> legal framework to be respected for my Master's thesis, so that I can
> carry out my various measures without being illegal or alerting
> certain entities?

Do the tests on your own network and spoof your own network's IP
addresses.


Re: DNS NXDOMAIN flood

2023-11-02 Thread Marco M.
On 02.11.2023 at 12:02:00, Mosharaf Hossain wrote:

> We are receiving the traffic from random IP addresses to DNS servers.

Even when those IP addresses change, can you verify in any way that
those are not spoofed, so the traffic really originates from those networks?


Re: 9.18 BIND not resolving .gov.bd site

2023-10-30 Thread Marco M.
On 30.10.2023 at 12:25:32, Mosharaf Hossain wrote:

> mofa.gov.bd.86400   IN  NS  ns1.bcc.gov.bd.
> mofa.gov.bd.86400   IN  NS  ns2.bcc.gov.bd.
> couldn't get address for 'ns1.bcc.gov.bd': not found
> couldn't get address for 'ns2.bcc.gov.bd': not found
> dig: couldn't get address for 'ns1.bcc.gov.bd': no more
> root@ns1:/etc/bind#

I can resolve them, but only A records exist.
Please try it again.

dig a ns2.bcc.gov.bd