Suggestions for primary DNS hosting
Within the last few years, we have drastically reduced our DNS footprint, as well as our datacenter size. We are looking to migrate our primary DNS to a provider, but I'm having trouble finding ones that meet our requirements:

1) Provide primary DNS without necessarily being the registrar for the domain
2) Provide primary DNS for both forward and reverse zones
3) Support IPv4 and IPv6 records
4) Provide IPv6 nameservers (not required, but nice to have)
5) Allow arbitrary RR records such as SPF, TXT, etc.

Any suggestions?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Configuring CNAME for nosslsearch.google.com
Actually, this can be done. Create a zone file for www.google.com, not google.com. The zone file should look like this (replace THIS_HOSTNAME with the name of your nameserver):

    ; zone file for www.google.com (the origin is www.google.com)
    ; the SOA RNAME is written with a dot, not an "@": root.localhost. means root@localhost
    @   IN  SOA    localhost. root.localhost. (
                    2012041100  ; serial
                    7200        ; refresh
                    1800        ; retry
                    1209600     ; expire
                    300 )       ; minimum / negative-caching TTL
        IN  NS     THIS_HOSTNAME.    ; fully qualified, so it needs the trailing dot
        IN  CNAME  nosslsearch.google.com.

Matthew Huff               | 1 Manhattanville Rd
Director of Operations     | Purchase, NY 10577
OTA Management LLC         | Phone: 914-460-4039
aim: matthewbhuff          | Fax: 914-460-4139

-----Original Message-----
From: bind-users-bounces+mhuff=ox@lists.isc.org [mailto:bind-users-bounces+mhuff=ox@lists.isc.org] On Behalf Of Lyle Giese
Sent: Monday, April 16, 2012 8:50 AM
To: bind-users@lists.isc.org
Subject: Re: Configuring CNAME for nosslsearch.google.com

> On 4/16/2012 3:30 AM, Phil Mayers wrote:
>> On 04/15/2012 11:40 PM, Tobias Krais wrote:
>>> Hi Ben,
>>>
>>> hmm. How can I manage what google suggests:
>>>
>>> Information for school network administrators about the No-SSL option
>>> To utilize the no SSL option for your network, configure the DNS entry for www.google.com to be a CNAME for nosslsearch.google.com.
>>>
>>> Source: http://support.google.com/websearch/bin/answer.py?hl=enhlrm=enanswer= 186669. You can find this quite at the end of the document.
>>>
>>> How can I realize such a configuration in bind?
>>
>> As you've been told, you can't. CNAMEs can't live at the zone apex, so you can't put a CNAME at the zone apex of www.google.com. And if you create google.com as a zone, all other hostnames will be blackholed, including nosslsearch.google.com.
>>
>> I don't know why Google have made that suggestion; it's a bad suggestion that's not supported by many nameservers. I personally think it's a bad idea to try and disable SSL search for your users too, but that's your decision.
>>
>> unbound might be able to do this, with a transparent local-zone and local-data override for www.google.com.
>
> Or did they really mean, create a hosts file on the local machine that contains...
>
> Or in your proxy server redirect www.google.com to nosslsearch.google.com
>
> DNS server software is not very supportive of doing this for good reasons.
>
> Lyle Giese
> LCR Computer Services, Inc.
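As an added example (it is not part of the thread and not BIND's own named-checkzone), the following Python script parses a small master-format zone file and reports every owner name at which a CNAME coexists with other record types, which is the RFC 1034 "CNAME and other data" rule Phil Mayers cites against a CNAME at a zone apex. The zone text below reproduces the shape of the posted www.google.com zone; the nameserver name ns1.example.net and the second test zone are constructed for the example.

```python
import re
from collections import defaultdict

# RR types this small parser recognises; anything before the type token
# (owner, TTL, class) is skipped, anything after it is rdata.
TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "SRV", "PTR", "SPF"}

# Constructed copy of the zone proposed in the thread, with the SOA written
# on several lines as a real zone file would be.
POSTED_ZONE = """\
@   IN  SOA  localhost. root.localhost. (
                2012041100 ; serial
                7200 1800 1209600 300 )
    IN  NS     ns1.example.net.          ; constructed nameserver name
    IN  CNAME  nosslsearch.google.com.
"""


def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def _qualify(name, origin):
    """Turn '@' or a relative name into a fully qualified one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (owner, type, rdata_tokens) for a master-format zone.

    A line starting with whitespace inherits the previous owner name, as in
    the posted zone where the NS and CNAME lines have no owner column.
    """
    origin = origin if origin.endswith(".") else origin + "."
    records, owner = [], origin
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = _qualify(tokens[1], origin)
            continue
        if tokens[0].startswith("$"):        # $TTL and friends: not records
            continue
        if not line[0].isspace():            # explicit owner column present
            owner = _qualify(tokens.pop(0), origin)
        while tokens and tokens[0] not in TYPES:   # skip TTL / class tokens
            tokens.pop(0)
        if tokens:
            records.append((owner, tokens[0], tokens[1:]))
    return records


def find_cname_conflicts(records):
    """Map each owner that has a CNAME plus other data to the other types."""
    by_name = defaultdict(set)
    for owner, rtype, _ in records:
        by_name[owner].add(rtype)
    return {name: sorted(types - {"CNAME"})
            for name, types in by_name.items()
            if "CNAME" in types and len(types) > 1}


if __name__ == "__main__":
    recs = parse_zone(POSTED_ZONE, "www.google.com")
    for name, others in find_cname_conflicts(recs).items():
        print(f"{name}: CNAME coexists with {', '.join(others)}")
```

Running it against the posted zone reports the apex name with SOA and NS beside the CNAME, which is exactly the condition a loading nameserver rejects; a zone whose CNAME sits on its own name passes with an empty result.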
Cisco ACE config for internal DNS load balancing
Anyone have any suggestions/best practices/config examples for DNS load balancing for internal use on Cisco ACE blades? I've got the standard example working, but wondered about keepalive frequency, timeouts, fragments, etc. Anyone got any examples they use that they could share?

Matthew Huff               | 1 Manhattanville Rd
Director of Operations     | Purchase, NY 10577
OTA Management LLC         | Phone: 914-460-4039
aim: matthewbhuff          | Fax: 914-460-4139
Windows 2008 R2 validating DNSSEC resolvers
I know this is a bind list, but does anyone know any public information about when/if Microsoft is going to release a SHA2 compatible DNS server so it can be used as a validating DNSSEC resolver without forwarders? Since the root trust anchor is published in SHA2, currently it can't be used (unless someone knows a workaround).

Thanks.

Matthew Huff               | 1 Manhattanville Rd
Director of Operations     | Purchase, NY 10577
OTA Management LLC         | Phone: 914-460-4039
aim: matthewbhuff          | Fax: 914-460-4139
RE: 2GB Memory Limits on Solaris 10
enable-largefile support turns on 64-bit filesystem support, but not 64-bit memory. Normally under Solaris even a 32-bit process should be able to use the full 4GB address space (or at least 3.5-3.8GB). Try checking your ulimits in the script that starts the process.

BTW, by default the named process even on a 64-bit system is compiled in 32-bit mode. The main reason is that any other libraries it might use (openssl, etc.) will also need to have 64-bit versions.

Matthew Huff          | One Manhattanville Rd
OTA Management LLC    | Purchase, NY 10577
http://www.ox.com     | Phone: 914-460-4039
aim: matthewbhuff     | Fax: 914-460-4139

From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Raymond Popowich
Sent: Monday, June 08, 2009 3:35 PM
To: bind-users@lists.isc.org
Subject: 2GB Memory Limits on Solaris 10

> Hello,
>
> I am running several Bind 9.6.0-P1 DNS resolvers on Solaris 10. The largest does around 2500 queries/second at peak times. They are configured with --enable-largefile support. About once a month I am having a problem with the largest resolvers breaking when the named process hits 2GB. I've logged a few different errors including file descriptor limits which I increased when that happened, to increasing the option for max-cache-size, to my current errors such as ns_client_replace() failed: out of memory.
>
> The servers have 8GB of physical memory. I am OK with telling bind to use an unlimited amount of resources or specifying a double in the current maximum up to 4GB. Would it be possible for someone to provide a full list of all of the named.conf options that I need to specify in named.conf and increase from the default settings? I've been fixing these errors one at a time for a while now and I really can't afford to keep troubleshooting this problem by waiting for new errors to happen.
>
> Thank you for your time,
> -Raymond
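An added diagnostic for the 32-bit versus 64-bit question raised above (example code written for this page, not something from the thread or from ISC): it reads the class byte of an ELF header to tell whether a named binary was built 32-bit or 64-bit, and combines that with the process address-space rlimit to give the effective ceiling the process can grow to before it fails with out-of-memory errors. The two header byte strings are constructed; the path /usr/sbin/named is only a guess for where the binary lives on a given system.

```python
import os

ELF_MAGIC = b"\x7fELF"
EI_CLASS = 4           # offset of the class byte in the ELF identification
ELFCLASS32, ELFCLASS64 = 1, 2

# Constructed 16-byte e_ident blocks: magic, class, little-endian, version 1.
ELF32_HEADER = b"\x7fELF" + bytes([ELFCLASS32, 1, 1]) + b"\x00" * 9
ELF64_HEADER = b"\x7fELF" + bytes([ELFCLASS64, 1, 1]) + b"\x00" * 9


def elf_bits(header: bytes) -> int:
    """Return 32 or 64 from the EI_CLASS byte; raise ValueError otherwise."""
    if len(header) < EI_CLASS + 1 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class = header[EI_CLASS]
    if ei_class == ELFCLASS32:
        return 32
    if ei_class == ELFCLASS64:
        return 64
    raise ValueError(f"unknown EI_CLASS {ei_class}")


def binary_bits(path: str) -> int:
    """Read just the identification bytes of an on-disk binary."""
    with open(path, "rb") as fh:
        return elf_bits(fh.read(16))


def address_space_ceiling(bits: int, rlimit_as=None) -> int:
    """Effective virtual-address ceiling in bytes.

    The architectural limit is 2**bits; RLIMIT_AS (None or a negative value
    meaning RLIM_INFINITY) can only lower it. A 32-bit named therefore tops
    out at 4 GiB no matter how much physical memory the box has.
    """
    arch = 1 << bits
    if rlimit_as is None or rlimit_as < 0:
        return arch
    return min(arch, rlimit_as)


def current_rlimit_as():
    """Soft RLIMIT_AS of this process, or None where the resource module is absent."""
    try:
        import resource
    except ImportError:          # non-Unix platform
        return None
    soft, _hard = resource.getrlimit(resource.RLIMIT_AS)
    return soft


if __name__ == "__main__":
    candidate = "/usr/sbin/named"          # assumed location, adjust as needed
    bits = binary_bits(candidate) if os.path.exists(candidate) else 32
    ceiling = address_space_ceiling(bits, current_rlimit_as())
    print(f"named is {bits}-bit; address-space ceiling {ceiling / 2**30:.1f} GiB")
```

Run from the same startup script that launches named, this reports the ceiling under that script's ulimits, which is what the reply above asks Raymond to check.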
RE: Adding records to a domain I don't control for anyone who uses my nameserver
Unfortunately this is common in the financial services realm. Compliance requires us to archive all IM messages from google, aol, msn, and yahoo. Blocking it with acls doesn't work since the IM clients will resort to http and are pretty clever about hiding it. Blocking IP addresses doesn't work since they change frequently. Spoofing the dns zones is the only solution. The IM archive server companies usually provide email updates when some of the zones change.

Matthew Huff          | One Manhattanville Rd
OTA Management LLC    | Purchase, NY 10577
http://www.ox.com     | Phone: 914-460-4039
aim: matthewbhuff     | Fax: 914-460-4139

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sam Wilson
Sent: Monday, March 02, 2009 12:56 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: Adding records to a domain I don't control for anyone who uses my nameserver

> In article <goadgr$2au...@sf1.isc.org>, Barry Margolin <bar...@alum.mit.edu> wrote:
>
>> In article <go6pea$2ru...@sf1.isc.org>, Brandon Dimcheff <bdimc...@wieldim.com> wrote:
>>
>>> Hello,
>>>
>>> I'm trying to configure BIND to add some records to a domain that I don't control, so that anybody who uses my nameserver will have the additional records. Specifically, I'm trying to add xmpp SRV records so our jabber infrastructure that uses our nameserver can contact a handful of domains properly. All other records for the domain should work as defined by their authoritative server.
>>>
>>> Example:
>>>
>>>     dig @127.0.0.1 SRV _xmpp_client._tcp.example.com.
>>>
>>> should return my SRV record hosted by my server
>>>
>>>     dig @127.0.0.1 A example.com
>>>
>>> should return example.com's A record by recursive lookup
>>>
>>> Does anybody have any suggestions? I've tried a few different things, but none of them seem to have worked.
>>
>> I don't think you can do this with BIND. Its database is organized by names, not types. If a server is authoritative for a name, it will never recurse for that name.
>
> He could create a local zone for the domain _xmpp_client._tcp.example.com containing only the SRV record (plus the necessary SOA and NS records). That way any lookups for *.example.com and *._tcp.example.com would get directed to the real example.com servers. It's a horrible thing to do, though, to claim authority for someone else's address space. What happens when example.com sets up its own _xmpp_client._tcp.example.com with different data in it? Who debugs that?
>
> Sam
RE: Adding records to a domain I don't control for anyone who uses my nameserver
Try creating a zone file _xmpp_client._tcp.example.com and put the SRV record in there. Treat the host as an entire domain.

Matthew Huff          | One Manhattanville Rd
OTA Management LLC    | Purchase, NY 10577
http://www.ox.com     | Phone: 914-460-4039
aim: matthewbhuff     | Fax: 914-460-4139

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Brandon Dimcheff
Sent: Thursday, February 26, 2009 2:10 PM
To: bind-users@lists.isc.org
Subject: Adding records to a domain I don't control for anyone who uses my nameserver

> Hello,
>
> I'm trying to configure BIND to add some records to a domain that I don't control, so that anybody who uses my nameserver will have the additional records. Specifically, I'm trying to add xmpp SRV records so our jabber infrastructure that uses our nameserver can contact a handful of domains properly. All other records for the domain should work as defined by their authoritative server.
>
> Example:
>
>     dig @127.0.0.1 SRV _xmpp_client._tcp.example.com.
>
> should return my SRV record hosted by my server
>
>     dig @127.0.0.1 A example.com
>
> should return example.com's A record by recursive lookup
>
> Does anybody have any suggestions? I've tried a few different things, but none of them seem to have worked.
>
> Thanks,
> Brandon
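To make concrete what Sam Wilson and Matthew describe here, and the blackholing Phil Mayers warned about in the nosslsearch thread above, this is an added Python model of BIND's name-based zone selection (illustrative code written for this page, not BIND's own logic): the longest label-suffix match picks the zone, and inside a zone the server answers only from that zone's data, so a type it does not hold is NODATA rather than a recursive lookup. The zone contents, ns1.example.net, xmpp.example.net, the 192.0.2.x addresses and the upstream table are all constructed.

```python
def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Example.COM.' == 'example.com'."""
    return name.rstrip(".").lower()


def closest_zone(qname: str, zones):
    """Longest label-suffix match: the zone the server considers itself
    authoritative for. None means no local zone covers the name."""
    labels = _norm(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(qname: str, qtype: str, local_zones, upstream):
    """Return (source, zone, rrset).

    source is 'local' when a configured zone covers qname (the answer then
    comes only from that zone, even if the real owner publishes something
    else) and 'recursive' when the query falls through to the outside world.
    """
    zone = closest_zone(qname, local_zones)
    key = (_norm(qname), qtype.upper())
    if zone is not None:
        return ("local", zone, local_zones[zone].get(key, []))
    return ("recursive", None, upstream.get(key, []))


# Constructed local zone that covers only the SRV owner name, as suggested.
SRV_NAME = "_xmpp_client._tcp.example.com"
LOCAL_ZONES = {
    SRV_NAME: {
        (SRV_NAME, "SOA"): ["ns1.example.net. hostmaster.example.net. 2009022601 7200 1800 1209600 300"],
        (SRV_NAME, "NS"): ["ns1.example.net."],
        (SRV_NAME, "SRV"): ["0 5 5222 xmpp.example.net."],
    },
}

# Constructed stand-in for what the real example.com servers would return,
# including the owner's own SRV and TXT records published later on.
UPSTREAM = {
    ("example.com", "A"): ["192.0.2.10"],
    ("www.example.com", "A"): ["192.0.2.80"],
    (SRV_NAME, "SRV"): ["0 5 5222 xmpp.example.com."],
    (SRV_NAME, "TXT"): ['"owner-published"'],
}

# Constructed zone for the whole domain, to show the blackhole effect.
WHOLE_DOMAIN_ZONE = {"example.com": {("example.com", "A"): ["192.0.2.1"]}}


if __name__ == "__main__":
    for name, qtype in [(SRV_NAME, "SRV"), ("example.com", "A"), (SRV_NAME, "TXT")]:
        print(name, qtype, "->", resolve(name, qtype, LOCAL_ZONES, UPSTREAM))
    print("www.example.com A with a zone for example.com ->",
          resolve("www.example.com", "A", WHOLE_DOMAIN_ZONE, UPSTREAM))
```

The narrow zone gives the behaviour Brandon asked for, and the TXT case shows the debugging trap Sam raises: once the local server claims the name, the owner's own records at that name are invisible to its clients, with no error to point at the cause.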
client query logging (refused message)
In my logging global section I have:

    logging {
        channel audit_log {
            file "/var/log/named_audit.log" versions 128 size 4m;
            severity debug;
            print-time yes;
            print-category yes;
        };
        ...
        category client { audit_log; };
        ...
    };

and I get:

    ...
    17-Feb-2009 08:14:17.376 queries: client 62.109.4.89#49464: view external-in: query: . IN NS +
    ...

logged, and I have verified that the query is refused, but nothing in the log shows that it was refused. Is there any way to log the success/failure of the queries?

Matthew Huff          | One Manhattanville Rd
OTA Management LLC    | Purchase, NY 10577
http://www.ox.com     | Phone: 914-460-4039
aim: matthewbhuff     | Fax: 914-460-4139
RE: rndc stats - 9.5.0-p2
There may be more than one named binary in your path. You may want to do an explicit reference to check the version (./named -V) or do a which named.

Matthew Huff          | One Manhattanville Rd
OTA Management LLC    | Purchase, NY 10577
http://www.ox.com     | Phone: 914-460-4039
aim: matthewbhuff     | Fax: 914-460-4139

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Cihan Subasi (Garanti Teknoloji)
Sent: Tuesday, February 17, 2009 7:51 AM
To: bind-users@lists.isc.org
Cc: c...@hermes.cam.ac.uk
Subject: RE: rndc stats - 9.5.0-p2

> I think you're right, when I check the file sizes they are not the same but the versions are matching...
>
> short --
>
>     # ls -la
>     total 48166
>     drwxr-xr-x   2 root     other        512 Aug 15  2008 .
>     drwxr-xr-x  13 root     other        512 Nov 21 14:02 ..
>     -rwxr-xr-x   1 root     other    1199932 Aug 15  2008 dnssec-keygen
>     -rwxr-xr-x   1 root     other    3675504 Aug 15  2008 dnssec-signzone
>     -rwxr-xr-x   2 root     other    5134128 Aug 15  2008 lwresd
>     -rwxr-xr-x   2 root     other    5134128 Aug 15  2008 named
>     -rwxr-xr-x   1 root     other    3816336 Aug 15  2008 named-checkconf
>     -rwxr-xr-x   1 root     other    3624412 Aug 15  2008 named-checkzone
>     lrwxrwxrwx   1 root     other         15 Aug 15  2008 named-compilezone -> named-checkzone
>     -rwxr-xr-x   1 root     other     847676 Aug 15  2008 rndc
>     -rwxr-xr-x   1 root     other    1136800 Aug 15  2008 rndc-confgen
>     /usr/local/sbin # named -v
>     BIND 9.5.0-P2
>
> long --
>
>     [garanti2]/usr/local/sbin> ls -la
>     total 158646
>     drwxr-xr-x   2 bin      bin          512 Nov 26 17:10 .
>     drwxr-xr-x  15 root     other        512 Nov 26 17:01 ..
>     -rwxr-xr-x   1 root     other    3318808 Nov 26 17:10 dnssec-keygen
>     -rwxr-xr-x   1 bin      bin      5182984 Mar 25  2004 dnssec-makekeyset
>     -rwxr-xr-x   1 bin      bin      5184180 Mar 25  2004 dnssec-signkey
>     -rwxr-xr-x   1 root     other    9997148 Nov 26 17:10 dnssec-signzone
>     -rwxr-xr-x   2 root     other   15535428 Nov 26 17:10 lwresd
>     -rwxr-xr-x   2 root     other   15535428 Nov 26 17:10 named
>     -rwxr-xr-x   1 root     other   10443912 Nov 26 17:10 named-checkconf
>     -rwxr-xr-x   1 root     other    9923952 Nov 26 17:10 named-checkzone
>     lrwxrwxrwx   1 root     other         15 Nov 26 17:10 named-compilezone -> named-checkzone
>     -rwxr-xr-x   1 root     other    2917848 Nov 26 17:10 rndc
>     -rwxr-xr-x   1 root     other    3061584 Nov 26 17:10 rndc-confgen
>     [garanti2]/usr/local/sbin> named -v
>     BIND 9.5.0-P2
>
> -----Original Message-----
> From: Chris Thompson [mailto:c...@hermes.cam.ac.uk] On Behalf Of Chris Thompson
> Sent: Tuesday, February 17, 2009 2:40 PM
> To: Cihan Subasi (Garanti Teknoloji)
> Cc: Bind Users Mailing List
> Subject: Re: rndc stats - 9.5.0-p2
>
>> On Feb 17 2009, Cihan Subasi (Garanti Teknoloji) wrote:
>>
>>> When I run rndc stats on two different servers with 9.5.0-p2, I am getting two different dumps of stats, one of them dumps the stats in very short format (7 lines), the other dumps it in very long format (50-60 lines per dump). What could be the difference on both?
>>>
>>> thank you
>>
>> Are you *sure* they are both running BIND 9.5.0-P2? Much the most likely explanation is that the one producing short statistics is a pre-9.5 version. I don't believe that BIND 9.5.x even includes any code to generate the old format.
>>
>> --
>> Chris Thompson
>> Email: c...@cam.ac.uk
RE: loads of Query denied... is it an attack or a misconfiguration ?
I've been aware of this problem since it first came up on this and nanog's list, but I'm having some configuration issues trying to make the upward referral be refused. I'm running bind-9.6.0P1, but I'm still seeing the NS queries being answered in the log:

    11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
    11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
    11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
    11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view external-in: query: ox.com IN NS -EDC
    11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view external-in: query: . IN NS +
    11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view external-in: query: . IN NS +
    11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view external-in: query: . IN NS +

My config follows, any suggestion?

    options {
        directory "/var/named";
        pid-file "/var/named/named.pid";
        statistics-file "/var/named/named.stats";
        memstatistics-file "/var/named/named.memstats";
        dump-file "/var/adm/named.dump";
        zone-statistics yes;
        notify no;
        transfer-format many-answers;
        max-transfer-time-in 60;
        interface-interval 0;
        recursion no;
        allow-transfer { xfer; };
        allow-query { none; };
        allow-recursion { none; };
        additional-from-auth no;
        additional-from-cache no;
    };

    view "internal-in" in {
        match-clients { trusted; };
        recursion yes;
        additional-from-auth yes;
        additional-from-cache yes;
        allow-query { trusted; };
        allow-recursion { trusted; };
        allow-query-cache { trusted; };

        zone "." in {
            type hint;
            file "db.cache";
        };

        zone "0.0.127.in-addr.arpa" in {
            type master;
            file "master/db.127.0.0";
            allow-query { any; };
            allow-transfer { none; };
        };

        zone "foo.com" in {
            type master;
            file "master/db.foo";
        };
        ...
        ...
        ...
    };

    view "external-in" in {
        match-clients { any; };
        recursion no;
        allow-transfer { xfer; };
        allow-query { none; };
        allow-recursion { none; };
        additional-from-auth no;
        additional-from-cache no;

        zone "." in {
            type hint;
            file "db.cache";
        };

        zone "foo.com" in {
            type master;
            file "master/db.foo";
            allow-query { any; };
        };
        ...
        ...
        ...
    };

Matthew Huff          | One Manhattanville Rd
OTA Management LLC    | Purchase, NY 10577
http://www.ox.com     | Phone: 914-460-4039
aim: matthewbhuff     | Fax: 914-460-4139
RE: loads of Query denied... is it an attack or a misconfiguration ?
Thanks to David Forrest, I realize now that the query IS being refused, however nothing in the bind log shows the refusal. Is there any way to see that in the log?

Matthew Huff          | One Manhattanville Rd
OTA Management LLC    | Purchase, NY 10577
http://www.ox.com     | Phone: 914-460-4039
aim: matthewbhuff     | Fax: 914-460-4139

-----Original Message-----
From: David Forrest [mailto:d...@maplepark.com]
Sent: Wednesday, February 11, 2009 10:11 AM
To: Matthew Huff
Cc: 'bind-users@lists.isc.org'
Subject: RE: loads of Query denied... is it an attack or a misconfiguration ?

> On Wed, 11 Feb 2009, Matthew Huff wrote:
>
>> I've been aware of this problem since it first came up on this and nanog's list, but I'm having some configuration issues trying to make the upward referral be refused. I'm running bind-9.6.0P1, but I'm still seeing the NS queries being answered in the log:
>>
>>     11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
>>     11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
>>     11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
>>     11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view external-in: query: ox.com IN NS -EDC
>>     11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view external-in: query: . IN NS +
>>     11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view external-in: query: . IN NS +
>>     11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view external-in: query: . IN NS +
>>
>> My config follows, any suggestion?
>>
>>     options {
>>         directory "/var/named";
>>         pid-file "/var/named/named.pid";
>>         statistics-file "/var/named/named.stats";
>>         memstatistics-file "/var/named/named.memstats";
>>         dump-file "/var/adm/named.dump";
>>         zone-statistics yes;
>>         notify no;
>>         transfer-format many-answers;
>>         max-transfer-time-in 60;
>>         interface-interval 0;
>>         recursion no;
>>         allow-transfer { xfer; };
>>         allow-query { none; };
>>         allow-recursion { none; };
>>         additional-from-auth no;
>>         additional-from-cache no;
>>     };
>>
>>     view "internal-in" in {
>>         match-clients { trusted; };
>>         recursion yes;
>>         additional-from-auth yes;
>>         additional-from-cache yes;
>>         allow-query { trusted; };
>>         allow-recursion { trusted; };
>>         allow-query-cache { trusted; };
>>
>>         zone "." in {
>>             type hint;
>>             file "db.cache";
>>         };
>>
>>         zone "0.0.127.in-addr.arpa" in {
>>             type master;
>>             file "master/db.127.0.0";
>>             allow-query { any; };
>>             allow-transfer { none; };
>>         };
>>
>>         zone "foo.com" in {
>>             type master;
>>             file "master/db.foo";
>>         };
>>         ...
>>         ...
>>         ...
>>     };
>>
>>     view "external-in" in {
>>         match-clients { any; };
>>         recursion no;
>>         allow-transfer { xfer; };
>>         allow-query { none; };
>>         allow-recursion { none; };
>>         additional-from-auth no;
>>         additional-from-cache no;
>>
>>         zone "." in {
>>             type hint;
>>             file "db.cache";
>>         };
>>
>>         zone "foo.com" in {
>>             type master;
>>             file "master/db.foo";
>>             allow-query { any; };
>>         };
>>         ...
>>         ...
>>         ...
>>     };
>
> Matthew, the querylog shows what was queried. To see what is answered try digging your external interface. Here is my external view:
>
>     view "external" {
>         // Primary nameserver for maplepark.com.
>         match-clients { any; };
>         recursion no;
>         additional-from-cache no;
>         // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
>         zone "maplepark.com" {
>             type master;
>             notify yes;
>             allow-transfer { slave-name-servers; };
>             file "/var/named/drf/external/maplepark.com.external.";
>         };
>         zone "." {
>             type hint;
>             file "named.ca";
>         };
>         // Update this hint by: /usr/local/sbin/update-root-cache
>     };
>
> And the result of the external query:
>
>     [...@maplepark ~]$ dig +bufsize=4096 @64.216.205.121 . NS
>
>     ; <<>> DiG 9.6.0-P1 <<>> +bufsize=4096 @64.216.205.121 . NS
>     ; (1 server found)
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24703
>     ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>     ;; WARNING: recursion requested but not available
>
>     ;; OPT PSEUDOSECTION:
>     ; EDNS: version: 0, flags:; udp: 4096
>     ;; QUESTION SECTION:
>     ;.                              IN      NS
>
>     ;; Query time: 0 msec
>     ;; SERVER: 64.216.205.121#53(64.216.205.121)
>     ;; WHEN: Wed Feb 11 08:53:04 2009
>     ;; MSG SIZE  rcvd: 28
>
>     [...@maplepark ~]$
>
> Note that the status is REFUSED and MSG SIZE is 28 bytes.
>
> And the querylog has this:
>
>     11-Feb-2009 08:53:04.195 queries: info: client 64.216.205.121#58714: view external: query: . IN NS +E
>
> Try digging. AFAICT your conf should return REFUSED.
>
> Dave
> --
> David Forrest                      e-mail d...@maplepark.com
> Maple Park Development Corporation http://www.maplepark.com
> St. Louis, Missouri