Re: are you using lwres?
On 18.05.17 21:13, Evan Hunt wrote:
> At ISC we've recently been discussing the idea of deprecating the lightweight resolver interface as of BIND 9.12. This means removing lwresd and liblwres, and deprecating the lwres statement in named.conf. (Note that they would remain available in earlier releases; BIND 9.11 will be supported for several years yet.)
>
> Before we decide to do this, it would be helpful to know whether there are any legacy applications depending on it. Based on the number of support questions we get about lwresd (i.e., pretty close to none) there aren't many, but perhaps they're just quiet.
>
> Do you run lwresd or named-with-lwres? Do you have code that links with liblwres? If so, please let me know.

I tried using it some 10 years ago. I had strange results related to RRset ordering (with nss_dns the BIND-provided ordering worked, with nss_lwres I got re-sorted IPs), so I disabled it.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak original): I do NOT want to receive any advertising mail at this address.
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: inline-signing a zone that exists in two views
On 18.05.17 16:38, Bob Harold wrote:
> On Wed, May 10, 2017 at 5:56 AM, Tony Finch <d...@dotat.at> wrote:
>> Gordon Messmer <gordon.mess...@gmail.com> wrote:
>>> Is it considered best-practice (or just normal) for authoritative
>>> servers to just not use the local server for resolution?
>>
>> Mine don't :-)
>
> My authoritative servers are non-recursive. They use the same DNS resolvers that any other server uses, and not themselves.

This configuration will make your recursive servers provide correct data when your customers move their domains out without telling you (which happens quite often)...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Windows 2000: 640 MB ought to be enough for anybody
Re: Overwrite A record from DNSSEC protected domain if I am the owner of the domain
On 26.04.17 18:36, Matthias Fechner wrote:
> I have a domain fechner.net which is protected using DNSSEC. The zone is managed on a server located in a data center. Some A records are pointing to a computer that has a low-speed internet connection on the WAN side, but a very fast connection on the LAN side.
> If I am now located in this LAN and I resolve the hostname (in this LAN bind 9.10 is also running), I will get the IP of the WAN connection and the traffic is flowing out of the interface where the standard gateway is defined, goes to the provider and is coming back over a tunnel using the WAN connection.
> I can explain it more in detail, but the routing should not be important for the question I have.

Routing is one of the ways to avoid your issue.

> Now I would like to overwrite some of the A records from my zone (I have full access to the public and private key for DNSSEC). Some CNAMEs will point to this A record, so I have to change only the IP from the A record; all other CNAMEs can be handled by the official bind that is reachable on the internet.
> Normally I would use RPZ to handle this, but it seems that this will not work if the A record is using DNSSEC (at least the manual says that it will not rewrite the A record if DNSSEC is used to protect the A record).
> So what I would like to have:
> - if I resolve from external it should resolve to the official IP that is reachable from the internet
> - if I resolve from my local LAN it should return the internal IP like 192.168.0.1, that is only reachable from the LAN

This can be done using a small resolver in the LAN that resolves the name to the internal IP. Should be no problem unless your end-resolvers check DNSSEC.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
99 percent of lawyers give the rest a bad name.
Re: Unable to slave root zones
On 07.04.17 07:36, Mark Knight wrote:
> I've just noticed (after the slave zones expired) that the root name servers have been refusing my zone transfer requests since the end of March. My config is per the standard named.conf example, e.g.:
>
> zone "." {
>     type slave;
>     file "/usr/local/etc/namedb/slave/root.slave";
>     masters { 192.5.5.241; // F.ROOT-SERVERS.NET.
>     };
>     allow-query { localnets; };
>     notify no;
> };

1. Are you sure you need to slave the root? Most clients don't...

2. There are ~13 servers for the root zone. Did you check more of them?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Windows found: (R)emove, (E)rase, (D)elete
Re: Unable to build BIND 9.11.0-P3 on RHEL 6.0 64-bit
On 28.03.17 22:05, greg.ra...@bt.com wrote:
> I am having trouble getting BIND 9.11.0-P3 to build on RHEL 6.0 64-bit. I am linking it with static OpenSSL (1.0.2j) and GeoIP (1.6.6) libraries. Here are my configure options:
>
> Make fails with this error, which seems to indicate that it is still trying to build a shared library, even though I have explicitly disabled that feature. Again, I've tried both --disable-shared and --enable-shared=no.

Why? In case of insecurities within a shared library you will be forced to recompile BIND again with the library. Shared libraries are great to avoid this.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: Recognizing remote IP in shared connections
On 28.02.17 14:35, Job wrote:
> For policy purposes, we need to know which remote site is resolving against a Bind 9.x public DNS server.
> The problem occurs when some carriers "share" the same IP address between more customers and they surf behind a shared NAT.
> Is there a way? Perhaps with DNSCrypt or DNSSEC?

Not with DNSSEC.

You can configure the DNS client and DNS server to communicate using encryption (and thus verifying each other), but in such a case a VPN is much better to achieve whatever you want.

Otherwise, you can not do that. DNS servers don't give* information about the clients they are forwarding for. Neither do DNS clients say that.

Also, since the DNS uses caching, an answer provided to a remote client would be provided to multiple DNS clients accessing the cache.

*To be more precise, there IS an extension to indicate the client's subnet, but it's not usable for this purpose.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I feel like I'm diagonally parked in a parallel universe.
Re: Enforce EDNS
On 07.02.17 11:59, Mark Andrews wrote:
> In message <df501874-ddc1-a864-77b8-1f3646c10...@switch.ch>, Daniel Stirnimann writes:
>> Hello all,
>>
>> Our resolver failed to contact an upstream name server as a result of network connectivity issues. named retries eventually worked, but as it reverted back to not using EDNS and the answer should have been signed, the query response failed to validate. Subsequent queries towards this upstream name server were not utilizing EDNS as well because named remembers a name server's capabilities for some time (see also https://deepthought.isc.org/article/AA-00510/0).
>>
>> My question is, can I enforce EDNS usage for a name server? I was thinking of the 'edns' clause in the server settings [1]. However, this is already enabled by default and only applies to an "attempt".
>
> I've also been thinking about no longer falling back to plain DNS on no answer. False positives on not supporting EDNS impact on DNSSEC resolution. Most firewalls now pass EDNS and most of the old Microsoft servers that don't answer a second EDNS request are gone. Any remaining servers would then need to be handled via server ... { edns no; };
>
> Unfortunately we then need to decide what to do with servers that don't answer EDNS + DNS COOKIE queries. Currently we fall back to plain DNS which works except when there is a signed zone involved and the server is validating.

Fall back for how long? Maybe for the same random time as RTT measurements are done: remember for a while, but retry with EDNS on afterwards.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: rDNS
On 20.01.17 09:57, Ron Wingfield wrote:
> I am having difficulty configuring reverse DNS. This has been a problem for over a year between my server(s) and my ISP, AT&T. Specifically, I cannot e-mail to any recipient that requires rDNS verification, e.g., SBCglobal.net, Comcast.net, or AOL. Very frustrating.
>
> . . . why shouldn't this "point" to my server, 162.202.233.81, and not AT&T's?

Because reverse domains are also tracked from the DNS root:

233.202.162.in-addr.arpa.    7200 IN SOA   ns1.swbell.net. postmaster.swbell.net. 2016061700 10800 900 604800 3600
81.233.202.162.in-addr.arpa. 7200 IN CNAME 81.80.233.202.162.in-addr.arpa.

> I have coded my BIND 9 in-addr.arpa zone file as follows:
>
> $ORIGIN 233.202.162.in-addr.arpa.

Stop defining $ORIGIN in the zone file. The $ORIGIN is taken from the named "zone" statement.

According to the records above, you have to configure the zone 80.233.202.162.in-addr.arpa. and ask swbell.net to fetch it from you.

> $TTL 3h
> @       IN SOA ns1.archaxis.net. me.archaxis.net. (
>                 2017012002 ; Serial
>                 1h         ; Refresh
>                 1h         ; Retry
>                 1h         ; Expire
>                 1h )       ; Negative caching TTL
>         3600 IN NS  ns1.archaxis.net.
>         3600 IN NS  ns2.archaxis.net.
> 80      3600 IN PTR network.archaxis.net.
> 81      3600 IN PTR alpha.archaxis.net.
> 82      3600 IN PTR bravo.archaxis.net.
> 87      3600 IN PTR broadcast.archaxis.net.
>
> What is wrong? Is this my problem, or with AT&T?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Spam is for losers who can't get business any other way.
Re: bind does not resolved all domains (SERVFAIL)
On 13.01.17 10:26, Clément Fevrier wrote:
> On 01/13/2017 10:06 AM, Matus UHLAR - fantomas wrote:
>> On 13.01.17 09:57, Clément Fevrier wrote:
>>> I have a weird issue. I have at least one domain that bind9 can't resolve (phdcomics.com, so a very important one ^^), with status SERVFAIL.
>>> Bind server IP is 192.168.1.8, client is 192.168.1.7
>>> Example #1
>>> *client*
>>> % dig phdcomics.com
>>
>> try:
>> dig +trace any phdcomics.com
>
> here the result:
>
> % dig +trace any phdcomics.com
> phdcomics.com.  172800 IN NS ns2.speakeasy.net.
> phdcomics.com.  172800 IN NS ns1.speakeasy.net.
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20170117054831 20170110043831 6404 com. c/zPRDrQtCoVh+htMF53DvkVesgW326ejQ5wIewgCPiBoKeEbqIMK+Kx grKC4X74EdrgxCZj9kyv8tktEPsfDhNO0tOHX9Cll2crC3Me5IsDOpqE PFCeRg/t7ToelaG2EgsftqPYGXAM9W83JhhBCjI+4QMAkDLx+LIn1osY gY8=
> B7DI2Q1SAO6INJMOD4C3LIMV9US3S8SV.com. 86400 IN NSEC3 1 1 0 - B7DNPO8AU6JBOMQ8E9HM02MIH4V2REKE NS DS RRSIG
> B7DI2Q1SAO6INJMOD4C3LIMV9US3S8SV.com. 86400 IN RRSIG NSEC3 8 2 86400 20170118054114 20170111043114 6404 com. cYE8YzLv0mdE+mmBT1PgwhxHbxHQVgnJdGN0YWvyUJc2BX8567nzlMMS q8lrremlw+Gpzby7SlrMrvS2Od4QgZVIgG6i9Y0QuqN4pMtSC63CoDxZ U2zl2e+kvv59ubm2lvnWx69s+dTBZO6d4KJXGG0DeKd0Neq+HWYM/D0r Nbc=
> ;; Received 608 bytes from 192.31.80.30#53(d.gtld-servers.net) in 33 ms

and here is the problem:

> ;; connection timed out; no servers could be reached

You can't contact the speakeasy.net name servers...

> phdcomics.com.  172800 IN NS ns2.speakeasy.net.
> phdcomics.com.  172800 IN NS ns1.speakeasy.net.

Here are their IPs:

ns1.speakeasy.net. 600 IN A 64.29.149.113
ns2.speakeasy.net. 600 IN A 64.29.153.113

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
My mind is like a steel trap - rusty and illegal in 37 states.
Re: bind does not resolved all domains (SERVFAIL)
On 13.01.17 09:57, Clément Fevrier wrote:
> I have a weird issue. I have at least one domain that bind9 can't resolve (phdcomics.com, so a very important one ^^), with status SERVFAIL.
> Bind server IP is 192.168.1.8, client is 192.168.1.7
> Example #1
> *client*
> % dig phdcomics.com

try:
dig +trace any phdcomics.com

That should help more than comparing with other nameservers whether they can query that domain.

Note that the domain has a mismatched delegation, according to some DNS checkers. Also, the servers have very short TTLs.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
If Barbie is so popular, why do you have to buy her friends?
Re: Blocking reverse lookup queries for private ips
On 25.11.16 00:02, Sachin Patil wrote:
> My bind setup only modifies response/resolved IPs for certain domains; this is the only purpose of my setup (apart from caching). I don't have any private/local zones, thus I have kept it in forwarded mode.

Once again: you should only use forwarders when you are unable to resolve yourself. BIND can resolve itself, so forwarders are not required.

Forwarding can also cause useless troubles; just two days ago the Google infrastructure (including their DNS servers) had an outage in central Europe. Being here, you would cause troubles by using their DNS servers as forwarders, without any real need.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Quantum mechanics: The dreams stuff is made of.
Re: Blocking reverse lookup queries for private ips
On 24.11.16 17:10, Sachin Patil wrote:
> On Thu, Nov 24, 2016 at 3:06 PM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> On 24.11.16 13:57, Sachin Patil wrote:
>>> I have changed the option "forward only;" to "forward first;" and it has enabled empty zones. I can see requests for private IPs not going over the internet using tcpdump. This configuration works, but is this a good configuration for a forward-only DNS server, or will there be any problems related to caching etc. with this conf?
>>
>> No, the good configuration is if you do the recursion yourself, without forwarding to Google.
>
> I need to forward requests to Google as I am using this as a forwarding server.

Then don't use Google as a forwarding server; BIND can do DNS lookups itself.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
If Barbie is so popular, why do you have to buy her friends?
Re: Blocking reverse lookup queries for private ips
On 24.11.16 13:57, Sachin Patil wrote:
> I have changed the option "forward only;" to "forward first;" and it has enabled empty zones. I can see requests for private IPs not going over the internet using tcpdump. This configuration works, but is this a good configuration for a forward-only DNS server, or will there be any problems related to caching etc. with this conf?

No, the good configuration is if you do the recursion yourself, without forwarding to Google.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
He who laughs last thinks slowest.
Re: Error while building BIND 9.11 on linux host
On 20.11.16 17:39, blrmaani wrote:
> On Sun, 2016-11-20 at 16:12 -0800, blrmaani wrote:
>> I am trying to build BIND 9.11 on a RHEL linux host and see this error.
>> What am I missing?
>
> These steps helped (openssl-1.0.2j and BIND 9.11 P1):
>
> ./config --prefix=/usr/local --openssldir=/usr/local/openssl
> make
> make install

Just a side note: it's quite funny that some people set up a system that has 10 years of support and start installing things they won't get support for...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I just got lost in thought. It was unfamiliar territory.
Re: Enterprise DNS Architecture - AD and BIND
On 08.11.16 17:15, Ray Van Dolson wrote:
> On Wed, Nov 09, 2016 at 01:11:16AM, Baird, Josh wrote:
>> I'm not quite sure why you would have your caching servers forward to other DNS servers (Google, OpenDNS, etc). I would enable recursion on them and would not forward anything. I would also consider making these caching servers at each location slave your *internal* authoritative zones (or views) to override recursion.
>
> A couple of thoughts on this:
>
> 1) The external caches tend to be pretty "close" latency-wise and presumably have a very large cache to pull from. My belief is we'd probably see lower average response times for queries *not* already cached this way.
>
> 2) Security folks prefer external access to fewer IPs. Simpler red-tape-wise, I guess.

I don't know how big a security gain it is to rely on an external DNS provider you don't have a contract with...

A shorter path should give better results, and forwarding makes the path longer...

If you are going the multi-AD way, simply forward requests from AD to a few BIND caching servers (slaving your internal zones) that will have access to the outside.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: Enterprise DNS Architecture - AD and BIND
On 08.11.16 16:09, Ray Van Dolson wrote:
> What I'm thinking:
>
> - Have an AD server at every location we have a BIND server. This way client machines talk DNS *only* to AD servers so Dynamic DNS & friends work reliably. AD servers would then forward to BIND servers as needed.

This could work; multiple AD servers could give you more services than just BIND (if you need them). In fact AD servers don't really need to forward to BIND servers, unless of course you run something special on the forwarders.

>   + Alternative: Configure clients to do DNS updates via DHCP Option 81, etc. instead of via Dynamic DNS. This would allow clients to point at BIND and take advantage of Anycast for resiliency, and I avoid needing to figure out how to make BIND pass RFC 2136 requests on from clients to AD reliably...

Even a better idea...

> - Caching Servers will be the same configuration no matter where they are, and do the same things:
>   + "." will forward out to OpenDNS or Google, etc. for Internet lookups.

Don't do that; your caching servers should do their own recursion and not rely on public DNS servers.

>   + Will be a "slave" for all AD-owned domains. Thought here is better client response times and fewer issues w/ TTL and cache and better resiliency...

This might be a problem: using multiple AD servers is AFAIK not possible (they don't have consistent data, so using *XFR is unreliable), so each caching server will only rely on one AD server.

>     - Alternative: Leave these as static-stub, but now I may need logic in Ansible or wherever to point to "nearby" AD servers depending on where the BIND server lives to keep response times low when things aren't cached. That or not care about latency...

BIND does measure latency on its own, so providing all AD servers in the configuration should not be a problem.

>   + Will be a "slave" for all of the split-view zones (only for the "internal" view). Could do static-stub here as well, but think slave may serve us better for similar reasons as w/ AD.
>   + I can introduce my split view zones for VPN here as well. I haven't thought this one through fully yet, but am hopeful I don't need to fully duplicate the zones above and could instead forward queries from one view to another.
>
> - Authoritative BIND Servers mostly stay as-is aside from needing to be configured to send notifies out to caching servers and proper FW access maintained for AXFR.

If you have authoritative zones that are important to you, better slave them and send notifies... that will give you better performance and faster propagation of changes.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Re: forward only recursive server doesn't forward
On 19.10.16 21:27, Alex wrote:
> I have a bind-9.10.3 server on fedora22 that is authoritative for a few domains and their corresponding IP ranges. I'd like to set up another domain server (rbldnsd) on a host in one of those domains as a forward-only server.
>
> The problem appears to be that the queries from the local box to the subdomain being managed by the rbldnsd server are being answered by the local bind instead of being sent to the remote machine running rbldnsd. In other words, I believe the issue is that the host is already authoritative for the reverse zone, so there would be no reason for it to forward these queries to another system.

Mark already took care of the first part of your post.

> zone "96/28.104.104.66.in-addr.arpa" {
>     type slave;
>     file "slaves/db.104.104.66";
>     masters { 64.1.1.3; };
>     allow-query { any; };
>     allow-transfer { trusted; };
> };
>
> I set up the reverse zone a long time ago, and I don't think the "zone 96/28.104.104.66.in-addr.arpa" is completely correct, but it appears to work. I'm not sure if that's related to the problem, but would appreciate advice there.

The domain 96/28.104.104.66.in-addr.arpa is completely correct; however, the DNS clients must know they have to search for this domain. Thus, you must ask your ISP to delegate part of 104.104.66.in-addr.arpa to your subdomain:

96/28   IN NS    your.server.name.
96      IN CNAME 96.96/28
97      IN CNAME 97.96/28
...
111     IN CNAME 111.96/28

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
If Barbie is so popular, why do you have to buy her friends?
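The classless delegation described in this reply (RFC 2317) is the same mechanism behind the swbell.net CNAME in the rDNS thread above, where the ISP used a plain "80" label instead of "96/28". The script below is an added example, not code from either post or from BIND: it generates the NS and CNAME records the holder of the parent /24 reverse zone has to publish, the PTR records the customer puts in the delegated zone, and the chain of names a resolver walks. The prefixes, the label choice and the hostnames (ns1.example.net., mail.example.net.) are constructed for illustration.

```python
"""RFC 2317 classless in-addr.arpa delegation helper (added example).

A /24 reverse zone cannot delegate single addresses, so the parent zone holder
delegates a synthetic label such as "96/28" (or any label, e.g. "80") to the
customer's name servers and points the classic owner name of every address in
the block at that label with a CNAME. A resolver then follows
classic name -> CNAME -> PTR inside the customer's zone.
"""
import ipaddress


def reverse_name(ip):
    """Classic in-addr.arpa owner name of one IPv4 address, with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def split_block(block):
    """Return (network, parent /24 zone name, default delegated label)."""
    net = ipaddress.ip_network(block, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("classless delegation is for IPv4 blocks longer than /24")
    o = str(net.network_address).split(".")
    parent = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."
    return net, parent, f"{o[3]}/{net.prefixlen}"


def classless_zone_name(block, label=None):
    """Name of the delegated reverse zone, e.g. 96/28.104.104.66.in-addr.arpa."""
    _, parent, default_label = split_block(block)
    return f"{label or default_label}.{parent}"


def parent_zone_records(block, ns_names, label=None, ttl=3600):
    """Records the parent /24 zone must carry (owner names relative to it):
    NS records delegating the label, then one CNAME per address in the block."""
    net, _, default_label = split_block(block)
    label = label or default_label
    recs = [f"{label}\t{ttl}\tIN\tNS\t{ns}" for ns in ns_names]
    for addr in net:
        last = str(addr).split(".")[3]
        recs.append(f"{last}\t{ttl}\tIN\tCNAME\t{last}.{label}")
    return recs


def customer_ptr_records(block, hostnames, ttl=3600):
    """PTR records for the delegated zone. Owner names are the last octet only,
    relative to the origin named takes from the zone statement, so the file
    needs no $ORIGIN line."""
    net, _, _ = split_block(block)
    recs = []
    for ip, host in sorted(hostnames.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is outside {block}")
        recs.append(f"{ip.split('.')[3]}\t{ttl}\tIN\tPTR\t{host}")
    return recs


def resolution_chain(ip, block, label=None):
    """Names a resolver visits for ip: the classic name, then the CNAME target
    inside the delegated zone where the customer's PTR lives."""
    net, parent, default_label = split_block(block)
    if ipaddress.ip_address(ip) not in net:
        raise ValueError(f"{ip} is outside {block}")
    last = ip.split(".")[3]
    return [reverse_name(ip), f"{last}.{label or default_label}.{parent}"]


if __name__ == "__main__":
    # Constructed sample: the ISP holds 104.104.66.in-addr.arpa and delegates
    # 66.104.104.96/28 to ns1.example.net.
    for r in parent_zone_records("66.104.104.96/28", ["ns1.example.net."]):
        print(r)
    for r in customer_ptr_records("66.104.104.96/28", {"66.104.104.97": "mail.example.net."}):
        print(r)
    print(resolution_chain("66.104.104.97", "66.104.104.96/28"))
```

The label is only a convention: the "80" form from the AT&T thread and the "96/28" form from this one both work as long as the parent zone's CNAMEs and the delegated zone name agree, which is exactly what the generator enforces.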
Re: R: Reloading match-clients
On 14.10.16 13:51, Job wrote:
> There is no way to update the match_clients dynamically without reconfig/reloading?

No. Changing the configuration requires reconfiguration.

Maybe if you were able to implement what you want using RPZ, but that would still require reloading the RPZ zone (or sending a DNS update for the RPZ zone).

> On 14/10/16 11:48, Job wrote:
>> is there a way to update/change this section without reloading or with a very soft reload?
>
> Yes. Use "rndc reconfig" instead of "rndc reload".
>
> Regards,
> Anand

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
42.7 percent of all statistics are made up on the spot.
Re: How to request ixfr updates against public ip directly instead of unicast ip in bind
On 12.10.16 20:57, rams wrote:
> I have master and slave servers. When we have updates in the master, the slave is getting updated after 20 or 30 minutes. When I look into tcpdump packets, the slave is trying with the master's unicast IP to get updates. We don't have the port opened from slave to master with the unicast IP, and we have the port opened from slave to master with the public IP. Do we have any option for checking the SOA value directly with the public IP of the master instead of the unicast IP?

I don't get it. What do you mean by "unicast" and "public" IP?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
On the other hand, you have different fingers.
Re: Unspecified error DNS query
On 07.10.16 15:01, Daniel Dawalibi wrote:
> We are getting "Unspecified error" when querying our DNS server (Query: outlook.live.com) from a PC communicating with our DNS.
> We tried to perform the same query from the DNS itself (localhost) and we found that the dig output is showing the following message: "Truncated, retrying in TCP mode".
> We also observed that the message size of the requested query "outlook.live.com" increased recently from MSG SIZE 221 to 770.
> Can you please help why we are getting this error (client side) and why the TCP mode is shown in the dig output since other queries do not show TCP mode in their output?

Responses that are over 512 bytes (the maximum packet size without EDNS) must be truncated in UDP mode and thus must be answered in TCP mode.

Try running:

dig +bufsize=4096 outlook.live.com.

That should avoid TCP...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Windows 2000: 640 MB ought to be enough for anybody
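To make the 512-byte rule concrete, here is an added example that is not code from the post, from BIND or from dig: a minimal wire-format query builder, a parser that reads the UDP payload size a query advertises in its EDNS0 OPT record (RFC 6891), and a toy server that sets the TC bit exactly when the complete reply would exceed that size. A plain query advertises nothing, so the server must fall back to the RFC 1035 limit of 512 bytes; what dig +bufsize=4096 does is add an OPT record advertising 4096. The answer section used in the usage example is an opaque constructed blob sized to reproduce the ~770-byte response from the post; the OPT record a real server would echo back is omitted to keep the size arithmetic plain.

```python
"""Why an answer over 512 bytes forces a TCP retry without EDNS (added example)."""
import struct


def encode_name(name):
    """Uncompressed DNS label encoding of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, udp_payload=None):
    """Wire-format query. udp_payload=None means plain DNS without an OPT record."""
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)   # QTYPE, QCLASS=IN
    arcount = 0 if udp_payload is None else 1
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    msg = header + question
    if udp_payload is not None:
        # OPT pseudo-RR: root owner name, TYPE 41, CLASS = advertised UDP size,
        # TTL = extended RCODE and flags (0), RDLENGTH 0.
        msg += b"\x00" + struct.pack(">HHIH", 41, udp_payload, 0, 0)
    return msg


def _skip_name(msg, off):
    """Offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def advertised_payload(msg):
    """UDP payload size the message advertises; 512 when it carries no OPT."""
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                       # QTYPE + QCLASS
    for _ in range(an + ns):
        off = _skip_name(msg, off)
        rdlen = struct.unpack(">H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return 512


def is_truncated(response):
    """True when the TC flag (bit 9 of the flags word) is set."""
    return bool(struct.unpack(">H", response[2:4])[0] & 0x0200)


def server_response(query, answer_section, ancount):
    """Toy authoritative side: copy the question, append the answer section
    (opaque bytes holding ancount RRs) and set TC when the whole message would
    not fit into the size the client advertised. A truncated reply carries no
    answer RRs, which is what makes a client such as dig retry over TCP."""
    txid = struct.unpack(">H", query[:2])[0]
    limit = advertised_payload(query)
    question = query[12:_skip_name(query, 12) + 4]
    flags = 0x8180                                            # QR, RD, RA
    if 12 + len(question) + len(answer_section) > limit:
        flags |= 0x0200                                       # TC
        return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0) + question
    header = struct.pack(">HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + question + answer_section


if __name__ == "__main__":
    big_answer = bytes(740)      # constructed: makes a ~770-byte reply, as in the post
    for bufsize in (None, 4096):
        q = build_query("outlook.live.com", udp_payload=bufsize)
        r = server_response(q, big_answer, 1)
        print(f"advertised={advertised_payload(q):4d}  truncated={is_truncated(r)}  len={len(r)}")
```

Run it and the plain query gets a 34-byte reply with TC set while the EDNS query gets the full 774 bytes in one UDP datagram; that is the entire difference between the two dig runs in the post, and it is why a middlebox that strips or blocks EDNS forces every large answer onto TCP port 53.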
Re: Multiple A Records - Followup Question
On 02.10.16 20:42, David Ford wrote:
> On 2016-10-02 12:59, Reindl Harald wrote:
>>> IOW, can a given *IP* appear in more than one A record? I realize that this does have the problem that the reverses would resolve to hostX not test
>>
>> one IP should only have one PTR - period
>> avoid anything else than PTR/A matching if the machine is supposed to send outbound mail
>
> it is very helpful to have multiple PTR records for an IP on a mail server so anti-spam engines can accurately make fully verified forward and reverse lookups not just for DNS but also certificate verification. mail servers that can't correctly emit the right EHLO for outbound email should remain in the 1990s.

I found it problematic, not helpful. It's much safer and easier to have one PTR record with correct FCrDNS when sending mail than having multiple DNS records (even with valid FCrDNS).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Silvester Stallone: Father of the RISC concept.
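What "correct FCrDNS" means in practice is the check a receiving mail server runs on the connecting IP: look up its PTR names, look up each name's A/AAAA records, and accept the IP as forward-confirmed only if at least one name resolves back to it; many MTAs then also compare the EHLO name with the confirmed names. The script below is an added example, not code from the thread or from any MTA, and it runs against a constructed in-memory snapshot of DNS data (RFC 5737 documentation addresses and example.org/example.net names) so it works offline; replace the two lookup functions with real resolver calls to use it for real. It also shows the cost of several PTR names: every one of them needs a forward lookup, and a stale one (old.example.org. below) is only harmless if the MTA checks all of them.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as a receiving MTA applies it (added example)."""
import ipaddress

# Constructed sample DNS data; not real records.
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.org."],
    "192.0.2.11": ["mail.example.org.", "www.example.org.", "old.example.org."],
    "192.0.2.12": ["mail.example.net."],      # PTR whose forward record points elsewhere
    "192.0.2.13": [],                         # no PTR at all
}
A_RECORDS = {
    "mail.example.org.": ["192.0.2.10", "192.0.2.11"],
    "www.example.org.": ["192.0.2.11"],
    "old.example.org.": ["198.51.100.5"],     # stale: no longer points at 192.0.2.11
    "mail.example.net.": ["198.51.100.9"],
}


def normalize(name):
    """Case-insensitive, absolute form of a host name."""
    return name.strip().lower().rstrip(".") + "."


def ptr_lookup(ip):
    """Names the PTR query on ip's in-addr.arpa name would return."""
    ipaddress.ip_address(ip)                  # reject malformed input early
    return list(PTR_RECORDS.get(ip, []))


def a_lookup(name):
    """Addresses the forward (A) query on name would return."""
    return list(A_RECORDS.get(normalize(name), []))


def fcrdns_names(ip):
    """PTR names of ip whose forward lookup contains ip again: the confirmed ones.
    With several PTR names this costs one extra forward query per name."""
    return [n for n in ptr_lookup(ip) if ip in a_lookup(n)]


def classify_sender(ip, helo):
    """Decision a strict MTA could take from FCrDNS plus the EHLO name:
    'no-ptr', 'ptr-not-confirmed', 'helo-not-confirmed' or 'ok'."""
    names = ptr_lookup(ip)
    if not names:
        return "no-ptr"
    confirmed = fcrdns_names(ip)
    if not confirmed:
        return "ptr-not-confirmed"
    if normalize(helo) in confirmed:
        return "ok"
    return "helo-not-confirmed"


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.org"), ("192.0.2.11", "old.example.org"),
                     ("192.0.2.12", "mail.example.net"), ("192.0.2.13", "laptop")]:
        print(ip, helo, "->", fcrdns_names(ip), classify_sender(ip, helo))
```

The single-PTR host 192.0.2.10 passes with one PTR and one A query. The multi-PTR host 192.0.2.11 passes too, but only after three forward lookups, and it fails the EHLO comparison the moment it announces the stale name, which is the operational argument for one PTR per sending IP made in the reply above.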
Re: adding zone forwards without restart
On 29.09.16 12:25, Frank Even wrote:
> I am running chrooted. I'm relying on the "feature" of BIND "mounting" the standard dirs into a chroot via the standard startup scripts in Cent6/7. My understanding is it's not "copying" the files anywhere, but using those that are there. I am modifying them via puppet on the system. I've even created a "service" to only do an "rndc reconfig" instead of refreshing the service to ensure I can do safe puppet runs. But yeah, no matter what I do, nothing short of a restart of the service (typically "service named restart" on EL6 and "service named-chroot restart" on EL7) works.

Apparently there's something like that (copying files) in the startup scripts or related to the puppet installation. Have you tried running without chroot for a while, to see if it helps?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Windows found: (R)emove, (E)rase, (D)elete
Re: Unable to Load the Zone file
On 27.09.16 07:34, Harshith Mulky wrote:
> ; Name Server (NS) records
> enum.bhnis.net.    IN NS atlanta.enum.bhnis.net.
>                       NS 72.31.4.5.
>                       NS 72.31.4.36.
>
> getting these errors when starting named service
>
> enum.bhnis.net:3: ignoring out-of-zone data (.)
> enum.bhnis.net:12: NS record '72.31.4.5.' appears to be an address
> enum.bhnis.net:13: NS record '72.31.4.36.' appears to be an address
> zone enum.bhnis.net/IN: has 0 SOA records
> zone enum.bhnis.net/IN: not loaded due to errors.
> _default/enum.bhnis.net/IN: bad zone
>
> What is the problem here?

is there something you don't understand in the error message?

"NS record '72.31.4.5.' appears to be an address"

An IP address can only appear on the right side of an A record (AAAA for IPv6
addresses). NS records need domain names on the right side.

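A small zone-file linter that reproduces the three complaints in the log above (out-of-zone data, an NS record whose rdata is an address, and a zone with no SOA), added here as an example; it is not named-checkzone and not from the thread. The zone text is constructed in example.com with the same two mistakes, and FIXED_ZONE is the same zone once the NS rdata is a host name that has its own A record.

```python
"""Zone-file linter for three named-checkzone style errors: out-of-zone owner
names, NS rdata that is an IP address, and a zone without an SOA.
Added example; handles only a small subset of zone-file syntax."""
import ipaddress
from typing import Iterator, List, Optional, Tuple

CLASSES = {"IN", "CH", "HS"}

# Constructed zone in the documentation domain, with two deliberate mistakes.
SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN example.com.
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2016092701 3600 900 1209600 300 )
    IN NS  ns1.example.com.
    IN NS  192.0.2.5.            ; wrong: NS rdata must be a host name
ns1 IN A   192.0.2.5
www IN A   192.0.2.80
other.example.net. IN A 198.51.100.1   ; owner is outside the zone
"""

# The same zone with the NS pointing at a host name that has its own A record.
FIXED_ZONE = (SAMPLE_ZONE
              .replace("IN NS  192.0.2.5.", "IN NS  ns2.example.com.")
              .replace("other.example.net. IN A 198.51.100.1", "ns2 IN A 192.0.2.6"))


def _fqdn(name: str, origin: str) -> str:
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _looks_like_address(rdata: str) -> bool:
    try:
        ipaddress.ip_address(rdata.rstrip("."))
        return True
    except ValueError:
        return False


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Strip ';' comments and join parenthesised multi-line records,
    yielding (first line number, joined text)."""
    buf: List[str] = []
    depth = start = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]
        if not buf:
            start = lineno
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf).rstrip()
            buf, depth = [], 0
            if joined.strip():
                yield start, joined


def _parse_record(line: str, origin: str, last_owner: str) -> Optional[Tuple[str, str, List[str]]]:
    """Split 'owner [ttl] [class] type rdata...'; a leading blank means 'same owner'."""
    tokens = line.split()
    owner = last_owner if line[0].isspace() else _fqdn(tokens.pop(0), origin)
    if tokens and tokens[0].isdigit():            # TTL before class
        tokens.pop(0)
    if tokens and tokens[0].upper() in CLASSES:
        tokens.pop(0)
    if tokens and tokens[0].isdigit():            # TTL after class
        tokens.pop(0)
    if not tokens:
        return None
    return owner, tokens[0].upper(), tokens[1:]


def lint_zone(text: str, zone: str) -> List[str]:
    zone = zone.lower().rstrip(".") + "."
    origin, last_owner, soa_count = zone, zone, 0
    errors: List[str] = []
    for lineno, line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = _fqdn(tokens[1], origin)
            continue
        if tokens[0].startswith("$"):             # $TTL etc.: not needed for these checks
            continue
        parsed = _parse_record(line, origin, last_owner)
        if parsed is None:
            errors.append(f"{zone}:{lineno}: unparseable record")
            continue
        owner, rtype, rdata = parsed
        last_owner = owner
        if owner.lower() != zone and not owner.lower().endswith("." + zone):
            errors.append(f"{zone}:{lineno}: ignoring out-of-zone data ({owner})")
            continue
        if rtype == "SOA" and owner.lower() == zone:
            soa_count += 1
        if rtype == "NS" and rdata and _looks_like_address(rdata[0]):
            errors.append(f"{zone}:{lineno}: NS record '{rdata[0]}' appears to be an address")
    if soa_count == 0:
        errors.append(f"zone {zone}/IN: has 0 SOA records")
    return errors


if __name__ == "__main__":
    print("\n".join(lint_zone(SAMPLE_ZONE, "example.com")) or "no errors")
```

The address test strips the trailing dot first, which is why "72.31.4.5." in the poster's file trips it the same way it trips named: the dot makes it a syntactically valid domain name, but it is still an address, not the name of a nameserver.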
Re: root.hind or named.hint file update
> Pol Hallen <bin...@fuckaround.org> wrote:
>> is it recommended to put a cron script in place to auto-update the root.hind
>> and named.hint db?

On 23.09.16 12:54, Tony Finch wrote:
> No, it's best not to have a hints file and just use the one built in to BIND.

I would not say that... it's better to use the builtin hints file than to have
an outdated hints file. But if someone does care about the hints file, it's
better to have the current version when the builtin one is older.

Re: R: Minimal responses and speeding up queries
On 23.09.16 09:33, Job wrote:
> Very interesting answers, thank you first of all.
> Regarding:
>> BIND 9.11 adds two more stops on the knob
> There will be an option to add these stops or, by default, bind-9.11 will
> care about this?

care about what?

A DNS client will fetch the data it needs to resolve a query. If you turn
minimal-responses on, the required data may not be in the answer. That will
result in another query being sent, which means the number of queries
increases.

Re: Fwd: Re: adding second zone
On 23.09.16 09:31, Pol Hallen wrote:
> Sep 22 21:27:12 asia.bunker.org named[6079]: /etc/bind/named.conf.local:32: zone '1.168.192.in-addr.arpa': already exists previous definition: /etc/bind/named.conf.local:17
> Sep 22 21:27:12 asia.bunker.org named[6079]: loading configuration: failure
>
> 1.168.192.in-addr.arpa is on primary zone, if I add second zone I've this
> error

you apparently have 1.168.192.in-addr.arpa defined two times.

what are you trying to do?

Re: adding zone forwards without restart
>> Benny Pedersen <m...@junc.eu> wrote:
>>> why does reload not flush ?

> In article <mailman.272.1474471859.7.bind-us...@lists.isc.org>, Tony Finch
> <d...@dotat.at> wrote:
>> Often you want to reload zone files without throwing away the cache.

On 22.09.16 11:39, Barry Margolin wrote:
> It shouldn't flush the entire cache, but it would certainly make sense to
> flush entries within a forwarding zone that's modified.

I don't see a reason to implicitly flush entries just because an existing
domain changed servers. Changing servers does not necessarily mean changing
content.

there's the "rndc flushtree" command since 9.9, which flushes a domain and its
subdomains when issued. You can use it if needed.

Re: Minimal responses and speeding up queries
On 22.09.16 16:41, Job wrote:
> in Bind 9.10 we tried minimal-responses = yes to limit "additional queries"
> when resolving. I notice that resolution is faster.
> Actually, dig @host some_url still shows an additional query, maybe not
> needed for a caching-only resolver:
>
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54581
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> Is there a way to improve limiting of "additional queries" after
> minimal-responses = yes?

using minimal responses often results in additional queries being needed, by
definition. If you want to avoid additional queries, turn minimal-responses
off.

Re: adding zone forwards without restart
On 21.09.16 14:49, philippe.simo...@swisscom.com wrote:
> and after a forward add a rndc flush can help too ..

not needed unless the old forwarders provide invalid data.

> -----Original Message-----
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas
> Sent: Wednesday, September 21, 2016 10:03 AM
> To: bind-users@lists.isc.org
> Subject: Re: adding zone forwards without restart
>
> >> On 2016-09-21 02:40, Frank Even wrote:
> >> Is there a way to add forwarders for specific zones without a restart?
> >> Everything I've read seems to indicate an "rndc reconfig" or an "rndc
> >> reload" should take care of this, but they do not. I add forwarders to
> >> "named.conf" and neither will load the new forwarded zone until I do a
> >> full daemon restart.
>
> > On 20.09.16 19:44, Frank Even wrote:
> > The basics are fine. BIND just doesn't load newly added forwarded zones,
> > period. It also kind of lies in the output:
>
> the reconfig SHOULD cause bind to reload the configuration.
> the reload SHOULD cause bind to reload the zones.
> if it does not, it's probably a bug.
> for forwarding zones, reconfig should be enough.

Re: forwarder (YES/NO)
>> so simply leave BIND running and see if it's better tomorrow...

On 21.09.16 09:29, Pol Hallen wrote:
> seems better today, but how do I realize if bind runs correctly? I mean: if
> the speed of it is normal or if there are lags?

try running dig +trace and see how fast it runs. It should return in about the
same time as BIND does (when it doesn't have anything in cache). It will show
you how the recursion works, and you can see where the lags come from.

> Now I tested some domains, almost all are ok but 2 of these are slow...
> using @8.8.8.8 with these two are fast
> Actually I commented:
>
> // forwarders {
> //    8.8.8.8; 8.8.4.4;
> //}
>
> but testing 127.0.0.1, bind keeps also 4000/5000ms to resolve a query
>
> forwarders { 127.0.0.1; }

do you forward to yourself???

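Two of the mistakes in these threads, a zone defined twice in one view (the "already exists previous definition" failure a few messages above) and forwarders that point at the server itself ("do you forward to yourself???"), can be caught before named is reloaded. Added example, not from the thread and not named-checkconf: a parser for a subset of named.conf syntax, run over a constructed configuration that contains both mistakes (all addresses are documentation ranges; the file names are invented). It treats loopback plus every listen-on address as "this server".

```python
"""named.conf subset linter: duplicate zones in a view, forwarders that loop
back to this server. Added example, not named-checkconf."""
import re
from typing import List, Tuple

Stmt = Tuple[str, List[str], list, int]   # keyword, arguments, children, line

# Comments come first so that '//' and '#' never tokenize as words.
TOKEN_RE = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/|"[^"]*"|[{};]|[^\s{};"]+', re.S)
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed configuration (documentation address ranges) with three faults:
# options forward to 127.0.0.1, a zone forwards to one of our listen
# addresses, and the reverse zone is defined twice.
SAMPLE_CONF = """\
options {
    listen-on { 127.0.0.1; 192.0.2.53; };
    forwarders { 127.0.0.1; };   // forwards to ourselves
};
zone "1.168.192.in-addr.arpa" { type master; file "db.192.168.1"; };
zone "example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; 198.51.100.1; };
};
zone "1.168.192.in-addr.arpa" { type slave; masters { 203.0.113.2; }; };
"""


def tokenize(text: str) -> List[Tuple[str, int]]:
    """Tokens with their 1-based line numbers; comments are dropped."""
    out = []
    for m in TOKEN_RE.finditer(text):
        tok = m.group()
        if tok.startswith(("//", "#", "/*")):
            continue
        out.append((tok, text.count("\n", 0, m.start()) + 1))
    return out


def parse_block(tokens: List[Tuple[str, int]], i: int = 0) -> Tuple[List[Stmt], int]:
    """Parse 'keyword args... { children };' statements until a closing brace."""
    stmts: List[Stmt] = []
    while i < len(tokens):
        tok, line = tokens[i]
        if tok == "}":
            return stmts, i + 1
        words, children, i = [tok.strip('"')], [], i + 1
        while i < len(tokens) and tokens[i][0] not in ("{", ";", "}"):
            words.append(tokens[i][0].strip('"'))
            i += 1
        if i < len(tokens) and tokens[i][0] == "{":
            children, i = parse_block(tokens, i + 1)
        if i < len(tokens) and tokens[i][0] == ";":
            i += 1
        stmts.append((words[0], words[1:], children, line))
    return stmts, i


def lint_named_conf(text: str) -> List[str]:
    stmts, _ = parse_block(tokenize(text))
    # Addresses this server answers on: loopback plus every listen-on entry.
    local = set(LOOPBACK)
    for kw, _args, kids, _line in stmts:
        if kw == "options":
            for kw2, _a2, kids2, _l2 in kids:
                if kw2 in ("listen-on", "listen-on-v6"):
                    local.update(c[0] for c in kids2)
    problems: List[str] = []

    def forwarder_check(kids: List[Stmt], what: str) -> None:
        for kw2, _a2, kids2, line2 in kids:
            if kw2 == "forwarders":
                hits = [c[0] for c in kids2 if c[0] in local]
                if hits:
                    problems.append(f"line {line2}: {what} forwards to this server "
                                    f"({', '.join(hits)}): forwarding loop")

    def scope(scope_stmts: List[Stmt], where: str) -> None:
        seen = {}   # zone name -> line of first definition, per view
        for kw, args, kids, line in scope_stmts:
            if kw == "options":
                forwarder_check(kids, "options")
            elif kw == "zone" and args:
                name = args[0].lower().rstrip(".")
                if name in seen:
                    problems.append(f"line {line}: zone '{args[0]}'{where}: already "
                                    f"exists (previous definition: line {seen[name]})")
                else:
                    seen[name] = line
                forwarder_check(kids, f"zone '{args[0]}'")
            elif kw == "view" and args:
                forwarder_check(kids, f"view '{args[0]}'")
                scope(kids, f" in view '{args[0]}'")

    scope(stmts, "")
    return problems


if __name__ == "__main__":
    for problem in lint_named_conf(SAMPLE_CONF):
        print(problem)
```

Duplicates are tracked per view, so the same zone name in an internal and an external view is accepted, which is exactly the split-DNS layout discussed later in this digest.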
Re: Querying locally on a nameserver - odd behavior
On 20.09.16 20:27, blrmaani wrote:
> I have a DNS server (which is both forwarder and authoritative NS) and I see
> this odd behavior locally on the host:
>
> dig @localhost   # returns immediately with right response
> dig @            # returns sometimes, timesout most of the time
>
> I have allow-query {any;} in BIND config and the above is local on the host
> (obtained via slaving). The listen-on is set to 'any' on port-53
>
> What am I missing? Why this odd behavior?

a firewall probably?

Re: adding zone forwards without restart
>> On 2016-09-21 02:40, Frank Even wrote:
>> Is there a way to add forwarders for specific zones without a restart?
>> Everything I've read seems to indicate an "rndc reconfig" or an "rndc
>> reload" should take care of this, but they do not. I add forwarders to
>> "named.conf" and neither will load the new forwarded zone until I do a full
>> daemon restart.

On 20.09.16 19:44, Frank Even wrote:
> The basics are fine. BIND just doesn't load newly added forwarded zones,
> period. It also kind of lies in the output:

the reconfig SHOULD cause bind to reload the configuration.
the reload SHOULD cause bind to reload the zones.
if it does not, it's probably a bug.
for forwarding zones, reconfig should be enough.

I guess, if the configuration is invalid, the old one should keep being used.

> Sep 20 17:57:48 host01 named[26453]: reloading configuration succeeded
> Sep 20 17:57:48 host01 named[26453]: any newly configured zones are now loaded
>
> ...except they're not. Thus far I think the only condition I've actually seen
> BIND load new zones without a restart after being added to named.conf is if
> it's not already authoritative for a lower level part of a domain and you're
> adding an authoritative zone.

Bind checks zone file timestamps, although files do not apply to forwarding
zones, so they are also not loaded, because queries for them are of course
being forwarded (or recursed, if they are set to "forward first" and the
forwarders do not answer).

> Even adding another master zone that is higher up in the hierarchy will not
> load until a full restart I've found (meaning you have "domain.com"
> configured as a master zone and add "subdomain.domain.com" as a master zone
> as well).

so, do you have problems with forwarding zones or master zones?

Did you run named-checkconf as Benny advised?
Did you run named-checkzone for the newly added zones?

Re: forwarder (YES/NO)
>> with 9.10, leave prefetch on and see...

On 20.09.16 15:12, Pol Hallen wrote:
> I've 9.9.5 version on debian stable :-/

so simply leave BIND running and see if it's better tomorrow...

Re: forwarder (YES/NO)
On 20.09.16 15:03, Pol Hallen wrote:
>> what happens if you leave it working (without forwarders) for some time?
>> BIND should cache frequently used data and provide them quickly.
>
> I don't know. I start now testing without forwarders and tonight I see
>
>> when you use google forwarder, the main difference is that most of those
>> data are probably already cached.
>
> How can I replicate same thing?

just leave bind running for some time.

with 9.10, leave prefetch on and see...

Re: forwarder (YES/NO)
On 20.09.16 12:29, Pol Hallen wrote:
> I've a quad core 2.4Ghz with standard italian DSL
> I tested BIND with either forwarder activated and deactivated
>
> forwarders { 8.8.8.8; 8.8.4.4; };
>
> without forwarder, using dig command, "query time" only on some domains (I
> tested italian domains - I live in Italy) is 350-800ms, with forwarder
> almost always is less than 100ms (!)
> I'd like have my BIND (no forwarder) that works for my lan :-)
> how can I optimize BIND speed? (or maybe I've a wrong config?)

what happens if you leave it working (without forwarders) for some time?
BIND should cache frequently used data and provide them quickly.

when you use google forwarder, the main difference is that most of those data
are probably already cached.

Re: replicate a whole master
On 19.09.16 15:51, Pol Hallen wrote:
> dig yahoo.it @192.168.1.212
> query is 38ms, second query is 1msec
> Can I replicate a whole internet primary dns to have on my bind in local
> network all domains name updated?

are you sure you want to replicate the whole server? Are you sure you know what
that means?

Re: DNS views and zone transfers
On 06.09.16 16:23, project722 wrote:
> I'm interested in the "view forwarding" method. I'm only setting up views to
> resolve a split DNS issue with one domain. I'd like to have that one
> zone/domain in my internal view and then if the source IP requests info for
> any other zone forward that to my external view. To me this sounds like a
> whole lot less work. Do you have any specifics on how I would go about
> setting that up or can you point me in the direction where I can get info on
> setting that up? Ideally, I'd want my "internal" clients to still find
> example.com even if the internal view only had example.org in it. Something
> like this but how do I incorporate the forwarding?

I think the "in-view" statement in BIND 9.10 is what you are searching for.

> view internal {
>     match-clients { internal; };
>     zone "example.org" { };
> };
> view external {
>     match-clients { external; };
>     zone "example.org" { };
>     zone "example.com" { };
> };

Re: Question about dynamic IPv6-PTR-Generation
On 26.08.16 07:34, Tom Tom wrote:
> I'm searching a way to respond to IPv6-PTR-Queries like the
> "$GENERATE"-mechanism for IPv4 has done it.

why? configuring single IP addresses or taking them from DHCP is easier than
creating a new useless mechanism.

Re: Slaves or Forwarders?
> In message <844475874024407090c1c2e9d5718...@mxph4chrw.fgremc.it>, "Darcy Kevin (FCA)" writes:
>> From an InfoSec standpoint, of course one would prefer to use cryptographic
>> methods of securing DNS data, but, in the absence of that, slaving could,
>> arguably, be considered more secure than forwarding, in the sense that
>> forwarding usually generates more network transactions, over time, for any
>> given resolution of any given name, and thus more chances for a bad guy to
>> successfully spoof a response and have that forged answer be cached. One
>> could also eke out a small measure of extra security (again, if
>> cryptographic methods are for some reason unavailable) by turning off IXFR
>> and thus causing all zone transfers to occur with AXFR, which is TCP-based
>> and thus presumably harder to spoof. But, that's a heavy price to pay for a
>> small increment of extra security. Better to go for crypto, at that point,
>> either within the DNS protocol itself (e.g. TSIG, DNSSEC), by implementing
>> (as many have) an out-of-band method of replicating zone data (e.g.
>> rsync-over-ssh, Infoblox-style "grid replication" over OpenVPN tunnels) or
>> by securing *all* communication between nameserver instances (e.g. IPSEC
>> tunnels).

On 24.08.16 08:00, Mark Andrews wrote:
> named only accepts IXFR over TCP. While the protocol supports sending deltas
> with IXFR/UDP named does not use that part of the protocol.

just IXFRs or AXFRs too? Isn't edns over UDP enough in many cases?

Re: getting not authoritative with some notifies - Solved
> On Sun, 2016-07-31 at 19:25 -0700, Dave Warren wrote:
>> Or, separate your resolver and authoritative roles, in which case this
>> won't be an issue. One should still monitor for zones for customers who
>> have departed, obviously, but it's not likely to cause any operational
>> issues.

On 01.08.16 10:37, Carl Byington wrote:
> Yes, I should have prefixed my comments with a note that this applies mainly
> to users of some low end multi-tenant hosting solutions that (by default)
> run both dns roles on the same box, and point /etc/resolv.conf to localhost.

in such a small system it shouldn't happen often that someone migrates a
domain off your server.

However you can avoid this issue by running either multiple dns servers, bind
instances or views: recursive-only on 127.0.0.1 and authoritative on the
public IP.

Re: getting not authoritative with some notifies - Solved
> On Sat, 2016-07-30 at 21:40 +0200, Matus UHLAR - fantomas wrote:
>> or simply wait till customers complain and tell them they should tell you
>> when they migrated their zones off.

On 31.07.16 18:00, Carl Byington wrote:
> Which customers will complain?

funny that you have answered below.

> Consider the case where you have customer A and ex-customer B, and you still
> have ex-customer B zones loaded in your master dns servers. The rest of the
> world properly sees the (new) zone content for ex-customer B. But when your
> existing customer A tries to send mail to ex-customer B, it may go to the
> wrong place or bounce. And that will only happen for your *other* customers.
> B thinks everything is ok, since they can receive mail from gmail, etc.

both customer A and ex-customer B will complain because mail doesn't work.

> Happened multiple times. To properly serve your customers like A, you need to
> purge B's zones soon after they move, whether they notify you or not.

that's the whole problem - we have to watch and notify.

> Separating authoritative and recursive DNS works much better.

we can put different measures on protecting each of those.

Re: getting not authoritative with some notifies - Solved
> On 2016-07-29 08:21, Matus UHLAR - fantomas wrote:
>> On 28.07.16 12:13, Paul A wrote:
>>> Now what is everyone using to make sure the zones in named.conf are still
>>> pointing to your NS servers? I have a lot of stale DNS zones I want to
>>> remove.
>>
>> separate authoritative and recursive servers.
>> bill for having zones in DNS.
>> or simply wait till customers complain and tell them they should tell you
>> when they migrated their zones off.

On 30.07.16 12:36, Dave Warren wrote:
> At what point will a customer complain when they switch authoritative
> servers if the old ones are still online,

I haven't said that the non-auth servers have to keep old zones.

> whether serving current data, out of date data

this is what TTL is for. the same behaviour applies to zones on all other
servers.

> or the zone eventually expires?

that can't happen on master servers.

Re: getting not authoritative with some notifies - Solved
On 28.07.16 12:13, Paul A wrote:
> Now what is everyone using to make sure the zones in named.conf are still
> pointing to your NS servers? I have a lot of stale DNS zones I want to
> remove.

separate authoritative and recursive servers.
bill for having zones in DNS.
or simply wait till customers complain and tell them they should tell you when
they migrated their zones off.

Re: outgoing-traffic
> On 27 July 2016 at 15:10, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> however, if no responses will come from his server, it's more likely that
>> the queries will stop.

On 27.07.16 15:19, S Carr wrote:
> If you look at the capture there doesn't appear to be any responses being
> sent for the ANY queries to start with, yet the queries keep coming.

you seem to be the only one who got the capture (in a private mail).
(and no, I'm not interested in seeing it anymore, I trust you).

Re: outgoing-traffic
> On 27 July 2016 at 14:44, Ejaz <me...@cyberia.net.sa> wrote:
>> Such as, if someone is sending ANY request, by default it should be denied
>> when users request it..

On 27.07.16 14:57, S Carr wrote:
> Denying the request isn't going to solve anything in this case, they are
> still going to repeatedly ask for it and the traffic has already hit your
> system before ANY queries would be denied.

however, if no responses will come from his server, it's more likely that the
queries will stop.

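Whether or not the server answers them, the repeated ANY queries S Carr describes show up in the query log, and that is where a defender can identify which sources to rate-limit or filter upstream. Added example, not from the thread: it parses constructed lines in the shape of named's query log ("client <ip>#<port> (<qname>): query: <qname> <class> <type> <flags>") and reports clients whose ANY-query count inside a sliding window exceeds a threshold; the threshold and window are assumptions.

```python
"""Find clients that repeatedly send ANY queries, from BIND query-log lines.
Added example; the log lines are constructed in the shape named's query log
uses, and the threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[^\s#]+)#\d+ \([^)]*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")

# Constructed sample: 203.0.113.9 hammers ANY for the apex, 198.51.100.7 is normal.
SAMPLE_LOG = """\
27-Jul-2016 15:10:01.101 queries: info: client 203.0.113.9#4444 (example.net): query: example.net IN ANY +E (192.0.2.53)
27-Jul-2016 15:10:01.233 queries: info: client 203.0.113.9#4444 (example.net): query: example.net IN ANY +E (192.0.2.53)
27-Jul-2016 15:10:01.480 queries: info: client 198.51.100.7#53211 (www.example.net): query: www.example.net IN A + (192.0.2.53)
27-Jul-2016 15:10:02.002 queries: info: client 203.0.113.9#4444 (example.net): query: example.net IN ANY +E (192.0.2.53)
27-Jul-2016 15:10:02.510 queries: info: client 203.0.113.9#4444 (example.net): query: example.net IN ANY +E (192.0.2.53)
27-Jul-2016 15:10:03.000 queries: info: client 198.51.100.7#53211 (example.net): query: example.net IN ANY + (192.0.2.53)
27-Jul-2016 15:10:03.750 queries: info: client 203.0.113.9#4444 (example.net): query: example.net IN ANY +E (192.0.2.53)
"""


def parse_queries(log: str) -> List[Tuple[datetime, str, str, str]]:
    """(timestamp, client ip, qname, qtype) for every query line that parses."""
    out = []
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            out.append((ts, m["ip"], m["qname"].lower(), m["qtype"].upper()))
    return out


def any_query_offenders(log: str, threshold: int = 3, window_seconds: float = 5.0) -> Dict[str, int]:
    """Clients whose ANY-query count inside some sliding window exceeds the
    threshold, mapped to the peak count seen."""
    per_client: Dict[str, List[datetime]] = defaultdict(list)
    for ts, ip, _qname, qtype in parse_queries(log):
        if qtype == "ANY":
            per_client[ip].append(ts)
    offenders: Dict[str, int] = {}
    for ip, times in per_client.items():
        times.sort()
        start = peak = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders


if __name__ == "__main__":
    for ip, count in any_query_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} ANY queries within a 5s window")
```

The single ANY from 198.51.100.7 stays below the threshold, so an occasional diagnostic query is not flagged; the output for the repeating source is what you would hand to a firewall rule or to BIND's rate-limit configuration, since, as S Carr notes, refusing the query in named.conf does not stop the packets from arriving.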
Re: Overriding TTL per resource-record on slave
On 26.07.16 00:27, blrmaani wrote:
> Sorry for not being clear. Our DNS server scrapes entries from a database and
> creates DNS zone entries. Our DNS server is configured as a DNS master i.e
> type=master in BIND config for this zone. The database is the source of
> truth for DNS hosts which are in multiple locations and we do not want to
> modify per resource-record TTL value in the database since it impacts all
> locations. Our DNS server needs to be customized such that TTL values for a
> few 'special' records need to be customized.
>
> How do I modify per resource-record TTL on our DNS master?

since all resource records have their own TTL, you can simply give those you
want a lower TTL than the others.

Re: Overriding TTL per resource-record on slave
On 25.07.16 22:44, blrmaani wrote:
> We slave a zone and would like to override default TTL for bunch of
> resource-records. What is the right way to do it?

there's no "default TTL" on resource records, there's only TTL on resource
records, and the "default TTL" on the master server, which uses it for any
resource without an explicitly configured TTL.

> For example, here are few records for which we have to customize TTLs:
>
> host1.zone1.com.: default_ttl = 300 preferred_ttl = 3600
> host2.zone1.com: default_ttl = 300 preferred_ttl = 86400

this does not make sense.

> My Idea is to run a dynamic update (nsupdate) wrapper script to update TTL
> entries for desired resource-records on our slave. Is there a better way to
> achieve this?

your slave will only forward the update to the master.

Your description does not make sense, what exactly do you want to achieve?

Re: Questions on how to setup Reverse DNS in bind 9
On 20.07.16 21:40, Spork Schivago wrote:
> I don't remember the tools, but I know that the way cPanel handles stuff with
> Apache, it broke my website for me. Using the cPanel / WHM interface, I could
> tell Apache to listen on one IP or the other, not both, unfortunately. Some
> people (my wife's cell for instance) could make it to my site, but on her
> laptop, I could not. I believe this is because I redirect everything to port
> 443 and the SSL certs were setup for the first IP, not the second.

huh? SSL certs should be created with the required hostname, e.g.
franklin.jetbbs.com in CommonName - not the IPs.

you just need to transfer both public and private keys to the other server...
just watch out that you don't make the private key available to others.

> I believe when I assigned the second IP address to the A record jetbbs.com,
> sometimes I'd go to the first IP and Apache would pick it up, other times,
> I'd go to the second IP and Apache wouldn't know how to handle it. Maybe it
> was because the SSL certs were created when I only had the one IP, I don't
> know. But it really messed things up and I had to remove the second IP again.
> I think if I manually edited the httpd.conf file and regenerated the SSL
> certs, things might have started working.

this is your problem. don't generate ssl keys when adding IPs.

Re: Questions on how to setup Reverse DNS in bind 9
On 19.07.16 19:28, Spork Schivago wrote:
> I got the A records set back up again. Here's the important stuff I think. Does it look right?

yes, although you may safely skip the localhost, and you may skip ".jetbbs.com." or simply replace "jetbbs.com." by "@" (if cPanel supports that - it should), e.g.

  jetbbs.com. 86400 IN NS ns1.jetbbs.com.
  @ 86400 IN NS ns1

> For the reverse DNS pointer records, I think when I contact GoDaddy, I'm going to ask if they can set up a PTR record so 104.238.117.105 points to franklin.jetbbs.com and 132.148.11.44 points to franklin.jetbbs.com as well. I think that'll help with mail filtering and stuff.

that will help your mail in getting delivered in the first place ;-)

> On Tue, Jul 19, 2016 at 5:45 PM, Spork Schivago <sporkschiv...@gmail.com> wrote:
>> I had removed the A record after it didn't work. I was speaking in past tense there. One of the DNS checking tools I was using went nuts complaining about something not being right so I undid my changes. I'll recreate it.

I'd like to see which tool and what the complaints were. some tools are good, some insist on useless things and some miss important things...

>> The idea behind having two IP addresses and setting up the DNS servers was because I wanted to eventually set up some redundancy and play around with running a server out of my house. I'll create the second A record for jetbbs.com again but when we get into the new house, I'll change it so the IP address for the second A record points to my server at the house. That way, if one server goes down, people can still connect. It'd be a great opportunity to learn this stuff a bit more I think.

good idea.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: Questions on how to setup Reverse DNS in bind 9
On 18.07.16 19:44, Spork Schivago wrote:
> At this time franklin.jetbbs.com ONLY RESOLVES TO 104.238.117.105
>
> The way I wanted it was 104.238.117.105 AND 132.148.11.44 to point to jetbbs.com but I think I set up the DNS record wrong. I just added another A record for jetbbs.com and added the IP address 132.148.11.44 to it. This part wasn't for the reverse DNS. I got two IP addresses I'm using.

jetbbs.com IS NOT franklin.jetbbs.com

> I got an A name for franklin, and that's the 104.238.117.105. Should I have added another A name for franklin as well to set up the round robin stuff? You know, when someone connects to JetBBS.com, the first time they connect, it takes them to 104.238.117.105. The next time they connect, it takes them to 132.148.11.44.

you don't have to set up "round robin" and you can't decide who connects to which IP. If you set up two IP addresses for one DNS name, random servers will connect to random addresses at random times.

> Is this why whenever I pinged jetbbs.com, I only got a reply from 132.148.11.44 and not from 104.238.117.105 you think?

that is because jetbbs.com only contains 104.238.117.105 now...

> Because I didn't set up another A name for franklin? Thanks and sorry for all the questions. I know these probably aren't really bind related questions anymore. Thanks!

once more: jetbbs.com IS NOT franklin.jetbbs.com !

FYI currently they both only contain 104.238.117.105

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
Re: Query on the Order in which RR are answered by Bind of Order/preference are Same
On 18.07.16 13:59, Harshith Mulky wrote:
> I had a query on how the following Records are ordered, depending on how the Records are configured in the Zone file. I have done 2 different Tests.
>
> I have configured the following records in the Zone file e164enum.net with TTL value 0
>
> 2.7.5.2.7.9.2.5.3.1.8.e164enum.net. IN NAPTR 100 10 "u" "E2U+sip" "!^.*$!sip:7895673...@atlanta.com;user=phone!" .
> 2.7.5.2.7.9.2.5.3.1.8.e164enum.net. IN NAPTR 100 10 "u" "E2U+sip" "!^.*$!sip:7895673...@atlanta.com;user=phone!" .
>
> Since I did not want the Answers to be toggled in each subsequent dig, and I wanted the Answers to be in the same Order they were configured in the Zone file (since the Order and Preference of both these records were the same), I enabled this line in the options section of named.conf
>
> rrset-order {order fixed;};
>
> and restarted named. I ran the dig query again. This time, the Answers did not toggle, but I found that the second configured RR was always being Answered first
>
> sip:7895673...@atlanta.com
>
> Why is Bind answering the Second RR first and not my original First RR as the 1st Answer?

the order provided applies only to your bind instance - any other nameserver can change the order.

why don't you use a higher order if you want to have them in order?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
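An added example (not BIND code and not the poster's zone) of what the reply is getting at: an ENUM client picks NAPTR records by (order, preference), and when both are equal RFC 3403 leaves the choice to the client, so rrset-order on one server cannot decide which of two identical-priority records "wins" once a resolver has re-sorted them. The NAPTR RDATA below is constructed (the thread's own SIP addresses are elided in the archive); the E.164 number is the one the thread's owner name encodes. The code parses presentation-format NAPTR RDATA, ranks it, and applies the regexp field the way an ENUM client does:

```python
"""ENUM/NAPTR selection the way a client does it (RFC 3403 / RFC 6116).

Added example, not BIND code and not the original poster's zone. The NAPTR
records are constructed. Records are chosen by (order, preference); with a
tie, the choice is the client's, so only distinct order/preference values
give a deterministic result.
"""
import re

NAPTR_RECORDS = [  # constructed RDATA in presentation format
    '200 10 "u" "E2U+email" "!^.*$!mailto:info@example.com!" .',
    '100 10 "u" "E2U+sip" "!^.*$!sip:7895673210@atlanta.example.com;user=phone!" .',
    '100 20 "u" "E2U+sip" "!^\\+81(.*)$!sip:0\\1@example.com!" .',
]

NAPTR_RE = re.compile(
    r'^(\d+)\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"((?:[^"\\]|\\.)*)"\s+(\S+)$')


def e164_to_domain(number, suffix="e164.arpa"):
    """+81352972572 with suffix e164enum.net -> 2.7.5.2.7.9.2.5.3.1.8.e164enum.net."""
    digits = re.sub(r"[^0-9]", "", number)
    return ".".join(reversed(digits)) + "." + suffix.rstrip(".") + "."


def parse_naptr(rdata):
    """Split 'order pref "flags" "service" "regexp" replacement' into a dict."""
    m = NAPTR_RE.match(rdata.strip())
    if not m:
        raise ValueError("not NAPTR presentation format: " + rdata)
    order, pref, flags, service, regexp, replacement = m.groups()
    return {"order": int(order), "preference": int(pref), "flags": flags,
            "service": service, "regexp": regexp, "replacement": replacement}


def apply_naptr_regexp(regexp, subject):
    """Apply a NAPTR regexp field ('!pattern!replacement!flags') to subject.

    Python's re stands in for the POSIX ERE the RFC specifies; \\1..\\9 in the
    replacement are rewritten to Python back-references. Returns None on no match.
    """
    delim = regexp[0]
    pattern, replacement, flags = (regexp[1:].split(delim) + [""])[:3]
    replacement = re.sub(r"\\(\d)", r"\\g<\1>", replacement)
    m = re.match(pattern, subject, re.IGNORECASE if "i" in flags else 0)
    return m.expand(replacement) if m else None


def resolve_enum(number, records, service="E2U+sip"):
    """Return the URI from the best terminal ("u") NAPTR for `service`, or None.

    sorted() is stable, so records tied on (order, preference) keep the order
    given here; a real client sees whatever order its resolver handed it,
    which is exactly the ambiguity the thread ran into.
    """
    ranked = sorted((parse_naptr(r) for r in records),
                    key=lambda n: (n["order"], n["preference"]))
    for n in ranked:
        if n["service"].lower() == service.lower() and "u" in n["flags"].lower():
            uri = apply_naptr_regexp(n["regexp"], number)
            if uri:
                return uri
    return None


if __name__ == "__main__":
    num = "+81352972572"   # the number behind the thread's owner name, reversed
    print(e164_to_domain(num, "e164enum.net"))
    print(resolve_enum(num, NAPTR_RECORDS))
    print(resolve_enum(num, NAPTR_RECORDS, service="E2U+email"))
```

With distinct (order, preference) pairs the (100, 10) record is chosen regardless of the order the RRset arrived in; drop it and the (100, 20) fallback takes over, which is the deterministic behaviour the reply suggests instead of rrset-order.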
Re: Resolving issue on specific domain
>> On 15.07.16 14:05, Daniel Dawalibi wrote:
>>> Dig domainname -> Server failed
>
> On Jul 15, 2016, at 8:48 AM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> please show us the output of it. when 127.0.0.1 is first in /etc/resolv.conf, dig should contact localhost first, and the result should be the same as dig @localhost domainname.

On 15.07.16 09:56, Chris Buxton wrote:
> You should not rely on the order of entries in resolv.conf. Servers will not always be queried in the listed order. This is implementation-specific.

got more info? looks like some implementations don't support the preferred/fallback mechanism.

> If you have two servers that will answer differently to the same query, then you shouldn't have those two servers in resolv.conf. Aim for a consistent (and consistently useful) result.

yes, why have a fallback when you may not have it...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
Re: Resolving issue on specific domain
On 15.07.16 14:05, Daniel Dawalibi wrote:
> Dig domainname -> Server failed

please show us the output of it. when 127.0.0.1 is first in /etc/resolv.conf, dig should contact localhost first, and the result should be the same as dig @localhost domainname.

> Dig domainname ServerIP -> Server failed
> Dig domainame localhost -> Resolving properly

and, please remove the parts that are not important, don't send useless crap to the mailing list.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
How does cat play with mouse? cat /dev/mouse
Re: Resolving issue on specific domain
On 15.07.16 12:05, Daniel Dawalibi wrote:
> To: 'Matus UHLAR - fantomas' <uh...@fantomas.sk>, bind-users@lists.isc.org

please avoid personal replies. use list-reply whenever possible.

> I already did it as per the output of resolv.conf below but the problem persists.

do you want to say that even if you run "dig domainname" without @localhost, dig sends the query to 194.126.10.18?

> /etc/resolv.conf
> # Generated by NetworkManager
> nameserver 127.0.0.1
> nameserver 194.126.10.18
>
> -----Original Message-----
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas
> Sent: 15 July, 2016 11:58 AM
> To: bind-users@lists.isc.org
> Subject: Re: Resolving issue on specific domain
>
> On 12.07.16 17:13, Daniel Dawalibi wrote:
>> We are facing a weird issue while resolving a specific domain name from our authoritative DNS server running on BIND 9.10.4-P1. Server has only one public IP address. If you try to resolve the domain using either dig or nslookup you will not get any result whereas if you specify @localhost you will get the answer
>> [...]
>> #dig @localhost soa domainname
>> [...]
>> #dig soa domainname
>> ;; SERVER: 194.126.10.18#53(194.126.10.18)
>
> as you can see, in the latter example it's not the localhost (127.0.0.1) but 194.126.10.18 that gives you the answer. That means 194.126.10.18 does not know the "domainname"
>
> you must add localhost to resolv.conf as the first nameserver to get answers from it by default.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: Sending extra info in bind dns query packet
On 14.07.16 11:19, Sachin Patil wrote:
> I am just looking into bind and want to send extra information while querying the dns bind server. This information will be used at the bind server side to return the resolved ip.

Do you mean something like the proposed "edns client subnet" that may return a different server IP address based on the client's IP? I'm afraid it's not supported by BIND yet.

> I have control of the dns query and bind server, I mean I can modify the source code of both. Can I use the additional section of the dns protocol to send my extra information in the dns query packet? Is there another way I can send this extra info through the bind dns query packet?

it's highly dependent on what exactly you want to achieve.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton
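The standardised way to carry extra per-query information "in the additional section", which the reply points at with EDNS client subnet, is an EDNS option inside the OPT pseudo-RR (RFC 6891), and the client-subnet option itself is specified in RFC 7871. The following is an added example, not BIND code and not the poster's, that encodes and decodes that option and wraps it in an OPT RR; the client addresses are constructed. Note the privacy property the encoding enforces: only ceil(prefix/8) address bytes are sent and bits beyond the prefix must be zero, so a query never carries the full client address, and a server is expected to reject options that violate that.

```python
"""EDNS Client Subnet option (RFC 7871) inside an OPT pseudo-RR (RFC 6891).

Added example, not BIND code and not the poster's. The addresses below are
constructed for the example.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8            # IANA EDNS option code for CLIENT-SUBNET
OPT_TYPE = 41
FAMILY = {4: 1, 6: 2}          # IANA address family numbers


def encode_ecs(address, source_prefix, scope_prefix=0):
    """Build OPTION-CODE | OPTION-LENGTH | FAMILY | SOURCE | SCOPE | ADDRESS.

    Only ceil(prefix/8) address bytes are included, taken from the network
    address so every bit beyond the prefix is zero.
    """
    net = ipaddress.ip_network(f"{address}/{source_prefix}", strict=False)
    payload = struct.pack("!HBB", FAMILY[net.version], source_prefix, scope_prefix)
    payload += net.network_address.packed[: (source_prefix + 7) // 8]
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def decode_ecs(option):
    """Parse one ECS option, rejecting the malformed cases RFC 7871 tells a
    server to answer with FORMERR. Returns (ip_network, scope_prefix)."""
    if len(option) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("bad option code or length")
    family, source, scope = struct.unpack("!HBB", option[4:8])
    if family not in (1, 2):
        raise ValueError("unknown address family")
    full_len, nbytes = (4 if family == 1 else 16), (source + 7) // 8
    if source > full_len * 8 or len(option) != 8 + nbytes:
        raise ValueError("address length does not match prefix length")
    addr = ipaddress.ip_address(option[8:] + b"\x00" * (full_len - nbytes))
    try:   # strict=True refuses an address with host bits set beyond the prefix
        return ipaddress.ip_network(f"{addr}/{source}", strict=True), scope
    except ValueError:
        raise ValueError("non-zero bits beyond SOURCE PREFIX-LENGTH") from None


def opt_rr(options, udp_payload_size=1232):
    """Wrap EDNS options in an OPT RR for the additional section: NAME=root,
    TYPE=41, CLASS=UDP payload size, TTL=extended RCODE/version/flags (zero
    here), RDLENGTH, RDATA=concatenated options."""
    rdata = b"".join(options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, len(rdata)) + rdata


if __name__ == "__main__":
    ecs = encode_ecs("198.51.100.77", 24)      # constructed client address
    print(ecs.hex(), decode_ecs(ecs))
    print(opt_rr([ecs]).hex())
```

For 198.51.100.77/24 the option on the wire is `0008 0007 0001 18 00 c63364`: code 8, length 7, family 1, source prefix 24, scope 0 and the three bytes of 198.51.100; the last octet of the client address is never transmitted.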
Re: Resolving issue on specific domain
On 12.07.16 17:13, Daniel Dawalibi wrote:
> We are facing a weird issue while resolving a specific domain name from our authoritative DNS server running on BIND 9.10.4-P1. Server has only one public IP address. If you try to resolve the domain using either dig or nslookup you will not get any result whereas if you specify @localhost you will get the answer
> [...]
> #dig @localhost soa domainname
> [...]
> #dig soa domainname
> ;; SERVER: 194.126.10.18#53(194.126.10.18)

as you can see, in the latter example it's not the localhost (127.0.0.1) but 194.126.10.18 that gives you the answer. That means 194.126.10.18 does not know the "domainname"

you must add localhost to resolv.conf as the first nameserver to get answers from it by default.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Emacs is a complicated operating system without good text editor.
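The rule this thread converges on is that every nameserver listed in resolv.conf must give the same answer, because the stub resolver, not you, decides which one gets asked. An added example (not BIND code, not the poster's) that turns that into a check: parse resolv.conf the way the stub resolver reads it, query each listed server and group the servers by the answer they return. The resolv.conf text is the one quoted in the thread; the query results are constructed so the script runs offline, and the dig-based `dig_query` is the live version that replaces `fake_query` in real use.

```python
"""Check that every resolver in resolv.conf gives the same answer.

Added example (not BIND code, not the poster's). The resolv.conf text is
the thread's; the answers in FAKE_ANSWERS are constructed. dig_query() is
the live version and is not run in the sample.
"""
import re
import subprocess

RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 127.0.0.1
nameserver 194.126.10.18
"""

FAKE_ANSWERS = {  # constructed: localhost is authoritative, the fallback is not
    "127.0.0.1": ("NOERROR", frozenset(
        {"ns1.example.com. hostmaster.example.com. 2016071501 3600 900 1209600 300"})),
    "194.126.10.18": ("SERVFAIL", frozenset()),
}


def parse_resolv_conf(text, max_servers=3):
    """Nameservers in the order the stub resolver tries them (glibc uses at most 3)."""
    servers = []
    for line in text.splitlines():
        fields = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers[:max_servers]


def fake_query(server, qname, qtype="SOA"):
    """Offline stand-in for dig_query with the same return shape."""
    return FAKE_ANSWERS.get(server, ("NO-RESPONSE", frozenset()))


def dig_query(server, qname, qtype="SOA"):
    """Live lookup via dig: (status, frozenset of answer RDATA)."""
    out = subprocess.run(["dig", "+noall", "+comments", "+answer",
                          "@" + server, qname, qtype],
                         capture_output=True, text=True, timeout=10).stdout
    m = re.search(r"status: (\w+)", out)
    status = m.group(1) if m else "NO-RESPONSE"
    rdata = frozenset(line.split(None, 4)[4] for line in out.splitlines()
                      if line and not line.startswith(";")
                      and len(line.split(None, 4)) == 5)
    return status, rdata


def compare_answers(servers, query, qname, qtype="SOA"):
    """Group servers by the (status, rdata) they return. More than one group
    means the list is inconsistent: the result of a plain lookup then depends
    on which server the stub resolver happens to pick."""
    groups = {}
    for server in servers:
        groups.setdefault(query(server, qname, qtype), []).append(server)
    return groups


def consistent(servers, query, qname, qtype="SOA"):
    return len(compare_answers(servers, query, qname, qtype)) == 1


if __name__ == "__main__":
    servers = parse_resolv_conf(RESOLV_CONF)
    for (status, _), who in compare_answers(servers, fake_query, "example.com").items():
        print(status, who)
    print("consistent:", consistent(servers, fake_query, "example.com"))
```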
Re: Unable to understand why a different A record response being sent by bind
On 20.06.16 13:05, Harshith Mulky wrote:
> I have the following Records in my Zone file
>
> denver1.test10.com. IN A 10.54.80.17

test10.com clearly does not belong here...

> denver2.test1.com. IN A 10.54.80.150
> IN A 10.54.80.35
>
> When I am doing a dig for the record denver2.test1.com. for A
>
> ;; ANSWER SECTION:
> denver2.test1.com. 600 IN A 10.54.80.150
> denver2.test1.com. 600 IN A 10.54.80.35
>
> 1. I am not able to understand why this answer is being Received
>
> denver2.test1.com. 600 IN A 10.54.80.35
>
> as I have not configured any owner-name for the record type

that's it, if you don't specify the owner name, the last one will apply

> 2. If there is no owner-name specified in the DNS Records, what owner-name does the record actually pick?

the one previously used, so you can define multiple RRs for the same owner name without repeating it. It's the same as:

  @ IN SOA atlanta.test1.com. admin.test1.com. (
            2003022720 ; Serial
            56800      ; Refresh
            14400      ; Retry
            360        ; Expire
            2h )       ; Minimum
    IN NS atlanta.test1.com.

the first owner name "@" (this means the one specified in bind config) is also used for the NS record for the current zone.

btw you should use example.com instead of test1.com for examples...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I drive way too fast to worry about cholesterol.
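The three master-file rules that come up in this thread and in the two earlier ones (the "@" shorthand and the server-side default TTL) are the RFC 1035 ones: a line that starts with whitespace has no owner and inherits the previous owner, "@" stands for the current origin, a name without a trailing dot gets the origin appended, and a record without a TTL takes the last $TTL. The following is an added example, not BIND's parser and not the poster's zone, that implements exactly those rules on a constructed example.com zone so you can see which owner each record ends up with before you load it; TXT records with ';' inside quotes would need a smarter comment stripper than this one.

```python
"""Master-file owner-name and TTL inheritance (RFC 1035 rules).

Added example: not BIND's parser, not the poster's zone. SAMPLE_ZONE is
constructed. Parentheses let the SOA span lines, as in the reply.
"""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)
CLASSES = {"IN", "CH", "HS"}
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}

SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 600
@   IN SOA atlanta admin.example.com. (
        2003022720 ; Serial
        56800      ; Refresh
        14400      ; Retry
        360        ; Expire
        2h )       ; Minimum
    IN NS atlanta
denver2     IN A 10.54.80.150
            IN A 10.54.80.35
denver1.example.com. 3600 IN A 10.54.80.17
"""


def parse_ttl(tok):
    unit = tok[-1].lower()
    return int(tok[:-1]) * UNITS[unit] if unit in UNITS else int(tok)


def fqdn(name, origin):
    """'@' -> origin; a relative name gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Strip ';' comments and join '( ... )' continuations into one line,
    keeping the first line's leading whitespace (it carries the owner info)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text, origin):
    """Return [(owner, ttl, class, type, [rdata tokens]), ...] with every
    owner absolute, i.e. the names the server will actually answer for."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, owner, records = None, None, []
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = fqdn(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if line[0].isspace():                 # blank owner field: inherit
            if owner is None:
                raise ValueError("no previous owner to inherit: " + line.strip())
        else:
            owner = fqdn(tokens.pop(0), origin)
        ttl, rrclass = default_ttl, "IN"     # TTL and class are optional, any order
        while tokens and (TTL_RE.match(tokens[0]) or tokens[0].upper() in CLASSES):
            tok = tokens.pop(0)
            if tok.upper() in CLASSES:
                rrclass = tok.upper()
            else:
                ttl = parse_ttl(tok)
        if not tokens:
            raise ValueError("missing record type: " + line.strip())
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if ttl is None:
            raise ValueError(f"{owner} {rtype}: no TTL and no $TTL before it")
        for i in NAME_FIELDS.get(rtype, []):   # names in RDATA are relative too
            rdata[i] = fqdn(rdata[i], origin)
        records.append((owner, ttl, rrclass, rtype, rdata))
    return records


if __name__ == "__main__":
    for owner, ttl, rrclass, rtype, rdata in parse_zone(SAMPLE_ZONE, "example.com"):
        print(owner, ttl, rrclass, rtype, " ".join(rdata))
```

Run on the sample, the indented `IN A 10.54.80.35` line comes out owned by denver2.example.com. with TTL 600 from $TTL, the indented NS line is owned by the zone apex that "@" set two lines earlier, and denver1's explicit 3600 overrides the default; a zone that starts with an indented record has no owner to inherit and is rejected, which is the error BIND would also give you.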
Re: Append a Hard-coded Text Tuple into Additional Section of "dig" Feature
On 15.06.16 18:43, Jun Xiang X Tee wrote:
> When I query for "google.com", the additional section returned is:
>
> ;; ADDITIONAL SECTION:
> ns1.google.com. 200487 IN A 216.239.32.10
> ns2.google.com. 197774 IN A 216.239.34.10
> ns3.google.com. 246981 IN A 216.239.36.10
> ns4.google.com. 193728 IN A 216.239.38.10
>
> I wish to append a hard-coded text tuple to the end of the section. An example after the change is:
>
> ;; ADDITIONAL SECTION:
> [deleted]
> google.com 123456 IN TXT "some information that I want to include"

1. there's no point in adding TXT rrs to the additional section, they do not belong there
2. why at all do you want to put them there?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Nothing is fool-proof to a talented fool.
Re: Ability to limit memory usage for zones on an authoritative server.
On 02.06.16 21:28, MURTARI, JOHN wrote:
> We'd like to limit RAM usage by BIND (9.9.8/RHEL) on some authoritative test servers. A load of configured zones would require over 10 Gig of RAM, but the boxes only have 4 Gig. We actually query only a few zones for testing (response time is not an issue) and didn't want to do the work of changing some standard zone lists and data we use.

what kind of zones are they? why do you load them if you don't want to use them?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: Strange intermittent resolution
On 27.05.16 12:39, Ronald F. Guilmette wrote:
> Over the past week or more, I have occasionally tried to drop in and read the forum discussions on this one particular site:
>
> www.amlinuxmedia.com

what do dns checkers say for that one?

http://www.intodns.com/amlinuxmedia.com
http://dnscheck.pingdom.com/?domain=www.amlinuxmedia.com
http://mxtoolbox.com/SuperTool.aspx?action=dns%3awww.amlinuxmedia.com=toolpage

most of them report delegation errors. dig +trace shows the error:

amlinuxmedia.com. 172800 IN NS ns1.hothostinginc.com.
amlinuxmedia.com. 172800 IN NS ns2.hothostinginc.com.
;; Received 120 bytes from 192.35.51.30#53(192.35.51.30) in 323 ms

www.amlinuxmedia.com. 14400 IN CNAME amlinuxmedia.com.
amlinuxmedia.com. 14400 IN A 192.99.104.150
amlinuxmedia.com. 86400 IN NS ns1.host-for.com.
amlinuxmedia.com. 86400 IN NS ns2.host-for.com.

got it?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
Re: resolution problem
>>> In article <mailman.812.1463666011.73610.bind-us...@lists.isc.org>, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>>>> often a problem of invalid NS delegation, or bad TTL (A record for a server expires before NS record).
>>
>> On 19.05.16 15:31, Sam Wilson wrote:
>>> Glue A records for the nameservers have 172800 TTL, authoritative A records have 1200.
>>
>> that's it!
>>
>> ;; ANSWER SECTION:
>> colostate.edu. 3600 IN NS dns3.colostate.edu.
>> colostate.edu. 3600 IN NS dns1.colostate.edu.
>>
>> ;; ADDITIONAL SECTION:
>> dns3.colostate.edu. 1200 IN A 129.82.103.111
>> dns1.colostate.edu. 1200 IN A 129.82.103.121
>>
>> after 1200 seconds, the A records expire, but the NS records don't. For the next 2400 seconds you know that you have to ask dns3.colostate.edu and dns1.colostate.edu, but you can't find their IPs, because ... you don't know their IPs.
>>
>> while some DNS servers can cope with that, it's still a broken setup.

On 24.05.16 11:14, Thomas Schulz wrote:
> Our server here running BIND 9.10.3-P4 seems to handle it OK. Do some versions of Bind work with this broken setup while other versions do not? I wonder what versions of Bind are running on the two servers that do work and what versions on the two that do not.

I can't tell you under what circumstances it works and when it doesn't. I can only repeat that this setup is broken and why.

There's no point in complaining before it's fixed, it's just ranting: "I have a broken setup and it doesn't work on some servers..."

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
Re: Forward zone not working
On 20.05.16 21:09, Woodworth, John R wrote:
> This is exactly what some colleagues and I are working to get a handle on. We see this as becoming a larger and larger issue especially as IPv6 adoption increases. We have had several customers already request generics at /96 and larger blocks as they are accustomed to doing with IPv4.
>
> From a sheer marketing perspective $GENERATEs with PTRs "brand" the IPs to a network and a few other ISPs already have hacks in place to provide similar functionality so why drive away potential customers? Just because something seems silly? Why not go and give your money to the provider that doesn't think your business is silly.

$GENERATE is a master-only (and apparently even BIND-only) thing. it is not something that is transferred to the slaves - it generates records and those records are transferred to slaves.

$GENERATE for a /64 network would create 2^64 = 18,446,744,073,709,551,616 records; needing ~30 bytes for each you would need about 590295810358705651712 bytes of RAM, which is 590 295 810 358 705 651 712, which is 590 exabytes. I doubt all computers on the earth have this much memory.

you would need to create a whole new DNS protocol just to provide generic DNS records for each leaf (home) network...

yes, we need something new for IPv6. But not for creating bulks of useless generic records.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Nothing is fool-proof to a talented fool.
Re: Forward zone not working
2016-05-20 23:09 GMT+02:00 Woodworth, John R <john.woodwo...@centurylink.com>:
>> The below referenced I-D for "BULK" records:
>>
>> * Provides "generics" which are automatically generated based on a set of rules.
>> * The records have similar features as wildcards where they may be superimposed and appear only where more specific records do not already exist.
>> * There are provisions for DNSSEC support of BULK generated records.
>> * Can be done at any place in the DNS tree and overridden throughout the tree.
>> * Can be easily AXFRed between servers.
>> * Have immeasurably lower memory footprint compared with $GENERATEs (esp. IPv6).

On 21.05.16 03:10, MegaBrutal wrote:
> I wanted to comment earlier that I really like the idea of BULK records, and the invention of it seems logical. I think it fits well into the evolution of the DNS protocol, it seems to be an answer to a need not seen before. I hope it will be supported by BIND in the future. It would be really insane to generate & store PTR records the traditional way when we talk about typical sizes of IPv6 ranges.

what would you do if someone started using his home /64 network to ping your servers? your DNS server would run out of memory a very short time after.

> As for the usefulness of PTR records for dynamic pools, I think proper, forward-confirmed PTR records tell valuable information about the user of the network. While normally this information is available in WHOIS, it is not so easy and straightforward to retrieve, and it is not always accurate. More often than not, WHOIS records only lead back to the ISP when actually you want to know the user of the network. In case of small businesses and home users, WHOIS does not reflect the actual user of the IP range, while a reverse PTR could give a shorthand.

I have no idea how ordinary DNS in ipv6 will look like, but I doubt it will look like this...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Despite the cost of living, have you noticed how popular it remains?
Re: resolution problem
> colostate.edu. 172800 IN NS dns1.colostate.edu.
> colostate.edu. 172800 IN NS dns3.colostate.edu.
> ;; Received 119 bytes from 192.41.162.30#53(l.edu-servers.net) in 78 ms
>
> www.cloudsat.cira.colostate.edu. 3600 IN CNAME dpc.cira.colostate.edu.
> dpc.cira.colostate.edu. 3600 IN A 129.82.109.62
> ;; Received 83 bytes from 129.82.103.121#53(dns1.colostate.edu) in 36 ms

> In article <mailman.812.1463666011.73610.bind-us...@lists.isc.org>, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> often a problem of invalid NS delegation, or bad TTL (A record for a server expires before NS record).

On 19.05.16 15:31, Sam Wilson wrote:
> Glue A records for the nameservers have 172800 TTL, authoritative A records have 1200.

that's it!

;; ANSWER SECTION:
colostate.edu. 3600 IN NS dns3.colostate.edu.
colostate.edu. 3600 IN NS dns1.colostate.edu.

;; ADDITIONAL SECTION:
dns3.colostate.edu. 1200 IN A 129.82.103.111
dns1.colostate.edu. 1200 IN A 129.82.103.121

after 1200 seconds, the A records expire, but the NS records don't. For the next 2400 seconds you know that you have to ask dns3.colostate.edu and dns1.colostate.edu, but you can't find their IPs, because ... you don't know their IPs.

while some DNS servers can cope with that, it's still a broken setup.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I feel like I'm diagonally parked in a parallel universe.
Re: resolution problem
On 18.05.16 14:10, Con Wieland wrote:
> I am having an issue resolving www.cloudsat.cira.colostate.edu from 2 of my name servers. I have 2 others with identical configs that resolve correctly. A normal lookup shows a server fail but a +trace looks ok. Any ideas how to better troubleshoot the issue?

tried web dns checkers? Some of them usually provide useful results.

> dig www.cloudsat.cira.colostate.edu @ns1.service.uci.edu
> [...]
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1057

> colostate.edu. 172800 IN NS dns1.colostate.edu.
> colostate.edu. 172800 IN NS dns3.colostate.edu.
> ;; Received 119 bytes from 192.41.162.30#53(l.edu-servers.net) in 78 ms
>
> www.cloudsat.cira.colostate.edu. 3600 IN CNAME dpc.cira.colostate.edu.
> dpc.cira.colostate.edu. 3600 IN A 129.82.109.62
> ;; Received 83 bytes from 129.82.103.121#53(dns1.colostate.edu) in 36 ms

often a problem of invalid NS delegation, or bad TTL (A record for a server expires before NS record).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
99 percent of lawyers give the rest a bad name.
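The two failure modes named in this thread and in the amlinuxmedia.com one are mechanical enough to check for: the NS set the parent delegates to differs from the NS set the child publishes, and the in-zone nameservers' address records carry a shorter TTL than the NS records that point at them, so a cache keeps the NS names for 2400 seconds during which it can no longer find their addresses. The following is an added example, not BIND code: the RR lines are the ones quoted from dig +trace in the two threads, the parsing and the checks are ours.

```python
"""Delegation and glue-TTL sanity check over dig output.

Added example, not BIND code. The RR text is copied from the dig +trace
output quoted in the bind-users threads; the parsing is ours.
"""
import re
from collections import defaultdict

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

PARENT_AML = """\
amlinuxmedia.com. 172800 IN NS ns1.hothostinginc.com.
amlinuxmedia.com. 172800 IN NS ns2.hothostinginc.com.
;; Received 120 bytes from 192.35.51.30#53(192.35.51.30) in 323 ms
"""
CHILD_AML = """\
www.amlinuxmedia.com. 14400 IN CNAME amlinuxmedia.com.
amlinuxmedia.com. 14400 IN A 192.99.104.150
amlinuxmedia.com. 86400 IN NS ns1.host-for.com.
amlinuxmedia.com. 86400 IN NS ns2.host-for.com.
"""
PARENT_CSU = """\
colostate.edu. 172800 IN NS dns1.colostate.edu.
colostate.edu. 172800 IN NS dns3.colostate.edu.
;; Received 119 bytes from 192.41.162.30#53(l.edu-servers.net) in 78 ms
"""
CHILD_CSU = """\
;; ANSWER SECTION:
colostate.edu. 3600 IN NS dns3.colostate.edu.
colostate.edu. 3600 IN NS dns1.colostate.edu.

;; ADDITIONAL SECTION:
dns3.colostate.edu. 1200 IN A 129.82.103.111
dns1.colostate.edu. 1200 IN A 129.82.103.121
"""


def parse_rrs(text):
    """(owner, ttl, type, rdata) for each RR line; dig's ';;' lines are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        m = RR_RE.match(line) if line and not line.startswith(";") else None
        if m:
            owner, ttl, rtype, rdata = m.groups()
            rrs.append((owner.lower(), int(ttl), rtype, rdata.strip().lower()))
    return rrs


def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)


def check_delegation(zone, parent_rrs, child_rrs):
    """Return a list of problem strings (empty means the delegation looks sane)."""
    zone = zone.lower().rstrip(".") + "."
    problems = []
    parent_ns = {rd for o, _, t, rd in parent_rrs if t == "NS" and o == zone}
    child_ns = {rd: ttl for o, ttl, t, rd in child_rrs if t == "NS" and o == zone}
    if parent_ns != set(child_ns):
        problems.append(f"NS set mismatch: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")
    addr_ttl = defaultdict(list)
    for o, ttl, t, _ in child_rrs:
        if t in ("A", "AAAA"):
            addr_ttl[o].append(ttl)
    for ns, ns_ttl in child_ns.items():
        if not in_bailiwick(ns, zone):
            continue                       # resolved on its own, not via glue
        if ns not in addr_ttl:
            problems.append(f"{ns}: in-zone nameserver without an address record")
        elif min(addr_ttl[ns]) < ns_ttl:
            gap = ns_ttl - min(addr_ttl[ns])
            problems.append(f"{ns}: address TTL {min(addr_ttl[ns])} < NS TTL {ns_ttl}, "
                            f"address expires {gap}s before the NS record")
    return problems


if __name__ == "__main__":
    for zone, parent, child in (("amlinuxmedia.com", PARENT_AML, CHILD_AML),
                                ("colostate.edu", PARENT_CSU, CHILD_CSU)):
        print(zone, check_delegation(zone, parse_rrs(parent), parse_rrs(child)) or ["ok"])
```

Fed the real output of `dig +trace` (parent referral as `parent_rrs`, the child's own answer with its additional section as `child_rrs`), the colostate.edu case reports both in-zone nameservers with a 2400-second window in which the NS records outlive their addresses, and the amlinuxmedia.com case reports the parent/child NS mismatch; which resolvers "cope" with either is implementation luck, as the thread says.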
Re: Logging question about message 'update-security: error: client update denied'
> In message <CANX+b1K5Z28oqVnb7=fxwgrhl5yssg0ear_fnnpyudzjcdy...@mail.gmail.com>, Josh Nielsen writes:
>> I have a message that has been showing up in my master DNS server's log over the past few weeks and I am wondering if I can find more verbose specifics from debugging messages in BIND somehow. The message looks like this:
>>
>> May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844 update-security: error: client 10.20.0.101#34148: update 'my.domain/IN' denied

On 17.05.16 07:24, Mark Andrews wrote:
> It's an UPDATE request being denied. It will be some process other than named sending the request unless you have configured named to forward updates. In the best of worlds every machine would be updating its own PTR records and keeping its own addresses in the DNS up to date.

depends on the idealness of the world, but I personally don't like allowing clients to update their DNS records, imho the DHCP server should do those changes if it assigned the client an IP address

>> Master (10.20.0.110):
>>
>> zone "my.domain" in {
>>   type master;
>>   file "db.my.domain";
>>   allow-transfer { 10.20.0.100/32; 10.20.0.101/32; };
>>   allow-update { key "xcat_key"; };
>>   notify yes;
>>   also-notify {10.20.0.100; 10.20.0.101;};
>> };

apparently the client who asks for the update does not know the "xcat_key".

...many windows machines tend to register their name in DNS (it's on by default in network settings).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
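The log line already names the thing worth knowing: which client sent an UPDATE the server refused, here because the zone's allow-update requires the xcat_key TSIG key and the sender did not present it. The next step a practitioner wants is to count those lines by client and zone and compare the clients against the hosts that are supposed to send updates (the DHCP server, in the reply's preferred design). The following is an added example, not BIND code: the first log line is the one from the thread, the rest are constructed, and the set of expected updaters is an assumption.

```python
"""Triage of named's 'update ... denied' log lines.

Added example, not BIND code. The first SAMPLE_LOG line is the thread's;
the others and the expected-updater set are constructed.
"""
import re
from collections import Counter

DENIED_RE = re.compile(
    r"named\[\d+\]: .*?update-security: error: client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: update '(?P<zone>[^']+)' denied"
)

SAMPLE_LOG = """\
May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844 update-security: error: client 10.20.0.101#34148: update 'my.domain/IN' denied
May 16 10:53:02 dns01 named[2591]: 16-May-2016 10:53:02.101 update-security: error: client 10.20.0.101#34150: update 'my.domain/IN' denied
May 16 11:04:40 dns01 named[2591]: 16-May-2016 11:04:40.519 update-security: error: client 10.20.0.57#53127: update 'my.domain/IN' denied
May 16 11:05:01 dns01 named[2591]: 16-May-2016 11:05:01.003 update-security: error: client 10.20.0.57#53128: update '20.10.in-addr.arpa/IN' denied
May 16 11:05:09 dns01 named[2591]: 16-May-2016 11:05:09.777 xfer-out: info: client 10.20.0.100#41216: transfer of 'my.domain/IN': AXFR started
"""


def denied_updates(lines):
    """Counter keyed by (client, zone) over every denied-update line."""
    counts = Counter()
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            counts[(m.group("client"), m.group("zone"))] += 1
    return counts


def triage(lines, expected_updaters):
    """Sort offenders by volume and separate the two cases that need
    different follow-up: a host that is allowed to send updates but was
    refused (wrong or missing key: fix the key) and a host that should
    never send updates at all (find out what is running on it)."""
    report = []
    for (client, zone), n in denied_updates(lines).most_common():
        verdict = "check key" if client in expected_updaters else "unexpected source"
        report.append({"client": client, "zone": zone, "count": n, "verdict": verdict})
    return report


if __name__ == "__main__":
    # Constructed assumption: 10.20.0.5 is the DHCP server that is meant to update.
    for row in triage(SAMPLE_LOG.splitlines(), expected_updaters={"10.20.0.5"}):
        print(row)
```

The regex accepts both the 9.10-era `client 10.20.0.101#34148:` form from the thread and the later `client @0x... 10.20.0.101#34148 (name):` form, so the same script works across versions; the AXFR line is left alone because it is not a denied update.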
Re: i have a question ?
> Bind in non-recursive mode doesn't work
>
> i have a question, i build a dns server (forward mode), i hope the dns server will cover forward and cache only.

On 14.04.16 23:04, johnzeng wrote:
> i know the master reason is "recursion yes" just now. but when i close recursion (recursion no), i found forwarding required recursion.

You must turn recursion on (and allow it for your IPs) to do the forwarding.

Note that in most cases it's useless to do forwarding if your bind server has connectivity and can do the lookups itself.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
On the other hand, you have different fingers.
Re: multi zone forward ?
On 01.04.16 15:59, lejeczek wrote:
> Is it possible with ISC to forward multiple zones to one (or a few) forwarders without declaring each zone separately?

only by forwarding everything, with probable exceptions

> Something like with "view" or "policy"?

if you can define a view where the clients belong and forward everything...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
LSD will make your ECS screen display 16.7 million colors
Re: about NS server authorize
On 21.03.16 15:42, supp...@cloudwebdns.com wrote:
> We have two nameservers,
>
> ns5.cloudwebdns.com
> ns6.cloudwebdns.com
>
> the primary types of domains, like com/net/org/info can be set up to be resolved by them. But some other domains, like .me ones, can't be set up in the registrar's admin panel, saying nameserver not authorized.

contact your registrar about this issue. this is not a bind problem.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: Multiple A records and reverse DNS
On 17.03.16 09:53, Thomas Schulz wrote:
> This is not a BIND question but I hope people here will know the answer. We are switching service providers and I understand that many email SPAM prevention systems insist on the reverse DNS matching the forward DNS. If I have two A records for our mail server and the reverse record matches one of them, will that be good enough. Or will the fact that the other A record does not match cause trouble.

Reverse DNS is only important for a mailserver that connects to the outside, not for receiving servers or MX records.

If the mail server connects outside, its IP address is checked by many receiving mailservers or spam filters for reverse DNS, and the resolved name has to point to that IP address.

Invalid reverse DNS is often worse than no reverse at all...

... I have met complaints noting that recipient mail servers' IP is checked, or that rDNS must point to the MX content. They were all wrong, the problem usually lay in a blacklist, invalid mailserver configuration etc...

No sane admin or software will check the reverse DNS of the mailserver they are connecting to or the MX records they send mail to. They would block out services like gmail, yahoo, aol, without any valid reason.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
The early bird may get the worm, but the second mouse gets the cheese.
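The check the reply describes is forward-confirmed reverse DNS: take the IP the mail server connects from, look up its PTR, resolve each returned name to its A/AAAA records, and require the original IP to be among them. The following is an added example, not BIND code and not the poster's setup, that implements exactly that with injectable lookups so it runs offline; the PTR and forward tables are constructed to reproduce the question (one name with two A records and a PTR matching only one of them) plus the case the reply calls worse than no reverse at all, a PTR whose name does not resolve back. `live_ptr` and `live_addrs` are the stdlib-based live versions.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for a connecting IP.

Added example, not BIND code. PTR_TABLE and ADDR_TABLE are constructed;
live_ptr/live_addrs use the system resolver and are not used in the sample run.
"""
import ipaddress
import socket

PTR_TABLE = {                     # constructed reverse zone contents
    "192.0.2.10": ["mail.example.com"],
    "192.0.2.12": ["old.example.net"],
}
ADDR_TABLE = {                    # constructed forward records
    "mail.example.com.": ["192.0.2.10", "192.0.2.11"],   # two A records, as in the question
    "old.example.net.": ["203.0.113.5"],
}


def fake_ptr(ip):
    return PTR_TABLE.get(ip, [])


def fake_addrs(name):
    return ADDR_TABLE.get(name, [])


def live_ptr(ip):
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except (socket.herror, socket.gaierror):
        return []


def live_addrs(name):
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def fcrdns(ip, ptr_lookup=fake_ptr, addr_lookup=fake_addrs):
    """Return (verdict, names): 'ok' with the names confirmed to point back at
    ip, 'no-ptr' when there is no reverse record, or 'mismatch' with the
    names that failed to resolve back to ip."""
    addr = ipaddress.ip_address(ip)
    names = [n.lower().rstrip(".") + "." for n in ptr_lookup(str(addr))]
    if not names:
        return "no-ptr", []
    confirmed = [n for n in names
                 if addr in {ipaddress.ip_address(a) for a in addr_lookup(n)}]
    return ("ok", confirmed) if confirmed else ("mismatch", names)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, fcrdns(ip))
```

On the sample, 192.0.2.10 passes even though mail.example.com. also has a second A record, which answers the question as asked: the extra A record is harmless. 192.0.2.11 has no PTR and would only matter if it were the address the server sends from, and 192.0.2.12 is the "invalid reverse" case, a PTR that resolves to a different address.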
Re: what does "max-ncache-ttl 0;" mean?
MURTARI, JOHN <jm5...@att.com> wrote:
>> So far, all the postings I've seen just echo what he already said (and
>> knows). The question is - what happens when you set it to ZERO?
>> I'm wondering myself - anyone have a real answer?

On 02.03.16 13:29, Tony Finch wrote:
> The code says zero means zero, so in effect it would disable negative
> caching.

Which means: DON'T DO THAT. Anyone searching for nonexisting DNS names (e.g.
because of a misconfiguration) could easily DoS your server.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Intermittent NXDOMAIN for a name we are forwarding
On 21.02.16 19:07, blrmaani wrote:
> The cache dump also has this entry (myname.mydomain.com is the name I am
> interested in):
>
>   myname.mydomain.com 10324 \-ANY ;-$NXDOMAIN
>
> Which probably means if anyone requests myname.mydomain.com, they will be
> handed NXDOMAIN for up to 10324 seconds from now..

Doesn't the log also contain info about where that message came from?

> Our current workaround is to restart named (which clears the cache) or we
> could do a 'rndc flush'.

"rndc flushname myname.mydomain.com" should be enough - no need to flush the
whole cache.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Intermittent NXDOMAIN for a name we are forwarding
On 19.02.16 17:08, blrmaani wrote:
> We have a DNS setup where we forward a name in one domain to 5 external
> nameservers. We see NXDOMAIN errors intermittently (once in a couple of
> weeks). How do I debug this issue?

tcpdump?

> I took a cache dump on our DNS and 2 out of 5 nameserver IPs appear in
> "Unassociated entries" when the problem happens.

Anything more visible in the cache?

The last time I encountered this error, it was a problematic Cisco DNS load
balancer, responding NXDOMAIN to PTR (and possibly other) type queries,
while standard types returned proper answers.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: has no address records (A or AAAA)
On 28.01.16 08:58, Bernard Fay wrote:
> When checking my reverse zone, I have the following error:
>
>   named-checkzone cts.org 192.168.99.zone
>   zone cts.org/IN: NS 'ns1.cts.org' has no address records (A or AAAA)
>   zone cts.org/IN: not loaded due to errors.

You are trying to check zone "cts.org" in file "192.168.99.zone", which
contains the reverse zone, not zone cts.org.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Allow-Query=any
On 07.01.16 09:56, Ejaz wrote:
> How to control from the DNS bind "Query type Any", such as: if someone
> does a lookup with query type=any, the results will display the SOA
> section, mail and name server information, which I don't want to display
> - all info.. only specific information.

So, instead of providing type "ANY", you want people to flood your server
with multiple queries, one per type?

If you have problems, response rate limiting should be a better solution.

...I received spam from a company with NS hosted at cloudflare that refuses
ANY queries. I am considering ignoring such domains.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Multiple logs
Hello,

On 26.12.15 20:30, kev wrote:
>> I am using bind9 with ubuntu 14.04. I was wondering how to log by
>> individual IP. I've googled it but didn't find what I was looking for.
>> Thanks,

On 27.12.15 18:07, Matus UHLAR - fantomas wrote:
> I'd choose logging at kernel level in the iptables firewall. ULOG and
> ulogd can log to libpcap format.

kev, just to be sure: do you want to selectively log requests only from
particular IP addresses?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Multiple logs
On 26.12.15 20:30, kev wrote:
> I am using bind9 with ubuntu 14.04. I was wondering how to log by
> individual IP. I've googled it but didn't find what I was looking for.
> Thanks,

I'd choose logging at kernel level in the iptables firewall. ULOG and ulogd
can log to libpcap format.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Multiple logs
On 26.12.15 20:30, kev wrote:
>>> I am using bind9 with ubuntu 14.04. I was wondering how to log by
>>> individual IP. I've googled it but didn't find what I was looking for.
>>> Thanks,

On 27.12.2015 at 18:07, Matus UHLAR - fantomas wrote:
>> I'd choose logging at kernel level in the iptables firewall. ULOG and
>> ulogd can log to libpcap format

On 27.12.15 19:12, Reindl Harald wrote:
> since when is iptables a logging tool?

Since it can log, it can be used for logging.

> don't abuse it and it's "-j LOG" for such things

It's "-j ULOG", a.k.a. userspace log, and it's used with ulogd, the
userspace logging daemon. Learn the difference before commenting.

> besides you risk a self-DOS when not being very careful and bother a
> critical system layer with non critical stuff
> it hardly has the capability to write different logs for different IP's

So what? It _can_ be used for logging, and its usage mostly depends on what
the original poster means by "log by individual ip". The original post
indicates that the OP wants to log only traffic from specific IPs, where
ulog is best until BIND learns query logging only for specific IPs.

> frankly it don't write any logs at all, just the kernel ring-buffer

Which means it is not a self-DoS when done carefully.

> just use the default query log and grep within cron

Yes, why log selectively when we can log everything and then drop the rest.
Especially when it requires much more computing power and overhead...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Multiple logs
On 26.12.15 20:30, kev wrote:
>>>>> I am using bind9 with ubuntu 14.04. I was wondering how to log by
>>>>> individual IP. I've googled it but didn't find what I was looking for.
>>>>> Thanks,

On 27.12.2015 at 18:07, Matus UHLAR - fantomas wrote:
>>>> I'd choose logging at kernel level in the iptables firewall. ULOG and
>>>> ulogd can log to libpcap format

On 27.12.15 19:12, Reindl Harald wrote:
>>> since when is iptables a logging tool?

On 27.12.2015 at 19:36, Matus UHLAR - fantomas wrote:
>> since it can log, it can be used for logging.

On 27.12.15 19:55, Reindl Harald wrote:
> - used
> + abused

Bullshit. Please learn the difference between LOG and ULOG before
commenting.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Why two lookups for a CNAME?
On 22.10.2015 at 14:01, Matus UHLAR - fantomas wrote:
>> I wonder if it's not enough to verify that the first response was
>> received from the proper server. Since play.l.google.com is a subdomain
>> of play.google.com, the lookup would go through google.com nameservers
>> again...
>>
>> When servers for bar.example are the same as servers for foo.example,
>> the already accepted answer for foo.example is expected to contain a
>> valid answer for bar.example too...

On 22.10.15 14:07, Reindl Harald wrote:
> well, it's better to keep things simple and whenever possible working the
> same way instead of premature optimization and different behavior, to
> keep them clear and maintainable

I don't see what's premature about keeping invalidated responses pending in
the cache for further validation ...

I believe this is very common at many DNS hosting providers that will
return not just the answer but also the glue records, so there's in fact no
need to check for them once you make sure the NS is correct, so we can spare
ourselves some RTTs. (Of course DNSSEC validation will still be done, but
also optimized.)

> at the end it does not matter, most DNS results are coming from caches
> and if they are not in the cache they are not frequent enough that it
> would matter

It doesn't matter so much that nobody even asked about it on the BIND
mailing list after noticing it...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Why two lookups for a CNAME?
In message <1401468033.15948.1445459552099.javamail.vpopm...@atl4oxapp02pod1.mgt.hosting.qts.netsol.com>, Steve Arntzen writes:
>> Why does named perform a lookup for the A record when its IP is returned
>> with the CNAME in the first answer?

On 22.10.15 08:01, Mark Andrews wrote:
> To prevent cache poisoning via cnames. It is simpler to always lookup the
> target of the cname than to figure out if we would have accepted the
> following data.
>
> server A has zones foo.example and bar.example configured
> server B has zone bar.example configured
> bar.example is only delegated to server B of the two servers above.
> There is a cname from www.foo.example -> www.bar.example
>
> Server A returns a complete answer but the www.bar.example data is from
> the wrong zone instance. This happens accidentally in real life.

I wonder if it's not enough to verify that the first response was received
from the proper server. Since play.l.google.com is a subdomain of
play.google.com, the lookup would go through google.com nameservers again...

When servers for bar.example are the same as servers for foo.example, the
already accepted answer for foo.example is expected to contain a valid
answer for bar.example too...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
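The bailiwick check behind Mark Andrews' answer, as an added example that is not code from the thread or from BIND: records whose owner name lies outside the zone the responding server was asked about are dropped, and a dropped CNAME target is exactly what forces the second lookup. All names, addresses and both responses below are constructed.

```python
"""Added example, not from the thread: a bailiwick check of the kind a
resolver applies before caching records that arrive alongside a CNAME.
It models Mark Andrews' scenario: server A also holds a stale copy of
bar.example, but only server B is delegated for it. Names, addresses and
responses are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, absolute (trailing dot)
    rtype: str   # "CNAME" or "A"
    rdata: str   # CNAME target or IPv4 address


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name equals zone or lies below it (label-wise, case-insensitive)."""
    n = name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def accept_answer(answer: list[RR], queried_zone: str) -> tuple[list[RR], list[RR]]:
    """Split a response into records the cache may keep (owner inside the zone
    the responding server was queried for) and records that must be dropped
    because that server is not authoritative for them."""
    kept, dropped = [], []
    for rr in answer:
        (kept if in_bailiwick(rr.name, queried_zone) else dropped).append(rr)
    return kept, dropped


def pending_cname_targets(kept: list[RR]) -> list[str]:
    """CNAME targets whose own data was not accepted from this response; the
    resolver must issue a separate query for each (the second lookup the
    original poster asked about)."""
    have_data = {rr.name.lower() for rr in kept if rr.rtype != "CNAME"}
    return [rr.rdata for rr in kept
            if rr.rtype == "CNAME" and rr.rdata.lower() not in have_data]


# Constructed response from server A to "www.foo.example. A?". The A record
# for www.bar.example comes from server A's stale, undelegated copy.
SERVER_A_RESPONSE = [
    RR("www.foo.example.", "CNAME", "www.bar.example."),
    RR("www.bar.example.", "A", "192.0.2.99"),
]

# Constructed response where the CNAME target stays inside the queried zone
# (the google.com style case raised later in the thread): nothing is dropped
# and no second lookup is needed.
SAME_ZONE_RESPONSE = [
    RR("play.example.", "CNAME", "play.l.example."),
    RR("play.l.example.", "A", "203.0.113.5"),
]


def resolve_cross_zone() -> tuple[list[RR], list[RR], list[str]]:
    kept, dropped = accept_answer(SERVER_A_RESPONSE, "foo.example.")
    return kept, dropped, pending_cname_targets(kept)


def resolve_same_zone() -> tuple[list[RR], list[RR], list[str]]:
    kept, dropped = accept_answer(SAME_ZONE_RESPONSE, "example.")
    return kept, dropped, pending_cname_targets(kept)


if __name__ == "__main__":
    for label, (kept, dropped, pending) in (("cross-zone", resolve_cross_zone()),
                                            ("same-zone", resolve_same_zone())):
        print(f"{label}: kept={[r.name for r in kept]} "
              f"dropped={[r.name for r in dropped]} re-query={pending}")
```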
Re: How does a Client Verify if the DNS server is Alive or down
On 20.10.15 11:56, Harshith Mulky wrote:
> How can a Client verify if the DNS Server is Running (named service is
> Running) or Down?

Why should the client know such info? The client needs to have the answer -
it sends a message and if the server replies properly, it's up and running.

> Does it periodically send any messages to the server. What Kind of
> messages are required by the client to be sent towards the server to
> determine if the DNS IP is reachable or not?

What is your problem?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: dname reverse delegation
On 14.10.15 10:11, Paul A wrote:
> Niall my problem is the name server that delegated the reverse does look
> up the record correctly. I have this in the zone,
>
>   DNAME 0/24
>   ;;; delegate to server
>   0/24    NS    ns.someserver.com
>
> At ns.someserver.com the lookups work with no problems. However at the
> main name server the PTR lookup does not work. Not sure what I'm missing.

You have already been advised to avoid the ".0/24." NONSENSE.
You can easily delegate x.x.x.IN-ADDR.ARPA without putting the useless (and,
as you report, problematic) subdomain ".0/24." there...

> ;; ANSWER SECTION:
> x.x.x.in-addr.arpa.                  172800 IN DNAME 0/24.x.x.x.IN-ADDR.ARPA.
> 2.x.x.x.in-addr.arpa.                172800 IN CNAME 2.0/24.x.x.x.IN-ADDR.ARPA.
> 2.0/24.x.x.x.IN-ADDR.ARPA.           172800 IN CNAME 2.0/24.0/24.x.x.x.IN-ADDR.ARPA.
> 2.0/24.0/24.x.x.x.IN-ADDR.ARPA.      172800 IN CNAME 2.0/24.0/24.0/24.x.x.x.IN-ADDR.ARPA.
> 2.0/24.0/24.0/24.x.x.x.IN-ADDR.ARPA. 172800 IN CNAME 2.0/24.0/24.0/24.0/24.x.x.x.IN-ADDR...
>
> But looking up the record on ns1.someserver.com works fine.
>
> ;; ANSWER SECTION:
> 13.7.69.in-addr.arpa.        172229 IN DNAME 0/24.x.x.69.IN-ADDR.ARPA.
> 2.13.7.69.in-addr.arpa.      172229 IN CNAME 2.0/24.x.x.69.IN-ADDR.ARPA.
> 2.0/24.13.7.69.IN-ADDR.ARPA. 172800 IN PTR   x-x-x-x.rev.XXX.com.
>
>> On Tue, 13 Oct 2015 21:40:30 +0100, Paul A wrote:
>>> I have a few /24 that I want to delegate using DNAME.
>>
>> Are you expecting to save yourself trouble by doing so? If not, you
>> should probably reconsider.
>> [...]
>> Don't be distracted by RFC2317. It describes the trickery you need when
>> you're dealing with a longer prefix (fewer addresses) than a /24.
>> If you have "a few /24", you can deal with them without needing any of
>> that.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
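Why the posted zone produces the endless CNAME chain shown in the first ANSWER SECTION, as an added example that is not code from the thread or from BIND: RFC 6672 DNAME substitution applied step by step, with the sanitized names from the thread and a constructed sane target (x.x.x.rev.example.) for comparison. A DNAME whose target lies beneath its own owner rewrites every query into another name the same DNAME matches again.

```python
"""Added example, not from the thread: RFC 6672 DNAME substitution applied
repeatedly, to show why a DNAME whose target (0/24.x.x.x.in-addr.arpa)
lies beneath its own owner (x.x.x.in-addr.arpa) never terminates. Owner
and posted target are the sanitized names from the thread; the sane
target is constructed."""
from __future__ import annotations


def labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")


def is_below(name: str, owner: str) -> bool:
    """True when name is a proper subdomain of owner (not owner itself)."""
    n, o = labels(name), labels(owner)
    return len(n) > len(o) and n[len(n) - len(o):] == o


def dname_substitute(qname: str, owner: str, target: str) -> str | None:
    """RFC 6672 section 2.2: if qname is below the DNAME owner, replace the
    owner suffix with the target; the server synthesizes a CNAME to this
    name. Returns None when the DNAME does not apply to qname."""
    if not is_below(qname, owner):
        return None
    n, o = labels(qname), labels(owner)
    prefix = n[:len(n) - len(o)]
    return ".".join(prefix + labels(target)) + "."


def follow_dname(qname: str, owner: str, target: str,
                 max_steps: int = 8) -> tuple[list[str], bool]:
    """Apply the DNAME as a resolver chasing synthesized CNAMEs would.
    Returns the chain of names and whether it was cut off because it never
    left the DNAME's own subtree (a loop)."""
    chain = [qname]
    for _ in range(max_steps):
        nxt = dname_substitute(chain[-1], owner, target)
        if nxt is None:           # left the owner's subtree: chain terminates
            return chain, False
        chain.append(nxt)
    return chain, True            # still inside after max_steps: loops forever


def dname_loops(owner: str, target: str) -> bool:
    """Static check a zone linter could apply before loading: a DNAME whose
    target is the owner itself or below it can never terminate."""
    return labels(target) == labels(owner) or is_below(target, owner)


# Sanitized names from the thread
POSTED_OWNER = "x.x.x.in-addr.arpa."
POSTED_TARGET = "0/24.x.x.x.in-addr.arpa."
# Constructed sane alternative: a target in a different subtree
SANE_TARGET = "x.x.x.rev.example."

if __name__ == "__main__":
    for target in (POSTED_TARGET, SANE_TARGET):
        chain, looped = follow_dname("2.x.x.x.in-addr.arpa.", POSTED_OWNER, target)
        print(f"DNAME -> {target}: loops={looped}")
        for name in chain:
            print("   ", name)
```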
Re: FW: SRV Request to DNS
On 06.10.15 09:21, Harshith Mulky wrote:
> Let us say we are having a FQDN and we need to Resolve it. It goes
> through the procedure of determining the IP and Port using NAPTR/SRV/A
> query mechanisms

No, ordinary resolution does NOT use NAPTR and SRV records, only A and/or
AAAA records.

> The question I have is if I have a FQDN with a Port Number already
> determined, will it go through the Procedure of NAPTR/SRV/A query (or)
> simply do an A query (or) Is this left to the client to apply the Logic?

DNS does NOT care about port numbers. Some upper-level protocols do, but
they must take care of that themselves.

Please provide a more detailed question, or search the archives if it
hasn't been answered already.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Options for non-recursive servers
On 22.09.15 12:24, Bob McDonald wrote:
> for non-recursive (authoritative only) servers I have:
> [deleted]
> Note: There is actually only one interface with an inside address.. It's
> NATed to the outside address (query-source). Several options are defaults
> and specified for clarity.
>
> Does anything jump out as being incorrect?

I don't see a reason to redefine all defaults. When defaults change for a
sane reason, you may miss that reason then. And if you wanted to change
anything, defining views could cause trouble.

> Are there implications to setting minimal-responses to yes?

You can in some cases receive multiple requests that could be avoided
without this.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Multiple A and PTR and the "main" ones?
On 09/11/2015 02:10 PM, Reindl Harald wrote:
>>> just don't specify more than one PTR for an IP

On 11.09.2015 at 14:14, Marek Kozlowski wrote:
>> Specifying multiple CNAMEs for the same alias is not possible

On 11.09.15 14:22, Reindl Harald wrote:
> no idea what that means, a CNAME can point to another CNAME in circles

That's true, however not recommended. It's also possible to have multiple
CNAMEs pointing to the same record, which I would recommend.

>> defining more than one PTR for the same IP is possible I believe there
>> is some reason for it. I think sometimes it might be useful. Is it a bad
>> practice?

> it is a bad practice and leads exactly to the problems you describe when
> the other side tries to verify A/PTR matching because there is just no
> ordering like there is also no ordering having multiple A records for
> the same name with different IP's

Agreed.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
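The forward-confirmed reverse DNS check discussed in this thread and in "Multiple A records and reverse DNS" above, as an added example that is not code from the thread: it runs against constructed lookup tables (documentation address ranges, example.* names) so it works offline, and shows both points the replies make: with several A records it is enough that one of them carries the PTR'd IP, and several PTRs for one IP break a checker that only trusts the first PTR, because RRset order is not guaranteed.

```python
"""Added example, not from the thread: the forward-confirmed reverse DNS
check a receiving mail server applies to a connecting client, run against
constructed reverse/forward tables instead of live DNS."""
from __future__ import annotations

# Constructed data; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges, the names are example.* names.
PTR_TABLE: dict[str, list[str]] = {
    "192.0.2.10": ["mail.example.com."],                      # one PTR
    "192.0.2.11": ["mail.example.net.", "www.example.net."],  # two PTRs for one IP
    "192.0.2.12": ["old.example.org."],                       # stale PTR
    "192.0.2.13": [],                                         # no reverse at all
}
A_TABLE: dict[str, list[str]] = {
    "mail.example.com.": ["198.51.100.10", "192.0.2.10"],     # two A records, one matches
    "mail.example.net.": ["192.0.2.11"],
    "www.example.net.": ["203.0.113.7"],                      # does not point back
    "old.example.org.": ["198.51.100.99"],                    # does not point back
}


def lookup_ptr(ip: str) -> list[str]:
    return list(PTR_TABLE.get(ip, []))


def lookup_a(name: str) -> list[str]:
    return list(A_TABLE.get(name, []))


def fcrdns(ip: str) -> tuple[str, list[str]]:
    """Full check: the IP passes if ANY of its PTR names has an A record
    containing the IP; extra A records for that name do not matter.
    Returns (verdict, confirmed_names) with verdict 'ok', 'no-reverse'
    (no PTR at all) or 'mismatch' (PTRs exist but none points back, the
    'invalid reverse' case the reply calls worse than no reverse)."""
    names = lookup_ptr(ip)
    if not names:
        return "no-reverse", []
    confirmed = [n for n in names if ip in lookup_a(n)]
    return ("ok" if confirmed else "mismatch"), confirmed


def first_ptr_only(ip: str, rotate: int = 0) -> bool:
    """Naive checker that trusts only the first PTR it receives. `rotate`
    simulates a resolver handing back the PTR RRset in a different order
    (round-robin); for an IP with two PTRs the verdict flips with it."""
    names = lookup_ptr(ip)
    if not names:
        return False
    k = rotate % len(names)
    names = names[k:] + names[:k]
    return ip in lookup_a(names[0])


if __name__ == "__main__":
    for ip in PTR_TABLE:
        print(ip, fcrdns(ip), "first-PTR-only by order:",
              [first_ptr_only(ip, r) for r in range(2)])
```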
Re: questions about DNS notify
On 10.09.15 17:46, Ken Peng wrote:
> zone.com    IN SOA  dwdns1.nsbeta.info. hostmaster.xxx.com. (
>                     1804       ; serial
>                     7200       ; refresh (2 hours)
>                     1800       ; retry (30 minutes)
>                     604800     ; expire (1 week)
>                     300        ; minimum (5 minutes)
>                     )
>             NS      dwdns1.nsbeta.info.
>             NS      dwdns2.nsbeta.info.
>
> Before the master sends notify to slaves, where will the master query
> from, to get the IP addresses for those slaves?

It will run the standard resolution procedure - try lookup from root, or
configured forwarders, unless having nsbeta.info configured locally.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Solved - Re: A tale of two nameservers - resolution problems
On 01.09.15 13:36, Robert Moskowitz wrote:
> On the Fedora-arm list I was told about systemd-timesyncd. Much better for
> these systems than chronyd which is supposed to be the replacement for
> ntpdate...

chrony is a replacement for ntpd (not ntpdate!) on systems that are not
always online.

> "has been hooked up with networkd to only operate when network
> connectivity is available" according to:
> http://lists.freedesktop.org/archives/systemd-devel/2014-May/019537.html

I find that a bit different, and I believe that chronyd is better for
systems that are often offline, although it doesn't fix the issue with
boards without an RTC.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: DNS Negative Caching
On 28.08.15 17:32, Darcy Kevin (FCA) wrote:
> RFC 2308 said that the use of the last field of the SOA to set
> negative-caching TTL is the new defined meaning of the SOA minimum field.
> So you can *call* it minimum, but it is *actually* supposed to function
> as something else...
>
> Eventually I hope BIND will conform to the spirit of RFC 2308 and stop
> using the last field of the SOA to set the default TTL, as a fallback in
> scenarios where the file would otherwise be illegal (i.e. the first RR
> has no explicit TTL set, and there is no $TTL directive preceding it).
> RFC 2308 is so old, that if it were a person, it would be legal to buy
> cigarettes in some parts of the world. It's long past time for folks to
> get with the program.

What would you expect BIND to do in such a case, refuse the zone?
The minimum value is a safe default in most cases. Note that it only
matters on masters; the XFER slaves see the TTL within each record...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: [OT] Re: configuration error in lists.isc.org
On Aug 6, 2015, at 4:25 PM, Heiko Richter <em...@heikorichter.name> wrote:
>> Whenever I post something to the list (I'm not using SMTP, I'm using a
>> usenet server to post to comp.protocols.dns.bind), my postmaster address
>> receives DMARC notifications from list members that have employed this
>> wonderful protocol on their servers, telling me my message had been
>> rejected for violating my SPF policy. My SPF record doesn't include
>> lists.ist.org, of course, and it never will. Furthermore it ends with
>> -all so all my messages to the list are being rejected by list members
>> who have spf aware servers.

SPF must only check the envelope address, not the header From: address - it
was never designed to do the latter.

On 07.08.15 02:54, Heiko Richter wrote:
> Just found another solution, that will help with any DMARC-aware server
> that knows Sender-ID. I just published:
>
>   heikorichter.name. 60 IN TXT spf2.0/pra ?all
>
> This will force DMARC to check only the envelope sender, which is changed
> by lists.isc.org as /dev/rob0 pointed out earlier

How did your SenderID record look before?

Note that it's the SenderID specification that is horribly broken (btw,
just because of mailing lists) and further any protocol that uses it (does
DMARC?)

Blaming the ISC mailserver for not changing the header address is blaming
it for doing something (all?) list servers did years before microsoft came
with the braindead SenderID specification that broke this behaviour.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: [OT] Re: configuration error in lists.isc.org
On 07.08.2015 at 08:29, Matus UHLAR - fantomas wrote:
>> SPF must only check the envelope address, not the header From: address -
>> it was never designed to do the latter.

On 07.08.15 17:23, Heiko Richter wrote:
> Correction:
> - All implementations of SPF always check 2 addresses:
>   - Envelope-From address
>   - From address

The latter is simply not true. I repeat: SPF was designed only to match the
MAIL FROM address and NOT the rfc822 header From: address. _No_ SPF
implementations match header addresses.

Implementations of Microsoft's broken SenderID proposal match From:
addresses, and the worst even compare it to the v=spf1 record, which is
fundamentally broken.

>> Note that it's the SenderID specification that is horribly broken (btw,
>> just because of mailing lists) and further any protocol that uses it
>> (does DMARC?)
>>
>> Blaming the ISC mailserver for not changing the header address is
>> blaming it for doing something (all?) list servers did years before
>> microsoft came with the braindead SenderID specification that broke
>> this behaviour.

> You seem to mix up SenderID and SPF. SPF is the thing that is broken as
> it always checks Envelope- and Header-From. Sender-ID is a way (the only
> way) to tell SPF it should just check one of them.

No, you are mixing those two. SPF is the original protocol that was made to
match envelope from addresses, and SenderID is the braindead Microsoft
invention that tries to match it against headers.

> After publishing the SenderID record the DMARC bounces stopped as the
> servers just check the Envelope-From now. Before SenderID the only way
> had been to live with the DMARC bounces or to make the list servers
> change the Header-From. But with SenderID there's a working alternative.

If this is true, then DMARC is broken...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: How to properly update chroot-bind
On 27.07.15 18:28, Leandro Roggerone wrote:
> Hello, guys, I would like to know how to properly update my chroot bind
> version. I still can not get some nice doc / info about it.
> I'm using:
>
>   [root@centos-dns1 ~]# named -v
>   BIND 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3
>
> running on a
>
>   [root@centos-dns1 ~]# uname -a
>   Linux centos-dns1.virtual.com.ar 2.6.32-504.23.4.el6.x86_64 #1 SMP Tue Jun 9 20:57:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
>
> Doing yum update bind-chroot is not the way.
> This is not a production server yet but it will be soon.

yum update bind should do that.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: How to properly update chroot-bind
On 28.07.2015 at 10:56, Matus UHLAR - fantomas wrote:
>>> but you *never ever* should only update specific packages on a
>>> RHEL/CentOS system because that is *not supported and tested* at all
>>
>> No? What are dependencies for, then? Or don't yum/RPM support them in
>> the way debian does?
>> (that is why it's quite easy to have mixed Debian... we have a machine
>> with a mix of debian 5,6,7 and even 8... not that it's a good idea)

On 28.07.15 11:22, Reindl Harald wrote:
> CentOS is a RHEL clone except that there are no updates for older point
> releases. it was multiple times stated by the maintainers on the mailing
> list that you have to apply *all* errata updates, nothing else is
> supported
>
> it's not a matter of dependencies, it's just a matter of what
> combinations of packages are tested for regressions and the fact that
> there are no updates for RHEL without a good reason
>
> how do dependencies help when there was a critical bug fixed in package A
> which may hit your updated version of package B because the combination
> of those versions never was tested
>
> feel free to ignore that but you are on your own if things behave
> unexpectedly when the developers say just only use 'yum upgrade' which
> applies also for minor releases, when CentOS 6.7 is out there will be no
> single update for CentOS 6.6 packages and hence yum upgrade brings you to
> CentOS 6.7 in a few weeks which is from that moment on the only supported
> CentOS 6.x

Yes, this is a good explanation, I believe for the OP too.

Not supported can of course mean working without problems, however I agree
there's no point in only updating BIND itself. Still, the OP can stick with
the provided BIND 9.8 that is in CentOS 6, update to CentOS 7 or compile
his own BIND version (and provide support for themselves).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: setting and monitoring dns cache master / slave pair
On 06.07.15 16:39, Leandro wrote:
> 3) Does it have any drawbacks not declaring any zone file in the long
> term?

You should declare at least the RFC 1918/3330/5735 reverse zones, to
prevent forwarding queries to the root servers.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: file descriptor exceeds limit
On 17.06.15 22:39, Shawn Zhou wrote:
> BIND on my resolvers reaches the max open file limit and I am getting lots of SERVFAILs http://pastebin.com/SxRsHLff
>
> After I increased the max-socks (-s 8192) to 8192, I no longer saw the file limit error in the log; however, I am still seeing many SERVFAILs.

no other errors?

> Our resolvers were doing about 15k queries per second when this was happening and those were legit traffic. I am aware that I am setting recursive clients to a very high number. Those resolvers are running on 12-core CPU and 24G RAM hardware. CPU utilization was at about 20% and plenty of RAM left. I am wondering if I've reached the limit of BIND for the amount of recursive queries it can serve. Any other tunings I should try?

maybe changing the number of recursive-clients, max-clients-per-query. Does EDNS work for you? EDNS problems often result in an increased number of TCP queries, which slows down resolution ...

> By the way, the resolvers are running RHEL 6.x.

the precise BIND version would help a bit more... seems RH6.6 contains 9.8.2 but that may be different for older RH6 versions.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
LSD will make your ECS screen display 16.7 million colors
Re: Automatic . NS queries from BIND
On 17/06/15 12:27, Gaurav Kansal wrote:
>> At most, what I can make sure is my hint file is up to date with this cross check.

On 17.06.15 14:26, Anand Buddhdev wrote:
> You're better off not providing a hints file at all. BIND ships with a built-in list of hints, and it will use this if you don't provide a hints file. BIND's built-in list is updated by ISC whenever root name server addresses change, or when IPv6 addresses are added, for example. This makes your configuration a bit simpler, and you don't have to care about keeping your hints file up to date.

well, the hard-coded hints file changes whenever a new BIND release gets out, while the bundled hints file may be updated by packagers or manually. I'd say that the bundled hints file is likely to be newer than the hard-coded one.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Where do you want to go to die? [Microsoft]
Re: Getting an error on a simple DNS configuration
On 03.06.15 12:34, Samad Agha wrote:
> So, when I query my new DNS server from itself (206.117.115.93), it resolves the name to an IP, but when I query my new DNS server from another Linux box, it fails with the following error message.

you must allow BIND to provide recursive DNS for other hosts, by configuring allow-recursion. otherwise, it will provide DNS resolution only for its local networks (directly connected to host interfaces).

> [root@new-dns2 ~]# nslookup google.com 206.117.115.93

don't use nslookup, it's a very bad tool for debugging DNS problems. learn to use host and/or dig

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Emacs is a complicated operating system without a good text editor.
Re: Suppress log entry...
On 14.04.15 07:36, SH Development wrote:
> Like what? I’ve never had any issues.

Like you uselessly flush all cached data, RTTs ... and you get an unwanted log line in the output. If you never had any issues with reconfig, use rndc reconfig.

> On Apr 13, 2015, at 12:27 PM, Emil Natan shly...@gmail.com wrote:
>> in other words: if every time you change the config you hard restart named instead of doing a reload, you are doing it terribly wrong with a ton of bad side effects

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Your mouse has moved. Windows NT will now restart for changes to take effect. [OK]
Re: rndc flushname not working
On 09.04.15 13:25, Frank Even wrote:
> Is there any place I can look to get a definitive answer on in which cases flushname will and will not work?

it will work if you have old entries in the cache. that will NOT help you if any of the servers that are supposed to be authoritative for a domain return invalid answers for the domain.

> I've been digging around in lists and docs and can't seem to find any definitive answers. I've been having odd troubles clearing a name from a cache and even after clearing the name and the name that the name servers were attached to, I still had to flush the entire cache to get resolution working properly on that domain again.

this indicates that one of the NS records the domain points to returns NXDOMAIN for the domain. hard to tell without more info, but some web DNS checkers are able to trace this kind of issue...

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Windows found: (R)emove, (E)rase, (D)elete
Re: bind-users Digest, Vol 2083, Issue 1
On 06.04.15 15:19, Noel Butler wrote:
> you need an allow-query and ACL, eg:

No. Don't play with allow-query if it is supposed to be authoritative for any zones (unless those zones are internal). If the server is supposed to host any zones visible from the net, allow-query would make them invisible.

he should set up 'recursion yes;' and put his hosts in the 'allow-recursion' statement, if he needs to. However, the housing provider will apparently provide recursive DNS service.

> On 06/04/2015 01:52, STEPHEN EYRE wrote:
>> The aim is to make it authoritative as well as hosting my web sites.
>>
>> When I change my /etc/bind/named.conf.local file from 'recursion no;' to 'recursion yes;' I get an inverse of the above. I get full replies from all my dig enquiries but I get an open recursive warning - which I obviously don't want.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Where do you want to go to die? [Microsoft]
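The two replies above ("Getting an error on a simple DNS configuration" and this one) make the same point from opposite directions: leave allow-query alone on a server that hosts public zones, and control recursion with allow-recursion instead. Below is an added named.conf fragment illustrating that, written for this page and not taken from any poster; the ACL name, the 192.0.2.0/24 range, the zone name and the file paths are placeholders.

```conf
// Added example, not from any poster on this thread.
// Network ranges, zone names and file paths are placeholders.

// WRONG (1): restricting allow-query on a server that hosts public zones
// hides those zones from every client outside the list.
// options {
//     recursion yes;
//     allow-query { 192.0.2.0/24; };   // example.com now invisible from the net
// };

// WRONG (2): recursion with no allow-recursion answers recursive queries
// from anyone on the Internet, which is what the "open recursive" warning
// in the quoted message is about.
// options {
//     recursion yes;
// };

// CORRECT: recursion stays on, but only for hosts named in the ACL;
// allow-query keeps its default, so authoritative data is served to all.
acl "trusted" {
    127.0.0.1;          // the server itself
    ::1;
    192.0.2.0/24;       // placeholder: the LAN that should get recursion
};

options {
    directory "/var/cache/bind";   // placeholder path
    recursion yes;
    allow-recursion { trusted; };  // recursive service only for the ACL
    // no allow-query statement: public zones remain reachable from the net
};

// Public zone, answered for any client because allow-query is unrestricted.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";   // placeholder path
};

// Private-space reverse zone, as recommended in the "dns cache master / slave"
// reply above, so 10.x PTR lookups are answered locally instead of being
// sent towards the root servers.
zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";         // placeholder: an empty zone file
};
```

With the corrected options in place, a recursive query for a name outside example.com from an address not in the ACL is refused, while a query for example.com itself is still answered from any address.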