Re: Separate DNS slaves as internal and external

2018-03-22 Thread McDonald, Daniel (Dan)
I've hidden those sort of things using response policy zones.

On 3/19/18, 6:34 AM, "bind-users on behalf of King, Harold Clyde (Hal)" 
 wrote:

I have DNS slaves for internal and external entities. I don't know how to 
work the NS records so that outside users would only get the external slave and 
internal would only get the internal slave.

How can I do this? If I put only the internal slaves in the NS records, 
external users query the internal servers. If I put both, external users still 
see and use the internal slave. If I put only the external one, internal users get the 
external slave. I have put the external slave in our registrar. 

Any help would be appreciated.

Thanks in advance 


-- 
Hal King  - h...@utk.edu
Systems Administrator
Office of Information Technology
Shared Systems Services

The University of Tennessee
103C5 Kingston Pike Building
2309 Kingston Pk. Knoxville, TN 37996
Phone : 974-1599
Helpdesk 24/7 : 974-9900

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users




Re: dkim cname records replication

2017-05-22 Thread McDonald, Daniel (Dan)
That's great! I've disabled checknames for over a decade because I couldn't get 
AD to work without it when I first set it up, and hadn't tried without it 
since. I'll go play in the lab tomorrow and see if I can turn that back on in 
production with the squirrelly version my distro provides (they call it 
9.9.1-400, or something like that: every security patch applied since 9.9.1, 
some of the bug fixes applied).

Get Outlook for iOS<https://aka.ms/o0ukef>



On Mon, May 22, 2017 at 9:11 PM -0500, "Mark Andrews" 
<ma...@isc.org<mailto:ma...@isc.org>> wrote:



In message , "McDonald, Daniel
(Dan)" writes:
> In this case, Microsoft names the records
> selector1._domainkeys.example.com and selector2._domainkeys.example.com.
> The poster said he was running bind 9.9.5, which to my knowledge doesn't
> support leading underscores without check-names ignore.

Named DOES support underscore.  It stops you using underscore in
HOSTNAME contexts which definitely don't apply to DKIM records.

* The owner name of an A record.  This is what bites with AD as
  there is an A record at gc._msdcs..  An exception has
  been added for this prefix (gc._msdcs) recently.
* The owner name of an AAAA record.
* The names of nameservers (NS rdata).
* The owner names of MX records.
* The names of mail exchangers (MX rdata).

DKIM uses underscores so that the owner names of the records it
uses do not clash with the syntax of valid hostnames.  DKIM does
not use A, AAAA or MX records at these names.  This is also why SRV
uses records with underscore prefixes.

Mark

> Get Outlook for iOS
>
>
>
> On Mon, May 22, 2017 at 8:45 PM -0500, "Mark Andrews"
> > wrote:
>
>
>
> In message , "McDonald, Daniel (Dan)" writes:
> > You need to add check-names ignore;  to the zone definition when dealing
> > with active directory.  That ignores the invalid underscore character.
>
> DKIM is not active directory.  Named can serve DKIM records without
> adding "check-names ignore;" to named.conf.
>
> The latest versions of named don't need "check-names ignore;" to
> serve AD zones with gc._msdcs. (BIND 9.9.10, 9.10.5, 9.11.1).
>
> It also doesn't help that Microsoft confuses "Host Name" with "Owner
> Name" / "Record Name" / "Domain Name" in the documentation referenced
> below.  Host name has a specific meaning and the documentation
> referenced there is just plain wrong in its use of "Host Name".
>
> Mark
>
> > From: bind-users  on behalf of Vidal
> > Garza
> > Date: Monday, May 22, 2017 at 10:31
> > To: Bind Users
> > Subject: dkim cname records replication
> >
> > Hello List,
> >
> > I have this question about replication.
> >
> > I have a replication between BIND 9.9.5-3.
> > We try to make DKIM work with Microsoft Office 365. In the documentation
> > they said that it should be a CNAME record with the sectors and it works
> > in the master. The problem is in the slave, with the name and the
> > underscore character.
> >
> > I wonder if BIND supports the underscore character, or if someone has a
> > link that could help me.
> >
> > Reference:
> > https://technet.microsoft.com/en-us/library/mt695945(v=exchg.150).aspx
> >
> > Thanks in advance!
> >
> >
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

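To make the distinction Mark draws concrete, here is an added Python model of check-names (written for this page, not code from the thread or from BIND) that applies the hostname test only in the five contexts he lists and leaves every other owner name alone. The sample zone, its selector CNAME and its addresses are constructed for the example; the recent gc._msdcs exception he mentions is not modelled.

```python
import re
from typing import List, Tuple

# Constructed sample zone for this example: (owner, type, rdata). The DKIM
# selector CNAME, the SRV record and the addresses are made up; the
# gc._msdcs owner is the Active Directory case discussed in the thread.
SAMPLE_ZONE: List[Tuple[str, str, str]] = [
    ("example.com.", "MX", "10 mail.example.com."),
    ("www.example.com.", "A", "192.0.2.10"),
    ("selector1._domainkey.example.com.", "CNAME",
     "selector1-example-com._domainkey.example.onmicrosoft.com."),
    ("_sip._tcp.example.com.", "SRV", "0 5 5060 sip.example.com."),
    ("gc._msdcs.example.com.", "A", "192.0.2.20"),
    ("example.com.", "NS", "ns_1.example.com."),
]

# RFC 952/1123 letters-digits-hyphen label: no underscore, no leading or
# trailing hyphen, at most 63 octets.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_hostname(name: str) -> bool:
    """True if every label is LDH; a leading '*' (wildcard) label is allowed."""
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(LDH_LABEL.match(label) for label in labels)

def hostname_contexts(owner: str, rtype: str, rdata: str) -> List[str]:
    """Names that check-names treats as hostnames for this record type, i.e.
    the contexts listed in the thread; every other owner/rdata is unchecked."""
    if rtype in ("A", "AAAA"):
        return [owner]                         # owner must be a hostname
    if rtype == "MX":
        return [owner, rdata.split()[-1]]      # owner and mail exchanger
    if rtype == "NS":
        return [rdata]                         # nameserver name
    return []                                  # CNAME, TXT, SRV, ... unchecked

def check_names(records) -> List[Tuple[str, str, str]]:
    """Return (owner, type, offending name) for each record check-names rejects."""
    rejected = []
    for owner, rtype, rdata in records:
        for name in hostname_contexts(owner, rtype, rdata):
            if not is_hostname(name):
                rejected.append((owner, rtype, name))
    return rejected

if __name__ == "__main__":
    for owner, rtype, name in check_names(SAMPLE_ZONE):
        print(f"check-names would reject {rtype} at {owner}: bad hostname {name}")
```

Run against the sample, only the A record at gc._msdcs and the NS pointing at ns_1 are rejected; the DKIM CNAME and the SRV record pass untouched.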

Re: dkim cname records replication

2017-05-22 Thread McDonald, Daniel (Dan)
In this case, Microsoft names the records selector1._domainkeys.example.com and 
selector2._domainkeys.example.com. The poster said he was running bind 9.9.5, 
which to my knowledge doesn't support leading underscores without check-names 
ignore.

Get Outlook for iOS<https://aka.ms/o0ukef>



On Mon, May 22, 2017 at 8:45 PM -0500, "Mark Andrews" 
<ma...@isc.org<mailto:ma...@isc.org>> wrote:



In message , "McDonald, Daniel (Dan)" writes:
> You need to add check-names ignore;  to the zone definition when dealing
> with active directory.  That ignores the invalid underscore character.

DKIM is not active directory.  Named can serve DKIM records without
adding "check-names ignore;" to named.conf.

The latest versions of named don't need "check-names ignore;" to
serve AD zones with gc._msdcs. (BIND 9.9.10, 9.10.5, 9.11.1).

It also doesn't help that Microsoft confuses "Host Name" with "Owner
Name" / "Record Name" / "Domain Name" in the documentation referenced
below.  Host name has a specific meaning and the documentation
referenced there is just plain wrong in its use of "Host Name".

Mark

> From: bind-users  on behalf of Vidal
> Garza
> Date: Monday, May 22, 2017 at 10:31
> To: Bind Users
> Subject: dkim cname records replication
>
> Hello List,
>
> I have this question about replication.
>
> I have a replication between BIND 9.9.5-3.
> We try to make DKIM work with Microsoft Office 365. In the documentation
> they said that it should be a CNAME record with the sectors and it works
> in the master. The problem is in the slave, with the name and the
> underscore character.
>
> I wonder if BIND supports the underscore character, or if someone has a
> link that could help me.
>
> Reference:
> https://technet.microsoft.com/en-us/library/mt695945(v=exchg.150).aspx
>
> Thanks in advance!
>
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: dkim cname records replication

2017-05-22 Thread McDonald, Daniel (Dan)
You need to add "check-names ignore;" to the zone definition when dealing with 
active directory.  That ignores the invalid underscore character.

From: bind-users  on behalf of Vidal Garza 

Date: Monday, May 22, 2017 at 10:31
To: Bind Users 
Subject: dkim cname records replication

Hello List,

I have this question about replication.

I have a replication between BIND 9.9.5-3.
We try to make DKIM work with Microsoft Office 365. In the documentation they 
said that it should be a CNAME record with the sectors and it works in the 
master. The problem is in the slave, with the name and the underscore character.

I wonder if BIND supports the underscore character, or if someone has a link 
that could help me.

Reference:
https://technet.microsoft.com/en-us/library/mt695945(v=exchg.150).aspx

Thanks in advance!



global server load balancing with the domain name

2017-04-14 Thread McDonald, Daniel (Dan)
Setting up global server load balancing seems easy enough – just add ns records 
pointing at the load balancer and away you go:

example.com.      38400 IN SOA ns20.example.net. dan\.mcdonald.example.com. 2017011107 10800 3600 604800 3600
example.com.      38400 IN NS  ns1.example.com.
example.com.      38400 IN NS  ns2.example.com.
test.example.com.   900 IN NS  gslb1.example.com.
test.example.com.   900 IN NS  gslb2.example.com.

That works fine for test.example.com.  But when I go to production, I need to 
do it for example.com and www.example.com.  How do I delegate just the A record 
and not the SOA, TXT, MX, SPF, and NS records, nor any of the other entries in 
the zone?  As I recall, I can't just delegate, as an example, www.example.com, 
then use a CNAME for example.com.



Re: Difference between delegation and forward zone

2017-03-06 Thread McDonald, Daniel (Dan)
Yes, you can forward to a subdomain.  Just define it as a separate zone and 
include the forwarders and forward-only lines.  I believe you need 
allow-query-cache for this to work.

Delegated zones don’t necessarily need to respond with SOA and NS records.  
Many load balancers use delegated zones for global server load balancing.  Just 
point your NS records at the load balancer and it should refer the querying DNS 
server along to the load balancer.  Assuming something else is doing the 
recursive lookups, you just need allow-query for this.  If this device is doing 
the recursive lookups, then you need allow-recursion for this to work.

You do need SOA and NS records if you are going to set up either a secondary or 
a stub zone.  In this case, you would need allow-query.

From: bind-users  on behalf of Bind Users 

Reply-To: Mik J 
Date: Monday, March 6, 2017 at 10:24
To: Bind Users 
Subject: Difference between delegation and forward zone

Hello,

I would like to check if my understanding is correct regarding delegation and 
forward

Delegation: I want to delegate the administrative tasks to someone else for one 
subdomain
subdomain1.mydomain.org
I'll specify the NS of that subdomain1.mydomain.org in my mydomain.org zone file
The other person will be able to create rr1.subdomain1.mydomain.org

Forward zone: I can forward a specific zone to a DNS server that is different 
from the default forwarders, or I won't attempt to do an iterative lookup.

=> Question 1: Can I have a forward zone that is a subdomain, 
subdomain1.mydomain.org? Or when the zone is a subdomain of mydomain (I'm 
authoritative) is it always a delegation?

=> Question 2: When I do a delegation, is it correct that the remote DNS server 
holding subdomain1.mydomain.org must always answer the SOA with SOA records and 
NS records (RFC 2181 chapter 6.1)

Regards


Re: defines ip to acl

2016-10-17 Thread McDonald, Daniel (Dan)
ACLs don't support ranges, only prefixes.  You don't want the whole /24.  I 
think you want:

acl net1 { 192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; };
acl net2 { 192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26; 
           192.168.1.192/29; };
 

On 2016-10-17, 13:41, "bind-users on behalf of Pol Hallen" 
 wrote:

Hello all :-)

I need to setup 2 kind of acl on same network, ie:

IP addresses from 192.168.1.1 to 192.168.1.99 belong to acl1,
and IP addresses from 192.168.1.100 to 192.168.1.199 to acl2:

acl net1 { 192.168.1.1-99/24 };
acl net1 { 192.168.1.99-199/24 };

What's the correct way? I didn't find anything :-/

thanks for help

Pol


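Splitting an address range into the prefixes a BIND acl accepts is mechanical, and getting it wrong in the permissive direction widens who matches the ACL. This added Python example (not from the thread) derives the prefix list for the two ranges in the question with the standard library, renders it as an acl statement, and verifies that the prefixes cover the range exactly.

```python
import ipaddress
from typing import List

def range_to_prefixes(first: str, last: str) -> List[str]:
    """Smallest list of CIDR prefixes covering exactly the addresses first..last."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]

def bind_acl(name: str, first: str, last: str) -> str:
    """Render the prefixes as a BIND 'acl' statement ready for named.conf."""
    body = " ".join(prefix + ";" for prefix in range_to_prefixes(first, last))
    return f"acl {name} {{ {body} }};"

def prefixes_cover(prefixes: List[str], first: str, last: str) -> bool:
    """Check that the prefixes match the range exactly: nothing missing and
    nothing extra (an over-wide prefix would let unintended clients match)."""
    covered = {int(addr) for p in prefixes for addr in ipaddress.ip_network(p)}
    start, end = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return covered == set(range(start, end + 1))

if __name__ == "__main__":
    # The two ranges from the question.
    for acl_name, lo, hi in (("net1", "192.168.1.1", "192.168.1.99"),
                             ("net2", "192.168.1.100", "192.168.1.199")):
        print(bind_acl(acl_name, lo, hi))
        assert prefixes_cover(range_to_prefixes(lo, hi), lo, hi)
```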

Re: Load balancer for Bind

2016-09-14 Thread McDonald, Daniel (Dan)
I’ve had great success using A10networks Thunder series and AX series for load 
balancing dns servers, performing GSLB, and for setting up anycast addresses 
for dns. 

On 2016-09-14, 11:18, "bind-users on behalf of Job" 
 wrote:

Hello,

Which is the best load balancer for two or more BIND DNS servers located in 
the same farm?
I read something about HAProxy, but it does not manage UDP connections, and 
the interesting security proxy/balancer DnsDist does not pass the original client 
IP for Bind-DLZ...

Thank you, regards!
Francesco



Re: Reducing memory usage by using db storage - performance?

2016-03-24 Thread McDonald, Daniel (Dan)

> On Mar 24, 2016, at 6:28 AM, MURTARI, JOHN  wrote:
> 
> Folks,
> Recently I've been looking at servers that host almost 200K ARPA 
> zones and load about 80 million resource records.  They run on good hardware 
> and take only a few minutes to load the zones on a clean start.   The issue 
> is memory utilization of about 23 Gig in RAM.
> It seems a terrible waste of memory, and a good portion of 
> those zones probably rarely see queries.

But RAM is cheap.  A 32GB stick is usually under $200. And 80 million 
customers?  Seems like a very small price to pay for reliable PTR records.

> 
> I’ve got extensive experience with mySQL and postgres, but 
> always assumed you’d really take a latency hit.  Plus, we’d be adding more 
> complexity by running a DB server.  The current DNS servers are located in 
> separate data centers – it seems we’d have to also run a master/slave DB 
> setup, with a slave DB server at each site to avoid network overhead.  This 
> all sounds very slow and more complicated.

And the development of such a system would cost significantly more than 
throwing a couple more sticks of RAM into your server, and have on-going 
training and maintenance costs.  Yes, engineers like to create an elegant 
solution, but sometimes the cheap solution just makes a lot of sense.

> 
> Anyone with experience solving this type of issue?
> Many thanks!
> John
> 
> 
> John Murtari – jm5...@att.com 
> Ciberspring
> office: 315-944-0998
> cell: 315-430-2702
> 



Re: monitoring/graphing/tracking named queries

2015-11-13 Thread McDonald, Daniel (Dan)


On 11/13/15, 4:46 PM, "bind-users-boun...@lists.isc.org on behalf of Frank
Even"  wrote:

>What does everyone do for monitoring their DNS traffic, if anything?

We feed the query logs into Splunk, so they can be correlated with all of
the other network logs.

>I've come to a place where I need to have a good understanding of
>general capacity.  For example, how much traffic and types of traffic
>individual servers are handling.

>
>I'd also like to get a breakdown of raw # of queries, then types of
>queries, and in some cases, the top 20 "busiest hosts" and maybe what
>they are hitting the servers with.

Yup, all easily available from Splunk. And the logging is consistent for
all sorts of devices, so you only have to learn one log
parsing/reporting/cross-tabbing language.

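The numbers Frank asks for (raw query count, breakdown by type, busiest clients and what they ask for) come straight out of the named query log, whether or not a log platform sits behind it. This added Python example, not from the thread, parses a few constructed query-log lines in both the older "client A.B.C.D#port:" layout and the newer one that adds "@0x..." and the parenthesised query name, and tabulates them.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed BIND query-log lines (not real traffic), in the older
# "client A.B.C.D#port:" layout and the newer one with "@0x..." and "(qname)".
SAMPLE_LOG = """\
13-Nov-2015 16:46:01.101 client 192.0.2.10#53211: query: www.example.com IN A + (192.0.2.1)
13-Nov-2015 16:46:01.204 client 192.0.2.10#53212: query: example.com IN MX +E (192.0.2.1)
13-Nov-2015 16:46:01.311 client 192.0.2.11#40001: query: mail.example.com IN AAAA + (192.0.2.1)
13-Nov-2015 16:46:02.005 client @0x7f1c2c0a1e30 192.0.2.12#51000 (example.org): query: example.org IN ANY +E(0)K (192.0.2.1)
13-Nov-2015 16:46:02.120 client 192.0.2.10#53213: query: www.example.com IN A + (192.0.2.1)
13-Nov-2015 16:46:02.400 client 192.0.2.10#53214: query: www.example.com IN A +T (192.0.2.1)
"""

# Tolerates the optional "@0x..." client handle and the optional "(qname)".
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_query_log(text: str) -> List[Dict[str, str]]:
    """One dict per query line; lines that are not queries are skipped."""
    return [m.groupdict() for m in map(QUERY_RE.search, text.splitlines()) if m]

def summarize(text: str, top: int = 20) -> dict:
    """Raw count, breakdown by query type, busiest clients and the names they ask for."""
    queries = parse_query_log(text)
    return {
        "total": len(queries),
        "by_type": dict(Counter(q["qtype"] for q in queries)),
        "busiest_clients": Counter(q["client"] for q in queries).most_common(top),
        "top_qnames": Counter(q["qname"] for q in queries).most_common(top),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```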