How can I log only authorized queries

2017-01-13 Thread Mik J via bind-users
Hello,
I'm logging queries
    channel queries_file {
    file "/var/log/queries.log" versions 3 size 5m;
    severity dynamic;
    print-time yes;
    };
    category queries { queries_file; };

And queries that are not allowed
    channel "dns_secu" {
    file "/var/log/dnssecurity" versions 2 size 10485760;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
    };
    category "update-security" { "dns_secu"; };
In the file queries.log I can see the queries but I would like to have them only
for valid queries (not REFUSED).
How can I do this?
Thank you
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: switching entire DNS system to new servers and IP addresses

2017-02-25 Thread Mik J via bind-users
Hello,

From my personal experience I would add:
* Check if you have monitoring in place, you might want to monitor all types of
queries and error messages.
* Since you have external and internal DNS there might be firewalls
between them; check if the flows are opened and prepare a test plan with many
cases: long queries, TCP, etc.

* Don't do everything at once, do external DNS first, then internal DNS, then 
DHCP

* Check if your bind version and Infoblox bind versions are roughly the same, 
if your bind version is really old it might tolerate things that newer bind 
version won't

* Take care about your ACLs, you might want to do some cleaning and you also 
might want to make sure you don't have any security holes
* If you delegate zones, or zones are delegated to you, or another university is
slave for your zones, or some of your zones are slaves of other servers that don't
belong to you, check with them to update firewall rules and ACLs

* Make sure your new IP addresses are routed :D
* Prepare your rollback



I would really pay attention to the cleaning and everything that goes around 
this swap (my points above) because in my opinion failure is often because of 
these things more than upgrading bind or changing vendor



On Friday 24 February 2017 11:57, Phil Mayers wrote:
On 23/02/17 20:21, Mitchell Kuch wrote:

> In practice, we have encountered caching resolvers that provide
> non-decrementing TTL values to downstream resolvers and clients. Even

That is a depressingly common residential ISP trick :o(


Difference between delegation and forward zone

2017-03-06 Thread Mik J via bind-users
Hello,
I would like to check if my understanding is correct regarding delegation and
forward.
Delegation: I want to delegate the administrative tasks to someone else for one
subdomain, subdomain1.mydomain.org. I'll specify the NS of that
subdomain1.mydomain.org in my mydomain.org zone file. The other person will be
able to create rr1.subdomain1.mydomain.org.
Forward zone: I can forward a specific zone to a DNS that is different from the
default forwarders, or I won't attempt to do an iterative lookup.
=> Question 1: Can I have a forward zone that is a subdomain
subdomain1.mydomain.org? Or when the zone is a subdomain of mydomain (I'm
authoritative) is it always a delegation?
=> Question 2: When I do a delegation, is it correct that the remote DNS server
holding subdomain1.mydomain.org must always answer the SOA with SOA records and
NS records (RFC 2181 chapter 6.1)?
Regards


Re: Difference between delegation and forward zone

2017-03-06 Thread Mik J via bind-users
Barry: "Also, if there are no delegation records for the subdomain, the parent 
server believes it's authoritative for them, despite having forwarders 
configured." 
I don't understand what you just wrote above. Are you saying I need to do both 
delegation and forwarding on my authoritative server on the parent domain ?
So yes, the case is load balancers or other devices that are not real DNS; they
behave in a funny way.





Why would a master zone use forwarders ?

2017-05-12 Thread Mik J via bind-users
Hello,
If my DNS is master/slave for a zone, why would I want it to use forwarders?
In other terms, why would I want
    zone "mydomain.com"
    {
        type master;
        file "zones/master/com/mydomain.com";
        allow-update { acl; };
    };

instead of (forwarders {};)
    zone "mydomain.com"
    {
        type master;
        file "zones/master/com/mydomain.com";
        allow-update { acl; };
        forwarders {};
    };
Why would I want to forward requests if I'm authoritative for the zone?
Thank you to those who can highlight this point.

Re: Why would a master zone use forwarders ?

2017-05-12 Thread Mik J via bind-users
Thank you Ben for your answer
My server uses a global forwarding
I don't understand what you wrote: "If it is master for a foo.com and also has
global forwarding it will use the global forward for any delegated child
domains under foo.com unless they are also loaded locally."
If my DNS is authoritative, why would I use forwarding?
For my sub domains I use delegations:
    sub.mydomain.com NS ns.sub.mydomain.com
    ns.sub.mydomain.com A 1.1.1.1
What's the difference between the global forward for delegated child domains
and the delegation I do?
Thank you

 

On Friday 12 May 2017 15:34, Ben Croswell wrote:
 

 This would only change behavior if the server has global forwarding. 
If it is master for a foo.com and also has global forwarding it will use the 
global forward for any delegated child domains under foo.com unless they are 
also loaded locally.  The forward{} turns off global forwarding for that branch 
of the tree.


Re: Why would a master zone use forwarders ?

2017-05-13 Thread Mik J via bind-users
Thank you Ben,
"With no forward {} the path for blah.bar.foo.com directed at server A will be A > C > B"
Do you see any reason why I would use this non-optimal path?
In your example, how would C contact B, would there be a zone forward?
Regards

On Friday 12 May 2017 18:10, Ben Croswell wrote:
 

If you load foo.com on server A and delegate bar.foo.com to server B with a
global forwarder of server C, your resolution will vary depending on forward
first vs forward only and forwarders {}.
With no forward {} the path for blah.bar.foo.com directed at server A will be A > C > B.
With forward {} the global forward will be short circuited for foo.com
and below, resulting in a path of A > B.

DNS Flag signification in Syslog

2017-08-18 Thread Mik J via bind-users
Hello,
Do you know where I can find the meaning of DNS syslog messages?
client x.x.x.x#64111 (webmail.google.NET): query: webmail.google.NET IN  + (y.y.y.y)
=> I'm looking for the meaning of the +
client z.z.z.z#39953 (www.mydomain.org): query: www.mydomain.org IN A -ED (y.y.y.y)
=> I'm looking for the meaning of the -EC
Thank you

Re: DNS Flag signification in Syslog

2017-08-18 Thread Mik J via bind-users
Thank you very much Mark for your quick answer
 

On Friday 18 August 2017 13:46, Mark Andrews wrote:
 

 
In message <1744062904.346000.1503053675...@mail.yahoo.com>, Mik J via 
bind-users writes:
> Hello,
> Do you know where I can find the signification of DNS syslog messages ?

In the Administrators Reference Manual

https://ftp.isc.org/isc/bind9/9.11.2/doc/arm/Bv9ARM.pdf

Search for querylog

> client x.x.x.x#64111 (webmail.google.NET): query: webmail.google.NET
> IN  + (y.y.y.y)=> I'm looking for the signification of the +
> client z.z.z.z#39953 (www.mydomain.org): query: www.mydomain.org IN
> A -ED (y.y.y.y)=> I'm looking for the signification of the -EC
> Thank you

The query log entry first reports a client object identifier in
@0x format. Next, it reports the client's IP
address and port number, and the query name, class and type. Next,
it reports whether the Recursion Desired flag was set (+ if set, -
if not set), if the query was signed (S), EDNS was in use along
with the EDNS version number (E(#)), if TCP was used (T), if DO
(DNSSEC Ok) was set (D), if CD (Checking Disabled) was set (C), if
a valid DNS Server COOKIE was received (V), or if a DNS COOKIE
option without a valid Server COOKIE was present (K). After this
the destination address the query was sent to is reported.

client 127.0.0.1#62536 (www.example.com): query: www.example.com IN  +SE
client ::1#62537 (www.example.net): query: www.example.net IN  -SE

(The first part of this log message, showing the client address/port
number and query name, is repeated in all subsequent log messages
related to the same query.)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                INTERNET: ma...@isc.org


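As an added example, not code from the thread or from ISC, here is a Python parser for the query-log line layout Mark quotes from the ARM. It decodes the flag field into named booleans and tallies queries per client address, which is the first thing to do when a query log is reviewed for abuse (for instance clients sending recursion-desired queries to a server that should only answer authoritatively). The sample lines, the addresses and the trailing destination address are constructed for this example; lines the parser does not recognise, including ones whose type field is missing as in the lines quoted above, come back as None.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Query-log line layout, following the ARM "querylog" description quoted above:
#   client [@0x<objid>] <addr>#<port> (<qname>): query: <qname> <class> <type> <flags> [(<dest>)]
# The @0x object identifier and the trailing destination are not present in every BIND version.
QUERYLOG_RE = re.compile(
    r"client\s+(?:(?P<objid>@0x[0-9a-fA-F]+)\s+)?"
    r"(?P<addr>\S+)#(?P<port>\d+)\s+"
    r"\((?P<paren_name>[^)]*)\):\s*query:\s*"
    r"(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)\s+"
    r"(?P<flags>[+-]\S*)"
    r"(?:\s+\((?P<dest>[^)]*)\))?"
)

# Flag field in the order the ARM lists the letters: RD (+/-), S, E or E(n), T, D, C, V, K.
FLAGS_RE = re.compile(
    r"^(?P<rd>[+-])(?P<s>S)?(?:(?P<e>E)(?:\((?P<ever>\d+)\))?)?"
    r"(?P<t>T)?(?P<d>D)?(?P<c>C)?(?P<v>V)?(?P<k>K)?$"
)


@dataclass
class QueryLogEntry:
    client_addr: str
    client_port: int
    qname: str
    qclass: str
    qtype: str
    recursion_desired: bool      # + or -
    signed: bool                 # S: the query was signed
    edns: bool                   # E or E(n)
    edns_version: Optional[int]  # the n in E(n), None on older formats that print a bare E
    tcp: bool                    # T
    dnssec_ok: bool              # D: DO bit set
    checking_disabled: bool      # C: CD bit set
    cookie_valid: bool           # V: valid server cookie received
    cookie_invalid: bool         # K: cookie option present without a valid server cookie
    destination: Optional[str]
    object_id: Optional[str]


def parse_querylog_line(line: str) -> Optional[QueryLogEntry]:
    """Parse one BIND query-log line; None when the line does not match the expected layout."""
    m = QUERYLOG_RE.search(line)  # search(), so timestamp/category/severity prefixes are tolerated
    if m is None:
        return None
    f = FLAGS_RE.match(m.group("flags"))
    if f is None:
        return None
    return QueryLogEntry(
        client_addr=m.group("addr"),
        client_port=int(m.group("port")),
        qname=m.group("qname"),
        qclass=m.group("qclass"),
        qtype=m.group("qtype"),
        recursion_desired=f.group("rd") == "+",
        signed=f.group("s") is not None,
        edns=f.group("e") is not None,
        edns_version=int(f.group("ever")) if f.group("ever") is not None else None,
        tcp=f.group("t") is not None,
        dnssec_ok=f.group("d") is not None,
        checking_disabled=f.group("c") is not None,
        cookie_valid=f.group("v") is not None,
        cookie_invalid=f.group("k") is not None,
        destination=m.group("dest"),
        object_id=m.group("objid"),
    )


def tally_by_client(lines):
    """Per client address: queries parsed, how many had RD set or unset, how many arrived over TCP."""
    counts = defaultdict(lambda: {"parsed": 0, "rd": 0, "no_rd": 0, "tcp": 0})
    for line in lines:
        entry = parse_querylog_line(line)
        if entry is None:
            continue  # unparsable lines are skipped, not counted against any client
        bucket = counts[entry.client_addr]
        bucket["parsed"] += 1
        bucket["rd" if entry.recursion_desired else "no_rd"] += 1
        if entry.tcp:
            bucket["tcp"] += 1
    return dict(counts)


# Constructed sample lines (private, loopback and documentation addresses; names are made up).
SAMPLE_LINES = [
    "client @0x7f8b2c003e60 10.0.0.5#53000 (www.example.com): query: www.example.com IN AAAA +E(0)DV (192.0.2.53)",
    "client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE",
    "18-Aug-2017 13:46:00.123 queries: info: client 10.0.0.7#40000 (example.org): query: example.org IN MX +T (192.0.2.53)",
    "client 10.0.0.5#53001 (example.org): query: example.org IN A +E(0)K",
    # Type field missing, as in the lines quoted in the thread above: the parser rejects it.
    "client 10.0.0.9#64111 (webmail.example.net): query: webmail.example.net IN  + (192.0.2.53)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_querylog_line(line))
    print(tally_by_client(SAMPLE_LINES))
```

The flag regex is anchored, so a letter in an unexpected position (or one the ARM does not list) makes the whole line unparsable rather than silently misdecoded; when a new BIND release adds a flag letter, extend FLAGS_RE rather than loosening it.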

Recommended values for a zone

2018-01-03 Thread Mik J via bind-users
Hello,
I would like to have your thoughts about what should be the best values for
refresh, retry, expire and negative cache.
In my case I have 2 DNS which are hosted in 2 different locations. These
locations are near one another (100km). The latency is very low and packet loss is
0. I configured a lot of zones on my DNS and they are not master for someone
else. This is a very simple setup in terms of master/slave.
I would be tempted to
* configure a high refresh period since I have notify configured on the master.
What about 7200s?
* configure a high retry period because I don't expect the master to be offline,
what about 3600?
* configure a very high expire like 2 days so that the DNS service would work
even if the master is down
* I don't have any opinion about the negative TTL yet but any advice is welcome.
What about your setups if they look like mine?
Regards

Re: Recommended values for a zone

2018-01-03 Thread Mik J via bind-users
Thank you Bob for your answer. I continued to search and saw RFC 1912 page 4. It's
much higher than I first thought.

 

On Wednesday 3 January 2018 at 20:05:57 UTC+1, Bob Harold wrote:
 
 

I typically use an expire time of 14 days or a month.  But that said, you need
some way to get notified that zone transfers are failing. The refresh and retry
are ok, but personally I would set them lower because they don't generate a lot
of traffic, and a notify could get lost.  It depends on how sensitive you are
to extra traffic.
Negative TTL depends partly on how fast you want new (or accidentally deleted)
records to be usable.  I use 10 minutes.
-- Bob Harold
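As an added example, not code from the thread, here is a small Python checker that parses an SOA record from zone-file text and tests the timers against the structural constraints and against the 2-4 week expire that RFC 1912 section 2.2 suggests (the "much higher than I first thought" figure above). The sample SOA is constructed from the values proposed in the question (refresh 7200, retry 3600, expire 2 days) with Bob's 10-minute negative TTL; the checker reports the 2-day expire as below the suggested range and passes Bob's 14 days.

```python
import re
from dataclasses import dataclass
from typing import List

TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# RFC 1912 section 2.2 suggests an expire of 2 to 4 weeks.
RFC1912_EXPIRE_RANGE = (1209600, 2419200)
# RFC 2308 section 5 reports that negative-cache TTLs above one day cause problems.
MAX_SENSIBLE_NEGATIVE_TTL = 86400


@dataclass
class SoaTimers:
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int  # the negative-caching TTL since RFC 2308


def parse_ttl(token: str) -> int:
    """Parse a zone-file TTL: plain seconds or BIND unit notation such as 2d, 10m, 1w2d."""
    token = token.strip().lower()
    if token.isdigit():
        return int(token)
    if not token or re.sub(r"\d+[smhdw]", "", token):
        raise ValueError(f"bad TTL token: {token!r}")
    return sum(int(n) * TTL_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", token))


def parse_soa(record: str) -> SoaTimers:
    """Extract serial/refresh/retry/expire/minimum from an SOA record (parentheses and ; comments allowed)."""
    flat = re.sub(r";[^\n]*", "", record).replace("(", " ").replace(")", " ")
    fields = flat.split()
    try:
        soa_at = [f.upper() for f in fields].index("SOA")
    except ValueError:
        raise ValueError("record has no SOA type field") from None
    rdata = fields[soa_at + 1:]  # mname rname serial refresh retry expire minimum
    if len(rdata) < 7:
        raise ValueError("truncated SOA rdata")
    refresh, retry, expire, minimum = (parse_ttl(t) for t in rdata[3:7])
    return SoaTimers(int(rdata[2]), refresh, retry, expire, minimum)


def check_soa(t: SoaTimers) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    if t.retry >= t.refresh:
        findings.append(f"retry ({t.retry}s) should be a fraction of refresh ({t.refresh}s)")
    if t.expire <= t.refresh + t.retry:
        findings.append(
            f"expire ({t.expire}s) must exceed refresh + retry ({t.refresh + t.retry}s), "
            "or a secondary that misses one refresh drops the zone before its first retry"
        )
    lo, hi = RFC1912_EXPIRE_RANGE
    if not lo <= t.expire <= hi:
        findings.append(f"expire ({t.expire}s) is outside the 2-4 week range RFC 1912 section 2.2 suggests")
    if t.minimum > MAX_SENSIBLE_NEGATIVE_TTL:
        findings.append(f"negative-cache TTL ({t.minimum}s) is above one day (see RFC 2308 section 5)")
    return findings


# Constructed SOA using the values proposed in the thread: refresh 7200, retry 3600, expire 2 days.
EXAMPLE_SOA = """mydomain.org. 3600 IN SOA ns1.mydomain.org. hostmaster.mydomain.org. (
        2018010301 ; serial
        7200       ; refresh
        3600       ; retry
        2d         ; expire
        10m        ; negative-cache TTL
)"""

if __name__ == "__main__":
    timers = parse_soa(EXAMPLE_SOA)
    print(timers)
    for finding in check_soa(timers) or ["no findings"]:
        print(" -", finding)
```

The expire check matters operationally: a short expire protects clients from stale data only if someone is told when transfers fail, which is the monitoring point Bob makes; with no such alerting, a longer expire is the safer failure mode.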

RPZ question autoritative/recursive servers

2019-01-22 Thread Mik J via bind-users
Hello,
I tried to dissociate roles and have:
- 1 set of authoritative master/slave servers
- 1 set of recursive servers
For a zone that I own, the "recursive" servers forward the request to the
authoritative server. Otherwise the server resolves the query directly on the
Internet. The authoritative servers hold my zones and recursion is disabled.
I was reading about RPZ zones but it seems to me these are implemented on
authoritative servers? I'm interested in RPZ zones in order to intercept some
queries aiming at the Internet, youp*rn or wannacry.
As I explained, my authoritative servers are not on the path to the Internet, only
my forward servers are; should I implement the RPZ functionality on these
forward-only servers?

Any thoughts on this ?
Thank you


Advice for DNS reverse zones

2019-02-06 Thread Mik J via bind-users
Hello,
I would like to know how you manage reverse zones and the 10.x.x.x zone
particularly.
I can see three choices:
- One global 10.in-addr.arpa zone
- Many /24 zones, 1.1.10.in-addr.arpa zone
- Something in between
One global zone: The problem is that I end up having a very populated zone and if
someone asks me to set up an ACL or anything like that it has to be global. This
solution might be the easiest but definitely not the best in terms of scalability.
Many /24 zones: The problem is that I end up creating zones all the time or make
them first in one go, so 65536 zones... And when someone has a /16 network I
need to delete the 256 x /24 zones to make one single one.
What do you people do on your DNS servers?

And is it possible to make a 1.1.10.in-addr.arpa for the first 16 addresses (a
/28 network)?
Regards


Re: Advice for DNS reverse zones

2019-02-07 Thread Mik J via bind-users
Hello Bob, Tony,
Thank you for your answers, I'm going to study this topic.
Regards

On Wednesday 6 February 2019 at 21:11:59 UTC+1, Bob Harold wrote:
 
 
For ranges with few records, that don't need to be ACL'ed or delegated, put
them in the 10.in-addr.arpa zone. Any /16 that has a lot of records can be split
off into its own 2.10.in-addr.arpa. And if a /24 gets really busy, you can split
it out as 5.1.10.in-addr.arpa.
There is no need to create all 256 /16's or all the /24's, just create them as
needed.
If having different sizes is too confusing, I suggest all /16's.
-- Bob Harold
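As an added example, not the list's or ISC's code, here is a Python sketch of the layout Bob describes: the in-addr.arpa apex for octet-aligned /8, /16 and /24 prefixes, a lookup that tells which of the configured reverse zones holds the PTR for a given address (longest suffix wins, which is how a mixed layout of 10.in-addr.arpa plus a few split-off /16 and /24 zones resolves), and, for the /28 asked about, the RFC 2317 classless layout that lets the first 16 addresses of a /24 be delegated to their own child zone with CNAMEs in the /24 parent. The zone list and the name-server argument of parent_zone_records are constructed for the example.

```python
import ipaddress
from typing import List, Tuple


def reverse_zone(cidr: str) -> str:
    """in-addr.arpa apex for an octet-aligned IPv4 prefix (/8, /16 or /24)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{cidr}: not octet-aligned; use classless_delegation() for longer prefixes")
    octets = str(net.network_address).split(".")
    kept = octets[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def ptr_owner(ip: str) -> str:
    """PTR owner name for one address, e.g. 20.5.1.10.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def holding_zone(ip: str, zones: List[str]) -> str:
    """Which configured reverse zone holds the PTR for ip: the longest matching suffix wins."""
    name = ptr_owner(ip)
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    if not matches:
        raise LookupError(f"no configured reverse zone covers {ip}")
    return max(matches, key=lambda z: z.count("."))


def classless_delegation(cidr: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """RFC 2317 layout for a prefix longer than /24.

    Returns (parent /24 zone, child zone name, CNAME pairs). Each PTR owner in the
    parent is a CNAME to the same label under the child zone, so the child's
    operator controls the PTR data without owning the whole /24.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if not 25 <= net.prefixlen <= 32:
        raise ValueError(f"{cidr}: classless delegation applies to /25 through /32")
    octets = str(net.network_address).split(".")
    parent = ".".join(reversed(octets[:3])) + ".in-addr.arpa"
    first = int(octets[3])
    child = f"{first}/{net.prefixlen}.{parent}"  # RFC 2317's suggested label, e.g. 0/28
    cnames = [(f"{h}.{parent}", f"{h}.{child}") for h in range(first, first + net.num_addresses)]
    return parent, child, cnames


def parent_zone_records(cidr: str, child_ns: str) -> str:
    """Zone-file fragment for the /24 parent: an NS delegating the child plus the CNAMEs.

    child_ns is the fully qualified (trailing-dot) name server of the child zone; hypothetical.
    """
    parent, child, cnames = classless_delegation(cidr)
    lines = [f"{child}. IN NS {child_ns}"]
    lines += [f"{owner}. IN CNAME {target}." for owner, target in cnames]
    return "\n".join(lines)


# Constructed mixed layout: one global zone plus a split-off /16 and a split-off /24.
CONFIGURED_ZONES = ["10.in-addr.arpa", "2.10.in-addr.arpa", "5.1.10.in-addr.arpa"]

if __name__ == "__main__":
    for cidr in ("10.0.0.0/8", "10.2.0.0/16", "10.1.5.0/24"):
        print(cidr, "->", reverse_zone(cidr))
    for ip in ("10.2.7.9", "10.1.5.20", "10.1.6.20"):
        print(ip, "lives in", holding_zone(ip, CONFIGURED_ZONES))
    print(parent_zone_records("10.1.1.0/28", "ns1.sub.example.net."))
```

Note that once 2.10.in-addr.arpa is loaded as its own zone, any 10.2.x.x PTR still sitting in 10.in-addr.arpa is hidden by the delegation, which is why holding_zone uses longest match: when splitting a range out, move its records at the same time.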


Re: Bind 9.14.1 will not build on OpenBSD 6.5 (amd64)

2019-04-27 Thread Mik J via bind-users
Hello,

I'm also an OpenBSD user.
I see you used CC; can you try with GCC?

I hope that will help.
On Saturday 27 April 2019 at 22:56:25 UTC+2, paranoid sysadmin wrote:
 
I have begun work on upgrading a group of OpenBSD boxes that are used at a
bunch of small sites as a "network services" processor and gateway. The
existing boxes are mostly running some version of 9.12, though one is running a
9.11. Aside from the usual "version-ites" problems, this has been a largely
mechanical "turn the crank and let the scripts run" process.

EXCEPT for Bind. The build process keeps failing when it gets down far enough
to trying to compile isc/lib/rwlock.c which fails miserably. Using the "out of
the box" gcc compiler generates the following:

--- snip ---
gcc -std=gnu99  -I/opt/src/bind-9.14.1 -I../.. -I./unix/include  
-I./pthreads/include  -I./include  -I./include 
-I/opt/src/bind-9.14.1/lib/dns/include  -I../../lib/dns/include -I/usr/include  
    -g -O2 -pthread -I /usr/local/include -I/usr/local/include/libxml2 
-I/usr/local/include -I /usr/local/include -W -Wall -Wmissing-prototypes 
-Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing 
-fno-delete-null-pointer-checks  -c rwlock.c
rwlock.c:51:24: error: immintrin.h: No such file or directory
rwlock.c: In function 'isc__rwlock_lock':
rwlock.c:302: warning: cast to pointer from integer of different size
rwlock.c:302: warning: cast to pointer from integer of different size
rwlock.c:302: warning: assignment makes integer from pointer without a cast
rwlock.c: In function 'isc_rwlock_lock':
rwlock.c:342: warning: implicit declaration of function '_mm_pause'
rwlock.c: In function 'isc_rwlock_trylock':
rwlock.c:395: warning: cast to pointer from integer of different size
rwlock.c:395: warning: cast to pointer from integer of different size
rwlock.c:395: warning: assignment makes integer from pointer without a cast
rwlock.c: In function 'isc_rwlock_tryupgrade':
rwlock.c:427: warning: cast to pointer from integer of different size
rwlock.c:427: warning: cast to pointer from integer of different size
rwlock.c:427: warning: assignment makes integer from pointer without a cast
*** Error 1 in lib/isc (Makefile:273 'rwlock.o')
*** Error 1 in lib (Makefile:89 'subdirs')
*** Error 1 in /opt/src/bind-9.14.1 (Makefile:96 'subdirs')
--- snip ---

After looking, I found that the ./configure had selected the default gcc ( 
4.2.1 ) which is old. I have since retried this with both clang (7.0.1) and 
egcc (8.3.0) with similar, but slightly more illuminating results.

While I'm not much of a C programmer, the problem appears to be in the "new 
code" that was added between 9.12.4-P1 (which  builds fine on this same 
platform) and the 9.14 version. 

--- snip from rwlock.c ---
#if defined(_MSC_VER)
# include 
# define isc_rwlock_pause() YieldProcessor()
#elif defined(__x86_64__)
# include <immintrin.h>
# define isc_rwlock_pause() _mm_pause()
#elif defined(__i386__)
--- snip ---

Since I know you are going to ask, I'm trying to use the following configure:

CC=/usr/bin/cc ./configure --prefix=/usr/local \
--sbindir=/usr/local/sbin \
--bindir=/usr/local/sbin \
--libdir=/usr/local/lib \
--includedir=/usr/local/include \
--mandir=/usr/local/share/man \
--sysconfdir=/etc \
--enable-shared \
--enable-static  \
--with-openssl=/usr \
--with-python=/usr/local/bin/python \
--with-libxml2 \
--with-libjson \
--without-readline \
--without-protobuf-c \
--without-libfstrm \
--with-lmdb \
--disable-dnstap \
--with-dlopen=no

I have tried this with variations on this theme ( with libtool, etc.).

Your thoughts will be appreciated.



-- 
  paranoid sysadmin


RPZ with Spamhaus

2019-06-23 Thread Mik J via bind-users
Hello,

I tried to understand how to use Spamhaus as a RPZ provider but without any 
success.
I'll use the non-commercial service at least for some time because I have a few
servers and one or two users; the traffic is very low.

What I thought I should do first is be able to dig axfr the spamhaus rpz
$ dig axfr rpz.spamhaus.org @ns3.spamhaus.org
Of course I see a failed transfer

I registered in spamhaus but don't know how to be able to axfr the content of 
the zone

Regards



Re: Bind-Efficientip

2019-10-23 Thread Mik J via bind-users
Hello,
Efficient IP uses bind (+ nsd/unbound) as the DNS server.
One major difference between Efficient IP and bind is when you want to delegate
the zone configuration to users and groups. I think it's called role based
management. So let's say you want team1 to have read/write access to the zone
team1.cyberia.net.sa, team2 to team2.cyberia.net.sa... on one server. You can
have team2 be able to view all the content of the zone team1.cyberia.net.sa
and so on. I don't think it's possible to do this on bind only / unix. There are
granular rights.
The second thing is that DHCP, DNS, IPAM work together. You can automate the IP
reservation and the DNS record creation for example.
The ability to import/export data from CSV or API SOAP/REST.
Infoblox and Bluecat are other similar products along with a few others.

etc.




On Monday 21 October 2019 at 18:34:24 UTC+2, - wrote:
 
We tested Bluecat, Infoblox, Solarwinds and EfficientIP solutions. In
the end we went with EfficientIP for our IPAM solution. We don't run
their DNS servers but do use their DHCP package on our own servers.

When we reviewed the major players EfficientIP had the most
versatility in how one could run and setup their products. We still
run our own DNS servers using BIND. Our DNS servers get their zone
files from our EfficientIP server. EfficientIP offer hardware, VMs and
packages for DNS and DHCP. We chose to only use their IPAM VM server
and DHCP package. This is partially to keep from being reliant on a
single vendor. EfficientIP offers a lot of customization, be it you
modifying things or paying them to create them for you. We have done
both.

They are using ISC BIND and DHCP under the hood. In the case of DHCP
they are running their own branch of DHCP to leverage some features
they wanted that ISC didn't provide. The biggest being they can HUP
DHCP instead of restarting it when a config change is made. DNS is
still standard BIND as far as I am aware.

We are very happy with EfficientIP and wouldn't hesitate recommending them.

--
NM


Re: Bind-Efficientip

2019-10-23 Thread Mik J via bind-users
You won't do it within a night, that's for sure. But yes, the vendors assemble
components with a web interface and database. But now it seems to me that all
products add more intelligence.
For my own needs bind alone is all fine because I'm root. But for 500+ users
that need to view, modify some zones, import, export I'm not sure that would be
possible.

On Thursday 24 October 2019 at 00:44:36 UTC+2, Reindl Harald wrote:
 
 

On 24.10.19 at 00:35, Mik J via bind-users wrote:
at the end of the day it's just some interface utilizing the underlying
tools - i don't see why i couldn't expand my webinterface generating
zonefiles since 11 years now with some permission delegation within a
night if needed


RPZ behavior for authoritative servers

2019-10-23 Thread Mik J via bind-users
Hello,
I know that the RPZ functionality aims to block/redirect/log DNS queries from
the inner network.
What about the authoritative DNS facing the Internet?
I receive some spam, I get probed on my webservers etc. Many of these
annoyances start with a DNS query.
What is mydomain.org? My DNS answers 1.2.3.4. Then the annoyances start on port
25 or 80 or 443...
So my question is this one. Is it possible to load a list of IP clients and/or
networks that can be called the "zombie list"? If a computer from the zombie list
wants to resolve mydomain.org, my DNS replies 127.0.0.1 or some IP that is
allocated to an antarctic network. Then, I never get annoyed.
Something like a mix between RPZ and views on my authoritative DNS servers
sitting on the Internet.
Thank you


Re: RPZ behavior for authoritative servers

2019-10-24 Thread Mik J via bind-users
Hello Chuck,
Thank you for this clarification. I get your point and it makes sense.
Regards

On Thursday 24 October 2019 at 05:38:03 UTC+2, Chuck Aurora wrote:
 
 On 2019-10-23 18:14, Mik J via bind-users wrote:
Hi,

> I know that the RPZ functionality aims to block/redirect/log DNS
> queries from the inner network.
> 
> What about the authoritative DNS facing the Internet ?
> 
> I receive some spam, I get probed on my webservers etc.
> Many of these annoiyances start with a DNS query.
> 
> What is mydomain.org ? My DNS answers 1.2.3.4
> Then the annoyances starts on port 25 or 80 or 443...
> 
> So my question is this one.
> Is it possible to load a list of IP clients and/or networks that can
> be called the "zombie list"
> If a computer from the zombie list wants to resolve mydomain.org, my

Here is where you err.  You're assuming that you will know the source
of the query and be able to associate a certain query with an attack.
That's highly improbable.

Most [probably all] of these annoyances are malware running on
compromised machines.  Malware usually makes an effort to stay small,
and as such, it's likely to offload as much as it can to the system
libraries.  Name resolution is a good candidate for offloading.

The system library will send DNS queries to the nameserver[s] as
received from DHCP.  Those nameservers will do the recursion, and you
will see the queries coming from ISP resolvers and open resolvers like
Google's.

> DNS replies 127.0.0.1 or some IP that are allocated to an antartic
> network.
> Then, I never get annoyed.

Even if you DO correctly pin the query to the attack, you do NOT want
to poison Google's cache with misinformation.

Sorry.

Also, if you were to do something like this, please do NOT abuse real
IP address holders, especially not our .AQ friends.  I'm sure network
lag there is bad enough without us making it worse.

-CA

Calculate the size of a DNS record in the cache

2020-07-28 Thread Mik J via bind-users
Hello,
My cache is 100MB and I'd like to know how many records can fit inside.
I suppose that it depends on the record: isc.org is 7 characters and shorter than
http://www.example.com
And it probably depends on the type and address.
So which size would isc.org A 1.1.1.1 be ?

I ask my question because I was wondering how many
nxdomainattack1.example.com, nxdomainattack2.example.com... I can
generate before filling the cache of my recursive server.
According to the RFC, if my example.com SOA TTL is 86400, the NXDOMAIN entry 
would remain in the cache for 1 day.
Thank you for sharing your thoughts


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


How to show run the active configuration on bind

2022-01-04 Thread Mik J via bind-users
Hello,
How can I check which variables are loaded in memory and considered as active?
For example, I would like to check that the value of lame-ttl is 0.
In my named.conf configuration file I have
include "myconf.conf";
lame-ttl 600;
And in the myconf.conf file I have
lame-ttl 0;

So how can I make sure which value is used ?

Thank you


What is the meaning of an ecs log

2022-12-07 Thread Mik J via bind-users
Hello,
I see logs like [ECS 192.168.2.0/24/0] but I don't understand what is the last 
/0 part.
Where can I get an explanation ?
Regards


Re: What is the meaning of an ecs log

2022-12-07 Thread Mik J via bind-users
Hello Daren,

The entire message is
client @0x53eda9122d0 172.16.11.2#48171 (example.org): query: example.org IN A 
-E(0)DC (1.2.3.4) [ECS 192.168.2.0/24/0]

The version is: 9.18.7
It's both authoritative and recursive




On Thursday, 8 December 2022 at 01:56:57 UTC+1, Darren Ankney wrote:

Is that the entire log message or just part of it?  Is this a
recursive or authoritative name server?  What version of bind?

Logging is covered in the manual though I don't really see a
comprehensive explanation of message format (maybe it's there and I'm
just not seeing it).
https://bind9.readthedocs.io/en/v9_18_9/reference.html#logging-block-grammar

On Wed, Dec 7, 2022 at 7:42 PM Mik J via bind-users wrote:
>
> Hello,
> I see logs like [ECS 192.168.2.0/24/0] but I don't understand what is the 
> last /0 part.
> Where can I get an explanation ?
> Regards


Re: What is the meaning of an ecs log

2022-12-07 Thread Mik J via bind-users
Thank you for your answer and pointing out this information.

When I showed you this message
client @0x53eda9122d0 172.16.11.2#48171 (example.org): query: example.org IN A 
-E(0)DC (1.2.3.4) [ECS 192.168.2.0/24/0

This query was to my authoritative server which holds example.org
The client IP is a Google DNS public IP (I had changed the IP to 172.16.11.2)
And the 192.168.2.0/24 prefix is a prefix from a hosting company in Turkey (I 
had changed the IP)

So I suppose that a machine hosted in that 192.168.2.0/24 subnet uses Google DNS
as a resolver. And that resolver is querying my authoritative DNS.

I had read the documentation and this /0 is noted as a scope
"a statement which appears in a zone block has scope only for that zone"
I understand this sentence but I don't understand this /0

In my logs it's always a /0
I'm wondering in which case it could be different from a /0




On Thursday, 8 December 2022 at 02:36:40 UTC+1, Darren Ankney wrote:

Found the answer in the manual:

"Finally, if any CLIENT-SUBNET option was present in the client query,
it is included in square brackets in the format [ECS
address/source/scope]."
https://bind9.readthedocs.io/en/v9_18_9/reference.html#namedconf-statement-category

On Wed, Dec 7, 2022 at 8:25 PM Mik J via bind-users wrote:
>
> Hello Daren,
>
> The entire message is
> client @0x53eda9122d0 172.16.11.2#48171 (example.org): query: example.org IN 
> A -E(0)DC (1.2.3.4) [ECS 192.168.2.0/24/0]
>
> The version is: 9.18.7
> It's both authoritative and recursive
>
>
>
>
> On Thursday, 8 December 2022 at 01:56:57 UTC+1, Darren Ankney wrote:
>
>
>
>
>
> Is that the entire log message or just part of it?  Is this a
> recursive or authoritative name server?  What version of bind?
>
> Logging is covered in the manual though I don't really see a
> comprehensive explanation of message format (maybe it's there and I'm
> just not seeing it).
> https://bind9.readthedocs.io/en/v9_18_9/reference.html#logging-block-grammar
>
> On Wed, Dec 7, 2022 at 7:42 PM Mik J via bind-users wrote:
> >
> > Hello,
> > I see logs like [ECS 192.168.2.0/24/0] but I don't understand what is the 
> > last /0 part.
> > Where can I get an explanation ?
> > Regards
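As an added example, not from the thread or from BIND itself: a Python parser for the query log line quoted above that splits the [ECS address/source/scope] suffix Darren found in the manual, decodes the -E(0)DC flag field, and checks the option against the RFC 7871 rules for queries (a query's scope prefix length must be 0, which is why a logged query always shows /0). The sample line is constructed from the anonymised one in the thread, and the helper names are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the log line quoted in the thread (already anonymised there).
SAMPLE = ("client @0x53eda9122d0 172.16.11.2#48171 (example.org): query: "
          "example.org IN A -E(0)DC (1.2.3.4) [ECS 192.168.2.0/24/0]")

LINE_RE = re.compile(
    r"client @\S+ (?P<client>[^#\s]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): query: "
    r"(?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<local>[^)]*)\)"
    r"(?: \[ECS (?P<ecs_addr>[^/\]]+)/(?P<source>\d+)/(?P<scope>\d+)\])?"
)

def decode_flags(flags):
    """Expand the compact flag field ('-E(0)DC') per the BIND ARM legend:
    +/- recursion desired, S signed, E(n) EDNS version, T TCP, D DO, C CD."""
    out = {"rd": flags.startswith("+"), "edns": None}
    m = re.search(r"E\((\d+)\)", flags)
    if m:
        out["edns"] = int(m.group(1))
        flags = flags.replace(m.group(0), "")
    for key, letter in (("signed", "S"), ("tcp", "T"), ("do", "D"), ("cd", "C")):
        out[key] = letter in flags
    return out

def parse_query_log(line):
    """Return the fields of one 'queries' category log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = decode_flags(rec["flags"])
    if rec["ecs_addr"] is not None:
        rec["source"], rec["scope"] = int(rec["source"]), int(rec["scope"])
    return rec

def ecs_findings(rec):
    """Check the logged Client Subnet option against RFC 7871 rules for queries."""
    findings = []
    if not rec or rec.get("ecs_addr") is None:
        return findings
    # A query's SCOPE PREFIX-LENGTH must be 0 (RFC 7871 section 6).
    if rec["scope"] != 0:
        findings.append("non-zero scope in a query")
    # ADDRESS bits beyond SOURCE PREFIX-LENGTH must be zero.
    try:
        ipaddress.ip_network(f'{rec["ecs_addr"]}/{rec["source"]}', strict=True)
    except ValueError:
        findings.append("ECS address has host bits set beyond its source prefix")
    return findings
```

For the sample line, the flags decode to RD clear (an iterative query from a resolver), EDNS version 0, DO and CD set, and ecs_findings returns an empty list; a scope other than 0 or an unmasked address would be reported.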