IPV6 & BULK DNS Resource Records
Hi Bind Developers, Just wondering if there are any plans to have BIND DNS support synthetic DNS records Is there anything similar to the below in the BIND development pipeline? Such a feature would be very valuable for IPv6 PTR record creations without using the memory consuming $GENERATE directive. https://tools.ietf.org/html/draft-woodworth-bulk-rr-07 Thanks Neil ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
BIND 9.9.8 Assertion Failure
Hi Bind Community,
Had a BIND Crash on 9.9.8.
Any ideas?
12-Oct-2015 02:09:06.457 general: error: socket.c:5407: unexpected error:
12-Oct-2015 02:09:06.458 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 02:59:08.850 general: error: socket.c:5407: unexpected error:
12-Oct-2015 02:59:08.850 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 04:55:34.944 general: error: socket.c:5407: unexpected error:
12-Oct-2015 04:55:34.944 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 06:15:35.638 general: error: socket.c:5407: unexpected error:
12-Oct-2015 06:15:35.638 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 07:55:37.894 general: error: socket.c:5407: unexpected error:
12-Oct-2015 07:55:37.894 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 08:29:12.235 security: error: client 12.168.40.21#32469: view
host_resolver_trusted: request has invalid signature: TSIG
alexlembke.members.mac.com: tsig verify failure (BADKEY)
12-Oct-2015 08:35:39.175 general: error: socket.c:5407: unexpected error:
12-Oct-2015 08:35:39.176 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 08:49:17.268 general: error: socket.c:5407: unexpected error:
12-Oct-2015 08:49:17.268 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 08:50:37.524 general: error: socket.c:5407: unexpected error:
12-Oct-2015 08:50:37.524 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 09:39:10.215 general: error: socket.c:5407: unexpected error:
12-Oct-2015 09:39:10.215 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 10:15:40.924 general: error: socket.c:5407: unexpected error:
12-Oct-2015 10:15:40.924 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 10:29:08.849 general: error: socket.c:5407: unexpected error:
12-Oct-2015 10:29:08.850 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 11:15:41.259 general: error: socket.c:5407: unexpected error:
12-Oct-2015 11:15:41.260 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 12:49:38.443 general: error: socket.c:5407: unexpected error:
12-Oct-2015 12:49:38.443 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 19:39:08.302 general: error: socket.c:5407: unexpected error:
12-Oct-2015 19:39:08.302 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 20:15:49.022 general: error: socket.c:5407: unexpected error:
12-Oct-2015 20:15:49.023 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 20:35:49.056 general: error: socket.c:5407: unexpected error:
12-Oct-2015 20:35:49.056 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 21:01:47.916 general: critical: resolver.c:1784:
INSIST(fctx->references > 1) failed
12-Oct-2015 21:01:47.916 general: critical: exiting (due to assertion
failure)
Neil
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mukund Sivaraman
Sent: Monday, 12 October 2015 7:59 PM
To: Wolfgang Riedel [CISCO] <wolfg...@cisco.com>
Cc: bind-users@lists.isc.org
Subject: Re: RPZ - override TXT records {REP=5.6}
Hi Wolfgang
On Thu, Oct 08, 2015 at 11:25:14PM +0200, Wolfgang Riedel [CISCO] wrote:
> Hi Folks,
>
> I am currently struggling with using RPZ for inserting or overriding
> TXT resource records.
>
> This is my goal:
>
>; do not rewrite www.cisco.com (so, PASSTHRU) and add or override
>missing metadata
>www.cisco.com CNAME rpz-passthru.
>www.cisco.com TXT "CISCO-CLS=app-name:HTTP|app-class:TD"
>
> What work's is that I can do one or the other but not both at the same
> time if I need to use a CNAME.
>
> This works:
>
>wolfgang.dns-as.org A 193.34.28.108
>wolfgang.dns-as.org TXT "CISCO-CLS=app-name:RPZ|app-class:TD"
>
> but in reality this will not work for CDN or load-balanced sites which
> don't have fixed IP address.
>
> Any hint's what I am doing wrong?
You aren't doing anything wrong. Yours is a corner case.
I hope I understood what you're trying to do correctly: From the zone
comment, perhaps you want the TXT query type to return the TXT RDATA you've
supplied and everything else passthru to regular processing. It can't be
done as triggers don't use the question's TYPE field.
An alternative is to include all the RRs for that QNAME in the answer (your
second example). Yours is a weird case, because you can't use the following
in the policy zone which named wouldn't allow loading (it won't allow CNAME
to coexist):
www.cisco.com CNAME www.cisco.com.akadns.net.
www.cisco.com TXT "CISCO-CLS=app-name:HTTP|app-class:TD"
So using the A record (your second example) or adding triggers for the
target of the CNAME record chain
RE: BIND 9.9.8 Assertion Failure {REP=5.5}
Hi Wah,
RHEL 6.7
BIND 9.9.8 (Extended Support Version)
built by make with '--prefix=/usr/local' '--enable-threads'
'--enable-fixed-rrset' '--enable-fetchlimit' '--with-openssl=/usr'
'--with-libtool' '--with-make-clean'
Just did another recompile as you said, What would the cause be?
Thinking of going back to some other version.
From: Wah Peng [mailto:wah_p...@yahoo.com.sg]
Sent: Monday, 12 October 2015 10:37 PM
To: Neil <nei...@iprimus.com.au>
Cc: bind-users@lists.isc.org
Subject: Re: BIND 9.9.8 Assertion Failure {REP=5.5}
What system and what release of BIND?
I met this similiar issue months ago and I just recompiled from the source then
the problem got fixed.
regards,
Wah.
2015-10-12 18:30 GMT+08:00 Neil <nei...@iprimus.com.au
<mailto:nei...@iprimus.com.au> >:
Hi Bind Community,
Had a BIND Crash on 9.9.8.
Any ideas?
12-Oct-2015 02:09:06.457 general: error: socket.c:5407: unexpected error:
12-Oct-2015 02:09:06.458 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 02:59:08.850 general: error: socket.c:5407: unexpected error:
12-Oct-2015 02:59:08.850 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 04:55:34.944 general: error: socket.c:5407: unexpected error:
12-Oct-2015 04:55:34.944 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 06:15:35.638 general: error: socket.c:5407: unexpected error:
12-Oct-2015 06:15:35.638 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 07:55:37.894 general: error: socket.c:5407: unexpected error:
12-Oct-2015 07:55:37.894 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 08:29:12.235 security: error: client 12.168.40.21#32469: view
host_resolver_trusted: request has invalid signature: TSIG
alexlembke.members.mac.com <http://alexlembke.members.mac.com> : tsig verify
failure (BADKEY)
12-Oct-2015 08:35:39.175 general: error: socket.c:5407: unexpected error:
12-Oct-2015 08:35:39.176 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 08:49:17.268 general: error: socket.c:5407: unexpected error:
12-Oct-2015 08:49:17.268 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 08:50:37.524 general: error: socket.c:5407: unexpected error:
12-Oct-2015 08:50:37.524 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 09:39:10.215 general: error: socket.c:5407: unexpected error:
12-Oct-2015 09:39:10.215 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 10:15:40.924 general: error: socket.c:5407: unexpected error:
12-Oct-2015 10:15:40.924 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 10:29:08.849 general: error: socket.c:5407: unexpected error:
12-Oct-2015 10:29:08.850 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 11:15:41.259 general: error: socket.c:5407: unexpected error:
12-Oct-2015 11:15:41.260 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 12:49:38.443 general: error: socket.c:5407: unexpected error:
12-Oct-2015 12:49:38.443 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 19:39:08.302 general: error: socket.c:5407: unexpected error:
12-Oct-2015 19:39:08.302 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 20:15:49.022 general: error: socket.c:5407: unexpected error:
12-Oct-2015 20:15:49.023 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 20:35:49.056 general: error: socket.c:5407: unexpected error:
12-Oct-2015 20:35:49.056 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 21:01:47.916 general: critical: resolver.c:1784:
INSIST(fctx->references > 1) failed
12-Oct-2015 21:01:47.916 general: critical: exiting (due to assertion
failure)
Neil
-Original Message-
From: bind-users-boun...@lists.isc.org
<mailto:bind-users-boun...@lists.isc.org>
[mailto:bind-users-boun...@lists.isc.org
<mailto:bind-users-boun...@lists.isc.org> ] On Behalf Of Mukund Sivaraman
Sent: Monday, 12 October 2015 7:59 PM
To: Wolfgang Riedel [CISCO] <wolfg...@cisco.com <mailto:wolfg...@cisco.com> >
Cc: bind-users@lists.isc.org <mailto:bind-users@lists.isc.org>
Subject: Re: RPZ - override TXT records {REP=5.6}
Hi Wolfgang
On Thu, Oct 08, 2015 at 11:25:14PM +0200, Wolfgang Riedel [CISCO] wrote:
> Hi Folks,
>
> I am currently struggling with using RPZ for inserting or overriding
> TXT resource records.
>
> This is my goal:
>
>; do not rewrite www.cisco.com <http://www.cisco.com> (so, PASSTHRU) and
> add or override
>missing metadata
>www.cisco.com <http://www.cisco.com> CNAME rpz-passthru.
>www.cisco.com <http://www.cisco.com> TXT
> "CISCO-CLS=app-name:HTTP|app-class:TD"
>
> What work's is that I can do one or the other but not both at the same
> time if I need to use a CNAME.
>
> This works:
>
>wolf
Bind 9.9.8 assertion failure
Had a crash on bind recursive server, Is this a BUG or just handler limits causing the issue? Should bind core dump because of this? 02-Oct-2015 18:03:01.110 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.110 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.110 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.110 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.119 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.122 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.126 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.129 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.139 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.139 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.141 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.141 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.142 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.142 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.153 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.153 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.155 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.156 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.158 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.158 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.163 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.164 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.165 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.165 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.167 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.167 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.182 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.184 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.188 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.188 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.190 general: error: socket: file descriptor exceeds limit (4096/4096) 02-Oct-2015 18:03:01.190 general: critical: resolver.c:1784: INSIST(fctx->references > 1) failed 02-Oct-2015 18:03:01.190 general: critical: exiting (due to assertion failure) Neil ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: 9.10.2-P2 not receiving/logging inbound queries. {REP=5.6}
Hi Bob,
(dns1)[/etc/]root# sestatus
SELinux status: disabled
Thanks
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bob McDonald
Sent: Friday, 10 July 2015 11:25 PM
To: bind-us...@isc.org
Subject: Re: 9.10.2-P2 not receiving/logging inbound queries. {REP=5.6}
Is SELINUX enabled on the server? (several of the red hat centric distros have
it enabled by default.) That would cause the server to act as if it were
running normally while not accepting queries.
Regards,
Bob
Message: 2
Date: Fri, 10 Jul 2015 08:42:32 +1000
From: Neil mailto:nei...@iprimus.com.au nei...@iprimus.com.au
To: 'Tony Finch' mailto:d...@dotat.at d...@dotat.at
Cc: mailto:bind-users@lists.isc.org bind-users@lists.isc.org
Subject: RE: 9.10.2-P2 not receiving/logging inbound queries.
{REP=5.6}
Message-ID: 02dc01d0ba98$8bca4a30$a35ede90$@ http://iprimus.com.au/
iprimus.com.au
Content-Type: text/plain; charset=us-ascii
Yes
-Original Message-
From: Tony Finch [mailto: mailto:fa...@hermes.cam.ac.uk
fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
Sent: Thursday, 9 July 2015 7:50 PM
To: Neil
Cc: mailto:bind-users@lists.isc.org bind-users@lists.isc.org
Subject: Re: 9.10.2-P2 not receiving/logging inbound queries. {REP=5.6}
Neil mailto:nei...@iprimus.com.au nei...@iprimus.com.au wrote:
What would cause a query to not show in any logs on BIND 9.10.2-p2,
seems
9.10.2-p2 is not receiving
Is your server able to make queries over TCP?
Tony.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: 9.10.2-P2 not receiving/logging inbound queries. {REP=5.6}
Yes
-Original Message-
From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
Sent: Thursday, 9 July 2015 7:50 PM
To: Neil
Cc: bind-users@lists.isc.org
Subject: Re: 9.10.2-P2 not receiving/logging inbound queries. {REP=5.6}
Neil nei...@iprimus.com.au wrote:
What would cause a query to not show in any logs on BIND 9.10.2-p2,
seems
9.10.2-p2 is not receiving
Is your server able to make queries over TCP?
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/ Viking, North Utsire:
Northwesterly 5 to 7, occasionally gale 8 at first, decreasing 4 later in
Viking. Rough or very rough, becoming moderate later.
Showers. Good.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
9.10.2-P2 not receiving/logging inbound queries.
Hi binders, What would cause a query to not show in any logs on BIND 9.10.2-p2, seems 9.10.2-p2 is not receiving Queries tcpdump shows the query's getting in but bind does not show the same incoming query in its logs, Therefore no response is returned ID8 shows this. Load on dns server is low with ~600 r-clients. The dummyrecordtest is a local hosted (test/canary) record on the recursive server. 122.150.6.5 is a recursive server with a virtual eth1:1 nic in CeonOS64bit on VMware with setting of responses-per-second 0; Running bind 9.9.7 does not show the same issues of missed inbound query's not being received by bind. Could this be some sort of socket/binding issue in bind9.10.2?, Is there something I need to do in the bind config? Sequence of bind logs and tcpdump were matched on time and clients source port. #Tcpdump log # ID1 13:07:39.567250 IP 122.150.6.3.7397 122.150.6.5.53: 26437+ A? dummyrecordtest. (50) ID1 13:07:39.567542 IP 122.150.6.5.53 122.150.6.3.7397: 26437* 1/0/0 A 254.254.254.254 (66) ID2 13:07:50.633388 IP 122.150.6.2.46493 122.150.6.5.53: 26437+ A? dummyrecordtest. (50) ID2 13:07:50.633554 IP 122.150.6.5.53 122.150.6.2.46493: 26437* 1/0/0 A 254.254.254.254 (66) ID3 13:07:54.496787 IP 122.150.6.3.55067 122.150.6.5.53: 26437+ A? dummyrecordtest. (50) ID3 13:07:54.497113 IP 122.150.6.5.53 122.150.6.3.55067: 26437* 1/0/0 A 254.254.254.254 (66) ID4 13:08:05.562151 IP 122.150.6.2.43627 122.150.6.5.53: 26437+ A? dummyrecordtest. (50) ID4 13:08:05.562309 IP 122.150.6.5.53 122.150.6.2.43627: 26437* 1/0/0 A 254.254.254.254 (66) ID5 13:08:09.523669 IP 122.150.6.3.42231 122.150.6.5.53: 26437+ A? dummyrecordtest. (50) ID5 13:08:09.523787 IP 122.150.6.5.53 122.150.6.3.42231: 26437* 1/0/0 A 254.254.254.254 (66) ID6 13:08:20.588682 IP 122.150.6.2.45139 122.150.6.5.53: 26437+ A? dummyrecordtest. (50) ID6 13:08:20.589284 IP 122.150.6.5.53 122.150.6.2.45139: 26437* 1/0/0 A 254.254.254.254 (66) ID7 13:08:24.545489 IP 122.150.6.3.45318 122.150.6.5.53: 26437+ A? dummyrecordtest. (50) ID7 13:08:24.548876 IP 122.150.6.5.53 122.150.6.3.45318: 26437* 1/0/0 A 254.254.254.254 (66) We get the packet coming in to the host but nothing logged into bind as show in queylog below ID8 13:08:35.620586 IP 122.150.6.2.59437 122.150.6.5.53: 26437+ A? dummyrecordtest. (50) ID9 13:08:39.577113 IP 122.150.6.3.43186 122.150.6.5.53: 26437+ A? dummyrecordtest. (50) ID9 13:08:39.589492 IP 122.150.6.5.53 122.150.6.3.43186: 26437* 1/0/0 A 254.254.254.254 (66) #Bind query log # ID1 09-Jul-2015 13:07:39.567 queries: info: client 122.150.6.3#7397 (dummyrecordtest): view resolver: query: dummyrecordtest IN A + (122.150.6.5) ID2 09-Jul-2015 13:07:50.633 queries: info: client 122.150.6.2#46493 (dummyrecordtest): view resolver: query: dummyrecordtest IN A + (122.150.6.5) ID3 09-Jul-2015 13:07:54.496 queries: info: client 122.150.6.3#55067 (dummyrecordtest): view resolver: query: dummyrecordtest IN A + (122.150.6.5) ID4 09-Jul-2015 13:08:05.562 queries: info: client 122.150.6.2#43627 (dummyrecordtest): view resolver: query: dummyrecordtest IN A + (122.150.6.5) ID5 09-Jul-2015 13:08:09.523 queries: info: client 122.150.6.3#42231 (dummyrecordtest): view resolver: query: dummyrecordtest IN A + (122.150.6.5) ID6 09-Jul-2015 13:08:20.588 queries: info: client 122.150.6.2#45139 (dummyrecordtest): view resolver: query: dummyrecordtest IN A + (122.150.6.5) ID7 09-Jul-2015 13:08:24.548 queries: info: client 122.150.6.3#45318 (dummyrecordtest): view resolver: query: dummyrecordtest IN A + (122.150.6.5) ID8 No query received into bind.??? ID9 09-Jul-2015 13:08:39.589 queries: info: client 122.150.6.3#43186 (dummyrecordtest): view resolver: query: dummyrecordtest IN A + (122.150.6.5) Thanks Neil ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
BIND recursive - DNS Nonsense Name Attacks
Hi Bind users, Just wondering if anyone else has seen the DNS nonsense name attacks on their recursives? Any way to mitigate such attacks? Currently running version 9.10, I already ACL's and have RPZ deployed but this is a reactive solution. I read that fetches-per-server and fetches-per-zone have been deployed to subscription releases, any time line for code to be released in the public version? Anything else I can do? Some tcpdump logs 17:35:26.520596 IP 211.27.99.62.1028 210.50.44.4.53: 17436+ A? nbpdrsthvwxlm.w.jiajiaxhhq.com. (52) 17:35:26.572225 IP 211.27.99.62.1028 210.50.44.4.53: 17437+ A? gcjycliyggj.w.jiajiaxhhq.com. (50) 17:35:26.604453 IP 211.27.99.62.1028 210.50.44.4.53: 17438+ A? zvltevrzkmfhtcq.w.jiajiaxhhq.com. (54) 17:35:26.605662 IP 211.27.99.62.1028 210.50.44.4.53: 17439+ A? xcfpgnlbbwvwoyk.w.jiajiaxhhq.com. (54) 17:35:26.63 IP 211.27.99.62.1028 210.50.44.4.53: 17440+ A? ttqikqwpcvk.w.jiajiaxhhq.com. (50) 17:35:26.704413 IP 211.27.99.62.1028 210.50.44.4.53: 17441+ A? abcqrsghijxlz.w.jiajiaxhhq.com. (52) 17:35:26.704950 IP 211.27.99.62.1028 210.50.44.4.53: 17442+ A? aopdefthijklm.w.jiajiaxhhq.com. (52) 17:35:26.715783 IP 211.27.98.70.1029 210.50.44.4.53: 63183+ A? eqw.w.jiajiaxhhq.com. (42) 17:35:26.760114 IP 210.50.8.23.41508 210.50.44.4.53: 56630+ A? yjmtmpqxwbuh.w.jiajiaxhhq.com. (51) 17:35:26.762262 IP 210.50.8.23.41508 210.50.44.4.53: 54127+ A? abelutejkzcl.w.jiajiaxhhq.com. (51) 17:35:26.835637 IP 211.27.99.62.1028 210.50.44.4.53: 17443+ A? nbcqrsthvwxym.w.jiajiaxhhq.com. (52) Thanks Neil ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: BIND NXDOMAIN {REP=5.1}
That solution worked Mark , Thank you.
One more question, is it possible perform the below, from the left to right
The below does not work on NXDOMAIN override.
autodiscover.*. IN A 192.168.0.1
autodiscover.nxdomain.com.au should return 192.168.0.1
autodiscover.domainnoexist.net.au should return 192.168.0.1
Is something like this possible?
Thanks
Neil
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Tuesday, 23 September 2014 9:49 AM
To: Neil
Cc: bind-us...@isc.org
Subject: Re: BIND NXDOMAIN {REP=5.1}
You just have to break the wildcard matching.
*. IN A 10.100.100.4
*.au. IN A 10.100.100.4
*.com.au. IN A 10.100.100.4
nooverride.com.au. TXT break wildcard matching
nxreturn.com.au. TXT break wildcard matching
Mark
In message 00ab01cfd60d$1365a0a0$3a30e1e0$@iprimus.com.au, Neil writes:
Hi,
We are investigating the features of NXDOMAIN redirect as explained in
https://kb.isc.org/article/AA-00376/0/BIND-9.9-redirect-zones-for-NXDO
MAIN-r
edirection.html
We are running BIND 9.9 stream.
My question is, Is it possible to whitelist particular domains?, The
ARM does
Not refer to any form of whitelisting
zone . {
type redirect;
file db.redirect ;
};
So if my db.redirect has the below for Status=NXDOMAIN to return the
below RR A
*. IN A 10.100.100.4
But I want to return status:NXDOMAIN for only the below domains
*.nooverride.com.au
*.nxreturn.com.au
Is this possible? If not a modification to query.c is the only option.
Has anyone got a src patch for this feature?
Thanks
Neil
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
BIND NXDOMAIN
Hi,
We are investigating the features of NXDOMAIN redirect as explained in
https://kb.isc.org/article/AA-00376/0/BIND-9.9-redirect-zones-for-NXDOMAIN-r
edirection.html
We are running BIND 9.9 stream.
My question is, Is it possible to whitelist particular domains?, The ARM
does
Not refer to any form of whitelisting
zone . {
type redirect;
file db.redirect ;
};
So if my db.redirect has the below for Status=NXDOMAIN to return the below
RR A
*. IN A 10.100.100.4
But I want to return status:NXDOMAIN for only the below domains
*.nooverride.com.au
*.nxreturn.com.au
Is this possible? If not a modification to query.c is the only option.
Has anyone got a src patch for this feature?
Thanks
Neil
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Forward zone giving SERVFAIL
Hello:
I set up a forward zone in the internal view of my named.conf:
view internal {
match-clients {
127.0.0.1;
};
recursion yes;
allow-query-cache { any; };
zone dnsbl {
type forward;
forwarders {
127.0.0.1 port 54;
};
forward only;
};
};
When I run dig against the forward zone:
dig -p 54 @127.0.0.1 2.0.0.127.zen.dnsbl
It gives me the expected output:
; DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 -p 54 @127.0.0.1
2.0.0.127.zen.dnsbl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 57571
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;2.0.0.127.zen.dnsbl. IN A
;; ANSWER SECTION:
2.0.0.127.zen.dnsbl.300 IN A 127.0.0.2
2.0.0.127.zen.dnsbl.300 IN A 127.0.0.10
2.0.0.127.zen.dnsbl.300 IN A 127.0.0.4
;; Query time: 1 msec
;; SERVER: 127.0.0.1#54(127.0.0.1)
;; WHEN: Wed Nov 27 21:24:45 2013
;; MSG SIZE rcvd: 85
But, when I run dig against bind:
dig -p 53 @127.0.0.1 2.0.0.127.zen.dnsbl
I get a SERVFAIL response:
; DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 -p 53 @127.0.0.1
2.0.0.127.zen.dnsbl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 46895
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;2.0.0.127.zen.dnsbl. IN A
;; Query time: 144 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 27 21:25:50 2013
;; MSG SIZE rcvd: 37
Taking a look at /var/named/data/named.run, I see these lines:
error (chase DS servers) resolving 'zen.dnsbl/DS/IN': 127.0.0.1#54
error (unexpected RCODE REFUSED) resolving 'dnsbl/NS/IN': 127.0.0.1#54
error (no valid DS) resolving '2.0.0.127.zen.dnsbl/A/IN': 127.0.0.1#54
I am not sure what to make of this.
Anyone have any ideas?
Thanks,
Neil
--
Neil Aggarwal, (972) 834-1565
We lend money to investors to buy or refinance single family rent houses.
No origination fees, quick approval, no credit check.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
BIND DNSSEC-Validation issue sceggs.nsw.edu.au
Hi BIND Users I am currently trialing Bind v9.8.1 and have come across a issue with 1 particular domain. For some reason when I query the below domain on bind resolver-cache nothing gets returned.? dig @server sceggs.nsw.edu.au ns The debug logs show 13-Sep-2011 10:11:27.272 query-errors: debug 1: client 203.134.1.70#10309: view host_resolver_trusted: query failed (SERVFAIL) for sceggs.nsw.edu.au/IN/NS at query.c:6195 13-Sep-2011 10:11:27.272 query-errors: debug 2: fetch completed at resolver.c:3160 for sceggs.nsw.edu.au/NS in 30.000122: timed out/success [domain:sceggs.nsw.edu.au,referral:0,restart:7,qrysent:7,timeout:6,lame:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0] named.conf has the below settings for dnssec dnssec-enable yes; dnssec-validation auto; Even with the below and managed-keys still does not work dnssec-enable yes; dnssec-validation yes; The only way a result is given is to turn off dnssec-validation then it works! dnssec-validation no; Only then a result is given for the query. The domain is in the AU space which is not currently signed. So I don't know why this would affect sec-validation and the queried domain? Also noticed its happening in 9.7.2-P3 Any ideas why this is happening and how to fix it without loosing dnssec-validation? Does anyone else have the same issue with the above scenario? Thanks Neil ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
RE: Questions about DNAME records
I'm happy with the concept of views, and have used them previously.
Ideally, though (as Chris mentioned) I don't want to have to manage zone
data for the externally used domain, both on my name servers, and those
where it's really provided - on a managed service, hosted and provided
externally.
Having never used DNAME records before, I was really just curious as to
whether I could use them to kind of simply deal with a small number of
records for purely internal usage, without interrupting our internal
resolution of the public names.
But Chris's suggestion of subdomains looks to be very useful - many
thanks for that.
Neil
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Joseph S D Yao
Sent: 19 June 2009 02:43
To: Chris Buxton
Cc: Braebaum, Neil; bind-us...@isc.org
Subject: Re: Questions about DNAME records
On Thu, Jun 18, 2009 at 02:12:07PM -0700, Chris Buxton wrote:
...
Yes, that will absolutely work. But the OP requested a
method that did
not involve managing the public data in two places.
...
Which is exactly what views are for. External data is kept
in ONE file,
as below.
named.conf:
...
acl localfolk {
localhost;
LOC.AL.NET.WORK/MASK;
...
};
view internal {
// This should match our internal networks.
match-clients { localfolk; };
// Provide recursive service to internal clients only.
recursion yes;
// Provide a complete view of the example.com zone
// including addresses of internal hosts.
zone example.com {
type master;
file zone.example.int;
};
};
view external {
// Match all clients not matched by the previous view.
match-clients { any; };
// Refuse recursive service to external clients.
recursion no;
// Provide a restricted view of the example.com zone
// containing only publicly accessible hosts.
zone example.com {
type master;
file zone.example.ext;
};
};
zone.example.ext:
$TTL1d
@ IN SOA ...
IN NS ...
// Remember to increment the SOA serial number when this is
// updated!
$INCLUDE data/example.ext.data
zone.example.int:
$TTL1d
@ IN SOA ...
IN NS ...
// Remember to increment the SOA serial number when either of
// these is updated!
$INCLUDE data/example.ext.data
$INCLUDE data/example.int.data
*
This email and its attachments are confidential to the intended recipient. If
this has come to you in error, please notify the sender immediately and delete
this email from your system. You must take no action based on this email, nor
must you copy or disclose it or any part of its contents to any person or
organisation. Please note that email communications may be monitored. The
registered office of Shop Direct Limited is First Floor, Skyways House, Speke
Road, Speke, Liverpool, L70 1AB, registered number 04730752.
Subsidiary companies of Shop Direct Limited include:
Shop Direct Group Financial Services Limited (SDGFS), Shop Direct Financial
Services Limited (SDFS) and Shop Direct Finance Company Limited (SDFC). The
registered office of SDGFS, SDFS and SDFC is Aintree Innovation Centre, Park
Lane, Netherton, Bootle, L30 1SL, registered numbers 05200103 (SDGFS), 04730706
(SDFS) and 04660974 (SDFC). SDFS and SDFC are authorised and regulated by the
Financial Services Authority in respect of arranging insurance products.
Shop Direct Contact Centres Limited (SDCC) and Shop Direct Home Shopping
Limited (SDHS). The registered office of SDCC and SDHS is First Floor, Skyways
House, Speke Road, Speke, Liverpool, L70 1AB, registered numbers 05330323
(SDCC), 04663281 (SDHS).
All companies registered in England.
*
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Questions about DNAME records
I don't run the external domain / zone, it's provided by a managed
service - I merely tell them the contents.
That's why I'd already ruled out views. I don't want to have to
duplicate the entries for internal use of external values, nor do I want
to drag the running of the domain to my internal nameservers.
Neil
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Joseph S D Yao
Sent: 19 June 2009 02:43
To: Chris Buxton
Cc: Braebaum, Neil; bind-us...@isc.org
Subject: Re: Questions about DNAME records
On Thu, Jun 18, 2009 at 02:12:07PM -0700, Chris Buxton wrote:
...
Yes, that will absolutely work. But the OP requested a
method that did
not involve managing the public data in two places.
...
Which is exactly what views are for. External data is kept
in ONE file,
as below.
named.conf:
...
acl localfolk {
localhost;
LOC.AL.NET.WORK/MASK;
...
};
view internal {
// This should match our internal networks.
match-clients { localfolk; };
// Provide recursive service to internal clients only.
recursion yes;
// Provide a complete view of the example.com zone
// including addresses of internal hosts.
zone example.com {
type master;
file zone.example.int;
};
};
view external {
// Match all clients not matched by the previous view.
match-clients { any; };
// Refuse recursive service to external clients.
recursion no;
// Provide a restricted view of the example.com zone
// containing only publicly accessible hosts.
zone example.com {
type master;
file zone.example.ext;
};
};
zone.example.ext:
$TTL1d
@ IN SOA ...
IN NS ...
// Remember to increment the SOA serial number when this is
// updated!
$INCLUDE data/example.ext.data
zone.example.int:
$TTL1d
@ IN SOA ...
IN NS ...
// Remember to increment the SOA serial number when either of
// these is updated!
$INCLUDE data/example.ext.data
$INCLUDE data/example.int.data
--
/*
\
**
** Joe Yaoj...@tux.org - Joseph S. D. Yao
**
\*
/
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
*
This email and its attachments are confidential to the intended recipient. If
this has come to you in error, please notify the sender immediately and delete
this email from your system. You must take no action based on this email, nor
must you copy or disclose it or any part of its contents to any person or
organisation. Please note that email communications may be monitored. The
registered office of Shop Direct Limited is First Floor, Skyways House, Speke
Road, Speke, Liverpool, L70 1AB, registered number 04730752.
Subsidiary companies of Shop Direct Limited include:
Shop Direct Group Financial Services Limited (SDGFS), Shop Direct Financial
Services Limited (SDFS) and Shop Direct Finance Company Limited (SDFC). The
registered office of SDGFS, SDFS and SDFC is Aintree Innovation Centre, Park
Lane, Netherton, Bootle, L30 1SL, registered numbers 05200103 (SDGFS), 04730706
(SDFS) and 04660974 (SDFC). SDFS and SDFC are authorised and regulated by the
Financial Services Authority in respect of arranging insurance products.
Shop Direct Contact Centres Limited (SDCC) and Shop Direct Home Shopping
Limited (SDHS). The registered office of SDCC and SDHS is First Floor, Skyways
House, Speke Road, Speke, Liverpool, L70 1AB, registered numbers 05330323
(SDCC), 04663281 (SDHS).
All companies registered in England.
*
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Questions about DNAME records
-Original Message- From: Chris Buxton [mailto:cbux...@menandmice.com] Sent: 16 June 2009 15:40 To: Braebaum, Neil Cc: Bind Mailing Subject: Re: Questions about DNAME records On Jun 16, 2009, at 1:37 AM, Braebaum, Neil wrote: What I was getting at - probably worded poorly - was say I wanted to provide resolution for something like:- _service._tcp.example.com. if I'd previously created the DNAME record (example.com.IN DNAME example2.com.), would creating a SRV RR record in example2.com.:- _service._tcp.example2.com. work as resolution for it? Yes. The final and complete answer will be: _service._tcp.example.com.IN CNAME _service._tcp.example2.com. _service._tcp.example2.com. IN SRV ... 4 fields here ... As to the forwarding thing, what I was thinking of, is that example2.com. forwards out to internet DNS servers for external resolution Unfortunately, that's a nonsensical assertion. A domain does not forward. A DNS server forwards. OK, the DNS servers that are authoritative for example2.com. and it just so happens that example.com. is a namespace we use externally. So would it work in the scenario I've given, that if I wanted to provide resolution for _service._tcp.example.com. (if it works with the DNAME scenario I've described above), would other records for example.com. that aren't catered for in example2.com., be obtained by merit of example2.com. forwarding? Or would the DNAME configuration not allow it? A DNAME record precludes child names. That is, you cannot have any names of the form foo.example.com and also have a DNAME record named example.com. I guess what I'm wondering is that if example.com. is DNAMEd to example2.com. and the records aren't in example2.com. does the enquiry end there, or could / would the question be dealt with by merit of example2.com. forwarding to internet DNS servers? If you have a DNAME record named example.com, then aside from other records named example.com, there cannot be any other records in the example.com zone. No subdomains are allowed. I think this is why I'm struggling to fully understand the DNAME usage - the example I gave above:- _service._tcp.example.com. would (effectively) be subdomain records from example.com. that I'm hoping to be able to provide responses for by using:- example.com.IN DNAME example2.com. and creating:- _service._tcp.example2.com. SRV resource records in example2.com., which you said would work above. So if example.com is hosted on the outside, and example2.com is internal, an internal resolver will see the external DNAME record (and related, synthesized CNAME records) and be able to resolve them inside example2.com (assuming it can find example2.com). What I was hoping to do was create, or perhaps more correctly, cater for a specific and small number of records for example.com. (by DNAME'ing to example2.com.) internally, by creating a very simple zone with the DNAME to example2.com. - merely to provide answers for these resource records, that I don't want - nor are relevant - to the external use of example.com. example.com. is known on the internet, provided by a managed service DNS provided, and hosts some ecom related DNS records. I'm kind of being forced down the track of providing some resolution for some specific records (the resource records I've given examples for) internally (because of the domain name used for some email addresses), but I don't want to provide a fully authoritative zone for example.com. internally, because I don't want to have to maintain duplicate records in an internal example.com. authoritative zone, and for the external example.com. zone, and because I don't want to have to maintain or expose these resource records in my external example.com. zone. So what I was wondering was, by merit of using a DNAME record, is whether I could host the small number of resource records (that really are subdomain records from example.com.), and using a DNAME record internally, provide them in example2.com., and because the nameservers that are authoritative for example2.com. forward to internet DNS servers, whether they would in the scenario that the internal name enquired on in example.com. isn't present in example2.com. (eg say, some of the ecom related records in the external example.com. that I don't really want to have to cater for internally, too). If there is no external version of example2.com, then you're creating problems, because a DNAME record from a public zone to a strictly private zone will cause resolution for the public for names in the example.com domain (except example.com itself) to fail. example2.com. is purely an internal namespace, and I wasn't thinking of creating a DNAME record in my external example.com. domain. I was thinking of creating an internal zone for example.com., creating
Questions about DNAME records
I just have a couple of questions about DNAME records:- Say I have:- example.com.IN DNAME example2.com. If I catered for the names in example2.com. that I want to be able to use from example.com., would subdomains and resource records be allowed? And secondly, if the name enquired on, didn't exist in example2.com., but example2.com. normally forwards elsewhere, would records not found in example2.com. be sent to where example2.com. forwards to, or would the question end at example2.com.? * This email and its attachments are confidential to the intended recipient. If this has come to you in error, please notify the sender immediately and delete this email from your system. You must take no action based on this email, nor must you copy or disclose it or any part of its contents to any person or organisation. Please note that email communications may be monitored. The registered office of Shop Direct Limited is First Floor, Skyways House, Speke Road, Speke, Liverpool, L70 1AB, registered number 04730752. Subsidiary companies of Shop Direct Limited include: Shop Direct Group Financial Services Limited (SDGFS), Shop Direct Financial Services Limited (SDFS) and Shop Direct Finance Company Limited (SDFC). The registered office of SDGFS, SDFS and SDFC is Aintree Innovation Centre, Park Lane, Netherton, Bootle, L30 1SL, registered numbers 05200103 (SDGFS), 04730706 (SDFS) and 04660974 (SDFC). SDFS and SDFC are authorised and regulated by the Financial Services Authority in respect of arranging insurance products. Shop Direct Contact Centres Limited (SDCC) and Shop Direct Home Shopping Limited (SDHS). The registered office of SDCC and SDHS is First Floor, Skyways House, Speke Road, Speke, Liverpool, L70 1AB, registered numbers 05330323 (SDCC), 04663281 (SDHS). All companies registered in England. * ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
