Re: A record of domain name must be name server ?
Hi Kevin,

Thanks for your help. Do not worry. The IP address 192.168.1.100 is just for example.

Best Regards,
Pete Fong

2014-09-09 3:30 GMT+08:00 Kevin Darcy k...@chrysler.com:

> Based on the zone contents below, you shouldn't have any problem changing the 192.168.1.100 address to anything you want.
>
> But, of course, the zone is illegal because it only has 1 NS record published at the apex (there is a strict minimum of at least 2), and, as it stands now, if it is an Internet-facing zone, it's also illegal due to the presence of a private (192.168.*.*) address in the zone.
>
> You said that 192.168.1.100 is our one of DNS server, but hopefully you don't mean that it's a nameserver for *this* zone, or that the zone is not Internet-facing, or the 192.168.1.100 address is presented in a NAT (network address translated) form to the Internet, since, again, you can't use private addresses on the Internet. By definition.
>
> - Kevin
>
> On 9/8/2014 3:43 AM, Pete Fong wrote:
>> Hi Everybody,
>>
>> The below item is our DNS (BIND) server configuration. Our Domain *xxx.com <http://xxx.com>* is assigned IP address 192.168.1.100 which is our one of DNS server. Can we change it to our web server IP address? Because we want anybody access our domain *xxx.com <http://xxx.com>* with internet browser then it will go to our webpage. Am I correct? I really appreciate anybody help.
>>
>> @   IN SOA ns1.xxx.com. root.ns1.xxx.com (
>>         2014090801 ; serial
>>         2h ; refresh
>>         10m ; retry
>>         1w ; expiry
>>         1h )
>>     IN NS ns1.xxx.com.
>>     IN A 192.168.1.100
>>
>> Thank and Best Regards,
>> Pete Fong

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: A record of domain name must be name server ?
Hi,

xxx.com and IP address 192.168.1.100 are just an example domain name and IP address. Our boss wants everybody to access our domain example.com through a browser, then it will redirect to our web site www.example.com. So I want to get more information about unexpected impact when we change DNS records.

Thanks for your help.

Best Regards,
Pete Fong

2014-09-08 20:02 GMT+08:00 /dev/rob0 r...@gmx.co.uk:

> On Mon, Sep 08, 2014 at 03:43:22PM +0800, Pete Fong wrote:
>> The below item is our DNS (BIND) server configuration. our Domain* xxx.com
>
> I think that is a porn site. If you mean to use that name as an example, please use example.com instead. Putting HTTP links to pornography in your emails is a sure way to fall afoul of various content filtering solutions which are in common use.
>
> See RFC 2606 regarding reserved domain names like example.com.
>
>> http://xxx.com *is assigned IP address 192.168.1.100 which is our one of DNS server. Can we change it to our web server IP address? Because we want anybody access our domain *xxx.com <http://xxx.com>* with internet browser then it will go to our webpage. Am I correct? I really appreciate anybody help.
>
> It's not unusual to point an A record for @ at a HTTP server. Whatever you are not understanding here, I can't tell.
>
>> @   IN SOA ns1.xxx.com. root.ns1.xxx.com (
>>         2014090801 ; serial
>>         2h ; refresh
>>         10m ; retry
>>         1w ; expiry
>>         1h )
>>     IN NS ns1.xxx.com.
>>     IN A 192.168.1.100
>
> This zone file would fail named-checkzone(8) testing if loaded as xxx.com, because there is no A record for the NS name, ns1.xxx.com. This zone would fail to load. If any of your NS names are inside the zone, you must have either or both A and records for those NS names.
>
> Here is the same zone without the XXX and with all relative names:
>
> @   IN SOA ns1 root.ns1 (
>         2014090801 ; serial
>         2h ; refresh
>         10m ; retry
>         1w ; expiry
>         1h )
>     IN NS ns1
>     IN A 192.168.1.100
> ns1 IN A 192.168.1.100
>
> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
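Added example (not part of the original thread, and not BIND's own code): a small Python check for the three zone problems the replies above point out, namely fewer than 2 NS records at the apex, an in-zone NS name with no address record, and RFC 1918 addresses in an Internet-facing zone. The names `parse`, `check` and `POSTED` are made up for this sketch, the zone text is a constructed copy of the posted zone with example.com substituted, and only the first rdata field of each record is kept.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the zone as first posted, with example.com substituted.
POSTED = """\
@ IN SOA ns1.example.com. root.ns1.example.com. (
      2014090801 ; serial
      2h 10m 1w 1h )
  IN NS ns1.example.com.
  IN A  192.168.1.100
"""

def parse(text, origin):
    """Tiny master-file reader: '@', relative names, blank owner, ( ) continuation."""
    origin = origin.rstrip(".").lower() + "."
    def fqdn(n):
        return origin if n == "@" else (n if n.endswith(".") else f"{n}.{origin}").lower()
    records, owner, buf = [], origin, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = f"{buf} {line.strip()}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue                          # record continues on the next line
        inherits = buf[0].isspace()           # blank owner field: reuse previous owner
        tok, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if not inherits:
            owner = fqdn(tok.pop(0))
        while tok[0].upper() == "IN" or tok[0][0].isdigit():
            tok.pop(0)                        # skip class and TTL fields
        records.append((owner, tok[0].upper(), fqdn(tok[1]) if tok[0].upper() == "NS" else tok[1]))
    return origin, records

def check(text, origin, internet_facing=True):
    """Return findings for the three problems raised in the thread."""
    origin, recs = parse(text, origin)
    ns = [d for o, t, d in recs if o == origin and t == "NS"]
    addrs = [(o, ipaddress.ip_address(d)) for o, t, d in recs if t in ("A", "AAAA")]
    findings = []
    if len(ns) < 2:
        findings.append(f"apex has {len(ns)} NS record(s); at least 2 expected")
    for name in ns:
        if name.endswith("." + origin) and all(o != name for o, _ in addrs):
            findings.append(f"in-zone NS target {name} has no A/AAAA record")
    if internet_facing:
        findings += [f"{o} -> {ip} is an RFC 1918 address"
                     for o, ip in addrs if any(ip in net for net in RFC1918)]
    return findings
```

`check(POSTED, "example.com")` reports all three problems; the authoritative test before loading a zone is still named-checkzone(8), as mentioned in the reply above.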
A record of domain name must be name server ?
Hi Everybody,

The below item is our DNS (BIND) server configuration. Our Domain *xxx.com <http://xxx.com>* is assigned IP address 192.168.1.100 which is our one of DNS server. Can we change it to our web server IP address? Because we want anybody access our domain *xxx.com <http://xxx.com>* with internet browser then it will go to our webpage. Am I correct? I really appreciate anybody help.

@   IN SOA ns1.xxx.com. root.ns1.xxx.com (
        2014090801 ; serial
        2h ; refresh
        10m ; retry
        1w ; expiry
        1h )
    IN NS ns1.xxx.com.
    IN A 192.168.1.100

Thank and Best Regards,
Pete Fong
Re: A record of domain name must be name server ?
Hi Matus UHLAR - fantomas,

Sorry, I do not understand the meaning of "It could only issue a problem if you pointed example.com. NS example.com. or similar MX etc records." Do you mind to explain more details?

Thank you very much.

Best Regards,
Pete Fong

2014-09-08 16:06 GMT+08:00 Matus UHLAR - fantomas uh...@fantomas.sk:

> On 08.09.14 15:43, Pete Fong wrote:
>> Subject: A record of domain name must be name server ?
>
> no.
>
>> The below item is our DNS (BIND) server configuration. Our Domain *xxx.com <http://xxx.com>* is assigned IP address 192.168.1.100 which is our one of DNS server. Can we change it to our web server IP address?
>
> yes. ... it's completely irrelevant where does example.com A record point to.
>
> It could only issue a problem if you pointed example.com. NS example.com. or similar MX etc records.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> I intend to live forever - so far so good.
Insufficient DNS Source Port Randomization
Hi Everybody,

My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is used for DNS server. I have installed bind-9.7.3P3-0.2.1

Our external auditor used NeXpose for scanning my system. It showed Insufficient DNS Source Port Randomization Vulnerability.

Therefore I have followed BIND 9 Configuration Reference Guide, I have adjusted named.conf configuration file as below:

    query-source address * port *;
    query-source-v6 address * port *;
    use-v4-udp-ports { range 1024 65535; };
    use-v6-udp-ports { range 1024 65535; };

But I am not lucky, The NeXpose software still showed the same vulnerability. Anybody has some issue? Anybody can help me?

Thanks a lot,
Pete Fong
Re: Insufficient DNS Source Port Randomization
Hi, Matus UHLAR

No, the scanner PC and DNS server are connected by a crossover cable in my environment. Therefore I do not have any idea.

Thanks a lot,
Pete Fong

2011/7/28 Matus UHLAR - fantomas uh...@fantomas.sk:

> On 28.07.11 15:33, Pete Fong wrote:
>> My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is used for DNS server. I have installed bind-9.7.3P3-0.2.1
>>
>> Our external auditor used NeXpose for scanning my system. It showed Insufficient DNS Source Port Randomization Vulnerability.
>
> The insufficient randomization was afaik fixed in 9.5.0.
>
>> Therefore I have followed BIND 9 Configuration Reference Guide, I have adjusted named.conf configuration file as below:
>>
>>     query-source address * port *;
>>     query-source-v6 address * port *;
>>     use-v4-udp-ports { range 1024 65535; };
>>     use-v6-udp-ports { range 1024 65535; };
>
> Did you have these before? I think that BIND tries those ports by default, so configuring them should not affect it.
>
>> But I am not lucky, The NeXpose software still showed the same vulnerability. Anybody has some issue? Anybody can help me?
>
> Is your resolving server behind firewall? Does the firewall change source port?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Nothing is fool-proof to a talented fool.
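Added example (not part of the original thread, and not how NeXpose or BIND work internally): one way to check the firewall question above is to capture the resolver's outbound queries on both sides of the firewall and compare how the UDP source ports are distributed. The capture lines are constructed in tcpdump style, and the function names and both thresholds are assumptions made for this sketch.

```python
import re
import statistics

# Matches the source side of a tcpdump-style line for a query sent to port 53.
QUERY = re.compile(r" IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.53: ")

def fake_capture(ports, src="192.0.2.10"):
    """Build constructed capture lines (not real traffic) for a list of source ports."""
    return "\n".join(
        f"12:00:{i:02d}.000000 IP {src}.{p} > 198.51.100.1.53: {4000 + i}+ A? example.com. (29)"
        for i, p in enumerate(ports))

def source_ports(capture, resolver_ip):
    """Source ports of the resolver's outbound queries, in capture order."""
    return [int(m.group(2)) for m in QUERY.finditer(capture) if m.group(1) == resolver_ip]

def assess(ports, min_stdev=3000, max_step=16):
    """Classify a port series; both thresholds are assumptions for this illustration."""
    if len(ports) < 2:
        raise ValueError("need at least two observed queries")
    if len(set(ports)) == 1:
        return "fixed"
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if all(0 < s <= max_step for s in steps):
        return "sequential"
    if statistics.pstdev(ports) < min_stdev:
        return "narrow"
    return "randomized"

def rewritten_in_path(resolver_side, upstream_side):
    """True when ports look random leaving the resolver but not after the firewall/NAT."""
    return assess(resolver_side) == "randomized" and assess(upstream_side) != "randomized"

# Constructed port series.
RANDOMIZED = [51234, 10877, 33019, 60211, 2048, 45990, 17653, 29384, 58102, 7441, 39876, 22015]
SEQUENTIAL = [1024 + i for i in range(12)]
NARROW = [32800, 32771, 32950, 32812, 32999, 32780, 32901, 32850]

if __name__ == "__main__":
    for label, ports in (("randomized", RANDOMIZED), ("sequential", SEQUENTIAL), ("narrow", NARROW)):
        seen = source_ports(fake_capture(ports), "192.0.2.10")
        print(label, "->", assess(seen))
```

If the series is already "fixed" or "narrow" at the resolver's own interface, the cause is on the server itself rather than in the path.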