Re: BIND/Control Panel/FreeBSD

2016-11-15 Thread Pol Hallen

We are planning to run BIND on a FreeBSD server. We planned to use CPANEL but
it is no longer available for FreeBSD. Do you have any other recommendation?


have you tried pfsense?

Pol
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: authority

2016-10-24 Thread Pol Hallen

named virtual hosts anybody - you can run thousands of domains on a
single IP


understood Harld :)

cheers

Pol


Re: authority

2016-10-24 Thread Pol Hallen

so what are your real questions?

P.S.: you need more than one DNS server for a public domain which must
not run on the same network


I have to register some domains: example.com, example.ue, example.net, 
example.org, etc.


on my server I also have Apache web and I'd like to have internet sites based 
on those domains


but each domain must have a unique IP (or not?); my ISP supplies only one IP.

the question is: can I handle several internet sites using local bind?

thanks

Pol


authority

2016-10-24 Thread Pol Hallen

Hello all, after weeks studying bind I'm here with a question:

I'd like to have my own bind authoritative server for some domains. I just 
configured my first zone (i.e.: www.example.org) with the static IP of my DSL. 
Everything works :-)


If I register another FQDN (i.e.: www.example.com) how can I set up my second 
zone? Which IP should be used?


thanks for help

Pol


Re: view problem

2016-10-19 Thread Pol Hallen

If there are zones that both sets of clients should see, you have to
duplicate them in both views. Overlapping views don't do this
automatically.


solved, thanks for your advice

cheers!

Pol


Re: view problem

2016-10-18 Thread Pol Hallen

Please be aware that only one view is visible for any client.


mhmh...

how can I solve my problem?

all clients need to access my zones, but mobile clients (which don't have a 
vpn client) need to access all zones except vpn (but can use the FQDN)


any idea?

thanks

Pol


view problem

2016-10-18 Thread Pol Hallen

Hi all :-)

I have two zones: zone1 is an internal zone, and another zone: vpn.

I need acl1 to be able to "see" the internal vpn zone; the problem is that acl1 
"sees" the vpn zone as an external zone because this zone is a FQDN, while it 
should see vpn as vpn.db.


192.168.1.0/24 are clients that are also openvpn clients, while 
192.168.2.0/24 are not vpn clients.


sorry but I can't simplify :-/

acl acl1 { 192.168.1.0/24; };   // LAN clients that also run an openvpn client
acl acl2 { 192.168.2.0/24; };   // LAN clients with no vpn

// zone1: both networks match this view, and views are checked in order
view "internal_lan" {
match-clients { acl1; acl2; };
include "/etc/bind/named.conf.default-zones";

zone "zone1" {
type master;
file "/etc/bind/zones/zone1.db";
};
};

// vpn: defined only here, so acl1 clients (already matched above) never reach it
view "vpn" {
match-clients { acl1; };

zone "vpn_zone" {
type master;
file "/etc/bind/zones/vpn.db";
};

};


Pol


Re: defines ip to acl

2016-10-17 Thread Pol Hallen

And don't forget the copious comments in named.conf, so that your successor can 
easily see, at a glance, what start/end addresses those clusters of ACL 
elements represent.



sure! :-)

thanks

Pol


Re: defines ip to acl

2016-10-17 Thread Pol Hallen

Acls don’t support ranges, only prefixes.  You don’t want the whole /24.  I 
think you want:

acl net1 { 192.168.1.0/26; 192.168.1.64/27; 192.168.1.96/30; };
acl net2 { 192.168.1.100/30; 192.168.1.104/29; 192.168.1.112/28; 192.168.1.128/26; 192.168.1.192/29; };


thanks guys :-)



defines ip to acl

2016-10-17 Thread Pol Hallen

Hello all :-)

I need to set up 2 kinds of acl on the same network, i.e.:

IPs from 192.168.1.1 to 192.168.1.99 belong to acl1
and IPs from 192.168.1.100 to 192.168.1.199 to acl2

acl net1 { 192.168.1.1-99/24 };
acl net1 { 192.168.1.99-199/24 };

what's the correct way? I didn't find anything :-/

thanks for help

Pol


Re: acl

2016-10-08 Thread Pol Hallen

192.168.1/24 is not a valid netmask


huh?
In Linux and BSD I always use 192.168.1/24 (as a shortcut for 
192.168.1.0/24) and so on...



hint: using /24 everywhere is nonsense


why?

My goal is to allow 192.168.1.0/24 (net) and deny 192.168.1.50 (host)

thanks

Pol


acl

2016-10-08 Thread Pol Hallen

Hi all :-)

can someone advise me about a full howto / handbook to understand ACLs?

I need to permit the whole network 192.168.1/24 and deny the 192.168.1.50/24 host:

acl test0 { !192.168.1.50/24; 192.168.1/24;};

thanks for help!

Pol
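The two ACL threads above ("defines ip to acl" and "acl") come down to two facts: address match lists take prefixes, not ranges, and elements are tested in order with a leading "!" negating the one it precedes. The following Python is an added example, not code from the list or from BIND: it splits the 192.168.1.1-99 and 192.168.1.100-199 ranges into the prefixes an acl statement needs, and acl_matches() is a simplified model of BIND's first-match evaluation (function names and the deny-one-host list are this example's own).

```python
import ipaddress

def range_to_prefixes(first, last):
    """Split an inclusive IPv4 range into CIDR prefixes: BIND address match
    lists take prefixes (or single addresses), never start-end ranges."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]

def acl_statement(name, first, last):
    """Render a named.conf acl statement for one address range."""
    return "acl %s { %s; };" % (name, "; ".join(range_to_prefixes(first, last)))

def parse_element(element):
    """Parse one match-list element; a leading '!' negates it. strict=True
    rejects a prefix with host bits set such as '192.168.1.50/24': that is
    not one host, a single host is written '192.168.1.50'."""
    negated = element.startswith("!")
    network = ipaddress.ip_network(element.lstrip("!"), strict=True)
    return negated, network

def element_is_valid(element):
    """True when the element parses as a clean prefix or single address."""
    try:
        parse_element(element)
        return True
    except ValueError:
        return False

def acl_matches(elements, client):
    """Simplified model of BIND's address match list: elements are tested in
    order and the first one containing the client decides; a negated element
    means 'not matched', and so does matching nothing. Hence the order of a
    negated host and its enclosing network matters."""
    addr = ipaddress.ip_address(client)
    for element in elements:
        negated, network = parse_element(element)
        if addr in network:
            return not negated
    return False

if __name__ == "__main__":
    # The two ranges from the 'defines ip to acl' thread, as prefixes.
    print(acl_statement("net1", "192.168.1.1", "192.168.1.99"))
    print(acl_statement("net2", "192.168.1.100", "192.168.1.199"))
    # Allow the /24 but deny one host: the negated element has to come first.
    deny_host_first = ["!192.168.1.50", "192.168.1.0/24"]
    for ip in ("192.168.1.50", "192.168.1.51", "10.0.0.1"):
        print(ip, "matched" if acl_matches(deny_host_first, ip) else "not matched")
```

Starting net1 at 192.168.1.0 instead of .1 gives the shorter three-prefix list quoted in the reply above; the .100-.199 split comes out identical to it.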


different zone depends clients IP

2016-10-05 Thread Pol Hallen

Hi all :-)

can someone tell me how to configure (view?) to allow some clients 
(192.168.1/24) to see a BIND internal zone and other clients 
(192.168.2/24) to see the REAL zone on the internet?


thanks for help!

Pol


add a domain to zone

2016-10-01 Thread Pol Hallen
Hi folks :-)

I have a vpn network on 10.10.10.0/24 and BIND on 192.168.1/24.
I'd like to add a domain to my zone, like:

myvpn1.org. A 10.10.10.1

to my zone file.

10.10.10.1 is a vpn client connected to my server (I can ping it).

What's the correct way to add a remote domain to BIND?

Thanks for help!

Pol



root.hints or named.hint file update

2016-09-23 Thread Pol Hallen

Hello all :-)

is it recommended to put a cron script in place to auto-update the root.hints and 
named.hint db?


wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /etc/bind/db.root

dig +bufsize=1200 +norec NS . @a.root-servers.net > /var/named/named.root

using debian there isn't any cron script

thanks!

Pol


Re: Fwd: Re: adding second zone

2016-09-23 Thread Pol Hallen

2 zones on the same network (192.168.1.0/24)

thanks


1.168.192.in-addr.arpa is in the primary zone; if I add the second zone I get
this error


you apparently have 1.168.192.in-addr.arpa defined two times
what are you trying to do?




--
Pol


adding second zone

2016-09-22 Thread Pol Hallen

Hi all
I've been searching for how to add a second zone to BIND but I didn't find how :-/

I've a standard zone: example1 IN SOA with record A 192.168.1.212

this zone works perfectly

I'd like to add a second zone for network 192.168.10.0/24; the problem is 
that my server has 1 NIC and is connected to a hardware firewall with several 
NICs, so:


WAN<-->LAN1 - 192.168.1.0/24 <---> BIND+DHCP server (works)
   LAN2 - 192.168.10.0/24 <---> DHCP only
   LAN3 [...]
   LAN4 [...]

routing and NAT works between LAN1 and LAN2

so, the firewall will assign dhcp leases inside LAN2 with BIND on LAN1

any idea?

thanks for help!

Pol


Re: forwarder (YES/NO)

2016-09-21 Thread Pol Hallen

hello again!


try running dig +trace and see how fast it runs. It should return
in about same time as BIND does (when it doesn't have anything in cache).


; <<>> DiG 9.10.3-P4-Debian <<>> +trace @192.168.1.212 yahoo.it
; (1 server found)
;; global options: +cmd
.   518367  IN  NS  d.root-servers.net.
.   518367  IN  NS  g.root-servers.net.
.   518367  IN  NS  e.root-servers.net.
.   518367  IN  NS  h.root-servers.net.
.   518367  IN  NS  b.root-servers.net.
.   518367  IN  NS  c.root-servers.net.
.   518367  IN  NS  a.root-servers.net.
.   518367  IN  NS  l.root-servers.net.
.   518367  IN  NS  i.root-servers.net.
.   518367  IN  NS  m.root-servers.net.
.   518367  IN  NS  k.root-servers.net.
.   518367  IN  NS  j.root-servers.net.
.   518367  IN  NS  f.root-servers.net.
.   518396  IN  RRSIG   NS 8 0 518400 
2016100417 2016092116 46551 . 
tZptpyBClVtkAbyo4NOR2MgHDoq67TlImcBVzZORhn7C2c557prmG42J 
sSPD8aZmisk3bbUJbmqFVFB/M2y/O4zjw3jBf42ujHce99VD3xCeJuk7 
boGW356J6c7JaApB02GRf3SGQIv7x6MVyBmGeKxAosEePlbfjg/8NPEY +y0=

;; Received 397 bytes from 192.168.1.212#53(192.168.1.212) in 2 ms

it. 172800  IN  NS  a.dns.it.
it. 172800  IN  NS  m.dns.it.
it. 172800  IN  NS  r.dns.it.
it. 172800  IN  NS  dns.nic.it.
it. 172800  IN  NS  nameserver.cnr.it.
it. 86400   IN  NSEC    itau. NS RRSIG NSEC
it. 86400   IN  RRSIG   NSEC 8 1 86400 
2016100417 2016092116 46551 . 
LL0eXWf22Lhhi5C0P+PX446JQH+GwCFhxU7tkUUF9wyG+pQ0eDCnpTu0 
vm0ww/3YycmNJwlF3IHJmLIh2l7htSW6G/o2/ozNbZU6RF9pMhKxQNrJ 
aE6hf4L+Ka1N5uNstgJzrE6pV9ouXOJmL0Epoa3gUnbSZcFHH5QrKbu6 AfQ=

;; Received 545 bytes from 192.58.128.30#53(j.root-servers.net) in 577 ms

yahoo.it.   10800   IN  NS  ns2.yahoo.com.
yahoo.it.   10800   IN  NS  ns1.yahoo.com.
yahoo.it.   10800   IN  NS  ns5.yahoo.com.
yahoo.it.   10800   IN  NS  ns7.yahoo.com.
yahoo.it.   10800   IN  NS  ns3.yahoo.com.
;; Received 136 bytes from 194.0.16.215#53(a.dns.it) in 136 ms

yahoo.it.   300 IN  A   106.10.212.24
yahoo.it.   300 IN  A   98.137.236.24
yahoo.it.   300 IN  A   77.238.184.24
yahoo.it.   300 IN  A   212.82.102.24
yahoo.it.   300 IN  A   74.6.50.24
yahoo.it.   86400   IN  NS  ns3.yahoo.com.
yahoo.it.   86400   IN  NS  ns2.yahoo.com.
yahoo.it.   86400   IN  NS  ns1.yahoo.com.
yahoo.it.   86400   IN  NS  ns4.yahoo.com.
yahoo.it.   86400   IN  NS  ns5.yahoo.com.
;; Received 380 bytes from 68.180.131.16#53(ns1.yahoo.com) in 173 ms

same problem... bind is too slow...

the situation changes (very fast) if I use bind as a resolver

forwarders {
8.8.8.8;
};

I don't understand why without a resolver my bind is so slow... how can I 
audit the problem?


thanks! :-)


but testing 127.0.0.1, bind also takes 4000/5000ms to resolve a query




forwarders {
127.0.0.1;
};


do you forward to yourself???


unfortunately, looking for bind on the internet there are many wrong howtos :-/

Pol


Re: forwarder (YES/NO)

2016-09-21 Thread Pol Hallen

so simply leave BIND running and see if it's better tomorrow...


hello,
seems better today, but how do I realize if bind runs correctly? I mean: if 
its speed is normal or if there are lags?


Now I tested some domains, almost all are ok but 2 of these are slow... 
using @8.8.8.8, these two are fast


Actually I commented:

// forwarders {
// 8.8.8.8; 8.8.4.4;
//}

but testing 127.0.0.1, bind also takes 4000/5000ms to resolve a query

forwarders {
127.0.0.1;
};

tcp    0  0 127.0.0.1:953        0.0.0.0:*    LISTEN  14163/named
tcp    0  0 192.168.1.212:53     0.0.0.0:*    LISTEN  14163/named
tcp    0  0 127.0.0.1:53         0.0.0.0:*    LISTEN  14163/named
tcp6   0  0 ::1:953              :::*         LISTEN  14163/named
udp    0  0 192.168.1.212:53     0.0.0.0:*            14163/named
udp    0  0 127.0.0.1:53         0.0.0.0:*            14163/named



allow-query {
  192.168.1.0/24; 127.0.0.1;
  };

thanks for help!

Pol


Re: forwarder (YES/NO)

2016-09-20 Thread Pol Hallen

just leave bind running for some time.


:-)


with 9.10, leave prefetch on and see...


I have version 9.9.5 on debian stable :-/

thanks

Pol


Re: forwarder (YES/NO)

2016-09-20 Thread Pol Hallen

what happens if you leave it working (without forwarders) for some time?
BIND should cache frequently used data and provide them quickly.


I don't know. I'm starting to test without forwarders now and tonight I'll see


when you use google forwarder, the main difference is that most of those
data are probably already cached.


How can I replicate same thing?

thanks for help!

Pol


forwarder (YES/NO)

2016-09-20 Thread Pol Hallen

Hi all :-)

I have a quad core 2.4GHz with standard Italian DSL

I tested BIND with the forwarder both activated and deactivated

   forwarders {
   8.8.8.8; 8.8.4.4;
   };

without the forwarder, using the dig command, "query time" on some domains only 
(I tested Italian domains - I live in Italy) is 350-800ms; with the 
forwarder it is almost always less than 100ms (!)


I'd like to have my BIND (no forwarder) working for my lan :-)

how can I optimize BIND speed? (or maybe I have a wrong config?)

thanks for any help

Pol


Re: about "query time" (caching)

2016-09-19 Thread Pol Hallen

not sure what you mean but likely
https://kb.isc.org/article/AA-01315/0/prefetch-performance-in-BIND-9.10.html


exactly what I was looking for!

cheers!

Pol


Re: about "query time" (caching) +plus

2016-09-19 Thread Pol Hallen

how do I audit whether a query is resolved by my local DNS or by an external DNS?

cheers!

Pol


Re: about "query time" (caching)

2016-09-19 Thread Pol Hallen

In the third case, the A records had expired from the cache (since the TTL on 
those records is 300 seconds = 5 minutes), so your resolver needed to fetch a 
fresh set from the yahoo.it nameservers -- the NS records of which were most 
likely cached from the first lookup -- but it didn't need to follow the 
referral chain all of the way down from the root. 19 msec.


thanks Kevin, now it's clear

is there a way to keep the cache of the queries users will do updated?

Pol


about "query time" (caching)

2016-09-19 Thread Pol Hallen

Hi all,

I'm struggling with "query time" :-/
Using bind 9.9.5, I configured it as a caching proxy:

dig yahoo.it @192.168.1.212
[...]
96msec

second time:

dig yahoo.it @192.168.1.212
[...]
1msec

seems it works, but: if I wait (i.e. 5 minutes) and re-run the same 
command, "query time" has increased:


19msec

why? If the record "yahoo.it" is inside the cache, why after 5 minutes is "query 
time" 19msec?


thanks all for help!

Pol


Re: replicate a whole master

2016-09-19 Thread Pol Hallen

Huh?


are you sure you want to replicate whole server?
Are you sure you know what that means?


mhmh... now I'm not sure :-'
what does this entail?

thanks

Pol


replicate a whole master

2016-09-19 Thread Pol Hallen

Hi all :-)

dig yahoo.it @192.168.1.212

query is 38ms, second query is 1msec

Can I replicate a whole internet primary dns so that my bind on the local 
network has all domain names updated?


Is 38ms an acceptable result?

thanks for help

Pol

dig yahoo.it @192.168.1.212

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> yahoo.it @192.168.1.212
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38206
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 5, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yahoo.it.  IN  A

;; ANSWER SECTION:
yahoo.it.   126 IN  A   77.238.184.24
yahoo.it.   126 IN  A   106.10.212.24
yahoo.it.   126 IN  A   212.82.102.24
yahoo.it.   126 IN  A   74.6.50.24
yahoo.it.   126 IN  A   98.137.236.24

;; AUTHORITY SECTION:
it. 161844  IN  NS  nameserver.cnr.it.
it. 161844  IN  NS  a.dns.it.
it. 161844  IN  NS  m.dns.it.
it. 161844  IN  NS  dns.nic.it.
it. 161844  IN  NS  r.dns.it.

;; ADDITIONAL SECTION:
a.dns.it.   161844  IN  A   194.0.16.215
a.dns.it.   161844  IN  AAAA    2001:678:12:0:194:0:16:215
m.dns.it.   161844  IN  A   217.29.76.4
m.dns.it.   161844  IN  AAAA    2001:1ac0:0:200:0:a5d1:6004:2
r.dns.it.   161844  IN  A   193.206.141.46
r.dns.it.   161844  IN  AAAA    2001:760::::ca
dns.nic.it. 161844  IN  A   192.12.192.5
nameserver.cnr.it.  161844  IN  A   194.119.192.34

;; Query time: 38 msec
;; SERVER: 192.168.1.212#53(192.168.1.212)
;; WHEN: Mon Sep 19 15:49:17 CEST 2016
;; MSG SIZE  rcvd: 384

Pol
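The "query time" and "replicate a whole master" threads above ask how to tell whether an answer came from the local cache or was fetched upstream. This Python script is an added example, not from the list: it parses dig's text output (the two excerpts below are constructed, modelled on the yahoo.it lookups quoted above, with 300 s taken as the authoritative A TTL from the +trace run) and reads the ANSWER section TTL. A cached RRset's TTL counts down once per second, so a TTL below the authoritative value is a cache hit, and a TTL that jumps back up between two lookups means the record expired and was refetched, which is the "third case" Kevin explains.

```python
import re

# Constructed dig excerpts modelled on the yahoo.it lookups quoted in these threads:
# a fresh answer, then the same name 174 s later served from the cache.
DIG_FIRST = """\
;; ANSWER SECTION:
yahoo.it.   300 IN  A   77.238.184.24
yahoo.it.   300 IN  A   106.10.212.24

;; Query time: 96 msec
"""
DIG_LATER = """\
;; ANSWER SECTION:
yahoo.it.   126 IN  A   77.238.184.24
yahoo.it.   126 IN  A   106.10.212.24

;; Query time: 38 msec
"""
YAHOO_A_TTL = 300  # authoritative TTL of the yahoo.it A RRset in the +trace output

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S.*)$")
QTIME_RE = re.compile(r"^;; Query time: (\d+) msec")

def parse_dig(text):
    """Return (answer_ttls, query_ms) from dig's text output."""
    ttls, query_ms, in_answer = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                   # a blank line closes a section
            in_answer = False
            continue
        if line.startswith(";"):       # dig comments and section headers
            m = QTIME_RE.match(line)
            if m:
                query_ms = int(m.group(1))
            in_answer = line.startswith(";; ANSWER SECTION:")
            continue
        m = RR_RE.match(line)
        if in_answer and m:
            ttls.append(int(m.group(2)))
    return ttls, query_ms

def cache_state(ttls, authoritative_ttl):
    """Smallest answer TTL equal to the authoritative TTL: just fetched upstream.
    Lower: served from cache, where it has sat for the difference in seconds."""
    ttl = min(ttls)
    if ttl >= authoritative_ttl:
        return {"source": "upstream", "age_s": 0, "expires_in_s": ttl}
    return {"source": "cache", "age_s": authoritative_ttl - ttl, "expires_in_s": ttl}

def refetched_between(first_ttls, later_ttls, elapsed_s, tolerance_s=2):
    """A cached TTL counts down by elapsed_s between two lookups; a later TTL
    higher than that means the RRset expired and a fresh copy was fetched."""
    return min(later_ttls) > min(first_ttls) - elapsed_s + tolerance_s

if __name__ == "__main__":
    first_ttls, first_ms = parse_dig(DIG_FIRST)
    later_ttls, later_ms = parse_dig(DIG_LATER)
    print(first_ms, "ms:", cache_state(first_ttls, YAHOO_A_TTL))
    print(later_ms, "ms:", cache_state(later_ttls, YAHOO_A_TTL))
    print("refetched:", refetched_between(first_ttls, later_ttls, 174))
```

The 19 ms third lookup in the thread fits the same model: its TTL is back at the authoritative value while the .it and yahoo.it NS records are still cached, so only the last hop was repeated.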