Re: Microsoft's nslookup Implementation Problems

2010-06-15 Thread Steve Shockley

On 6/13/2010 4:00 PM, Merton Campbell Crockett wrote:

Inspecting the query log on the name server indicates that BIND never
services a request from the system running Microsoft's nslookup tool. In
addition, using tcpdump in controlled tests, I find that Microsoft's
nslookup implementation never sends any requests to any name server that
is designated in a "server" command unless it is one of the default name
servers that the system would normally use.


WinXP and newer sometimes cache results in unexpected ways, including 
caching failed lookups.  Perhaps flushing the DNS cache will help.


With that said, I could not duplicate the problem on Win7's nslookup:

> foo.shockley.net
Server:  server2003.internal.corporate
Address:  192.168.x.x

*** server2003.internal.corporate can't find foo.shockley.net: 
Non-existent domain


> server 208.67.222.222
Default Server:  resolver1.opendns.com
Address:  208.67.222.222

> foo.shockley.net.
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:foo.shockley.net
Address:  67.215.65.132

(foo.shockley.net does not exist, that result is an opendns ad page.)
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Using bind to provide a dns redirector

2010-03-06 Thread Steve Shockley

On 3/5/2010 12:23 PM, Alex Sharaz wrote:

1). We want users to have access to Windows Update and app update sites
even from the unauth VLAN
2). Whatever else they try and get to via a browser, the host address gets
resolved to a Hull IP address. The browser therefore connects to a local web
server which hands out a page saying "You need to configure your machine in
order to access the Internet ..."


It seems like this is more a job for a transparent proxy than DNS.


Re: can bind filter the result

2009-04-20 Thread Steve Shockley

On 4/20/2009 2:55 AM, Ken Lai wrote:

Normally, the client sends the query to SrvA, and SrvA forwards it to
SrvB, and SrvA returns a result which came from SrvB to the client.
Unfortunately, SrvB sometimes will return an A record that is an
advertisement site IP to SrvA, so I don't want to respond to the client if
the returned IP address is the advertisement site address.


It sounds like SrvB is intentionally badly broken.  From your 
description, at best it's returning advertising sites for non-existing 
domains, at worst it just returns ad sites at random for any query.


You'd probably be better off just resolving the addresses yourself (on 
SrvA) rather than forwarding your requests upstream.



Re: Windows servers trying to update my zone

2009-04-07 Thread Steve Shockley

On 4/7/2009 8:28 PM, joans4nz wrote:

Apr 7 20:04:54 myserver named[67312]: client 172.16.0.146#2186: view
interna: update 'mydomain.com/IN ' denied



How do I fix this problem?


Either don't use your Windows domain name externally, or ignore the 
messages.  The update is denied, so at worst the message is annoying.



Re: named-checkconf error

2009-03-24 Thread Steve Shockley

On 12/8/2008 11:00 AM, Chris Thompson wrote:

In message <493b2b5d.40...@shockley.net>, Steve Shockley wrote:


I'm running BIND 9.4.2 on OpenBSD 4.3. I'm getting some errors with
named-checkconf I don't really understand. I'm running:

named-checkzone -t /var/named capmarksecurities.com
/master/db.capmarksecurities.com

and I get:

zone capmarksecurities.com/IN: getaddrinfo(quarantine1.capmark.com)
failed: non-recoverable failure in name resolution

[etc.]

This appears to happen with all zones with MX records that are in a
different zone. The zone loads and seems to work as expected. What's
going wrong?


Something is wrong with the configuration of the host on which you
ran named-checkzone. Either its resolver configuration is screwed,
or getaddrinfo() isn't getting as far as using the resolver. Can
you do host address lookups at all there?

You can suppress the check by using "-i local" on named-checkzone
(see the man page). But it would be better to fix the configuration
problem, of course.


For the archives, this error turned out to be because BIND is chrooted, 
and there was no hosts or resolv.conf in /var/named/etc.  I copied those 
two files from /etc to /var/named/etc and the output came up with no errors.



Re: BIND Security Advisory (CVE-2009-0025; Severity: Low)

2009-01-09 Thread Steve Shockley

On 1/8/2009 9:10 AM, David Coulthart wrote:

Would someone be able to provide some more details as to what particular
configurations of BIND this affects? My interpretation is it only
impacts recursive nameservers that have DNSSEC validation enabled.
Speaking in terms of BIND config options, the dnssec-validation option
would need to be set to yes (so just having the default of dnssec-enable
set to yes isn't enough to make the server vulnerable). Is this a
correct interpretation?


The OpenSSL vulnerability affects DSA and ECDSA certificates; an 
attacker is able to bypass validation of the certificate.  Since DNSSEC 
uses ECDSA, this means an attacker could use a forged certificate in a 
man-in-the-middle attack.


If you're not using DNSSEC, then this vulnerability doesn't really 
affect you, since you already have no way of knowing if a MITM attack is 
occurring.



named-checkconf error

2008-12-06 Thread Steve Shockley
I'm running BIND 9.4.2 on OpenBSD 4.3.  I'm getting some errors with 
named-checkconf I don't really understand.  I'm running:


named-checkzone -t /var/named capmarksecurities.com 
/master/db.capmarksecurities.com


and I get:

zone capmarksecurities.com/IN: getaddrinfo(quarantine1.capmark.com) 
failed: non-recoverable failure in name resolution
zone capmarksecurities.com/IN: getaddrinfo(quarantine2.capmark.com) 
failed: non-recoverable failure in name resolution
zone capmarksecurities.com/IN: getaddrinfo(mailhost3.capmark.com) 
failed: non-recoverable failure in name resolution
zone capmarksecurities.com/IN: getaddrinfo(mxo1.capmark.com) failed: 
non-recoverable failure in name resolution
zone capmarksecurities.com/IN: getaddrinfo(mxo2.capmark.com) failed: 
non-recoverable failure in name resolution

zone capmarksecurities.com/IN: loaded serial 235310359
OK

The zone file:

$ORIGIN .
$TTL 86400      ; 1 day
capmarksecurities.com   IN SOA  ns1.capmark.com. dnsadmin.capmark.com. (
                                235310359  ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
$TTL 300        ; 5 minutes
                        NS      ns1.capmark.com.
                        NS      ns2.capmark.com.
$TTL 900        ; 15 minutes
                        MX      10 quarantine1.capmark.com.
                        MX      10 quarantine2.capmark.com.
                        MX      20 mailhost3.capmark.com.
                        MX      200 mxo1.capmark.com.
                        MX      200 mxo2.capmark.com.
$ORIGIN capmarksecurities.com.
$TTL 7200       ; 2 hours
defeasance      CNAME   idealweb.capmark.com.
investorguide   A       70.60.19.129
$TTL 86400      ; 1 day
www             CNAME   www.capmark.com.

This appears to happen with all zones with MX records that are in a 
different zone.  The zone loads and seems to work as expected.  What's 
going wrong?

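As an added example (not code from either post, nor from BIND), a small Python parser that walks a master-file zone like the one above and lists the target names that named-checkzone's default `-i full` integrity check hands to getaddrinfo(): MX and SRV targets anywhere, and NS targets below the apex (delegations), whenever they lie outside the zone. Those are exactly the lookups that need a working resolver on the checking host, which inside the /var/named chroot means an etc/hosts and etc/resolv.conf, as the follow-up earlier on this page found. The sample zone is an abridged, constructed copy of the posted one with the leading indentation (lost in the archive) restored.

```python
TARGET_INDEX = {"MX": 1, "SRV": 3, "NS": 0}  # RDATA name index per checked type

def _absolute(name, origin):
    """Qualify a relative owner or target name against the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}".rstrip(".") + "."

def _records(zone_text):
    """Yield (owner, type, rdata, origin); handles $ORIGIN, $TTL, comments, ( )."""
    origin, owner, buf, indented = ".", None, [], False
    for line in zone_text.splitlines():
        if not buf:                         # first line of a record: an owner
            indented = line[:1].isspace()   # is present unless it is indented
        buf += line.split(";", 1)[0].split()
        if sum(t.count("(") - t.count(")") for t in buf):
            continue                        # still inside a ( ... ) group
        toks, buf = [t for t in (t.strip("()") for t in buf) if t], []
        if toks[:1] == ["$ORIGIN"]:
            origin = toks[1]
        if not toks or toks[0].startswith("$"):
            continue                        # blank, comment-only or directive
        if not indented:
            owner = _absolute(toks.pop(0), origin)
        while toks and (toks[0] == "IN" or toks[0].isdigit()):
            toks.pop(0)                     # optional class and TTL fields
        yield owner, toks[0], toks[1:], origin

def external_targets(zone_text, zone):
    """Yield (owner, type, target) for each checked target outside `zone`."""
    apex = zone.rstrip(".") + "."
    for owner, rtype, rdata, origin in _records(zone_text):
        idx = TARGET_INDEX.get(rtype)
        if idx is None or (rtype == "NS" and owner == apex):
            continue                # unchecked type, or apex NS (no delegation)
        target = _absolute(rdata[idx], origin)
        if not (target == apex or target.endswith("." + apex)):
            yield owner, rtype, target

# Abridged copy of the zone posted above (constructed sample input).
ZONE = """\
$ORIGIN .
capmarksecurities.com   IN SOA  ns1.capmark.com. dnsadmin.capmark.com. (
        235310359 10800 3600 604800 86400 )
    NS  ns1.capmark.com.                ; apex NS: not a delegation, skipped
    MX  10 quarantine1.capmark.com.     ; out of zone: getaddrinfo() is called
    MX  5  mail.capmarksecurities.com.  ; in zone: no external lookup needed
"""

print(list(external_targets(ZONE, "capmarksecurities.com")))
```

Every name it prints is one the `-i local` mode would skip; if the list is non-empty, the host running named-checkzone (chrooted or not) must be able to resolve external names.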