Re: RPZ help on BIND
Dear Martin,

I really appreciate your response on my query. Actually I would like to implement RPZ in my BIND caching DNS server. I sent an email to Spamhaus to add my DNS server for RPZ lookup in the Spamhaus database and got a response from Spamhaus that I need to use the 199.168.90.51, 199.168.90.52 and 199.168.90.53 IP addresses for RPZ lookup. So I need to implement the RPZ configuration in my BIND DNS server with the configuration below. Since I am not well familiar with BIND, I am expecting help from the BIND forum.

Below is the configuration which I need to add to the /etc/named.conf file:

    zone "rpz.spamhaus.org" {
        type slave;
        file "dbx.rpz.spamhaus.org";
        masters { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
        allow-transfer { none; };
        allow-query { none; };
    };

But I want to direct malware domain lookups to one IP address (for example 10.0.0.1). So I would like to know how to create a local zone file to set a customized IP address for malware domains. I need your valuable help on my query.

Regards,
Babu

On Thursday, 2 January 2014 2:03 PM, Steven Carr sjc...@gmail.com wrote:

> On 2 January 2014 10:47, babu dheen babudh...@yahoo.co.in wrote:
>> Kindly help me on my requirement.
>
> What exactly are you wanting to do? There is lots of information on the Internet already about implementing RPZ (Google is your friend) and configuration examples in the BIND 9.9 ARM (chapter 6.2.16.20). If you can show us what you have implemented so far and what is/isn't working then we can see if we can assist you with the configuration, but we can't just tell you the exact configuration that you need for your own particular setup.
>
> Steve

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
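The two things asked for in this thread (send lookups of listed malware domains to a local address such as 10.0.0.1, and keep a local whitelist that overrides the feed) are both done with a second, locally maintained policy zone listed ahead of the Spamhaus zone. The script below is an added example, not code from the thread, from ISC or from Spamhaus: it writes such a local RPZ zone (blocked names get an A record for the walled-garden address, whitelisted names get CNAME rpz-passthru.) and prints the matching response-policy stanza. The zone name rpz.local, the file path under /var/named, the sinkhole host sinkhole.example.internal and the domain lists are assumptions made for the example; the sinkhole host must resolve to the walled-garden address in a zone this server is authoritative for.

```python
"""Build a local RPZ zone plus the response-policy stanza that lets it
override the Spamhaus feed.

Added example; not code from the thread, ISC or Spamhaus. Assumed names:
zone "rpz.local", file /var/named/rpz.local.db, sinkhole host
sinkhole.example.internal (must resolve to the walled-garden address in a
zone this server serves). Domain lists below are constructed.
"""
import re
from datetime import date

# one label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_domain(name):
    """True for a plain domain name; wildcards are added by us, never typed."""
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lbl) for lbl in labels)


def rpz_serial(today, revision=1):
    """YYYYMMDDnn serial; bump `revision` for a second edit on the same day."""
    return int(today.strftime("%Y%m%d")) * 100 + revision


def _rr(owner, rtype, rdata):
    return f"{owner:<40} IN {rtype:<6} {rdata}"


def build_rpz_zone(blocked, whitelist, sink_ip, serial):
    """Return RPZ zone text.

    Whitelisted names -> CNAME rpz-passthru. (named answers normally).
    Blocked names     -> A sink_ip (walled garden).
    A name on both lists is treated as whitelisted, so the zone never has a
    CNAME and an A record at the same owner (such a zone fails to load).
    Each entry also gets a *.name wildcard so subdomains are covered.
    """
    allow = {n.lower().rstrip(".") for n in whitelist}
    block = {n.lower().rstrip(".") for n in blocked} - allow
    for n in allow | block:
        if not valid_domain(n):
            raise ValueError(f"not a valid domain name: {n!r}")

    lines = [
        "$TTL 300",
        f"@  IN SOA localhost. root.localhost. ( {serial} 3600 900 604800 300 )",
        "@  IN NS  localhost.",
        "",
        "; whitelist: exact name and all subdomains are answered normally",
    ]
    for n in sorted(allow):
        lines.append(_rr(n, "CNAME", "rpz-passthru."))
        lines.append(_rr("*." + n, "CNAME", "rpz-passthru."))
    lines.append("")
    lines.append(f"; blocked: answered with the walled-garden address {sink_ip}")
    for n in sorted(block):
        lines.append(_rr(n, "A", sink_ip))
        lines.append(_rr("*." + n, "A", sink_ip))
    return "\n".join(lines) + "\n"


def response_policy_stanza(local_zone="rpz.local", feed_zone="rpz.spamhaus.org",
                           sink_host="sinkhole.example.internal"):
    """named.conf fragment: the local zone is listed first so its passthru
    rules win; every hit in the feed is rewritten to a CNAME at the sinkhole
    host (the feed's own CNAME . action would give NXDOMAIN instead)."""
    return (
        "response-policy {\n"
        f'    zone "{local_zone}";\n'
        f'    zone "{feed_zone}" policy cname {sink_host};\n'
        "};\n"
        f'zone "{local_zone}" {{\n'
        "    type master;\n"
        f'    file "/var/named/{local_zone}.db";\n'
        "    allow-query { none; };\n"
        "};\n"
    )


if __name__ == "__main__":
    # constructed sample lists; good.example is on both, so it is passed through
    blocked = ["evil.example", "Malware.example", "good.example"]
    whitelist = ["good.example"]
    print(build_rpz_zone(blocked, whitelist, "10.0.0.1",
                         rpz_serial(date.today())))
    print(response_policy_stanza())
```

Order matters in the response-policy list: for QNAME triggers the first policy zone with a matching name wins, so the local passthru entries override the feed only because rpz.local is listed before rpz.spamhaus.org. Run named-checkzone rpz.local /var/named/rpz.local.db on the generated file before reloading, and keep the RPZ zones unqueryable (allow-query { none; }) so clients cannot enumerate the policy.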
Re: RPZ help on BIND
Dear All,

Kindly help me on my requirement.

Regards,
Papdheen M

On Sunday, 29 December 2013 12:13 PM, babu dheen babudh...@yahoo.co.in wrote:

> Thanks Chris. Actually I am using the latest version of BIND in RPM format downloaded from RHN. I just need to configure RPZ with a customized blackhole IP address (manually defined) for access to malware domains.
>
> Regards,
> Babu
>
> On Saturday, 28 December 2013 11:12 PM, Chris Buxton cli...@buxtonfamily.us wrote:
>
>> Babu Dheen,
>>
>> The stanza you quoted will get you the zone. It appears to be correct syntax. If you're using views, put this inside a view; otherwise, put it at the global level.
>>
>> It will not create a response policy based on the zone. You have to do that yourself. Examples are in the BIND v9 Administrator Reference Manual, assuming your copy of the ARM is up to date and you're using a relatively recent version of BIND.
>>
>> The file 'dbx.rpz.spamhaus.org' will contain a copy of the response policy zone. Again, configuring named to use this as the basis for a response policy requires extra configuration. I don't know the purpose of this RPZ, so I can't give you the exact syntax. Perhaps someone from Spamhaus can help you with that.
>>
>> I don't have enough context to answer your question about a whitelist. Perhaps someone else can help you with that.
>>
>> Regards,
>> Chris Buxton
>>
>> On Dec 23, 2013, at 5:11 AM, babu dheen babudh...@yahoo.co.in wrote:
>>
>>> Dear All,
>>>
>>> My BIND DNS server is authorized to use the Spamhaus RPZ service and the Spamhaus official team requested me to paste the configuration lines below into the /etc/named.conf file. Since I am new to RPZ and BIND, kindly help me to enable this feature.
>>>
>>>     zone "rpz.spamhaus.org" {
>>>         type slave;
>>>         file "dbx.rpz.spamhaus.org";
>>>         masters { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
>>>         allow-transfer { none; };
>>>         allow-query { none; };
>>>     };
>>>
>>> My questions are:
>>>
>>> 1. If I paste the above lines alone in the /etc/named.conf file, will it work?
>>> 2. What will be the content of the dbx.rpz.spamhaus.org file?
>>> 3. How do I maintain the local whitelist policy?
>>>
>>> Regards,
>>> Babudheen
Re: RPZ help on BIND
Thanks Chris. Actually I am using the latest version of BIND in RPM format downloaded from RHN. I just need to configure RPZ with a customized blackhole IP address (manually defined) for access to malware domains.

Regards,
Babu

On Saturday, 28 December 2013 11:12 PM, Chris Buxton cli...@buxtonfamily.us wrote:

> Babu Dheen,
>
> The stanza you quoted will get you the zone. It appears to be correct syntax. If you're using views, put this inside a view; otherwise, put it at the global level.
>
> It will not create a response policy based on the zone. You have to do that yourself. Examples are in the BIND v9 Administrator Reference Manual, assuming your copy of the ARM is up to date and you're using a relatively recent version of BIND.
>
> The file 'dbx.rpz.spamhaus.org' will contain a copy of the response policy zone. Again, configuring named to use this as the basis for a response policy requires extra configuration. I don't know the purpose of this RPZ, so I can't give you the exact syntax. Perhaps someone from Spamhaus can help you with that.
>
> I don't have enough context to answer your question about a whitelist. Perhaps someone else can help you with that.
>
> Regards,
> Chris Buxton
>
> On Dec 23, 2013, at 5:11 AM, babu dheen babudh...@yahoo.co.in wrote:
>
>> Dear All,
>>
>> My BIND DNS server is authorized to use the Spamhaus RPZ service and the Spamhaus official team requested me to paste the configuration lines below into the /etc/named.conf file. Since I am new to RPZ and BIND, kindly help me to enable this feature.
>>
>>     zone "rpz.spamhaus.org" {
>>         type slave;
>>         file "dbx.rpz.spamhaus.org";
>>         masters { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
>>         allow-transfer { none; };
>>         allow-query { none; };
>>     };
>>
>> My questions are:
>>
>> 1. If I paste the above lines alone in the /etc/named.conf file, will it work?
>> 2. What will be the content of the dbx.rpz.spamhaus.org file?
>> 3. How do I maintain the local whitelist policy?
>>
>> Regards,
>> Babudheen
Re: Initial BIND 9.9.2 RPZ xfr (spamhaus) failing with failed to connect: timed out ?
Dear All,

My BIND DNS server is authorized to use the Spamhaus RPZ service and the Spamhaus official team requested me to paste the configuration lines below into the /etc/named.conf file. Since I am new to RPZ and BIND, kindly help me to enable this feature.

    zone "rpz.spamhaus.org" {
        type slave;
        file "dbx.rpz.spamhaus.org";
        masters { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
        allow-transfer { none; };
        allow-query { none; };
    };

My questions are:

1. If I paste the above lines alone in the /etc/named.conf file, will it work?
2. What will be the content of the dbx.rpz.spamhaus.org file?
3. How do I maintain the local whitelist policy?

Regards,
Babudheen

On Friday, 8 March 2013 3:03 AM, pgbi...@ml1.net pgbi...@ml1.net wrote:

> Hi,
>
> I've installed
>
>     named -v
>     BIND 9.9.2-rpz+rl.028.23-P1
>
> I've registered my nameserver IP with Spamhaus for use of its RPZ list; I've been approved for access.
>
> I've set up my bind9 conf for slave access to a Spamhaus RPZ:
>
>     ...
>     acl rpz4_spamhaus { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
>     masters rpz4_spamhaus { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
>     ...
>     channel bind_rpzlog {
>         file "/var/log/bind-rpz.log" versions 10 size 5m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity debug;
>     };
>     ...
>     category rpz { bind_rpzlog; };
>     ...
>     view "internal" {
>         ...
>         response-policy { zone "drop.rpz.spamhaus.org"; };
>         ...
>         zone "drop.rpz.spamhaus.org" IN {
>             type slave;
>             file "/namedb/slave/drop.rpz.spamhaus.org.zone";
>             masters { rpz4_spamhaus; };
>             allow-query { localhost; };
>             allow-transfer { rpz4_spamhaus; };
>             request-ixfr yes;
>             notify no;
>         };
>     ...
>
> Bind launches initially with no errors, but the xfer log eventually reports:
>
>     ...
>     07-Mar-2013 13:26:25.657 xfer-in: error: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.51#53: failed to connect: timed out
>     07-Mar-2013 13:26:25.657 xfer-in: info: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.51#53: Transfer completed: 0 messages, 0 records, 0 bytes, 7.010 secs (0 bytes/sec)
>     07-Mar-2013 13:27:17.673 xfer-in: error: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.52#53: failed to connect: timed out
>     07-Mar-2013 13:27:17.673 xfer-in: info: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.52#53: Transfer completed: 0 messages, 0 records, 0 bytes, 7.014 secs (0 bytes/sec)
>     07-Mar-2013 13:28:09.689 xfer-in: error: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.53#53: failed to connect: timed out
>     07-Mar-2013 13:28:09.689 xfer-in: info: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.53#53: Transfer completed: 0 messages, 0 records, 0 bytes, 7.014 secs (0 bytes/sec)
>     ...
>
> The RPZ log @ /var/log/bind-rpz.log is created on bind start, but is completely empty.
>
> If I
>
>     rndc -k /usr/local/etc/named/keys/rndc-key retransfer drop.rpz.spamhaus.org
>
> logs show only
>
>     == /var/log/bind-main.log ==
>     07-Mar-2013 13:58:43.576 general: info: received control channel command 'retransfer drop.rpz.spamhaus.org'
>
> but nothing improves/changes. I've no idea as to why the 'failed to connect' message. As an obvious result, no local zone file is created/written.
>
> Where should I start looking/debugging for the cause of this failed transfer? Any other hints?
>
> Thanks!
>
> -pg
RPZ help on BIND
Dear All,

My BIND DNS server is authorized to use the Spamhaus RPZ service and the Spamhaus official team requested me to paste the configuration lines below into the /etc/named.conf file. Since I am new to RPZ and BIND, kindly help me to enable this feature.

    zone "rpz.spamhaus.org" {
        type slave;
        file "dbx.rpz.spamhaus.org";
        masters { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
        allow-transfer { none; };
        allow-query { none; };
    };

My questions are:

1. If I paste the above lines alone in the /etc/named.conf file, will it work?
2. What will be the content of the dbx.rpz.spamhaus.org file?
3. How do I maintain the local whitelist policy?

Regards,
Babudheen
Refreshing cache in other DNS servers
Hi,

I am running a BIND caching DNS server in Redhat Linux. This DNS server is used as the name server for other DNS servers which are running on Windows 2003. Whenever I modify an existing record in a BIND caching DNS server zone, it's not immediately taking effect in my Windows DNS servers. But if I clear the Windows DNS server's DNS cache, it takes effect. Is it possible to enforce/refresh the cache of the other DNS servers through the BIND DNS server once a modification is done in the zone file?

Regards,
Babu
Re: Refreshing cache in other DNS servers
Hi Matus,

> The standard way to handle this situation is, when you know you are going to make a change, to lower the TTL of a particular RR to a small value (e.g. 300) and after the change to restore the TTL to a sane standard value (e.g. 43200).

I just need clarification on your above update. If I change the TTL value on the particular zone after modifying a record in the Redhat Linux BIND caching DNS server, my Redhat BIND caching DNS server cache would be refreshed after 300 seconds, but what if my backend Windows DNS server is still responding to end users with the old record from its cache? So my backend Windows DNS server can get the newly modified record from DNS only when it contacts the Redhat DNS server for the newly added data once the Windows DNS cache is refreshed?

Regards,
Babu

On Tuesday, 15 October 2013 3:04 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

> On 15.10.13 19:38, babu dheen wrote:
>> I am running a BIND caching DNS server in Redhat Linux. This DNS server is used as the name server for other DNS servers which are running on Windows 2003. Whenever I modify an existing record in a BIND caching DNS server zone, it's not immediately taking effect in my Windows DNS servers. But if I clear the Windows DNS server's DNS cache, it takes effect. Is it possible to enforce/refresh the cache of the other DNS servers through the BIND DNS server once a modification is done in the zone file?
>
> No. Only server admins can maintain caches. Your job is to set the TTL high enough not to cause you big load and not to time out when your servers fail, but low enough to refresh when needed.
>
> The standard way to handle this situation is, when you know you are going to make a change, to lower the TTL of a particular RR to a small value (e.g. 300) and after the change to restore the TTL to a sane standard value (e.g. 43200).
>
> You may ask for access to the win2003 servers to manipulate their caches, or configure your zone as slave on them and send notifies to them, so they notice as soon as possible.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> 2B|!2B, that's a question!
Re: Refreshing cache in other DNS servers
Thanks a lot. Now it's very clear.

Regards,
Babu

On Tuesday, 15 October 2013 6:28 PM, Steven Carr sjc...@gmail.com wrote:

> On 15 October 2013 15:53, babu dheen babudh...@yahoo.co.in wrote:
>> If I change the TTL value on the particular zone after modifying a record in the Redhat Linux BIND caching DNS server, my Redhat BIND caching DNS server cache would be refreshed after 300 seconds, but what if my backend Windows DNS server is still responding to end users with the old record from its cache?
>
> You need to reduce the TTL with enough time in advance to allow the entry in the Windows DNS server to have fallen out of the cache and been replaced with the lower TTL record.
>
> For example, if my zone has a TTL of 8 hours and I am planning on making a change tomorrow, then today (or even yesterday) I would have reduced the TTL on the zone to 15 mins. This will increase the DNS traffic as the records will be requested more frequently. But it will also mean that when I make the change tomorrow the Windows DNS server will only have a maximum of 15 mins with the old records. After the change has been made and everything is OK you can then increase the TTL back to the original 8 hours.
>
> Alternatively as part of the change process, ask your Windows Server team to restart the DNS service after you have made your changes which will cause the cache to be flushed.
>
> Steve
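Steve's answer rests on one property of caches that the question missed: a downstream cache (the Windows server) keeps a record for whatever TTL it last received, and a cache passes on only the remaining TTL, so a chain of caches never extends a record's life. The simulation below is an added example, not code from the thread; it models client -> Windows DNS cache -> BIND cache -> zone on a simple seconds clock and measures how long after a change a client can still get the old answer, first with the TTL lowered only at change time and then with it lowered a full old TTL in advance (Steve's "today or even yesterday"). The names, addresses, TTLs (8 hours, 15 minutes) and 60-second polling interval are constructed.

```python
"""Two-level cache simulation: client -> Windows DNS cache -> BIND cache -> zone.

Added example, not from the thread. It shows why the TTL must be lowered at
least one old TTL before a change: a downstream cache keeps whatever TTL it
last saw. Names, addresses, TTLs and the 60 s polling interval are constructed.
"""


class Zone:
    """Authoritative data the admin edits: name -> (value, ttl)."""

    def __init__(self, records):
        self.records = dict(records)

    def set(self, name, value, ttl):
        self.records[name] = (value, ttl)

    def lookup(self, name, now):
        return self.records[name]           # (value, full TTL)


class Cache:
    """Caching server. On a miss it asks `upstream` and stores the answer
    with the TTL the upstream returned. On a hit it returns the *remaining*
    TTL, which is what a real cache does, so a cache feeding another cache
    never extends a record's lifetime."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.entries = {}                   # name -> (value, expires_at)

    def lookup(self, name, now):
        hit = self.entries.get(name)
        if hit is not None and hit[1] > now:
            return hit[0], hit[1] - now     # served from cache
        value, ttl = self.upstream.lookup(name, now)
        self.entries[name] = (value, now + ttl)
        return value, ttl


NAME, OLD, NEW = "www.example", "192.0.2.1", "192.0.2.2"


def seconds_until_new_value(old_ttl, new_ttl, lower_at, change_at, poll=60):
    """Simulate a client behind the Windows cache polling every `poll`
    seconds. The caches are warmed at t=0 with the old TTL; the zone TTL is
    lowered at `lower_at` and the record changed at `change_at`. Returns how
    many seconds after the change the client first sees the new value."""
    zone = Zone({NAME: (OLD, old_ttl)})
    windows = Cache(Cache(zone))            # Windows DNS forwarding to BIND
    t = 0
    while t <= change_at + old_ttl + poll:
        if t == lower_at:
            zone.set(NAME, OLD, new_ttl)
        if t == change_at:
            zone.set(NAME, NEW, new_ttl)
        value, _ = windows.lookup(NAME, t)
        if t >= change_at and value == NEW:
            return t - change_at
        t += poll
    return None


if __name__ == "__main__":
    old_ttl, new_ttl = 8 * 3600, 15 * 60
    # TTL lowered only together with the change: the Windows cache keeps the
    # old answer until the original 8 h entry expires.
    print("no preparation:", seconds_until_new_value(old_ttl, new_ttl, 3600, 3600))
    # TTL lowered one full old TTL ahead of the change: staleness is now
    # bounded by the new 15 min TTL.
    print("prepared:", seconds_until_new_value(old_ttl, new_ttl, 60, 60 + old_ttl))
```

The first run returns 25200 seconds (7 hours of stale answers, the remainder of the 8-hour entry cached at t=0); the second returns 840 seconds, under the 15-minute bound. Lowering the TTL exactly at change time is therefore the same as not lowering it at all, which is the situation described in the question.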
Re: Suspicious DNS traffic
Dear Matus,

I think you got my point. Yes, I am using a stateful firewall and not sure why my DNS server is connecting to the remote DNS on a non-standard port. So where do I need to look now?

Regards,
Papdheen M

From: Matus UHLAR - fantomas uh...@fantomas.sk
To: bind-users@lists.isc.org
Sent: Monday, 25 March 2013 7:46 PM
Subject: Re: Suspicious DNS traffic

> On 26.03.13 00:21, babu dheen wrote:
>> Hi Matus,
>
> please, skip personal replies. this is a mailing list and issues should be discussed here.
>
>> Still not convinced because if I need to allow >1024 ports from our DNS server to the external world (internet).. where is the security?
>
> If you have a stateful firewall, you simply need to allow open connections (stateful firewalls can track outgoing UDP packets and match the replies). If not, you have to allow all traffic from port 53 on remote DNS servers to your DNS server. Since you can't know all DNS servers, you have to allow all incoming traffic to your DNS server where the source port is 53.
>
> all the security is useless if it blocks your service. Luckily, most firewalls can track the connection state.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Emacs is a complicated operating system without good text editor.
Re: Suspicious DNS traffic
Dear Brown,

I am using a stateful firewall from a leading vendor company. So let me know why my server still initiates connections to the remote DNS server on a non-standard destination port?

Regards,
Babu

From: wbr...@e1b.org wbr...@e1b.org
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org bind-users@lists.isc.org
Sent: Monday, 25 March 2013 7:48 PM
Subject: Re: Suspicious DNS traffic

> babu dheen wrote on 03/25/2013 12:21:30 PM:
>> Still not convinced because if I need to allow >1024 ports from our DNS server to the external world (internet).. where is the security?
>
> Total security requires total isolation. It is a matter of accepting some risks to perform the needed task.
>
>> I believe we just need to allow TCP and UDP 53 from our DNS server to the internet (any) which is already done. Not sure why we have to open non-standard ports from our DNS server to the internet? Kindly provide some details.
>
> You send a request via UDP from a random high port to an authoritative server. The answer is too large to fit in a UDP packet, so it responds via TCP to the source port of the request (the random high port from above). If you block that TCP connection, you cannot receive the answer to your query.
>
> Another reason for TCP replies is DNS Response Rate Limiting (RRL).
>
> Some modern stateful firewalls understand DNS and if there is a UDP packet sent to port 53, it will accept TCP connections back from the destination address on port 53 to the source address/port.
Re: Suspicious DNS traffic
Dear Vernon,

Thanks for your wonderful and detailed reply. I read the update given by you as below.

> Many stateful firewalls can also record the source and destination IP addresses and port numbers of outgoing UDP packets and allow subsequent incoming UDP packets with source and destination reversed. This has nothing to do with TCP.

I am using a stateful firewall, and still why is my BIND DNS server connection, initiated using source port 53 to the remote DNS server on a non-standard destination port, getting blocked? Not sure why my DNS server is initiating the connection to the remote DNS server on a non-standard destination port?

Regards,
Babu

From: Vernon Schryver v...@rhyolite.com
To: bind-users@lists.isc.org
Sent: Monday, 25 March 2013 8:40 PM
Subject: Re: Suspicious DNS traffic

>> Still not convinced because if I need to allow >1024 ports from our DNS server to the external world (internet).. where is the security?
>
> Every UDP and TCP packet has two port numbers, the source port and the destination port. When a resolver sends a request to a distant DNS authority, it sends to destination port 53 with a random local source port number. When the distant resolver responds, it will send a UDP packet with source port 53 and with destination port equal to the source port number in the request. If you block all packets from port 53 to local ports other than 53, then you will block all responses to your resolver's requests.
>
> Some DNS resolver software in ancient days sent requests to distant authorities with source port 53, so that both the source and destination port numbers in DNS/UDP packets were 53. There are many reasons why that was a bad idea. For one modern reason, see https://www.google.com/search?q=cache+poisoning+attack and https://www.google.com/search?q=dns+source+port+randomization
>
> Contrary to claims in this thread, that source port need not be greater than 1024 except on some operating systems. The notion of privileged ports smaller than 1024 is an ancient BSDism that many consider a mistake. However, the source ports in DNS/UDP requests (as well as DNS/TCP) are likely to be restricted to parts of the complete [1,65535] range of port numbers, but those partial ranges depend on the operating system, operating system configuration, DNS resolver software, and the resolver's configuration. For TCP and stub DNS resolvers, see https://www.google.com/search?q=ephemeral+port For DNS/UDP and BIND as a resolver, see the BIND Administrators Reference Manual (ARM) including the query-source, use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, and avoid-v6-udp-ports options.
>
>> You send a request via UDP from a random high port to an authoritative server. The answer is too large to fit in a UDP packet, so it responds via TCP to the source port of the request (the random high port from above). If you block that TCP connection, you cannot receive the answer to your query.
>
> No, a distant DNS authority certainly does not respond via TCP after a UDP response fails to fit in a DNS/UDP packet. Instead, the distant authority responds with a DNS/UDP packet with the TC or truncated error bit. A resolver will react to TC bits or truncation errors by making the same request with TCP unless it has already received the required data from some other DNS authority. This can happen after the local resolver has tired of waiting for an answer from one authority and sent the request to some other authority.
>
> Making a request via TCP consists of sending a TCP segment (or packet) with the SYN bit set to port 53 at the distant authority and with yet another random source port number. The distant authority will respond with a TCP segment with both the SYN and ACK bits set. The local resolver will respond with another TCP segment with both the SYN and ACK bits set. This is the famous 3-way handshake that establishes a TCP connection. Only after the TCP connection is established does the local resolver send the DNS request through the TCP connection.
>
>> Another reason for TCP replies is DNS Response Rate Limiting (RRL).
>
> Not exactly.
>
>> Some modern stateful firewalls understand DNS and if there is a UDP packet sent to port 53, it will accept TCP connections back from the destination address on port 53 to the source address/port.
>
> That is wrong. UDP packets have nothing to do with telling reasonable firewalls to allow TCP. Firewalls for more than 10 years have automatically dealt with TCP in at least two ways. One is to notice and remember (i.e. save state) the initial TCP SYN segment 3-way handshake and allow the later predictable TCP segments. Another mechanism is to blindly block incoming TCP segments with SYN but without ACK. The first mechanism requires saving state or memory for every established TCP connection, and so can be vulnerable to some kinds of state exhaustion attacks. The second mechanism prevents outsiders from originating TCP connections, but does not protect against
Re: Suspicious DNS traffic
Hi,

I am able to query one of the PTR records available in my company BIND caching DNS server from the internet (ANY IP address) successfully. As per your statement, if I am denying the response, how could I get the response successfully?

Regards,
Babu

From: Mark Andrews ma...@isc.org
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org bind-us...@isc.org
Sent: Monday, 25 March 2013 12:33 AM
Subject: Re: Suspicious DNS traffic

> In message 1364140396.42023.yahoomail...@web190806.mail.sg3.yahoo.com, babu dheen writes:
>> Dear,
>>
>> We have a caching DNS server and only certain PTR records (for reverse entry verification purposes) are allowed from the internet. But I am observing suspicious DNS traffic from my BIND caching DNS server towards the 67.215.80.15, 67.215.80.13, 207.192.69.4 and 67.227.239.85 IP addresses on destination ports 1033, 1090, 1743, etc. Since we haven't allowed non-standard ports from our DNS server to public DNS servers, it's dropped in the firewall. Any idea as to why our company DNS server is contacting external IPs on non-standard ports?
>
> It's contacting it on port 53. You are allowing the query out but denying the response.
>
>> Below are the logs taken from the DNS server for one of the destination IP addresses.
>>
>>     client 67.215.80.15#58230: view localhost_resolver: query (cache) '109.232.12.217.in-addr.arpa/PTR/IN' denied
>>     client 67.215.80.15#18395: view localhost_resolver: query (cache) '86.232.12.217.in-addr.arpa/PTR/IN' denied
>>     client 67.215.80.15#34068: view localhost_resolver: query (cache) '114.232.12.217.in-addr.arpa/PTR/IN' denied
>>     client 67.227.239.85#20915: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
>>     client 67.227.239.85#64724: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
>>     client 67.227.239.85#16374: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
>>     client 67.227.239.85#30391: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
>>     client 67.227.239.85#17745: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
>>     client 67.227.239.85#36163: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
>>     client 67.227.239.85#6391: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
>>     client 67.227.239.85#37586: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
>>     client 67.227.239.85#55208: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
>>     client 67.227.239.85#40076: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
>>
>> Below are the firewall logs:
>>
>>     action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip dst=67.215.80.15 src_port=53 dst_port=16529
>>     action=Permit sent=0 rcvd=0 src=67.215.80.15 dst=our_company_DNS_server_ip src_port=52370 dst_port=53
>>
>> Regards,
>> Babu
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Suspicious DNS traffic
Hi Matus,

Still not convinced because if I need to allow >1024 ports from our DNS server to the external world (internet).. where is the security? I believe we just need to allow TCP and UDP 53 from our DNS server to the internet (any) which is already done. Not sure why we have to open non-standard ports from our DNS server to the internet? Kindly provide some details.

Regards,
Babu

From: Matus UHLAR - fantomas uh...@fantomas.sk
To: bind-users@lists.isc.org
Sent: Monday, 25 March 2013 3:30 PM
Subject: Re: Suspicious DNS traffic

> On 25.03.13 16:59, babu dheen wrote:
>> I am able to query one of the PTR records available in my company BIND caching DNS server from the internet (ANY IP address) successfully. As per your statement, if I am denying the response, how could I get the response successfully?
>
> you must allow the packets from TCP+UDP port 53 coming to any >=1024 port on your nameserver.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> The only substitute for good manners is fast reflexes.
Suspicious DNS traffic
Dear,

We have a caching DNS server and only certain PTR records (for reverse entry verification purposes) are allowed from the internet. But I am observing suspicious DNS traffic from my BIND caching DNS server towards the 67.215.80.15, 67.215.80.13, 207.192.69.4 and 67.227.239.85 IP addresses on destination ports 1033, 1090, 1743, etc. Since we haven't allowed non-standard ports from our DNS server to public DNS servers, it's dropped in the firewall. Any idea as to why our company DNS server is contacting external IPs on non-standard ports?

Below are the logs taken from the DNS server for one of the destination IP addresses.

    client 67.215.80.15#58230: view localhost_resolver: query (cache) '109.232.12.217.in-addr.arpa/PTR/IN' denied
    client 67.215.80.15#18395: view localhost_resolver: query (cache) '86.232.12.217.in-addr.arpa/PTR/IN' denied
    client 67.215.80.15#34068: view localhost_resolver: query (cache) '114.232.12.217.in-addr.arpa/PTR/IN' denied
    client 67.227.239.85#20915: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
    client 67.227.239.85#64724: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
    client 67.227.239.85#16374: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
    client 67.227.239.85#30391: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
    client 67.227.239.85#17745: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
    client 67.227.239.85#36163: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
    client 67.227.239.85#6391: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
    client 67.227.239.85#37586: view localhost_resolver: query (cache) '150.232.12.217.in-addr.arpa/PTR/IN' denied
    client 67.227.239.85#55208: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied
    client 67.227.239.85#40076: view localhost_resolver: query (cache) '232.12.217.in-addr.arpa/NS/IN' denied

Below are the firewall logs:

    action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip dst=67.215.80.15 src_port=53 dst_port=16529
    action=Permit sent=0 rcvd=0 src=67.215.80.15 dst=our_company_DNS_server_ip src_port=52370 dst_port=53

Regards,
Babu
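The firewall lines above are the whole answer to this thread once they are read relative to the DNS server's own address: the denied packet leaves port 53 towards a high port, which is not a connection the server opened but its reply (a REFUSED answer, given the "query denied" log entries) to the inbound query logged in the permitted line. The script below is an added example, not code from the thread; it classifies key=value firewall lines of the poster's format relative to the server address, lists denied replies to inbound queries (Mark Andrews' point) and denied replies to the server's own outbound queries (the stateful-firewall point made by Matus and Vernon), and flags any query that still leaves with source port 53, the fixed-port behaviour Vernon describes as the cache-poisoning case. The server address placeholder is the one used in the post; the sample log is constructed apart from the two lines quoted above.

```python
"""Triage firewall log lines around a recursive DNS server.

Added example, not from the thread. Every flow is classified relative to the
DNS server's address so that a denied packet leaving port 53 towards a high
port is recognised as the answer to an inbound query, and a denied packet
arriving from port 53 at a high port as the answer to one of our own
queries. A query leaving with source port 53 is flagged because a fixed
source port defeats source-port randomisation. The log format is the
key=value style from the post; SAMPLE_LOG is constructed except for the two
lines quoted in the post.
"""
from collections import Counter

SERVER = "our_company_DNS_server_ip"      # placeholder exactly as in the post

SAMPLE_LOG = [
    # the two lines quoted in the post
    "action=Deny sent=0 rcvd=112 src=our_company_DNS_server_ip dst=67.215.80.15 src_port=53 dst_port=16529",
    "action=Permit sent=0 rcvd=0 src=67.215.80.15 dst=our_company_DNS_server_ip src_port=52370 dst_port=53",
    # constructed: our own recursive query and its (blocked) answer
    "action=Permit sent=70 rcvd=0 src=our_company_DNS_server_ip dst=198.51.100.7 src_port=41234 dst_port=53",
    "action=Deny sent=0 rcvd=180 src=198.51.100.7 dst=our_company_DNS_server_ip src_port=53 dst_port=41234",
    # constructed: a query sent with the old fixed source port 53
    "action=Permit sent=64 rcvd=0 src=our_company_DNS_server_ip dst=192.0.2.10 src_port=53 dst_port=53",
    "garbage line without fields",
]


def parse_line(line):
    """key=value tokens -> dict; the two port fields become ints."""
    rec = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    for key in ("src_port", "dst_port"):
        if key in rec and rec[key].isdigit():
            rec[key] = int(rec[key])
    return rec


def classify(rec, server):
    """Name the role of one packet as seen from the DNS server."""
    src, dst, sp, dp = rec["src"], rec["dst"], rec["src_port"], rec["dst_port"]
    if src == server:
        if sp == 53 and dp != 53:
            return "answer-to-inbound-query"      # we are replying to a client
        if dp == 53:
            return "outbound-query-fixed-port-53" if sp == 53 else "outbound-query"
    elif dst == server:
        if dp == 53:
            return "inbound-query"                # a client is asking us
        if sp == 53:
            return "answer-to-outbound-query"     # an authority replying to us
    return "unrelated"


def triage(lines, server):
    """Return (counts per class, denied answers to inbound queries,
    denied answers to our own outbound queries)."""
    counts = Counter()
    lost_inbound, lost_outbound = [], []
    for line in lines:
        rec = parse_line(line)
        if not {"src", "dst", "src_port", "dst_port"} <= set(rec):
            counts["unparsable"] += 1
            continue
        kind = classify(rec, server)
        counts[kind] += 1
        if rec.get("action") == "Deny":
            if kind == "answer-to-inbound-query":
                lost_inbound.append((rec["dst"], rec["dst_port"]))
            elif kind == "answer-to-outbound-query":
                lost_outbound.append((rec["src"], rec["dst_port"]))
    return counts, lost_inbound, lost_outbound


if __name__ == "__main__":
    counts, lost_in, lost_out = triage(SAMPLE_LOG, SERVER)
    for kind, n in sorted(counts.items()):
        print(f"{n:4d}  {kind}")
    print("answers to clients the firewall dropped:", lost_in)
    print("answers to our own queries the firewall dropped:", lost_out)
    if counts["outbound-query-fixed-port-53"]:
        print("queries still leave from port 53: check query-source and "
              "use-v4-udp-ports in named.conf")
```

For the post's two lines the script reports one inbound query and one denied answer to it, which is the "allowing the query out but denying the response" situation, and nothing the server initiated. A rule set that matches the protocol rather than fixed port pairs is: allow UDP/TCP from the server to any address port 53 with the firewall tracking state for the replies, allow inbound port 53 for the clients the server is meant to serve, and allow the server's port-53 replies back to those clients' source ports.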
Re: Name Resolution issue with one domain
Dear All,

Thanks a lot for helping to identify the exact problem. Now my problem has been solved, once I changed the source port from 53 to an ephemeral port.

Regards
Babudheen

From: Matus UHLAR - fantomas uh...@fantomas.sk
To: bind-users@lists.isc.org
Sent: Thursday, 22 March 2012 12:46 PM
Subject: Re: Name Resolution issue with one domain

On 21/03/2012 09:41, Matus UHLAR - fantomas wrote:

Maybe the admin set that up to force local servers to use random ports, instead of 53, for outgoing requests. Nobody should use port 53 for _outgoing_ requests.

On 21.03.12 23:41, Anand Buddhdev wrote:

You're wrong. A name server can use any source port from 1 up to 65535 for an outgoing query, as long as that port is not in use by any other process on the system.

Well, it _can_, but because ports < 1024 are understood as privileged, it should not use them.

In fact, up until Kaminsky's revelation, many BIND servers used a fixed source port of 53.

Yes, but because of Kaminsky's revelation, servers should not use that port anymore.

While it's up to the admin of the resolving server, it's possible that the FW admin at Dubai airport had a reason to block ports < 1024. Maybe they got an attack from enabled chargen or echo UDP services from somewhere. We do not know that. But we surely know that the OP's nameservers use port 53, which they should not use...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 of your friends - let them see what an idiot you are
Re: Name Resolution issue with one domain
Dear All,

When I executed #dig www.dubaiairport.com, I am getting the below response:

; <<>> DiG 9.3.4-P1 <<>> www.dubaiairport.com
;; global options: printcmd
;; connection timed out; no servers could be reached

When I checked the firewall logs, as you all confirmed, traffic is leaving from both non-standard and standard ports. But the firewall logs clearly show that traffic from source port 53 is getting dropped. But other DNS traffic towards various domains is also going out with source port 53, for which we have no issue. Is this port restriction done at the remote domain's firewall? Is there any way to enforce a non-standard port for this domain's queries at our BIND level, from our side?

Mar 21 21:50:26 start_time=2012-03-21 21:47:54 duration=151 policy_id=20 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 session_id=512159 reason=Close - AGE OUT
Mar 21 21:50:46 start_time=2012-03-21 21:49:15 duration=90 policy_id=24 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 session_id=451904 reason=Close - AGE OUT

Regards
Babu

From: Matus UHLAR - fantomas uh...@fantomas.sk
To: bind-users@lists.isc.org
Sent: Wednesday, 21 March 2012 11:41 AM
Subject: Re: Name Resolution issue with one domain

On 21.03.12 09:23, Mark Andrews wrote:

Stupid firewall rules in front of the nameservers. They block traffic sent from port 53, which is the port lots of nameservers used to send query traffic. When will firewall administrators learn that the source ports can be anything, that they are not significant, and that blocking traffic based on the source port is stupid.

Maybe the admin set that up to force local servers to use random ports, instead of 53, for outgoing requests. Nobody should use port 53 for _outgoing_ requests.

bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)

; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
;; global options: +cmd
;; connection timed out; no servers could be reached
bsdi#

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Quantum mechanics: The dreams stuff is made of.
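The firewall session records above show the resolver (10.1.1.1) sending every query from source port 53, which is what the thread identifies as both the reason the remote firewall drops the traffic and the weakness Kaminsky's work exposed. The following script is an added example (not code from the thread or from ISC) that reads session-log lines of that format and reports, per resolver, how many distinct source ports it used and whether the port is fixed or privileged. The first two lines are the ones posted; the 10.1.1.2 lines and the 192.0.2.x destinations are constructed to show a resolver that randomises its source port.

```python
"""Check whether a resolver pins one UDP source port for outgoing queries.

Added example, not code from the thread. The first two session-log lines
are the ones posted (10.1.1.1 is that resolver); the 10.1.1.2 lines are
constructed to show a resolver that randomises its source port.
"""
import re
from collections import Counter

# Only the fields we need; 'src zone=' and 'src-xlated ip=' do not match 'src='.
FIELD_RE = re.compile(r"\b(action|service|src|dst|src_port|dst_port)=(\S+)")

SESSION_LOG = """\
Mar 21 21:50:26 start_time=2012-03-21 21:47:54 duration=151 policy_id=20 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 session_id=512159 reason=Close - AGE OUT
Mar 21 21:50:46 start_time=2012-03-21 21:49:15 duration=90 policy_id=24 service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 dst_port=53 src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 session_id=451904 reason=Close - AGE OUT
Mar 21 21:51:02 service=dns proto=17 action=Permit src=10.1.1.2 dst=192.0.2.10 src_port=41873 dst_port=53
Mar 21 21:51:03 service=dns proto=17 action=Permit src=10.1.1.2 dst=192.0.2.11 src_port=60021 dst_port=53
Mar 21 21:51:04 service=dns proto=17 action=Permit src=10.1.1.2 dst=192.0.2.12 src_port=33102 dst_port=53
"""


def outbound_query_ports(text):
    """Map resolver IP -> Counter of source ports used for queries to UDP/53."""
    ports = {}
    for line in text.splitlines():
        f = dict(FIELD_RE.findall(line))
        if f.get("service") != "dns" or f.get("dst_port") != "53" or "src_port" not in f:
            continue
        ports.setdefault(f["src"], Counter())[int(f["src_port"])] += 1
    return ports


def source_port_report(text, privileged_max=1023):
    """Per resolver: query count, distinct ports, fixed-port and privileged flags.

    A resolver that sends every query from one port (port 53 in the thread)
    throws away the source-port entropy of each transaction, which is the
    weakness the Kaminsky work exposed; a low fixed port also trips firewalls
    that block privileged source ports.
    """
    report = {}
    for ip, counter in outbound_query_ports(text).items():
        total = sum(counter.values())
        report[ip] = {
            "queries": total,
            "distinct": len(counter),
            "fixed": len(counter) == 1 and total > 1,
            "privileged": any(p <= privileged_max for p in counter),
        }
    return report


if __name__ == "__main__":
    for ip, r in source_port_report(SESSION_LOG).items():
        print(ip, r)
```

In BIND the behaviour this surfaces is set by the `query-source` option in named.conf: a `port 53` there pins the source port, while leaving the port unspecified (or `port *`) lets named pick a random ephemeral port for each query, which is the change Babu reports as the fix in the later reply.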
Re: Name Resolution issue with one domain
Dear Michael,

If it were related to a remote-domain NS issue, I shouldn't be able to resolve the domain from anywhere continuously. But I am able to resolve it from the Internet without any issue. The problem is only from our company BIND DNS server.

Below are the BIND GW logs:

client 10.1.1.3#63581: view localhost_resolver: query: www.dubaiairport.com IN A +E
client 10.1.1.3#63836: view localhost_resolver: query: www.dubaiairport.com IN A +
client 10.1.1.3#62249: view localhost_resolver: query: www.dubaiairport.com IN A +E
client 10.1.1.3#64215: view localhost_resolver: query: www.dubaiairport.com IN +

Below are the sniffer logs:

3.351081 10.0.0.1 -- 213.42.52.75 DNS Standard Query A www.dubaiairport.com
10.761810 10.0.0.2 -- 213.42.75.79 DNS Standard Query A www.dubaiairport.com

The above sniffer logs clearly show that we are not getting a response packet from the www.dubaiairport.com NS.

Regards
Papdheen M

From: Michael Sinatra mich...@rancid.berkeley.edu
To: babu dheen babudh...@yahoo.co.in
Cc: Bind Users Mailing List bind-users@lists.isc.org
Sent: Monday, 19 March 2012 11:43 PM
Subject: Re: Name Resolution issue with one domain

On 03/19/12 13:28, babu dheen wrote:

Dear Support,

I am trying to resolve www.dubaiairport.com from my GW BIND server as below. But I am not getting any output:

$ dig A www.dubaiairport.com
; <<>> DiG 9.3.4-P1 <<>> A www.dubaiairport.com
;; global options: printcmd
;; connection timed out; no servers could be reached

Whereas, when I try through the dubaiairport.com NS, I am getting the response as below. What could be the problem? Any idea?

$ dig @213.42.52.79 A www.dubaiairport.com
; <<>> DiG 9.3.4-P1 <<>> @213.42.52.79 A www.dubaiairport.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48514
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dubaiairport.com. IN A

;; ANSWER SECTION:
www.dubaiairport.com. 7200 IN A 213.42.55.169

;; Query time: 127 msec
;; SERVER: 213.42.52.79#53(213.42.52.79)
;; WHEN: Mon Mar 19 23:25:35 2012
;; MSG SIZE rcvd: 54

When you see this sort of situation, a good guess is that there is an authority mismatch and some/all of the authoritative NS records listed in the child zone are not responding. In this case, there is an authority mismatch:

dig +trace ns dubaiairport.com
[skip root response]
dubaiairport.com. 172800 IN NS dcaowa01.dubaiairport.com.
dubaiairport.com. 172800 IN NS svr-b003.dubaiairport.com.
[RRSIG deleted]
;; Received 608 bytes from 192.12.94.30#53(192.12.94.30) in 724 ms

dubaiairport.com. 7200 IN NS secdns.dubaiairport.com.
dubaiairport.com. 7200 IN NS auhans2.ecompany.ae.
dubaiairport.com. 7200 IN NS dxbans2.ecompany.ae.
dubaiairport.com. 7200 IN NS dxbans1.ecompany.ae.
dubaiairport.com. 7200 IN NS dcaowa01.dubaiairport.com.
dubaiairport.com. 7200 IN NS auhans1.ecompany.ae.
dubaiairport.com. 7200 IN NS svr-b003.dubaiairport.com.
;; Received 323 bytes from 213.42.52.79#53(213.42.52.79) in 279 ms

One of the above DNS servers, secdns.dubaiairport.com, isn't responding for me. Sometimes that's enough to cause intermittent timeouts for dig.

dig +nssearch dubaiairport.com
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 86400 7200 from server 213.42.52.79 in 278 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 86400 7200 from server 195.229.237.52 in 278 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 86400 7200 from server 194.170.1.99 in 282 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 86400 7200 from server 213.42.52.75 in 288 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 86400 7200 from server 194.170.1.6 in 289 ms.
SOA dcaowa01.dca.com. administrator.dubaiairport.com. 2005061961 900 600 86400 7200 from server 194.170.1.7 in 293 ms.
;; connection timed out; no servers could be reached [referring to secdns.dubaiairport.com]

michael
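Michael's diagnosis rests on comparing the NS set the parent (.com) hands out in its referral with the NS set the child zone itself publishes. The script below is an added example, not code from the thread or from ISC, that performs that comparison on dig +trace output of the kind shown above and then reports which of the advertised servers failed a direct query. The record lines are copied from Michael's output; the list of unresponsive servers is supplied by the caller (here the one he names), since checking reachability needs a live query.

```python
"""Compare parent-side and child-side NS sets for a zone (delegation check).

Added example, not code from the thread. The record lines are the ones
Michael posted; the parser assumes plain presentation-format lines of the
form 'owner ttl IN NS target' and ignores dig's ';;' comment lines.
"""
import re

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$")

PARENT_REFERRAL = """\
dubaiairport.com. 172800 IN NS dcaowa01.dubaiairport.com.
dubaiairport.com. 172800 IN NS svr-b003.dubaiairport.com.
;; Received 608 bytes from 192.12.94.30#53(192.12.94.30) in 724 ms
"""

CHILD_ANSWER = """\
dubaiairport.com. 7200 IN NS secdns.dubaiairport.com.
dubaiairport.com. 7200 IN NS auhans2.ecompany.ae.
dubaiairport.com. 7200 IN NS dxbans2.ecompany.ae.
dubaiairport.com. 7200 IN NS dxbans1.ecompany.ae.
dubaiairport.com. 7200 IN NS dcaowa01.dubaiairport.com.
dubaiairport.com. 7200 IN NS auhans1.ecompany.ae.
dubaiairport.com. 7200 IN NS svr-b003.dubaiairport.com.
;; Received 323 bytes from 213.42.52.79#53(213.42.52.79) in 279 ms
"""


def canonical(name):
    """Lower-case, absolute form so 'Foo.Example' and 'foo.example.' compare equal."""
    return name.lower().rstrip(".") + "."


def ns_set(text, zone):
    """Extract the NS targets for `zone` from dig output."""
    zone = canonical(zone)
    names = set()
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m and canonical(m.group(1)) == zone:
            names.add(canonical(m.group(3)))
    return names


def delegation_check(parent_text, child_text, zone):
    """Report NS names present on only one side of the delegation.

    Names only in the child are servers a resolver learns about once it has
    reached the zone and will then query; if one of them never answers, the
    queries sent to it time out, which is the intermittent failure in the
    thread. Names only in the parent are the reverse: delegated to but not
    acknowledged by the zone.
    """
    parent, child = ns_set(parent_text, zone), ns_set(child_text, zone)
    return {
        "consistent": parent == child,
        "parent_only": sorted(parent - child),
        "child_only": sorted(child - parent),
        "common": sorted(parent & child),
    }


def unreachable_in_delegation(check, unresponsive):
    """Servers a resolver may be handed (child set) that failed a direct query."""
    advertised = set(check["common"]) | set(check["child_only"])
    return sorted(advertised & {canonical(n) for n in unresponsive})


if __name__ == "__main__":
    result = delegation_check(PARENT_REFERRAL, CHILD_ANSWER, "dubaiairport.com")
    print(result)
    print(unreachable_in_delegation(result, ["secdns.dubaiairport.com"]))
```

For a live check, feed the function the referral section of `dig +trace ns <zone>` and the answer of `dig @<child-ns> ns <zone>`, and build the unresponsive list from per-server queries such as the `dig +nssearch` Michael used.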
Re: Name Resolution issue with one domain
Dear Anand,

Thanks for the advice. I will follow these guidelines in future for sure. Kindly let me know how I can fix this problem.

If it were related to a remote-domain NS issue, I shouldn't be able to resolve the domain from anywhere continuously. But I am able to resolve it from the Internet without any issue. The problem is only from our company BIND DNS server.

Below are the BIND GW logs:

client 10.1.1.3#63581: view localhost_resolver: query: www.dubaiairport.com IN A +E
client 10.1.1.3#63836: view localhost_resolver: query: www.dubaiairport.com IN A +
client 10.1.1.3#62249: view localhost_resolver: query: www.dubaiairport.com IN A +E
client 10.1.1.3#64215: view localhost_resolver: query: www.dubaiairport.com IN +

Below are the sniffer logs:

3.351081 10.0.0.1 -- 213.42.52.75 DNS Standard Query A www.dubaiairport.com
10.761810 10.0.0.2 -- 213.42.75.79 DNS Standard Query A www.dubaiairport.com

The above sniffer logs clearly show that we are not getting a response packet from the www.dubaiairport.com NS.

Regards
Babudheen

From: Anand Buddhdev ana...@ripe.net
To: babu dheen babudh...@yahoo.co.in
Cc: Bind Users Mailing List bind-users@lists.isc.org
Sent: Monday, 19 March 2012 11:47 PM
Subject: Re: Name Resolution issue with one domain

On 19/03/2012 21:28, babu dheen wrote:

Babu,

Dear Support,

I am trying to resolve www.dubaiairport.com from my GW BIND server as below. But I am not getting any output:

$ dig A www.dubaiairport.com
; <<>> DiG 9.3.4-P1 <<>> A www.dubaiairport.com
;; global options: printcmd
;; connection timed out; no servers could be reached

Whereas, when I try through the dubaiairport.com NS, I am getting the response as below. What could be the problem? Any idea?

It could be any number of things, and your vague question doesn't provide any useful information for anyone to even begin guessing at the problem.

First of all, learn how to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html

Next, try looking at the logs of your BIND server; perhaps it has logged the reason for this resolution failure.

Regards,
Anand Buddhdev
RIPE NCC
Name Resolution issue with one domain
Dear Support,

I am trying to resolve www.dubaiairport.com from my GW BIND server as below. But I am not getting any output:

$ dig A www.dubaiairport.com
; <<>> DiG 9.3.4-P1 <<>> A www.dubaiairport.com
;; global options: printcmd
;; connection timed out; no servers could be reached

Whereas, when I try through the dubaiairport.com NS, I am getting the response as below. What could be the problem? Any idea?

$ dig @213.42.52.79 A www.dubaiairport.com
; <<>> DiG 9.3.4-P1 <<>> @213.42.52.79 A www.dubaiairport.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48514
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dubaiairport.com. IN A

;; ANSWER SECTION:
www.dubaiairport.com. 7200 IN A 213.42.55.169

;; Query time: 127 msec
;; SERVER: 213.42.52.79#53(213.42.52.79)
;; WHEN: Mon Mar 19 23:25:35 2012
;; MSG SIZE rcvd: 54
Re: Name resolution issue on one domain
Dear Lyle,

Yes, you are correct. The problem was on my side. I took care of it by removing this domain from the sinkhole.

Regards
Babu

--- On Fri, 13/1/12, Lyle Giese l...@lcrcomputer.net wrote:

From: Lyle Giese l...@lcrcomputer.net
Subject: Re: Name resolution issue on one domain
To: bind-users@lists.isc.org
Cc: babu dheen babudh...@yahoo.co.in
Date: Friday, 13 January, 2012, 8:33 PM

With dig, you ARE getting a result. Just not the result that is expected. nslookup gives you no clues as to the issue, but this output does, once you learn how to read it.

Do this:

dig @ns1.google.com soa fpdns.googlecode.com

and compare. I think you need to carefully review your named.conf on that server. Dig is providing additional information that nslookup doesn't. The SOA line is bogus, and the appearance of localhost in there makes me think you have a mistake in your named.conf, or someone has poisoned your cache (unlikely, as this answer does not give the bad guy anything; they usually try to redirect queries to their servers and this won't).

Lyle Giese
LCR Computer Services, Inc.

On 01/12/12 23:15, babu dheen wrote:

Yes, I did for ns1, ns2, ns3 and ns4 as well. But when I do dig @127.0.0.1 I am not getting any result. Below is the output. Really I don't have any idea why.

$ dig @127.0.0.1 fpdns.googlecode.com
; <<>> DiG 1-RedHat-9.3.6-16.P1.el5_7.1 <<>> @127.0.0.1 fpdns.googlecode.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37398
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fpdns.googlecode.com. IN A

;; AUTHORITY SECTION:
googlecode.com. 600 IN SOA localhost.googlecode.com. root.localhost. 2 10800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 13 08:12:21 2012
;; MSG SIZE rcvd: 98

--- On Fri, 13/1/12, Lyle Giese l...@lcrcomputer.net wrote:

From: Lyle Giese l...@lcrcomputer.net
Subject: Re: Name resolution issue on one domain
To:
Cc: bind-users@lists.isc.org
Date: Friday, 13 January, 2012, 1:05 AM

I am going to 'assume' that you also did a dig query against the other three google.com servers and they all answered satisfactorily. But if you did not, you need to query ns3 and ns4; you already got a good answer from ns1 and ns2.

Try:

dig @127.0.0.1 fpdns.googlecode.com

What program is running on 127.0.0.1 udp port 53?

On 01/12/12 12:54, babu dheen wrote:

Dear Lyle,

The below method works fine, but when I run nslookup fpdns.googlecode.com again, I am not getting any response. What could be the issue? Below is the complete result output.

]$ dig +trace fpdns.googlecode.com
; <<>> DiG 1-RedHat-9.3.6-16.P1.el5_7.1 <<>> +trace fpdns.googlecode.com
;; global options: printcmd
. 454976 IN NS b.root-servers.net.
. 454976 IN NS c.root-servers.net.
. 454976 IN NS d.root-servers.net.
. 454976 IN NS e.root-servers.net.
. 454976 IN NS f.root-servers.net.
. 454976 IN NS g.root-servers.net.
. 454976 IN NS h.root-servers.net.
. 454976 IN NS i.root-servers.net.
. 454976 IN NS j.root-servers.net.
. 454976 IN NS k.root-servers.net.
. 454976 IN NS l.root-servers.net.
. 454976 IN NS m.root-servers.net.
. 454976 IN NS a.root-servers.net.
;; Received 272 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
;; Received 498 bytes from 192.228.79.201#53(b.root-servers.net) in 262 ms
googlecode.com. 172800 IN NS ns2.google.com.
googlecode.com. 172800 IN NS ns1.google.com.
googlecode.com. 172800 IN NS ns3.google.com.
googlecode.com. 172800 IN NS ns4.google.com.
;; Received
Name resolution issue on one domain
Dear,

We have two gateway DNS servers running BIND. One DNS server is using one ISP link and the other DNS server is using another ISP link. Today I tried to resolve the below URL from one DNS server and it's not working, whereas the same lookup is working fine on the other DNS server.

Non-authoritative answer:
Name: googlecode.l.google.com
Address: 173.194.69.82
Aliases: fpdns.googlecode.com

Any idea as to why one GW DNS server is not giving a result? Except for this domain, all other domain-name lookups are happening fine on the same DNS server. How can I find out the exact reason?

Regards
Babu
Re: Name resolution issue on one domain
Hi,

I can see only the below line in the logs, which is not very useful. Actually I would like to find out where exactly the DNS query is blocked during the query process.

client 127.0.0.1#46547: view localhost_resolver: query: fpdns.googlecode.com IN A +

Regards
babu

--- On Thu, 12/1/12, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

From: Matus UHLAR - fantomas uh...@fantomas.sk
Subject: Re: Name resolution issue on one domain
To: bind-users@lists.isc.org
Date: Thursday, 12 January, 2012, 4:00 PM

On 12.01.12 15:37, babu dheen wrote:

We have two gateway DNS servers running BIND. One DNS server is using one ISP link and the other DNS server is using another ISP link. Today I tried to resolve the below URL from one DNS server and it's not working, whereas the same lookup is working fine on the other DNS server.

Non-authoritative answer:
Name: googlecode.l.google.com
Address: 173.194.69.82
Aliases: fpdns.googlecode.com

Any idea as to why one GW DNS server is not giving a result? Except for this domain, all other domain-name lookups are happening fine on the same DNS server. How can I find out the exact reason?

Start with searching in the logs of the second server.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Fighting for peace is like fucking for virginity...
Re: Name resolution issue on one domain
Yes, I did for ns1, ns2, ns3 and ns4 as well. But when I do dig @127.0.0.1 I am not getting any result. Below is the output. Really I don't have any idea why.

$ dig @127.0.0.1 fpdns.googlecode.com
; <<>> DiG 1-RedHat-9.3.6-16.P1.el5_7.1 <<>> @127.0.0.1 fpdns.googlecode.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37398
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fpdns.googlecode.com. IN A

;; AUTHORITY SECTION:
googlecode.com. 600 IN SOA localhost.googlecode.com. root.localhost. 2 10800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 13 08:12:21 2012
;; MSG SIZE rcvd: 98

--- On Fri, 13/1/12, Lyle Giese l...@lcrcomputer.net wrote:

From: Lyle Giese l...@lcrcomputer.net
Subject: Re: Name resolution issue on one domain
To:
Cc: bind-users@lists.isc.org
Date: Friday, 13 January, 2012, 1:05 AM

I am going to 'assume' that you also did a dig query against the other three google.com servers and they all answered satisfactorily. But if you did not, you need to query ns3 and ns4; you already got a good answer from ns1 and ns2.

Try:

dig @127.0.0.1 fpdns.googlecode.com

What program is running on 127.0.0.1 udp port 53?

On 01/12/12 12:54, babu dheen wrote:

Dear Lyle,

The below method works fine, but when I run nslookup fpdns.googlecode.com again, I am not getting any response. What could be the issue? Below is the complete result output.

]$ dig +trace fpdns.googlecode.com
; <<>> DiG 1-RedHat-9.3.6-16.P1.el5_7.1 <<>> +trace fpdns.googlecode.com
;; global options: printcmd
. 454976 IN NS b.root-servers.net.
. 454976 IN NS c.root-servers.net.
. 454976 IN NS d.root-servers.net.
. 454976 IN NS e.root-servers.net.
. 454976 IN NS f.root-servers.net.
. 454976 IN NS g.root-servers.net.
. 454976 IN NS h.root-servers.net.
. 454976 IN NS i.root-servers.net.
. 454976 IN NS j.root-servers.net.
. 454976 IN NS k.root-servers.net.
. 454976 IN NS l.root-servers.net.
. 454976 IN NS m.root-servers.net.
. 454976 IN NS a.root-servers.net.
;; Received 272 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
;; Received 498 bytes from 192.228.79.201#53(b.root-servers.net) in 262 ms
googlecode.com. 172800 IN NS ns2.google.com.
googlecode.com. 172800 IN NS ns1.google.com.
googlecode.com. 172800 IN NS ns3.google.com.
googlecode.com. 172800 IN NS ns4.google.com.
;; Received 181 bytes from 192.35.51.30#53(f.gtld-servers.net) in 217 ms
fpdns.googlecode.com. 86400 IN CNAME googlecode.l.google.com.
googlecode.l.google.com. 300 IN A 173.194.67.82
;; Received 88 bytes from 216.239.34.10#53(ns2.google.com) in 130 ms

#
$ dig @ns1.google.com fpdns.googlecode.com
; <<>> DiG 1-RedHat-9.3.6-16.P1.el5_7.1 <<>> @ns1.google.com fpdns.googlecode.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24193
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fpdns.googlecode.com. IN A

;; ANSWER SECTION:
fpdns.googlecode.com. 86400 IN CNAME googlecode.l.google.com.
googlecode.l.google.com. 300 IN A 173.194.67.82

;; Query time: 123 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Thu Jan 12 21:50:11 2012
;; MSG SIZE rcvd: 88

#3
]$ nslookup fpdns.googlecode.com
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find fpdns.googlecode.com: NXDOMAIN
exit

--- On Thu, 12/1/12, Lyle
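Lyle's reading of the dig output in this thread (and in the resolution above, where the domain turned out to be in a local sinkhole) comes down to two details: the answer from 127.0.0.1 carries the "aa" flag alongside "ra", and the SOA names localhost. The script below is an added example, not code from the thread or from ISC, that applies those two checks to dig's presentation output. DIG_OUTPUT is the answer Babu posted (with the "<<>>" and "->>HEADER<<-" markers the archive stripped restored); CLEAN_OUTPUT is a constructed answer of the healthy shape for contrast.

```python
"""Tell a resolver's own local zone apart from a real NXDOMAIN in dig output.

Added example, not code from the thread. DIG_OUTPUT is the answer posted in
the thread (markers that the archive stripped put back); CLEAN_OUTPUT is a
constructed answer of the healthy shape.
"""
import re

DIG_OUTPUT = """\
; <<>> DiG 1-RedHat-9.3.6-16.P1.el5_7.1 <<>> @127.0.0.1 fpdns.googlecode.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37398
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;fpdns.googlecode.com. IN A

;; AUTHORITY SECTION:
googlecode.com. 600 IN SOA localhost.googlecode.com. root.localhost. 2 10800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

CLEAN_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24193
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
fpdns.googlecode.com. 86400 IN CNAME googlecode.l.google.com.
googlecode.l.google.com. 300 IN A 173.194.67.82
"""

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+(\S+)")


def parse_dig(text):
    """Pull status, header flags and any SOA out of dig's presentation output."""
    info = {"status": None, "flags": set(), "soa": None}
    for line in text.splitlines():
        if line.startswith(";;") and "status:" in line:
            info["status"] = STATUS_RE.search(line).group(1)
            continue
        m = FLAGS_RE.match(line)
        if m:
            info["flags"] = set(m.group(1).split())
            continue
        m = SOA_RE.match(line)
        if m:
            info["soa"] = {"zone": m.group(1), "mname": m.group(2), "rname": m.group(3)}
    return info


def local_zone_verdict(text):
    """Decide whether a recursive resolver answered from a zone it hosts itself.

    Two tell-tales: the 'aa' flag together with 'ra' (a recursive server sets
    'aa' only for zones configured locally, e.g. a sinkhole or a stray zone
    statement), and an SOA whose MNAME/RNAME point at localhost instead of
    the real operator.
    """
    info = parse_dig(text)
    reasons = []
    if {"aa", "ra"} <= info["flags"]:
        reasons.append("authoritative answer ('aa') from a recursive server")
    soa = info["soa"]
    if soa and ("localhost" in soa["mname"] or "localhost" in soa["rname"]):
        reasons.append(f"SOA for {soa['zone']} names {soa['mname']} {soa['rname']}")
    return {
        "status": info["status"],
        "zone": soa["zone"] if soa else None,
        "local_zone": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    print(local_zone_verdict(DIG_OUTPUT))
    print(local_zone_verdict(CLEAN_OUTPUT))
```

When the verdict names a zone, the next step is the one Lyle suggests: search named.conf (and any RPZ or sinkhole files it includes) for a zone statement covering that name and compare with `dig @ns1.google.com soa` for the real SOA.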
Re: huge count of DNS deny hits
Thanks Fajar. I will handle it further.

Regards
Babu

--- On Wed, 11/1/12, Fajar A. Nugraha w...@fajar.net wrote:

From: Fajar A. Nugraha w...@fajar.net
Subject: Re: huge count of DNS deny hits
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org
Date: Wednesday, 11 January, 2012, 1:59 PM

On Wed, Jan 11, 2012 at 1:27 PM, babu dheen babudh...@yahoo.co.in wrote:

Dear Fajar,

The below logs were taken from the internal DNS server running Microsoft DNS.

Then why did you ask this list instead of contacting MS support?

I checked the client's AV status; everything is fine (the system is up to date with DAT from McAfee AV and no threat was found in the complete scan output). But really no idea why it happens. The client is pointed to use a different DNS server, but the DNS query flood is being sent to another DNS server.

AV doesn't catch all threats.

Anyway, from bind's perspective, a dns query asking for bind version is a valid TXT query. But the query can be used by malware, vulnerability scanners, or hackers looking for vulnerable bind versions. In a way, it's similar to ICMP echo (i.e. ping) packets. It's a valid packet, but a lot of virus/malware is using it to determine which neighbour hosts to attack. How do you handle ICMP flood cases? The same mechanism should be applicable in this case.

--
Fajar
Re: huge count of DNS deny hits
Hi,

I enabled the logs in the DNS server and I found the below lines from this client continuously:

1/10/2012 9:14:30 AM 0FDC PACKET 05B489B0 UDP Snd Client IP 1f23 Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET 07342360 UDP Rcv Client IP c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET 07342360 UDP Snd Client IP c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET 04D728F0 UDP Rcv Client IP a96a Q [0005 A D NOERROR] TXT (7)version(4)bind(0)

Is it something to do with Multicast DNS? Can you give me more details about Multicast DNS?

Regards
Papdheen M

--- On Mon, 9/1/12, Fajar A. Nugraha w...@fajar.net wrote:

From: Fajar A. Nugraha w...@fajar.net
Subject: Re: huge count of DNS deny hits
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org
Date: Monday, 9 January, 2012, 12:16 PM

On Mon, Jan 9, 2012 at 1:37 PM, babu dheen babudh...@yahoo.co.in wrote:

Unfortunately, I have not enabled logs in my internal DNS server.

You just dismissed the only reliable source of information

Any idea ..

Without logs, you only have assumptions. The best assumption at this point is that the client probably has a virus/malware, whose activity (one of them anyway) is to look for vulnerable DNS servers.

--
Fajar
Re: huge count of DNS deny hits
Dear Fajar,

The below logs were taken from the internal DNS server running Microsoft DNS. I checked the client's AV status; everything is fine (the system is up to date with DAT from McAfee AV and no threat was found in the complete scan output). But really no idea why it happens. The client is pointed to use a different DNS server, but the DNS query flood is being sent to another DNS server.

Regards
Babu

--- On Wed, 11/1/12, Fajar A. Nugraha w...@fajar.net wrote:

From: Fajar A. Nugraha w...@fajar.net
Subject: Re: huge count of DNS deny hits
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org
Date: Wednesday, 11 January, 2012, 10:55 AM

On Wed, Jan 11, 2012 at 12:11 PM, babu dheen babudh...@yahoo.co.in wrote:

Hi,

I enabled the logs in the DNS server and I found the below lines from this client continuously:

1/10/2012 9:14:30 AM 0FDC PACKET 05B489B0 UDP Snd Client IP 1f23 Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET 07342360 UDP Rcv Client IP c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET 07342360 UDP Snd Client IP c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET 04D728F0 UDP Rcv Client IP a96a Q [0005 A D NOERROR] TXT (7)version(4)bind(0)

What log is this? AFAIK BIND log does not look like this. Is this firewall log?

Is it something to do with Multicast DNS?

... and how did you determine that? wild guess?

Can you give me more details about Multicast DNS?

Try google, although I don't think that's your problem.

It might simply be the case that the client is infected with virus/malware which targets a vulnerability in certain versions of bind, so it'd make sense that it first sends out a DNS query that asks for the bind version number (e.g. http://www.brandonhutchinson.com/Determining_hiding_BIND_version_number.html)

Some things you might be able to do:
- setup a firewall rule that can ratelimit udp packets from any client (e.g. iptables can do this)
- make sure your bind version is up-to-date (well, it's true for any other software)
- configure named.conf not to show its version (use Google or bind manual to find out how)

With those three steps in place, it shouldn't matter what queries the client does, as the system will either ignore it, reply with useless information, or automatically block it. However, if it still causes problems (e.g. lots of UDP traffic eating up your bandwidth), then simply block the client manually.

--
Fajar
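Two of Fajar's points lend themselves to a check: spotting the client that keeps asking for version.bind in the debug log, and confirming that named.conf actually overrides the version string. The script below is an added example, not code from the thread, from ISC or from Microsoft. It parses Microsoft DNS debug-log lines of the format Babu posted (the "Client IP" field was redacted there, so 192.0.2.77 and 192.0.2.78 are constructed placeholders), decodes the wire-form name "(7)version(4)bind(0)", counts version.bind TXT queries per client, and then checks two constructed named.conf fragments for the BIND `version` option.

```python
"""Count version.bind TXT queries per client in a Microsoft DNS debug log and
check a named.conf fragment for a 'version' override.

Added example, not code from the thread. The log lines follow the format
posted there; 'Client IP' was redacted, so 192.0.2.77 / 192.0.2.78 are
constructed placeholders. The named.conf fragments are constructed too.
"""
import re
from collections import Counter

MSDNS_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) \w+ PACKET \w+ UDP (?P<dir>Snd|Rcv) "
    r"(?P<client>[\d.]+) +(?P<xid>[0-9a-f]{4}) (?P<rq>[QR]) \[(?P<flags>[^\]]*)\] "
    r"(?P<qtype>\w+) +(?P<qname>\S+)"
)

MSDNS_LOG = """\
1/10/2012 9:14:30 AM 0FDC PACKET 05B489B0 UDP Snd 192.0.2.77 1f23 Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET 07342360 UDP Rcv 192.0.2.77 c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET 07342360 UDP Snd 192.0.2.77 c63c Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:30 AM 0FDC PACKET 04D728F0 UDP Rcv 192.0.2.77 a96a Q [0005 A D NOERROR] TXT (7)version(4)bind(0)
1/10/2012 9:14:31 AM 0FDC PACKET 04D72A10 UDP Rcv 192.0.2.78 0b1c Q [0001 D NOERROR] A (3)www(7)example(3)com(0)
"""

# Constructed fragments: the first relies on the default (real version is
# reported), the second sets the 'version' option so probes learn nothing.
NAMED_CONF_WEAK = """\
options {
    directory "/var/named";
    recursion yes;
};
"""
NAMED_CONF_HARDENED = """\
options {
    directory "/var/named";
    recursion yes;
    version "not disclosed";
};
"""


def decode_name(label_form):
    """Turn the debug log's '(7)version(4)bind(0)' into 'version.bind.'."""
    labels = re.findall(r"\(\d+\)([^(]*)", label_form)
    return ".".join(l for l in labels if l) + "."


def parse_msdns(text):
    """Parse debug-log packet lines into dicts; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = MSDNS_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["qname"] = decode_name(ev["qname"])
            events.append(ev)
    return events


def version_probe_counts(text):
    """Counter of (client, direction) for TXT queries naming version.bind."""
    counts = Counter()
    for ev in parse_msdns(text):
        if ev["rq"] == "Q" and ev["qtype"] == "TXT" and ev["qname"] == "version.bind.":
            counts[(ev["client"], ev["dir"])] += 1
    return counts


def noisy_clients(text, threshold):
    """Clients from which at least `threshold` version.bind queries were received."""
    counts = version_probe_counts(text)
    return sorted(ip for (ip, d), n in counts.items() if d == "Rcv" and n >= threshold)


def named_conf_hides_version(conf):
    """True if the options block sets 'version' (a custom string or 'none')."""
    m = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    body = m.group(1) if m else ""
    return re.search(r'^\s*version\s+(none|"[^"]*")\s*;', body, re.M) is not None


if __name__ == "__main__":
    print(version_probe_counts(MSDNS_LOG))
    print("noisy:", noisy_clients(MSDNS_LOG, 2))
    print("weak hides version:", named_conf_hides_version(NAMED_CONF_WEAK))
    print("hardened hides version:", named_conf_hides_version(NAMED_CONF_HARDENED))
```

The threshold is a per-window count and is set by the caller; the value 2 used for this five-line sample is only there to exercise the check. Fajar's other two steps (keeping BIND current and rate-limiting UDP at the firewall) are operational and not something a log parser can verify.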
Help to identify Microsoft DNS version
Dear All,

Can anyone help me with how to find the BIND/Microsoft DNS software version using the dig or nslookup command remotely?

Regards
Babu
huge count of DNS deny hits
Dear All,

Today we noticed one peculiar issue in our firewall logs. We have an internal DNS server running BIND which is protected by a firewall. All clients are allowed to perform DNS lookups using our BIND internal DNS server (so only UDP 53 is allowed from the LAN to the DNS server in the firewall). But we noticed many DNS deny hits from the BIND internal server to one client server (hit count around 6,00,00,000) in a day, and at the same time we saw around 5,00,000 allowed DNS lookup hits from that particular client to the internal DNS server. Can you guide me as to in what situation this kind of problem can occur?

Regards
Babu
Re: huge count of DNS deny hits
Dear Sebastian,

Thanks for the update. I would like to inform you about another finding on this: my IPS report shows DNS version requests from the said client to my DNS server more than 2000 times. Unfortunately, I have not enabled logs in my internal DNS server.

Any idea ..

Regards
Babu

--- On Mon, 9/1/12, Sebastian Tymków sebastian.tym...@gmail.com wrote:

From: Sebastian Tymków sebastian.tym...@gmail.com
Subject: Re: huge count of DNS deny hits
To: babu dheen babudh...@yahoo.co.in
Date: Monday, 9 January, 2012, 1:39 AM

Hello,

Did you check what kind of queries your client performed? Sometimes I saw hits like yours on my DNS servers. When I checked my logs I saw that most queries asked for the same Internet address, which guided me to the idea that the client might have a virus.

Best regards,
Shamrock

On Sun, Jan 8, 2012 at 2:03 PM, babu dheen babudh...@yahoo.co.in wrote:

Dear All,

Today we noticed one peculiar issue in our firewall logs. We have an internal DNS server running BIND which is protected by a firewall. All clients are allowed to perform DNS lookups using our BIND internal DNS server (so only UDP 53 is allowed from the LAN to the DNS server in the firewall). But we noticed many DNS deny hits from the BIND internal server to one client server (hit count around 6,00,00,000) in a day, and at the same time we saw around 5,00,000 allowed DNS lookup hits from that particular client to the internal DNS server. Can you guide me as to in what situation this kind of problem can occur?

Regards
Babu
Re: Suspicious DNS queries dropped by Firewall
In this case, do you think that internal users are trying to send emails directly to the internet? Email delivery is taken care of by the Email Gateway device; obviously, DKIM verification (if enabled) can only be done by the Email Gateway of my company... How does an internal client make a DKIM query which uses the TXT record in DNS?

Can you tell me a list of URLs whose size exceeds 514 bytes, to verify whether my internal server truncates/returns a failure code when I query such a URL using a UDP query?

Regards
Babu

--- On Tue, 13/12/11, SM s...@resistor.net wrote:

From: SM s...@resistor.net
Subject: Re: Suspicious DNS queries dropped by Firewall
To: bind-users@lists.isc.org
Date: Tuesday, 13 December, 2011, 9:12 PM

At 04:46 13-12-2011, babu dheen wrote:
> In what situation can the DNS packet size exceed 512 bytes? In fact, my gateway

DNS TXT records used for DKIM, for example.

Regards,
-sm
Suspicious DNS queries dropped by Firewall
Hi,

Our company users are using internal DNS servers for name resolution, and the internal DNS servers are configured to forward DNS queries to the company gateway DNS servers for external queries:

User --- internal DNS server --- gateway DNS server --- internet

But when I look at the firewall hits, I can see the gateway DNS server is again sending a DNS query to the internal DNS server, and the same is denied in the firewall with the below error:

Dropped UDP DNS reply from OUTSIDE:gateway-dns-ip/53 to DMZ50:internal-dns-ip/63953; packet length 526 bytes exceeds configured limit of 512 bytes

Any idea?

Regards
Papdheen M
Re: Suspicious DNS queries dropped by Firewall
Dear Anand,

In what situation can the DNS packet size exceed 512 bytes? In fact, my gateway DNS server should not contact the internal DNS server except for internal domain name resolution, if any user accesses an internal website through the proxy. My proxy is using the gateway DNS for name resolution. So if any user accesses an internal website through the proxy, the proxy will send the name lookup to the gateway DNS and the gateway DNS will forward the request to the internal DNS server. In this case, will the internal domain DNS query exceed 512 bytes?

Regards
Papdheen M

--- On Tue, 13/12/11, Anand Buddhdev ana...@ripe.net wrote:

From: Anand Buddhdev ana...@ripe.net
Subject: Re: Suspicious DNS queries dropped by Firewall
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org
Date: Tuesday, 13 December, 2011, 5:39 PM

On 13/12/2011 13:04, babu dheen wrote:
> Hi,
>
> Our company users are using internal DNS servers for name resolution, and the internal DNS servers are configured to forward DNS queries to the company gateway DNS servers for external queries:
>
> User --- internal DNS server --- gateway DNS server --- internet
>
> But when I look at the firewall hits, I can see the gateway DNS server is again sending a DNS query to the internal DNS server, and the same is denied in the firewall with the below error:
>
> Dropped UDP DNS reply from OUTSIDE:gateway-dns-ip/53 to DMZ50:internal-dns-ip/63953; packet length 526 bytes exceeds configured limit of 512 bytes

Your firewall is misconfigured. Who said DNS reply packets cannot be bigger than 512 bytes? You need to reconfigure your firewall, and remove that 512-byte limit for DNS queries and responses.
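The question running through this thread, in what situation a DNS reply exceeds 512 bytes, comes down to the 512-byte UDP limit of RFC 1035 versus EDNS0 (RFC 6891), which lets a client advertise a larger UDP payload in an OPT record. TXT records such as DKIM keys, and DNSSEC-signed answers, routinely exceed 512 bytes. A server that gets a non-EDNS query for such data sends only the header and question with TC=1 and the client retries over TCP, so a firewall that drops UDP DNS above 512 bytes, or blocks TCP/53, breaks resolution rather than hardening it. The script below is an added example, not code from the thread or from ISC: it builds the query and reply on the wire with the standard library, using a constructed DKIM-style TXT record and the hypothetical name selector._domainkey.example.com. A real server would also echo an OPT record in the EDNS reply; that is omitted here.

```python
"""Added example (not from the thread or ISC): build a DNS query and a TXT reply
on the wire to show when a reply exceeds 512 bytes and what the server does then.
Standard library only; the DKIM-style TXT record is constructed sample data."""
import struct

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels plus a zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def skip_name(buf, off):
    """Offset just past the name starting at `off` (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte pointer terminates the name
            return off + 2
        off += 1 + length

def build_query(name, qtype, edns_udp_size=None, txid=0x1234):
    """Recursive query; with edns_udp_size, append an OPT pseudo-RR (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL 0, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg

def advertised_udp_size(query):
    """UDP payload size the client accepts: OPT CLASS if present, else RFC 1035's 512."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return 512

def txt_chunks(text, size=255):
    """Split text into the <=255-byte character-strings that make up TXT RDATA."""
    return [text[i:i + size] for i in range(0, len(text), size)]

def build_txt_response(query, strings, ttl=300):
    """Authoritative answer to `query` with one TXT RR (owner compressed to the question)."""
    qend = skip_name(query, 12) + 4
    rdata = b"".join(bytes([len(s)]) + s.encode("ascii") for s in strings)
    header = query[0:2] + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0)   # QR=1, AA=1
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    return header + query[12:qend] + answer

def udp_reply(response, max_payload):
    """What goes out over UDP. A reply that does not fit is cut back to header plus
    question with TC=1 (RFC 1035 4.2.1); the client is expected to retry over TCP."""
    if len(response) <= max_payload:
        return response, False
    qend = skip_name(response, 12) + 4
    flags = struct.unpack("!H", response[2:4])[0] | 0x0200           # set TC
    header = response[0:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0)
    return header + response[12:qend], True

if __name__ == "__main__":
    # Constructed DKIM-style record; a real 2048-bit RSA key is ~400 base64 bytes.
    dkim = "v=DKIM1; k=rsa; p=" + "A" * 600
    name = "selector._domainkey.example.com"      # hypothetical name
    for size in (None, 4096):
        q = build_query(name, 16, edns_udp_size=size)
        full = build_txt_response(q, txt_chunks(dkim))
        wire, tc = udp_reply(full, advertised_udp_size(q))
        print(f"EDNS {size or 'off'}: full reply {len(full)} bytes, "
              f"sent {len(wire)} bytes, TC={tc}")
```

Run as is, it shows the 682-byte reply going out intact when the client advertised 4096 bytes and collapsing to a 49-byte TC=1 stub when it did not. That TCP retry is exactly the traffic a 512-byte UDP cap plus a closed TCP/53 would kill; the fix is the one Anand gives, remove the cap, and make sure TCP/53 is open in both directions.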
undefined ACL error while running named-checkconf file
Hello,

I am running a slave DNS server using BIND. Today when I try to run named-checkconf as below, I am getting the highlighted error. Kindly assist me.

[root@server]# named-checkconf /etc/named.rfc1912.zones
/etc/named.rfc1912.zones:78: undefined ACL 'redhat'
/etc/named.rfc1912.zones:85: undefined ACL 'redhat'
/etc/named.rfc1912.zones:92: undefined ACL 'redhat'
/etc/named.rfc1912.zones:100: undefined ACL 'redhat'

1. My /etc/named.rfc1912.zones file is given below:

zone "." IN {
    type hint;
    file "named.ca";
};

zone "227.18.217.in-addr.arpa" IN {
    type slave;
    file "slaves/svns.company.db";
    allow-query { redhat; };
    masters { 10.0.0.1; };
};

zone "226.18.217.in-addr.arpa" IN {
    type slave;
    file "slaves/MX.db";
    allow-query { redhat; };
    masters { 10.0.0.1; };
};

zone "225.18.217.in-addr.arpa" IN {
    type slave;
    file "slaves/VPN.db";
    allow-query { redhat; };
    masters { 10.0.0.1; };
};

zone "232.18.217.in-addr.arpa" IN {
    type slave;
    file "slaves/drns.company.db";
    allow-query { redhat; };
    masters { 10.0.0.1; };
};

2. My /etc/named.caching-nameserver.conf file content:

acl redhat { any; };

options {
    listen-on port 53 { 127.0.0.1; 10.0.0.2; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    query-source port 53;
};  // closing brace missing from the pasted config; restored here

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    channel my_file {
        file "data/log.msgs";
        severity dynamic;
    };
    category queries { my_file; };
};

view localhost_resolver {
    match-clients { localhost; 10.0.0.1/23; any; };
    match-destinations { localhost; };
    recursion yes;
    include "/etc/named.rfc1912.zones";
};  // closing brace missing from the pasted config; restored here

Regards
Papdheen M
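named-checkconf treats the file it is given as the whole configuration, so checking /etc/named.rfc1912.zones on its own cannot see the acl redhat that /etc/named.caching-nameserver.conf defines before including it, and BIND allows no forward references: an acl must be defined before any statement uses it. Point the checker at the top-level file instead (named-checkconf /etc/named.caching-nameserver.conf in this layout, or named-checkconf -z to load the zones as well) and the error goes away. The script below is an added example, not ISC code: it walks a named.conf and its include files in the order named reads them and reports address-list references to ACLs that are not yet defined. The two-file sample it writes to a temporary directory is constructed to mirror the post. One separate caveat on the options shown: query-source port 53 pins every outgoing query to one source port and so disables the source-port randomisation BIND relies on against cache poisoning; unless a firewall genuinely requires it, remove that line.

```python
"""Added example (not ISC code): find address-list references to ACLs that BIND
would reject as undefined, walking include files in the order named reads them."""
import os
import re
import tempfile

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

TOKEN = re.compile(
    r'\bacl\s+"?(?P<acl>[\w.-]+)"?\s*\{'                       # acl NAME {
    r'|\binclude\s+"(?P<inc>[^"]+)"\s*;'                          # include "file";
    r'|\b(?P<list>allow-(?:query-cache|query|transfer|recursion|update)'
    r'|match-(?:clients|destinations)|blackhole)\s*\{(?P<body>[^}]*)\}')

def strip_comments(text):
    """Drop /* */, // and # comments so commented-out statements are not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def check_acls(path, defined=None, base=None):
    """Return [(file, acl_name)] for every address list that names an ACL not
    defined earlier in the configuration (BIND allows no forward references)."""
    defined = set(BUILTIN_ACLS) if defined is None else defined
    base = base if base is not None else os.path.dirname(path)
    problems = []
    with open(path) as fh:
        text = strip_comments(fh.read())
    for m in TOKEN.finditer(text):
        if m.group("acl"):
            defined.add(m.group("acl"))
        elif m.group("inc"):
            inc = m.group("inc")
            target = inc if os.path.isabs(inc) else os.path.join(base, inc)
            problems += check_acls(target, defined, base)
        else:
            for item in m.group("body").split(";"):
                name = item.strip().lstrip("!").strip().strip('"')
                # skip empty items, IP addresses/prefixes and "key NAME" entries
                if not name or name[0].isdigit() or ":" in name or name.startswith("key"):
                    continue
                if name not in defined:
                    problems.append((os.path.basename(path), name))
    return problems

def make_sample_tree():
    """Constructed two-file layout mirroring the post: the ACL lives in the main
    file, the zones file that uses it is pulled in by include. Returns both paths."""
    root = tempfile.mkdtemp()
    zones = os.path.join(root, "named.rfc1912.zones")
    main = os.path.join(root, "named.conf")
    with open(zones, "w") as fh:
        fh.write('zone "227.18.217.in-addr.arpa" IN {\n'
                 '    type slave;\n    file "slaves/svns.company.db";\n'
                 '    allow-query { redhat; };\n    masters { 10.0.0.1; };\n};\n')
    with open(main, "w") as fh:
        fh.write('acl redhat { any; };\n'
                 'options {\n    directory "/var/named";\n    allow-transfer { none; };\n};\n'
                 'view localhost_resolver {\n'
                 '    match-clients { localhost; 10.0.0.0/23; };\n    recursion yes;\n'
                 '    include "named.rfc1912.zones";\n};\n')
    return main, zones

if __name__ == "__main__":
    main, zones = make_sample_tree()
    # Checking the included file alone reproduces the post's error; the whole
    # configuration read from the top-level file is clean.
    print("zones file alone :", check_acls(zones))
    print("from named.conf  :", check_acls(main))
```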
Re: undefined ACL error while running named-checkconf file
Dear Anand,

Yes, both primary and slave are running with different versions. Will it cause any problem if both are running with different versions?

--- On Sat, 3/12/11, Anand Buddhdev ana...@ripe.net wrote:

From: Anand Buddhdev ana...@ripe.net
Subject: Re: undefined ACL error while running named-checkconf file
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org
Date: Saturday, 3 December, 2011, 5:26 PM

Babu,

On 03/12/2011 12:44, babu dheen wrote:
> I am maintaining the same configuration on the primary server, but when I execute the same command referring to the /etc/named.rfc1912.zones file, I am not getting any error.

Are the files identical? Are the versions of BIND on both servers the same? Obviously, there must be something different, which results in the error message.

> But when I execute the same command in my slave server, I am getting this error. Can you tell me how to enable the debug logs in bind?

Try reading the BIND manual first. If you don't understand something specific, ask about it on the bind-users mailing list.

Regards,
Anand
Configuration RPZ using BIND RPM package
Hello All,

I am running a BIND caching name server in my company, and I installed the caching name server RPM package (caching-nameserver-9.3.6-16.P1.el5_7.1) through Red Hat Network directly via YUM. Now I would like to include RPZ (Response Policy Zone) functionality with the BIND caching server, but this RPZ functionality is not yet included in the BIND caching-nameserver RPM package.

Is it possible to configure RPZ by downloading the Bind.tar.gz file from the ISC website? If yes, do I need to completely remove all the running configuration, including the /etc/named.rfc1912.zones and /etc/named.caching-nameserver.conf files?

Kindly suggest.

Regards
Babu
(Non-existent domain) query lookup logs in a separate log file
Dear Support,

Can anyone help me with how to enable a separate log file for NXDOMAIN (non-existent domain) DNS query lookups in BIND?

Regards
Papdheen M
Re: DNS Sinkhole in BIND
You are absolutely correct, Chris. I want to block/redirect all malware domain requests initiated by clients by setting up a DNS SINKHOLE in the Red Hat BIND server.

--- On Mon, 17/10/11, Chris Thompson c...@cam.ac.uk wrote:

From: Chris Thompson c...@cam.ac.uk
Subject: Re: DNS Sinkhole in BIND
To: Bind Users Mailing List bind-users@lists.isc.org
Cc: babu dheen babudh...@yahoo.co.in
Date: Monday, 17 October, 2011, 8:19 PM

On Oct 16 2011, babu dheen wrote:
> Can anyone help me how to set up a DNS Sinkhole in BIND on Linux 32-bit edition.

All the replies to this so far seem to assume that he wants to block evil entities from using his nameservers. But Google seems to suggest that "DNS Sinkhole" usually refers to redirecting names that are being used for evil purposes to e.g. a local monitoring station - not the same thing at all.

--
Chris Thompson
Email: c...@cam.ac.uk
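A DNS sinkhole in the sense Chris Thompson describes is what BIND's response policy zones (RPZ, available since BIND 9.8) provide: a locally served zone whose records override the answers for listed names, either returning NXDOMAIN (a CNAME to the root, written "CNAME .") or local data such as an A record pointing at a monitoring host, so that the infected client connects there and identifies itself. The following is an added example, not code from the thread or from ISC: it turns a list of malicious names into an RPZ zone file. The names in the feed, the zone origin rpz.example and the sinkhole address 10.0.0.1 are assumptions.

```python
"""Added example (not from the thread or ISC): generate a BIND response policy
zone (RPZ) that sinkholes a list of malicious names. Names, origin and sinkhole
address are assumptions."""

def rpz_zone(origin, names, sinkhole=None, passthru=(), serial=1,
             ns="localhost.", contact="hostmaster", ttl=300):
    """Return zone-file text for an RPZ.

    Each listed name and everything below it (the *.name wildcard) becomes a
    policy trigger. With no sinkhole the policy is NXDOMAIN ('CNAME .'); with a
    sinkhole address it is local data, an A record pointing at the sinkhole, so
    the client connects there and can be identified. Names in `passthru` get
    'CNAME rpz-passthru.', which exempts them even when a wildcard rule matches
    (an exact owner name beats the wildcard in RPZ)."""
    origin = origin.rstrip(".") + "."
    lines = [f"$ORIGIN {origin}", f"$TTL {ttl}",
             f"@ IN SOA {ns} {contact}.{origin} {serial} 3600 300 604800 60",
             f"@ IN NS {ns}"]
    for name in _normalise(passthru):
        lines.append(f"{name} IN CNAME rpz-passthru.")
    for name in _normalise(names):
        if sinkhole:
            lines.append(f"{name} IN A {sinkhole}")
            lines.append(f"*.{name} IN A {sinkhole}")
        else:
            lines.append(f"{name} IN CNAME .")
            lines.append(f"*.{name} IN CNAME .")
    return "\n".join(lines) + "\n"

def _normalise(names):
    """Lower-case, strip the trailing dot and whitespace, drop blanks and duplicates."""
    cleaned = {n.strip().rstrip(".").lower() for n in names}
    return sorted(n for n in cleaned if n and " " not in n)

if __name__ == "__main__":
    # Constructed feed; a real one would come from a blocklist or threat intel.
    feed = ["Evil.Example.", "c2.badhost.test", "evil.example", ""]
    print(rpz_zone("rpz.example", feed, sinkhole="10.0.0.1",
                   passthru=["cdn.evil.example"]))
```

Load the generated file as an ordinary master zone (zone "rpz.example" { type master; file "rpz.example.zone"; };) and activate it with response-policy { zone "rpz.example"; }; in the options block; log the rpz category so that every rewritten answer, and the client that triggered it, ends up in the log, which is the whole point of redirecting to a monitoring host rather than silently blocking.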
DNS Sinkhole in BIND
Hi,

Can anyone help me with how to set up a DNS Sinkhole in BIND on Linux 32-bit edition?

Regards
babu
Re: Query regarding NS record
Hi,

Once I delegate the NS record in my ISP name server to my company name server for the mail.myoffice.com website as below, do I need to allow the DNS port from ANY (INTERNET) to my DNS server in the firewall, or do I just need to allow DNS traffic only from the ISP DNS server?

ISP DNS server configuration:

mycompany-dns-server-ip   IN A    10.10.10.10
mail.myoffice.com         IN NS   mycompany dns server ip

Regards
Papdheen M

From: Kevin Darcy k...@chrysler.com
To: bind-users@lists.isc.org
Sent: Sunday, 18 September 2011 5:09 PM
Subject: Re: Query regarding NS record

Are you talking about recursive clients failing over? Or other nameservers trying to talk to yours, non-recursively?

Recursive clients don't use NS records at all and you need to approach the failover problem in a completely different way (e.g. relying on the client failing over from one resolver IP address to another, or implementing an Anycast solution).

If you're talking about nameserver-to-nameserver traffic, then just publish multiple NS records for the relevant zone(s) and the nameserver-selection algorithm embedded in every known iterative-resolver implementation will take care of the load-balancing and failover; to summarize, faster-responding nameservers will be chosen over slower-responding ones.

- Kevin

On 9/16/2011 11:17 AM, babu dheen wrote:
> Hi,
>
> Can anyone let me know how I can resolve the below requirement.
>
> Requirement: We have two offices. One is the main office and another one is a remote branch office. Now my company's client requirement is that if the main office DNS server is not reachable, all DNS queries should be sent to the branch office DNS server. How can this be achieved using BIND?
>
> For example, my company mail website is mail.mycompany.com, which is pointed as below in the ISP name server:
>
> mail.mycompany.com   IN NS   ns1.mainoffice.com
> mail.mycompany.com   IN NS   ns1.branceoffice.com
>
> Is the above record correct or not? Please suggest.
>
> Regards
> papdheen M
Re: Query regarding NS record
Thanks for your response.

From: Matus UHLAR - fantomas uh...@fantomas.sk
To: bind-users@lists.isc.org
Sent: Sunday, 18 September 2011 7:50 PM
Subject: Re: Query regarding NS record

On 18.09.11 21:31, babu dheen wrote:
> Once I delegate the NS record in my ISP name server to my company name server for the mail.myoffice.com website as below, do I need to allow the DNS port from ANY (INTERNET) to my DNS server in the firewall, or do I just need to allow DNS traffic only from the ISP DNS server?
>
> ISP DNS server configuration:
>
> mycompany-dns-server-ip   IN A    10.10.10.10
> mail.myoffice.com         IN NS   mycompany dns server ip

You must allow DNS traffic to your server, both TCP and UDP protocols, from all the world to port 53.

Note that this way, when your NS is down, mail.myoffice.com won't work. I recommend you get your ISP to slave your zone and create additional NS records pointing to your ISP's name servers for mail.myoffice.com.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
You have the right to remain silent. Anything you say will be misquoted, then used against you.
Re: Query regarding NS record
Got your concern. Will change my setting accordingly. Thanks for your advice.

Regards
Babu

From: Kevin Oberman kob6...@gmail.com
To: babu dheen babudh...@yahoo.co.in
Cc: Florian CROUZAT gen...@floriancrouzat.net; bind-users@lists.isc.org
Sent: Saturday, 17 September 2011 9:26 AM
Subject: Re: Query regarding NS record

On Fri, Sep 16, 2011 at 6:57 PM, babu dheen babudh...@yahoo.co.in wrote:
> So when multiple DNS records are available, is it possible to direct all DNS queries to the first (NS) record always? Meaning,
>
> mail.myoffice.com   IN NS   20.20.20.20
> mail.myoffice.com   IN NS   30.30.30.30
>
> In the above, is it possible to direct all DNS queries only to 20.20.20.20 and, if this fails, is it possible to direct DNS queries to the next NS server (30.30.30.30)?

I'm not aware of a direct way to do this, but you could do it by adding the address listed in the NS record for the backup server to its interface only when the primary stops responding. The backup would need to send a regular query to the primary to know when to add the address.

I really don't understand why you would want to do this. It mostly complicates things and reduces robustness. A key in the operation of DNS is to have multiple servers, all answering and all having identical data for queries from any particular source.

Kevin Oberman
Network Engineer -- Retired
kob6...@gmail.com
how to add NS record in Windows DNS?
Hi,

I know that this forum is not meant for the Windows DNS environment, but if you can let me know some website or guide to add a custom NS record in a Windows DNS environment, it will be much helpful.

Regards
Babu
Query regarding NS record
Hi,

Can anyone let me know how I can resolve the below requirement.

Requirement: We have two offices. One is the main office and another one is a remote branch office. Now my company's client requirement is that if the main office DNS server is not reachable, all DNS queries should be sent to the branch office DNS server. How can this be achieved using BIND?

For example, my company mail website is mail.mycompany.com, which is pointed as below in the ISP name server:

mail.mycompany.com   IN NS   ns1.mainoffice.com
mail.mycompany.com   IN NS   ns1.branceoffice.com

Is the above record correct or not? Please suggest.

Regards
papdheen M
Re: Query regarding NS record
So when multiple DNS records are available, is it possible to direct all DNS queries to the first (NS) record always? Meaning,

mail.myoffice.com   IN NS   20.20.20.20
mail.myoffice.com   IN NS   30.30.30.30

In the above, is it possible to direct all DNS queries only to 20.20.20.20 and, if this fails, is it possible to direct DNS queries to the next NS server (30.30.30.30)?

Regards
Babu

From: Kevin Oberman kob6...@gmail.com
To: Florian CROUZAT gen...@floriancrouzat.net
Cc: bind-users@lists.isc.org
Sent: Friday, 16 September 2011 8:32 PM
Subject: Re: Query regarding NS record

On Fri, Sep 16, 2011 at 8:52 AM, Florian CROUZAT gen...@floriancrouzat.net wrote:
> babu dheen wrote on 2011-09-16:
> > Hi,
> >
> > Can anyone let me know how I can resolve the below requirement.
> >
> > Requirement: We have two offices. One is the main office and another one is a remote branch office. Now my company's client requirement is that if the main office DNS server is not reachable, all DNS queries should be sent to the branch office DNS server. How can this be achieved using BIND?
> >
> > For example, my company mail website is mail.mycompany.com, which is pointed as below in the ISP name server:
> >
> > mail.mycompany.com IN NS ns1.mainoffice.com
> > mail.mycompany.com IN NS ns1.branceoffice.com
> >
> > Is the above record correct or not? Please suggest.
> >
> > Regards
> > papdheen M
>
> Babu,
>
> Your example isn't failover, this is load balancing. That's two different concepts.

Actually, I would not describe it as either fail-over or load balancing. It's probably closer to fail-over for the people at the main office, but not for those at the branch.

I believe that when multiple NS records are available, BIND will direct queries to the fastest responding server. It does not round-robin queries or anything like that. So, people at the main office will usually get responses from that system and people at the branch office will usually get responses from that server. But, if the servers are configured properly, they will always be in sync within seconds of any change.

--
R. Kevin Oberman, Network Engineer - Retired
E-mail: kob6...@gmail.com
What is DNS Tunneling
Hi,

Can anyone explain what DNS tunneling is, because I am seeing a large number of DNS tunneling attacks in the IPS from one machine in the LAN.

Regards
Babu
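DNS tunnelling smuggles data through a resolver by encoding it into the query names (and, for the return path, into TXT or NULL answers) of a domain the attacker controls: the resolver faithfully forwards each unique name to the attacker's authoritative server, so from the LAN side it looks like one client asking for hundreds of long, high-entropy, never-repeated subdomains of a single zone, which is the pattern an IPS signature keys on. The same query log that exposes this also answers the earlier thread about the client behind the huge deny count: once the queries category is logged (the logging stanza posted above already does this; rndc querylog toggles it at run time), you can see which client is noisiest and what it asks for. The script below is an added example, not code from the thread: it parses BIND query-log lines, lists the top talkers, and flags (client, zone) pairs that have the tunnel shape. The log lines are constructed; the hex subdomains stand in for an encoded payload, badtunnel.test is a hypothetical attacker domain, and the "zone is the last two labels" split is a simplification of what the Public Suffix List would give.

```python
"""Added example (not from the thread): analyse BIND query-log lines for the
noisiest clients and for the query pattern of a DNS tunnel. Log lines are
constructed; badtunnel.test is a hypothetical attacker domain."""
import collections
import hashlib
import math
import re

# Matches the 'client IP#port: query: NAME CLASS TYPE ...' part of BIND's query
# log across 9.x versions (optional @0x... client pointer and (name) in 9.11+).
LINE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
                  r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")

def parse(lines):
    """Yield (client_ip, qname, qtype) for each query-log line; skip other lines."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")

def entropy(s):
    """Shannon entropy in bits per character; hex/base32 payloads sit near 3.5-4."""
    if not s:
        return 0.0
    counts = collections.Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_domain(qname):
    """Crude split: last two labels are the attacker's zone, the rest the payload.
    (Assumption; real tooling would use the Public Suffix List.)"""
    labels = qname.split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def top_talkers(records, n=5):
    """Clients by query count; answers 'which client is hammering the server'."""
    return collections.Counter(ip for ip, _, _ in records).most_common(n)

def tunnel_suspects(records, min_unique=20, min_sub_len=30, min_entropy=3.0):
    """Flag (client, zone) pairs with many distinct, long, high-entropy subdomains
    or a majority of data-carrying TXT/NULL queries: the shape of a DNS tunnel."""
    subs = collections.defaultdict(set)
    qtypes = collections.defaultdict(collections.Counter)
    for ip, qname, qtype in records:
        zone, sub = split_domain(qname)
        if sub:
            subs[(ip, zone)].add(sub)
        qtypes[(ip, zone)][qtype] += 1
    suspects = []
    for key, names in subs.items():
        if len(names) < min_unique:
            continue
        avg_len = sum(len(n) for n in names) / len(names)
        avg_ent = sum(entropy(n.replace(".", "")) for n in names) / len(names)
        total = sum(qtypes[key].values())
        data_share = (qtypes[key]["TXT"] + qtypes[key]["NULL"]) / total
        if (avg_len >= min_sub_len and avg_ent >= min_entropy) or data_share >= 0.5:
            suspects.append({"client": key[0], "zone": key[1],
                             "unique_subdomains": len(names),
                             "avg_subdomain_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2),
                             "txt_null_share": round(data_share, 2)})
    return sorted(suspects, key=lambda d: -d["unique_subdomains"])

def sample_log():
    """Constructed query log: two ordinary clients and one that encodes data into
    64 hex characters per query under badtunnel.test."""
    def line(ip, name, qtype):
        return f"08-Jan-2012 14:03:11.123 client {ip}#41234: query: {name} IN {qtype} + (10.0.0.2)"
    lines = []
    for _ in range(3):
        lines += [line("10.0.0.5", "www.example.com", "A"),
                  line("10.0.0.5", "mail.example.com", "MX"),
                  line("10.0.0.9", "intranet.company.local", "A")]
    for i in range(40):
        h = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
        lines.append(line("10.0.0.77", f"{h[:32]}.{h[32:]}.t.badtunnel.test", "TXT"))
    lines.append("08-Jan-2012 14:03:12.000 general: info: zone example.com/IN: loaded serial 1")
    return lines

if __name__ == "__main__":
    records = list(parse(sample_log()))
    print("top talkers:", top_talkers(records))
    for s in tunnel_suspects(records):
        print("tunnel suspect:", s)
```

The thresholds are starting points, not signatures: CDN and anti-virus update hostnames also produce many unique subdomains, but they are short and low-entropy, and they are not TXT. Whatever the tool flags, the next step is the one Sebastian suggested on the earlier thread, look at what the client is actually asking for.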
Restoring BIND DNS configuration from TAR command
Hi,

I have a DNS server running BIND. I executed the command below to take a backup of the configuration and zone files, and it is working fine.

# /bin/tar -pczvf named.tar.gz /etc/ /var/named --exclude='/var/named/chroot/var/named/data' --exclude='/var/named/chroot/proc'

But what happens is, when I executed the command below to restore the backup on the freshly installed OS machine under the /root directory, the command executed successfully, but what I found is that there is a directory called /etc and /var created under /root as below:

drwxr-xr-x 91 root root   12288 Jun 18 07:50 etc
-rw-r--r--  1 root root 7390955 Jun 19 05:04 named.tar.gz
drwxr-xr-x  3 root root    4096 Jun 19 15:54 var

Can anyone let me know how I can restore all the files into their original location?
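The tar behaviour behind the post: GNU tar strips the leading "/" when it archives /etc and /var/named, so the members are stored as etc/... and var/named/..., and extracting while sitting in /root recreates them there. Restoring to the original location means extracting relative to the filesystem root (tar -xzpf named.tar.gz -C /), after listing the archive (tar -tzf named.tar.gz) to confirm it holds only the relative paths you expect: extracting an archive that contains absolute or ../ members, or links pointing outside, as root with -C / overwrites arbitrary files. The script below is an added example, not from the thread: it lists the members, refuses archives that would escape the target root, and extracts under a given root. The archive it builds is a constructed stand-in for named.tar.gz.

```python
"""Added example (not from the thread): list a BIND backup archive, refuse
members that would escape the restore root, and extract it under that root.
The archive built here is a constructed stand-in for named.tar.gz."""
import io
import os
import tarfile
import tempfile

def archive_members(path):
    """Member names as stored; GNU tar stores 'etc/named.conf', not '/etc/named.conf'."""
    with tarfile.open(path) as tf:
        return [m.name for m in tf.getmembers()]

def unsafe_members(path):
    """Members that would land outside the extraction root: absolute names, '..'
    components, or links whose target leaves the tree. Restoring such an archive
    with -C / as root would overwrite arbitrary files."""
    bad = []
    with tarfile.open(path) as tf:
        for m in tf.getmembers():
            if m.name.startswith("/") or ".." in m.name.split("/"):
                bad.append(m.name)
            elif m.issym() or m.islnk():
                # hard-link targets are archive-relative, symlink targets are
                # relative to the link's own directory
                base = "" if m.islnk() else os.path.dirname(m.name)
                target = os.path.normpath(os.path.join(base, m.linkname))
                if os.path.isabs(m.linkname) or target.startswith(".."):
                    bad.append(m.name)
    return bad

def scratch_root():
    """A fresh directory to restore into (the real restore would use '/')."""
    return tempfile.mkdtemp()

def restore(path, root):
    """Equivalent of 'tar -xzpf path -C root'; returns the restored relative paths."""
    bad = unsafe_members(path)
    if bad:
        raise ValueError(f"refusing to restore {path}: unsafe members {bad}")
    with tarfile.open(path) as tf:
        try:
            tf.extractall(root, filter="fully_trusted")  # keep modes/owners like -p
        except TypeError:                                 # Python without extraction filters
            tf.extractall(root)
    return sorted(os.path.relpath(os.path.join(d, f), root)
                  for d, _, files in os.walk(root) for f in files)

def make_sample_archive():
    """Constructed archive with relative members, the way
    'tar -czf named.tar.gz /etc /var/named' writes them (tar strips the leading '/')."""
    path = os.path.join(tempfile.mkdtemp(), "named.tar.gz")
    files = {
        "etc/named.conf": b'options { directory "/var/named"; };\n',
        "var/named/example.com.zone": b"$TTL 300\n@ IN SOA ns1 hostmaster 1 1h 15m 1w 1m\n",
    }
    with tarfile.open(path, "w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), 0o640
            tf.addfile(info, io.BytesIO(data))
    return path

if __name__ == "__main__":
    archive = make_sample_archive()
    print("members :", archive_members(archive))
    print("unsafe  :", unsafe_members(archive))
    print("restored:", restore(archive, scratch_root()))
```

After a real restore under /, run named-checkconf -z to confirm the restored named.conf and zone files load, and check ownership of /var/named (and the chroot copy, if one is in use) against what named runs as, since a backup taken with -p only preserves what the restoring user is allowed to set.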
Re: Split DNS Configuration in BIND
Dear Doug,

Appreciate your quick response. Actually, this setup is very much required for us. Let me tell you the scenario:

We have a DNS record called mail.company.com which is hosted in the internal company LAN network. When any users try to access mail.company.com in the browser, they will get the private IP address and immediately they will get the mail.company.com website home page, whereas if any of my company users try to access the mail.company.com website from the internet (outside the company), they should get the public IP address which should be pointed to the mail.company.com website.

Kindly let me know the solution for the same.

Regards
Babu

--- On Mon, 30/5/11, Doug Barton do...@dougbarton.us wrote:

From: Doug Barton do...@dougbarton.us
Subject: Re: Split DNS Configuration in BIND
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org
Date: Monday, 30 May, 2011, 11:15 AM

On 05/29/2011 21:59, babu dheen wrote:
> Hi,
>
> Would like to know how to configure split DNS in BIND running in RHEL 5.0 version. Below is our setup and requirement.
>
> We have a zone called mycompany.com. So whenever my company users sitting in the LAN try to access the mycompany.com domain in Explorer, they should get the internal IP address (private IP address), whereas users from the internet should get the public IP for the mycompany.com domain.

Better yet, re-examine the reasons you want to do this, and consider not doing it. It's incredibly rare that using split DNS is a solution to a real problem, it's almost always something that people do because they think they need to.

On the other hand, if you really need/want to have internal addresses to access company resources, consider placing them in a separate zone. Something like int.mycompany.com. You have to put these addresses in a separate zone _file_ anyway, why not make it a separate zone? It will reduce complexity for you in the long run.

hth,

Doug

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go
Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: Hosting my company DNS server in Internet
Dear Olsen,

Thanks for the update. I can follow all the steps but I couldn't understand the below two points:

- register/buy the domain name(s) if you haven't already done so.
- tell your registrar to configure your parent domain so it'll delegate your domain to your nameservers

My concern: if I want to host my own website, do I need to pay my ISP? And please suggest if we want to host our parent domain (company.com) also in our own DNS server.

Regards
Babu

--- On Mon, 30/5/11, Eivind Olsen eiv...@aminor.no wrote:

From: Eivind Olsen eiv...@aminor.no
Subject: Re: Hosting my company DNS server in Internet
To: bind-users@lists.isc.org
Date: Monday, 30 May, 2011, 12:18 PM

babu dheen wrote:
> Can anyone have any idea as to how we can host our own authoritative DNS server for my company. For example, if my company domain is mycompany.com, we want to maintain our own DNS server so that users across the world should contact our DNS server for name resolution for the mycompany.com domain.

The most basic way would be:

- install a nameserver (BIND) somewhere, and make sure it's reachable on tcp+udp port 53 from the entire world
- set up one or more zonefiles, configure domain(s) in named.conf
- configure one or more external slave servers to _also_ be authoritative for your domain(s), fetching updates from your master DNS server.
- make sure your slave server(s) can actually do a zone transfer from your master. You might also want to prevent others (anyone except your slave servers) from doing this.
- register/buy the domain name(s) if you haven't already done so.
- tell your registrar to configure your parent domain so it'll delegate your domain to your nameservers.

Regards
Eivind Olsen
eiv...@aminor.no
Re: Hosting my company DNS server in Internet
Dear Fajar,

Wonderful response from you. Really appreciate it. As you asked, below is my update on the checklist. I am not sure why I need to pay money to my ISP for hosting my website on my company DNS server.

> If you have no idea what I'm talking about, here's a somewhat simple checklist you can look at before you decide whether to run your own DNS/web server:
>
> (1) Do you know which service you want to create? Is it a web server? Is it a mail server? Is it a DNS server? All of them?

I just want to create a DNS server for my website. The website is managed by me.

> (2) Do you know the difference between the services you're trying to create? What it does? Which software to use? etc.

I am using BIND in my DNS server.

> (3) Do you know how they work? Can you setup a web server from scratch? Can you setup a DNS server from scratch? Do you know about DNS hierarchy? etc.

Yes, I know how to set up a basic DNS server and I know the DNS hierarchy.

> (4) Can you manage the servers/services? Do you know how to keep your system secure? Do you know how to update a web page or a DNS record? Do you need a HA setup? etc.

Yes, I know how to update a DNS record and I know how to configure a primary and secondary DNS setup in BIND.

> If the answer to any one of them is NO, then just use a hosting provider and have them manage both your website and DNS.
>
> This list is about the DNS software BIND, not about creating your own website/DNS server. If you have a specific question about BIND, feel free to ask.

--- On Mon, 30/5/11, Fajar A. Nugraha l...@fajar.net wrote:

From: Fajar A. Nugraha l...@fajar.net
Subject: Re: Hosting my company DNS server in Internet
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org
Date: Monday, 30 May, 2011, 3:12 PM

On Mon, May 30, 2011 at 3:45 PM, babu dheen babudh...@yahoo.co.in wrote:
> Dear Olsen,
>
> Thanks for the update. I can follow all the steps but I couldn't understand the below two points:
>
> - register/buy the domain name(s) if you haven't already done so.
> - tell your registrar to configure your parent domain so it'll delegate your domain to your nameservers

Have you EVER managed a domain before, whether hosted or not? If not, then I HIGHLY recommend you just use a hosting provider and have them manage both your website and DNS.

Back to your original question:

> My concern: if I want to host my own website, do I need to pay my ISP?

That depends. You obviously pay them for internet access. You MIGHT need to pay them if you also use other services, like
- buy your domain from your ISP
- use your ISP's name server for secondary name server
- use your ISP's MX
- use additional IP address for your website

> and please suggest if we want to host our parent domain (company.com) also in our own DNS server.

Again, it depends. If you know how to set it up, then no, you don't need to pay additional money to your ISP. But it could be YES, if you use some of their services (see above).

If you have no idea what I'm talking about, here's a somewhat simple checklist you can look at before you decide whether to run your own DNS/web server:

(1) Do you know which service you want to create? Is it a web server? Is it a mail server? Is it a DNS server? All of them?
(2) Do you know the difference between the services you're trying to create? What it does? Which software to use? etc.
(3) Do you know how they work? Can you setup a web server from scratch? Can you setup a DNS server from scratch? Do you know about DNS hierarchy? etc.
(4) Can you manage the servers/services? Do you know how to keep your system secure? Do you know how to update a web page or a DNS record? Do you need a HA setup? etc.

If the answer to any one of them is NO, then just use a hosting provider and have them manage both your website and DNS.

This list is about the DNS software BIND, not about creating your own website/DNS server. If you have a specific question about BIND, feel free to ask.

--
Fajar
Re: Hosting my company DNS server in Internet
Hi,

My concern is not giving money to the ISP, and kindly please note that I am not going to host my website in the DNS server; we are already managing the website in our network but using the ISP DNS server for name resolution only for outside users (internet). In short, I can say that we just want to host an authoritative DNS server for my company website (company.com).

Regards
Babu

--- On Mon, 30/5/11, Stephane Bortzmeyer bortzme...@nic.fr wrote:

From: Stephane Bortzmeyer bortzme...@nic.fr
Subject: Re: Hosting my company DNS server in Internet
To: babu dheen babudh...@yahoo.co.in
Cc: Fajar A. Nugraha l...@fajar.net, bind-users@lists.isc.org
Date: Monday, 30 May, 2011, 5:38 PM

On Mon, May 30, 2011 at 04:51:18PM +0530, babu dheen babudh...@yahoo.co.in wrote a message of 227 lines which said:
> I am not sure why I need to pay money to my ISP for hosting my website on my company DNS server.

This sentence seems to indicate that you know very little about Internet services (hosting a Web site on a DNS server...). In that case, it would be more careful, as suggested by Fajar A. Nugraha, to outsource the hosting (and then to spend time learning).

Back to the specific question: if the IAP (Internet Access Provider, ISP is too vague) asks you money to authorize you to deploy a server on your own machine, switch to another IAP.
Re: Split DNS Configuration in BIND
It's very simple. If you know basic firewall concepts, we will configure source NATing from the public IP address to the original website private address in the firewall. So when any users from the internet access my company website, they should obviously get the public IP of my company website, and once they get the IP address from DNS, it can contact the website using source NATing in the firewall.

Here my concern is not with NATing or the firewall. My basic requirement is how I can configure split DNS to maintain two different IP addresses for the same website.

Regards
BaBU

--- On Tue, 31/5/11, Doug Barton do...@dougbarton.us wrote:

From: Doug Barton do...@dougbarton.us
Subject: Re: Split DNS Configuration in BIND
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org
Date: Tuesday, 31 May, 2011, 12:50 AM

On 05/29/2011 23:17, babu dheen wrote:
> We have a DNS record called mail.company.com which is hosted in the internal company LAN network. When any users try to access mail.company.com in the browser, they will get the private IP address and immediately they will get the mail.company.com website home page, whereas if any of my company users try to access the mail.company.com website from the internet (outside the company), they should get the public IP address which should be pointed to the mail.company.com website.

It's not clear to me from this description why you need 2 different IP addresses for the same resource.

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go
Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Split DNS Configuration in BIND
Hi,

Would like to know how to configure split DNS in BIND running on RHEL 5.0. Below is our setup and requirement.

We have a zone called mycompany.com. So whenever my company users sitting in the LAN try to access the mycompany.com domain in Explorer, they should get the internal IP address (private IP address), whereas users from the internet should get the public IP for the mycompany.com domain.

Kindly let me know the guide or procedure for configuring it.

Regards
Babu
Hosting my company DNS server in Internet
Hi,

Does anyone have any idea as to how we can host our own authoritative DNS server for my company? For example, if my company domain is mycompany.com, we want to maintain our own DNS server so that users across the world contact our DNS server for name resolution for the mycompany.com domain.

Regards
babu
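The two questions above (split DNS for mycompany.com, and hosting the company's own authoritative server) are answered by the same BIND feature: views. The script below is an added example, not code from the thread or from ISC; it writes a named.conf in which the zone is served twice, once with private addresses to an internal view and once with public addresses to an external view that has recursion and zone transfers switched off, which is exactly what an internet-facing authoritative server should look like. The zone name, the internal prefix, both addresses and the output directory are parameters; record names and SOA values are illustrative. It validates the result with named-checkconf and named-checkzone only if those tools are installed.

```shell
#!/bin/sh
# Added example, not code from the thread: generate a split-DNS named.conf for
# BIND 9 in which one zone is served from two views, plus one zone file per view.
# Assumed parameters: zone name, internal prefix, internal and public addresses,
# output directory. Everything else (record names, SOA values) is illustrative.

# split_dns_config ZONE INTERNAL_NET INTERNAL_IP PUBLIC_IP OUTDIR
# Writes OUTDIR/named.conf, OUTDIR/db.ZONE.internal, OUTDIR/db.ZONE.external.
split_dns_config() {
    zone=$1; net=$2; in_ip=$3; pub_ip=$4; out=$5
    mkdir -p "$out"

    # Same names in both files, different addresses: that is the whole trick.
    for v in internal external; do
        if [ "$v" = internal ]; then ip=$in_ip; else ip=$pub_ip; fi
        cat > "$out/db.$zone.$v" <<EOF
\$TTL 3600
@     IN SOA ns1.$zone. hostmaster.$zone. ( 2011053101 3600 900 1209600 300 )
@     IN NS  ns1.$zone.
ns1   IN A   $ip
@     IN A   $ip
www   IN A   $ip
mail  IN A   $ip
EOF
    done

    cat > "$out/named.conf" <<EOF
acl internal { 127.0.0.1; $net; };

options {
    directory "$out";
    allow-query { any; };
};

// Views are tried in order; the first match-clients that fits the source
// address wins, so the narrower internal view must come first.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "$zone" { type master; file "db.$zone.internal"; };
};

// Everyone else sees only public addresses. No recursion and no zone
// transfers, so this view is also what an internet-facing authoritative
// server for the zone needs.
view "external" {
    match-clients { any; };
    recursion no;
    allow-transfer { none; };
    zone "$zone" { type master; file "db.$zone.external"; };
};
EOF
    echo "$out/named.conf"
}

# view_address OUTDIR ZONE VIEW NAME: the address VIEW's zone file gives NAME.
view_address() {
    awk -v n="$4" '$1 == n && $3 == "A" { print $4; exit }' "$1/db.$2.$3"
}

# check_config OUTDIR ZONE: syntax-check with BIND's own tools when they are
# installed (skipped otherwise).
check_config() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1/named.conf" || return 1
        for v in internal external; do
            named-checkzone -q "$2" "$1/db.$2.$v" || return 1
        done
    fi
    echo "$2: ok"
}

# Demo: write the files to a scratch directory and show what each view answers.
demo_dir=$(mktemp -d)
split_dns_config mycompany.com 10.0.0.0/8 10.0.0.25 203.0.113.25 "$demo_dir" >/dev/null
check_config "$demo_dir" mycompany.com || echo "config check failed"
echo "internal view: www.mycompany.com -> $(view_address "$demo_dir" mycompany.com internal www)"
echo "external view: www.mycompany.com -> $(view_address "$demo_dir" mycompany.com external www)"
```

Two things to keep in mind when adopting this: match-clients decides on the source address of the query, so anything that reaches the server through NAT from the inside is classified by the address it arrives with; and once views are in use every zone, including the root hints, must live inside a view, so the rest of an existing named.conf has to move too.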
Re: continuous DNS query to ROOT DNS server
Hi,

I understand that my system contacts the AS112 servers but am not sure why my system is contacting the AS112 ROOT servers. Can you tell me what I need to do at the server level to stop this? I read the RFC, but nowhere does it clearly mention why this is happening. I have already configured forwarders in my system to send queries to my gateway DNS server (running BIND). Then why is my system not using the gateway DNS for reverse DNS query mapping either?

Regards
babu

--- On Tue, 26/4/11, Kevin Darcy k...@chrysler.com wrote:

From: Kevin Darcy k...@chrysler.com
Subject: Re: continuous DNS query to ROOT DNS server
To: bind-users@lists.isc.org
Date: Tuesday, 26 April, 2011, 12:32 AM

On 4/25/2011 2:33 PM, babu dheen wrote:

> Dears, I have a DHCP server running in Windows Operating System (Windows 2003); I have configured a forwarder towards the gateway DNS server (running in Red Hat). When I check the firewall hits for the DHCP server I can see my DHCP server is sending too many DNS queries towards ROOT DNS servers (192.175.48.1, 192.175.48.6, 192.175.48.42 and etc). Please guide us to stop this query at the server level. Regards Babu

This is not a DHCP list. This is not a Microsoft list.

Those aren't root nameserver addresses, they are AS112 addresses, see http://public.as112.net/node/8

Apparently you didn't define your own RFC 1918 zones.

- Kevin
Re: continuous DNS query to ROOT DNS server
Dear Chris,

Thanks for your quick response. But my concern is: why did this query actually start going to the AS112 servers? Is it because my DHCP servers do not maintain a PTR record zone for all internal IP addresses? I need to have a solution to stop this query at the host level instead of adding an entry in the DNS server.

Regards
papdheen M

--- On Tue, 26/4/11, Chris Buxton chris.p.bux...@gmail.com wrote:

From: Chris Buxton chris.p.bux...@gmail.com
Subject: Re: continuous DNS query to ROOT DNS server
To: babu dheen babudh...@yahoo.co.in, bind-users@lists.isc.org, Kevin Darcy k...@chrysler.com
Date: Tuesday, 26 April, 2011, 5:52 PM

They're not root servers.

Add this to your named.conf, alongside your 'forwarders' statement:

forward only;

Chris Buxton
BlueCat Networks

--
Sent from my mobile device
Re: continuous DNS query to ROOT DNS server
Dear Chris,

Actually this query is being sent by my DHCP server running in Windows Operating System. I have configured forwarders in DHCP towards my gateway DNS servers (running Red Hat BIND).

--- On Tue, 26/4/11, Chris Buxton chris.p.bux...@gmail.com wrote:

From: Chris Buxton chris.p.bux...@gmail.com
Subject: Re: continuous DNS query to ROOT DNS server
To: babu dheen babudh...@yahoo.co.in, bind-users@lists.isc.org
Date: Tuesday, 26 April, 2011, 9:17 PM

Create RFC 1918 reverse zones for whatever parts of this address space you're using. Newer versions of BIND will do this automatically for you -- the zones are created without content.

What version of BIND are you using?

Chris Buxton
BlueCat Networks

--
Sent from my mobile device
continuous DNS query to ROOT DNS server
Dears,

I have a DHCP server running in Windows Operating System (Windows 2003); I have configured a forwarder towards the gateway DNS server (running in Red Hat). When I check the firewall hits for the DHCP server I can see my DHCP server is sending too many DNS queries towards ROOT DNS servers (192.175.48.1, 192.175.48.6, 192.175.48.42 and etc). Please guide us to stop this query at the server level.

Regards
Babu
multiple IP address in Address Record in BIND
Hi,

We have an internal domain called sva.com, and the address record for sva.com is pointed to many IP addresses. When I do nslookup, I get the output below. I would like to enable the same configuration in BIND. Let us know how this can be achieved.

#nslookup sva.com
Name: sva.com
Addresses: 10.10.10.10, 10.10.10.10, 10.10.10.10, 10.10.10.10, 10.10.10.10
Help to solve ROOT DNS query
Hi,

We are using a Microsoft AD server as the DNS server for our company, and we have configured a FORWARDER to the ISP DNS server for external domain queries. What we noticed is that our internal DNS server is able to use the FORWARDERS all the time, but firewall logs show that the internal AD server is contacting root DNS servers in parallel. Please help us to resolve this problem.
Re: Need help on DNS reporter
Hi,

Actually I am looking for open source software which can be installed on the Red Hat Linux BIND server to generate a report from the DNS logs.

Regards
Papdheen M

--- On Sun, 20/3/11, Warren Kumari war...@kumari.net wrote:

From: Warren Kumari war...@kumari.net
Subject: Re: Need help on DNS reporter
To: babu dheen babudh...@yahoo.co.in
Cc: terry te...@list.dnsbed.com, bind-users@lists.isc.org
Date: Sunday, 20 March, 2011, 8:10 PM

Enable query logging, then:

cat queries.log | grep 'query: example.com' | awk '{print $6}' | sed 's/#.*//' | sort -n | uniq -c | sort -rn | head -100 | more

or something similar?

W

On Mar 20, 2011, at 10:09 AM, babu dheen wrote:

> Hi, I am getting the below status on this command. Only internal DNS servers are allowed to query our gateway DNS server as client.
>
> number of zones: 12
> debug level: 0
> xfers running: 0
> xfers deferred: 0
> soa queries in progress: 0
> query logging is ON
> recursive clients: 1/1000
> tcp clients: 0/100
> server is up and running

--- On Sun, 20/3/11, terry te...@list.dnsbed.com wrote:

From: terry te...@list.dnsbed.com
Subject: Re: Need help on DNS reporter
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org
Date: Sunday, 20 March, 2011, 12:42 PM

How will rndc status take something good for you?

2011/3/20 babu dheen babudh...@yahoo.co.in

> Hi, Can anyone let me know whether there is any open source software available to generate a report for the DNS service based on DNS BIND query logs? We have BIND DNS running on RHEL 5.0. Would like to generate a report based on its logs so that we can identify the list of clients querying external domains and their query count. Many clients in our company are infected with malware which thus sends unnecessary queries to remote external domains (non-available domains). So if we have any software which can generate the report from the DNS BIND logs, it will be very helpful.
>
> Regards
> Babu

--
www.DNSbed.com
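Warren's one-liner counts clients for one name; the original question was the inverse, which clients are generating the most lookups for names outside the company's own zones. The script below is an added example, not code from the thread, that does that over BIND query-log lines. It finds the client and the query name by the "client" and "query:" tokens rather than by fixed field position, so it works both with the classic layout that "{print $6}" assumes (print-category and print-severity on) and with the later layout that inserts a "@0x..." pointer after "client". The log lines are constructed for the example; the suffixes treated as internal are arguments.

```shell
#!/bin/sh
# Added example, not code from the thread: a small report over BIND query-log
# lines that counts, per client, the queries for names outside the company's
# own zones. Infected hosts that keep asking for outside (often non-existent)
# names then float to the top. Assumed: query logging is on with the default
# 'queries' channel layout; the log lines below are constructed.

# Constructed sample in both the classic and the newer (client @0x... IP#port)
# layouts, so the parser is checked against each.
SAMPLE_LOG='28-Mar-2011 10:00:01.001 queries: info: client 10.0.0.5#53211: query: mail.mycompany.com IN A + (10.0.0.1)
28-Mar-2011 10:00:01.002 queries: info: client 10.0.0.5#53212: query: intranet.mycompany.com IN A + (10.0.0.1)
28-Mar-2011 10:00:01.003 queries: info: client 10.0.0.5#53213: query: www.example.org IN A + (10.0.0.1)
28-Mar-2011 10:00:01.004 queries: info: client 10.0.0.7#41000: query: xk3j9q.badexample.net IN A + (10.0.0.1)
28-Mar-2011 10:00:01.005 queries: info: client 10.0.0.7#41001: query: p0wz1.badexample.net IN A + (10.0.0.1)
28-Mar-2011 10:00:01.006 queries: info: client 10.0.0.7#41002: query: MYCOMPANY.COM.evil.example IN A + (10.0.0.1)
28-Mar-2011 10:00:01.007 queries: info: client @0x7f3c0c0 10.0.0.9#50000 (update.example.net): query: update.example.net IN A +E(0) (10.0.0.1)'

# dns_report INTERNAL_SUFFIX... < queries.log
# Prints "count client", busiest first, ignoring names under the given suffixes.
dns_report() {
    awk -v suffixes="$*" '
    BEGIN { n = split(suffixes, s, " ") }
    {
        client = ""; qname = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "client") {
                client = $(i + 1)
                if (client ~ /^@/) client = $(i + 2)   # newer layout: skip the pointer
                sub(/#.*/, "", client)                  # drop the source port
            }
            if ($i == "query:") qname = tolower($(i + 1))
        }
        if (client == "" || qname == "") next
        internal = 0
        for (j = 1; j <= n; j++) {
            suf = tolower(s[j])
            # exact match or a real subdomain; "mycompany.com.evil.example" is external
            if (qname == suf || substr(qname, length(qname) - length(suf)) == "." suf) internal = 1
        }
        if (!internal) count[client]++
    }
    END { for (c in count) printf "%d %s\n", count[c], c }' | sort -rn
}

# dns_names_for CLIENT < queries.log : the distinct names one client asked for,
# most frequent first, to see what a suspicious host is actually looking up.
dns_names_for() {
    awk -v want="$1" '
    {
        client = ""; qname = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "client") {
                client = $(i + 1)
                if (client ~ /^@/) client = $(i + 2)
                sub(/#.*/, "", client)
            }
            if ($i == "query:") qname = tolower($(i + 1))
        }
        if (client == want && qname != "") count[qname]++
    }
    END { for (q in count) printf "%d %s\n", count[q], q }' | sort -rn
}

# Demo on the constructed sample.
echo "external queries per client:"
printf '%s\n' "$SAMPLE_LOG" | dns_report mycompany.com
echo "names asked by the busiest client:"
printf '%s\n' "$SAMPLE_LOG" | dns_names_for 10.0.0.7
```

On a real server run it as dns_report mycompany.com other-internal-zone < /var/log/named/queries.log; the query log does not record the answer, so "non-available domain" cannot be read off these lines directly, but a client whose list from dns_names_for is dominated by random-looking labels is the one worth pulling off the network.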
Re: Need help to know about ROOT DNS query
Hi,

Thanks for the response. But I read an article on the sans.org website that an internal DNS server should not respond to ROOT NS queries. Please find the URLs below for more information.

http://isc1.sans.org/dnstest.html
http://isc.sans.edu/diary.html?storyid=5713

Kindly help me.

--- On Thu, 17/3/11, Warren Kumari war...@kumari.net wrote:

From: Warren Kumari war...@kumari.net
Subject: Re: Need help to know about ROOT DNS query
To: babu dheen babudh...@yahoo.co.in
Cc: bind-users@lists.isc.org
Date: Thursday, 17 March, 2011, 8:50 PM

Nah, that's fine (and normal). BIND comes configured with the roots so that it can start resolution.

I guess I don't fully understand your concern here -- is it that you are worried that the root might see queries and so know your internal hostnames?

W

Warren Kumari
--Please excuse typing, etc -- This was sent from a device with a tiny keyboard.

On Mar 17, 2011, at 7:20 AM, babu dheen babudh...@yahoo.co.in wrote:

> Hi, We have two internal Windows DNS servers which answer all DNS queries by forwarding them to the gateway DNS server running Red Hat BIND. But I have a query regarding allowing ROOT DNS queries on the internal DNS server. Can anyone let me know whether the company internal DNS server should respond to ROOT DNS queries? When I execute
>
> # dig . NS @my-company-name-server
>
> I am getting a complete response. Let me know whether enabling ROOT DNS queries is a security threat. For more information, can you read and help us to securely configure our company internal Windows DNS server, and the impact of disabling it?
Need help to know about ROOT DNS query
Hi,

We have two internal Windows DNS servers which answer all DNS queries by forwarding them to the gateway DNS server running Red Hat BIND. But I have a query regarding allowing ROOT DNS queries on the internal DNS server. Can anyone let me know whether the company internal DNS server should respond to ROOT DNS queries? When I execute

# dig . NS @my-company-name-server

I am getting a complete response. Let me know whether enabling ROOT DNS queries is a security threat. For more information, can you read and help us to securely configure our company internal Windows DNS server, and the impact of disabling it?

; <<>> DiG 9.3.3rc2 <<>> . NS @10.0.0.1
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34899
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 10

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       49842   IN      NS      j.root-servers.net.
.                       49842   IN      NS      k.root-servers.net.
.                       49842   IN      NS      l.root-servers.net.
.                       49842   IN      NS      m.root-servers.net.
.                       49842   IN      NS      a.root-servers.net.
.                       49842   IN      NS      b.root-servers.net.
.                       49842   IN      NS      c.root-servers.net.
.                       49842   IN      NS      d.root-servers.net.
.                       49842   IN      NS      e.root-servers.net.
.                       49842   IN      NS      f.root-servers.net.
.                       49842   IN      NS      g.root-servers.net.
.                       49842   IN      NS      h.root-servers.net.
.                       49842   IN      NS      i.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net.     49842   IN      A       192.58.128.30
a.root-servers.net.     49842   IN      A       198.41.0.4
b.root-servers.net.     49842   IN      A       192.228.79.201
c.root-servers.net.     49842   IN      A       192.33.4.12
d.root-servers.net.     49842   IN      A       128.8.10.90
e.root-servers.net.     49842   IN      A       192.203.230.10
f.root-servers.net.     49842   IN      A       192.5.5.241
g.root-servers.net.     49842   IN      A       192.112.36.4
h.root-servers.net.     49842   IN      A       128.63.2.53
i.root-servers.net.     49842   IN      A       192.36.148.17

;; Query time: 34 msec
;; SERVER: 10.0.0.1#53(10.132.1.13)
;; WHEN: Thu Mar 17 17:16:18 2011
;; MSG SIZE  rcvd: 401
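Warren is right that the ". NS" answer itself is only the root hint set every resolver carries. What the SANS test linked in this thread probes is a different property: whether the server answers recursive and cached queries for anyone on the internet. An open resolver can be used for reflection and amplification and lets outsiders read from the cache (including the root NS set and, more interestingly, what internal users have been looking up), so the practical hardening is to grant recursion and cache access only to the LAN and to confirm from outside that the same dig gets REFUSED. The script below is an added example, not code from the thread or from ISC: a generator for those options (internal prefixes are parameters), a helper that pulls the rcode out of dig output, and the same query wrapped so the check can be scripted. The dig header lines it is demonstrated on are constructed from the one shown in the post.

```shell
#!/bin/sh
# Added example, not code from the thread: restrict recursion and cache access
# on a BIND resolver to internal clients and check the rcode an outsider gets.
# Assumed: internal prefixes are parameters; the dig headers below are
# constructed after the one shown in the thread.

# hardened_resolver_options INTERNAL_NET...: options that grant recursion and
# cache access only to the listed networks (and loopback).
hardened_resolver_options() {
    nets=""
    for n in "$@"; do nets="$nets $n;"; done
    cat <<EOF
acl internal { 127.0.0.1;$nets };

options {
    recursion yes;
    allow-recursion { internal; };    // only LAN clients may have us resolve for them
    allow-query-cache { internal; };  // and only they may read the cache (". NS" included)
    allow-query { any; };             // authoritative zones, if any, stay reachable
    version "not disclosed";
};
EOF
}

# dig_status < dig-output : extracts the rcode from the ";; ->>HEADER<<-" line.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# check_root_ns SERVER: run the same query the thread ran and report the rcode.
# From an internal address expect NOERROR; from outside expect REFUSED.
check_root_ns() {
    if ! command -v dig >/dev/null 2>&1; then
        echo "dig not installed"
        return 0
    fi
    dig +time=2 +tries=1 . NS "@$1" | dig_status
}

# Constructed dig headers, one for each side of the ACL, for the demo below.
INSIDE_HEADER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34899'
OUTSIDE_HEADER=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2031'

hardened_resolver_options 10.0.0.0/8 192.168.0.0/16
echo "inside:  $(echo "$INSIDE_HEADER" | dig_status)"
echo "outside: $(echo "$OUTSIDE_HEADER" | dig_status)"
# Live check (needs dig and a reachable server): check_root_ns 10.0.0.1
```

Run check_root_ns against the gateway from a host outside the ACL (or ask someone on the internet to) and the answer should be REFUSED while internal hosts keep getting the 13 NS records; the Windows servers in front of it only forward, so it is the BIND gateway where this matters.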
Multi language support in BIND
Hi,

Can anyone tell me how to enable Arabic domain name queries in BIND running on Red Hat RHEL 5? Actually we have many internal domain name zones configured in BIND running on the Red Hat 5 OS. Since I am from the Middle East, users in my company want to access their internal domain names through Arabic names in Explorer. Is there any such option in BIND? Your response will help us to get customer satisfaction.

Regards
Papdheen M
How to allow set Host file dns query priorities in BIND
Hi,

Our setup is: we have an internal DNS server wherein BIND is configured on RHEL 5 and many internal zones are configured. If the internet connection is down, our internal DNS servers are not able to get DNS queries answered by the ISP DNS server. Because of this, all users are not able to access many critical applications hosted on the internet. Now we would like to add those critical application DNS entries in our internal DNS server HOSTS file, so that if the internet link is down, users will be able to get the IP address of the URL through the hosts file. Is there any option in BIND to give priority to the HOSTS file before connecting to the internet ISP or local zone?

Thanks.
babu
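named never reads /etc/hosts, so there is no priority to set; what BIND does prefer over forwarding is a zone it is authoritative for. The script below is an added example, not code from the thread or from ISC, that turns hosts-file style "IP NAME" lines into one small master zone per name plus the matching named.conf stanzas, so those names keep resolving from the local server whether or not the ISP is reachable. A name listed with several addresses gets several A records, which is also how the multi-address answer asked about for sva.com earlier on this page is built in BIND. The output directory is a parameter; SOA values and the sample lines are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread: serve chosen internet names from
# local master zones so they resolve when the upstream link is down. Turns
# hosts-file style "IP NAME" lines into one zone file per name plus the
# named.conf stanzas. Assumed: output directory is a parameter; SOA values and
# the sample lines in the demo are illustrative.

# hosts_to_zones OUTDIR < hosts-lines
# Writes OUTDIR/db.NAME for every name and OUTDIR/local-zones.conf; prints the
# number of zones. Lines with a malformed IPv4 address are reported and skipped.
hosts_to_zones() {
    out=$1; mkdir -p "$out"
    awk -v out="$out" '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    {
        ip = $1; n4 = split(ip, o, "."); ok = (n4 == 4)
        for (i = 1; i <= n4 && ok; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (!ok) { printf "skipping bad address: %s\n", $0 > "/dev/stderr"; next }
        name = tolower($2); sub(/\.$/, "", name)
        if (name == "") next
        if (!((name, ip) in seen)) {              # repeated IP for a name: one record
            seen[name, ip] = 1
            records[name] = records[name] "\n@\tIN A\t" ip
            if (!(name in zones)) zones[name] = ++count
        }
    }
    END {
        conf = out "/local-zones.conf"; printf "" > conf
        for (name in zones) {
            zf = out "/db." name
            # Low TTL: once the link is back, stale addresses must age out fast.
            printf "$TTL 300\n@\tIN SOA\tlocalhost. root.localhost. ( 1 3600 900 604800 300 )\n@\tIN NS\tlocalhost.%s\n", records[name] > zf
            close(zf)
            printf "zone \"%s\" { type master; file \"db.%s\"; notify no; allow-transfer { none; }; };\n", name, name > conf
        }
        close(conf)
        print count + 0
    }'
}

# a_record_count OUTDIR NAME: how many addresses the local zone serves for NAME.
a_record_count() {
    awk '$2 == "IN" && $3 == "A" { c++ } END { print c + 0 }' "$1/db.$2"
}

# Demo on constructed lines (the duplicate line is deliberate).
demo_dir=$(mktemp -d)
printf '%s\n' '10.10.10.10 sva.com' '10.10.10.11 sva.com' '10.10.10.10 sva.com' \
              '203.0.113.5 portal.example.net' | hosts_to_zones "$demo_dir" >/dev/null
cat "$demo_dir/local-zones.conf"
echo "sva.com A records: $(a_record_count "$demo_dir" sva.com)"
```

Include local-zones.conf from named.conf and reload. Two caveats before relying on it: a zone for portal.example.net makes this server authoritative for everything beneath that name as well, so www.portal.example.net would get NXDOMAIN here even while the link is up (list exact hosts only), and the local answer always wins, so when the real address changes the zone file has to change too. For a name with several A records BIND returns all of them; add rrset-order { order cyclic; }; to options if you want the order rotated between answers rather than relying on the version's default.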