Re: Reverse Policy Zone to make MS Azure stuff work?
Another thing I forgot to mention is the need to express these parameters in the options clause in named.conf:

options {
    // RPZ zone
    // Source: https://deteque.com/m3aawg-bind-training/named.conf
    response-policy { zone "rpz.local"; };
};

My apologies for not double-checking earlier, but I think this should be everything.

--
Met vriendelijke groet / Best regards,
Michael De Roover

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Reverse Policy Zone to make MS Azure stuff work?
On Friday, 14 April 2023 00:28:24 CEST John Thurston wrote:
> Due to a requirement to use something Microsoft crafted, we are being
> asked to assert (internally) authority over 3rd-level names under
> appserviceenvironment.net
>
> I've pushed back on this, because I don't think it's nice to publish
> "authoritative" answers in domains we have not been delegated. But I'm
> told it's all ok, because Microsoft says it's ok* Having accepted that
> the ship has sailed, it's now a question of how to deliver such answers.
>
> One obvious way is to define a zone for each 3rd level under
> appserviceenvironment.net, and publish them in a way our resolvers can
> find them. In the absence of catalog-zones, this could be a lot of
> additional work (for me).
>
> Then I wondered if adding these 'hijacked' names to our RPZ would meet
> the need. I first thought, "Yeah. It'll work.", but then I re-read the
> statement from MS saying each 3rd level was going to need to have a 4th
> level zone defined. A zone definition requires at least an SOA and NS
> record . . and last time I checked, an RPZ would not deliver an NS
> record. So it seems that idea may be squashed.
>
> Who else has need to publish locally-defined appserviceenvironment.net
> names? Were you able to do it with your RPZ?
>
> *
> https://learn.microsoft.com/en-us/azure/app-service/environment/create-ilb-ase

Hello John,

For what it's worth, I've been working on Microsoft related domains in an RPZ recently as well. The way I've done this is by defining a zone "rpz.local" in my named.conf, as shown below.

// Response Policy Zone
zone "rpz.local" {
    type master;
    file "/etc/bind/zones/rpz.local.db";
    allow-update { none; };
    allow-transfer { internal; };
    allow-query { localhost; };
};

Then I define in this rpz.local.db file entries like the ones below.

$TTL 300
@       IN SOA  localhost. need.to.know.only. (
                202303131   ; Serial number
                60          ; Refresh every minute
                60          ; Retry every minute
                43200       ; Expire in 5 days
                60 )        ; Negative cache TTL 1 minute
        IN NS   LOCALHOST.

; Examples
block.example.com        IN CNAME .
passthrough.example.com  IN CNAME rpz-passthru.
redirect.example.com     IN CNAME example.com.

Pay special attention to the lack of a final dot in the records themselves; this is important. As far as I understand, this makes them relative to your rpz.local zone, not the actual domain on the internet.

The only major issue I've been facing with this so far is that AXFR to secondary and tertiary name servers has some issues, and at least Windows 10 Home will query those when the primary name server does not give a satisfactory answer.

--
Met vriendelijke groet / Best regards,
Michael De Roover
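The rpz.local.db file above relies on the convention the post points out: trigger names are relative to the RPZ apex, and the CNAME target selects the policy action. The following checker is an added example, not code from the post or from BIND; it folds the SOA parentheses, reports the action each trigger encodes (the CNAME encodings BIND documents: `.` NXDOMAIN, `*.` NODATA, `rpz-passthru.`, `rpz-drop.`, `rpz-tcp-only.`, anything else local data) and flags the two mistakes that silently break a policy: an absolute owner name, and a redirect target without a final dot. The sample zone text is constructed from the post's entries with a wildcard and those two mistakes added.

```python
"""Lint a BIND response-policy zone (RPZ) file like the rpz.local.db above.

Added example, not code from the thread or from BIND. It checks the point the
post makes: trigger names must be relative (no final dot) so they sit under the
RPZ apex instead of the real domain, and every CNAME target must be either an
RPZ action encoding or an absolute name for a redirect.
"""

# RPZ CNAME targets and the policy action they encode (BIND ARM, RPZ section).
RPZ_ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}

# Constructed sample: the post's three entries, a wildcard, and two mistakes.
SAMPLE_ZONE = """\
$TTL 300
@       IN SOA  localhost. need.to.know.only. (
                202303131   ; Serial number
                60 60 43200 60 )
        IN NS   LOCALHOST.
; Examples
block.example.com        IN CNAME .
passthrough.example.com  IN CNAME rpz-passthru.
redirect.example.com     IN CNAME example.com.
*.ads.example.net        IN CNAME *.
oops.example.com.        IN CNAME .
bad.example.com          IN CNAME example.com
"""


def _logical_lines(zone_text):
    """Drop ';' comments and fold parenthesised multi-line records into one line."""
    lines, buf, depth = [], [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line if not buf else line.strip())  # keep the first piece's indent
        if depth == 0:
            lines.append(" ".join(buf))
            buf = []
    return lines


def parse_records(zone_text):
    """Yield (owner, type, rdata tokens); a leading blank means 'same owner as before'."""
    owner = None
    for line in _logical_lines(zone_text):
        tokens = line.split()
        if tokens[0].startswith("$"):          # $TTL / $ORIGIN carry no policy
            continue
        if not line[0].isspace():
            owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():     # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)
        if tokens:
            yield owner, tokens.pop(0).upper(), tokens


def lint_rpz(zone_text, apex="rpz.local"):
    """Return ({trigger: action}, [problems]) for an RPZ zone text."""
    policies, problems = {}, []
    for owner, rtype, rdata in parse_records(zone_text):
        if owner in (None, "@") or rtype in ("SOA", "NS"):
            continue                            # apex housekeeping, not a trigger
        if owner.endswith("."):
            problems.append(f"{owner}: absolute owner name, so it is not under "
                            f"{apex}. and will never act as a trigger")
            continue
        if rtype != "CNAME":
            policies[owner] = f"LOCAL-DATA {rtype} {' '.join(rdata)}"
            continue
        target = rdata[0]
        if target in RPZ_ACTIONS:
            policies[owner] = RPZ_ACTIONS[target]
        elif target.endswith("."):
            policies[owner] = f"LOCAL-DATA CNAME {target}"
        else:                                    # relative target lands under the RPZ apex
            policies[owner] = f"LOCAL-DATA CNAME {target}.{apex}."
            problems.append(f"{owner}: CNAME target '{target}' has no final dot, "
                            f"so it resolves to {target}.{apex}. rather than {target}.")
    return policies, problems


if __name__ == "__main__":
    policies, problems = lint_rpz(SAMPLE_ZONE)
    for trigger, action in policies.items():
        print(f"{trigger:25} -> {action}")
    for problem in problems:
        print("PROBLEM:", problem)
```

Run it against the real file before reloading named: an absolute owner name is the mirror image of the mistake the post warns about (the record lands outside rpz.local and never fires), and a redirect target without its dot turns an intended CNAME to example.com. into one to example.com.rpz.local., which is NXDOMAIN for everyone.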
Re: How do subdomains get discovered by adversaries?
On Thu, 2022-12-22 at 05:19 +, Michael De Roover wrote:
> Hello,
>
> I have been running BIND 9 on my external and internal networks for a
> few years now -- as such I have a basic understanding of the most
> common RR types and activities such as zone transfers. However, I
> have been seeing something that's been baffling me for quite a while
> now. Somehow there are services like c99.nl [1] and Criminal IP [2],
> which can enumerate various subdomains on a given target domain. I am
> confused as to how they can enumerate this information.
>
> As far as I know, an NS record returns the name servers authoritative
> for a domain. Alright, now you've got authoritative information when
> querying these domains. No useful information about the zone data
> they are responsible for though.
>
> Then there is an A record, which returns an IPv4 address of a server
> responsible for a domain. Alright, now you can talk to a server.
> Maybe that would be a webserver, and now you may perform a HTTP
> exchange to that server (GET /whatever, with a given Host header).
> You still have to guess what the Host: header would have to be.
>
> Maybe it would be an MX record. Brilliant, now you could talk to a
> mail server. Its EHLO message (sometimes called a "banner" in
> security circles) would contain a domain, alright. It would also only
> be one of them -- AFAICT only one domain that the organization wants
> to actually primarily send from.
>
> Another interesting record would be the CNAME record. As far as I
> know, this is used to redirect to another domain from within the DNS,
> with its own bespoke entries (bringing us back to A records). Getting
> from a CNAME to an A record seems easy enough, but what about getting
> these CNAME records in the first place?
>
> This is what I am thinking of so far, but it may well be that I've
> been talking crap in all of the above and know nothing about the DNS.
> That's fine, and in that case please correct me where necessary.
> Either way, I'm very confused on how these services can actually
> enumerate these subdomains, and find most -- if not all -- reliably.
> This seems a bit concerning to me with regards to unwanted
> information disclosure, hence my curiosity. If it is at all possible
> to mitigate, I would of course also appreciate discourse on this
> matter. Thank you!
>
> [1] https://subdomainfinder.c99.nl
> [2] https://criminalip.io/domain
>
> Best regards,
> Michael
>

On an unrelated note, I found that Apple Mail (which I checked for on various ISC employees' email headers in the past due to curiosity, several seem to use it) is unable to deal very well with text emails and its formatting (particularly regarding new lines). Which format is preferred on this list? For now, I have set my email client to default to HTML messages, and edited my original message to remove these newlines. Chances are that it would send a text-only message too. But in modern clients, I find text-only emails to insert a lot of unwanted newlines, going back to the 80-column terminals which I don't think anyone uses anymore (though I most certainly approve of the efficiency-driven sentiment these people tend to hold).

Back on topic, I forgot about PTR records. But at least in a VPS instance (or a multiple thereof), it would only be configurable to one domain in the hosting provider's configuration panel, no? I am aware of PTR delegation, but that seems to be only for entire public network ranges (which at this point are only /24 and beyond in IPv4 afaict). While my hosting provider is very friendly to me, I certainly do not consider them a party who's willing to delegate it to me. With that tangent out of the way -- one record, configured by them on my behalf. And that's it. Not much information to get subdomains from there. Meanwhile, larger organizations are very likely to delegate every service that cares about PTR records to others. Their PTR records would just point to those instead.

So PTR records don't seem to be very useful in getting this information either. As such, I am still stranded.

Thanks again for your attention,
Michael
How do subdomains get discovered by adversaries?
Hello,

I have been running BIND 9 on my external and internal networks for a few years now -- as such I have a basic understanding of the most common RR types and activities such as zone transfers. However, I have been seeing something that's been baffling me for quite a while now. Somehow there are services like c99.nl [1] and Criminal IP [2], which can enumerate various subdomains on a given target domain. I am confused as to how they can enumerate this information.

As far as I know, an NS record returns the name servers authoritative for a domain. Alright, now you've got authoritative information when querying these domains. No useful information about the zone data they are responsible for though.

Then there is an A record, which returns an IPv4 address of a server responsible for a domain. Alright, now you can talk to a server. Maybe that would be a webserver, and now you may perform a HTTP exchange to that server (GET /whatever, with a given Host header). You still have to guess what the Host: header would have to be.

Maybe it would be an MX record. Brilliant, now you could talk to a mail server. Its EHLO message (sometimes called a "banner" in security circles) would contain a domain, alright. It would also only be one of them -- AFAICT only one domain that the organization wants to actually primarily send from.

Another interesting record would be the CNAME record. As far as I know, this is used to redirect to another domain from within the DNS, with its own bespoke entries (bringing us back to A records). Getting from a CNAME to an A record seems easy enough, but what about getting these CNAME records in the first place?

This is what I am thinking of so far, but it may well be that I've been talking crap in all of the above and know nothing about the DNS. That's fine, and in that case please correct me where necessary. Either way, I'm very confused on how these services can actually enumerate these subdomains, and find most -- if not all -- reliably. This seems a bit concerning to me with regards to unwanted information disclosure, hence my curiosity. If it is at all possible to mitigate, I would of course also appreciate discourse on this matter. Thank you!

[1] https://subdomainfinder.c99.nl
[2] https://criminalip.io/domain

Best regards,
Michael
Re: Reverse lookups not working when Internet connection failed.
Thank you all for the replies.

From what I understand after reading your replies (I might be wrong :) ), reverse lookups fail when I have no outgoing connection because some caching or transfer is needed from 66.136.193.in-addr.arpa., which I don't control. This is divided into several networks, 2 of them under my control.

I'll have to read more carefully your suggestions to see if I find an alternative way to achieve this only by modifying my zone files, without messing up my current setup.

I'll let you know how it goes.

Thanks once again.

David

> On 11/4/22 2:07 PM, Mark Andrews wrote:
>> Any ISP that offers these delegations should be allowing their
>> customers to transfer the zone that contains the CNAMEs for the
>> customer address space by default.
>
> I've had enough trouble getting ISPs to support 2317 delegation period.
> I think that asking them to allow me to do a zone transfer would have
> been a hard no.
>
> I certainly don't think this would be allowed /by/ /default/.
>
> I just checked and § 5.1 of RFC 2317 mentioned having the parent do a
> secondary zone transfer of the child zone. But I don't see any mention
> of the child doing a secondary zone transfer of the parent zone.
>
> I think that would be a good idea.
>
> --
> Grant. . . .
> unix || die
Re: Zone transfer over VPN
On Wednesday, September 7, 2022 1:14:00 AM WEST John Thurston wrote:
> If you are dealing with two totally private networks, do you even need
> the ACL?
>
> But if you do need to limit access, then I suggest using TSIG to
> identify and authorize. This avoids the whole question of
> source/destination IP addresses. If the transfer request is made using
> the correct key, it will work.
>
> I do this by defining a specific key for each secondary server. Then, in
> the appropriate view on the hidden primary, I use:
>
>     match-clients { none; };
>     allow-transfer { key nameofkeyhere; };
>
> and on each secondary, I define a 'primaries' and use that in the zone
> definitions:
>
>     primaries hiddenprimary { 10.20.30.40 key nameofkeyhere; };
>     zone "foo.bar.com" { type secondary; primaries { hiddenprimary; }; };
>
> The address of the secondary does not matter. As long as it makes the
> connection to the primary using the key 'nameofkeyhere', it can do the
> zone transfers.

Hi John,

Thank you so much for getting back to me, I really appreciate it. I have used your advice and looked further into how to configure TSIG, and came across this article on nixCraft [1]. However, while the setup seems like it is fairly straightforward, the usage of HMAC-MD5 they mention seems to be deprecated. I have checked which ciphers dnssec-keygen supports in 9.18.5 (I have taken the time to upgrade the Alpine boxes while I was at it) and it seems like ED25519 is supported, which I like and use extensively in SSH already. But when using the command below, it doesn't seem to work properly, exiting with the error message below that.

ns1:~# cd /etc/bind
ns1:/etc/bind# dnssec-keygen -a ED25519 -n HOST rndc-key
dnssec-keygen: fatal: invalid DNSKEY nametype HOST

Using this command without the -n parameter works fine, but (as per defaults) generates a zone key instead. Is ED25519 supported for host keys? If not, what would be the best current practice algorithm to generate a key of this type?

Apparently the options in my installation of BIND are among these:

    -a:
        RSASHA1 | NSEC3RSASHA1 | RSASHA256 | RSASHA512 |
        ECDSAP256SHA256 | ECDSAP384SHA384 | ED25519 | ED448 | DH
    -b:
        RSASHA1:         [1024..4096]
        NSEC3RSASHA1:    [1024..4096]
        RSASHA256:       [1024..4096]
        RSASHA512:       [1024..4096]
        DH:              [128..4096]
        ECDSAP256SHA256: ignored
        ECDSAP384SHA384: ignored
        ED25519:         ignored
        ED448:           ignored
        (key size defaults are set according to algorithm and usage (ZSK or KSK)

[1] https://www.cyberciti.biz/faq/unix-linux-bind-named-configuring-tsig/

Thanks again for your time to read this email, and for your insights.

--
Met vriendelijke groet / Best regards,
Michael De Roover
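The error in the message above comes from asking a DNSSEC key tool for a transaction-signature key. TSIG (RFC 8945) does not sign with a public-key algorithm at all; it authenticates each message with an HMAC over a shared secret, so the algorithm names are hmac-sha256 and friends, and BIND's own generator for them is tsig-keygen, not dnssec-keygen. The script below is an added example, not BIND's code or anything from the thread: it produces the same shape of key statement that tsig-keygen writes (a random secret sized to the hash output), renders the allow-transfer and primaries stanzas John describes, and shows the HMAC primitive TSIG is built on. The key name xfer-ns2, the zone name, the file paths and the address 192.168.10.4 are assumptions for illustration.

```python
"""Generate a TSIG key and the named.conf stanzas for key-authorized zone transfers.

Added example, not BIND's code or the thread's. It produces the same kind of
key statement that BIND's tsig-keygen writes: TSIG (RFC 8945) authenticates a
DNS message with an HMAC over a shared secret, so the key is random bytes of
the hash's output size and the algorithm is an HMAC name, not a DNSSEC
signing algorithm such as ED25519. Key name, zone, paths and addresses are assumed.
"""
import base64
import hashlib
import hmac
import secrets

# TSIG algorithm -> (hash, secret size in bytes). hmac-md5 is left out on purpose.
TSIG_ALGORITHMS = {
    "hmac-sha256": (hashlib.sha256, 32),
    "hmac-sha384": (hashlib.sha384, 48),
    "hmac-sha512": (hashlib.sha512, 64),
}


def generate_tsig_secret(algorithm="hmac-sha256"):
    """Random secret, base64-encoded as it appears in named.conf."""
    _, size = TSIG_ALGORITHMS[algorithm]
    return base64.b64encode(secrets.token_bytes(size)).decode()


def secret_is_well_sized(secret_b64, algorithm="hmac-sha256"):
    """True if the secret decodes to at least the hash output size (shorter keys weaken the MAC)."""
    return len(base64.b64decode(secret_b64)) >= TSIG_ALGORITHMS[algorithm][1]


def key_statement(name, algorithm="hmac-sha256", secret=None):
    """key {} clause; the same text goes into named.conf on the primary AND the secondary."""
    secret = secret or generate_tsig_secret(algorithm)
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


def primary_zone_stanza(zone, keyname):
    """Hidden primary: only requests signed with this key may transfer the zone."""
    return (f'zone "{zone}" {{\n\ttype primary;\n\tfile "/etc/bind/zones/{zone}.db";\n'
            f'\tallow-transfer {{ key {keyname}; }};\n}};\n')


def secondary_zone_stanza(zone, primary_ip, keyname):
    """Secondary: naming the key in 'primaries' signs the SOA refresh queries and the
    AXFR/IXFR requests it sends. BIND 9.11 (the satellite box in the thread) spells
    these 'masters' and 'type slave'."""
    return (f'primaries hiddenprimary {{ {primary_ip} key {keyname}; }};\n'
            f'zone "{zone}" {{\n\ttype secondary;\n\tprimaries {{ hiddenprimary; }};\n'
            f'\tfile "/var/cache/bind/{zone}.db";\n}};\n')


def tsig_mac(secret_b64, message, algorithm="hmac-sha256"):
    """The HMAC TSIG puts in its RR. Real TSIG also folds the key name, algorithm,
    signing time and fudge into the digested data; this shows the primitive only."""
    digestmod, _ = TSIG_ALGORITHMS[algorithm]
    return hmac.new(base64.b64decode(secret_b64), message, digestmod).digest()


def mac_is_valid(secret_b64, message, mac, algorithm="hmac-sha256"):
    """Constant-time comparison, as a verifier must do."""
    return hmac.compare_digest(tsig_mac(secret_b64, message, algorithm), mac)


if __name__ == "__main__":
    secret = generate_tsig_secret()
    print(key_statement("xfer-ns2", secret=secret))          # assumed key name
    print(primary_zone_stanza("lan", "xfer-ns2"))
    print(secondary_zone_stanza("lan", "192.168.10.4", "xfer-ns2"))
```

Because the secret is symmetric, the key statement must be identical on both ends and should be kept in a file readable only by named (include it from named.conf rather than pasting it inline); the VPN hop that rewrites source addresses in the thread's setup no longer matters, since allow-transfer is keyed on the signature rather than the address.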
Zone transfer over VPN
Hello everyone,

I have currently 2 internal networks under my control, both of which have BIND name servers in them. The "main" network uses the 192.168.10.0/24 subnet, while the "satellite" network uses the 192.168.20.0/24 subnet. Following this, I will refer to these as main and satellite. You may consider the satellite network sort of like a road warrior setup, though both are fully-fledged networks with hosts in them.

The main network has a set of two gateways with IP addresses 192.168.10.51 and 192.168.10.52. They perform VRRP to each other, with floating IP 192.168.10.9. Both of them make a VPN connection to two VPS's using WireGuard. The VPS's have IP ranges 10.8.2.0/24 and 10.8.3.0/24 respectively. Pretty much all traffic that's relevant here (AXFR/IXFR on TCP 53) goes through the former. The satellite network does the same thing; it also connects to the VPS's but does not perform VRRP with another node. The gateway on the satellite network uses IP address 192.168.20.1.

The name servers on these networks are 192.168.10.4, 192.168.10.5 and 192.168.10.6 on the main network, and 192.168.20.3 on the satellite network. This is running on BIND 9.16.25 for Alpine on the main network, and BIND 9.11.5-P4-5.1+deb10u7-Debian for Debian on the satellite network. All of them are running in LXC with bridged networking.

Now I would like to get both of these networks to share their local zones. So in the name servers' configs I would initially declare an ACL for this and add that to the zone entries, on the main network. This worked fine for those, being in the same subnet. But once I tried to do the same on the satellite network, BIND on the main network would see the zone transfer as coming from 192.168.10.51 or 192.168.10.52 -- instead of coming from 192.168.20.3 -- and refuse it. The same is true the other way around, where the name server on the satellite network sees zone transfers from the main network as coming from 192.168.20.1 instead.

In other words, only the first hop (or the last, depending on how you look at it) is being considered, with zone transfers seemingly being expected to occur from within the same subnet. Surely I'm not the only one who dealt with this? If anything, I consider myself still a newbie. Is it possible to get BIND to consider the original source of the zone transfer instead?

For now I have added an "external" ACL to these networks, and made the respective local zones authorized to transfer from this ACL, which has the gateways of their local networks in there. However, this means that anything on the main network can transfer from the satellite network, and anything from the satellite network can transfer from the main network. After all, the name servers have no way to tell where it's really coming from. While everything on these networks is owned or otherwise controlled to a reasonable extent by me, I don't like this. In my book, this is a security issue. I think I need a better solution for this.

Configuration-wise, this would be a snippet from ns1.lan on the main network with the relevant bits.

acl external {
    admin;
    192.168.10.9;
    192.168.10.51;
    192.168.10.52;
};

// ...

zone "lan" {
    type master;
    file "/etc/bind/zones/fwd.lan.db";
    allow-transfer { internal; external; };
};

zone "10.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/rev.lan.db";
    allow-transfer { internal; external; };
};

The satellite network's name server has a similar configuration to this, but the other way around.

I have skimmed over these articles so far, but couldn't find anything relevant in them.

- https://kb.isc.org/docs/aa-00726
- https://www.zytrax.com/books/dns/ch7/xfer.html

Thank you so much for taking your time to read this, and thanks in advance for any insights.

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: Stopping ddos
For my servers I'm using iptables rules to achieve ratelimiting. They look as follows:

-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource

It should be fairly trivial to convert these to use UDP 53, and tweak the timings you want. These rules are intended to allow 4 connections (which normally should be entire SMTP transactions) every 10 minutes. Since I have 2 edge nodes with these rules, that is doubled to 8 connections total.

If you're an authoritative name server only, realistically mostly recursors / caching servers would query your servers and not too often. You can easily restrict traffic here. If you're a recursor too, this becomes a bit more complicated. Regarding the legitimate queries, it would be prudent to allow common recursors (Google, Cloudflare, Quad9 etc) to have exceptions to this rule. Just allow their IP addresses to send traffic either unrestricted, or using a more relaxed version of the above.

HTH,
Michael

On Tue, 2022-08-02 at 16:02 -0400, Robert Moskowitz wrote:
> Recently I have been having problems with my server not responding to
> my requests. I thought it was all sorts of issues, but I finally looked
> at the logs and:
>
> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.): view external: query (cache) './A/IN' denied
> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.216.196#64956 (.): view external: query (cache) './A/IN' denied
> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 64.68.114.141#39466 (.): view external: query (cache) './A/IN' denied
> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 209.197.198.45#13280 (.): view external: query (cache) './A/IN' denied
> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.202.117#41955 (.): view external: query (cache) './A/IN' denied
> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 62.109.204.22#4406 (.): view external: query (cache) './A/IN' denied
> Aug 2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518 (.): view external: query (cache) './A/IN' denied
> Aug 2 15:47:50 onlo named[6155]: client @0xaa882dc8 114.29.202.117#9584 (.): view external: query (cache) './A/IN' denied
>
> grep -c denied messages
> 45868
>
> And that is just since Jul 31 3am.
>
> This is fairly recent so I never looked into what I might do to
> protect against this. I am the master for my domain, so I do need to
> allow for legitimate queries.
>
> Any best practices on this?
>
> I am running bind 9.11.4
>
> thanks
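Before copying the rule pair above onto a DNS server it helps to see what a given --seconds/--hitcount budget actually does to a source over time. The following is an added example, not code from the thread: it models the xt_recent logic as I understand it (the --update rule matches, and drops, once the source already has --hitcount timestamps inside the window, and both the --update match and the --set rule record the packet), runs it over a constructed list of new-connection events, and renders the same rule pair for UDP 53. The addresses and timings are constructed test data, not a captured log.

```python
"""Model of the two xt_recent rules above, to see what a --seconds/--hitcount budget does.

Added example, not code from the thread. It reproduces the kernel module's
behaviour as I understand it: rule 1 (--update) matches and DROPs when the source
already has --hitcount timestamps inside the last --seconds, and records the packet;
otherwise rule 2 (--set) records the packet and the chain continues (ACCEPT here).
The event list is constructed; it is not a captured log.
"""
from collections import defaultdict

# Constructed "new connection" events as (time in seconds, source address).
SAMPLE_EVENTS = (
    [(t, "198.51.100.7") for t in (0, 10, 20, 30, 40, 50, 700)]   # burst of six, then quiet
    + [(5, "203.0.113.9")]                                          # one connection
    + [(t, "192.0.2.66") for t in range(0, 1201, 60)]               # one a minute, never stops
)


def iptables_rules(port=53, proto="udp", seconds=600, hitcount=4):
    """Render the post's rule pair for another port/protocol."""
    match = f"-A INPUT -p {proto} -m {proto} --dport {port} -m state --state NEW -m recent"
    tail = "--name DEFAULT --mask 255.255.255.255 --rsource"
    return [f"{match} --update --seconds {seconds} --hitcount {hitcount} {tail} -j DROP",
            f"{match} --set {tail}"]


def simulate(events, seconds=600, hitcount=4, max_stamps=20):
    """Return [(time, source, 'ACCEPT'|'DROP')] in time order."""
    table = defaultdict(list)   # xt_recent list: source -> timestamps (newest last)
    decisions = []
    for t, src in sorted(events):
        stamps = table[src]
        hits = sum(1 for s in stamps if s > t - seconds)   # stamps inside the window
        decision = "DROP" if hits >= hitcount else "ACCEPT"
        stamps.append(t)            # --update (on match) and --set both record the packet
        del stamps[:-max_stamps]    # kernel keeps at most ip_pkt_list_tot stamps (default 20)
        decisions.append((t, src, decision))
    return decisions


def tally(decisions):
    """Per-source counts: {source: {'ACCEPT': n, 'DROP': m}}."""
    counts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for _, src, decision in decisions:
        counts[src][decision] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in iptables_rules():
        print(line)
    for src, c in tally(simulate(SAMPLE_EVENTS)).items():
        print(f"{src:15} accepted={c['ACCEPT']:3} dropped={c['DROP']:3}")
```

Two things the run makes visible. Because the --update rule records the dropped packet too, a source that keeps retrying never gets its budget back until it stays quiet for the whole window, which is what you want against the floods in the log above but also what will happen to a legitimate resolver that retries. And with UDP, conntrack treats every query from a fresh source port as NEW, so a busy recursor's ordinary query stream counts against the budget; that is why the exceptions for the large public resolvers are not optional.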
Re: Possibly stupid Q
If the chroot location is set to /var/named/chroot, then this should be the case, yes. As far as the software running in the chroot is concerned, the chroot directory is its rootfs at /. It does not have access to anything above that.

On Wed, 2021-01-20 at 16:42 -0500, Rick Dicaire wrote:
> On Wed, Jan 20, 2021 at 2:19 PM Bruce Johnson <john...@pharmacy.arizona.edu> wrote:
> > channel default_log {
> >     file "/var/named/log/default" versions 3 size 20m;
> >     print-time yes;
> >     print-category yes;
> >     print-severity yes;
> >     severity info;
> > };
> >
> > in named-chroot do these go to the actual system /var/named/log or
> > does the named-chroot process put them in /var/named/chroot/var
> > directory?
>
> The path should be inside the chroot.

--
Michael De Roover
Re: How can I launch a private Internet DNS server?
On Thu, 2020-11-05 at 11:27 -0600, Chuck Aurora wrote:
> On 2020-11-05 07:36, Bob Harold wrote:
> > You appear to have confused 'secondary' authoritative servers with a
> > second 'resolver'.
> > Authoritative servers - listed in the NS records - are used by other
> > DNS servers, not by end users, and they will get used equally with the
> > slaves, if your parent zone has the right NS records also. Those are
> > good to outsource the secondaries.
>
> It should perhaps be pointed out here that the DNS protocol has no
> means to distinguish among different types of NS host. (Yes, there is
> the SOA MNAME, but that is not used by resolvers.) One NS is as good
> as any other NS.

These (SOA and behavior for resolvers) probably describe where I got confused, thanks for the explanations!

--
Michael De Roover
Re: How can I launch a private Internet DNS server?
On Thu, 2020-11-05 at 11:31 +0100, Alessandro Vesely wrote:
> A good secondary offloads your server noticeably, and
> keeps the domain alive in case of temporary failures.

AFAIK, authoritative slave servers are only used when the master is confirmed to be down. Lookups take significantly longer in such cases since for every request, the master will be asked first. This can take between 2-4s. There are no performance benefits to running multiple name servers as master-slave, though it's fairly easy and offers good redundancy (a slow lookup is still better than no lookup).

A commercial service will have to support zone transfer from your master, and said master has to have that commercial service authorized to pull your zone(s). I haven't personally heard of such services, and would probably just run another BIND box somewhere else (different hosting provider or something like that).

--
Michael De Roover
Re: How can I launch a private Internet DNS server?
Interesting article, thanks for sharing this! I'm slightly confused about some things in it though. Does this mean that any traffic will be put on the connection tracker and be treated as stateful unless we use CT --notrack, or can the kernel make a heuristic based on what's in the iptables rule (i.e. if it only covers a port or a network range, it must be stateless)? What constitutes a busy server? For a recursor it'd be easy to achieve high throughput, but does an authoritative name server for a single website need it?

On Thu, 2020-10-15 at 20:42 -0500, Chuck Aurora wrote:
> Absolutely right; I wrote this Linux-centric article about it:
>
> https://kb.isc.org/docs/aa-01183
>
> It has not been updated to cover nftables.
>
> Note also that this is a good reason NOT to use the NAT that
> other posters have encouraged.

--
Michael De Roover
Re: [External] Re: How can I launch a private Internet DNS server?
Simply stateless. Something along the lines of this (iptables):

# SSH may be internal only or moved to a different port
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
# Enable DNS on both TCP and UDP
iptables -A INPUT -m tcp -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 53 -j ACCEPT
# Allow ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Allow internal network traffic
iptables -A INPUT -s $internal -j ACCEPT
# Set the general input policy to drop traffic.
iptables -P INPUT DROP

What I'm concerned with security-wise is that if BIND has an RCE vulnerability, an unprivileged user might be able to "upload a shell" that gets executed and listens on another port. With all other ports closed, this can be prevented. It does not prevent against privilege escalation vulnerabilities though, as root can of course adjust the firewall at will. But I wouldn't consider security as "being unhackable", rather making it as hard as possible to get in. A firewall is a good starting point for that.

On Thu, 2020-10-15 at 21:38 +0200, sth...@nethelp.no wrote:
> > I would run a firewall even for BIND alone on a box in case the box
> > gets compromised through BIND. Allowing remote access and DNS, then
> > dropping everything else as the general firewall policy should be
> > pretty straightforward. But with the IP on this particular BIND box
> > being public, it's really like any other server on the internet. Port
> > forwarding or NAT in that case would be unnecessary.
>
> Do you mean a simple stateless ACL, or a stateful firewall? If you
> really mean a stateful firewall: Think about the effect of DNS
> queries - they are usually UDP based, and every new query is going
> to create state. Read up on state table exhaustion.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no

--
Michael De Roover
Re: [External] Re: How can I launch a private Internet DNS server?
I would run a firewall even for BIND alone on a box in case the box gets compromised through BIND. Allowing remote access and DNS, then dropping everything else as the general firewall policy should be pretty straightforward. But with the IP on this particular BIND box being public, it's really like any other server on the internet. Port forwarding or NAT in that case would be unnecessary.

On Thu, 2020-10-15 at 21:01 +0200, Stephane Bortzmeyer wrote:
> On Thu, Oct 15, 2020 at 02:03:52PM -0400,
> Kevin A. McGrail wrote
> a message of 8 lines which said:
>
> > Firewalls are cheap and the level of effort to run a bastion host
> > are significant.
>
> Firewalls are useful when you want to protect unmanaged printers and
> Windows boxes (or Web servers with a lot of crappy PHP) but a BIND
> server on a reasonably managed Unix box do not need them.

--
Michael De Roover
Re: How can I launch a private Internet DNS server?
Are these static IPs local or public? If local, you can instruct your router to port forward to these. If these are public, I guess these machines make a direct connection to the internet with a public IP on their interface then? In that case you can omit any port forwarding.

The secondary DNS server is for redundancy. You can omit any instructions regarding it when following the tutorial if you intend to only make one.

The server type would indeed be authoritative - the other type would be recursive, which is generally what ISPs have for their customers, but I would avoid that because they can be used for DNS amplification attacks (the authoritative ones can too, but it's less of an issue with those).

On Thu, 2020-10-15 at 16:57 +, Jason Long wrote:
> Yes, I have two static IP addresses. One is for DNS server and one is
> for my website.
> Excuse me, I just have one server for DNS and that tutorial is about
> secondary DNS server too. Can you show me another tutorial with one
> server and same goal?
> The Internet DNS server for my goal is "Authoritative DNS" ?

--
Michael De Roover
Re: How can I launch a private Internet DNS server?
Assuming that this is running off a home network, yes you could technically do it. Probably the registrar's name servers will be more reliable however. I'll also assume that your public IP is static. Otherwise it may only be suitable for the website, with a Dynamic DNS service that can regularly update the records as your IP changes. This means that you'll have to use someone else's DNS servers to host your records.

You can run BIND locally and make it an authoritative name server. Your router can port forward traffic to port 53/udp to your local IP that your DNS server is on. There are various tutorials online for making authoritative DNS servers, such as this one: https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04

At the registrar you'll need to select "custom name server" or something along those lines. Then you have to insert NS records there that point to the nameserver addresses for your domain(s). Check your registrar's documentation for instructions on how to add NS records.

On Thu, 2020-10-15 at 16:36 +, Jason Long via bind-users wrote:
> Hello,
> I have a question about launching a DNS server with CentOS for
> hosting a web server. Excuse me, if my question is so basic and
> funny. I need expert advice about it.
> I registered a domain name for my web site and in the panel of it, I
> can enter my DNS server IP addresses. I want to launch a CentOS DNS
> server that my Web site using it and users can visit my website from
> the Internet. These two servers (DNS and Web server) are in a local
> network and connected to the Internet with a Gateway. Each server has
> an internal and a public IP address.
> I want to enter my DNS server IP address in my website panel and
> after it, users can visit my website from the Internet. I'm thankful
> if anyone show me a tutorial to launch my DNS server for this goal.
> All tutorials that I found on the internet are about internal DNS
> servers, but I want to launch a DNS server for hosting my website.
> Is Internet DNS server just possible for providers?
>
> Thank you.

--
Michael De Roover
Re: It is too hard for me to read from this mailing list
On Mon, 2020-09-21 at 16:15 -0400, Allen Chen wrote:
> I am using Thunderbird to read the emails. Should I use something
> else to read it? Any suggestions are welcome.

Here I use Evolution these days, since it does a lot of "stuff" that Thunderbird can't or needs add-ons to do. Especially mailing lists ended up being so underwhelming in Thunderbird, while in Evolution I find them pretty straightforward to browse. Also GPG integration in Evolution (it actually integrates with the system keyring without needing add-ons etc.) and how it shows you which parts of an email are signed by putting a green square around it (useful for signed emails from e.g. security mailing lists), and so on. Definitely recommended!

--
Michael De Roover
Re: dnssec-keygen getting dates wrong
On Sunday, 30 August 2020 at 12:58 +0200, Mark Elkins wrote:
> Running BIND.. 9.16.6 on a Gentoo machine - so BIND is kept very much
> up to date.
> dnssec-keygen - Version: 9.16.6
>
> I create DNSSEC Keys in a manual process and in order to see when a
> Key was created (so I can rotate them - etc..) I look at the Creation
> date inside the 'key' file
> # dnssec-keygen -a RSASHA256 fubar.com
> # cat Kfubar.com.+008+21010.key
> ; This is a zone-signing key, keyid 21010, for fubar.com.
> ; Created: 20200830105653 (Sun Aug 30 12:56:53 202)
> ; Publish: 20200830105653 (Sun Aug 30 12:56:53 202)
> ; Activate: 20200830105653 (Sun Aug 30 12:56:53 202)
>
> Can anyone spot an issue? Look carefully at the creation date, the
> year in particular!

Hi,

it looks like a pretty printing issue.

# dnssec-settime -p all Kfubar.com.+008+21010.key

should give you the correct timestamp.

--
Marcel de Riedmatten
Re: distribution of Bind software through our website
The BIND software is released under the Mozilla Public License 2.0. You can refer to the LICENSE file to learn about your rights in BIND or most other open source projects. The only exception to my knowledge would be projects with no license - those are all rights reserved by default to protect authors who do not wish to grant additional rights for their software. I'm also hosting a mirror of BIND at git.ghnou.su/mir/bind without issues.

On Mon, 2020-08-24 at 10:28 +0530, ShubhamGoyal wrote:
> Dear All,
>
> We host a public DNS Recursive Resolver and also cater training on
> hosting the same using Bind.
>
> Kindly let us know if we can host and distribute a version of bind
> software in our own website in order to facilitate our training
> process.
>
> Best Regards,
> Shubham Goyal
> Cyber Security Group
> Centre for Development of Advanced Computing
> Bangalore

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: how to revert signed db zone file to unsigned plain text (remove dnssec keys)
On 2020-08-09 04:51, Evan Hunt wrote:
> On Sat, Aug 08, 2020 at 09:17:09PM +0200, Jelle de Jong wrote:
> > This will sound counter intuitive but I want to convert a
> > db.powercraft.nl.signed file to db.powercraft.nl (unsigned without
> > keys). I do have the keys used, but not the original file that got
> > signed. I know I can convert the raw format to text but the zone file
> > is rather big and I want to get rid of all the sign keys.
> >
> > named-compilezone -f raw -F text -o powercraft.nl.text powercraft.nl /var/cache/bind/db.powercraft.nl.signed
> > named-checkzone -D -f raw powercraft.nl /var/cache/bind/db.powercraft.nl.signed
>
> You can just regex out all the DNSSEC-related types. Something like this
> ought to work:
>
> $ named-compilezone -f raw -F text -s full -o - powercraft.nl /var/cache/bind/db.powercraft.nl.signed | \
>   awk '$4 ~ /(DNSKEY|DS|RRSIG|NSEC|NSEC3|NSEC3PARAM)/ {next} {print}'

Thank you for your reply, there are still a lot of

; resign=20200802123322

lines, but it does clean up a lot better. Sorted on record type it would become useful, ideas? Is there no clean named command to do this output?

Kind regards,

Jelle de Jong
how to revert signed db zone file to unsigned plain text (remove dnssec keys)
Hello everybody,

This will sound counter intuitive but I want to convert a db.powercraft.nl.signed file to db.powercraft.nl (unsigned without keys). I do have the keys used, but not the original file that got signed. I know I can convert the raw format to text but the zone file is rather big and I want to get rid of all the sign keys.

named-compilezone -f raw -F text -o powercraft.nl.text powercraft.nl /var/cache/bind/db.powercraft.nl.signed
named-checkzone -D -f raw powercraft.nl /var/cache/bind/db.powercraft.nl.signed

Kind regards,

Jelle de Jong
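The question above and the awk one-liner in the reply both come down to filtering the text dump of the signed zone. The filter below is an added example, not code from the thread or from ISC. It assumes one record per line with the type in the fourth field (owner, TTL, class, type, rdata), which is what `named-compilezone -s full` produces, and it also drops the `; resign=...` comment lines that were left over in the reply. Two deliberate choices: DS records are kept, because in the child zone they are delegation data for sub-zones rather than signing output, and the type match is anchored so a TXT record whose data happens to contain "resign" or "RRSIG" survives. The sample zone is constructed for the example, not real zone data.

```shell
# Added example: strip DNSSEC types and resign comments from a text zone dump.
unsign_zone() {
    awk '
        # keep $TTL / $ORIGIN directives and blank lines untouched
        /^\$/ || /^[[:space:]]*$/ { print; next }
        # drop the resign bookkeeping comments named writes, e.g. "; resign=20200802123322"
        /^;[[:space:]]*resign=/ { next }
        # drop records that only exist because the zone was signed
        # (CDS/CDNSKEY included: they publish DNSKEY/DS material for the parent)
        $4 ~ /^(RRSIG|NSEC|NSEC3|NSEC3PARAM|DNSKEY|CDNSKEY|CDS)$/ { next }
        { print }
    '
}

# Count records of one type in zone text on stdin (assumes -s full layout)
count_type() { awk -v t="$1" '$4 == t { n++ } END { print n+0 }'; }

# Constructed sample in named-compilezone -s full style (not real data).
SAMPLE='$TTL 3600
; resign=20200802123322
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2020080201 7200 900 1209600 300
example.net. 3600 IN RRSIG SOA 8 2 3600 20200901000000 20200802000000 21010 example.net. AAAA=
example.net. 3600 IN NS ns1.example.net.
example.net. 3600 IN DNSKEY 257 3 8 AwEAAc=
example.net. 3600 IN DNSKEY 256 3 8 AwEAAb=
example.net. 3600 IN NSEC3PARAM 1 0 10 ABCD
example.net. 3600 IN TXT "resign=not-a-comment"
ns1.example.net. 3600 IN A 192.0.2.1
sub.example.net. 3600 IN NS ns1.sub.example.net.
sub.example.net. 3600 IN DS 12345 8 2 ABCDEF
ABCDEF.example.net. 300 IN NSEC3 1 0 10 ABCD BCDEF A RRSIG
ABCDEF.example.net. 300 IN RRSIG NSEC3 8 3 300 20200901000000 20200802000000 21010 example.net. AAAA='
```

Real use, with the paths from the thread: `named-compilezone -f raw -F text -s full -o - powercraft.nl /var/cache/bind/db.powercraft.nl.signed | unsign_zone > db.powercraft.nl`, then `named-checkzone powercraft.nl db.powercraft.nl` to confirm the result still loads. If the zone was signed with NSEC3, the NSEC3 owner names are hashed labels that only ever carried NSEC3 and RRSIG records, so dropping those types removes the names completely.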
Re: BIND, nsupdate and acme.sh DNS authentication
On 7/23/20 9:13 PM, Brett Delmage wrote:
> To get this topic back on topic for this list:
>
> When you are creating Let's Encrypt wildcard certificates you must use a
> DNS authentication protocol with letsencrypt. I am using the acme.sh
> client which was recommended for wildcard certificates.
> https://github.com/acmesh-official/acme.sh
>
> If you are running your own nameserver you also need to enable dynamic
> updates so that the acme.sh client can create TXT records during
> certificate acquisition and renewal.
>
> However I have found that getting zone dynamic updates (authentication,
> specifically) working with nsupdate (which acme.sh uses) and BIND have
> been a PITA. I haven't been overly impressed with the debug capabilities
> to help get nsupdate working properly.

Interesting, I wasn't aware of this. Looking at Manjaro's site again, I found that their main website indeed uses a wildcard certificate while the forum (which was affected by the certificate renewal issues if memory serves me right) uses its own dedicated cert. Granted these renewal issues were already a few years ago so perhaps they changed some things here and there by now.

I had heard of Let's Encrypt's wildcard certs but never looked further into it. Would certainly be useful though, as subdomains are an easy way to separate services. Unfortunately bacme (which I currently use) doesn't seem to support the DNS-based ACME challenges. I've cloned the acme.sh repository and will look further into it.

--
Met vriendelijke groet / Best regards,
Michael De Roover
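The dynamic-update authentication that the quoted message found painful is a TSIG key plus an update policy on the zone. The fragment below is an added example, not configuration from the thread, from acme.sh or from ISC; the zone `example.com`, the key name `acme-key`, the server address 192.0.2.53 and the key file path are assumptions. The security-relevant point is the `update-policy`: the key is granted exactly one name and one type, so a key that leaks from the ACME client host cannot rewrite the zone's MX or NS records, which a plain `allow-update { key acme-key; };` would permit.

```shell
# Added example: least-privilege TSIG setup for ACME dns-01 updates with BIND.
ZONE="${ZONE:-example.com}"        # assumption
SERVER="${SERVER:-192.0.2.53}"     # assumption (RFC 5737 address)
KEYNAME="${KEYNAME:-acme-key}"     # assumption

# named.conf fragment: the key may only add/delete TXT at _acme-challenge.<zone>.
# "type primary" is the BIND 9.16+ spelling; older releases use "type master".
named_conf_fragment() {
    cat <<EOF
# generate the key file once with: tsig-keygen $KEYNAME > /etc/bind/acme.key
include "/etc/bind/acme.key";

zone "$ZONE" {
    type primary;
    file "/var/lib/bind/db.$ZONE";
    update-policy {
        grant $KEYNAME name _acme-challenge.$ZONE. TXT;
    };
};
EOF
}

# nsupdate batch for one challenge. action: add | del ; token: value from the CA.
# This is what a dns-01 hook hands to nsupdate; acme.sh's own hook is not shown.
nsupdate_batch() {
    action="$1"; token="$2"
    case "$action" in
        add) printf 'server %s\nzone %s.\nupdate add _acme-challenge.%s. 60 IN TXT "%s"\nsend\n' \
                 "$SERVER" "$ZONE" "$ZONE" "$token" ;;
        del) printf 'server %s\nzone %s.\nupdate delete _acme-challenge.%s. TXT "%s"\nsend\n' \
                 "$SERVER" "$ZONE" "$ZONE" "$token" ;;
        *)   echo "usage: nsupdate_batch add|del <token>" >&2; return 1 ;;
    esac
}

# Real use (not run here):
#   nsupdate_batch add "$TOKEN" | nsupdate -k /etc/bind/acme.key -d
# -d prints the signed request and the server's response code: NOTAUTH means the
# key name or secret did not match (or the zone is wrong), REFUSED means the
# update-policy rejected the name or type, which is the first thing to check.
```

Keep the key file readable only by the named user and the ACME client user, and confirm the policy with a negative test: an `update add www.example.com. 60 IN A 192.0.2.1` signed with the same key must come back REFUSED.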
Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?
The idea is pretty interesting, seems like they provide a repository with packages compiled with their own compiler that changes various memory-related elements. It is true that memory is usually the culprit behind security flaws. According to their page at https://polyverse.com/products/polymorphing-linux-security/ :

"Polymorphing takes source code and runs it through a polymorphic compiler, changing register usage, function locations, import tables and other targets. This produces individually unique binaries that are semantically equivalent to the source. Polymorphing applies the compiler to the totality of the Linux stack."

For this to work at all though, they'd have to provide all packages simply as source code (why not use the distribution's own source repositories?) and compile it on the target. But even then I think it's more of a security by obscurity thing. Sure it makes it more difficult to exploit a memory flaw by means of automated exploits and other such scripts. But nothing stops you from taking the unmodified source code, the binary and a disassembler to find out how exactly the resulting binary has been changed / polymorphed. I'm not very familiar with reverse engineering and disassemblers but I don't think there's much more to it than that, at least to thwart this defense. All of it is possible if an attacker can read, retrieve and execute a binary on the affected server. The flaws are still there, only their memory locations have changed. It would probably defend against script kiddies, but I doubt it would keep out a determined attacker.

Personally I prefer Google's approach to this for Chromium. They documented it at https://chromium.googlesource.com/chromium/src/+/master/docs/security/rule-of-2.md . Implementing programs in memory safe languages where possible is something I believe to be a more solid long-term solution. Additionally Google's Project Zero team is behind a lot of the security research and disclosures. They audit the actual code instead, which I believe to be far more suitable.

While the idea is valid to some extent (and could be worth it in highly confidential environments), I wouldn't consider it worth compiling everything from source for, with a nonstandard compiler no less. If servers would just be updated more often and (security) bug fixes actually make their way through to the distribution releases reliably, we'd already go a long way I think. Of course there are also configuration mistakes that could compromise a network component. From what I've seen so far, this seems to be more often the case with those leaked databases and whatnot.

On 7/23/20 2:39 PM, Fred Morris wrote:
> Perhaps slightly OT, but here's a company which has a whole business
> model based on one nonobvious (?) reason to compile from source:
> https://polyverse.com/
>
> --
> Fred Morris

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?
o turn into a Gentoo for increased merit or reasons like that. If the distro makes compiling from source (be it upstream or their downstream version) easy, either to compare or to actually put it to use, all the better.

(My preferred term for crashing and burning servers would probably not be suitable for this list)

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?
On 7/23/20 6:28 AM, Ted Mittelstaedt wrote:
> Linux is 10 times worse because they aren't even including the c
> compiler or development tools anymore.

Every distribution I've laid my hands on so far has GCC packages and most development packages affixed with either -dev or -devel (most of the time).

> But many "systemadmins" out there think they are Unix admins yet are
> afraid to compile programs. They will go to the FreeBSD port or the
> Linux precompiled apt-get stuff. The reason is more and more
> non-technical people are getting their hands on this stuff.

I don't disagree with this but I also think there's more to it than that. For me personally I avoid compiling from source when I can get away with it - not because I can't run make - but simply because binary packages are convenient. Having a package manager take care of updates in the whole system is convenient. Having distribution maintainers that say "okay we are going to go stable, bleeding edge or whatever with the whole project" is useful when they can spend the time looking at the upstream projects, and choose the most fitting software versions and such to suit that goal. And when there's billions of machines running very similar architectures, there is an argument to be made that making every single one of them compile everything from source is rather pointless. Why should every machine in existence be tasked with CPU-intensive compilation workloads when a handful of dedicated compilation servers can do exactly that, and a million times better?

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: AW: Debian/Ubuntu: Why was the service renamed from bind9 to named?
Sorry about that, the email might've been a bit too emotionally loaded. The issues pile up.. and that's eventually the result.

I'm not using FreeBSD anywhere anymore but found some resources online suggesting that the package name is bind916. The closest I could find to unwinded is Unbound which apparently is what replaced BIND in FreeBSD and OpenBSD. Is this the case?

Generally speaking all I'd ask for is consistency. Currently that does not appear to be present anywhere. Everyone gives things their own (new) names even if they're supposed to describe the same thing. It's extremely confusing.

On 7/20/20 9:05 PM, Ted Mittelstaedt wrote:
> On 7/20/2020 11:23 AM, Michael De Roover wrote:
> > If that is true, I hereby lost all faith in humanity.. well whatever
> > faith I had left. This has been going on for like half a decade now.
>
> Nobody ever went broke catering to the human desire for ease

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: AW: Debian/Ubuntu: Why was the service renamed from bind9 to named?
If that is true, I hereby lost all faith in humanity.. well whatever faith I had left. This has been going on for like half a decade now.

A few weeks ago I saw here on the list someone suggesting that BIND is a reference to bondage in BDSM, so perhaps it has to do with that... Lest we forget that BIND is an abbreviation for Berkeley Internet Name Domain. Software made at Berkeley, to serve domain names on the internet. The name is pretty descriptive about its intended purpose I would say. Perfectly fine! Just because an abbreviation coincidentally becomes the same as a word in another context doesn't mean that it suddenly /became/ that word. Western languages simply don't have enough characters and words to make everything unique and special. And the best part is.. banning certain words from general usage (for rather odd reasons) only exacerbates that problem. But with that said, if BSD thinks that BIND stands for bondage, I suggest that BSD drops the D because it's clearly a reference to criminally masculine dicks. Everything else is bullshit. (My apologies if bad words are disallowed here, but I had to get this off my chest)

Back to the thread's original topic, I happened to be configuring BIND on Alpine yesterday. I was pleased to see that the package in Alpine is simply called "bind". The service file in /etc/init.d is called "named". While those decisions are entirely up to the distribution vendors, I also think that version numbers don't really belong in the name of a piece of software. However even upstream the repository is called "bind9"... The branch name has already changed, so perhaps the same could be done for the repository name?

On 7/17/20 8:35 PM, John W. Blue wrote:
> Speaking about things to be annoyed over .. I am still ticked that
> FreeBSD dropped BIND from the distribution for something called
> unwinding or whatever it is.
>
> John

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: issue of Amplification attack
There was a very interesting conversation about this last week. See https://www.mail-archive.com/bind-users@lists.isc.org/msg29187.html.

On 7/12/20 6:23 AM, ShubhamGoyal wrote:
> Dear sir,
>
> Thank you for give me answer for my previous question,
>
> Sir now we are suffer from amplification attack so is there any method
> in bind to stop DNS Amplification attack. I am thinking to stop or drop
> ANY type queries from our DNS Recursive resolver, so please tell me how
> can we drop or stop ANY type queries from bind.

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: [DoD Source -- ssshhhh Top Secret] Re: Dumb Question is an A or AAAA record required?
On 7/9/20 5:03 PM, Reindl Harald wrote:
> but it still has nothing to do with your domain by definition, the PTR
> could be anything

Of course it can be, they're completely separate name spaces. However would it make any sense in practice to point it somewhere else entirely? You'd probably be better off not setting it at all then. I'd argue that they're meant to match each other.

> but how does that change anything in the simple fact that "Would the
> lack of A records affect pointer records? Seems like it would" given
> that the PTR zone is a dns zone like anything else
>
> while it's smart (at least when you want to send mails) that your IP
> has a sane PTR and that the name maps back to the IP the dns system
> couldn't care less

My thoughts exactly. They can technically be different and the DNS itself indeed couldn't care less (but applications checking for that might).. but would it make sense to? I mean yeah I suppose that they can exist without the other. Not uncommon for A records to be without PTR records, and I guess that a PTR record without an A record could work too..? But again, aside from the theoretical possibility, why would you want to set your PTR records to not match at least one of your A records?

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: [DoD Source -- ssshhhh Top Secret] Re: Dumb Question is an A or AAAA record required?
You do have control over that.. kind of. As far as I'm aware hosting providers generally offer control over PTR records in their admin panels. However delegation of them to your own authoritative name servers is.. complicated. A lot more so than delegation of forward lookups would be anyway (A, AAAA, MX, yada yada). Apparently the hosting provider would have to delegate (as far as I understand it's like sharing?) control over just that/those IP(s), and remember to revoke it after you leave their hosting services too. See https://www.arin.net/resources/manage/reverse or https://www.ripe.net/manage-ips-and-asns/db/support/configuring-reverse-dns for more information... But I don't understand this part very well myself.

On my own hosting provider it appears that I can adjust the PTR records on their admin interface, however I can't delegate it to my own name servers.. since it's apparently a rather manual process. And I'm probably not paying my hosting provider enough for that.

Whichever methods are available, for email in particular it's advisable to publish a PTR record of some kind. IRC networks may also ask to do this before they apply your domain as your vhost (and A and PTR have to match). On Freenode at least they do.

On 7/9/20 3:36 PM, Reindl Harald wrote:
> and typically you have no control over PTR records at all given that
> they have nothing to do with your domain
>
> while it's smart (at least when you want to send mails) that your IP
> has a sane PTR and that the name maps back to the IP the dns system
> couldn't care less

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: DNS security, amplification attacks and recursion
On 7/7/20 4:06 PM, Tony Finch wrote:
> An auth-only server can also be used for amplification attacks that use
> its authoritative zones - these attacks don't have to use recursion.
>
> There are a few ways to mitigate auth-only amplification attacks.
>
> Response rate limiting is very effective. Start off by putting the
> following in your options{} section, and look in the BIND ARM for other
> directives you can put in the rate-limit{} section.
>
>   rate-limit { responses-per-second 10; };

That's a really useful option to have, I didn't know about this yet. It seems like that could take care of the brunt of amplification attacks already. Definitely going to add this in, thanks!

> Set a maximum UDP packet size, to suppress fragmented packets. The DNS
> flag day 2020 campaign will make this a standard setting. For a long
> time I have used:
>
>   max-udp-size 1420;
>
> https://dnsflagday.net/2020/
>
> A downside of small UDP responses is more truncated packets and more
> queries over TCP, but there are still more ways to reduce response size
> which also reduce truncation.

Interesting, I wasn't aware of this campaign. I don't know if I'm knowledgeable enough on UDP to be able to make educated decisions on this myself but I look forward to its eventual release.

> Reduce the size of responses to ANY queries, which are a favourite tool
> of amplification attacks. There's basically no downside to this one, in
> my opinion, but I'm biased because I implemented it.
>
>   minimal-any yes;

I've heard of these ANY queries being preferred for amplification attacks as well, since the responses are often so large... I don't think that there would be any downsides to this either, in fact I've never actually seen a legitimate application use it... Probably best to lock down indeed.

> You can also reduce the size of other answers. In theory this option
> might force resolvers to make more queries to get records that by
> default would appear in the additional section, but I think in practice
> resolvers make these queries anyway because of RFC 2181 trustworthiness
> logic, and because applications (such as SMTP servers) find it easier
> to query directly than use additional records. So on my auth servers I
> set:
>
>   minimal-responses yes;

Hmm, for the authoritative name servers this might be a good idea yeah.. Those are authoritative only (i.e. `recursion no`). So for clients querying those, the NS records served in the additional section at least should already be known to the client anyway... I mean that's why they're there to begin with, so they must already know that information from the DNS servers higher up the chain. And another query if needed, saves traffic either way I suppose.

Thanks a lot for the detailed reply, I really appreciate it :)

--
Met vriendelijke groet / Best regards,
Michael De Roover
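The four settings quoted in this reply (response rate limiting, a capped UDP size, `minimal-any`, `minimal-responses`) are easy to forget on one server out of several. The audit function below is an added example, not code from the thread or from ISC: it reads a named.conf on stdin and prints one line per missing or weak item, returning non-zero if anything was found. The two configs are constructed for the example; the weak one is what a default-looking authoritative `options {}` block tends to look like, the second one has the settings from the reply. Comment stripping is deliberately simple (`//` and `#` to end of line), so it will also chop a `//` inside a quoted string such as a URL.

```shell
# Added example: audit an authoritative named.conf for amplification hardening.
audit_auth_hardening() {
    # drop comments and flatten to one line so the patterns below are predictable
    cfg=$(sed -e 's|//.*||' -e 's|#.*||' | tr '\n\t' '  ' | tr -s ' ')
    status=0
    case "$cfg" in
        *"rate-limit {"*"responses-per-second "*) ;;
        *) echo "missing: rate-limit { responses-per-second N; }"; status=1 ;;
    esac
    case "$cfg" in
        *"minimal-any yes;"*) ;;
        *) echo "missing: minimal-any yes;"; status=1 ;;
    esac
    case "$cfg" in
        *"minimal-responses yes;"*) ;;
        *) echo "missing: minimal-responses yes;"; status=1 ;;
    esac
    # max-udp-size: absent, or larger than the 1420 used in the reply, is flagged.
    # 1232 is the value the DNS flag day 2020 campaign recommends.
    size=$(printf '%s' "$cfg" | sed -n 's/.*max-udp-size \([0-9][0-9]*\);.*/\1/p')
    if [ -z "$size" ]; then
        echo "missing: max-udp-size (1232 or 1420 are common choices)"; status=1
    elif [ "$size" -gt 1420 ]; then
        echo "weak: max-udp-size $size allows fragmented responses; use 1420 or lower"; status=1
    fi
    # an authoritative-only server must not recurse for the world
    case "$cfg" in
        *"recursion no;"*) ;;
        *) echo "missing: recursion no;"; status=1 ;;
    esac
    return $status
}

# Constructed sample: a typical unhardened authoritative options block.
WEAK='options {
    directory "/var/cache/bind";
    recursion no;
    // no rate-limit, ANY answered in full, large UDP payloads allowed
    max-udp-size 4096;
};'

# Constructed sample: the same block with the settings from the reply applied.
HARDENED='options {
    directory "/var/cache/bind";
    recursion no;
    rate-limit { responses-per-second 10; };
    max-udp-size 1420;
    minimal-any yes;
    minimal-responses yes;
};'
```

Run it as `audit_auth_hardening < /etc/bind/named.conf.options` (or against the output of `named-checkconf -p`, which expands `include` statements, so nothing hides in a separate file). It checks the presence of directives, not their effect; after applying rate-limit, watch the `rate-limit` log category for a day before lowering `responses-per-second` further, since legitimate resolvers behind a large NAT can also hit the limit.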
DNS security, amplification attacks and recursion
Hello, Recently I discussed with a friend of mine the idea of NTP and DNS in the context of denial of service attacks. In NTP this amplification attack is done with the monlist command (that should honestly never have been publicly available due to its purpose being pretty much entirely debugging-related). The DNS version was rather unclear to me however. Said friend said to me that he tested my authoritative name servers and found them to be not vulnerable. I don't run the latest and greatest of BIND at all, I mean it's Debian distribution packages we're talking about there... But they were set up to be exclusively authoritative. They do not respond to recursive queries. It appears that the test of whether a server is "vulnerable" or not has to do with this. The command used to test this was apparently "dig +short test.openresolver.com TXT @your.name.server". That's simply a recursive query of what appears to be an arbitrary record to me. This also meant that supposedly the recursive DNS servers from Google, Cloudflare and Quad9 were all considered vulnerable. I find this very hard to believe. Authoritative name servers may not need a huge DNS infrastructure for a small-ish zone (say under 1k records), but recursors on the scale of Google and Cloudflare in particular (not sure how popular Quad9 is so far).. those use massive infrastructure including anycast and everything! I'd consider it safe to assume that their servers are at least on the order of 100Gbps cumulatively, if not more. If these would be vulnerable to amplification attacks just because they allow recursion, wouldn't skids be jumping on this like there's no tomorrow? It doesn't make any sense to me. This seems to be not very well documented online (or more likely my search terms aren't right), so yeah... I wonder why the idea of recursion became associated with a vulnerable server in the first place. 
--
Met vriendelijke groet / Best regards,
Michael De Roover
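As an added example (not code from the thread), here is what the quoted dig probe actually inspects, worked offline in Python: it builds a query with the RD bit set, as dig does by default, and classifies a reply by its RA flag, RCODE and answer count, reporting the byte amplification ratio an open resolver hands out. Every packet below is constructed by hand and nothing is sent over the network.

```python
"""Decode the DNS header bits that an "open resolver" probe looks at.

Added example, not from the original post. The query is the kind the quoted
dig command sends (RD=1, TXT); the replies are constructed to show the two
outcomes discussed in the thread: a server that recurses for anyone, and an
authoritative-only server (recursion no) that answers REFUSED.
"""
import struct

TYPE_TXT = 16
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_TXT, txid: int = 0x1234) -> bytes:
    """A query with RD=1 ('please recurse for me'), which is what dig sends by default."""
    flags = 0x0100  # QR=0, opcode QUERY, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_header(packet: bytes) -> dict:
    """Split the 12-byte header into the fields the probe cares about."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query: bytes, response: bytes) -> dict:
    """Decide whether `response` shows the server recursing for arbitrary clients.

    The probe counts a server as an open resolver when it sets RA, returns
    NOERROR and carries answer records for a name it is not authoritative for.
    The amplification ratio is response bytes per query byte: that ratio, not
    recursion as such, is what makes an open resolver useful as a reflector.
    """
    h = decode_header(response)
    if not h["qr"] or h["id"] != decode_header(query)["id"]:
        raise ValueError("not a response to our query")
    open_recursion = h["ra"] and h["rcode"] == 0 and h["ancount"] > 0 and not h["aa"]
    return {
        "open_recursion": open_recursion,
        "rcode": RCODE_NAMES.get(h["rcode"], str(h["rcode"])),
        "answers": h["ancount"],
        "amplification": round(len(response) / len(query), 2),
    }


def _constructed_response(query: bytes, flags: int, answers: bytes, ancount: int) -> bytes:
    """Turn our query into a constructed reply: same ID and question, new flags."""
    txid = decode_header(query)["id"]
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + query[12:] + answers


QUERY = build_query("example.com")

# Constructed reply from a resolver that recursed for us: QR=1 RD=1 RA=1 NOERROR,
# one TXT record whose owner is a compression pointer to the question (offset 12).
_TXT = b"this is a constructed answer, deliberately longer than the question"
_TXT_RDATA = bytes([len(_TXT)]) + _TXT
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(_TXT_RDATA)) + _TXT_RDATA
OPEN_RESOLVER_REPLY = _constructed_response(QUERY, 0x8180, _ANSWER, 1)

# Constructed reply from an authoritative-only server (recursion no): QR=1 RD=1
# RA=0 and RCODE=REFUSED, with no answer section at all.
AUTH_ONLY_REPLY = _constructed_response(QUERY, 0x8105, b"", 0)


if __name__ == "__main__":
    for label, reply in (("open resolver", OPEN_RESOLVER_REPLY), ("auth-only", AUTH_ONLY_REPLY)):
        print(label, classify(QUERY, reply))
```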
Re:
I just tried to make an exception like this in /etc/bind/named.conf.local for .oss (at least its lack of ICANN accreditation is useful for something now) and it did indeed use the other name server (theirs rather than my usual Cloudflare).

On 6/28/20 6:43 AM, baalchina wrote:
> Hi all, I had a bind 9.16.4 as recursive name server. I want to forward all queries to a specific dns server out of my net such as 8.8.8.8. While I have a new domain (such as abc.com) I want to forward to a new dns server such as 9.9.9.9. Here is my named.conf:
>
>     options {
>         listen-on port 53 {192.168.1.1;};
>         recursion yes;
>         allow-recursion {any;};
>         forwarders { 8.8.8.8; };
>     };
>
>     zone "abc.com" {
>         type forward;
>         forwarders {1.1.1.1;};
>     };
>
> So, in this configuration, will abc.com be forwarded to 8.8.8.8 or 1.1.1.1?
>
> Thanks.
>
> --
> from:baalchina

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: BIND Masters and slaves
>> ode for years (I'm not there yet, and I have not) how am I going
>> to communicate this to people?
>> How will I be able to master anything technical anymore? Should I just
>> stop trying?
>> Thesaurus.com suggests that one could call one type of DNS server the
>> "crackerjack" server instead. I guess that's an improvement over
>> "cracked". "Ace" server is a suggested alternative too, and it's
>> nicely terse.
>> https://www.thesaurus.com/browse/master?s=t

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: BIND Masters and slaves
Completely aside from the topic at hand, I often like to think that after a few years I mastered something. System administration, electronics, programming, whatever has piqued my interest for several years already and got me to invest in it. It is never true. The first profession I pursued was system administration and Linux in general. Even today I still learn so much on the daily. Mastery? I may be experienced with Linux but mastery is still far ahead... It's quite interesting how deep the rabbit hole can go. What matters is how deep we want it to go I guess.

Crackerjack is an interesting name, if anything I'd just want it for shits and giggles :D

On 6/15/20 9:07 PM, Brett Delmage wrote:
> After I feel I have mastered DNS and BIND after slaving over the docs and code for years (I'm not there yet, and I have not) how am I going to communicate this to people?
> How will I be able to master anything technical anymore? Should I just stop trying?
> Thesaurus.com suggests that one could call one type of DNS server the "crackerjack" server instead. I guess that's an improvement over "cracked". "Ace" server is a suggested alternative too, and it's nicely terse.
> https://www.thesaurus.com/browse/master?s=t

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: [Non-DoD Source] Re: BIND Masters and slaves
Of course I could, but I do not feel like the effort to change nomenclature is either beneficial or worth taking for granted the requests of some people on Twitter - as the slave to peer authority I am - given how much it affects documentation, code, comments, general environment of the projects themselves. I enjoy being surrounded by people much smarter than I am when it comes to the mailing list here. Let's keep it that way and not derange ourselves into meaningless blabber from social media.

What I did notice over time however is that most of the projects affected are also those who do have to maintain a good public image, usually corporations. Meanwhile projects such as Opal <https://github.com/opal/opal/issues/941> and recently Rubocop <https://github.com/rubocop-hq/rubocop/issues/8091> as well were not. The latter one I'd like to draw attention to. The maintainer clearly didn't ask for this and asked everyone who shamed him, why are you doing this? None of the complainers were affiliated to the project at all. Chances are that they weren't even using it and just searched for projects with the name "cop" in it instead. These are not the people I want to support in my effort to end racism, which I /do/ support, and quite heavily so.

On 6/15/20 8:00 PM, DeCaro, James John (Jim) CIV DISA FE (USA) wrote:
> Or you can call the slave servers 'secondary' servers.

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: BIND Masters and slaves
I concur with this. I'm still fairly new to BIND and DNS myself. I maintain 7 name servers (3 internal, 4 external) and master does signify to me that this is the server in control of the zone files for the other ones in that pool. The slaves are pretty much that to me, they take the zone files and apply them while not having any further control over the zone files themselves. In my external name servers it also goes paired with authority - slave authorities that are authoritative to the internet but slaves in that they replicate from an internal master. This is not something you'd see in real slavery, signifying that this is mere technical jargon.

Is it a heavy term? Yes. Should we support "black lives matter" and condemn the completely egregious actions committed by the police officers towards George Floyd? Absolutely, and I hope that the former officers get convicted for not just manslaughter but murder, and that more protests will emerge (minus the plundering which was the case here in Brussels). However, changing a name and going for censorship of technical jargon which will only confuse newcomers who will now face duplicate nomenclature changes NOTHING. George Floyd wouldn't have been able to survive just because we give things a different name. Instead we'd border closer to censorship which we had during the wars, and still do in heavily oppressed countries like North Korea, China etc. It's ironic that what these people are pushing for in practice is exactly the thing they seemingly seek to eradicate.

There is another relevant case where GitHub will apparently replace master branches in all their repositories. I'm really glad to be unaffected with my Gitea server. I may have to adjust my repository mirrors from GitHub however. For GitHub users, that change will likely break every one of their repositories that defaults to master and require adjustments from GitHub users of which many might not even know what branches are. That's the real impact of that and I find it deeply worrying. I do not want such a thing to happen to BIND just to please some people with large followings on Twitter who other than that, often have no affiliation with the project whatsoever.

On 6/15/20 12:53 AM, Vinícius Ferrão via bind-users wrote:
> ISC had a statement about it a time ago: https://twitter.com/ISCdotORG/status/942815837299253248
>
> You can now call primary and secondary zones. But the prevalence of terms are still master and slave.
>
> And I really hope this thing of changing nomenclatures doesn't go any further due to political correctness. For the newcomers it's not OK to break years of terms, software and documentation just because some people can't handle terms like master and slave.
>
> Slavery still exists today and making the word disappear will not solve the issue.
>
> And you're correct about the BDSM thing. It's a waste of time, efforts and lines of code.

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: DNS Misconfiguration on- http://cyberia.net.sa/
Wholeheartedly agreed. Not to mention that it's extremely rude to demand fame/money like that. These are not security researchers, they're skids.

(Please disregard the previous email, pressed the wrong reply button and realized it too late..)

On 6/5/20 11:53 AM, Ondřej Surý wrote:
> The localhost. is not scam, but the „I found this on HackerOne and I now want money“ is scam. Remove the localhost entry from the zone, but you should not pay money for issues that can be produced by automated scanners.
>
> HackerOne is doing everyone a disfavor by paying nonsensical amounts of money[*] for small issues like this. They (and other wealthy companies) should be paying money only for original security research and not this nonsense.
>
> * $100 is a helluva money in some economies...
>
> Ondrej
> --
> Ondřej Surý
> ond...@isc.org

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: install issue with bionic packaging -- bind9/bionic 1:9.16.3-1+ubuntu18.04.1+isc+2
On Wednesday, 20 May 2020 at 13:39 +0200, Ondřej Surý wrote:
> Hi Marcel,
>
> I think I figured it out how to build without any additional extra
> dependencies,
> so the next update of the bind9 package for Ubuntu will not require
> to have
> -backports enabled.

I can confirm that I have been able to install 1:9.16.3-1+ubuntu18.04.1+isc+3 without bionic-backports enabled.

Case closed !-)

--
Marcel de Riedmatten
Re: install issue with bionic packaging -- bind9/bionic 1:9.16.3-1+ubuntu18.04.1+isc+2
On Wednesday, 20 May 2020 at 12:42 +0200, Ondřej Surý wrote:
> Hi Marcel,
> Let me try if I can tweak the dependencies, so I can build with a
> default set
> of dependencies. Meanwhile you can add bionic-backports to your apt
> sources.list
> to solve the missing dependency.
>

Yes, it works now:

1) add bionic-backports
2) apt update
3) apt install -t bionic-backports init-system-helpers # 1.56 is installed
4) business as usual

As a user I am very happy with that. Thanks for all your involvement. I wouldn't be hurt if you had better things to do than to fight a packaging infrastructure.

--
Marcel de Riedmatten
install issue with bionic packaging -- bind9/bionic 1:9.16.3-1+ubuntu18.04.1+isc+2
Hi all

Can't seem to find a better place to voice an issue with the installation of the latest packaging for ubuntu bionic, which has its home at https://launchpad.net/~isc/+archive/ubuntu/bind. I meet a dependency issue concerning init-system-helpers, which is currently 1.51 and is asked to be 1.54. Can somebody confirm that?

screen copy
===
root@slavedns:~# apt install bind9
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 bind9 : PreDepends: init-system-helpers (>= 1.54~) but 1.51 is to be installed
E: Unable to correct problems, you have held broken packages.

--
Marcel de Riedmatten
Re: DoH plugin for BIND
Interesting, I wasn't aware of that. Until now I subscribed to the whole business-only IP idea the whole time. I never thought that ISP's or other mail servers would allow this (though granted, mine doesn't discriminate either). Meanwhile Microsoft still blocks one of my sender IP's (e3.nixmagic.com which was the last one to enter the set of edge servers). Maybe phasing out my edge servers wouldn't be a bad idea then, at least in the long run. My ISP doesn't change the IP address for my residential connection as long as I don't reboot my router anyway. Assuming that I check whether my ISP allows 25 in- and outbound first, that could work.

On 5/2/20 6:25 PM, Brett Delmage wrote:
> On Sat, 2 May 2020, Michael De Roover wrote:
>> Even if your ISP allows it, chances are that other mail servers will reject it
>
> Nope, not always. My residential-class static IP mail server has never had problems delivering mail. I've checked it many times over the years on many blacklist checkers and never had anything but green lights. Of course I have met all the email best practices for years: SPF, DKIM, reverse pointer, etc.
>
> Even though email is not secure, I still feel better knowing that emails end up in MY server via opportunistic TLS transport, and not in some Yahoo's or surveillance capitalist's data store.
>
> Underlying all this are my own DNSSEC-enabled BIND servers, of course.

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: DoH plugin for BIND
I'm sure that most of the list members here are aware of how net neutrality and the internet in general works - we're internet operators after all. What we're here for is ports and protocols, not policy or internet culture. On that subject, we are not policy makers. Let's leave that to politicians who studied for it. Vote some technical people in government while we're at it, but I digress.

The DoT/DoH argument or what a mail server could be operated from is not one of policy.. well maybe mail servers are, to some extent. Perhaps there's some ISP employees here too. Those are in power to allow or disallow things on their network. But DoT/DoH certainly isn't. What are we supposed to worry about? How do we implement this new encrypted DNS. Do we piggyback off an existing port and rely on its ubiquitous allowance on the internet or do we create a new port for it, where we can make a dedicated new protocol suite?

On 5/2/20 5:03 PM, Reindl Harald wrote:
> On 02.05.20 at 16:39, Paul Kosinski via bind-users wrote:
>> I wasn't complaining about port 25, I was just citing it as a counterexample to the claim that ISPs "must" pass all traffic.
>
> https://en.wikipedia.org/wiki/Net_neutrality
>
>> I think that most ISPs tell customers how to set up their email clients (NUAs) including what port to use. Of course it seems that now most people use Web based email like Gmail, Yahoo (and even Comcast/Xfinity) so they never see port numbers.
>>
>> On Sat, 2 May 2020 15:51:58 +0200 Reindl Harald wrote:
>>> On 02.05.20 at 15:41, Michael De Roover wrote:
>>>> In my experience and from what I've heard, very few.
>>>
>>> if that would be true how come that most mail clients still default to 25 for submission and years after closing port 25 on our mailserver I still struggle with customers smartphones still not using 587?
>>>
>>> in fact 10 years ago some ISP's *tried* to kill outbound port 25 because there is no point in using it from a home machine and at that time we struggled also to explain our customers that 25 is plain wrong
>>>
>>> finally they gave up because the damage of open port 25 is killed with dnsbl but the customer support went crazy with "why can't I send email with my internet connection"
>>>
>>>> Even if your ISP allows it, chances are that other mail servers will reject it
>>>
>>> that's a completely different story
>>>
>>>> On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
>>>>> How many ISPs allow traffic on port 25? My impression is that even many (non-enterprise) business customers can't use port 25

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: DoH plugin for BIND
To put it very simply, I consider myself very lucky that I have control over every mail client that interfaces with my mail server. Most of them are well-behaved and use 587 for submission. My mail server has also disabled it on port 25 to reduce spam. Port 587 on my mail server is also only visible within my VPN's to allow submission only within. That is an edge case and a privilege since all the mail clients are local. If your mail clients go outside your network or VPN's, that's when you'll need to either expose 587 to the internet or allow it on 25, with all those related issues.

Submission on port 25 is something I disabled on my mail server since it reduces the amount of spamhausen that try to submit email to my mail server, assuming that it's an open relay. It's purely traffic- and load-related. The reason why residential ISP's disallow it - to my knowledge which is admittedly limited - is because few postmasters consider the limitations that are applied to residential connections in general endurable. That includes dynamic IP's, down-/upload ratio, blocked ports, lack of SLA, and many other things.

As far as the "completely different story" goes, it's part of a whole. Good luck getting deliverability to other mail servers from a residential range even if the ISP itself allows it. Mail servers are an inherently reputation-driven thing. Reputation of your sender IP addresses to be precise. Is it good? No, email sucks. If you can get away with not running a mail server, don't run one. They suck so much. But if you do, a home IP is not where you'll want to start regardless. Get a VPS if anything.

On 5/2/20 3:51 PM, Reindl Harald wrote:
> On 02.05.20 at 15:41, Michael De Roover wrote:
>> In my experience and from what I've heard, very few.
>
> if that would be true how come that most mail clients still default to 25 for submission and years after closing port 25 on our mailserver I still struggle with customers smartphones still not using 587?
>
> in fact 10 years ago some ISP's *tried* to kill outbound port 25 because there is no point in using it from a home machine and at that time we struggled also to explain our customers that 25 is plain wrong
>
> finally they gave up because the damage of open port 25 is killed with dnsbl but the customer support went crazy with "why can't I send email with my internet connection"
>
>> Even if your ISP allows it, chances are that other mail servers will reject it
>
> that's a completely different story
>
>> On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
>>> How many ISPs allow traffic on port 25? My impression is that even many (non-enterprise) business customers can't use port 25

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: DoH plugin for BIND
In my experience and from what I've heard, very few. Even if your ISP allows it, chances are that other mail servers will reject it, since residential areas aren't really suited for and aren't generally used for long-term mail servers. I would recommend against running your mail server (directly) on your home connection.

Here I rent 3 VPS's as pretty much edge servers and connect my mail, web, Gitea and other servers from there (possibly my DoT service as well since almost everything is already reverse proxied with nginx from there). VPN connections are made from all of those local servers to there but it's far from ideal (70 servers x 3 VPN connections each and you've got 210 total.. and that's where I more or less screwed up). Nowadays I'd rather consider either making my VPS's connect to my home, or make a single server be the gateway at home that makes VPN connections to those VPS's instead. Probably the latter since home connections have dynamic IP's too.. that complicates things a bit.

On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
> How many ISPs allow traffic on port 25? My impression is that even many (non-enterprise) business customers can't use port 25.

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: DoH plugin for BIND
I don't live in the US myself, but from what I've heard it's actually among the least censored countries out there at the DNS level. Again, I don't consider it right to block content, at least if said content doesn't break local laws. If anything I'd like to actually retain my ability to bypass DNS blocks by simply changing my DNS server to a more favorable one. With DoH that would likely become much harder. Not to mention that HTTPS isn't the holy grail for bypassing that either. The Facebooks and Googles out there use HSTS to mitigate TLS stripping but that requires a list to be hardcoded in every web browser that supports it. It doesn't scale up at all. At that point we might as well go back to hosts files.

On 5/2/20 9:28 AM, Reindl Harald wrote:
> On 02.05.20 at 09:00, Michael De Roover wrote:
>> That's actually my biggest concern with DoH, ISP blocking. It doesn't seem as obvious as it is with DoT, but deep packet inspection (DPI) is already a thing. Don't expect an ISP that wants to block DoT to not (want to) block DoH either. The crux of the problem at that point is not the technology, it is the ISP's incentives. If the ISP wants to block DoT for whatever reason, personally I'd consider it.. not exactly fine but at least their right to do so. That's their decision to make.
>
> seriously?
>
> that seems to be some US attitude, no wonder what happens there with user attitudes like "but at least their right to do so"
>
> the ISP by definition has exactly one right: get money for his service which is described as "route and transfer every package, don't look at it, don't mangle it, you have no business about the content of my traffic"

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: DoH plugin for BIND
That's actually my biggest concern with DoH, ISP blocking. It doesn't seem as obvious as it is with DoT, but deep packet inspection (DPI) is already a thing. Don't expect an ISP that wants to block DoT to not (want to) block DoH either. The crux of the problem at that point is not the technology, it is the ISP's incentives. If the ISP wants to block DoT for whatever reason, personally I'd consider it.. not exactly fine but at least their right to do so. That's their decision to make. The problem is that if they want to block DoH too, they'd more or less have to break HTTPS altogether. And at that point, I'd expect them already more than willing to do so.

As far as content blocking goes, currently DNS is used for that too. In my country that is mainly Torrent sites, which are illegal. In workplaces it'd be for websites employees aren't allowed to visit at work. Most users use their ISP's / workplace's DNS servers and thus a simple DNS block ended up being fine. If that wasn't the case, more invasive methods would've been necessary. DNS blocking is easy to bypass but not many people do it.

Personally I'd much rather keep technology away from policy. Encrypting DNS is important and both methods are fine for their own reasons, but policy is something that ISP's and workplaces will enforce regardless. Making this harder with technology could very well have adverse effects in the long run.

On 5/1/20 11:51 PM, @lbutlr wrote:
> On 29 Apr 2020, at 14:19, Tony Finch wrote:
>> DoT is easier since you only need a raw TLS reverse proxy, and there are lots of those, for example, nginx:
>
> DOH is better because it cannot be blocked without blocking all https traffic. (FSVO of better, of course. I am sure there is a vi/emacs space/tab trek/wars religious canonical war here, but being able to guarantee access to secure DNS is definitely better for users).
>
> All that is needed to subvert DoT is to block port 853. If DoT takes off, I expect all US ISPs to block port 853 universally.
>
> There's nothing they can do about DoH. Not that it is all sunshine and rainbows in DoH-land, of course. Use of cookies is "discouraged" but not prevented, most obviously.

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: DoH plugin for BIND
Thanks a lot for the detailed reply. That should be pretty straightforward to set up then, as I'm already using nginx for some other things and Debian appears to be using BIND 9.11.5 now. Until BIND gets native DoT/DoH support I'll probably run it behind nginx as well then.

On 4/29/20 10:19 PM, Tony Finch wrote:
> Michael De Roover wrote:
>> On that subject, how about DoT?
>
> DoT is easier since you only need a raw TLS reverse proxy, and there are lots of those, for example, nginx:
>
> http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48
>
> Note that if you enable DoT on port 853 on your normal DNS resolvers then Android devices will use it automatically. (I get a lot more DoT traffic than DoH traffic!) So it's worth tuning timeouts to control the number of concurrent TLS and TCP sessions on your server. Android's DoT client is very well-behaved so the server-side configuration knobs work nicely.
>
> Use BIND 9.11 or newer so you can support concurrent queries on one connection. As well as the nginx timeouts you can see at the link above, my named.conf has:
>
>     tcp-clients 1234;
>     tcp-idle-timeout 50;       # 5 seconds
>     tcp-initial-timeout 25;    # 2.5s minimum permitted
>     tcp-keepalive-timeout 50;  # 5 seconds
>     tcp-advertised-timeout 50; # 5 seconds
>
> The timeouts are short because they don't need to allow for much slowness on our metropolitan-area fibre network. 5 seconds is based on my rough eyeball assessment of when typical DoT connections are unlikely to be re-used. The number of TCP clients is a guess.
>
> Tony.

--
Met vriendelijke groet / Best regards,
Michael De Roover
Re: DoH plugin for BIND
On that subject, how about DoT? I have mixed feelings about using 443 as a kitchen sink port but encrypting DNS seems like a good idea.

On 4/29/20 9:40 AM, Evan Hunt wrote:
>> Does BIND have a DoH plugin official? Or is there any guide to customize that one?
>
> Not yet, but we plan to have a DoH implementation in named by the end of this year. In the meantime, there are DoH proxies that can run BIND as the back-end.

--
Met vriendelijke groet / Best regards,
Michael De Roover
[Fwd: dnssec-signzone]
Hi again.

So finally I was able to sign my zone thanks to a different (older) tutorial. I specified dnssec-signzone with flags -o and -S and it worked!

If anyone could please answer these questions, I would appreciate it:

1) do I need to generate those 2 .key and .private files if I intend to sign my several reverse zones? - I think so.
2) What happens if I need to change a record in my zone.signed file? Do I need to sign it again? Please remember my bind version is 9.8.2 so I have no automatic mechanisms.

Thank you very much!

----- Original Message -----
Subject: dnssec-signzone
From: "David Alexandre M. de Carvalho"
Date: Mon, April 6, 2020 4:05 pm
To: bind-users@lists.isc.org
-----

Hi all.

So I'm still fighting with dnssec in BIND 9.8.2 (oracle linux 6). Unfortunately no automatic signing before Bind 9.9, from what I read.

I can't sign my zone, I keep getting "dnssec-signzone: fatal: No signing keys specified or found."

By now I've tried to move the files generated with dnssec-keygen but no success. I'm using bind-chroot and created a temp folder /var/named/my_keys. Here, I've created the 2 .key and .private files. Since dnssec-signzone couldn't find the keys (even specifying -k or -K), I've copied them to /etc/pki/dnssec-keys and run the command with the same result.

Now, I've copied all the key and private files to /var/named/chroot/var/named where my zone file exists (di.hosts). Running from there, I also get "dnssec-signzone: fatal: No signing keys specified or found." I changed the owner and group to "named", and they are both readable.

Could anyone please tell me what am I doing wrong? Also, do I need to generate those 2 .key and .private files if I intend to sign my several reverse zones?

Thank you very much!

Regards
Best regards
David Alexandre M. de Carvalho
---
IT Specialist
Department of Informatics
Universidade da Beira Interior
dnssec-signzone
Hi all.

So I'm still fighting with dnssec in BIND 9.8.2 (oracle linux 6). Unfortunately no automatic signing before Bind 9.9, from what I read.

I can't sign my zone, I keep getting "dnssec-signzone: fatal: No signing keys specified or found."

By now I've tried to move the files generated with dnssec-keygen but no success. I'm using bind-chroot and created a temp folder /var/named/my_keys. Here, I've created the 2 .key and .private files. Since dnssec-signzone couldn't find the keys (even specifying -k or -K), I've copied them to /etc/pki/dnssec-keys and run the command with the same result.

Now, I've copied all the key and private files to /var/named/chroot/var/named where my zone file exists (di.hosts). Running from there, I also get "dnssec-signzone: fatal: No signing keys specified or found." I changed the owner and group to "named", and they are both readable.

Could anyone please tell me what I am doing wrong? Also, do I need to generate those 2 .key and .private files if I intend to sign my several reverse zones?

Thank you very much!

Regards
Best regards
David Alexandre M. de Carvalho
-------
IT Specialist
Department of Informatics
Universidade da Beira Interior
[Fwd: Re: bind 9.11.2 - domain and subdomain with one zone does not work]
Thanks for the reply. Actually my setup is just like 1) zone delegation

On 03.04.20 at 15:20, David Alexandre M. de Carvalho wrote:
> Where can I find about alternatives to point 2?

in the part you quoted from me

> I have a windows subdomain configured in that way, never realized there was a
> better way.
> Thanks and regards.

which way?

a) zone-delegation, 192.168.196.1 is the nameserver responsible for whatever below subzone.example.com

subzone IN A 192.168.196.1
subzone IN NS subzone

b) records in the same main zone file

subzone IN A 192.168.1.1
www.subzone IN A 192.168.196.10
mail.subzone IN A 192.168.196.11

>>>> why so much complexity to begin with?
>>>>
>>>> t1 A 127.0.0.3
>>>> sub.t30 A 127.0.0.2
>>
>> On 03.04.20 11:53, mail-list-us...@materna.de wrote:
>>> ---
>>> Well, in first place to make it human readable, if needed to look into the
>>> zone.
>>
>> well
>> 1. the above is more readable than what you proposed.
>>
>> 2. delegating subdomain (sub) to other servers via NS records and setting
>> any other records in the zone is a bad idea.
>>
>> 3. putting localhost into any domain is useless and I discourage you from
>> doing that
>>
>>> For some subdomains we would have entries for the subdomain itself, like
>>> couple NS,TXT,A,CNAME,SRV etc.
>>> So with these thoughts, the documentation gives this as a valid option and
>>> it
>>> worked in small scale on the testsystem, so we decided to go this way.
>>> If this needs to be changed, I need a reason besides of 'that is this way
>>> more easy',
>>> because these zones get generated from an automated system and I need an
>>> argument to get a permission for a change request.
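Point 2 in the quoted reply (records placed under a name that is also delegated with NS records) can be checked mechanically before a zone is loaded. The linter below is an added example written for this page, not code from any participant. It assumes a simplified zone-file syntax (one record per line, explicit owner, optional TTL and class, $ORIGIN and $TTL directives) and runs against a constructed zone that combines layout a) and layout b) from the reply above, so you can see which records are served and which are silently occluded by the delegation.

```python
"""Find records occluded by a delegation in a BIND-style zone file.

Added example for the a)/b) layouts above; it is not code from the thread.
A delegation is an NS RRset at a name below the zone apex. Everything at or
below that name other than the NS set itself, a DS set, and glue addresses
for the delegated nameservers is occluded: named answers with the referral,
so those records are never served. This linter flags them.
"""
import re

# Constructed sample, mixing both layouts from the thread: "sub" is delegated
# to its own nameserver (with glue), "other" keeps its records in the parent.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@          IN SOA ns1 hostmaster 2020040301 7200 900 1209600 3600
@          IN NS  ns1
ns1        IN A   192.168.1.2
sub        IN NS  ns.sub
ns.sub     IN A   192.168.196.1    ; glue for the delegation: fine
www.sub    IN A   192.168.196.10   ; below the cut and not glue: occluded
mail.sub   IN A   192.168.196.11   ; occluded
www.other  IN A   192.168.1.10     ; "other" is not delegated: served normally
"""

# owner, optional TTL, optional class, type, rdata (one record per line)
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z0-9]+)\s+(.+)$")


def qualify(name, origin):
    """Turn a relative owner or target into a fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, [(owner, type, rdata)]) with owners and NS targets qualified."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        owner, rtype, rdata = m.groups()
        rdata = rdata.strip()
        if rtype == "NS":
            rdata = qualify(rdata, origin)
        records.append((qualify(owner, origin), rtype, rdata))
    return origin, records


def occluded_records(origin, records):
    """Return the records hidden below a delegation, in file order."""
    cuts = {o for o, t, _ in records if t == "NS" and o != origin}
    glue_names = {r for o, t, r in records if t == "NS" and o in cuts}
    hidden = []
    for owner, rtype, rdata in records:
        cut = next((c for c in cuts if owner == c or owner.endswith("." + c)), None)
        if cut is None:
            continue                                   # not under any delegation
        if owner == cut and rtype in ("NS", "DS"):
            continue                                   # the delegation itself
        if owner in glue_names and rtype in ("A", "AAAA"):
            continue                                   # glue for a delegated nameserver
        hidden.append((owner, rtype, rdata))
    return hidden


def lint_zone(text):
    origin, records = parse_zone(text)
    return occluded_records(origin, records)


if __name__ == "__main__":
    for owner, rtype, rdata in lint_zone(SAMPLE_ZONE):
        print(f"occluded by delegation: {owner} {rtype} {rdata}")
```

Layout a) from the reply passes cleanly: the A record at the delegated name is the glue for the NS target, so it is not flagged. Layout b) is only safe when the name is not delegated at all; the moment an NS record for it appears, everything below it other than glue disappears from answers.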
Re: bind 9.11.2 - domain and subdomain with one zone does not work
Hi!

Where can I find about alternatives to point 2? I have a windows subdomain configured in that way, never realized there was a better way.

Thanks and regards.

Best regards
David Alexandre M. de Carvalho
---
IT Specialist
Department of Informatics
Universidade da Beira Interior

>>> why so much complexity to begin with?
>>>
>>> t1 A 127.0.0.3
>>> sub.t30 A 127.0.0.2
>
> On 03.04.20 11:53, mail-list-us...@materna.de wrote:
>> ---
>> Well, in first place to make it human readable, if needed to look into the
>> zone.
>
> well
> 1. the above is more readable than what you proposed.
>
> 2. delegating subdomain (sub) to other servers via NS records and setting
> any other records in the zone is a bad idea.
>
> 3. putting localhost into any domain is useless and I discourage you from
> doing that
>
>> For some subdomains we would have entries for the subdomain itself, like
>> couple NS,TXT,A,CNAME,SRV etc.
>> So with these thoughts, the documentation gives this as a valid option and it
>> worked in small scale on the testsystem, so we decided to go this way.
>> If this needs to be changed, I need a reason besides of 'that is this way
>> more easy',
>> because these zones get generated from an automated system and I need an
>> argument to get a permission for a change request.
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Support bacteria - they're the only culture some people have.
DNSSEC - many doubts
Hello, good afternoon. My first post in this list :)

I'm running BIND Chroot for many years (currently version 9.8.2) on some old hardware running Oracle Linux 6. I believe it was last year when I was reading about implementing DNSSEC, and I think I've even tried to generate a keypair in the slowest server, which after more than a day, wasn't ready yet. Maybe I was doing something wrong, I honestly don't know.

So now I had some time and was reading about this again. If I query either of my servers about my domain:

dig @dns di.ubi.pt DNSKEY

I do get the DNSKEY, but I have no records when querying with +dnssec. My topdomain (ubi.pt) doesn't have DNSSEC yet either.

My named.conf already has the following:

dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";

Outside the configuration file I also have a /etc/named.root.key

My questions:

1) Will my old servers (1GB RAM) become much slower with DNSSEC? Is it worth it?

2) I have one global "hosts" file and 3 reverse zone files, each for the respective IP network. Can I use the same keypair in all of them?

3) Are the files /etc/named.root.key and /etc/named.iscdlv.key already being used? I compared them to the result of the DNSKEY dig query but they are different.

Thank you so much for your time!

Best regards
David Alexandre M. de Carvalho
-------
IT Specialist
Department of Informatics
Universidade da Beira Interior
Re: Cloud DNS providers for secondary DNS
On Tue, Dec 29, 2015, at 04:40 PM, Diggins Mike wrote:
> What happens if I do one without the other? I guess I don't fully
> understand the relationship between the name servers listed in the zone
> versus the ones found in my domain record. I'm running BIND locally, if
> that matters.

Hi Mike,

I'm not sure I understand your question entirely; for a correct master/slave configuration you usually need:

1. the NS records have to point toward all the nameservers that are authoritative for your zone (primary and secondary/ies)
2. your slave nameserver(s) should be aware that they're slave for the specified zone and they need to know who the master is
3. your master nameserver should allow AXFR (zone transfer) toward the slave server(s)

Generally speaking your master should never allow zone transfers, save for the explicitly defined slave server(s); also, in order to avoid unnecessary polling, you may think of enabling the "notify" options from your master toward your slaves.

An excellent tutorial might be found on [1]. I don't know whether this answers your questions. :)

[1] http://www.microhowto.info/howto/configure_bind_as_a_slave_dns_server.html

--
Bye,
Michelangelo
Replacing certain records in a zone
Hi Guys,

I have a requirement to replace certain records in a zone, e.g.:

To the public I want www.domain.com and mail.domain.com to resolve to 1.2.3.4 (do note that I am not the SOA for domain.com).

To my development environment I would like www.domain.com to resolve to 5.6.7.8, but I still want to be able to resolve mail.domain.com to 1.2.3.4.

I have a DNS server in place at the development environment that I can control. I could have sworn that bind has an option to do this, I just can't recall where/how/what.

Thanks,
Pieter
Re: Replacing certain records in a zone
> Add a www.domain.com zone to your local server.

OMG - YES! Thanks!
1000's of zone using the same zone file in a blacklist
Hi List,

We are currently looking at using Bind in a DNS blacklist setup to block adult content from a network. We can scale outwards as far as we want, but it's the up sizing that has me worried.

Here is a sample of the zone definitions (names changed :) ):

zone domain1 { type master; file blocked_domain.zone; };
zone domain2 { type master; file blocked_domain.zone; };
zone domain3 { type master; file blocked_domain.zone; };

repeat that about 475000 times (not joking)

This causes named to use about 7gig of RAM and a reload time of about +30 seconds. The conf file is 42meg big.

The zone that is loaded simply has the following:

$TTL 600
@ IN SOA dns.domain dns.domain. ( 2014091101 600 300 600 75 )
@ IN NS dns.domain.
@ IN A 127.1.1.1
* IN A 127.1.1.1

We are using the stock bind built by Ubuntu for 14.04, version 9.9.5.dfsg-3 to be exact.

Is there any way we can reduce the memory footprint/optimize this any more? Look ups are really fast and not a problem, just reload time and memory used.

Thanks,
Pieter
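One way to express such a list as a single zone, rather than as 475000 zone statements sharing one file, is a response policy zone of the kind shown in the rpz.local thread at the top of this page: every blocked name becomes a record in the RPZ, and named.conf references the zone once with a response-policy statement. The generator below is an added example for this page, not the poster's setup. It reuses the TTL, SOA timers and 127.1.1.1 sink address from the zone file above; the blocklist it consumes is a constructed sample, and the rpz.local apex name is assumed.

```python
"""Emit one Response Policy Zone covering a whole blocklist.

Added example, not the poster's configuration. Instead of one zone statement
per blocked name, every name becomes a record in a single RPZ zone whose
relative owner names are the blocked domains. The zone is then referenced
once from named.conf (response-policy { zone "rpz.local"; };) as in the
RPZ thread at the top of this page.
"""
import re

# A hostname label: letters, digits, hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample list; the thread's real list is hundreds of thousands
# of names long. Mixed case, a trailing dot and a duplicate are deliberate.
BLOCKED = ["domain1.example", "Domain2.Example.", "domain3.example", "domain1.example"]


def normalise(name):
    """Lower-case, strip a trailing dot and reject names that would break zone loading."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if not name or len(name) > 253 or not all(LABEL_RE.match(label) for label in labels):
        raise ValueError(f"invalid domain name: {name!r}")
    return name


def rpz_zone(blocked, apex="rpz.local", action="local", sink="127.1.1.1",
             serial=2014091101, ttl=600):
    """Return the RPZ zone file text.

    action="local"    answers with an A record for the sink address, as the
                      poster's blocked_domain.zone does.
    action="nxdomain" returns NXDOMAIN instead (the RPZ 'CNAME .' rule).
    """
    if action == "local":
        rdata = f"A {sink}"
    elif action == "nxdomain":
        rdata = "CNAME ."
    else:
        raise ValueError(f"unknown action {action!r}")

    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA localhost. hostmaster.{apex}. ( {serial} 600 300 600 75 )",
        "@ IN NS localhost.",
    ]
    # Deduplicate and sort so the file is stable across regenerations.
    for name in sorted({normalise(n) for n in blocked}):
        lines.append(f"{name} IN {rdata}")      # the name itself
        lines.append(f"*.{name} IN {rdata}")    # and everything below it
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rpz_zone(BLOCKED), end="")
```

Validating each name before writing it out matters at this scale: a single malformed entry in a generated list is enough to make the zone fail to load, and with one zone instead of 475000 there is no longer a separate zone statement to isolate the damage.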
Re: Slave zone intermittently not refreshing
Hi Doug,

Doug Barton do...@dougbarton.us writes:

> On 05/08/2014 05:53 AM, Mart van de Wege wrote:
>> I have a couple, all of them 'retry limit for master $foo exceeded'. Only 2 hits for the master that's giving trouble though, and none of those around the time we had trouble.
>
> If you're seeing any of these errors the problem is worse than you think.

Thankfully the errors I do have are known due to those masters having connectivity issues.

> Also, you haven't mentioned anything about the logs on the master.

On the master for the domain that's intermittently not refreshing I can't say a thing, as that is owned by our customer, and they haven't passed me any logs yet.

> Are you seeing any errors about the number of simultaneous transfers exceeded? IME if things work on the command line but the servers are not performing as expected this is usually the culprit. Also IME the default limits for simultaneous transfers and SOA queries are quite conservative. On a busy master I usually at least double them. You'll want to watch performance on the master to make sure it's not actually getting swamped of course.

I see no errors about the number of transfers. The master is running on a rather healthily dimensioned VM, so if necessary I could increase the default limits, but that should not be necessary if I don't get any errors, correct?

Overall the master is performing fine as master for its slave domains, and aside from 2 domains with known connectivity issues and this particular domain, it is also running just fine as a slave for the couple dozen slave domains hosted on it.

The only difference I *can* see is that this particular slave zone occasionally gets a lot of updates in a single day, which is when this problem seems to be triggered.

Regards,
Mart
Re: Slave zone intermittently not refreshing
On Mon, 12 May 2014 12:08:09 +0100 Tony Finch d...@dotat.at wrote:

> Mart van de Wege mvdw...@gmail.com wrote:
>> The only difference I *can* see is that this particular slave zone occasionally gets a lot of updates in a single day, which is when this problem seems to be triggered.
>
> Is there an MTU problem between your slave and the master? Or a problem with fragmented UDP?

Not that I know of, but that bears investigating. I will keep a tcpdump running along just to check.

> You could try setting request-ixfr no; to see if AXFR (over TCP) works better.

Good idea. I'm still waiting for a recurrence, so this thread may go quiescent for a bit.

Regards,
Mart
Slave zone intermittently not refreshing
Hi,

I'm running a DNS server as master for our infrastructure, serving up several thousand zones. As a service to a few customers, this server also slaves for 19 zones.

One of these zones intermittently fails to refresh when getting a notify, with the message 'refresh in progress, refresh check queued' in the logs. It finally refreshes hours later. Yesterday this became critical, as the customer was doing a new deployment, and couldn't have the server out of sync for hours.

I tried to find out what went wrong, but although I'm pretty good at operating bind9, I couldn't for the life of me understand why this particular refresh kept hanging. Even an 'rndc retransfer zone', which should do a forced refresh, was completely ignored.

How do I go about troubleshooting this issue to get a better idea of what is going on?

Mart
Re: Slave zone intermittently not refreshing
Tony Finch d...@dotat.at writes:

> Mart van de Wege mvdw...@gmail.com wrote:
>> How do I go about troubleshooting this issue to get a better idea of what is going on?
>
> Are there any messages in your log containing the string refresh: ?

(Apologies to Tony for getting this twice, I hadn't noticed my mail client wasn't defaulting to gmail)

I have a couple, all of them 'retry limit for master $foo exceeded'. Only 2 hits for the master that's giving trouble though, and none of those around the time we had trouble.

Regards,
Mart
Re: Slave zone intermittently not refreshing
Tony Finch d...@dotat.at writes:

> Mart van de Wege mvdw...@gmail.com wrote:
>> Tony Finch d...@dotat.at writes:
>>> Mart van de Wege mvdw...@gmail.com wrote:
>>>> How do I go about troubleshooting this issue to get a better idea of what is going on?
>>>
>>> Are there any messages in your log containing the string refresh: ?
>>
>> I have a couple, all of them 'retry limit for master $foo exceeded'.
>
> That implies that the SOA query (which checks if an XFR is necessary) is timing out.

That was more or less the direction my thoughts were heading too. But I couldn't for the life of me find a way to debug that properly.

> Try running the following on the secondary to see what fails. If you have a TSIG key you will need to use the -k or -y options.
>
> dig soa $zone @$master
> dig +noedns soa $zone @$master
> dig +tcp soa $zone @$master
> dig axfr $zone @$master

Ahah. My colleague was doing some 'dig'ging during the latest kerfluffle. I will check to see if he ran any of these. If not, I will have to wait until the lockup happens again. I do know that the first one worked normally during the latest incident, as I ran that myself.

> A lot of the refresh failure logging happens at debug level 1 so you can get more details by running `rndc trace 1`.

Is there a way to filter that after setting it? Because as mentioned, this is also the master server for quite a few domains, so I expect lots of logging when I turn on debug tracing.

Regards,
Mart
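The two messages traded in this thread ('refresh in progress, refresh check queued' and 'refresh: retry limit for master ... exceeded') can be summarised per zone from the existing info-level log before reaching for rndc trace 1, which, as Mart notes, is noisy on a server that also masters thousands of zones. The triage script below is an added example for this page, not from any participant. Its log lines are constructed samples modelled on the messages quoted above, using documentation addresses rather than anyone's real servers, and the exact wording of the transfer and notify lines is assumed to match what named logs at info level.

```python
"""Triage named refresh/transfer log lines for stuck secondary zones.

Added example, not from the thread. It scans the messages discussed above
('refresh in progress, refresh check queued' and 'refresh: retry limit for
master ... exceeded') and reports, per zone, how often the refresh was
re-queued, which masters hit the retry limit, and whether a transfer later
completed. A zone that keeps re-queueing with no completed transfer is the
symptom the thread describes.
"""
import re
from collections import defaultdict

# Constructed sample lines modelled on the messages quoted in the thread;
# addresses are documentation ranges, not the poster's servers.
SAMPLE_LOG = """\
12-May-2014 09:58:01.114 general: info: zone customer.example/IN: refresh in progress, refresh check queued
12-May-2014 09:58:31.201 general: info: zone customer.example/IN: refresh in progress, refresh check queued
12-May-2014 10:02:05.330 general: info: zone flaky.example/IN: refresh: retry limit for master 198.51.100.7#53 exceeded (source 0.0.0.0#0)
12-May-2014 10:05:10.002 general: info: zone customer.example/IN: refresh in progress, refresh check queued
12-May-2014 10:06:00.000 xfer-in: info: transfer of 'healthy.example/IN' from 192.0.2.10#53: Transfer completed: 1 messages, 12 records, 980 bytes, 0.004 secs (245000 bytes/sec)
12-May-2014 10:07:00.000 notify: info: client 192.0.2.10#54321: received notify for zone 'customer.example'
"""

QUEUED_RE = re.compile(r"zone (\S+)/IN: refresh in progress, refresh check queued")
RETRY_RE = re.compile(r"zone (\S+)/IN: refresh: retry limit for master (\S+) exceeded")
XFER_RE = re.compile(r"transfer of '(\S+)/IN' from (\S+): Transfer completed")
NOTIFY_RE = re.compile(r"received notify for zone '(\S+)'")


def new_state():
    return {"queued": 0, "retry_masters": set(), "transfers": 0, "notifies": 0}


def summarise(log_text):
    """Per-zone counters for the four message kinds we care about."""
    zones = defaultdict(new_state)
    for line in log_text.splitlines():
        if m := QUEUED_RE.search(line):
            zones[m.group(1)]["queued"] += 1
        elif m := RETRY_RE.search(line):
            zones[m.group(1)]["retry_masters"].add(m.group(2))
        elif m := XFER_RE.search(line):
            zones[m.group(1)]["transfers"] += 1
        elif m := NOTIFY_RE.search(line):
            zones[m.group(1)]["notifies"] += 1
    return dict(zones)


def stuck_zones(summary, queued_threshold=2):
    """Zones worth a closer look, each with the reason, sorted by name."""
    findings = []
    for zone, s in sorted(summary.items()):
        if s["retry_masters"]:
            masters = ", ".join(sorted(s["retry_masters"]))
            findings.append((zone, f"SOA query to master(s) timing out: {masters}"))
        elif s["queued"] >= queued_threshold and s["transfers"] == 0:
            findings.append((zone, f"refresh re-queued {s['queued']} times with no completed transfer"))
    return findings


if __name__ == "__main__":
    for zone, reason in stuck_zones(summarise(SAMPLE_LOG)):
        print(f"{zone}: {reason}")
```

The two reasons map onto Tony's advice: a zone in the first group is the case where the SOA query itself fails, so the dig soa / +noedns / +tcp checks against that master are the next step; a zone in the second group is the one this thread is about, where notifies arrive and refreshes are queued but nothing completes.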
Bind 9.9.3b2
I want to test Bind 9.9.3b2. Why isn't there Bind 9.9.3b2 in the download link on ISC.org? Is there a recommendation to use the version Bind 9.9.3b2? I see in http://www.isc.org/software/bind/security/matrix that there isn't a bug in Bind 9.9.3b2.
Re: A few conceptual question about dnssec.
On 02/18/12 00:36, Gaurav kansal wrote:
>> Firstly, where do we get the public key for the DS records?
> Can you clarify your question???
>
>> Second, why do I get multiple DS records as response?
> -- You will always get 2 DS Records in response. One for SHA-1 and second for SHA-256.

I was reading the RFCs, but according to that, there's no provision of SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman (appendix A1)
Re: A few conceptual question about dnssec.
On 03/03/12 12:47, dE . wrote:
> On 02/18/12 00:36, Gaurav kansal wrote:
>>> Firstly, where do we get the public key for the DS records?
>> Can you clarify your question???
>>
>>> Second, why do I get multiple DS records as response?
>> -- You will always get 2 DS Records in response. One for SHA-1 and second for SHA-256.
>
> I was reading the RFCs, but according to that, there's no provision of SHA-256. According to RFC 4034, 1 means MD5 and 2 means Diffie-Hellman (appendix A.1)

Oops... sorry about that, got it. It was A.2
Re: A few conceptual question about dnssec.
On 02/18/12 00:36, Gaurav kansal wrote:
>> Firstly, where do we get the public key for the DS records?
> Can you clarify your question???

The DS record is a signature right? It has to be decrypted using a public key and the decrypted hash has to be compared to the DNSKEY's hash. So what I'm asking for here is, where do we get this public key from?

>> Second, why do I get multiple DS records as response?
> -- You will always get 2 DS Records in response. One for SHA-1 and second for SHA-256.
>
>> dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.
>>
>> ; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;isc.org. IN DS
>>
>> ;; ANSWER SECTION:
>> isc.org. 86400 IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
>> isc.org. 86400 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
>> isc.org. 86400 IN RRSIG DS 7 2 86400 20120309160141 20120217150141 55440 org. SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=
>>
>> ;; Query time: 339 msec
>> ;; SERVER: 199.19.54.1#53(199.19.54.1)
>> ;; WHEN: Fri Feb 17 23:36:01 2012
>> ;; MSG SIZE rcvd: 283
>>
>> Why do I get multiple RRSIG records from some servers?
> -- You will get single RRSIG per RR sets.
>
>> dig +dnssec -t NS yahoo.com @g.gtld-servers.net.
>>
>> ; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 512
>> ;; QUESTION SECTION:
>> ;yahoo.com. IN NS
>>
>> ;; AUTHORITY SECTION:
>> yahoo.com. 172800 IN NS ns1.yahoo.com.
>> yahoo.com. 172800 IN NS ns5.yahoo.com.
>> yahoo.com. 172800 IN NS ns2.yahoo.com.
>> yahoo.com. 172800 IN NS ns3.yahoo.com.
>> yahoo.com. 172800 IN NS ns4.yahoo.com.
>> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
>> CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20120222012103 20120215001103 54350 com. gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9 TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
>> GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
>> GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400 20120224144059 20120217133059 54350 com. NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+ 3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=
>>
>> ;; ADDITIONAL SECTION:
>> ns1.yahoo.com. 172800 IN A 68.180.131.16
>> ns5.yahoo.com. 172800 IN A 119.160.247.124
>> ns2.yahoo.com. 172800 IN A 68.142.255.16
>> ns3.yahoo.com. 172800 IN A 121.101.152.99
>> ns4.yahoo.com. 172800 IN A 68.142.196.63
>>
>> ;; Query time: 386 msec
>> ;; SERVER: 192.42.93.30#53(192.42.93.30)
>> ;; WHEN: Fri Feb 17 23:40:26 2012
>> ;; MSG SIZE rcvd: 693
>>
>> Do we get a RRSIG for each RR retrieved? If so, why does
> -- Not for each RR But for each RR sets.
>
>> dig +dnssec -t NS com @a.root-servers.net.
>>
>> ; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 512
>> ;; QUESTION SECTION:
>> ;com. IN NS
>>
>> ;; AUTHORITY SECTION:
>> com. 172800 IN NS a.gtld-servers.net.
>> com. 172800 IN NS b.gtld-servers.net.
>> com. 172800 IN NS c.gtld-servers.net.
>> com. 172800 IN NS d.gtld-servers.net.
>> com.
Re: A few conceptual question about dnssec.
On 02/18/12 02:41, Tony Finch wrote:
> dE . de.tec...@gmail.com wrote:
>> Firstly, where do we get the public key for the DS records?
>
> A zone's DNSKEY RRset contains its public keys, and these are hashed to make its DS records. For example,
>
> $ dig +nottl +noall +answer DS isc.org | perl -pe 's/\s+(?!$)/ /g'
> isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
> isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
>
> $ dig DNSKEY isc.org | dnssec-dsfromkey -f /dev/stdin isc.org
> isc.org. IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
> isc.org. IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5

Ok, so the DS record is not encrypted. Now, I got a feeling that this fact will add some major security implications.

>> Why do I get multiple RRSIG records from some servers? -
>
> When you ask a GTLD server for the yahoo.com delegation NS records, you also get two NSEC3 records that bracket the yahoo.com delegation to prove it is insecure (no DS record), and an RRSIG record for each NSEC3 record.
>
>> Do we get a RRSIG for each RR retrieved?
>
> No, one per RRset, where an RRset is all the records with the same name, class, and type.
>
>> Lastly, what's the format for the output dis DNSSEC records?
>
> See RFC 4034.
>
> Tony.

Thanks!
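Tony's dnssec-dsfromkey pipeline and Axel's one-line answer further down (the DS is a hash of the child's KSK, and the parent signs it) can be reproduced in a few lines, which makes the "nothing is encrypted" point concrete. The code below is an added example for this page, not part of BIND or anyone's message: it builds the DS digest exactly as RFC 4034 section 5.1.4 specifies (digest over the canonical wire-format owner name followed by the DNSKEY RDATA) and the key tag of Appendix B. The DNSKEY it parses is a constructed record with a three-byte dummy public key; a real record from dig DNSKEY isc.org would be parsed the same way, but no DNSKEY data appears on this page, so the isc.org digests above cannot be reproduced here.

```python
"""Derive a DS record from a DNSKEY, the way dnssec-dsfromkey does.

Added example, not from the thread. The DS is not a signature and nothing is
encrypted: it is a digest over the owner name (wire format) followed by the
DNSKEY RDATA, plus the key tag, algorithm and digest type (RFC 4034 s5.1.4
and Appendix B). The parent signs the DS RRset with its own key, which is
the RRSIG shown next to the DS records in the dig output above.
"""
import base64
import hashlib
import struct

# DS digest type -> hash function (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed DNSKEY with a three-byte dummy key (base64 "AQID" = 01 02 03);
# a real key is a few hundred bytes of base64.
SAMPLE_DNSKEY = "example.test. 3600 IN DNSKEY 257 3 8 AQID"


def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed, lower-cased labels."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.lower().encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not valid for the obsolete RSA/MD5 algorithm 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY line as dig prints it."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))   # dig may split the base64
    return fields[0], flags, protocol, algorithm, pubkey


def ds_from_dnskey(line, digest_type=2):
    """Return (owner, key_tag, algorithm, digest_type, hex_digest)."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return owner, key_tag(rdata), algorithm, digest_type, digest


def ds_presentation(line, digest_type=2):
    """The DS record in the same format as the dig output in this thread."""
    owner, tag, alg, dtype, digest = ds_from_dnskey(line, digest_type)
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


if __name__ == "__main__":
    for dtype in (1, 2):
        print(ds_presentation(SAMPLE_DNSKEY, dtype))
```

The two DS records per zone in the dig output correspond to calling this with digest types 1 and 2 for the same key; the key tag (12892 for isc.org above) is identical in both because it is computed from the DNSKEY RDATA alone, and a validator only needs one of the two digests to match the DNSKEY it fetched from the child.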
Re: A few conceptual question about dnssec.
On 02/18/12 22:14, Axel Rau wrote:
> On 18.02.2012 at 17:35, dE . wrote:
>> The DS record is a signature right?
> No, it's the hash of a DNSKEY (KSK) in the child zone. The DS is signed with a RRSIG.
>
> Axel
> ---
> PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius

Thanks for the clarification.
Re: A few conceptual question about dnssec.
On 02/18/12 22:55, Jeremy C. Reed wrote:
> I started writing a book introducing DNSSEC a few years ago. Would you like to read a draft of it?

Book on DNSSEC? Ok. Thanks.
A few conceptual question about dnssec.
Firstly, where do we get the public key for the DS records?

Second, why do I get multiple DS records as response? --

dig +dnssec -t DS isc.org @b0.org.afilias-nst.org.

; <<>> DiG 9.8.1 <<>> +dnssec -t DS isc.org @b0.org.afilias-nst.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32385
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org. IN DS

;; ANSWER SECTION:
isc.org. 86400 IN DS 12892 5 2 F1E184C0E1D615D20EB3C223ACED3B03C773DD952D5F0EB5C777586D E18DA6B5
isc.org. 86400 IN DS 12892 5 1 982113D08B4C6A1D9F6AEE1E2237AEF69F3F9759
isc.org. 86400 IN RRSIG DS 7 2 86400 20120309160141 20120217150141 55440 org. SHpqmMeBQAyBB5LgBcrR5FcZiWiEudop/fl7X1xgz31XG4vFFQzq57RI q0hUkWZ0dR5oBCpRC15osOXSZEwVuz3LXXUd63GpI5aoGv/OtyPI/w4Y TedgweoE9PWovcx6Ahr2WonckP2YqTsHqzxwr+VSiiMFMe2VVquTo4/v EjE=

;; Query time: 339 msec
;; SERVER: 199.19.54.1#53(199.19.54.1)
;; WHEN: Fri Feb 17 23:36:01 2012
;; MSG SIZE rcvd: 283

Why do I get multiple RRSIG records from some servers? -

dig +dnssec -t NS yahoo.com @g.gtld-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS yahoo.com @g.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35065
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;yahoo.com. IN NS

;; AUTHORITY SECTION:
yahoo.com. 172800 IN NS ns1.yahoo.com.
yahoo.com. 172800 IN NS ns5.yahoo.com.
yahoo.com. 172800 IN NS ns2.yahoo.com.
yahoo.com. 172800 IN NS ns3.yahoo.com.
yahoo.com. 172800 IN NS ns4.yahoo.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK3O3O11OF9QR6F29BIIMK6FFD57PGE2 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20120222012103 20120215001103 54350 com. gf6tXFAK2gwY3wjtBOuPN8Hai0kNguudAzewQLf3ZGxhbXxKoB0/+JvC yAjgBhMF9E1GIVVLmgjrkJXpMxL1n2PjAjBx/R8kZ+W+flKehXDBPmX9 TDnbrJ9EHytM6/JN4loGB1cAYeQXrN8TE3jNzWneiFYPFwgCIT21qo0l RE8=
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN NSEC3 1 1 0 - GPLVOUV0V27L8DPOOBNLQU1VHFRMMPUT NS DS RRSIG
GP1945PGQIOH4O61BM3RUL2EVN04SPIA.com. 86400 IN RRSIG NSEC3 8 2 86400 20120224144059 20120217133059 54350 com. NiD8Fe9hm7I2mgfjoXph2yiODqiuS9t/ZSM9pEuZ6gP9/xM6odKAwFC+ 3egy+8F8yVjFth63MLIUOeCcwZBYKzymo4wJ2hddaddqBnNTYj0BAYXn YZdmf0OmCTvhDe5EXcIWH14DiCOjITeZR/CX3wfP8aUu9CGOYDAR8/1M /Ds=

;; ADDITIONAL SECTION:
ns1.yahoo.com. 172800 IN A 68.180.131.16
ns5.yahoo.com. 172800 IN A 119.160.247.124
ns2.yahoo.com. 172800 IN A 68.142.255.16
ns3.yahoo.com. 172800 IN A 121.101.152.99
ns4.yahoo.com. 172800 IN A 68.142.196.63

;; Query time: 386 msec
;; SERVER: 192.42.93.30#53(192.42.93.30)
;; WHEN: Fri Feb 17 23:40:26 2012
;; MSG SIZE rcvd: 693

Do we get a RRSIG for each RR retrieved? If so, why does -

dig +dnssec -t NS com @a.root-servers.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t NS com @a.root-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44852
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com. IN NS

;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com.
Re: dig -- only RRSIG present.
On 02/13/12 11:00, Spain, Dr. Jeffry A. wrote:
>> Using this DNS server, I'm still not getting the DNSKEY for any DNSSEC capable domain; in fact this server has issues -
>> dig +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.
>> I'd be really happy if I could get some domains which are signed.
>
> Try this one: dig @bind.odvr.dns-oarc.net. isc.org +dnssec
>
> You should get an AD flag returned and a variety of RRSIG records. Jeff.

I hope I'm not missing any concepts here, but there should be a public key to verify the RRSIG, where's that? Shouldn't the server return additional DNSKEY records?

Also if I replace bind.odvr.dns-oarc.net. with one of the root nameservers, why is it that the AD flag is not set? The root nameservers are DNSSEC capable.
Re: dig -- only RRSIG present.
On 02/13/12 18:16, Spain, Dr. Jeffry A. wrote:
> > > Try this one: dig @bind.odvr.dns-oarc.net. isc.org +dnssec
> > > You should get an AD flag returned and a variety of RRSIG records. Jeff.
> >
> > I hope I'm not missing any concepts here, but there should be a public key to verify the RRSIG, where's that? Shouldn't the server return additional DNSKEY records?
>
> The public key is the DNSKEY record whose private key was used to create the RRSIG. It's in the zone data but won't be returned in response to a query from dig unless you ask for it, e.g. 'dig @bind.odvr.dns-oarc.net. isc.org dnskey +dnssec'. That doesn't mean that the recursive resolver, in this case bind.odvr.dns-oarc.net, isn't looking at the DNSKEY records as part of its internal DNSSEC validation process.
>
> > Also if I replace bind.odvr.dns-oarc.net. with one of the root nameservers, why is it that the AD flag is not set? The root nameservers are DNSSEC capable.
>
> The AD flag is only set by recursive resolvers that are capable of validating a DNSSEC chain of trust. The root servers are DNSSEC-capable but are authoritative servers, i.e. they only return information from their own zone files and can't validate a chain of trust.
>
> Here's a possibly missing concept. There are three entities involved in your dig queries:
>
> 1. A stub resolver, which is your system running dig.
> 2. A recursive resolver, which is bind.odvr.dns-oarc.net, and which issues a series of queries on your behalf in order to get the answer you asked for and do DNSSEC validation on it. It does so without returning to you the internals of that process.
> 3. A series of authoritative name servers, which bind.odvr.dns-oarc.net queries to get the answer you want. Again you don't see this activity with dig.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School

Ok, thanks a lot. I thought it was a client process. Now I can query for the DS, DNSKEY records from isc.org. Final question -- bind.odvr.dns-oarc.net is a cache, right? Does bind have such a caching program?

Do we have a DNSSEC capable resolver in BIND?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
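An added illustration of the point made above about the AD flag (example code written for this page, not from the thread and not part of BIND): a decoder for the 16-bit flags word of a DNS message header, with the bit layout from RFC 1035 section 4.1.1 and the AD/CD bits from RFC 4035. The two sample headers are constructed here, not captured: the first reuses the id and section counts of the root-server referral quoted later in this thread (flags "qr rd", no RA, no AD), the second is what a validating resolver's answer looks like (flags "qr rd ra ad"); its id and counts are made up.

```python
"""Decode the DNS header flags word and say what kind of server could have
produced a response. Added example; sample headers are constructed."""
import struct

# Bit positions within the 16-bit flags word (bit 15 is the MSB).
FLAG_BITS = {
    "qr": 15,  # response (vs. query)
    "aa": 10,  # authoritative answer
    "tc": 9,   # truncated
    "rd": 8,   # recursion desired (set by the client)
    "ra": 7,   # recursion available (set by a recursive resolver)
    "ad": 5,   # authentic data: set only by a validating recursive resolver
    "cd": 4,   # checking disabled: client asked the resolver not to validate
}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def decode_flags(word):
    """Return (set of flag names, opcode, rcode name) for a flags word."""
    flags = {name for name, bit in FLAG_BITS.items() if word & (1 << bit)}
    opcode = (word >> 11) & 0xF
    rcode = word & 0xF
    return flags, opcode, RCODES.get(rcode, str(rcode))

def decode_header(header):
    """Decode a raw 12-byte DNS header: id, flags, qd/an/ns/ar counts."""
    msg_id, word, qd, an, ns, ar = struct.unpack("!6H", header[:12])
    flags, opcode, rcode = decode_flags(word)
    return {"id": msg_id, "flags": flags, "opcode": opcode, "rcode": rcode,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def classify_responder(flags):
    """What the flags say about who answered and whether the data was validated."""
    if "qr" not in flags:
        return "not a response"
    if "ad" in flags:
        return "validating recursive resolver: answer passed DNSSEC validation"
    if "ra" in flags:
        return "recursive resolver: answer not validated (or zone not signed)"
    if "aa" in flags:
        return "authoritative server: authoritative data, no validation possible"
    return "authoritative server: referral, no validation possible"

def dig_flags_line(flags, counts):
    """Render the flags the way dig prints them, for comparison with real output."""
    order = ["qr", "aa", "tc", "rd", "ra", "ad", "cd"]
    names = " ".join(f for f in order if f in flags)
    return (f";; flags: {names}; QUERY: {counts[0]}, ANSWER: {counts[1]}, "
            f"AUTHORITY: {counts[2]}, ADDITIONAL: {counts[3]}")

# Constructed sample headers.
# Referral from a root server: qr rd (0x8100); id and counts as in the quoted run.
ROOT_REFERRAL = struct.pack("!6H", 47278, 0x8100, 1, 0, 15, 16)
# Answer from a validating resolver: qr rd ra ad (0x81A0); id and counts made up.
VALIDATED = struct.pack("!6H", 0x1234, 0x81A0, 1, 2, 0, 1)

if __name__ == "__main__":
    for raw in (ROOT_REFERRAL, VALIDATED):
        h = decode_header(raw)
        counts = (h["qdcount"], h["ancount"], h["nscount"], h["arcount"])
        print(dig_flags_line(h["flags"], counts))
        print("  ->", classify_responder(h["flags"]))
```

The first header decodes to the same flags line dig printed for the root server (no RA, no AD), the second to a validated answer; the point is that AD is a statement by the resolver you asked, not a property of the records themselves.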
Re: dig -- only RRSIG present.
On 02/13/12 18:41, Phil Mayers wrote:
> On 13/02/12 13:03, dE . wrote:
> > Ok, thanks a lot. I thought it was a client process. Now I can query for the DS, DNSKEY records from isc.org. Final question -- bind.odvr.dns-oarc.net is a cache, right? Does bind have such a caching program?
> > Do we have a DNSSEC capable resolver in BIND?
>
> Bind *is* a caching program.

I meant the bind package, named is the server.

> Yes, bind is a DNSSEC-capable resolver.

Thanks for the info! :-)
Re: dig -- only RRSIG present.
On 02/13/12 18:57, Spain, Dr. Jeffry A. wrote:
> > > Ok, thanks a lot. I thought it was a client process. Now I can query for the DS, DNSKEY records from isc.org. Final question -- bind.odvr.dns-oarc.net is a cache, right? Does bind have such a caching program?
> > > Do we have a DNSSEC capable resolver in BIND?
> >
> > Bind *is* a caching program.
> > Yes, bind is a DNSSEC-capable resolver.
>
> Given your interest in the internals of the DNSSEC validation process, you should consider building your own bind recursive resolver. You could use wireshark to see all the information flow between it and the various authoritative servers it queries following a 'dig @localhost ...' command. You could use 'rndc flush' between queries so that the cache does not obscure what is happening. Jeff.

Yes, that's on the way. DNS server/cache using BIND tools. I already know how to do it with djbdns.

Thanks for all the help!! :-)
Re: dig -- only RRSIG present.
On 02/12/12 23:13, Miek Gieben wrote:
> [ Quoting de.tec...@gmail.com at 23:10 on Feb 12 in "dig -- only RRSIG pr..." ]
> > I'm trying to see DNSSEC response of various sites; my DNS server is 8.8.8.8 (google's public DNS service)
>
> Google's public resolvers don't handle DNSSEC very well...
>
> grtz Miek

They claim that they do support it - http://code.google.com/speed/public-dns/faq.html#dnssec

But that's not apparent -

dig +dnssec -t A yahoo.com @198.41.0.4

; <<>> DiG 9.8.1 <<>> +dnssec -t A yahoo.com @198.41.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47278
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 16
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; AUTHORITY SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 2012021900 2012021123 51201 . lgz7WlGBmaimFXYL+W3TDqi0fFDZGyH2p2OunrTmx93yDdPatscOEm2c 19dxFFiZloABGT9fLrE+FYKmTtGUP/UFWdqfgX3MpTCJrJL2DeJ6m3q+ qMj+OOm+0RWi14jxnvLn8yLqwr5uwzvqpUBGBWJUBM/Qm07Bjg1Jr+pR Ibw=

;; ADDITIONAL SECTION:
a.gtld-servers.net.     86400   IN      AAAA    2001:503:a83e::2:30
a.gtld-servers.net.     86400   IN      A       192.5.6.30
b.gtld-servers.net.     86400   IN      AAAA    2001:503:231d::2:30
b.gtld-servers.net.     86400   IN      A       192.33.14.30
c.gtld-servers.net.     86400   IN      A       192.26.92.30
d.gtld-servers.net.     86400   IN      A       192.31.80.30
e.gtld-servers.net.     86400   IN      A       192.12.94.30
f.gtld-servers.net.     86400   IN      A       192.35.51.30
g.gtld-servers.net.     86400   IN      A       192.42.93.30
h.gtld-servers.net.     86400   IN      A       192.54.112.30
i.gtld-servers.net.     86400   IN      A       192.43.172.30
j.gtld-servers.net.     86400   IN      A       192.48.79.30
k.gtld-servers.net.     86400   IN      A       192.52.178.30
l.gtld-servers.net.     86400   IN      A       192.41.162.30
m.gtld-servers.net.     86400   IN      A       192.55.83.30

;; Query time: 202 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Feb 13 09:52:35 2012
;; MSG SIZE  rcvd: 733

dig +dnssec -t A yahoo.com @8.8.8.8

; <<>> DiG 9.8.1 <<>> +dnssec -t A yahoo.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33152
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; ANSWER SECTION:
yahoo.com.              1683    IN      A       98.137.149.56
yahoo.com.              1683    IN      A       98.139.183.24
yahoo.com.              1683    IN      A       209.191.122.70
yahoo.com.              1683    IN      A       72.30.2.43

;; Query time: 53 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 13 09:53:26 2012
;; MSG SIZE  rcvd: 102
Re: dig -- only RRSIG present.
On 02/13/12 08:29, Spain, Dr. Jeffry A. wrote:
> > As Tony Finch pointed out to me a few days ago, the Google public servers don't understand that fact about DS records, and don't know to ask for them in the parent. But here's something interesting - as of my testing just now, they *do* respond with DS records
>
> This thread has been kind of confusing, but looking again at the original post (https://lists.isc.org/pipermail/bind-users/2012-February/086586.html), the author was concerned about the lack of DS records in response to his queries. Those two queries, directed to Google's server at 8.8.8.8, were:
>
> dig +dnssec -t SOA org
> dig +dnssec -t SOA org 198.41.0.4
>
> I don't think any DS records should have been provided in the answers since SOA records were being requested. Your query:
>
> dig isc.org @8.8.8.8 ds +dnssec
>
> is requesting and receiving DS records, on the other hand.
>
> I also see Mark's post just now where 'dig @8.8.8.8 ds org.' returns SERVFAIL while 'dig @8.8.8.8 ds isc.org.' returns the appropriate DS records. The same thing happens for me with 'dig @8.8.8.8 ds net.' and 'dig @8.8.8.8 ds jaspain.net.', and with 'dig @8.8.8.8 ds com.' and 'dig @8.8.8.8 ds countryday.com.'. Clearly Google's server is malfunctioning in this regard.
>
> Jeffry A. Spain
> Network Administrator
> Cincinnati Country Day School

But another question remains: where's the DNSKEY record, which is the missing link as of the current time? Querying --

dig +dnssec -t DNSKEY yahoo.com @198.41.0.4

does not return anything.
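The "missing link" asked about above is exactly what a DS record supplies: the parent zone publishes a digest of the child's DNSKEY, and a validator checks the child's DNSKEY against that digest before it trusts any RRSIG made with the key. The script below is an added example (not from the thread, not BIND code) that computes the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4) from a DNSKEY and checks a DS against it. The owner name example. and the DNSKEY bytes are a constructed dummy with a 4-byte "public key", chosen so the key tag can be checked by hand; no real key material is involved.

```python
"""DS <-> DNSKEY binding: key tag and digest computation, plus the check a
validator performs. Added example; the DNSKEY below is a constructed dummy."""
import hashlib
import struct

# DS digest types from the IANA registry: 1 SHA-1, 2 SHA-256, 4 SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(struct.pack("!B", len(l)) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags(16) protocol(8) algorithm(8) public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """digest = H(canonical owner name || DNSKEY RDATA), hex as in a DS record."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_record(owner, rdata, digest_type=2):
    """Presentation form of the DS the parent would publish for this DNSKEY."""
    algorithm = rdata[3]
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"

def ds_matches(owner, rdata, ds_key_tag, ds_alg, ds_digest_type, ds_hex):
    """The validator's check: tag, algorithm and digest must all agree."""
    if ds_digest_type not in DIGEST_ALGS:
        return False  # unsupported digest type: this DS cannot be used
    return (key_tag(rdata) == ds_key_tag and rdata[3] == ds_alg
            and ds_digest(owner, rdata, ds_digest_type) == ds_hex.upper())

# Constructed dummy KSK for example.: flags 257 (zone key + SEP), protocol 3,
# algorithm 8 (RSASHA256), 4-byte stand-in for the public key.
DUMMY_KEY = dnskey_rdata(257, 3, 8, bytes([0x01, 0x02, 0x03, 0x04]))

if __name__ == "__main__":
    print(ds_record("example.", DUMMY_KEY))
    tampered = DUMMY_KEY[:-1] + b"\x05"
    print("tampered key matches DS?",
          ds_matches("example.", tampered, key_tag(DUMMY_KEY), 8, 2,
                     ds_digest("example.", DUMMY_KEY)))
```

Because the digest covers the owner name as well as the key, the same DNSKEY published under a different name yields a different DS, and a single changed byte in the key changes both the digest and (usually) the key tag; that is what makes the DS in the parent a binding commitment to the child's key.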
Re: dig -- only RRSIG present.
[...]                                   IN      A       192.26.92.30
d.gtld-servers.net.     86400   IN      A       192.31.80.30
e.gtld-servers.net.     86400   IN      A       192.12.94.30
f.gtld-servers.net.     86400   IN      A       192.35.51.30
g.gtld-servers.net.     86400   IN      A       192.42.93.30
h.gtld-servers.net.     86400   IN      A       192.54.112.30
i.gtld-servers.net.     86400   IN      A       192.43.172.30
j.gtld-servers.net.     86400   IN      A       192.48.79.30
k.gtld-servers.net.     86400   IN      A       192.52.178.30
l.gtld-servers.net.     86400   IN      A       192.41.162.30
m.gtld-servers.net.     86400   IN      A       192.55.83.30

;; Query time: 193 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Feb 13 10:41:12 2012
;; MSG SIZE  rcvd: 731

de@OLD_BROKEN_LAP ~ $ dig +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.

; <<>> DiG 9.8.1 <<>> +dnssec -t A dnssec.net @bind.odvr.dns-oarc.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40020
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec.net.                    IN      A

;; ANSWER SECTION:
dnssec.net.             43179   IN      A       80.69.95.164
dnssec.net.             43179   IN      A       80.69.93.34

;; AUTHORITY SECTION:
dnssec.net.             172778  IN      NS      ns2.dnssec.net.
dnssec.net.             172778  IN      NS      ns0.dnssec.net.
dnssec.net.             172778  IN      NS      ns3.dnssec.net.
dnssec.net.             172778  IN      NS      ns1.dnssec.net.

;; Query time: 883 msec
;; SERVER: 149.20.64.20#53(149.20.64.20)
;; WHEN: Mon Feb 13 10:41:19 2012
;; MSG SIZE  rcvd: 143

I think root nameservers should be used for this purpose; they're definitely DNSSEC capable and the source of all caches. Also, is it possible that the RRSIG and DS that I'm getting are from the root name servers instead of the servers of the TLD or the sub-domain? I'd be really happy if I could get some domains which are signed.
Delegating subzone of a not valid domain.
Hi, in my LAN domain I'm trying to delegate subzones to other name servers, but I'm failing hard. Let's say domain acme:

ns1.acme server, file acme.zone:

$TTL 604800
@       IN SOA  ns1.acme. admin.acme. (
                19       ; Serial
                7200     ; Refresh
                120      ; Retry
                2419200  ; Expire
                604800 ) ; Default TTL
;
@               IN NS   ns1.acme.
acme.           IN A    10.0.0.3
ns1             IN A    10.0.0.3
www             IN A    10.0.0.1
sub1.acme.      IN NS   ns1.sub1.acme
ns1.sub1.acme.  IN A    192.168.1.3

ns1.sub1.acme server, file sub1.acme.zone:

$TTL 604800
@       IN SOA  ns1.sub1.acme. admin.sub1.acme. (
                3        ; Serial
                7200     ; Refresh
                120      ; Retry
                2419200  ; Expire
                604800 ) ; Default TTL
;
@               IN NS   ns1.sub1.acme.
sub1.acme.      IN A    192.168.1.3
ns1             IN A    192.168.1.3
www             IN A    192.168.1.1

Now, if I do:

dig @192.168.1.3 www.sub1.acme

it returns OK. If I try:

dig @10.0.0.3 www.acme

it returns OK. But if I try:

dig @10.0.0.3 www.sub1.acme

it returns NXDOMAIN.

To make it work, I only found 2 solutions: add a forward zone on ns1.acme for the domain ns1.sub1.acme, or add ns1.acme (10.0.0.3) as a slave for the sub1.acme domain. What I want is to not need the forward zone or the top name server as a slave to the sub zone, but I don't know what I'm missing.

Thanks.

-- Samuel Abreu de Paula
Email: sdepa...@gmail.com
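One check worth running on a delegation like the one above, as an added example (not part of the post, not BIND's own tooling): in a zone file any name without a trailing dot is relative to $ORIGIN, so the parent zone has to be read the way named reads it. The script below qualifies every name, lists each NS record below the apex with the target as the server will actually see it, and reports whether a nameserver that lives inside the parent's namespace has an A/AAAA record (glue, or an ordinary address record). The sample zone is a constructed copy of the posted acme.zone with the origin acme. assumed from the zone name; the parser handles only the record shapes used there, not the full master-file syntax.

```python
"""Read a parent zone file the way named does and check its delegations.
Added example; ACME_ZONE is a constructed copy of the zone posted above."""
import re

CLASSES = {"IN", "CH", "HS"}
NAME_TARGET_TYPES = {"NS", "CNAME", "PTR", "MX"}  # last RDATA field is a name

def _norm(origin):
    origin = origin.lower()
    return origin if origin.endswith(".") else origin + "."

def qualify(name, origin):
    """'@' is the origin, a trailing dot is absolute, otherwise append the origin."""
    if name == "@":
        return _norm(origin)
    if name.endswith("."):
        return name.lower()
    return f"{name}.{_norm(origin)}".lower()

def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records (the SOA)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []

def parse_zone(text, origin):
    """Yield (owner, type, rdata tokens) with owner and target names qualified."""
    origin = _norm(origin)
    last_owner = origin
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0].startswith("$"):
            if tokens[0] == "$ORIGIN":
                origin = _norm(tokens[1])
            continue  # $TTL and other directives carry no records
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)  # optional TTL and class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in NAME_TARGET_TYPES:
            rdata[-1] = qualify(rdata[-1], origin)
        yield owner, rtype, rdata

def check_delegations(text, origin):
    """For every NS below the apex: the child, the nameserver name as named
    sees it, whether it is inside this zone's namespace, and whether an
    A/AAAA record for it exists in this zone."""
    records = list(parse_zone(text, origin))
    apex = _norm(origin)
    addresses = {o for o, t, _ in records if t in {"A", "AAAA"}}
    report = []
    for owner, rtype, rdata in records:
        if rtype != "NS" or owner == apex:
            continue
        ns = rdata[-1]
        report.append({"child": owner, "ns": ns,
                       "in_zone": ns.endswith("." + apex),
                       "has_address": ns in addresses})
    return report

def describe(entry):
    if not entry["in_zone"]:
        return "nameserver is outside this zone; resolved through normal delegation"
    if entry["has_address"]:
        return "in-zone nameserver with an address record: ok"
    return "in-zone nameserver without an A/AAAA record: check for a missing trailing dot"

ACME_ZONE = """\
$TTL 604800
@ IN SOA ns1.acme. admin.acme. (
        19      ; Serial
        7200    ; Refresh
        120     ; Retry
        2419200 ; Expire
        604800 ); Default TTL
@              IN NS ns1.acme.
acme.          IN A  10.0.0.3
ns1            IN A  10.0.0.3
www            IN A  10.0.0.1
sub1.acme.     IN NS ns1.sub1.acme
ns1.sub1.acme. IN A  192.168.1.3
"""

if __name__ == "__main__":
    for e in check_delegations(ACME_ZONE, "acme."):
        print(f"{e['child']} -> NS {e['ns']}: {describe(e)}")
```

Run against the sample, the NS target ns1.sub1.acme is reported as ns1.sub1.acme.acme., because it has no trailing dot and the origin is appended; the glue record ns1.sub1.acme. therefore does not match it. With the dot added, the same check reports the delegation as having glue.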
Re: AW: ipv6 PTR in zone file
On Tue, Apr 12, 2011 at 3:41 AM, Niall O'Reilly <niall.orei...@ucd.ie> wrote:
> On 12 Apr 2011, at 10:49, Michel de Nostredame wrote:
> > Thanks Walter and Marco. Those two tools/methods do resolve short term needs. Thanks again.
> > (btw, the URL from Walter should be ftp://ftp.bieringer.de/pub/linux/IPv6/ipv6calc/ )
> >
> > Besides them, is there any potential possibility to have something built in to the BIND config/zone file as a kind of beautiful (my, and my team's, personal point of view) solution? Does anyone know if there were any similar discussions inside the BIND developer group before?
>
> Not that I recall.
>
> I'm not sure what benefit you see in adding a feature to the BIND server and tools. I should have thought that a suitable script, either for provisioning your zone file(s) or for applying a dynamic update, would both relieve any burden you currently have, and leave you more flexibility than would an extension to BIND.

If there were a $REVERSE (or some similar directive) that can be put inside a ZONE file and the named.conf file, then it would be a good help for those people who need to manually manage PTR records. From a regular person's point of view, it could be easier to read and maintain, with less possibility of human error.

Not sure how large the effort would be to add a new directive into BIND, but that's just feedback, and a wish, from me and my team members, who need to maintain a few hundred statically assigned IPs for servers and CE/PE routers.

-- Michel~
Re: AW: ipv6 PTR in zone file
On Tue, Apr 12, 2011 at 2:21 AM, Marco Davids (SIDN) <marco.dav...@sidn.nl> wrote:
> On 04/12/11 10:50, walter.jontofs...@t-systems.com wrote:
> > you could use ipv6calc (ftp://ftp.bieringer.de/pub/linux/ipv6/ipv6calc) to calculate the reverse strings.
>
> Yes. Or do it 'the BIND way':
>
> dig -x 2001:7b8:c05::80:1 | grep ip6.arpa | tail -1 | awk '{print $1}'

Thanks Walter and Marco. Those two tools/methods do resolve short term needs. Thanks again.
(btw, the URL from Walter should be ftp://ftp.bieringer.de/pub/linux/IPv6/ipv6calc/ )

Besides them, is there any potential possibility to have something built in to the BIND config/zone file as a kind of beautiful (my, and my team's, personal point of view) solution? Does anyone know if there were any similar discussions inside the BIND developer group before?

-- Michel~
ipv6 PTR in zone file
Hi BIND Users,

I am not sure if my post here is proper or not. If not, please kindly guide me to a correct list.

I have a lot of static IPv6 addresses that need to be added into DNS as PTR records. Most of them are server IP addresses and addresses on router interfaces. Composing proper PTR records, without human errors, is highly difficult (compared to IPv4 PTR records), as we encode some customer information into the address.

I tried to look into bit-string and soon realized it has already been removed from recent BIND versions. Then I tried to search for $REVERSE and $INVERSE on Google but had not much luck; it seems there has not been much development / discussion recently.

For example, today we probably write PTRs like this:

$ORIGIN 0.0.0.0.0.0.d.4.1.a.1.0.1.0.0.2.ip6.arpa.
1.0.1.a.0.0.0.5.6.0.c.1.0.0.5.6 PTR xe-3-0-3-101.ar.par1.fr.netname.net.

What I am thinking about is whether there is any potential possibility to compose IPv6 PTR records in ZONE files in a little easier way, something like:

$ORIGIN $REVERSE(2001:01a1:4d00:).ip6.arpa.
$REVERSE(6500:1c06:5000:a101) PTR xe-3-0-3-101.ar.par1.fr.netname.net.

Thanks,
-- Michel~
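The usual answer to the $REVERSE wish above, and to the ipv6calc and dig -x suggestions in the replies, is to generate the reverse zone from a script: Python's ipaddress module already knows the nibble-reversed ip6.arpa form, so the $ORIGIN for a prefix and the per-host relative label can both be derived from the forward address. This is an added example, not from the thread or from BIND; the /64 prefix and the host list are constructed here, with the first address being the one behind the PTR shown in the post (2001:1a1:4d00::6500:1c06:5000:a101) and the second host and its hostname made up.

```python
"""Generate ip6.arpa PTR records from forward IPv6 addresses. Added example;
the prefix and host list are constructed sample data."""
import ipaddress

def reverse_name(addr):
    """Full nibble-reversed name with trailing dot, as dig -x would show it."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."

def reverse_origin(prefix):
    """$ORIGIN of the reverse zone for a prefix (length must be a nibble multiple)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for an ip6.arpa zone")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def relative_label(addr, prefix):
    """Host part of the reverse name, relative to reverse_origin(prefix)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    ip = ipaddress.IPv6Address(addr)
    if ip not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    nibbles = ip.exploded.replace(":", "")[net.prefixlen // 4 :]
    return ".".join(reversed(nibbles))

def ptr_zone_fragment(prefix, hosts, ttl=3600):
    """Zone-file text for one reverse zone: $ORIGIN, $TTL and one PTR per host.
    hosts is a list of (address, fqdn); targets must be absolute and
    addresses unique, since two PTRs for one address is almost always a typo."""
    seen = set()
    lines = [f"$ORIGIN {reverse_origin(prefix)}", f"$TTL {ttl}"]
    for addr, fqdn in hosts:
        if not fqdn.endswith("."):
            raise ValueError(f"PTR target {fqdn} must be fully qualified")
        ip = ipaddress.IPv6Address(addr)
        if ip in seen:
            raise ValueError(f"duplicate address {ip}")
        seen.add(ip)
        lines.append(f"{relative_label(addr, prefix)} PTR {fqdn}")
    return "\n".join(lines) + "\n"

# Constructed sample data; the first entry is the address behind the PTR in the post.
PREFIX = "2001:1a1:4d00::/64"
HOSTS = [
    ("2001:1a1:4d00::6500:1c06:5000:a101", "xe-3-0-3-101.ar.par1.fr.netname.net."),
    ("2001:1a1:4d00::1", "gw.par1.fr.netname.net."),
]

if __name__ == "__main__":
    print(ptr_zone_fragment(PREFIX, HOSTS), end="")
```

Feeding the output to named-checkzone before loading it catches anything the generator let through, and keeping the forward list as the single source of truth removes the hand-transcription step that produces most reverse-zone errors.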
named and dhcpd warnings and errors questions
Hello everybody,

bind9 1:9.6.ESV.R1+dfsg-0+lenny2
dhcp3-server 3.1.1-6+lenny4

I am having a lot of timed out errors in my syslogs that I want to solve. Below is the output of egrep 'named|dhcpd' /var/log/syslog
http://debian.pastebin.com/hyD915BA

I know the _ character is giving time-outs, so please ignore those. (If there is a way to fix them without changing the dhcp host name of the client I am open to suggestions.)

Also ignore the errors from clients from vlan6; I tried to set up my /etc/dhcp3/dhcpd.conf so it would only use the reverse dns zone for vlan4, but I can't seem to get that working. My /etc/dhcp3/dhcpd.conf is posted here: http://debian.pastebin.com/xWC1V55z

I would appreciate any help in getting my setup cleaned up so it does not generate so many errors.

With kind regards,
Jelle de Jong
What does func refer to in announce list archives
Hi all,

In the archives of bind-announce, for every release of bind there is a corresponding message with the heading "ISC BIND version is now available". In that message a list of changes that went into the new version is also mentioned. But every change mentioned has a tag in front of it. The tag is either: bug, port, func or doc (if there are more then I haven't seen them yet).

I want to know what this func tag means. Does it indicate a basic functionality enhancement that was carried out in the new version?

Apologies for the basic question, but I would be grateful if you could provide even a single line answer to my question.

Regards,
Mayuk
Re: Windows : compilation options
Danny Mayer wrote:
> Romain De Rasse wrote:
> > Hi, I succeeded in compiling ISC Bind for Windows. I'm now trying to enable fixed rrset (--enable-fixed-rrset for the configure file). But I didn't find how to change options for a Windows compilation. Can anyone help me?
>
> #define DNS_RDATASET_FIXED 1
>
> in config.h
>
> Danny

OK thanks, I succeeded in compiling with fixed rrset enabled. Strange thing though, the Beyond Compare software doesn't find any difference between these two directories: Build\Release after compiling with fixed rrset enabled and Build\Release after compiling without. In the Bind sources directory tree, only .obj files are different, and these files are not located in Build\Release. I don't really understand how, but it works. That's the most important thing.

Regards,
Romain
Windows : compilation options
Hi, I succeeded in compiling ISC Bind for Windows. I'm now trying to enable fixed rrset (--enable-fixed-rrset for the configure file). But I didn't find how to change options for a Windows compilation. Can anyone help me?

Best regards,
Romain De Rasse
rndc command for erased zone?
I no longer manage one of our DNS domains. As I use 'rndc reconfig' to load newly created zones, I was wondering if there is a way to do the same as reconfig but inversely, I mean, reload the configuration forgetting the just-erased zones. I tried every command that rndc has, but I guess that my only choice is to restart bind. I even tried flushing the cache, but it keeps answering DNS queries for that zone even after I erased the zone file. Is there a way to do this without stopping and starting the named daemon?

Thanks in advance, and thanks to everyone that helped me out in my last thread.

--
"The United States is like the guy at the party who gives cocaine to everybody and still nobody likes him." -- Jim Samuels
Marcos Lorenzo de Santiago, Técnico de Sistemas, Departamento de Informática, Ayuntamiento de Getafe
marcos.lore...@ayto-getafe.org | Teléfono: (+34) 91-202-79-48 | Móvil: (+34) 608-300-935
Modified a zone, so when it becomes available?
This is another quite short and simple question: when I modify a RR or add a new one on an existing zone, I have to restart the master server to make the change available. Is there any other way to reload the zone without stopping bind? I've tried with:

- rndc reload [zone]
- rndc reconfig [zone]
- rndc refresh [zone]

But none of these makes bind re-read the zone file. Am I missing anything?

Thank you in advance.

--
#if defined(__alpha__) && defined(CONFIG_PCI)
  /* The meaning of life, the universe, and everything. Plus this makes the year come out right. */
  year -= 42;
#endif
(From the patch for 1.3.2 (kernel/time.c), submitted by Marcus Meissner)
Marcos Lorenzo de Santiago, Técnico de Sistemas, Departamento de Informática, Ayuntamiento de Getafe
marcos.lore...@ayto-getafe.org | Teléfono: (+34) 91-202-79-48 | Móvil: (+34) 608-300-935
Re: Modified a zone, so when it becomes available?
On Tue, 15-09-2009 at 07:04 -0300, Leonardo Rodrigues wrote:
> Marcos Lorenzo de Santiago wrote:
> > When I modify a RR or add a new one on an existing zone, I have to restart the master server to make the change available. Is there any other way to reload the zone without stopping bind? I've tried with:
> > - rndc reload [zone]
> > - rndc reconfig [zone]
> > - rndc refresh [zone]
> > Am I missing anything?
>
> 'rndc reload' is enough to make the zones be re-read and new/updated records available. Probably you're missing:
>
> 1) to increment the zone serial ... if you don't do that, bind won't know you updated the zone. That's important, ALWAYS update the serial when changing/adding records;

I always update the serial, I know little but I know this ;)

> 2) your DNS server itself is using another DNS server which is caching the records, so the cache needs to expire so new/updated records can be seen. You can have your DNS server using itself (127.0.0.1) as DNS server, that should solve it if this is the problem;

This master server is its own server, so that's not the case...

After making changes to the zone, updating the serial, and rndc reload, I dig my zone and always get the old serial. The serial and the changes only appear when I '/etc/init.d/bind restart' it. I use bind 9.5.1 on debian 5.0.3.

Any clue?

Thanks in advance.

--
"Air is water with holes in it"
Marcos Lorenzo de Santiago, Técnico de Sistemas, Departamento de Informática, Ayuntamiento de Getafe
marcos.lore...@ayto-getafe.org | Teléfono: (+34) 91-202-79-48 | Móvil: (+34) 608-300-935
Re: Modified a zone, so when it becomes available?
On Tue, 15-09-2009 at 11:50 +0100, Cathy Almond wrote:
> Marcos Lorenzo de Santiago wrote:
> > On Tue, 15-09-2009 at 07:04 -0300, Leonardo Rodrigues wrote:
> > > Marcos Lorenzo de Santiago wrote:
> > > > When I modify a RR or add a new one on an existing zone, I have to restart the master server to make the change available. Is there any other way to reload the zone without stopping bind? I've tried with:
> > > > - rndc reload [zone]
> > > > - rndc reconfig [zone]
> > > > - rndc refresh [zone]
> > > > Am I missing anything?
> > >
> > > 'rndc reload' is enough to make the zones be re-read and new/updated records available. Probably you're missing:
> > >
> > > 1) to increment the zone serial ... if you don't do that, bind won't know you updated the zone. That's important, ALWAYS update the serial when changing/adding records;
> >
> > I always update the serial, I know little but I know this ;)
> >
> > > 2) your DNS server itself is using another DNS server which is caching the records, so the cache needs to expire so new/updated records can be seen. You can have your DNS server using itself (127.0.0.1) as DNS server, that should solve it if this is the problem;
> >
> > This master server is its own server, so that's not the case...
> >
> > After making changes to the zone, updating the serial, and rndc reload, I dig my zone and always get the old serial. The serial and the changes only appear when I '/etc/init.d/bind restart' it. I use bind 9.5.1 on debian 5.0.3.
> >
> > Any clue?
>
> Are your zone file modification timestamps being updated when you make changes?

Yes, it updates as I write the zone file.

What shocks me too is that every once in a while the zone file timestamp updates automatically, I think due to bind's strange behaviour. My configuration is as follows, nothing fancy:

options {
    listen-on { any; };
    directory "/var/cache/bind";
    query-source address 10.5.20.11 port 53;
    version "hidden";
    allow-notify { none; };
    allow-transfer { slaves-dmz; };
    transfer-source 10.5.20.11;
    allow-query { slaves-dmz; localhost; };
    forwarders { 10.5.20.12; 10.5.20.13; };
    forward only;
    transfers-in 100;
    recursion yes;
};
include "/etc/bind/dmz/zones";

Where zones is a file containing other 'include' statements with the zone configuration of each domain, like:

include "/etc/bind/zone1.conf";
include "/etc/bind/zone2.conf";
...
include "/etc/bind/zoneN.conf";

My server is chrooted and otherwise everything else works fine.

--
"...you could spend *all day* customizing the title bar. Believe me. I speak from experience." (By Matt Welsh)
Marcos Lorenzo de Santiago, Técnico de Sistemas, Departamento de Informática, Ayuntamiento de Getafe
marcos.lore...@ayto-getafe.org | Teléfono: (+34) 91-202-79-48 | Móvil: (+34) 608-300-935
forwarder that doesn't ask root servers
I believe bind has some root servers hardcoded inside and bind always looks for root servers even if you give it a list of forwarders; I see this in the firewall's blocked connections. So the question is quite simple: is there any way to disable this? I mean, I just want bind to forward queries related to not-owned maps to a list of forwarders, as the FW will drop all packets going to non-local nets. Does any of you know how to accomplish this?

Thanks in advance.

--
"It is the innocent, and not the wise, who solve the difficult questions." -- Pío Baroja (1872-1956), Spanish writer.
Marcos Lorenzo de Santiago, Técnico de Sistemas, Departamento de Informática, Ayuntamiento de Getafe
marcos.lore...@ayto-getafe.org | Teléfono: (+34) 91-202-79-48 | Móvil: (+34) 608-300-935
Re: forwarder that doesn't ask root servers
On Mon, 14-09-2009 at 15:01 +0200, Adam Tkac wrote:
> On Mon, Sep 14, 2009 at 01:31:24PM +0200, Marcos Lorenzo de Santiago wrote:
> > I believe bind has some root servers hardcoded inside and bind always looks for root servers even if you give it a list of forwarders; I see this in the firewall's blocked connections. So the question is quite simple: is there any way to disable this? I mean, I just want bind to forward queries related to not-owned maps to a list of forwarders, as the FW will drop all packets going to non-local nets. Does any of you know how to accomplish this?
>
> options {
>     ...
>     forward only;
>     ...
> };
>
> Regards, Adam

Thanks a lot... I feel stupid now, but thanks for opening my eyes! :D

Cheers.

--
"Let's leave conclusions to the idiots." -- Pío Baroja (1872-1956), Spanish writer.
Marcos Lorenzo de Santiago, Técnico de Sistemas, Departamento de Informática, Ayuntamiento de Getafe
marcos.lore...@ayto-getafe.org | Teléfono: (+34) 91-202-79-48 | Móvil: (+34) 608-300-935
Using bind 9.5.0 with Active directory
Hi,

I need to create a new Windows 2008 domain in a network with an existing Bind setup. I know I need dynamic DNS for the Windows domain. I also know I need GSS support to get secure dynamic updates, and this is supported in Bind 9.5.0. However I can't figure out how to configure everything properly (how do I generate the gss credentials? what if I don't have a Kerberos server yet?).

Is there anybody who can point me to some documentation on how to bootstrap a Windows domain installation in a bind environment? I'm not interested in running Bind on Windows; I can find plenty of info about that, but my binds are running just fine on linux. The main issue is getting secure dynamic updates working.

Thanks in advance,
Nico

--
With kind regards,
Nico De Ranter
Senior System Administrator
Sony Techsoft Centre
The Corporate Village · Da Vincilaan 7-D1 · B-1935 Zaventem · Belgium
Phone: +32 (0)2 700 8641  Fax: +32 (0)2 700 8622
E-mail: nico.deran...@eu.sony.com  Internet: www.sony-europe.com
Sony Technology and Software Centre Europe, a division of Sony Service Centre (Europe) N.V.
Registered office: Technologielaan 7 · B-1840 Londerzeel · Belgium
VAT BE 0413.825.160 · RPR Brussels · Fortis Bank Londerzeel 293-0376800-10 GEBA-BE-BB