RE: SERVFAIL error during the evening

2024-06-27 Thread sami . rahal
Hello 
Thank you for these suggestions and advice. I will start by updating BIND to 
version 9.18, then monitor the situation and provide feedback

Regards

-----Original Message-----
From: bind-users  On behalf of 
bind-users-requ...@lists.isc.org
Sent: Thursday, 27 June 2024 02:04
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 4497, Issue 1

--
CAUTION : This email originated outside the company. Do not click on any links 
or open attachments unless you are expecting them from the sender.
--

Send bind-users mailing list submissions to
bind-users@lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/bind-users
or, via email, send a message with subject or body 'help' to
bind-users-requ...@lists.isc.org

You can reach the person managing the list at
bind-users-ow...@lists.isc.org

When replying, please edit your Subject line so it is more specific than "Re: 
Contents of bind-users digest..."


Today's Topics:

   1. Re: rolling my own hints file (Greg Choules)
   2. Re: SERVFAIL error during the evening (Michael Batchelder)


--

Message: 1
Date: Wed, 26 Jun 2024 20:46:46 +0100
From: Greg Choules 
To: "Cuttler, Brian R (HEALTH)" 
Cc: David Farje , bind-users
,  "Hefner, Joseph (HEALTH)"

Subject: Re: rolling my own hints file
Message-ID:

Content-Type: text/plain; charset="utf-8"

Hi Brian.
No problem. The server may tell the client (dig; please not nslookup) 
information about where the answer came from, if 'minimal-responses' is set to 
"no". Usually clients don't need to know that, so please take a look at how m-r 
works:
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-minimal-responses

Cheers, Greg

On Wed, 26 Jun 2024 at 17:55, Cuttler, Brian R (HEALTH) < 
brian.cutt...@health.ny.gov> wrote:

>
>
> Greg, David,
>
>
>
> Thanks, much easier than what I thought it would be.
>
> I have two "root" servers so I went with this format, allowing a round 
> robin selection.
>
> Essentially this, sorry trying to be vague on the IPs.
>
>
>
> @ 518400   IN A xx.yy.zz..7
>
> @ 518400   IN A xx.yy.zz..8
>
> .   518400IN NS @
>
>
>
> Server reloaded fine and I am able to resolve non-domain information.
> Is there a flag someplace in dig or nslookup to show what root server 
> I'm hitting? I don't see that in any of the named log files, I may 
> need to add an ACL to log the traffic in a router to verify.
> Then again, my FW is not seeing queries to any of the normal root 
> servers, so that is in fact a good sign.
>
>
>
> New root servers are managed by my parent organization and my manager 
> asked me to send these queries through them. Wouldn't be performing 
> this exercise otherwise.
>
>
>
> Thank you, I think you've given me exactly what was needed.
>
>
>
> Brian
>
>
>
> *From:* Greg Choules 
> *Sent:* Wednesday, June 26, 2024 12:29 PM
> *To:* Cuttler, Brian R (HEALTH) 
> *Cc:* bind-users 
> *Subject:* Re: rolling my own hints file
>
>
>
>
>
> Hi Brian.
>
> Yes, you can define your own hint zone and tell BIND to use it. The 
> contents (I called the file "db.root" but the name is your choice) 
> could be as simple as:
>
>
>
> @ 300 IN A 127.0.0.3
> @ 300 IN NS @
>
>
>
> which says for this zone (which will be called ".", coming next) the 
> NS is the same name and its IP is 127.0.0.3, which happens to be 
> another instance of BIND I have running. Your file would contain the 
> names and IPs of your internal roots.
>
>
>
> In the config, define the hint zone like this:
>
>
>
> zone "." {
> type hint;
> file "db.root";
> };
>
>
>
> That should be all you need.
>
> Cheers, Greg
>
>
>
> On Wed, 26 Jun 2024 at 15:58, Cuttler, Brian R (HEALTH) via bind-users 
> < bind-users@lists.isc.org> wrote:
>
> Running Bind 9.18.18 on Ubuntu 22.04
>
>
>
> We would like to use root servers within our organization rather than 
> the actual root servers.
> I updated the hints file with the names and IPs of our servers, but we 
> seem to still access the official root servers.
>
> Wondering how I ignore the internal/build-in hints and have my own file.
>
> Wondering if replacing the IP addresses in the db.cache file with a 
> 

RE: SERVFAIL error during the evening

2024-06-26 Thread sami . rahal
Hello 
Thank you for your response. I have configured qname to disabled for now. Once 
the issue is resolved, I will set it to relaxed. I have provided a download 
link for the log files and a dig +trace test for more details on this issue, 
which I do not think is related to BIND or its configuration. I suspected that 
a firewall was blocking the DNS traffic, so I bypassed the firewall, but the 
result is the same. How can we ensure that this is a network-level issue?

download link: 

https://we.tl/t-M77os84duE

Regards

Sami

-----Original Message-----
From: bind-users  On behalf of 
bind-users-requ...@lists.isc.org
Sent: Tuesday, 25 June 2024 13:00
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 4495, Issue 2




Today's Topics:

   1. Re: SERVFAIL error during the evening (Michael Batchelder)
   2. Re: qname minimization: me too :( (Stephane Bortzmeyer)
   3. Re: can I provide invalid HTTPS values for testing?
  (Stephane Bortzmeyer)


--

Message: 1
Date: Tue, 25 Jun 2024 06:34:42 +0000 (UTC)
From: Michael Batchelder 
To: bind-users 
Cc: sami rahal 
Subject: Re: SERVFAIL error during the evening
Message-ID: <646819319.2383375.1719297282567.javamail.zim...@isc.org>
Content-Type: text/plain; charset=utf-8

>> Hello Michael
>> Thank you for your response. Here is a pcap file and some logs.
> 
> Hello Sami,
>
> Your pcap shows your resolver making thousands of queries that get no 
> responses (or at least the pcap does not contain them). There's not 
> much I can say, beyond that this does not appear to be a > problem 
> related to BIND.

Sami,

My co-worker helpfully pointed out something I missed when reviewing your 
packet capture. A large number of your resolution failures are because your 
BIND is configured to use QNAME minimization (a.k.a. "qmin") and the queries 
are to zones whose configuration is done incorrectly and breaks qmin.

The pcap indicates you have the 'qname-minimization strict' setting in your 
BIND configuration file. See the "qname-minimization" statement in the Options 
section of the BIND ARM 
(https://bind9.readthedocs.io/en/v9.16.25/reference.html#options-statement-definition-and-usage).
 For the general background on qmin, read RFCs 7816 and 9156.

I don't know of a reason why you would experience more qmin failures in the 
evening, other than the requests that fail are only made at that time. 
Regardless, if you want to stop the failures completely, you can change the 
'qname-minimization strict' setting to 'qname-minimization disabled'. The 
drawback is that your queries will no longer be minimized, so all authoritative 
servers will see the full query name during recursion.

As a compromise between doing nothing and fully disabling qmin, you can use the 
'qname-minimization relaxed' setting which will try qmin and if BIND encounters 
a zone which breaks qmin, then BIND will switch to not doing qmin and do normal 
recursion (equivalent to 'qname-minimization disabled') for that query.

Also, you should upgrade your version of BIND, as we can see that the qmin 
queries are those used in older versions of BIND. 

Michael


--

Message: 2
Date: Tue, 25 Jun 2024 10:59:19 +0200
From: Stephane Bortzmeyer 
To: Peter 
Cc: Stephane Bortzmeyer , Michael Batchelder
, bind-users 
Subject: Re: qname minimization: me too :(
Message-ID: 
Content-Type: text/plain; charset=us-ascii

On Mon, Jun 24, 2024 at 10:32:37PM +0200, Peter 
wrote a message of 40 lines which said:

> In other words: why do You guys no longer talk to each other?

We do but talking is one thing, convincing is another one, and making people 
act is a third :-(


--

Message: 3
Date: Tue, 25 Jun 2024 11:03:22 +0200
From: Stephane Bortzmeyer 
To: Stephen Farrell 
Cc: bind-users@lists.isc.
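As an added illustration (not from the thread or from BIND's own code), here is a toy model of the query sequence Michael describes: a resolver that minimises the QNAME against a constructed authoritative zone, once with a server that correctly answers NODATA for empty non-terminals and once with one that wrongly answers NXDOMAIN for them, under the strict, relaxed and disabled settings. The zone data, the fixed known zone cut at "com" and the use of SERVFAIL as the stand-in for a strict-mode failure are assumptions of the model.

```python
# Toy model of QNAME minimisation (RFC 7816 / RFC 9156) against a zone that does,
# or does not, handle it correctly. Added example; all data is constructed.

# Constructed authoritative data: owner name -> A record. Any name that only
# exists as a suffix of these owners is an empty non-terminal (ENT).
ZONE = {
    "www.api.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.25",
}


def authoritative_answer(zone, qname, broken_ent):
    """Answer one query as a toy authoritative server would.

    A correct server returns NOERROR with no data (NODATA) for an ENT such as
    'api.example.com'. A server with the misconfiguration the thread describes
    returns NXDOMAIN for any name that has no records of its own, which tells a
    minimising resolver that the whole subtree does not exist.
    """
    if qname in zone:
        return ("NOERROR", zone[qname])
    exists_below = any(owner.endswith("." + qname) for owner in zone)
    if exists_below and not broken_ent:
        return ("NOERROR", None)  # NODATA: the name exists but has no A record
    return ("NXDOMAIN", None)


def resolve(zone, qname, mode, broken_ent, known_cut="com"):
    """Resolve qname with qname-minimization set to strict, relaxed or disabled.

    Returns ((rcode, rdata), names_sent). The resolver is assumed to already
    hold the delegation for known_cut, so minimisation starts one label below it.
    """
    labels = qname.split(".")
    start = len(labels) - len(known_cut.split(".")) - 1
    if mode == "disabled" or start < 0:
        return authoritative_answer(zone, qname, broken_ent), [qname]

    sent = []
    for i in range(start, -1, -1):
        name = ".".join(labels[i:])
        sent.append(name)
        rcode, rdata = authoritative_answer(zone, name, broken_ent)
        if name == qname:
            return (rcode, rdata), sent  # reached the full name: final answer
        if rcode == "NXDOMAIN":
            if mode == "strict":
                # strict: never retry without minimisation, so the lookup fails.
                # SERVFAIL is the stand-in here, matching what the poster's logs show.
                return ("SERVFAIL", None), sent
            # relaxed: stop minimising and ask for the full name directly
            sent.append(qname)
            return authoritative_answer(zone, qname, broken_ent), sent
    return ("SERVFAIL", None), sent


if __name__ == "__main__":
    for mode in ("strict", "relaxed", "disabled"):
        for broken in (False, True):
            result, sent = resolve(ZONE, "www.api.example.com", mode, broken)
            print(f"{mode:8} broken_ent={broken!s:5} -> {result}  queries: {sent}")
```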

RE: SERVFAIL error during the evening

2024-06-14 Thread sami . rahal
Hello 
Okay, thank you Andrews
BR

-----Original Message-----
From: Mark Andrews 
Sent: Friday, 14 June 2024 00:33
To: RAHAL Sami SOFRECOM 
Cc: ML BIND Users 
Subject: Re: SERVFAIL error during the evening


Before you do anything else change your rndc shared key as you published it.

> On 14 Jun 2024, at 01:00, sami.ra...@sofrecom.com wrote:
> 
> Hello community,
>  We are experiencing a resolution problem: 'SERVFAIL error'. Our environment 
> is BIND 9.16.48, OS: Redhat8. I am sharing with you a part of the log that 
> contains this error, named.conf file.
>  What I've noticed is that the resolution problem is mainly related to domain 
> names that contain a CNAME record in the response, such as 
> 'account.api.here.com' and 'push-rtmp-l96.douyincdn.com'
>  P.S. DNSSEC is temporarily disabled to facilitate the diagnosis of the issue.
>   Regards  Orange Restricted
>  -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



SERVFAIL error during the evening

2024-06-13 Thread sami . rahal
Hello community,

We are experiencing a resolution problem: 'SERVFAIL error'. Our environment is 
BIND 9.16.48, OS: Redhat8. I am sharing with you a part of the log that 
contains this error, named.conf file.

What I've noticed is that the resolution problem is mainly related to domain 
names that contain a CNAME record in the response, such as 
'account.api.here.com' and 'push-rtmp-l96.douyincdn.com'

P.S. DNSSEC is temporarily disabled to facilitate the diagnosis of the issue.


Regards

Orange Restricted

+++ Statistics Dump +++ (1670610522)
++ Incoming Requests ++
   94682 QUERY
   1 STATUS
++ Incoming Queries ++
   90027 A
   1 NS
   1 CNAME
   1 SOA
   1 WKS
 323 PTR
   1 HINFO
  27 TXT
2650 
  91 SRV
  82 NAPTR
   9 TYPE64
1451 TYPE65
++ Outgoing Rcodes ++
   89846 NOERROR
 142 SERVFAIL
4268 NXDOMAIN
++ Outgoing Queries ++
[View: mobile]
   22280 A
  14 NS
  26 CNAME
   1 SOA
   1 WKS
  97 PTR
   1 HINFO
  11 TXT
7390 
  19 SRV
  14 NAPTR
   1 TYPE64
1021 TYPE65
[View: defaut]
[View: _bind]
++ Name Server Statistics ++
   94685 IPv4 requests received
  25 requests with EDNS(0) received
  25 TCP requests received
   8 TCP connection high-water
   94256 responses sent
  49 truncated responses sent
  25 responses with EDNS(0) sent
   88189 queries resulted in successful answer
 424 queries resulted in authoritative answer
   93670 queries resulted in non authoritative answer
   2 queries resulted in referral answer
1635 queries resulted in nxrrset
 142 queries resulted in SERVFAIL
4268 queries resulted in NXDOMAIN
9327 queries caused recursion
 293 duplicate queries received
  64 queries dropped
  73 recursing clients
 194 response policy zone rewrites
   94588 UDP queries received
  25 TCP queries received
   1 COOKIE option received
   1 COOKIE - client only
++ Zone Maintenance Statistics ++
++ Resolver Statistics ++
[Common]
../var/log/named.stats
20-May-2024 17:49:00.463 query-errors: info: client @0x7f883402a870 
10.88.202.136#24064 (account.api.here.com): view mobile: query failed 
(SERVFAIL) for account.api.here.com/IN/A at query.c:7294
20-May-2024 17:49:00.464 query-errors: info: client @0x7f88b805ecd0 
10.176.108.141#51399 (www.facebook.com): view mobile: query failed (SERVFAIL) 
for www.facebook.com/IN/A at query.c:7294
20-May-2024 17:49:00.467 query-errors: info: client @0x7f8848072050 
10.134.204.116#22143 (youtubei.googleapis.com): view mobile: query failed 
(SERVFAIL) for youtubei.googleapis.com/IN/A at query.c:7294
20-May-2024 17:49:00.471 query-errors: info: client @0x7f8800061e10 
10.88.180.148#19837 (developers.google.cn): view mobile: query failed 
(SERVFAIL) for developers.google.cn/IN/A at query.c:7294
20-May-2024 17:49:00.474 query-errors: info: client @0x7f88f8081aa0 
10.134.43.29#19387 (netseer-ipaddr-assoc.xz.fbcdn.net): view mobile: query 
failed (failure) for netseer-ipaddr-assoc.xz.fbcdn.net/IN/A at query.c:8050
20-May-2024 17:49:00.475 query-errors: info: client @0x7f8828027430 
10.134.91.124#2620 (edge-mqtt.facebook.com): view mobile: query failed 
(SERVFAIL) for edge-mqtt.facebook.com/IN/A at query.c:7294
20-May-2024 17:49:00.475 query-errors: info: client @0x7f88e8064320 
10.116.224.79#12555 (af.ec922003.com): view mobile: query failed (SERVFAIL) for 
af.ec922003.com/IN/A at query.c:7294
20-May-2024 17:49:00.477 query-errors: info: client @0x7f88d40506a0 
10.88.148.114#32830 (youtubei.googleapis.com): view mobile: query failed 
(SERVFAIL) for youtubei.googleapis.com/IN/A at query.c:7294
20-May-2024 17:49:00.479 query-errors: info: client @0x7f87fc0271c0 
10.88.176.105#1579 (www.pullcm.com): view mobile: query failed (SERVFAIL) for 
www.pullcm.com/IN/A at query.c:7294
20-May-2024 17:49:00.485 query-errors: info: client @0x7f87e8068f60 
10.134.28.232#56091 (googleads.g.doubleclick.net): view mobile: query failed 
(SERVFAIL) for googleads.g.doubleclick.net/IN/A at query.c:7294
20-May-2024 17:49:00.488 query-errors: info: client @0x7f88d40506a0 
10.134.227.176#24591 (www.google.cd): view mobile: query failed (SERVFAIL) for 
www.google.cd/IN/A at query.c:7294
20-May-2024 17:49:00.495 query-errors: info: client @0x7f88f8081aa0 
10.176.111.173#60640 
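An added example (not from the thread) of how the query-errors lines above can be triaged: a parser for that log format plus an aggregation by failure reason, hour of day, query name and view, which is what makes an "only in the evening" pattern and a handful of dominant zones visible. The sample lines are constructed in the same format with RFC 5737 addresses and example.* names, not taken from the poster's log.

```python
import re
from collections import Counter
from datetime import datetime

# Regex for BIND's query-errors channel as it appears in the thread, e.g.
# 20-May-2024 17:49:00.463 query-errors: info: client @0x7f88... 10.0.0.1#24064 \
#   (name): view mobile: query failed (SERVFAIL) for name/IN/A at query.c:7294
# The level field is "info" or "debug N", hence the [\w ]+ group.
QUERY_ERROR_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"query-errors: [\w ]+: client @0x[0-9a-fA-F]+ "
    r"(?P<client>[0-9a-fA-F.:]+)#\d+ \(\S+\): view (?P<view>\S+): "
    r"query failed \((?P<reason>[^)]+)\) for "
    r"(?P<qname>[^/\s]+)/(?P<qclass>\w+)/(?P<qtype>\w+) at (?P<where>\S+)$"
)


def parse_query_error(line):
    """Return the fields of one query-errors line, or None if it is something else."""
    m = QUERY_ERROR_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%d-%b-%Y %H:%M:%S")
    return fields


def summarize(lines):
    """Aggregate failures by reason, hour of day, qname and view.

    Bucketing by hour shows whether failures cluster at a time of day; the
    per-qname counter shows whether a few zones account for most of them.
    """
    summary = {
        "by_reason": Counter(), "by_hour": Counter(),
        "by_qname": Counter(), "by_view": Counter(), "unparsed": 0,
    }
    for line in lines:
        rec = parse_query_error(line)
        if rec is None:
            summary["unparsed"] += 1  # other channels (queries, lame-servers, ...)
            continue
        summary["by_reason"][rec["reason"]] += 1
        summary["by_hour"][rec["ts"].hour] += 1
        summary["by_qname"][rec["qname"]] += 1
        summary["by_view"][rec["view"]] += 1
    return summary


# Constructed sample in the thread's format (pointer values, addresses and names
# are made up); the last line is a normal "queries" entry to show it is skipped.
SAMPLE_LOG = """\
20-May-2024 17:49:00.463 query-errors: info: client @0x55d0c0ffee10 192.0.2.10#24064 (account.api.example.com): view mobile: query failed (SERVFAIL) for account.api.example.com/IN/A at query.c:7294
20-May-2024 17:49:00.467 query-errors: info: client @0x55d0c0ffee20 192.0.2.11#22143 (cdn.example.net): view mobile: query failed (SERVFAIL) for cdn.example.net/IN/A at query.c:7294
20-May-2024 17:49:00.474 query-errors: info: client @0x55d0c0ffee30 192.0.2.12#19387 (assets.example.org): view mobile: query failed (failure) for assets.example.org/IN/A at query.c:8050
20-May-2024 17:49:01.002 query-errors: debug 1: client @0x55d0c0ffee40 192.0.2.13#32830 (account.api.example.com): view mobile: query failed (SERVFAIL) for account.api.example.com/IN/AAAA at query.c:7294
20-May-2024 09:12:44.120 query-errors: info: client @0x55d0c0ffee50 192.0.2.14#56091 (www.example.com): view default: query failed (SERVFAIL) for www.example.com/IN/A at query.c:7294
20-May-2024 17:49:01.500 queries: info: client @0x55d0c0ffee50 192.0.2.14#56091 (www.example.com): query: www.example.com IN A + (192.0.2.53)
"""


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("by reason:", dict(s["by_reason"]))
    print("by hour:  ", dict(sorted(s["by_hour"].items())))
    print("top names:", s["by_qname"].most_common(3))
    print("by view:  ", dict(s["by_view"]), "unparsed:", s["unparsed"])
```

On a real log, feed it `open("/path/to/named.log")` instead of the sample; the hour histogram is the quickest way to confirm or refute the evening pattern.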

RE: transfert master slave

2024-03-25 Thread sami . rahal
It's clearer now, thank you Greg
Sami

From: Greg Choules 
Sent: Monday, 25 March 2024 12:52
To: RAHAL Sami SOFRECOM 
Cc: ML BIND Users 
Subject: Re: transfert master slave

Hi Sami.
"allow-..." statements are to restrict from which sources *this* server will 
accept messages, of whichever type.
On the secondary (slave), "allow-notify {192.168.56.154;};" will permit it to 
process NOTIFY messages sent to it from the primary (master), but ignore any 
others. Actually, this is not necessary because it would do that anyway. See 
the ARM description for this statement - 
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-allow-notify

NOTIFY messages from the primary will reach the secondary server and be 
processed because the primary is listed in an NS record in the zone. As Mark 
says, you cannot stop this. You could test sending NOTIFY from a third server 
that is *not* listed as an NS for the zone.

On the primary you do not need allow-transfer {192.168.56.157;}; as the primary 
is not transferring *from* the secondary.
You probably also don't need also-notify {192.168.56.157;}; if the secondary 
has an NS record in the zones it will be transferring, which it should.

Hope that helps.
Greg

On Mon, 25 Mar 2024 at 11:34, sami.ra...@sofrecom.com wrote:
Hello community,
I'm trying to configure a DNS slave server (192.168.56.157). I want to allow 
notifications only from the master (192.168.56.154). I added the directive 
"allow-notify {192.168.56.154;};" and it works. However, when I try to test the 
prohibition of notification by adding "allow-notify {none;};" at the slave, it 
still receives updates from the master. The transfer on the master is as 
follows:
allow-transfer {192.168.56.157;};
also-notify {192.168.56.157;};
notify explicit;

PS. BIND version : 9.16.48

Regards Sami
Orange Restricted



RE: transfert master slave

2024-03-25 Thread sami . rahal
Thank you Mark for this information
Regards



From: Mark Andrews 
Sent: Monday, 25 March 2024 12:42
To: RAHAL Sami SOFRECOM 
Cc: ML BIND Users 
Subject: Re: transfert master slave

Allow-notify is additive. You can’t block notify from primaries.
--
Mark Andrews


On 25 Mar 2024, at 22:34, 
sami.ra...@sofrecom.com wrote:

Hello community,
I'm trying to configure a DNS slave server (192.168.56.157). I want to allow 
notifications only from the master (192.168.56.154). I added the directive 
"allow-notify {192.168.56.154;};" and it works. However, when I try to test the 
prohibition of notification by adding "allow-notify {none;};" at the slave, it 
still receives updates from the master. The transfer on the master is as 
follows:
allow-transfer {192.168.56.157;};
also-notify {192.168.56.157;};
notify explicit;

PS. BIND version : 9.16.48

Regards Sami
Orange Restricted



transfert master slave

2024-03-25 Thread sami . rahal
Hello community,
I'm trying to configure a DNS slave server (192.168.56.157). I want to allow 
notifications only from the master (192.168.56.154). I added the directive 
"allow-notify {192.168.56.154;};" and it works. However, when I try to test the 
prohibition of notification by adding "allow-notify {none;};" at the slave, it 
still receives updates from the master. The transfer on the master is as 
follows:
allow-transfer {192.168.56.157;};
also-notify {192.168.56.157;};
notify explicit;

PS. BIND version : 9.16.48

Regards Sami
Orange Restricted



RE: record PTR

2024-03-14 Thread sami . rahal
It's clear, thank you.

From: Ben Croswell 
Sent: Thursday, 14 March 2024 13:26
To: RAHAL Sami SOFRECOM ; ML BIND Users 
Subject: Re: record PTR

181.242.197.in-addr.arpa. 3600 IN NS douala0.orange.cm.
181.242.197.in-addr.arpa. 3600 IN NS nsbangui.orangerca.com.
181.242.197.in-addr.arpa. 3600 IN NS yaounde0.orange.cm.

The in-addr currently points to the DNS servers above. Those would need to be 
changed to your servers or the owners of those servers would need to add the 
PTR records.

On Thu, Mar 14, 2024, 8:19 AM sami.ra...@sofrecom.com wrote:
Thank you for your response.
In my case, I have added a PTR record for mail.sami.tn pointing to 
197.242.181.69, but it is still not visible from the outside. However, when I 
test 'dig @0 -x 197.242.181.69', it works. Do I need to request a delegation 
of 197.242.181.69 to the name servers ns1.sami.tn?

From: Ben Croswell <ben.crosw...@gmail.com>
Sent: Thursday, 14 March 2024 13:10
To: RAHAL Sami SOFRECOM <sami.ra...@sofrecom.com>; ML BIND Users 
<bind-users@lists.isc.org>
Subject: Re: record PTR

The in-addr.arpa domain for your IP space will need to be delegated to your DNS 
servers. That generally happens at the entity that assigned the block. For 
instance ARIN, RIPE, or APNIC.

On Thu, Mar 14, 2024, 8:06 AM sami.ra...@sofrecom.com wrote:
Hello, please, I want to know if I need to delegate a range of IP addresses to 
my authoritative DNS server with my registrar before creating a PTR record or 
not. In other words, if I want to create a PTR record on my authoritative 
server (ns1.mydomain.com) for 
mail.mydomain.com pointing to 41.226.22.50, should 
the range 41.226.22.0/24 be delegated to my 
authoritative DNS server ns1.mydomain.com?
Regards Sami
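An added example, not from the thread, that works through Ben's point: compute the PTR owner name for an address, the reverse zone a block would need delegated, and whether a PTR you add on your own server can be reached from outside given the delegation chain. The delegation table is constructed for the example (only the 181.242.197.in-addr.arpa NS set repeats what Ben quoted; the entries above it are placeholders, not the real in-addr.arpa delegations).

```python
import ipaddress

# Constructed delegation table: reverse zone -> NS set, as "dig NS <zone>" would show.
DELEGATIONS = {
    "in-addr.arpa": {"root-reverse.example"},        # placeholder
    "197.in-addr.arpa": {"rir-ns.example"},          # placeholder
    "181.242.197.in-addr.arpa": {
        "douala0.orange.cm", "nsbangui.orangerca.com", "yaounde0.orange.cm",
    },
}


def ptr_name(ip):
    """Owner name of the PTR record for an address, e.g. 69.181.242.197.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone(cidr):
    """Reverse zone that would have to be delegated for a block.

    Octet-aligned IPv4 blocks (/8, /16, /24) and nibble-aligned IPv6 blocks map
    directly. An IPv4 block longer than /24 cannot be delegated on its own and
    gets the RFC 2317 'first/prefix' naming used for classless delegation.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        octets = str(net.network_address).split(".")
        if net.prefixlen > 24:
            return (f"{octets[3]}/{net.prefixlen}."
                    + ".".join(reversed(octets[:3])) + ".in-addr.arpa")
        if net.prefixlen % 8:
            raise ValueError("IPv4 prefix shorter than /24 must be octet-aligned; "
                             "delegate each enclosing /24 (or the /16) instead")
        return ".".join(reversed(octets[: net.prefixlen // 8])) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 prefix must be nibble-aligned to delegate")
    nibbles = net.network_address.reverse_pointer.split(".")[:32]
    return ".".join(nibbles[32 - net.prefixlen // 4:]) + ".ip6.arpa"


def covering_zone(name, delegations):
    """Longest delegated zone containing name, walking up one label at a time."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in delegations:
            return candidate
    return None


def ptr_visible_from_outside(ip, delegations, my_nameservers):
    """Decide whether a PTR added on my_nameservers is reachable from the Internet.

    Returns (visible, explanation). A record on your own server only matters if
    the delegation chain for the reverse name ends at that server; otherwise
    'dig -x' against your own server works while the rest of the world never asks it.
    """
    name = ptr_name(ip)
    zone = covering_zone(name, delegations)
    if zone is None:
        return False, f"no delegation found above {name}"
    ns = delegations[zone]
    mine = ns & set(my_nameservers)
    if mine:
        return True, f"{zone} is delegated to {sorted(mine)}"
    return False, (f"{name} falls under {zone}, delegated to {sorted(ns)}; that "
                   f"operator must add the PTR or delegate the block to {sorted(my_nameservers)}")


if __name__ == "__main__":
    print(ptr_name("197.242.181.69"))
    print(reverse_zone("41.226.22.0/24"), reverse_zone("192.0.2.64/26"))
    print(ptr_visible_from_outside("197.242.181.69", DELEGATIONS, ["ns1.sami.tn"]))
```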


record PTR

2024-03-14 Thread sami . rahal
Hello, please, I want to know if I need to delegate a range of IP addresses to 
my authoritative DNS server with my registrar before creating a PTR record or 
not. In other words, if I want to create a PTR record on my authoritative 
server (ns1.mydomain.com) for mail.mydomain.com pointing to 41.226.22.50, 
should the range 41.226.22.0/24 be delegated to my authoritative DNS server 
ns1.mydomain.com?
Regards Sami


RE: monitoring BIND

2023-08-04 Thread sami . rahal
Hello Borja
Thank you very much for this feedback. Yes, I confirm that monitoring latency 
is not always obvious. About the solution you are currently using, is there a 
tutorial to try it? Thanks in advance.
Regards Sami

-----Original Message-----
From: Borja Marcos  
Sent: Friday, 4 August 2023 07:34
To: RAHAL Sami SOFRECOM 
Cc: bind-users@lists.isc.org
Subject: Re: monitoring BIND



> On 3 Aug 2023, at 17:07, sami.ra...@sofrecom.com wrote:
> 
>  Hello community
> Please, what is the most recommended tool for BIND monitoring, especially to 
> display response time and latency? Thank you in advance.

For latency, your friend is Dnstap. The implementation on Bind is superb. When 
Dnstap reports a RESOLVER_RESPONSE event it includes *both* the query timestamp 
and the received response timestamp. It doesn't work on CLIENT_RESPONSE right 
now, although it may with a small caveat (I am going to lobby a bit: issue 
3695).

Other DNS servers are not so complete so you should keep track of those 
timestamps yourself. 




Borja.



RE: monitoring BIND

2023-08-04 Thread sami . rahal
Hello Andrew
Thank you for your feedback. I am testing some tools, including netdata, from 
the list suggested by ISC, but I would like to know your feedback about the 
tools you use, especially to monitor latency.
Regards

From: Andrew Latham 
Sent: Thursday, 3 August 2023 16:14
To: RAHAL Sami SOFRECOM 
Cc: bind-users@lists.isc.org
Subject: Re: monitoring BIND

Maybe start with https://kb.isc.org/docs/monitoring-recommendations-for-bind-9

On Thu, Aug 3, 2023 at 9:07 AM sami.ra...@sofrecom.com wrote:

Hello community
Please, what is the most recommended tool for BIND monitoring, especially to 
display response time and latency? Thank you in advance.
Regards Sami


--
- Andrew "lathama" Latham -


monitoring BIND

2023-08-03 Thread sami . rahal

Hello community
Please, what is the most recommended tool for BIND monitoring, especially to 
display response time and latency? Thank you in advance.
Regards Sami


RE: extended dns error

2023-07-12 Thread sami . rahal
Hi Greg, Thank you for your answer
I use RPZ as follows :

response-policy { zone "rpz"; }
   break-dnssec yes
   recursive-only no
   qname-wait-recurse no;
};
Regards Sami

From: Greg Choules 
Sent: Wednesday, 12 July 2023 10:07
To: RAHAL Sami SOFRECOM 
Cc: bind-users@lists.isc.org
Subject: Re: extended dns error

Hi Sami.
In the "response-policy" block in your config, what (if anything) is the value 
of the statement "qname-wait-recurse"?
If you do not have that set explicitly, please do "named -C" to list the 
defaults and see what it is; probably "yes".

This parameter controls whether RPZ waits until successful recursion has 
finished before it rewrites the response, according to the matching rule in the 
RPZ zone.
If there is no successful response from recursion then RPZ has nothing to 
rewrite, so your server's response to its client will be SERVFAIL.

It looks like your server cannot resolve cadyst.com/A for some reason, which 
would explain what gets sent back to the client.
However, it resolves fine for me:
cadyst.com. 908 IN A 146.59.209.152

Maybe you have some other issue with your resolver?

Cheers, Greg

On Wed, 12 Jul 2023 at 09:26, sami.ra...@sofrecom.com wrote:
Hello
Thank you for your answer. Yes, we will plan a migration to version 9.18.
Now I have activated "error log" to get the cause of a SERVFAIL error; here 
is the result.

11-Jul-2023 10:36:21.146 query-errors: debug 3: client @0x7f217a2bd250 
127.0.0.1#39627 (cadyst.com): view default: rpz QNAME rewrite cadyst.com stop 
on qresult in rpz_rewrite(): timed out
11-Jul-2023 10:36:21.146 query-errors: debug 1: client @0x7f217a2bd250 
127.0.0.1#39627 (cadyst.com): view default: query failed (timed out) for 
cadyst.com/IN/A at query.c:8042
11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at 
resolver.c:4983 for cadyst.com/A in 10.000118: timed out/success 
[domain:cadyst.com,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

Regards Sami


Message: 2
Date: Tue, 11 Jul 2023 12:04:15 +0200
From: Matthijs Mekking <matth...@isc.org>
To: bind-users@lists.isc.org
Subject: Re: extended dns error
Message-ID: 
<6f5bb3dc-ddf0-873c-c630-fa89fe260...@isc.org>
Content-Type: text/plain; charset=UTF-8; format=flowed

Upgrade to 9.18, because 9.16 does not support extended DNS errors.

See

https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=created_date=all_name%5B%5D=Extended%20DNS%20Errors_page_size=20

For which errors are supported.

Best regards, Matthijs

On 7/11/23 11:10, sami.ra...@sofrecom.com wrote:
> Hello community
>
> I want to use "extended dns error" option on my recursive dns server.
> What config changes are required to enable EDE?
>
> I am using BIND 9.16.42 as recursive server.
>
> Regards Sami
>
>


--

Subject: Digest Footer

___
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


--

End of bind-users Digest, Vol 4279, Issue 3
***


Re: extended dns error

2023-07-12 Thread sami . rahal
Hello
Thank you for your answer. Yes, we will plan a migration to version 9.18.
Now I have activated "error log" to get the cause of a SERVFAIL error; here 
is the result.

11-Jul-2023 10:36:21.146 query-errors: debug 3: client @0x7f217a2bd250 
127.0.0.1#39627 (cadyst.com): view default: rpz QNAME rewrite cadyst.com stop 
on qresult in rpz_rewrite(): timed out
11-Jul-2023 10:36:21.146 query-errors: debug 1: client @0x7f217a2bd250 
127.0.0.1#39627 (cadyst.com): view default: query failed (timed out) for 
cadyst.com/IN/A at query.c:8042
11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at 
resolver.c:4983 for cadyst.com/A in 10.000118: timed out/success 
[domain:cadyst.com,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

Regards Sami


Message: 2
Date: Tue, 11 Jul 2023 12:04:15 +0200
From: Matthijs Mekking 
To: bind-users@lists.isc.org
Subject: Re: extended dns error
Message-ID: <6f5bb3dc-ddf0-873c-c630-fa89fe260...@isc.org>
Content-Type: text/plain; charset=UTF-8; format=flowed

Upgrade to 9.18, because 9.16 does not support extended DNS errors.

See

https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=created_date=all_name%5B%5D=Extended%20DNS%20Errors_page_size=20

For which errors are supported.

Best regards, Matthijs

On 7/11/23 11:10, sami.ra...@sofrecom.com wrote:
> Hello community
> 
> I want to use "extended dns error" option on my recursive dns server. 
> What config changes are required to enable EDE?
> 
> I am using BIND 9.16.42 as recursive server.
> 
> Regards Sami
> 
> 


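The query-errors lines quoted in this post already carry the answer to "why SERVFAIL": the bracketed counters on the "fetch completed" line say how many upstream queries were sent and how many timed out. The following Python example is added here and is not code from the post or from BIND; it parses such lines and attributes each failed name to a cause (upstream timeouts versus DNSSEC validation failure). The sample log is constructed: its first three lines are the quoted lines rejoined onto single lines, and the dnssec-broken.example entry and the cause labels are my own.

```python
"""Parse BIND 'query-errors' log lines and attribute each SERVFAIL to a cause."""
import re
from dataclasses import dataclass

# Constructed sample. Lines 1-3 are the query-errors lines quoted in the post,
# rejoined onto single lines; line 4 is an invented DNSSEC-validation failure
# so that the classifier has a second cause to demonstrate.
SAMPLE_LOG = """\
11-Jul-2023 10:36:21.146 query-errors: debug 3: client @0x7f217a2bd250 127.0.0.1#39627 (cadyst.com): view default: rpz QNAME rewrite cadyst.com stop on qresult in rpz_rewrite(): timed out
11-Jul-2023 10:36:21.146 query-errors: debug 1: client @0x7f217a2bd250 127.0.0.1#39627 (cadyst.com): view default: query failed (timed out) for cadyst.com/IN/A at query.c:8042
11-Jul-2023 10:36:21.146 query-errors: debug 4: fetch completed at resolver.c:4983 for cadyst.com/A in 10.000118: timed out/success [domain:cadyst.com,referral:0,restart:3,qrysent:6,timeout:5,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
11-Jul-2023 10:40:02.001 query-errors: debug 4: fetch completed at resolver.c:4983 for dnssec-broken.example/A in 0.215000: failure/no valid signature [domain:dnssec-broken.example,referral:1,restart:1,qrysent:2,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:1]
"""

# "fetch completed at <file:line> for <name>/<type> in <secs>: <result>/<validator result> [k:v,...]"
FETCH_RE = re.compile(
    r"query-errors: debug \d+: fetch completed at (?P<src>\S+) "
    r"for (?P<name>[^/\s]+)/(?P<rtype>\S+) in (?P<secs>[\d.]+): "
    r"(?P<result>.+?)/(?P<vresult>.+?) \[(?P<stats>[^\]]*)\]$"
)

# "query failed (<reason>) for <name>/<class>/<type> at <file:line>"
FAIL_RE = re.compile(
    r"query failed \((?P<reason>[^)]*)\) for "
    r"(?P<name>[^/\s]+)/(?P<cls>\w+)/(?P<rtype>\w+) at (?P<src>\S+)$"
)


@dataclass
class FetchRecord:
    name: str
    rtype: str
    seconds: float
    result: str      # outcome of the fetch itself, e.g. "timed out"
    validation: str  # outcome of DNSSEC validation, e.g. "success"
    stats: dict      # the bracketed counters; numeric values converted to int


def parse_fetch(line: str):
    """Return a FetchRecord for a 'fetch completed' line, or None for any other line."""
    m = FETCH_RE.search(line.strip())
    if not m:
        return None
    stats = {}
    for item in m.group("stats").split(","):
        key, _, value = item.partition(":")
        stats[key] = int(value) if value.isdigit() else value
    return FetchRecord(m.group("name"), m.group("rtype"), float(m.group("secs")),
                       m.group("result"), m.group("vresult"), stats)


def classify(rec: FetchRecord) -> str:
    """Map a fetch record to the cause an operator should chase first.

    Cause labels are this example's own; they are not BIND terminology.
    """
    s = rec.stats
    if s.get("valfail", 0) > 0:
        return "dnssec-validation"          # validation failed: check the zone's signatures/DS
    if rec.result == "timed out" or (s.get("timeout", 0) > 0 and s.get("qrysent", 0) > 0):
        return "auth-unreachable"           # queries went out, answers never came back
    if s.get("lame", 0) > 0:
        return "lame-delegation"            # servers answered but are not authoritative
    if s.get("neterr", 0) > 0 or s.get("adberr", 0) > 0 or s.get("findfail", 0) > 0:
        return "network-or-nameserver-lookup"
    if s.get("badresp", 0) > 0:
        return "bad-responses"
    return "ok" if rec.result == "success" else "other: " + rec.result


def summarize(log_text: str) -> dict:
    """Fold a query-errors log into {qname: {cause, seconds, queries_sent, timeouts,
    servfail_reason}} so each SERVFAIL a monitor sees can be explained per name."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_fetch(line)
        if rec is not None:
            entry = report.setdefault(rec.name, {})
            entry.update(cause=classify(rec), seconds=rec.seconds,
                         queries_sent=rec.stats.get("qrysent", 0),
                         timeouts=rec.stats.get("timeout", 0))
            continue
        m = FAIL_RE.search(line.strip())
        if m:
            report.setdefault(m.group("name"), {})["servfail_reason"] = m.group("reason")
    return report


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_LOG).items():
        print(f"{name}: {info}")
```

Note that the first quoted line ("rpz QNAME rewrite ... stop on qresult ... timed out") is not a separate failure: it records that the RPZ rewrite was abandoned because the underlying recursion had already timed out, which is why the client still saw SERVFAIL.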


extended dns error

2023-07-11 Thread sami . rahal
Hello community

I want to use "extended dns error" option on my recursive dns server. What 
config changes are required to enable EDE?

I am using BIND 9.16.42 as recursive server.

Regards Sami


RE: latency and response time

2023-06-30 Thread sami . rahal
Hello Greg
Thank you for your feedback
Latency is the amount of time it takes for a data packet to go from one place 
to another, but response time is the total time taken to respond to a service 
request, including the service time (time to complete the requested task) and 
the wait time (time spent waiting in a queue for service).
For DNS there are benchmarking tools that output latency (resperf) and tools 
that output response time (namebench).
I want to know what the difference is for DNS and which value is the most 
important.
Regards, Sami

From: Greg Choules
Sent: Tuesday 27 June 2023 21:19
To: RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: latency and response time

Hi Sami.
Let me ask you a question.

How would you define the terms "latency" and "response time"?

Greg

On Tue, 27 Jun 2023 at 17:23, sami.ra...@sofrecom.com wrote:
Hello. In DNS benchmarking, which is more important, latency or response time? 
For a DNS server, what is the difference between the two values?

Regards, Sami


latency and response time

2023-06-27 Thread sami . rahal
Hello. In DNS benchmarking, which is more important, latency or response time? 
For a DNS server, what is the difference between the two values?

Regards, Sami


RE: Tools to measure performance and benchmarking of a DNS

2023-06-22 Thread sami . rahal
Hello
Thank you for the details.
Regards

-Original Message-
From: bind-users On Behalf Of bind-users-requ...@lists.isc.org
Sent: Thursday 22 June 2023 13:00
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 4265, Issue 1


Today's Topics:

   1. Tools to measure performance and benchmarking of a DNS
  (sami.ra...@sofrecom.com)
   2. AW: Tools to measure performance and benchmarking of a DNS
  (Klaus Darilion)
   3. Re: AW: Tools to measure performance and benchmarking of a DNS
  (Petr Špaček)


--

Message: 1
Date: Wed, 21 Jun 2023 15:58:47 +
From: sami.ra...@sofrecom.com
To: "bind-users@lists.isc.org" 
Subject: Tools to measure performance and benchmarking of a DNS
Message-ID: 
Content-Type: text/plain; charset="us-ascii"

Hello

Please, what is the recommended open source tool to test the performance and 
benchmarking of a DNS server, i.e. capture packets and then send them to a DNS 
server to measure response time, latency, cache usage, etc.?

Regards
Sami



--

Message: 2
Date: Wed, 21 Jun 2023 23:34:50 +0200
From: Klaus Darilion 
To: "sami.ra...@sofrecom.com"  ,
"bind-users@lists.isc.org" 
Subject: AW: Tools to measure performance and benchmarking of a DNS
Message-ID: 
Content-Type: text/plain; charset="iso-8859-1"

There are several tools with different features and behavior. I would take 
a look at dnsperf, kxdpgun and flamethrower.
Regards

> -Original Message-
> From: bind-users On Behalf Of sami.ra...@sofrecom.com
> Sent: Wednesday, 21 June 2023 17:59
> To: bind-users@lists.isc.org
> Subject: Tools to measure performance and benchmarking of a DNS
> 
> Hello
> 
> Please, what is the recommended open source tool to test the 
> performance and benchmarking of a DNS server, i.e. capture packets and 
> then send them to a DNS server to measure response time, latency, cache usage, 
> etc.?
> 
> Regards
> 
> Sami
> 
> 



--

Message: 3
Date: Thu, 22 Jun 2023 09:57:50 +0200
From: Petr Špaček 
To: bind-users@lists.isc.org
Subject: Re: AW: Tools to measure performance and benchmarking of a DNS
Message-ID: <3ac4572b-dd6c-fc37-c082-720fbe765...@isc.org>
Content-Type: text/plain; charset=UTF-8; format=flowed

Tools listed by Klaus below are mostly suitable for authoritative servers.

For resolvers the only tool with sensible methodology I know of is DNS
Shotgun:
https://dns-shotgun.readthedocs.io/


When you select a tool, make sure you drill down into its load 
generator model and judge its impact on your benchmark. For details see
https://www.usenix.org/legacy/event/nsdi06/tech/full_papers/schroeder/schroeder.pdf

Good luck with benchmarking!
Petr Špaček
Internet Systems Consortium


On 21. 06. 23 23:34, Klaus Darilion via bind-users wrote:
> There are several tools with different features and behavior. I would take 
> a look at dnsperf, kxdpgun and flamethrower.
> Regards
> 
>> -Original Message-
>> From: bind-users On Behalf Of sami.ra...@sofrecom.com
>> Sent: Wednesday, 21 June 2023 17:59
>> To: bind-users@lists.isc.org
>> Subject: Tools to measure performance and benchmarking of a DNS
>>
>> Hello
>>
>> Please, what is the recommended open source tool to test the performance
>> and benchmarking of a DNS server, i.e. capture packets and then send them
>> to a DNS server to measure response time, latency, cache usage, etc.?
>>
>> Regards
>>
>> Sami





Tools to measure performance and benchmarking of a DNS

2023-06-21 Thread sami . rahal
Hello

Please, what is the recommended open source tool to test the performance and 
benchmarking of a DNS server, i.e. capture packets and then send them to a DNS 
server to measure response time, latency, cache usage, etc.?

Regards
Sami



RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-20 Thread sami . rahal
Thank you very much, it now works fine. Just another question, please: what is 
the recommended open source tool to test the performance of a DNS server, i.e. 
capture packets and then send them to a DNS server to measure response time, 
latency, cache usage, etc.?
Regards

From: Greg Choules
Sent: Monday 19 June 2023 16:56
To: Lee; RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

From the correct email alias this time!

On Mon, 19 Jun 2023 at 16:50, Greg Choules wrote:
Hi Lee/Sami.
`break-dnssec yes;` *may* also be needed in some cases. But not here as the 
zone isn't signed anyway.

The reason that "example.com" works but "antlauncher.com" doesn't is down to 
BIND needing to perform recursion and get an answer before RPZ kicks in and 
overwrites it (unless you specify `qname-wait-recurse no;`). "example.com" 
actually gets an answer (from IANA) but "antlauncher.com" gets REFUSED.

Wireshark it and see.

By the way, I have been testing this on 9.18.15
Cheers, Greg


On Mon, 19 Jun 2023 at 16:10, Lee wrote:
On 6/19/23, sami.rahal wrote:
> Thank you Greg
>
> I tested with another domain name to replace "SERVFAIL" with "NXDOMAIN"; it is
> not working

You're missing "break-dnssec yes" on your response-policy stanza?
You need something like
  response-policy { zone "rpz.mozilla"; zone "rpz.zone"; }
      break-dnssec yes
      recursive-only no
      qname-wait-recurse no;
  # enable rpz
  # By default, RPZ actions are applied only to DNS requests that either do not
  # request DNSSEC metadata (DO=0) or when no DNSSEC records are available for
  # request name in the original zone (not the response policy zone).
  # This default can be changed for all response policy zones in a view with a
  # break-dnssec yes clause. In that case, RPZ actions are applied regardless
  # of DNSSEC.
  #
  # zone "rpz.mozilla";
  # https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

Regards,
Lee

>
> I use CentOS7 with BIND9.16.41
>
>
>
> grep antlauncher db.rpz
>
> antlauncher.com CNAME   .
>
> *.antlauncher.com   CNAME   .
>
>
>
> grep example db.rpz
>
> example.com IN  CNAME   .
>
> *.example.com   IN  CNAME   .
>
>
>
> dig @0 foo.antlauncher.com
>
>
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 foo.antlauncher.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
>
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54704
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>
>
> ;; OPT PSEUDOSECTION:
>
> ; EDNS: version: 0, flags:; udp: 4096
>
> ;; QUESTION SECTION:
>
> ;foo.antlauncher.com.   IN  A
>
>
>
> ;; Query time: 241 msec
>
> ;; SERVER: 127.0.0.1#53(0.0.0.0)
>
> ;; WHEN: Mon Jun 19 10:52:22 CET 2023
>
> ;; MSG SIZE  rcvd: 48
>
>
>
> # dig @0 example.com
>
>
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 example.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9852
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
>
>
>
> ;; OPT PSEUDOSECTION:
>
> ; EDNS: version: 0, flags:; udp: 4096
>
> ;; QUESTION SECTION:
>
> ;example.com.   IN  A
>
>
>
> ;; ADDITIONAL SECTION:
>
> siteblockeddb.  1   IN  SOA LOCALHOST. need.to.know.only. 2016011100 43200 900 1814400 7200
>
>
>
> ;; Query time: 347 msec
>
> ;; SERVER: 127.0.0.1#53(0.0.0.0)
>
> ;; WHEN: Mon Jun 19 10:52:36 CET 2023
>
> ;; MSG SIZE  rcvd: 115
>
>
>
>
> From: Greg Choules
> Sent: Monday 19 June 2023 15:12
> To: RAHAL Sami SOFRECOM
> Cc: bind-users@lists.isc.org
> Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
>
> Hi Sami.
> That's not what I said.
> Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but
> it's not something I would do.
>
> Cheers, Greg
>
> On Mon, 19 Jun 2023 at 12:40, sami.ra...@sofrecom.com wrote:
> Thank you Greg
> So if I understand correctly, if we receive a SERVFAIL return code we cannot
> change this code to NXDOMAIN with the rpz configuration?
> Regards
>
> From: Greg Choules
> Sent: Monday 19 June 2023 12:02
> To: RAHAL Sami SOFRECOM
> Cc : 
> 

RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread sami . rahal
Thank you Greg

I tested with another domain name to replace "SERVFAIL" with "NXDOMAIN"; it is 
not working

I use CentOS7 with BIND9.16.41



grep antlauncher db.rpz

antlauncher.com CNAME   .

*.antlauncher.com   CNAME   .



grep example db.rpz

example.com IN  CNAME   .

*.example.com   IN  CNAME   .



dig @0 foo.antlauncher.com



; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 foo.antlauncher.com
; (1 server found)
;; global options: +cmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54704
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1



;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;foo.antlauncher.com.   IN  A



;; Query time: 241 msec

;; SERVER: 127.0.0.1#53(0.0.0.0)

;; WHEN: Mon Jun 19 10:52:22 CET 2023

;; MSG SIZE  rcvd: 48



# dig @0 example.com



; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @0 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9852
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2



;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;example.com.   IN  A



;; ADDITIONAL SECTION:

siteblockeddb.  1   IN  SOA LOCALHOST. need.to.know.only. 2016011100 43200 900 1814400 7200



;; Query time: 347 msec

;; SERVER: 127.0.0.1#53(0.0.0.0)

;; WHEN: Mon Jun 19 10:52:36 CET 2023

;; MSG SIZE  rcvd: 115




From: Greg Choules
Sent: Monday 19 June 2023 15:12
To: RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

Hi Sami.
That's not what I said.
Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but it's 
not something I would do.

Cheers, Greg

On Mon, 19 Jun 2023 at 12:40, sami.ra...@sofrecom.com wrote:
Thank you Greg
So if I understand correctly, if we receive a SERVFAIL return code we cannot 
change this code to NXDOMAIN with the rpz configuration?
Regards

From: Greg Choules
Sent: Monday 19 June 2023 12:02
To: RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

That's because this domain is broken. The NS for it are:
antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26)
antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26)
No matter what query you send them (so far) they respond with REFUSED and claim 
not to be authoritative for "antlauncher.com".

Personally I would live with the SERVFAIL because it tells you that something 
is wrong, not just that it doesn't exist. Then try to contact the people who 
own this domain and tell them it is broken.

Cheers, Greg

On Mon, 19 Jun 2023 at 10:33, sami.ra...@sofrecom.com wrote:
Hello
Thank you for these details, Greg. By the way, I worked on a problem on one of 
my resolvers and there are currently no errors of type "SERVFAIL" for valid 
domain names, but I receive SERVFAIL for this domain name "antlauncher.com". 
That's why I wanted to change the return code for this domain name to 
"NXDOMAIN", so as not to distort the monitoring result.
Regards
From: Greg Choules
Sent: Monday 19 June 2023 10:03
To: RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

Hi Sami.
Firstly, a couple of definitions:
NXDOMAIN is a response from an authoritative server (or a resolver because it 
cached it). It is a positive confirmation that "this name does not exist". It 
means that the QNAME in the query cannot be found, for any record type.
SERVFAIL is a response from a recursive server meaning "I tried my best to get 
a response to your query but I just failed".

So if your monitoring tool, whatever it is, is receiving SERVFAIL responses 
from your DNS server then you need to fix whatever is causing those in the 
server.
Causes of SERVFAIL could be that your server cannot contact the authoritative 
server(s) that should know the answer. Or it might be because your server is 
trying to do DNSSEC validation and that is failing.
The best way to know *why* you are getting SERVFAIL would be to take a packet 
capture that includes the client queries to the server and any queries the 
server makes to try and get answers, plus all the responses.
Please do that and share the results, using real domains, not examples.

Hope that helps, Greg


On Mon, 19 Jun 2023 at 09:39, sami.ra...@sofrecom.com 

RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread sami . rahal
Thank you Greg
So if I understand correctly, if we receive a SERVFAIL return code we cannot 
change this code to NXDOMAIN with the rpz configuration?
Regards

From: Greg Choules
Sent: Monday 19 June 2023 12:02
To: RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

That's because this domain is broken. The NS for it are:
antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26)
antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26)
No matter what query you send them (so far) they respond with REFUSED and claim 
not to be authoritative for "antlauncher.com".

Personally I would live with the SERVFAIL because it tells you that something 
is wrong, not just that it doesn't exist. Then try to contact the people who 
own this domain and tell them it is broken.

Cheers, Greg

On Mon, 19 Jun 2023 at 10:33, sami.ra...@sofrecom.com wrote:
Hello
Thank you for these details, Greg. By the way, I worked on a problem on one of 
my resolvers and there are currently no errors of type "SERVFAIL" for valid 
domain names, but I receive SERVFAIL for this domain name "antlauncher.com". 
That's why I wanted to change the return code for this domain name to 
"NXDOMAIN", so as not to distort the monitoring result.
Regards
From: Greg Choules
Sent: Monday 19 June 2023 10:03
To: RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

Hi Sami.
Firstly, a couple of definitions:
NXDOMAIN is a response from an authoritative server (or a resolver because it 
cached it). It is a positive confirmation that "this name does not exist". It 
means that the QNAME in the query cannot be found, for any record type.
SERVFAIL is a response from a recursive server meaning "I tried my best to get 
a response to your query but I just failed".

So if your monitoring tool, whatever it is, is receiving SERVFAIL responses 
from your DNS server then you need to fix whatever is causing those in the 
server.
Causes of SERVFAIL could be that your server cannot contact the authoritative 
server(s) that should know the answer. Or it might be because your server is 
trying to do DNSSEC validation and that is failing.
The best way to know *why* you are getting SERVFAIL would be to take a packet 
capture that includes the client queries to the server and any queries the 
server makes to try and get answers, plus all the responses.
Please do that and share the results, using real domains, not examples.

Hope that helps, Greg


On Mon, 19 Jun 2023 at 09:39, sami.ra...@sofrecom.com wrote:
Hello, thank you for your feedback.
Yes, it works like that! But it does not work for a domain name that already 
has the return code "SERVFAIL" when we want to change this code to "NXDOMAIN", 
like this domain name "antlauncher.com".
Regards, Rahal

-Original Message-
From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of 
bind-users-requ...@lists.isc.org
Sent: Saturday 17 June 2023 06:23
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 4262, Issue 1


Today's Topics:

   1. replace "SERVFAIL"  to "NXDOMAIN"  with rpz
  (sami.ra...@sofrecom.com)
   2. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Crist Clark)
   3. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Fred Morris)
   4. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Ondřej Surý)


--

Message: 1
Date: Fri, 16 Jun 2023 20:39:43 +
From: sami.ra...@sofrecom.com
To: "bind-users@lists.isc.org"
Subject: replace "SERVFAIL"  to "NXDOMAIN"  with rpz
Message-ID: 
<9c4465dc103645149093f4d3f60cf...@sofrecom.com>
Content-Type: text/plain; charset="us-ascii"


Hello
For monitoring reasons I try to change the return code of a domain name 

RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread sami . rahal
Hello
Thank you for these details, Greg. By the way, I worked on a problem on one of 
my resolvers and there are currently no errors of type "SERVFAIL" for valid 
domain names, but I receive SERVFAIL for this domain name "antlauncher.com". 
That's why I wanted to change the return code for this domain name to 
"NXDOMAIN", so as not to distort the monitoring result.
Regards
From: Greg Choules
Sent: Monday 19 June 2023 10:03
To: RAHAL Sami SOFRECOM
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

Hi Sami.
Firstly, a couple of definitions:
NXDOMAIN is a response from an authoritative server (or a resolver because it 
cached it). It is a positive confirmation that "this name does not exist". It 
means that the QNAME in the query cannot be found, for any record type.
SERVFAIL is a response from a recursive server meaning "I tried my best to get 
a response to your query but I just failed".

So if your monitoring tool, whatever it is, is receiving SERVFAIL responses 
from your DNS server then you need to fix whatever is causing those in the 
server.
Causes of SERVFAIL could be that your server cannot contact the authoritative 
server(s) that should know the answer. Or it might be because your server is 
trying to do DNSSEC validation and that is failing.
The best way to know *why* you are getting SERVFAIL would be to take a packet 
capture that includes the client queries to the server and any queries the 
server makes to try and get answers, plus all the responses.
Please do that and share the results, using real domains, not examples.

Hope that helps, Greg


On Mon, 19 Jun 2023 at 09:39, sami.ra...@sofrecom.com wrote:
Hello, thank you for your feedback.
Yes, it works like that! But it does not work for a domain name that already 
has the return code "SERVFAIL" when we want to change this code to "NXDOMAIN", 
like this domain name "antlauncher.com".
Regards, Rahal

-Original Message-
From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of 
bind-users-requ...@lists.isc.org
Sent: Saturday 17 June 2023 06:23
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 4262, Issue 1


Today's Topics:

   1. replace "SERVFAIL"  to "NXDOMAIN"  with rpz
  (sami.ra...@sofrecom.com)
   2. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Crist Clark)
   3. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Fred Morris)
   4. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Ondřej Surý)


--

Message: 1
Date: Fri, 16 Jun 2023 20:39:43 +
From: sami.ra...@sofrecom.com
To: "bind-users@lists.isc.org"
Subject: replace "SERVFAIL"  to "NXDOMAIN"  with rpz
Message-ID: 
<9c4465dc103645149093f4d3f60cf...@sofrecom.com>
Content-Type: text/plain; charset="us-ascii"


Hello
For monitoring reasons I am trying to change the return code of a domain name 
from "SERVFAIL" to "NXDOMAIN" with the classic rpz configuration of BIND 9.16.42 
as follows:
example.com IN CNAME .
*.example.com IN CNAME .
But it still doesn't work; I still get the message "SERVFAIL". Is it 
feasible or not, please?
Kind regards



--

Message: 2
Date: Fri, 16 Jun 2023 20:29:16 -0700
From: Crist Clark
To: sami.ra...@sofrecom.com
Cc: "bind-users@lists.isc.org"
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
Message-ID:
Content-Type: text/plain; charset="utf-8"

That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ action. 
Something is wrong with your configuration.

On Fri, Jun 16, 2023 at 1:39 PM sami.ra...@sofrecom.com wrote:

>
>
> Hello
>
> For monitoring reasons I try to change the return code of a domain
> name from "SERVFAIL" to 

RE: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-19 Thread sami . rahal
Hello, thank you for your feedback.
Yes, it works like that! But it does not work for a domain name that already 
has the return code "SERVFAIL" when we want to change this code to "NXDOMAIN", 
like this domain name "antlauncher.com".
Regards, Rahal

-Original Message-
From: bind-users On Behalf Of bind-users-requ...@lists.isc.org
Sent: Saturday 17 June 2023 06:23
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 4262, Issue 1


Today's Topics:

   1. replace "SERVFAIL"  to "NXDOMAIN"  with rpz
  (sami.ra...@sofrecom.com)
   2. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Crist Clark)
   3. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Fred Morris)
   4. Re: replace "SERVFAIL" to "NXDOMAIN" with rpz (Ondřej Surý)


--

Message: 1
Date: Fri, 16 Jun 2023 20:39:43 +
From: sami.ra...@sofrecom.com
To: "bind-users@lists.isc.org" 
Subject: replace "SERVFAIL"  to "NXDOMAIN"  with rpz
Message-ID: <9c4465dc103645149093f4d3f60cf...@sofrecom.com>
Content-Type: text/plain; charset="us-ascii"


Hello
For monitoring reasons I am trying to change the return code of a domain name 
from "SERVFAIL" to "NXDOMAIN" with the classic rpz configuration of BIND 9.16.42 
as follows:
example.com IN CNAME .
*.example.com IN CNAME .
But it still doesn't work; I still get the message "SERVFAIL". Is it 
feasible or not, please?
Kind regards



--

Message: 2
Date: Fri, 16 Jun 2023 20:29:16 -0700
From: Crist Clark 
To: sami.ra...@sofrecom.com
Cc: "bind-users@lists.isc.org" 
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
Message-ID:

Content-Type: text/plain; charset="utf-8"

That should return a NXDOMAIN. Returning SERVFAIL is never a normal RPZ action. 
Something is wrong with your configuration.

On Fri, Jun 16, 2023 at 1:39 PM wrote:

>
>
> Hello
>
> For monitoring reasons I am trying to change the return code of a domain 
> name from "SERVFAIL" to "NXDOMAIN" with the classic rpz configuration 
> of BIND 9.16.42 as follows:
>
> example.com IN CNAME .
>
> *.example.com IN CNAME .
>
> But it still doesn't work; I still get the message "SERVFAIL". Is 
> it feasible or not, please?
>
> Kind regards
>
>
>


--

Message: 3
Date: Fri, 16 Jun 2023 21:40:11 -0700 (PDT)
From: Fred Morris 
To: "bind-users@lists.isc.org" 
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
Message-ID: 
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Admittedly, since I'm writing software to do "off label" stuff with DNS I make 
mistakes. But I have seen things along this line (interactions between RPZ and 
regular resolution in the context of "broken" domains): in some cases it has 
seemed impossible to ameliorate / mitigate SERVFAIL utilizing RPZ.

I'll try to pay more attention and see if I can isolate a test case if the 
problem recurs. (I was kind of hoping someone would have a solution!)

--

Fred Morris

On Fri, 16 Jun 2023, Crist Clark wrote:
> 
> That should return a NXDOMAIN. Returning SERVFAIL is never a normal 
> RPZ action. Something is wrong with your configuration.
>
> On Fri, Jun 16, 2023 at 1:39 PM wrote:
>>
>> For monitoring reasons I am trying to change the return code of a domain 
>> name from "SERVFAIL" to "NXDOMAIN" with the classic rpz configuration 
>> of BIND 9.16.42 as follows:
>>
>> example.com IN CNAME .
>>
>> *.example.com IN CNAME .
>>
>> But it still doesn't work; I still get the message "SERVFAIL". Is 
>> it feasible or not, please?
>>

--

Message: 4
Date: Sat, 17 Jun 2023 07:22:50 +0200
From: Ondřej Surý 
To: Fred Morris 
Cc: bind-users@lists.isc.org
Subject: Re: replace "SERVFAIL" to "NXDOMAIN" with rpz
Message-ID: 
Content-Type: text/plain; 

replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-16 Thread sami . rahal

Hello
For monitoring reasons I am trying to change the return code of a domain name 
from "SERVFAIL" to "NXDOMAIN" with the classic rpz configuration of BIND 9.16.42 
as follows:
example.com IN CNAME .
*.example.com IN CNAME .
But it still doesn't work; I still get the message "SERVFAIL". Is it 
feasible or not, please?
Kind regards
