Re: bind configuration/setup question

2013-08-29 Thread mm half
Alan,

None of the files you listed (bind.keys, managed-keys.bind and 
managed-keys.bind.jnl) are in the bind installation directory, or the chroot 
that named is run in.   I did add the following line in the named.conf file :

managed-keys-directory "/var/log";


where /var/log is a writable directory for the userid named is run as. Re-hit 
the process with kill -1 (pid from named.pid), and the same errors are in the log file.


Also touched blank managed-keys.bind and managed-keys.bind.jnl files in 
/var/log, then re-hit the process, with the same results.


When I change the database directory to an OS writable directory in named.conf 
with this line in the options block:

directory "/var/log/namedb";          // Directory where data files are stored


the errors do not show up in the logs, but the database files are now writable 
to the OS. Note that user permissions are set so that the database files in 
/var/log/namedb and the /var/log/namedb directory itself are read-only for the 
userid named is run as.


Did I use the correct syntax for the managed-keys-directory options line, or is 
the problem that there is no bind.keys file with the managed-keys statements?


 
*The content of this message is my personal opinion only, and should not be 
construed as anything that has been through rigorous scrutiny of the 
professional groups who devote their life and work to the topics being 
discussed



 From: Alan Clegg a...@clegg.com
To: mm half mm_ha...@yahoo.com 
Cc: bind-users@lists.isc.org bind-users@lists.isc.org 
Sent: Wednesday, August 28, 2013 1:34 PM
Subject: Re: bind configuration/setup question
 


On Aug 28, 2013, at 1:29 PM, Alan Clegg a...@clegg.com wrote:
 
 I believe that what you are seeing is the result of BIND 9.9 doing more 
 things automatically, including bringing in a set of DNSSEC trust anchors 
 (root and DLV) and not being able to create the file.
 
 You should be able to use the option bindkeys-file to set a location that 
 is writable for this file.

And as soon as I sent this I realized that I'd goofed.  bind.keys is created on 
install (it is part of the problem, however).

This file contains managed-keys statements that I refer to below (and it was 
supposed to be keystore not keystone -- spellcheck will be the death of the 
computer industry).

 It's also going to happen if you use managed-keys, as there is a keystone 
 created that needs to be updated.  See the managed-keys-directory option.

This is where the problem lies.  The fact that you have managed-keys requires 
BIND to create a journal of updates made to the trust-anchor material.  Set 
managed-keys-directory to a writable directory and copy the managed-keys.bind 
and managed-keys.bind.jnl files there.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
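Alan's recommendation as an added example (not code from the thread or from ISC): keep the zone data on the read-only file system and point managed-keys-directory at one small directory that the named user can write, which is where managed-keys.bind and its .jnl journal live. The script prints that options fragment and checks an existing named.conf the way the poster's /var/log attempt should be checked: the option must be present with a quoted path, the directory must exist, and it must be writable by the user running the check. The user name and paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps BIND's zone data on a read-only
# file system while giving named one small writable directory for the
# managed-keys journal. All paths and the user name are assumptions.

NAMED_USER="${NAMED_USER:-named}"
DATA_DIR="${DATA_DIR:-/var/named/data}"            # zone files, read-only
KEYS_DIR="${KEYS_DIR:-/var/named/managed-keys}"    # managed-keys.bind + .jnl

# Print an options{} fragment that separates the read-only data directory
# from the writable managed-keys directory.
named_conf_options() {
    cat <<EOF
options {
    directory "$DATA_DIR";               // zone files: read-only to $NAMED_USER
    managed-keys-directory "$KEYS_DIR";  // trust-anchor journal: must be writable
};
EOF
}

# Command (printed, not executed) that creates the writable directory owned
# by the named user with no access for anyone else.
prepare_keys_dir_commands() {
    printf 'install -d -o %s -g %s -m 0700 %s\n' "$NAMED_USER" "$NAMED_USER" "$KEYS_DIR"
}

# Extract the managed-keys-directory value from a named.conf file.
# Prints the path, or nothing if the option is not set (or is unquoted).
managed_keys_dir_from_conf() {
    sed -n 's/^[[:space:]]*managed-keys-directory[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# Check that the configured directory exists and is writable by the
# current user. Run it as the named user (su/sudo) for a meaningful answer;
# a failure here is what named reports as "Read-only file system" (errno 30)
# or "Permission denied" when it tries to write managed-keys.bind.jnl.
check_managed_keys_dir() {
    dir=$(managed_keys_dir_from_conf "$1")
    if [ -z "$dir" ]; then
        echo "managed-keys-directory is not set (or not quoted) in $1" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist or is not a directory" >&2
        return 1
    fi
    if [ ! -w "$dir" ]; then
        echo "$dir is not writable by $(id -un)" >&2
        return 1
    fi
    echo "$dir"
}

# Stand-alone run: show the fragment and the preparation command.
if [ "${1:-}" = "--show" ]; then
    named_conf_options
    prepare_keys_dir_commands
fi
```

Run it with --show to see the fragment, or call check_managed_keys_dir /etc/named.conf as the named user after reloading to confirm the journal directory is usable before looking for "unexpected error" lines in the log.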

bind configuration/setup question

2013-08-28 Thread mm half
Hello,

Set up bind-9.9.2-P2 on a Solaris 10 system using zones (an Oracle 
implementation of OS virtualization), with a DNS data/configuration zone and a 
DNS zone. The DNS data zone is on a private network and has the DNS data 
tables for bind (the directory where data files are stored, per the named.conf 
options area), the bind installation, and the bind configuration file, 
named.conf. The DNS zone is on the internet-routable public network, and has 
the DNS data, bind installation, and bind configuration file available to it in 
a read-only file system. Figured that since we have successfully run earlier 
versions of bind on DNS servers with the data directory and data files 
read-only to the userid bind runs as, this would also work, and provide the 
added benefit of preventing the OS of the zone running bind on the public 
network from being able to modify the data area at all.

The DNS server using this configuration seems to be running fine, but each time 
bind re-reads the named.conf file these messages appear in named.log:


28-Aug-2013 12:12:37.565 general: info: reloading zones succeeded
28-Aug-2013 12:12:37.572 general: notice: all zones loaded
28-Aug-2013 12:12:37.573 general: notice: running
28-Aug-2013 12:12:37.573 general: error: file.c:300: unexpected error:
28-Aug-2013 12:12:37.573 general: error: unable to convert errno to isc_result: 30: Read-only file system
28-Aug-2013 12:12:39.279 general: error: file.c:300: unexpected error:
28-Aug-2013 12:12:39.279 general: error: unable to convert errno to isc_result: 30: Read-only file system



Is this error something to be worried about, or is it more of an info message? 
Also, is much even gained, security-wise, by disallowing the OS to write to the 
DNS data area? This particular error can be fixed by separating the DNS 
data directory from the bind configuration and bind installation, and putting 
it on a writable file system for the public DNS zone, but if the above error is 
only a warning I am thinking of keeping the data read-only as well. Any 
suggestions are appreciated.

Thanks


 
*The content of this message is my personal opinion only, and should not be 
construed as anything that has been through rigorous scrutiny of the 
professional groups who devote their life and work to the topics being 
discussed

Re: bind configuration/setup question

2013-08-28 Thread Alan Clegg

On Aug 28, 2013, at 12:53 PM, mm half mm_ha...@yahoo.com wrote:

 28-Aug-2013 12:12:37.565 general: info: reloading zones succeeded
 28-Aug-2013 12:12:37.572 general: notice: all zones loaded
 28-Aug-2013 12:12:37.573 general: notice: running
 28-Aug-2013 12:12:37.573 general: error: file.c:300: unexpected error:
 28-Aug-2013 12:12:37.573 general: error: unable to convert errno to isc_result: 30: Read-only file system
 28-Aug-2013 12:12:39.279 general: error: file.c:300: unexpected error:
 28-Aug-2013 12:12:39.279 general: error: unable to convert errno to isc_result: 30: Read-only file system
 
 Is this error something to be worried about, or is it more of an info 
 message? Also, is much even gained, security-wise, by disallowing the OS to 
 write to the DNS data area? This particular error can be fixed by 
 separating the DNS data directory from the bind configuration and bind 
 installation, and putting it on a writable file system for the public DNS 
 zone, but if the above error is only a warning I am thinking of keeping the 
 data read-only as well. Any suggestions are appreciated.

When I see the words "unexpected error" coming out of software, I'm always 
concerned.

I believe that what you are seeing is the result of BIND 9.9 doing more things 
automatically, including bringing in a set of DNSSEC trust anchors (root and 
DLV) and not being able to create the file.

You should be able to use the option bindkeys-file to set a location that is 
writable for this file.

It's also going to happen if you use managed-keys, as there is a keystone 
created that needs to be updated.  See the managed-keys-directory option.

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com




Re: ipv4, ipV6 DNS BIND configuration and deployment

2013-08-06 Thread Eduardo Bonsi

Dear Noel and Mark,

Thanks for your input!

After thinking about the IPv6 network configuration pros and cons, I 
decided to go for ULA for my internal network and use the /64, 
creating static IPs for my WAN. To get a set of ULA addresses I logged on to:


http://www.simpledns.com/private-ipv6.aspx

All BIND configurations and Apache for the virtual hosts are working 
well so far. IPv6 does connect directly using the OS X System Preferences 
Network Interface. I am going step by step and waiting to see if 
everything will be fine as time goes on. The good thing about IPv6 is 
that it frees us to assign IPs to every possible thing you can put your 
hands on out there. Mark, sorry, I did laugh when you said that my ISP 
should give me a /56 or /48. If with a /64 I have plenty of addresses, I 
have no idea what I would do with a /56 or /48. Probably I would open an 
ISP for myself and start to sell IPs. Looks like we are thinking in 
gazillions now. That is very good! I am one happy cow now!





Re: ipv4, ipV6 DNS BIND configuration and deployment

2013-08-06 Thread Mark Andrews

In message 5201cce6.2040...@pacbell.net, Eduardo Bonsi writes:
 Dear Noel and Mark,
 
 Thanks for your input!
 
 After thinking about the IPv6 network configuration pros and cons, I 
 decided to go for ULA for my internal network and use the /64, 
 creating static IPs for my WAN. To get a set of ULA addresses I logged on to:
 
 http://www.simpledns.com/private-ipv6.aspx
 
 All BIND configurations and Apache for the virtual hosts are working 
 well so far. IPv6 does connect directly using the OS X System Preferences 
 Network Interface. I am going step by step and waiting to see if 
 everything will be fine as time goes on. The good thing about IPv6 is 
 that it frees us to assign IPs to every possible thing you can put your 
 hands on out there. Mark, sorry, I did laugh when you said that my ISP 
 should give me a /56 or /48. If with a /64 I have plenty of addresses, I 
 have no idea what I would do with a /56 or /48. Probably I would open an 
 ISP for myself and start to sell IPs. Looks like we are thinking in 
 gazillions now. That is very good! I am one happy cow now!

It's not about addresses, other than having more than you will ever
need per subnet.  It's about not having to think about the size of
a subnet.  It's about using the same size subnet everywhere and
everyone in the world using the same sized subnets.  IPv6 addresses
were made as big as they were so this was possible.

Alternatives to the current 128 bit addresses used 64 bits of
addressing and variable sized subnets.  Going to 128 bits and having
/64 bits per subnet was seen as a good use of address space as
it simplifies operational complexity.  IPv6 nodes still need to
support variable sized subnets in case this decision ended up being
wrong in practice, but it is hoped that we will never need to use
that capability except when testing.

You use a /64 per subnet.  /60, /56, /52 and /48 give you 16, 256,
4096 and 65536 subnets to use respectively and are easily delegatable
in ip6.arpa as they fall on nibble boundaries.  Those are per site
allocations.

The smallest ISPs get /32s.

Mark

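Pulling the thread's IPv6 advice together as an added example (not code from the thread or from ISC): Eduardo fetched a ULA block from a web site, but RFC 4193 only asks for fd00::/8 followed by a random 40-bit Global ID, which the first function generates locally; the /48 is then carved into /64 subnets the way Mark describes (16, 256, 4096 or 65536 of them for a /60, /56, /52 or /48), and the last function prints the named.conf options Noel and Mark recommend: listen on ::1 plus the server's own address, and allow recursion only for locally connected networks and the internal ULA block. With no NAT in front of an IPv6 server, an allow-recursion of "any" makes it an open resolver, so a coarse check for that setting is included. The server addresses 2001:db8::53 and 192.0.2.53 and the sample /48 are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread or from ISC. Generates an RFC 4193
# Unique Local Address prefix, carves /64 subnets out of it, and prints a
# named.conf fragment with a dual-stack listener and a closed recursion
# policy. Addresses and the subnet ids used below are constructed samples.

# RFC 4193 ULA: fc00::/7 with the L bit set gives fd00::/8, followed by a
# 40-bit pseudo-random Global ID. Result: fdxx:xxxx:xxxx::/48.
generate_ula_prefix() {
    gid=$(od -An -N5 -tx1 /dev/urandom | tr -d ' \n')
    printf 'fd%s:%s:%s::/48\n' \
        "$(printf '%s' "$gid" | cut -c1-2)" \
        "$(printf '%s' "$gid" | cut -c3-6)" \
        "$(printf '%s' "$gid" | cut -c7-10)"
}

# Take a /48 such as fd12:3456:789a::/48 and a subnet id 0..65535 and
# return the /64 for that subnet (one /64 per link, 65536 of them in a /48).
ula_subnet() {
    base=${1%::/48}
    printf '%s:%04x::/64\n' "$base" "$2"
}

# Number of /64 subnets available in a site prefix of the given length.
subnets_in_prefix() {
    echo $(( 1 << (64 - $1) ))
}

# named.conf fragment: dual-stack listener and recursion limited to
# directly connected networks plus the internal ULA block.
named_conf_ipv6_options() {
    server_addr=$1   # the server's own global or ULA address
    site_prefix=$2   # the internal ULA /48
    cat <<EOF
options {
    listen-on    { 127.0.0.1; 192.0.2.53; };
    listen-on-v6 { ::1; $server_addr; };
    // Recursion only for directly connected networks and the internal ULA
    // block; everyone else gets authoritative answers only.
    allow-recursion   { localnets; $site_prefix; };
    allow-query-cache { localnets; $site_prefix; };
};
EOF
}

# Coarse check for the weak setting: "allow-recursion { any; }" on a server
# that is reachable over routable IPv6 makes it an open resolver.
recursion_is_open() {
    grep -Eq 'allow-recursion[[:space:]]*\{[^}]*any;' "$1"
}

# Stand-alone run: fresh prefix, its first two subnets, and the fragment.
if [ "${1:-}" = "--show" ]; then
    site=$(generate_ula_prefix)
    echo "site prefix:  $site"
    echo "subnet 0:     $(ula_subnet "$site" 0)"
    echo "subnet 1:     $(ula_subnet "$site" 1)"
    echo "/48 holds $(subnets_in_prefix 48) subnets, /56 holds $(subnets_in_prefix 56)"
    named_conf_ipv6_options 2001:db8::53 "$site"
fi
```

Generate the prefix once and keep it; regenerating it on every run would renumber the site. The ULA block belongs in allow-recursion because those addresses are never routed on the public internet, so a query arriving from one can only have come from inside.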

ipv4, ipV6 DNS BIND configuration and deployment

2013-08-04 Thread Eduardo Bonsi

Hello Everyone,

I have some questions about IPv6 transition and DNS configuration!

I am preparing to make my transition to a dual stack IPv4, IPv6 and I 
have some concerns in regards to the security of the network since IPv6 
does not have NAT. My ISP gave me a Global 
2602:000:000:000:000:000:000:000/64 Range, and I can just turn on IPv6 on 
the router and set the network to automatic on the computer, and I am 
connected through what they call a SLAAC IPv6 automatic conf network, 
that runs using the machine MAC address, which I am not very happy to 
adopt. I know well there is a way to mask the MAC address with random 
addresses as a security measure, but I am still not happy about it. 
Besides, there is all the BIND DNS configuration that needs to be routed, 
or I am stuck with a slow, broken SLAAC connection that works, but not 
to the level of the DNS server that I want to achieve. Therefore, as a 
network design, after analyzing my options, I have decided to use the 
static IPv4, IPv6 deployment approach that uses my IPv6 with the last 3 
bits of the IPv4 NAT addresses already in place. This static option does 
not expose the machine MAC addresses. However, the addresses are directly 
connected through IPv6, bypassing the NAT environment. On BIND, the only 
change I have in the named.conf file is the


listen-on-v6 { any; };

Therefore, here are my questions:

1. I am open to ideas or anything you think is best in choosing the best 
internal network design for IPv6.


2. Since this static IPv6 deployment lacks the non-routable NAT 
environment, what are the security measures to take on BIND in regards 
to the recursive issues on IPv6?


3. Are there any other security issues that I should consider?


Many Thanks!

Eduardo

--
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net



Re: ipv4, ipV6 DNS BIND configuration and deployment

2013-08-04 Thread Mark Andrews

In message 51feb96d.3070...@pacbell.net, Eduardo Bonsi writes:
 Hello Everyone,
 
 I have some questions about IPv6 transition and DNS configuration!
 
 I am preparing to make my transition to a dual stack IPv4, IPv6 and I 
 have some concerns in regards to the security of the network since IPv6 
 does not have NAT. My ISP gave me a Global 
 2602:000:000:000:000:000:000:000/64

Truly, your ISP should be giving you a /48 or, as a minimum, a /56.
A /64 is a single subnet.  Your ISP will be getting addresses based
on giving customers a /56 or /48.

 Range, and I can just turn on IPv6 on 
 the router and set the network to automatic on the computer, and I am 
 connected through what they call a SLAAC IPv6 automatic conf network, 
 that runs using the machine MAC address, which I am not very happy to 
 adopt. I know well there is a way to mask the MAC address with random 
 addresses as a security measure, but I am still not happy about it. 

And why are you not happy?  Because someone said there was an issue
with it.  Do you understand the reasoning behind the issue, and does
it apply to your use of the network?  Because in many cases it doesn't.

Too often I see people complaining that MAC addresses are buried
in IPv6 addresses when in reality it is *not* a security issue for
the use case.

Modern IPv6 stacks use both types of address for different purposes.
Saying one is unhappy is quite often a knee-jerk reaction that
doesn't stand up to rigorous analysis.  This is not to say you haven't
done that analysis, but given modern stacks I find complaints like
this just don't stack up.

 Besides, there is all the BIND DNS configuration that needs to be routed, 
 or I am stuck with a slow, broken SLAAC connection that works, but not 
 to the level of the DNS server that I want to achieve. Therefore, as a 
 network design, after analyzing my options, I have decided to use the 
 static IPv4, IPv6 deployment approach that uses my IPv6 with the last 3 
 bits of the IPv4 NAT addresses already in place. This static option does 
 not expose the machine MAC addresses. 

 However, the addresses are directly 
 connected through IPv6, bypassing the NAT environment. On BIND, the only 
 change I have in the named.conf file is the
 
 listen-on-v6 { any; };
 
 Therefore, here are my questions:
 
 1. I am open to ideas or anything you think is best in choosing the best 
 internal network design for IPv6.

Get more address space from your ISP.  Use temporary addresses.
 
 2. Since this static IPv6 deployment lacks the non-routable NAT 
 environment, what are the security measures to take on BIND in regards 
 to the recursive issues on IPv6?

Same as with IPv4.  Locally connected networks are allowed to
recurse.
 
 3. Are there any other security issues that I should consider?
 
 
 Many Thanks!
 
 Eduardo
 
 -- 
 Eduardo Bonsi
 System - Network Admin
 beart...@pacbell.net
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: ipv4, ipV6 DNS BIND configuration and deployment

2013-08-04 Thread Noel Butler
On Sun, 2013-08-04 at 13:28 -0700, Eduardo Bonsi wrote:

 Hello Everyone,
 
 I have some questions about IPv6 transition and DNS configuration!
 
 I am preparing to make my transition to a dual stack IPv4, IPv6 and I 
 have some concerns in regards to the security of the network since IPv6 
 does not have NAT. My ISP gave me a Global 
 2602:000:000:000:000:000:000:000/64 Range, and I can just turn on IPv6 on 
 the router and set the network to automatic on the computer, and I am 
 connected through what they call a SLAAC IPv6 automatic conf network, 
 that runs using the machine MAC address, which I am not very happy to 
 adopt. I know well there is a way to mask the MAC address with random 
 addresses as a security measure, but I am still not happy about it. 
 Besides, there is all the BIND DNS configuration that needs to be routed, 
 or I am stuck with a slow, broken SLAAC connection that works, but not 
 to the level of the DNS server that I want to achieve. Therefore, as a 
 network design, after analyzing my options, I have decided to use the 
 static IPv4, IPv6 deployment approach that uses my IPv6 with the last 3 
 bits of the IPv4 NAT addresses already in place. This static option does 
 not expose the machine MAC addresses. However, the addresses are directly 
 connected through IPv6, bypassing the NAT environment. On BIND, the only 
 change I have in the named.conf file is the
 
 listen-on-v6 { any; };
 


listen-on-v6  ::1 and your dns server ipv6 address


 Therefore, here are my questions:
 
 1. I am open to ideas or anything you think is best in choosing the best 
 internal network design for IPv6.
 


Static IP assignments on your LAN; as far as your ISP is concerned they
will just route your /64 via your router's IP. Sure, you can do auto
assignments, but I think if they are servers it's best to do static.


 2. Since this static IPv6 deployment lacks the non-routable NAT 
 environment, what are the security measures to take on BIND in regards 
 to the recursive issues on IPv6?
 


With IPv6 you no longer have security by accident (NAT). If you have
a /64 your router will route for all. Forget all the bad habits of the
lazy IPv4 days; now you need to configure access lists on your router,
but also play it safe and configure firewalls on each machine,
especially if they are winblows boxes.



 3. Are there any other security issues that I should consider?
 


Don't be over-aggressive with filtering. You do not mention the OS, but
if it's Linux:

ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP

ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -j LOG
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

... insert ACCEPTs for your LAN and whatever other IPv6 addresses you
need with full access here...

# DNS listener: port 53, UDP and TCP
ip6tables -A INPUT -p udp -d you:ipv6:dns:server:address --dport 53 -j ACCEPT
ip6tables -A INPUT -p tcp -d you:ipv6:dns:server:address --dport 53 -j ACCEPT


and.. importantly..
ip6tables -A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT    # Destination unreachable
ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT    # Packet too big
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT    # Time exceeded
ip6tables -A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT    # Parameter problem
ip6tables -A INPUT -s your:gateway:ip -p icmpv6 --icmpv6-type 135 -j ACCEPT    # Neighbour solicitation
ip6tables -A INPUT -s your:gateway:ip -p icmpv6 --icmpv6-type 136 -j ACCEPT    # Neighbour advertisement

You *will* need the above accepts regardless, since your default policy
is DROP; if not, you may find IPv6 reachability problems. In fact, you may
not even be able to connect outbound without types 135/136 (neighbour
discovery).





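The same host firewall as an added example (not Noel's own rules, not from ISC), rebuilt as a shell function so the ruleset can be printed for review before it is applied and so the addresses are parameters rather than edited in place. It keeps Noel's structure (default DROP, loopback, established traffic, the ICMPv6 error types and neighbour discovery) and adds what a DNS host needs in practice: port 53 over UDP and TCP, a hop-limit 255 match on neighbour discovery so only on-link senders pass it, rate-limited echo requests, and one LAN prefix with full access. 2001:db8::53 and fd12:3456:789a::/48 are constructed sample values.

```shell
#!/bin/sh
# Added example, not the list poster's rules. Builds an IPv6 host firewall
# for a DNS server as a function; IP6T selects the command that receives
# each rule, so the set can be printed for review before being applied.
# The address and prefix used in the dry run are constructed samples.

IP6T="${IP6T:-ip6tables}"

# Dry-run sink: prints the rule instead of loading it.
print_rule() {
    printf '%s\n' "$*"
}

build_ip6tables_rules() {
    dns_addr=$1      # the address named listens on (sample: 2001:db8::53)
    lan_prefix=$2    # internal network allowed full access (sample ULA /48)

    # Default deny inbound, allow outbound, never forward on a host.
    $IP6T -P INPUT DROP
    $IP6T -P OUTPUT ACCEPT
    $IP6T -P FORWARD DROP

    # Loopback, replies to our own connections, and nothing malformed.
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A INPUT -m conntrack --ctstate INVALID -j DROP

    # ICMPv6 error messages: without type 2 (Packet Too Big) path MTU
    # discovery fails and large DNS answers are silently lost.
    for t in 1 2 3 4; do
        $IP6T -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Neighbour Discovery (133-136). RFC 4861 requires hop limit 255, which
    # a router cannot forward, so this match only passes on-link senders.
    for t in 133 134 135 136; do
        $IP6T -A INPUT -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done
    # Echo requests, rate limited so a ping flood does not starve named.
    $IP6T -A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT

    # Internal network gets full access (management, zone transfers).
    $IP6T -A INPUT -s "$lan_prefix" -j ACCEPT

    # Public DNS service: UDP and TCP on 53 (TCP for truncated answers and
    # zone transfers), only to the address named actually listens on.
    $IP6T -A INPUT -p udp -d "$dns_addr" --dport 53 -j ACCEPT
    $IP6T -A INPUT -p tcp -d "$dns_addr" --dport 53 -j ACCEPT

    # Log new SSH attempts from outside before the default DROP takes them.
    $IP6T -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m limit --limit 5/min -j LOG --log-prefix "ip6 ssh: "
}

# Print the ruleset without touching the kernel.
dry_run_ip6tables_rules() {
    IP6T=print_rule
    build_ip6tables_rules "$@"
}

if [ "${1:-}" = "--dry-run" ]; then
    dry_run_ip6tables_rules 2001:db8::53 fd12:3456:789a::/48
fi
```

Run with --dry-run to read the rules, then call build_ip6tables_rules with the real address and prefix (as root, with the default ip6tables) once they look right; an ip6tables -F beforehand keeps repeated runs from stacking duplicate rules.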

Re: ipv4, ipV6 DNS BIND configuration and deployment

2013-08-04 Thread Eduardo Bonsi

Mark,

I really did not mean things that way when I used the word happy. Let's 
say that I am concerned with it, and that means if anyone can express 
their views towards being more secure with IPv6, I am sure to 
consider it. We probably diverge in opinion about exposing MAC 
addresses as a public address, and that is ok, and maybe it is not a big 
deal anyway.


Thanks for your views on the issue!

Eduardo






--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net
webmas...@beart.com


Re: BIND Configuration

2013-05-10 Thread Carlos Martinez
DNS is not the place to solve that problem, it's the routing layer.

Use Bgp Luke  :-)

Sent from my iPad

On 08/05/2013, at 15:24, Sten Carlsen st...@s-carlsen.dk wrote:

 I believe your major point is the routing tables because they determine how 
 the response is trying to get out.
 
 
 On 08/05/13 22:22, Steven Carr wrote:
 You will need to have some form of automation in place to update the
 DNS zone to change the IP address which should now be accessed when
 one of the links goes down. You will also need to ensure you have a
 low TTL value on the records you want to update on link change so that
 the records are refreshed quickly.
 
 
 
 On 8 May 2013 20:40, Ward, Mike S mw...@ssfcu.org wrote:
 Hello all, I was wondering if someone could help me out.
 
 I am using BIND 9.2 on a Red Hat Linux server. We have two ISPs on separate 
 networks. Let's call them A and B. My Linux server can listen on A's network 
 as well as B's network.
 I'm using fictitious IPs and names.
 
 A 111.111.111.1  B 555.555.555.1
 Secondary A 111.111.222.1
 
   Redhat  Bind
 
 Bind is listening on both IP addresses and we have a secondary server at 
 111.111.222.1
 
 
 If ISP A has a backbone router problem, how can I get people trying to 
 get to our web servers to use B's network? I have been thinking of different 
 ways to do this, but have come up empty.
 
 Our network is really simple. I just want to be able to use diverse ISPs so 
 that if we lose one we still have the other. Can anyone help me out? Any help 
 appreciated.
 
 Thanks.
 
 ==
 This email, and any files transmitted with it, is confidential and intended 
 solely for the use of the individual or entity to which it is addressed. If 
 you have received this email in error, please notify the system manager. 
 This message contains confidential information and is intended only for the 
 individual named. If you are not the named addressee, you should not 
 disseminate, distribute or copy this e-mail. Please notify the sender 
 immediately by e-mail if you have received this message by mistake and 
 delete this e-mail from your system. If you are not the intended recipient, 
 you are notified that disclosing, copying, distributing or taking any 
 action in reliance on the contents of this information is strictly 
 prohibited.
 
 -- 
 Best regards
 
 Sten Carlsen
 
 No improvements come from shouting:
MALE BOVINE MANURE!!!

Re: BIND Configuration

2013-05-10 Thread Warren Kumari

On May 9, 2013, at 8:44 AM, Carlos Martinez carlosm3...@gmail.com wrote:

 DNS is not the place to solve that problem, it's the routing layer.

Yes, but *sometimes* DNS is the right layer for this… For example, if you have 
2 sites (so you can remain up when a meteor / flood / avalanche hits one), if 
you need better latency, etc.

I guess the short answer is "Redundancy is hard, let's go shopping…"

 
 Use BGP, Luke  :-)
 
 Sent from my iPad
 
 On 08/05/2013, at 15:24, Sten Carlsen st...@s-carlsen.dk wrote:
 
 I believe your major point is the routing tables because they determine how 
 the response is trying to get out.
 
 
 On 08/05/13 22:22, Steven Carr wrote:
 You will need to have some form of automation in place to update the
 DNS zone to change the IP address which should now be accessed when
 one of the links goes down. You will also need to ensure you have a
 low TTL value on the records you want to update on link change so that
 the records are refreshed quickly.
 
 
 
 On 8 May 2013 20:40, Ward, Mike S mw...@ssfcu.org wrote:
 
 Hello all, I was wondering if someone could help me out.
 
 I am using BIND 9.2 on a Red Hat Linux server. We have two ISPs on separate 
 networks. Let's call them A and B. My Linux server can listen on A's network 
 as well as B's network.
 I'm using fictitious IPs and names.
 
 A 111.111.111.1  B 555.555.555.1   
  Secondary A 111.111.222.1
 
   Redhat  Bind
 
 Bind is listening on both IP addresses and we have a secondary server at 
 111.111.222.1
 
 
 If ISP A has a backbone router problem, how can I get people trying to 
 get to our web servers to use B's network? I have been thinking of different 
 ways to do this, but have come up empty.
 
 Our network is really simple. I just want to be able to use diverse ISPs so 
 that if we lose one we still have the other. Can anyone help me out? Any help 
 appreciated.
 
 Thanks.
 
 
 -- 
 Best regards
 
 Sten Carlsen
 
 No improvements come from shouting:
MALE BOVINE MANURE!!!
 

--
After you'd known Christine for any length of time, you found yourself fighting 
a desire to look into her ear to see if you could spot daylight coming the 
other way.

-- (Terry Pratchett, Maskerade)






Re: BIND Configuration

2013-05-09 Thread WBrown
I don't know how it's done, I'm not a networking guru, but here we have 2 
upstream providers and somehow we route out through both, and both can 
route into our /16 network.  No messing with DNS changes depending on 
which ISP is having problems.

As Clarke's third law states, "Any sufficiently advanced technology is 
indistinguishable from magic."

Bill



Confidentiality Notice: 
This electronic message and any attachments may contain confidential or 
privileged information, and is intended only for the individual or entity 
identified above as the addressee. If you are not the addressee (or the 
employee or agent responsible to deliver it to the addressee), or if this 
message has been addressed to you in error, you are hereby notified that 
you may not copy, forward, disclose or use any part of this message or any 
attachments. Please notify the sender immediately by return e-mail or 
telephone and delete this message from your system.


RE: BIND Configuration

2013-05-09 Thread Ward, Mike S
Sounds like they are using BGP for routing. That's probably the way we are 
going to go. That way we don't have to make any crazy changes in our bind 
configurations. Thanks all for the replies.

-Original Message-
From: bind-users-bounces+mward=ssfcu@lists.isc.org 
[mailto:bind-users-bounces+mward=ssfcu@lists.isc.org] On Behalf Of 
wbr...@e1b.org
Sent: Thursday, May 09, 2013 7:17 AM
To: bind-users@lists.isc.org
Subject: Re: BIND Configuration

I don't know how it's done, I'm not a networking guru, but here we have 2 
upstream providers and somehow we route out through both, and both can route into 
our /16 network.  No messing with DNS changes depending on which ISP is 
having problems.

As Clarke's third law states, "Any sufficiently advanced technology is 
indistinguishable from magic."

Bill






BIND Configuration

2013-05-08 Thread Ward, Mike S
Hello all, I was wondering if someone could help me out. 

I am using BIND 9.2 on a Red Hat Linux server. We have two ISPs on separate 
networks. Let's call them A and B. My Linux server can listen on A's network as 
well as B's network.
I'm using fictitious IPs and names.

A 111.111.111.1  B 555.555.555.1
Secondary A 111.111.222.1

  Redhat  Bind

Bind is listening on both IP addresses and we have a secondary server at 
111.111.222.1


If ISP A has a backbone router problem, how can I get people trying to get 
to our web servers to use B's network? I have been thinking of different ways to 
do this, but have come up empty.

Our network is really simple. I just want to be able to use diverse ISPs so that 
if we lose one we still have the other. Can anyone help me out? Any help 
appreciated.

Thanks.



Re: BIND Configuration

2013-05-08 Thread Steven Carr
You will need to have some form of automation in place to update the
DNS zone to change the IP address which should now be accessed when
one of the links goes down. You will also need to ensure you have a
low TTL value on the records you want to update on link change so that
the records are refreshed quickly.



On 8 May 2013 20:40, Ward, Mike S mw...@ssfcu.org wrote:
 Hello all, I was wondering if someone could help me out.

 I am using BIND 9.2 on a Red Hat Linux server. We have two ISPs on separate 
 networks. Let's call them A and B. My Linux server can listen on A's network as 
 well as B's network.
 I'm using fictitious IPs and names.

 A 111.111.111.1  B 555.555.555.1  
   Secondary A 111.111.222.1

   Redhat  Bind

 Bind is listening on both IP addresses and we have a secondary server at 
 111.111.222.1


 If ISP A has a backbone router problem, how can I get people trying to get 
 to our web servers to use B's network? I have been thinking of different ways to 
 do this, but have come up empty.

 Our network is really simple. I just want to be able to use diverse ISPs so 
 that if we lose one we still have the other. Can anyone help me out? Any help 
 appreciated.

 Thanks.



Re: BIND Configuration

2013-05-08 Thread Sten Carlsen
I believe your major point is the routing tables because they determine
how the response is trying to get out.


On 08/05/13 22:22, Steven Carr wrote:
 You will need to have some form of automation in place to update the
 DNS zone to change the IP address which should now be accessed when
 one of the links goes down. You will also need to ensure you have a
 low TTL value on the records you want to update on link change so that
 the records are refreshed quickly.



 On 8 May 2013 20:40, Ward, Mike S mw...@ssfcu.org wrote:
 Hello all, I was wondering if someone could help me out.

 I am using BIND 9.2 on a Red Hat Linux server. We have two ISPs on separate 
 networks. Let's call them A and B. My Linux server can listen on A's network 
 as well as B's network.
 I'm using fictitious IPs and names.

 A 111.111.111.1  B 555.555.555.1 
Secondary A 111.111.222.1

   Redhat  Bind

 Bind is listening on both IP addresses and we have a secondary server at 
 111.111.222.1


 If ISP A has a backbone router problem, how can I get people trying to 
 get to our web servers to use B's network? I have been thinking of different 
 ways to do this, but have come up empty.

 Our network is really simple. I just want to be able to use diverse ISPs so 
 that if we lose one we still have the other. Can anyone help me out? Any help 
 appreciated.

 Thanks.


-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   MALE BOVINE MANURE!!!


Re: BIND Configuration

2013-05-08 Thread Lawrence K. Chen, P.Eng.
That's kind of how we do our DR...

I have things scripted so that every update to our zone results in two versions 
of the zone file... the master server signs the first one and does its usual 
notifies, then the master signs the second and it's scp'd to secondaries in 
another network.

In the event we lose our connectivity... we can direct the remote slave to take 
over with the alternate signed zone file, so that our main web presence 
will resolve to servers at our DR site... which we don't yet have :)

- Original Message -
 You will need to have some form of automation in place to update the
 DNS zone to change the IP address which should now be accessed when
 one of the links goes down. You will also need to ensure you have a
 low TTL value on the records you want to update on link change so
 that
 the records are refreshed quickly.
 
 
 
 On 8 May 2013 20:40, Ward, Mike S mw...@ssfcu.org wrote:
  Hello all, I was wondering if someone could help me out.
 
  I am using BIND 9.2 on a Red Hat Linux server. We have two ISPs on
  separate networks. Let's call them A and B. My Linux server can
  listen on A's network as well as B's network.
  I'm using fictitious IPs and names.
 
  A 111.111.111.1  B 555.555.555.1
 Secondary A 111.111.222.1
 
Redhat  Bind
 
  Bind is listening on both IP addresses and we have a secondary
  server at 111.111.222.1
 
 
  If ISP A has a backbone router problem, how can I get people
  trying to get to our web servers to use B's network? I have been
  thinking of different ways to do this, but have come up empty.
 
  Our network is really simple. I just want to be able to use diverse
  ISPs so that if we lose one we still have the other. Can anyone help
  me out? Any help appreciated.
 
  Thanks.
 


Bind configuration and log error

2012-05-23 Thread Amira Othman
Hi all,

I have in my messages log file many lines as follows, but with different
domains unreachable. What does this mean?

named[15490]: network unreachable resolving 'platinum.cs.umanitoba.ca/A/IN'

Also, I can't dig, nslookup or ping my DNS server remotely. What should I do
to enable that?

Regards



Re: Bind configuration and log error

2012-05-23 Thread Matus UHLAR - fantomas

On 23.05.12 12:56, Amira Othman wrote:

I have in my messages log file many lines as follows, but with different
domains unreachable. What does this mean?

named[15490]: network unreachable resolving 'platinum.cs.umanitoba.ca/A/IN'

Also, I can't dig, nslookup or ping my DNS server remotely. What should I do
to enable that?


Your server apparently has problems with internet connectivity. Is it 
behind a firewall?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Spam is for losers who can't get business any other way.


Re: Bind configuration and log error

2012-05-23 Thread Mike Hoskins
-Original Message-
From: Matus UHLAR - fantomas uh...@fantomas.sk
Date: Wednesday, May 23, 2012 4:04 AM
To: bind-users@lists.isc.org
Subject: Re: Bind configuration and log error

On 23.05.12 12:56, Amira Othman wrote:
I have in my messages log file many lines as follows, but with different
domains unreachable. What does this mean?

named[15490]: network unreachable resolving
'platinum.cs.umanitoba.ca/A/IN'

Also, I can't dig, nslookup or ping my DNS server remotely. What should
I do to enable that?

Your server apparently has problems with internet connectivity. Is it
behind a firewall?

i suppose it could be peering or some other internet anomaly as well,
anything affecting connectivity?

i'm in the middle of migrating several large sites from tiny to bind and
had to work through errors in logs with firewall admins...  allowing
general 'any 53 udp/tcp' access and adjusting permissible udp payload size
for edns are the two main examples which are well understood.  that said,
even after the firewall admins opened up access to any on 53 udp/tcp from
the name servers i still see these in my logs...but only occasionally and
typically for hosts that are far away geographically.

after having the firewall configuration shown to me in plain text, i
mostly wrote it off...how often do others see this?

thanks!




Bind configuration

2012-05-21 Thread Amira Othman
Hi all 

I have configured bind9 on CentOS 5.8 but I still can't nslookup my domain.
Below is my configuration:


Named.conf

key "rndckey" {
algorithm   hmac-md5;
secret
"jQdcyY1HIkooWVB24Dr4uX5jrVcuZFNEJaGa9Q5e3otOjSrcMVGOwhACivlX";
};
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
zone "cairosource" {
type master;
notify no;
file "cairosource.zone";
};

Zone file

; BIND db file for cairosource.com

$TTL 86400

@   IN  SOA nameserverof domain. mail account. (
2012051810
28800
7200
864000
86400 )

NS  ns1
localhost A  127.0.0.1
ns1   A  server local ip
mydomainname   A   server external ip

any help please ?



Re: Bind configuration

2012-05-21 Thread Eivind Olsen
Use the full zone name in the zone definition.

zone "cairosource" 

Regards
Eivind Olsen

On 21 May 2012 at 16:33, Amira Othman a.oth...@cairosource.com wrote:

 Hi all 
 
 I have configured bind9 on CentOS 5.8 but I still can't nslookup my domain.
 Below is my configuration:
 
 
 Named.conf
 
 key "rndckey" {
algorithm   hmac-md5;
secret
 "jQdcyY1HIkooWVB24Dr4uX5jrVcuZFNEJaGa9Q5e3otOjSrcMVGOwhACivlX";
 };
 options {
 directory "/var/named";
 pid-file "/var/run/named/named.pid";
 zone "cairosource" {
type master;
notify no;
file "cairosource.zone";
 };
 
 Zone file
 
 ; BIND db file for cairosource.com
 
 $TTL 86400
 
 @   IN  SOA nameserverof domain. mail account. (
2012051810
28800
7200
864000
86400 )
 
NS  ns1
 localhost A  127.0.0.1
 ns1   A  server local ip
 mydomainname   A   server external ip
 
 any help please ?
 


Catchall BIND configuration for DNS parking service

2011-06-10 Thread Gianfranco Pra Floriani

Hello there,
I'm trying to configure BIND (BIND 9.7.3) as a catchall DNS server for a parking domain service. This is a way to let 
users/clients park their domains automatically by pointing primary and secondary DNS servers there. It should work with ANY TLD 
(both generic and country codes).


In named.conf, I have created a test zone (for debugging purposes, will be 
removed once working):

zone "working.test" IN { type master; file "parked.domains"; };

and I have defined the "." zone as master:

zone "." IN { type master; file "parked.domains"; };

So, as you see, both "working.test" and "." use the same zone.

The parked.domains zone looks like this:

$TTL 86400
; parked.domains zone
@   IN  SOA ns1.parkingdomini.com. 
postmaster.ns1.parkingdomini.com. (
2011052800
86400
3600
604800
86400 )
NS  ns1.parkingdomini.com.
NS  ns2.parkingdomini.com.

MX  100 mail.parkingdomini.com.
IN  A   1.2.3.4
*   IN  A   1.2.3.4

Here is the problem:
If I explicitly declare a zone in named.conf with parked.domains as the zone file, it behaves correctly. But as a catchall it is not 
answering correctly.

If I run:

dig working.test @localhost ANY

the ANSWER SECTION IS:

;; ANSWER SECTION:
working.test.   86400   IN  SOA ns1.parkingdomini.com. postmaster.ns1.parkingdomini.com. 2011052800 86400 3600 604800 86400

working.test.   86400   IN  NS  ns1.parkingdomini.com.
working.test.   86400   IN  NS  ns2.parkingdomini.com.
working.test.   86400   IN  MX  100 mail.parkingdomini.com.
working.test.   86400   IN  A   1.2.3.4

while, if I dig anything else, the ANSWER SECTION IS:

;; ANSWER SECTION:
somethingelse.test. 86400   IN  A   1.2.3.4

Why? The zone defined is exactly the same.

Any help is welcome.
Thank you
gian

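Why the same zone file answers differently at "." than at "working.test.", as an added example that is not part of the original post or of BIND: a small model of RFC 1034/4592 authoritative lookup, fed the parked.domains records quoted above at both origins. The zone representation and the lookup function are this example's own; only the records come from the post.

```python
"""Model of authoritative lookup (RFC 1034 s4.3.2, RFC 4592) for the
parked.domains zone above, loaded once as zone "working.test." and once as
the catch-all zone ".".  Added example; not BIND's code."""
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]            # (owner, type, rdata), master-file form
Zone = Dict[str, List[Tuple[str, str]]]  # owner FQDN -> [(type, rdata), ...]

# The records from the parked.domains file quoted in the post ("@" = origin).
PARKED_DOMAINS: List[Record] = [
    ("@", "SOA", "ns1.parkingdomini.com. postmaster.ns1.parkingdomini.com. "
                 "2011052800 86400 3600 604800 86400"),
    ("@", "NS", "ns1.parkingdomini.com."),
    ("@", "NS", "ns2.parkingdomini.com."),
    ("@", "MX", "100 mail.parkingdomini.com."),
    ("@", "A", "1.2.3.4"),
    ("*", "A", "1.2.3.4"),
]


def _fqdn(owner: str, origin: str) -> str:
    """Expand a master-file owner name relative to the zone origin."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return owner + "." if origin == "." else owner + "." + origin


def load_zone(records: List[Record], origin: str) -> Zone:
    """Build the owner -> RRset map the way named does when loading a file."""
    zone: Zone = {}
    for owner, rtype, rdata in records:
        zone.setdefault(_fqdn(owner, origin), []).append((rtype, rdata))
    return zone


def _parent(name: str) -> str:
    """Drop the leftmost label: "a.test." -> "test.", "test." -> "."."""
    _, _, tail = name.partition(".")
    return tail or "."


def _exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns data or has descendants (empty non-terminal).
    A wildcard owner "*.x" does not make arbitrary children of x exist."""
    if name == ".":
        return True
    return any(o == name or o.endswith("." + name) for o in zone)


def lookup(zone: Zone, origin: str, qname: str) -> List[Record]:
    """Answer section of a QTYPE=ANY query: the RRsets owned by qname, or
    RRsets synthesized from the matching wildcard, or [] (NODATA/NXDOMAIN)."""
    if not (origin == "." or qname == origin or qname.endswith("." + origin)):
        raise ValueError(f"{qname} is outside zone {origin}")
    if qname in zone:                       # exact match: wildcards never apply
        return [(qname, t, r) for t, r in zone[qname]]
    if _exists(zone, qname):                # empty non-terminal: NODATA
        return []
    encloser = _parent(qname)               # closest encloser (RFC 4592 3.3.1)
    while not _exists(zone, encloser):
        encloser = _parent(encloser)
    wildcard = "*." if encloser == "." else "*." + encloser
    if wildcard in zone:                    # synthesize: the owner becomes qname
        return [(qname, t, r) for t, r in zone[wildcard]]
    return []                               # NXDOMAIN


def answer_types(zone: Zone, origin: str, qname: str) -> List[str]:
    """Only the record types in the answer, for comparing with dig output."""
    return [t for _, t, _ in lookup(zone, origin, qname)]


def demo() -> Dict[str, List[str]]:
    explicit = load_zone(PARKED_DOMAINS, "working.test.")
    catchall = load_zone(PARKED_DOMAINS, ".")
    return {
        # apex of its own zone: SOA, NS, MX and A all live at working.test.
        "working.test. (own zone)": answer_types(explicit, "working.test.", "working.test."),
        # same file at origin ".": the apex records live at ".", the query
        # name only matches "*." and so only the wildcard A is synthesized
        "somethingelse.test. (catch-all)": answer_types(catchall, ".", "somethingelse.test."),
        "working.test. (catch-all)": answer_types(catchall, ".", "working.test."),
        "a.b.somethingelse.test. (catch-all)": answer_types(catchall, ".", "a.b.somethingelse.test."),
        ". (catch-all apex)": answer_types(catchall, ".", "."),
    }


if __name__ == "__main__":
    for query, types in demo().items():
        print(f"{query:40} -> {' '.join(types)}")
```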


Re: Catchall BIND configuration for DNS parking service

2011-06-10 Thread Mark Andrews

Named really isn't designed to be a catch all server.  It's designed
to serve the configured zones and only the configured zones.  That
being said the later versions of named allow zones to be added via
rndc so the configuration effort required to add a new zone is much
lower.

e.g.
rndc addzone 'example.com { type master; file "parked.domains"; };'

However, if even this is too much effort I would just use a specialised
server that has been configured to know which label patterns identify
end user zones and can generate canned responses based on that
identification.

e.g.
label.com 
label.com.au

Mark

In message 4df143b2.2090...@ipfrom.com, Gianfranco Pra Floriani writes:
 Hello there,
 I'm trying to configure BIND (BIND 9.7.3) as a catchall DNS server for a parking domain service. This is a way to let 
 users/clients park their domains automatically by pointing primary and secondary DNS servers there. It should work with ANY TLD 
 (both generic and country codes).
 
 In named.conf, I have created a test zone (for debugging purposes, will be removed once working):
 
 zone "working.test" IN { type master; file "parked.domains"; };
 
 and I have defined the . zone as master:
 
 zone "." IN { type master; file "parked.domains"; };
 
 So, as you see, both "working.test" and "." use the same zone.
 
 The parked.domains zone looks like this:
 
 $TTL 86400
 ; parked.domains zone
 @   IN  SOA ns1.parkingdomini.com. postmaster.ns1.parkingdomini.com. (
  2011052800
  86400
  3600
  604800
  86400 )
  NS  ns1.parkingdomini.com.
  NS  ns2.parkingdomini.com.
 
  MX  100 mail.parkingdomini.com.
  IN  A   1.2.3.4
 *   IN  A   1.2.3.4
 
 Here is the problem:
 If I explicitly declare a zone in named.conf with parked.domains as the zone file, it behaves correctly. But as a catchall it is not 
 answering correctly.
 If I run:
 
 dig working.test @localhost ANY
 
 the ANSWER SECTION IS:
 
 ;; ANSWER SECTION:
 working.test.   86400   IN  SOA ns1.parkingdomini.com. postmaster.ns1.parkingdomini.com. 2011052800 86400 3600 604800 86400
 working.test.   86400   IN  NS  ns1.parkingdomini.com.
 working.test.   86400   IN  NS  ns2.parkingdomini.com.
 working.test.   86400   IN  MX  100 mail.parkingdomini.com.
 working.test.   86400   IN  A   1.2.3.4
 
 while, if I dig anything else, the ANSWER SECTION IS:
 
 ;; ANSWER SECTION:
 somethingelse.test. 86400   IN  A   1.2.3.4
 
 Why? The zone defined is exactly the same.
 
 Any help is welcome.
 Thank you
 gian
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: bind configuration help

2009-11-12 Thread Laurent CARON

On 12/11/2009 00:32, Błażej Ślusarek wrote:

Hi,
first of all thanks to everyone for the interest and for pointing
out my mistakes :) I've already changed recursion and transfer to
trusted ACLs. But unfortunately, I've been administering this server
for a short time and as I'm reading more and more through the
configuration, I'm starting to think that this DNS server is
completely misconfigured. Before I ask my next question, I'll try to
explain my situation a little:

The server I'm administering is one of nine, let's say, units,
which are parts of a bigger organization (let's say organization.com, it
doesn't really matter). The units are given domain names from
first.organization.com to ninth.organization.com. Each unit's server
is responsible for its subdomains, e.g. a.first.organization.com,
b.first.organization.com, and so on... At the same time, they should
be synchronized with the main DNS server of the organization, let's
say dns.organization.com, and also act as a DNS server of its own,
providing information about, e.g. for first, *.first.organization.com.

I think my "name cannot be resolved after some time" problem
(NXDOMAIN, I've checked it) lies somewhere in the synchronization
part. I'll post a part of my zone file, which is responsible for the
domain and which is, I think, the source of this problem:



Hi,

Are zone transfers completed over a VPN?


If yes, are you sure the slaves are reachable?

No evil packet filtering?

Laurent

RE: bind configuration help

2009-11-11 Thread Jukka Pakkanen

Sorry, but could you specify more accurately what is bad? This is
my first BIND configuration, so probably I've made some mistakes, but
I'd like to do it the right way in the end. :)

On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON lca...@lncsa.com wrote:
 allow-recursion { any; };

 bad

 allow-transfer { any; };

 bad


It's usually a bad idea to allow any to use your server recursively, or allow 
any to transfer zone data. Like an open DNS server.






RE: bind configuration help

2009-11-11 Thread Jukka Pakkanen
 

 

From: Holger Honert [mailto:holger.hon...@signal-iduna.org] 
..



*Please be careful when quoting, this was not me:


Jukka Pakkanen schrieb: 

Sorry, but could You specify more accurately what is bad ? This is
my first bind configuration, so probably I've made some mistakes, but
I'd like to do it the right way in the end.:)
 
On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON  mailto:lca...@lncsa.com
lca...@lncsa.com wrote:
  

allow-recursion { any; };
  

bad
 


allow-transfer { any; };
  

bad
 


*This was mine:
 
It's usually a bad idea to allow any to use your server recursively, or
allow any transfer zone data. Like an open dns-server.
 
 

Re: bind configuration help

2009-11-11 Thread Holger Honert
Security issues!

Usually you only want *trusted* clients to use your server recursively.

And you don't really want to allow *any* fetching your hosted zones for
doing something bad, i.e. getting (unwanted!) infos
over your network and infrastructure.

Regards

Holger


Jukka Pakkanen wrote:
 Sorry, but could You specify more accurately what is bad ? This is
 my first bind configuration, so probably I've made some mistakes, but
 I'd like to do it the right way in the end.:)

 On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON lca...@lncsa.com wrote:
   
 allow-recursion { any; };
   
 bad

 
 allow-transfer { any; };
   
 bad

 

 It's usually a bad idea to allow any to use your server recursively, or 
 allow any transfer zone data. Like an open dns-server.






   


SIGNAL Krankenversicherung a. G., registered office: Dortmund, HR B 2405, AG Dortmund
IDUNA Vereinigte Lebensversicherung aG für Handwerk, Handel und Gewerbe,
registered office: Hamburg, HR B 2740, AG Hamburg
Deutscher Ring Krankenversicherungsverein a.G., registered office: Hamburg,
HR B 4673, AG Hamburg,
SIGNAL IDUNA Allgemeine Versicherung AG, registered office: Dortmund, HR B 19108,
AG Dortmund
Board of management: Reinhold Schulte (chairman),
Wolfgang Fauter (deputy chairman), Dr. Karl-Josef Bierth,
Jens O. Geldmacher, Marlies Hirschberg-Tafel,
Michael Johnigk, Ulrich Leitermann, Michael Petmecky,
Dr. Klaus Sticker, Prof. Dr. Markus Warg
Chairman of the supervisory boards: Günter Kutz
SIGNAL IDUNA Gruppe head offices, Internet: www.signal-iduna.de
44121 Dortmund, street address: Joseph-Scherer-Str. 3, 44139 Dortmund
20351 Hamburg, street address: Neue Rabenstraße 15-19, 20354 Hamburg

Re: bind configuration help

2009-11-11 Thread Kevin Darcy

Holger Honert wrote:

Security issues!

Usually you only want *trusted* clients to use your server recursively.

And you don't really want to allow *any* fetching your hosted zones 
for doing something bad, i.e. getting (unwanted!) infos

over your network and infrastructure.
If the infos are public, they're public, the only difference is that 
zone transfers are a more efficient way of fetching more than about 2 or 
3 records in a single transaction, compared to querying each one 
individually.


If you want your network and infrastructure infos to be private, then 
put them in a private zone that can't be queried from the Internet at all.



  - Kevin



Regards

Holger


Jukka Pakkanen wrote:

Sorry, but could You specify more accurately what is bad ? This is
my first bind configuration, so probably I've made some mistakes, but
I'd like to do it the right way in the end.:)

On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON lca...@lncsa.com wrote:
  

allow-recursion { any; };
  

bad



allow-transfer { any; };
  

bad




It's usually a bad idea to allow any to use your server recursively, or allow any 
transfer zone data. Like an open dns-server.






RE: bind configuration help

2009-11-11 Thread Jeff Lightner
I can't quite agree with that.

While public information is indeed public it is intended to be so for specific 
lookups not for zone transfers.  Someone external to you asking to get a zone 
transfer may be looking for what he can exploit.   Maybe he can find that 
information anyway with enough digging but why make it easy for him? 

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy
Sent: Wednesday, November 11, 2009 12:53 PM
To: bind-users@lists.isc.org
Subject: Re: bind configuration help

Holger Honert wrote:
 Security issues!

 Usually you only want *trusted* clients to use your server recursively.

 And you don't really want to allow *any* fetching your hosted zones 
 for doing something bad, i.e. getting (unwanted!) infos
 over your network and infrastructure.
If the infos are public, they're public, the only difference is that 
zone transfers are a more efficient way of fetching more than about 2 or 
3 records in a single transaction, compared to querying each one 
individually.

If you want your network and infrastructure infos to be private, then 
put them in a private zone that can't be queried from the Internet at all.

 
   - Kevin

 Regards

 Holger


 Jukka Pakkanen wrote:
 Sorry, but could You specify more accurately what is bad ? This is
 my first bind configuration, so probably I've made some mistakes, but
 I'd like to do it the right way in the end.:)

 On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON lca...@lncsa.com wrote:
   
 allow-recursion { any; };
   
 bad

 
 allow-transfer { any; };
   
 bad

 

 It's usually a bad idea to allow any to use your server recursively, or 
 allow any transfer zone data. Like an open dns-server.




 
Proud partner. Susan G. Komen for the Cure.
 
Please consider our environment before printing this e-mail or attachments.
--
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential 
information and is for the sole use of the intended recipient(s). If you are 
not the intended recipient, any disclosure, copying, distribution, or use of 
the contents of this information is prohibited and may be unlawful. If you have 
received this electronic transmission in error, please reply immediately to the 
sender that you have received the message in error, and delete it. Thank you.
--


Re: bind configuration help

2009-11-11 Thread Kevin Darcy

Jeff Lightner wrote:

I can't quite agree with that.

While public information is indeed public it is intended to be so for specific lookups not for zone transfers.  
Circular argument: allowing zone transfers is bad if one didn't intend 
to allow zone transfers.
Someone external to you asking to get a zone transfer may be looking for what he can exploit.   


Speculative argument: someone may do something bad with information that 
was intentionally made public.
Maybe he can find that information anyway with enough digging but why make it easy for him? 
  
On the other hand, why make it harder for good and bad folks alike? 
Superfluous concealment often raises curiosity and attracts probing. 
(Don't even get me started on whether BIND version numbers should be 
suppressed/spoofed; I think you might be able to guess where I stand on 
that too).


Why not allow knowledgeable experts to diagnose problems with your 
external-facing zones, or business partners to set up stealth slaves, 
if they wish, for architectural, performance and/or availability 
reasons, without having to reconfigure one's nameserver, and/or 
generate/distribute a TSIG key, every time they want to?


Consider long and deep how much configuration complexity and churn 
raises opportunities for infrastructure breakins and/or denials of 
service, perhaps far more than simple information disclosures ever could...



- Kevin


P.S. I've already lost this argument in our own organization, so don't 
even bother with the "practice what you preach" observation. I can but 
offer advice to others to avoid such a ridiculous state of affairs.

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy
Sent: Wednesday, November 11, 2009 12:53 PM
To: bind-users@lists.isc.org
Subject: Re: bind configuration help

Holger Honert wrote:
  

Security issues!

Usually you only want *trusted* clients to use your server recursively.

And you don't really want to allow *any* fetching your hosted zones 
for doing something bad, i.e. getting (unwanted!) infos

over your network and infrastructure.

If the infos are public, they're public, the only difference is that 
zone transfers are a more efficient way of fetching more than about 2 or 
3 records in a single transaction, compared to querying each one 
individually.


If you want your network and infrastructure infos to be private, then 
put them in a private zone that can't be queried from the Internet at all.


 
   - Kevin


  

Regards

Holger


Jukka Pakkanen wrote:


Sorry, but could You specify more accurately what is bad ? This is
my first bind configuration, so probably I've made some mistakes, but
I'd like to do it the right way in the end.:)

On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON lca...@lncsa.com wrote:
  
  

allow-recursion { any; };
  
  

bad




allow-transfer { any; };
  
  

bad




It's usually a bad idea to allow any to use your server recursively, or allow any 
transfer zone data. Like an open dns-server.





Re: bind configuration help

2009-11-11 Thread Błażej Ślusarek
Hi,
first of all thanks to everyone for the interest and for pointing me
out my mistakes :) I've already changed recursion and transfer to
trusted acls. But unfortunately, I've been administering this server
for a short time and as I'm reading more and more through the
configuration, I'm starting to think that this DNS server is
completely misconfigured. Before I ask my next question, I'll try to
explain my situation a little:

The server I am administering is one of nine, let's say, units,
which are parts of a bigger organization (let's say organization.com, it
doesn't really matter). The units are given domain names from
first.organization.com to ninth.organization.com. Each unit's server
is responsible for their subdomains, i.e. a.first.organization.com,
b.first.organization.com, and so on... At the same time, they should
be synchronized with the main dns server of the organization, let's
say dns.organization.com, and also act as a dns server of its own,
providing information about, i.e. for first, *.first.organization.com.

I think my "name cannot be resolved after some time" problem
(NXDOMAIN, I've checked it) lies somewhere in the synchronization
part. I'll post a part of my zone file, which is responsible for the
domain and which is, I think, the source of this problem:

***
$TTL 604800
@   IN  SOA dns.organization.com. first.organization.com. (
            2006120508 ; Serial
            3600       ; Refresh
            86400      ; Retry
            2419200    ; Expire
            604800 )   ; Negative Cache TTL
;
    NS  first.organization.com.
    NS  dns.organization.com.
***
The problem is, I don't even know if *I* should synchronize with
*them* (the main dns server) or vice versa, maybe it's not my problem
at all. Also, who should I allow-update {} the zone, should the zone
be of type master and what is the authoritative server for the zone:
the one I'm administering or the main dns server or maybe both are ok?

Thanks in advance:)

On Wed, Nov 11, 2009 at 7:09 PM, Jeff Lightner jlight...@water.com wrote:
 I can't quite agree with that.

 While public information is indeed public it is intended to be so for 
 specific lookups not for zone transfers.  Someone external to you asking get 
 a zone transfer may be looking for what he can exploit.   Maybe he can find 
 that information anyway with enough digging but why make it easy for him?

 -Original Message-
 From: bind-users-boun...@lists.isc.org 
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy
 Sent: Wednesday, November 11, 2009 12:53 PM
 To: bind-users@lists.isc.org
 Subject: Re: bind configuration help

 Holger Honert wrote:
 Security issues!

 Usually you only want *trusted* clients to use your server recursively.

 And you don't really want to allow *any* fetching your hosted zones
 for doing something bad, i.e. getting (unwanted!) infos
 over your network and infrastructure.
 If the infos are public, they're public, the only difference is that
 zone transfers are a more efficient way of fetching more than about 2 or
 3 records in a single transaction, compared to querying each one
 individually.

 If you want your network and infrastructure infos to be private, then
 put them in a private zone that can't be queried from the Internet at all.


                                                   - Kevin

 Regards

 Holger


 Jukka Pakkanen wrote:
 Sorry, but could You specify more accurately what is bad ? This is
 my first bind configuration, so probably I've made some mistakes, but
 I'd like to do it the right way in the end.:)

 On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON lca...@lncsa.com wrote:

     allow-recursion { any; };

 bad


     allow-transfer { any; };

 bad



 It's usually a bad idea to allow any to use your server recursively, or 
 allow any transfer zone data. Like an open dns-server.




 ___
 bind-users mailing list
 bind-users
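One way to arrange the master/slave relationship the message above asks about, given here as an added example rather than anything posted to the thread: the unit's server is the master for its own zone and dns.organization.com pulls it as a slave, with transfers limited to requests signed with a shared TSIG key (the mechanism Kevin mentions earlier in the thread). The hostnames are the ones used in the post; the key name first-xfer, the secret (a placeholder of zero bytes, to be replaced with tsig-keygen output, or dnssec-keygen on older BIND) and all addresses are made up. Note that the SOA MNAME field names the primary master, so if the unit's server is the master that field should name it.

```conf
// Added example, not from the thread. Two named.conf fragments, one per
// server. Hostnames are from the post; key, secret and addresses are
// placeholders.

// ---- on the unit's server (first.organization.com): master for its zone ----
key "first-xfer" {
    algorithm hmac-sha256;
    // placeholder secret (32 zero bytes): replace with tsig-keygen output
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

zone "first.organization.com" IN {
    type master;
    file "pri/first.organization.com.zone";
    allow-update { none; };              // static zone: edit the file, bump the serial, rndc reload
    allow-transfer { key first-xfer; };  // only requests signed with the shared key
    also-notify { 192.0.2.10; };         // placeholder: dns.organization.com, so it refreshes at once
    notify yes;
};

// ---- on dns.organization.com: slave (secondary) for the same zone ----
key "first-xfer" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";  // same placeholder; same secret on both ends
};

server 198.51.100.5 {                    // placeholder: first.organization.com
    keys { first-xfer; };                // sign AXFR/IXFR requests sent to the master
};

zone "first.organization.com" IN {
    type slave;
    file "sec/first.organization.com.zone";
    masters { 198.51.100.5; };           // pull from the unit's server
    allow-transfer { none; };            // the secondary does not re-export the zone
};
```

The slave checks the SOA serial on NOTIFY and at each refresh interval and only transfers when the master's serial is higher, so the serial must be incremented on every edit of the master's zone file. An unsigned transfer request from any other address is refused by the master and logged as a denied zone transfer, which is the line to watch for in the named log.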

Re: bind configuration help

2009-11-10 Thread Laurent CARON

On 10/11/2009 23:07, Błażej Ślusarek wrote:

Hello,


Hi


I'd like to ask for help in setting up my DNS server. When I start the
server, everything is fine, but only for some time. After some
time passes, my external domain name cannot be resolved from anywhere
on the Internet. When I restart named, everything is back to
normal after a few seconds, again for some time. Here are some
fragments of my DNS configuration:

***
options {
 directory "/var/bind";
 forward first;
 forwarders {
 some.ip;
 };
 allow-query { any; };
 allow-recursion { any; };


bad


 listen-on-v6 { none; };
 listen-on { 127.0.0.1; internal.ip; external.ip; };

zone "my.domain.name" IN {
 type master;
 file "pri/costam.zone";
 allow-update { none; };
 //allow-transfer { slaves; };
 allow-transfer { any; };


bad


 notify yes;
};
***
I've got no clue what could be the cause of this behavior. The server
should provide service to internal and external networks and allow
zone transfers. I'd also like to ask for the correct iptables
configuration for the above DNS settings. I'm not quite sure whether, if I
have the forwarders option, I have to enable port 53 in the FORWARD
chain, or maybe just INPUT and OUTPUT is enough. Also, what rules are
necessary for the zone transfer to work?

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
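The two settings Laurent marks "bad" above, shown beside a tightened version of the same options and zone blocks. This is an added example, not configuration from the thread: the acl names trusted and slaves (the latter appears commented out in the posted file) and every address are placeholders from the documentation ranges, to be replaced with the real internal network and secondary servers.

```conf
// Added example (not the poster's file): the posted options and zone blocks
// with the two settings marked "bad" tightened. Names and addresses below
// are placeholders, not values from the thread.

acl "trusted" {            // clients allowed to use this server as a resolver
    127.0.0.1;
    10.0.0.0/8;            // placeholder: the internal network
};

acl "slaves" {             // secondaries allowed to pull the zone
    192.0.2.53;            // placeholder: address of a secondary nameserver
};

options {
    directory "/var/bind";
    forward first;
    forwarders { 192.0.2.1; };                        // placeholder for "some.ip"
    listen-on-v6 { none; };
    listen-on { 127.0.0.1; 10.0.0.2; 203.0.113.2; };  // placeholders for internal.ip / external.ip

    allow-query { any; };            // authoritative data stays answerable by anyone
    allow-recursion { trusted; };    // was { any; }: an open resolver usable by the whole Internet
    allow-transfer { none; };        // server-wide default; opened per zone below
};

zone "my.domain.name" IN {
    type master;
    file "pri/costam.zone";
    allow-update { none; };
    allow-transfer { slaves; };      // was { any; }: whole zone readable in one AXFR
    notify yes;
};
```

Run named-checkconf on the file before reloading. After the change, a query from an address outside trusted for a name this server is not authoritative for is answered with status REFUSED instead of being recursed, while queries for my.domain.name are still answered for everyone; an AXFR from an address outside slaves is refused and logged as a denied zone transfer.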

Re: bind configuration help

2009-11-10 Thread Błażej Ślusarek
Sorry, but could You specify more accurately what is bad ? This is
my first bind configuration, so probably I've made some mistakes, but
I'd like to do it the right way in the end.:)

On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON lca...@lncsa.com wrote:
 On 10/11/2009 23:07, Błażej Ślusarek wrote:

 Hello,

 Hi

 I'd like to ask for help in setting up my DNS server. When I start the
 server, everything is fine, but only for some time. After some
 time passes, my external domain name cannot be resolved from anywhere
 on the Internet. When I restart named, everything is back to
 normal after a few seconds, again for some time. Here are some
 fragments of my DNS configuration:

 ***
 options {
     directory "/var/bind";
     forward first;
     forwarders {
         some.ip;
     };
     allow-query { any; };
     allow-recursion { any; };

 bad

     listen-on-v6 { none; };
     listen-on { 127.0.0.1; internal.ip; external.ip; };

 zone "my.domain.name" IN {
     type master;
     file "pri/costam.zone";
     allow-update { none; };
     //allow-transfer { slaves; };
     allow-transfer { any; };

 bad

     notify yes;
 };
 ***
 I've got no clue what could be the cause of this behavior. The server
 should provide service to internal and external networks and allow
 zone transfers. I'd also like to ask for the correct iptables
 configuration for the above DNS settings. I'm not quite sure whether, if I
 have the forwarders option, I have to enable port 53 in the FORWARD
 chain, or maybe just INPUT and OUTPUT is enough. Also, what rules are
 necessary for the zone transfer to work?
