Re: injecting a temp entry into dns cache
On 02/02/2013 09:41 PM, Veaceslav Revutchi wrote:

> There is a credit union website that our users access from work, and their DNS has been broken for the past few days: the www. version works, but the plain name (without the www.) points to some old IP that's not responding. Tried to call them and all I got was that they know they have some kind of problem, but they ask users to type www. in their browser until it's resolved. In situations like this I would like to be able to inject an entry into the cache on our recursive resolvers and point it to the correct IP until the domain owner fixes the problem (poison my own cache, so to speak). Is this something that can be done with BIND without having to create a zone for the broken domain and make our servers act as authoritative for it?

You can do this with RPZ. Simply put

    thebrokensite.org.your.rpz.zone. IN A working.ip.add.r

...into the RPZ zone. This will leave names *under* that zone alone.

I've used RPZ this way a couple of times to fix temporary problems, but you need to be aware of the hole you can dig yourself if you end up having to do this permanently.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
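As an added illustration (not from the thread and not BIND's own code), a short Python model of how a resolver applies an RPZ QNAME trigger: an exact-name entry overrides the answer for thebrokensite.org only, while www.thebrokensite.org keeps the correct upstream answer, and a wildcard entry is shown alongside to contrast "this name only" with "everything under this name". The policy zone name rpz.example, the blocked.example entry, all IP addresses and the upstream answers are constructed for the example; in real BIND the zone is activated with a `response-policy { zone "rpz.example"; };` statement in `options`.

```python
# Model of a BIND RPZ QNAME trigger (constructed example, not BIND's own code).
# Policy zone, relative to an assumed zone name rpz.example: the exact-name fix
# from the thread plus one wildcard entry for contrast ("CNAME ." = NXDOMAIN).
RPZ_ZONE_TEXT = """
thebrokensite.org    IN  A      192.0.2.10
*.blocked.example    IN  CNAME  .
"""

# Constructed upstream answers: the stale IP the broken authoritative server
# hands out for the bare name, and the correct one it still serves for www.
UPSTREAM = {
    "thebrokensite.org.": "198.51.100.7",
    "www.thebrokensite.org.": "192.0.2.10",
    "login.blocked.example.": "203.0.113.9",
}


def parse_rpz(text):
    """Map each trigger name (FQDN, lower-case) to its (rrtype, rdata) action."""
    policy = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if line:
            owner, _cls, rrtype, rdata = line.split()
            policy[owner.lower() + "."] = (rrtype.upper(), rdata)
    return policy


def resolve(qname, policy, upstream):
    """Return (action, rdata): exact trigger first, then the closest wildcard,
    otherwise the upstream answer is passed through untouched."""
    qname = qname.lower().rstrip(".") + "."
    hit = policy.get(qname)
    labels = qname.split(".")
    # "*.base" matches names with at least one label below base, never base itself
    for i in range(1, len(labels) - 1):
        if hit is None:
            hit = policy.get("*." + ".".join(labels[i:]))
    if hit is None:
        return ("PASSTHRU", upstream.get(qname))
    rrtype, rdata = hit
    if rrtype == "CNAME" and rdata == ".":
        return ("NXDOMAIN", None)
    return ("LOCAL-DATA", rdata)

if __name__ == "__main__":
    pol = parse_rpz(RPZ_ZONE_TEXT)
    for name in UPSTREAM:
        print(f"{name:26} -> {resolve(name, pol, UPSTREAM)}")
```

A validating client will not accept the rewritten answer, which is the DNSSEC caveat raised later in the thread.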
injecting a temp entry into dns cache
There is a credit union website that our users access from work, and their DNS has been broken for the past few days: the www. version works, but the plain name (without the www.) points to some old IP that's not responding. Tried to call them and all I got was that they know they have some kind of problem, but they ask users to type www. in their browser until it's resolved.

In situations like this I would like to be able to inject an entry into the cache on our recursive resolvers and point it to the correct IP until the domain owner fixes the problem (poison my own cache, so to speak). Is this something that can be done with BIND without having to create a zone for the broken domain and make our servers act as authoritative for it?

Thank you,
Slava
Re: injecting a temp entry into dns cache
Interesting. Intentionally poison your own cache so your users aren't inconvenienced by another's misconfiguration. Not sure how you go about doing that on the box. Perhaps bigger brains on this list can say.

I have had occasion to forge answers locally as an immediate fix for name resolution issues which caused significant operational problems. I elected to add the zone in named.conf and answer the query correctly (and authoritatively) until I could get the owner to correct things. You will probably need to add other zone records too: MX and any other A records you can think to search for.

Personally, I wouldn't consider doing something like that in this situation as you've described it. However, mere inconvenience as I perceive it may be significant in your view.

On Sat, 2013-02-02 at 16:41 -0500, Veaceslav Revutchi wrote:

> There is a credit union website that our users access from work, and their DNS has been broken for the past few days: the www. version works, but the plain name (without the www.) points to some old IP that's not responding. Tried to call them and all I got was that they know they have some kind of problem, but they ask users to type www. in their browser until it's resolved. In situations like this I would like to be able to inject an entry into the cache on our recursive resolvers and point it to the correct IP until the domain owner fixes the problem (poison my own cache, so to speak). Is this something that can be done with BIND without having to create a zone for the broken domain and make our servers act as authoritative for it?
>
> Thank you,
> Slava
Re: injecting a temp entry into dns cache
> There is a credit union website that our users access from work and their DNS has been broken for the past few days where the www. version

> From: Jeff Reasoner jeff.reaso...@mail.hccanet.org
>
> I elected to add the zone in named.conf and answer the query correctly (and authoritatively) until I could get the owner to correct things. You will probably need to add other zone records too: MX and any other A records you can think to search for.
>
> Personally, I wouldn't consider doing something like that in this situation as you've described it. ...

On my own computers and for my own business, I add temporary lines to /etc/hosts every few months to deal with such problems.

However, hacking a financial institution by publishing false DNS data to third parties (including employees) would promise too much excitement and too little profit for my tastes, especially after talking about the crime in public. I doubt that I could convince a court of technical facts or that I was doing the credit union a favor. The credit union would probably convince the authorities (including the newly sprouting bureaucracy run by the same people who are in charge of the TSA) that I was responsible for the whole mess from the beginning.

Besides, do you really want to help drive business to that kind of financial institution? If its trivial records like DNS are a persistent mess, what about the complicated banking records required by law?

If it were competent, the credit union would be using DNSSEC, which makes a local DNS zone useless.

Vernon Schryver
v...@rhyolite.com
Re: injecting a temp entry into dns cache
Hey Slava,

You can use a small DNS proxy that will forge only this specific record while passing everything else through, by adding a forward DNS zone and adding the proxy as the forward DNS server. This is *not* recommended, but these are the tools you have. If the DNS proxy is not well written, your users will have trouble.

On 2/2/2013 11:41 PM, Veaceslav Revutchi wrote:

> There is a credit union website that our users access from work, and their DNS has been broken for the past few days: the www. version works, but the plain name (without the www.) points to some old IP that's not responding. Tried to call them and all I got was that they know they have some kind of problem, but they ask users to type www. in their browser until it's resolved. In situations like this I would like to be able to inject an entry into the cache on our recursive resolvers and point it to the correct IP until the domain owner fixes the problem (poison my own cache, so to speak). Is this something that can be done with BIND without having to create a zone for the broken domain and make our servers act as authoritative for it?
>
> Thank you,
> Slava

-- 
Eliezer Croitoru
http://www1.ngtech.co.il