Re: ip forwarding DNS 9.6.0

2009-04-09 Thread myron

On Apr 7, 2009, at 7:44 PM, Mark Andrews wrote:



In message d7656c59-094f-4b37-b3cc-4496db3af...@cs.moravian.edu, myron writes:

I started reading up on Kirk's suggestions of the allow-*** settings.
In the global options level
I put
options {
directory   /etc/dns;
allow-query-cache { any; };
allow-query { any; };
auth-nxdomain   yes;
};

and that definitely worked. By no means do I understand the paragraph
below from the README.
I need to mull over it for a while and determine where the options
should go, whether globally or in a view
and whether any is the right setting.


Basically there are people using recursive DNS servers as
amplifiers in DoS attacks by sending forged UDP queries.
By restricting who can get access to the cache you reduce
the effect of such queries to just anonymising the original
query source.

The defaults were changed so that only locally connected
nets get recursive service and access to the cache.  This
default is right for a large majority of the users of named.
You should expand allow-query-cache to include all the
networks you want to offer recursive service to.

Mark


I think I got it right. I just changed any to my network. It works.

options {
directory   /etc/dns;
allow-query-cache { int-net; };
allow-query { int-net; };
auth-nxdomain   yes;
};





Thanks for all the help.

--myron
=
Myron Kowalski
MoCoSIN Network/Systems Administrator
Moravian College
my...@cs.moravian.edu

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: ip forwarding DNS 9.6.0

2009-04-09 Thread Mark Andrews

In message 83f1e37b-72bd-4454-8c2d-4fa91d5fc...@cs.moravian.edu, myron writes:
 On Apr 7, 2009, at 7:44 PM, Mark Andrews wrote:
 
 
  In message d7656c59-094f-4b37-b3cc-4496db3af...@cs.moravian.edu,  
  myron writes:
  I started reading up on Kirk's suggestions of the allow-*** settings.
  In the global options level
  I put
  options {
  directory   /etc/dns;
  allow-query-cache { any; };
  allow-query { any; };
  auth-nxdomain   yes;
  };
 
  and that definitely worked. By no means do I understand the paragraph
  below from the README.
  I need to mull over it for a while and determine where the options
  should go, whether globally or in a view
  and whether any is the right setting.
 
  Basically there are people using recursive DNS servers as
  amplifiers in DoS attacks by sending forged UDP queries.
  By restricting who can get access to the cache you reduce
  the effect of such queries to just anonymising the original
  query source.
 
  The defaults were changed so that only locally connected
  nets get recursive service and access to the cache.  This
  default is right for a large majority of the users of named.
  You should expand allow-query-cache to include all the
  networks you want to offer recursive service to.
 
  Mark
 
 I think I got it right. I just changed any to my network. It works.
 
 options {
  directory   /etc/dns;
  allow-query-cache { int-net; };
  allow-query { int-net; };

allow-query would normally be any; as you are normally
publishing zones to the world.

  auth-nxdomain   yes;
 };
 
 
 
  Thanks for all the help.
 
  --myron
  =
  Myron Kowalski
  MoCoSIN Network/Systems Administrator
  Moravian College
  my...@cs.moravian.edu
  -- 
  Mark Andrews, ISC
  1 Seymour St., Dundas Valley, NSW 2117, Australia
  PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: ip forwarding DNS 9.6.0

2009-04-07 Thread myron
I started reading up on Kirk's suggestions of the allow-*** settings. In the global options level I put

options {
directory   /etc/dns;
allow-query-cache { any; };
allow-query { any; };
auth-nxdomain   yes;
};

and that definitely worked. By no means do I understand the paragraph below from the README. I need to mull over it for a while and determine where the options should go, whether globally or in a view, and whether any is the right setting.

Thanks for all the help.

--myron
=
Myron Kowalski
MoCoSIN Network/Systems Administrator
Moravian College
my...@cs.moravian.edu



On Apr 6, 2009, at 5:17 PM, Mark Andrews wrote:



allow-recursion and allow-query-cache have different defaults.

From README

   New option allow-query-cache.  This lets allow-query
   be used to specify the default zone access level rather
   than having to have every zone override the global value.
   allow-query-cache can be set at both the options and view
   levels.  If allow-query-cache is not set then allow-recursion
   is used if set, otherwise allow-query is used if set
   unless recursion no; is set in which case none; is used,
   otherwise the default (localhost; localnets;) is used.


Mark

In message cf090150-f1c9-45c7-a4dd-6a5e1c429...@cs.moravian.edu, myron writes:


I gave the wrong view if that makes the difference. That was the
internal network.

view external {
 match-clients { any; };
 recursion no;
};

--myron
=
Myron Kowalski
MoCoSIN Network/Systems Administrator
Moravian College
my...@cs.moravian.edu



Begin forwarded message:


From: myron kowal...@cs.moravian.edu
Date: April 6, 2009 12:00:55 PM EDT
To: bind-users@lists.isc.org
Subject: ip forwarding DNS 9.6.0

I upgraded from 9.2.3.

I can't seem to do forwarding from a browser.

Everything works from 9.2.3. When I swap out to 9.6.0, from a command line I can do: nslookup; ping outside the domain; traceroute outside the domain.

From a web browser I can get out if I use the ip address. However, when I put in a canonical name I get an rcode 5.

There's a barracuda spam firewall in the path. If I take it out, then everything works. There's really nothing to change on the barracuda as far as dns is concerned, other than pointing to a dns server.

snoop on the wire:
9.6.0
barracuda -> ns DNS C www22.verizon.com. Internet Addr ?
     ns -> barracuda DNS R  Error: 5(Refused)

9.2.3
barracuda -> ns DNS C www22.verizon.com. Internet Addr ?
     ns -> barracuda DNS R www22.verizon.com. Internet CNAME www22.verizon.com.edgekey.net.

I glanced through the archives and found some suggestions about recursions to ip forwarding. I think the conf is set up correctly. At least, it works fine with 9.2.3.

Here's some of my named.conf edited.

acl mylab {
 10.0.0.0/8;
};
options {
 directory   /etc/dns;
 auth-nxdomain   yes;
};
view trusted {
 match-clients { mylab; };
 recursion yes;
 zone moravian.edu in {
  type forward;
  forwarders { 10.22.5.32; 10.22.5.38; };
 };
};

Any help appreciated.

--myron
=
Myron Kowalski
MoCoSIN Network/Systems Administrator
Moravian College
my...@cs.moravian.edu







Fwd: ip forwarding DNS 9.6.0

2009-04-06 Thread myron
I gave the wrong view if that makes the difference. That was the  
internal network.


view external {
 match-clients { any; };
 recursion no;
};

--myron
=
Myron Kowalski
MoCoSIN Network/Systems Administrator
Moravian College
my...@cs.moravian.edu



Begin forwarded message:


From: myron kowal...@cs.moravian.edu
Date: April 6, 2009 12:00:55 PM EDT
To: bind-users@lists.isc.org
Subject: ip forwarding DNS 9.6.0

I upgraded from 9.2.3.

I can't seem to do forwarding from a browser.

Everything works from 9.2.3. When I swap out to 9.6.0, from a command line I can do: nslookup; ping outside the domain; traceroute outside the domain.

From a web browser I can get out if I use the ip address. However, when I put in a canonical name I get an rcode 5.

There's a barracuda spam firewall in the path. If I take it out, then everything works. There's really nothing to change on the barracuda as far as dns is concerned, other than pointing to a dns server.

snoop on the wire:
9.6.0
barracuda -> ns DNS C www22.verizon.com. Internet Addr ?
      ns -> barracuda DNS R  Error: 5(Refused)

9.2.3
barracuda -> ns DNS C www22.verizon.com. Internet Addr ?
      ns -> barracuda DNS R www22.verizon.com. Internet CNAME www22.verizon.com.edgekey.net.

I glanced through the archives and found some suggestions about recursions to ip forwarding. I think the conf is set up correctly. At least, it works fine with 9.2.3.

Here's some of my named.conf edited.

acl mylab {
  10.0.0.0/8;
};
options {
  directory   /etc/dns;
  auth-nxdomain   yes;
};
view trusted {
  match-clients { mylab; };
  recursion yes;
  zone moravian.edu in {
    type forward;
    forwarders { 10.22.5.32; 10.22.5.38; };
  };
};

Any help appreciated.

--myron
=
Myron Kowalski
MoCoSIN Network/Systems Administrator
Moravian College
my...@cs.moravian.edu




Re: Fwd: ip forwarding DNS 9.6.0

2009-04-06 Thread Mark Andrews

allow-recursion and allow-query-cache have different defaults.

From README

New option allow-query-cache.  This lets allow-query
be used to specify the default zone access level rather
than having to have every zone override the global value.
allow-query-cache can be set at both the options and view
levels.  If allow-query-cache is not set then allow-recursion
is used if set, otherwise allow-query is used if set
unless recursion no; is set in which case none; is used,
otherwise the default (localhost; localnets;) is used.


Mark

In message cf090150-f1c9-45c7-a4dd-6a5e1c429...@cs.moravian.edu, myron writes:
 
 I gave the wrong view if that makes the difference. That was the  
 internal network.
 
 view external {
   match-clients { any; };
   recursion no;
 };
 
 --myron
 =
 Myron Kowalski
 MoCoSIN Network/Systems Administrator
 Moravian College
 my...@cs.moravian.edu
 
 
 
 Begin forwarded message:
 
  From: myron kowal...@cs.moravian.edu
  Date: April 6, 2009 12:00:55 PM EDT
  To: bind-users@lists.isc.org
  Subject: ip forwarding DNS 9.6.0
 
  I upgraded from 9.2.3.
 
  I can't seem to do forwarding from a browser.
 
  Everything works from 9.2.3. When I swap out to 9.6.0, from a command line I can do: nslookup; ping outside the domain; traceroute outside the domain.
 
  From a web browser I can get out if I use the ip address. However, when I put in a canonical name I get an rcode 5.
 
  There's a barracuda spam firewall in the path. If I take it out, then everything works. There's really nothing to change on the barracuda as far as dns is concerned, other than pointing to a dns server.
 
  snoop on the wire:
  9.6.0
  barracuda -> ns DNS C www22.verizon.com. Internet Addr ?
       ns -> barracuda DNS R  Error: 5(Refused)
 
  9.2.3
  barracuda -> ns DNS C www22.verizon.com. Internet Addr ?
       ns -> barracuda DNS R www22.verizon.com. Internet CNAME www22.verizon.com.edgekey.net.
 
  I glanced through the archives and found some suggestions about recursions to ip forwarding. I think the conf is set up correctly. At least, it works fine with 9.2.3.
 
  Here's some of my named.conf edited.
 
  acl mylab {
    10.0.0.0/8;
  };
  options {
    directory   /etc/dns;
    auth-nxdomain   yes;
  };
  view trusted {
    match-clients { mylab; };
    recursion yes;
    zone moravian.edu in {
      type forward;
      forwarders { 10.22.5.32; 10.22.5.38; };
    };
  };
 
  Any help appreciated.
 
  --myron
  =
  Myron Kowalski
  MoCoSIN Network/Systems Administrator
  Moravian College
  my...@cs.moravian.edu
 
 
 
 
 
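The README paragraph Mark quotes defines a precedence chain for the effective allow-query-cache ACL, and the thread walks through three states of it: the external view with recursion no (REFUSED, rcode 5), the first fix with allow-query-cache { any; } (an open resolver, which is exactly the amplifier Mark warns about), and the final fix with { int-net; }. The following Python models that chain and evaluates a cache query from an internal host and from an arbitrary Internet source against each configuration. It is an added example, not code from the thread or from BIND itself: it follows the README wording literally, the body of Myron's int-net ACL is assumed to be 10.0.0.0/8 (the page only shows mylab's body), localnets is a constructed stand-in for what named derives from its interfaces, and the ACL matcher does not model negated (!) or key-based terms.

```python
import ipaddress

# Constructed ACL table. The thread names "int-net" and "mylab" but only shows
# mylab's body (10.0.0.0/8); int-net is assumed to be the same network. BIND
# derives "localnets" from the server's interfaces at runtime; here it is a
# constructed stand-in so the example runs offline.
ACLS = {
    "mylab": ["10.0.0.0/8"],
    "int-net": ["10.0.0.0/8"],          # assumption: not defined on the page
    "localhost": ["127.0.0.0/8", "::1/128"],
    "localnets": ["10.0.0.0/8"],        # constructed stand-in
}


def effective_query_cache(scope):
    """Resolve the effective allow-query-cache ACL for one options/view scope.

    Follows the README precedence Mark quotes, taken literally:
    allow-query-cache, else allow-recursion, else allow-query,
    else none if recursion is off, else the default localhost; localnets;.
    `scope` is a dict of the clauses present in that scope, e.g.
    {"recursion": "no"} or {"allow-query-cache": ["int-net"]}.
    """
    for clause in ("allow-query-cache", "allow-recursion", "allow-query"):
        if clause in scope:
            return list(scope[clause])
    if scope.get("recursion") == "no":
        return ["none"]
    return ["localhost", "localnets"]


def client_allowed(acl_terms, client_ip):
    """Does a source address match the ACL? Handles the built-ins any/none,
    named ACLs from ACLS and literal prefixes. Negated ("!") and key-based
    terms are not modelled."""
    ip = ipaddress.ip_address(client_ip)
    for term in acl_terms:
        if term == "any":
            return True
        if term == "none":
            return False
        for net in ACLS.get(term, [term]):
            # ip_network.__contains__ is False for an address of the other IP version
            if ip in ipaddress.ip_network(net, strict=False):
                return True
    return False


def open_to_internet(scope, probe="203.0.113.7"):
    """True if an arbitrary Internet source (a constructed TEST-NET-3 address)
    would be given cache/recursive service: the open-resolver condition the
    README's new default is meant to close."""
    return client_allowed(effective_query_cache(scope), probe)


def thread_scenarios():
    """The configurations that appear in the thread, evaluated for an internal
    host (one of Myron's forwarders) and for an arbitrary Internet source."""
    configs = {
        # original 9.6.0 named.conf: the view the barracuda actually hit
        "external view, recursion no": {"recursion": "no"},
        # trusted view: recursion yes and no allow-* clauses -> README default
        "trusted view, defaults": {"recursion": "yes"},
        # first fix: open to anyone
        "options, any": {"allow-query-cache": ["any"], "allow-query": ["any"]},
        # final fix: internal network only
        "options, int-net": {"allow-query-cache": ["int-net"], "allow-query": ["int-net"]},
    }
    results = {}
    for name, scope in configs.items():
        acl = effective_query_cache(scope)
        results[name] = {
            "acl": acl,
            "internal": client_allowed(acl, "10.22.5.32"),
            "internet": open_to_internet(scope),
        }
    return results


if __name__ == "__main__":
    for name, r in thread_scenarios().items():
        print(f"{name:30} {' '.join(r['acl']):22} "
              f"internal={r['internal']!s:5} internet={r['internet']}")
```

Running it prints one row per configuration: the external view with recursion no resolves to none and refuses both sources (the rcode 5 in the snoop trace), the trusted view with no allow-* clauses falls to localhost; localnets and serves only the internal host, the { any; } fix serves the Internet probe too, and the { int-net; } fix serves the internal host and refuses the probe. Mark's separate point still stands: allow-query itself, as opposed to allow-query-cache, normally stays any on a server that publishes zones to the world, because it also gates authoritative answers.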