Re: ip forwarding DNS 9.6.0
On Apr 7, 2009, at 7:44 PM, Mark Andrews wrote:

> In message <d7656c59-094f-4b37-b3cc-4496db3af...@cs.moravian.edu>, myron writes:
>
>> I started reading up on Kirk's suggestions of the allow-*** settings. In the global options level I put
>>
>>     options {
>>         directory "/etc/dns";
>>         allow-query-cache { any; };
>>         allow-query { any; };
>>         auth-nxdomain yes;
>>     };
>>
>> and that definitely worked. By no means do I understand the paragraph below from the README. I need to mull over it for a while and determine where the options should go, whether globally or in a view, and whether "any" is the right setting.
>
> Basically there are people using recursive DNS servers as amplifiers in DoS attacks by sending forged UDP queries. By restricting who can get access to the cache you reduce the effect of such queries to just anonymising the original query source.
>
> The defaults were changed so that only locally connected nets get recursive service and access to the cache. This default is right for a large majority of the users of named. You should expand allow-query-cache to include all the networks you want to offer recursive service to.
>
> Mark

I think I got it right. I just changed "any" to my network. It works.

    options {
        directory "/etc/dns";
        allow-query-cache { int-net; };
        allow-query { int-net; };
        auth-nxdomain yes;
    };

Thanks for all the help.

--myron
==============================
Myron Kowalski
MoCoSIN Network/Systems Administrator
Moravian College
my...@cs.moravian.edu

> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: ip forwarding DNS 9.6.0
In message <83f1e37b-72bd-4454-8c2d-4fa91d5fc...@cs.moravian.edu>, myron writes:

> On Apr 7, 2009, at 7:44 PM, Mark Andrews wrote:
>
>> In message <d7656c59-094f-4b37-b3cc-4496db3af...@cs.moravian.edu>, myron writes:
>>
>>> [...]
>>
>> [...]
>>
>> Mark
>
> I think I got it right. I just changed "any" to my network. It works.
>
>     options {
>         directory "/etc/dns";
>         allow-query-cache { int-net; };
>         allow-query { int-net; };

allow-query would normally be any; as you are normally publishing zones to the world.

>         auth-nxdomain yes;
>     };
>
> Thanks for all the help.
>
> --myron
> ==============================
> Myron Kowalski
> MoCoSIN Network/Systems Administrator
> Moravian College
> my...@cs.moravian.edu

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
Re: ip forwarding DNS 9.6.0
I started reading up on Kirk's suggestions of the allow-*** settings. In the global options level I put

    options {
        directory "/etc/dns";
        allow-query-cache { any; };
        allow-query { any; };
        auth-nxdomain yes;
    };

and that definitely worked. By no means do I understand the paragraph below from the README. I need to mull over it for a while and determine where the options should go, whether globally or in a view, and whether "any" is the right setting.

Thanks for all the help.

--myron
==============================
Myron Kowalski
MoCoSIN Network/Systems Administrator
Moravian College
my...@cs.moravian.edu

On Apr 6, 2009, at 5:17 PM, Mark Andrews wrote:

> allow-recursion and allow-query-cache have different defaults.
>
> From README
>
>     New option allow-query-cache. This lets allow-query be used to
>     specify the default zone access level rather than having to have
>     every zone override the global value. allow-query-cache can be set
>     at both the options and view levels. If allow-query-cache is not
>     set then allow-recursion is used if set, otherwise allow-query is
>     used if set unless recursion no; is set in which case none; is
>     used, otherwise the default (localhost; localnets;) is used.
>
> Mark
>
> In message <cf090150-f1c9-45c7-a4dd-6a5e1c429...@cs.moravian.edu>, myron writes:
>
>> I gave the wrong view if that makes the difference. That was the internal network.
>>
>>     view external {
>>         match-clients { any; };
>>         recursion no;
>>
>> --myron
>> ==============================
>> Myron Kowalski
>> MoCoSIN Network/Systems Administrator
>> Moravian College
>> my...@cs.moravian.edu
>>
>> Begin forwarded message:
>>
>>> From: myron <kowal...@cs.moravian.edu>
>>> Date: April 6, 2009 12:00:55 PM EDT
>>> To: bind-users@lists.isc.org
>>> Subject: ip forwarding DNS 9.6.0
>>>
>>> [...]
Fwd: ip forwarding DNS 9.6.0
I gave the wrong view if that makes the difference. That was the internal network.

    view external {
        match-clients { any; };
        recursion no;

--myron
==============================
Myron Kowalski
MoCoSIN Network/Systems Administrator
Moravian College
my...@cs.moravian.edu

Begin forwarded message:

> From: myron <kowal...@cs.moravian.edu>
> Date: April 6, 2009 12:00:55 PM EDT
> To: bind-users@lists.isc.org
> Subject: ip forwarding DNS 9.6.0
>
> I upgraded from 9.2.3. I can't seem to do forwarding from a browser. Everything works from 9.2.3. When I swap out to 9.6.0, from a command line I can do: nslookup; ping outside the domain; traceroute outside the domain. From a web browser I can get out if I use the IP address. However, when I put in a canonical name I get an rcode 5.
>
> There's a Barracuda spam firewall in the path. If I take it out, then everything works. There's really nothing to change on the Barracuda as far as DNS is concerned, other than pointing to a DNS server.
>
> snoop on the wire:
>
> 9.6.0
>     barracuda -> ns        DNS C www22.verizon.com. Internet Addr ?
>     ns -> barracuda        DNS R  Error: 5(Refused)
>
> 9.2.3
>     barracuda -> ns        DNS C www22.verizon.com. Internet Addr ?
>     ns -> barracuda        DNS R  www22.verizon.com. Internet CNAME www22.verizon.com.edgekey.net.
>
> I glanced through the archives and found some suggestions about recursion and IP forwarding. I think the conf is set up correctly. At least, it works fine with 9.2.3. Here's some of my named.conf, edited.
>
>     acl mylab { 10.0.0.0/8; };
>
>     options {
>         directory "/etc/dns";
>         auth-nxdomain yes;
>     };
>
>     view trusted {
>         match-clients { mylab; };
>         recursion yes;
>
>         zone "moravian.edu" in {
>             type forward;
>             forwarders { 10.22.5.32; 10.22.5.38; };
>         };
>
> Any help appreciated.
>
> --myron
> ==============================
> Myron Kowalski
> MoCoSIN Network/Systems Administrator
> Moravian College
> my...@cs.moravian.edu
Re: Fwd: ip forwarding DNS 9.6.0
allow-recursion and allow-query-cache have different defaults.

From README

    New option allow-query-cache. This lets allow-query be used to
    specify the default zone access level rather than having to have
    every zone override the global value. allow-query-cache can be set
    at both the options and view levels. If allow-query-cache is not
    set then allow-recursion is used if set, otherwise allow-query is
    used if set unless recursion no; is set in which case none; is
    used, otherwise the default (localhost; localnets;) is used.

Mark

In message <cf090150-f1c9-45c7-a4dd-6a5e1c429...@cs.moravian.edu>, myron writes:

> I gave the wrong view if that makes the difference. That was the internal network.
>
>     view external {
>         match-clients { any; };
>         recursion no;
>
> --myron
> ==============================
> Myron Kowalski
> MoCoSIN Network/Systems Administrator
> Moravian College
> my...@cs.moravian.edu
>
> Begin forwarded message:
>
>> From: myron <kowal...@cs.moravian.edu>
>> Date: April 6, 2009 12:00:55 PM EDT
>> To: bind-users@lists.isc.org
>> Subject: ip forwarding DNS 9.6.0
>>
>> [...]
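The README precedence rules Mark quotes above, applied to the configurations posted in this thread, as an added worked example (my own code, not ISC's and not from any message in the thread). It picks the view a client falls into, works out which address-match list ends up guarding cache and recursive access under BIND 9.6, and evaluates that list for the client. The server addresses, the 10.22.5.0/24 local subnet, the 10.0.7.9 Barracuda address, the 203.0.113.5 outside client and the contents of the int-net ACL are all constructed assumptions; the thread never shows them. Reading the README's "unless recursion no;" clause as affecting only the allow-query fallback is my interpretation.

```python
"""BIND 9.6 cache/recursion access-control precedence, modelled in Python.

Added illustration, not ISC code: only the README rules quoted in this thread
are implemented, plus BIND-style address-match-list evaluation.
"""
from ipaddress import ip_address, ip_network

# Constructed values (not from the thread): the server's own addresses and its
# directly connected prefixes, which the built-in localhost/localnets ACLs use.
SERVER_ADDRS = ["127.0.0.1", "10.22.5.10"]
LOCAL_NETS = ["127.0.0.0/8", "10.22.5.0/24"]

# Named ACLs.  "mylab" is from the original post; the body of "int-net" is an
# assumption, the thread never shows it.
NAMED_ACLS = {"mylab": ["10.0.0.0/8"], "int-net": ["10.0.0.0/8"]}

DEFAULT_CACHE_ACL = ["localhost", "localnets"]  # the new 9.6 default


def effective_query_cache_acl(options, view=None):
    """Pick the list that guards cache access, per the README precedence.

    View-level statements override global ones.  Order: allow-query-cache,
    then allow-recursion, then allow-query (which becomes none; under
    recursion no;), then the default.  Treating recursion no; as affecting
    only the allow-query fallback is my reading of the README sentence.
    """
    cfg = dict(options)
    if view:
        cfg.update(view)
    if "allow-query-cache" in cfg:
        return list(cfg["allow-query-cache"])
    if "allow-recursion" in cfg:
        return list(cfg["allow-recursion"])
    if "allow-query" in cfg:
        return ["none"] if cfg.get("recursion", True) is False else list(cfg["allow-query"])
    return list(DEFAULT_CACHE_ACL)


def acl_matches(acl, client):
    """First matching element decides; a leading "!" turns a match into a deny.

    Nested named ACLs are matched positively only (BIND's negated-nested
    corner case is not modelled).
    """
    addr = ip_address(client)
    for element in acl:
        negate = element.startswith("!")
        elem = element[1:].strip() if negate else element
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif elem == "localhost":
            hit = any(addr == ip_address(a) for a in SERVER_ADDRS)
        elif elem == "localnets":
            hit = any(addr in ip_network(n) for n in LOCAL_NETS)
        elif elem in NAMED_ACLS:
            hit = acl_matches(NAMED_ACLS[elem], client)
        else:
            hit = addr in ip_network(elem, strict=False)
        if hit:
            return not negate
    return False


def select_view(views, client):
    """Return the first view whose match-clients list matches, as named does."""
    for view in views:
        if acl_matches(view.get("match-clients", ["any"]), client):
            return view
    return None


def cache_access(options, views, client):
    """True if `client` gets cache/recursive service under this configuration."""
    view = select_view(views, client)
    if views and view is None:
        return False  # with views configured, a query matching none is refused
    return acl_matches(effective_query_cache_acl(options, view), client)


# The configurations posted in the thread.  BARRACUDA is a constructed 10/8
# address on a segment that is not directly connected to the name server;
# OUTSIDER is a constructed Internet client (TEST-NET-3).
ORIGINAL_OPTIONS = {"directory": "/etc/dns", "auth-nxdomain": True}
INTERIM_OPTIONS = {**ORIGINAL_OPTIONS, "allow-query-cache": ["any"], "allow-query": ["any"]}
FIXED_OPTIONS = {**ORIGINAL_OPTIONS, "allow-query-cache": ["int-net"], "allow-query": ["int-net"]}
VIEW_TRUSTED = {"match-clients": ["mylab"], "recursion": True}
VIEW_EXTERNAL = {"match-clients": ["any"], "recursion": False}
VIEWS = [VIEW_TRUSTED, VIEW_EXTERNAL]
BARRACUDA = "10.0.7.9"
OUTSIDER = "203.0.113.5"

if __name__ == "__main__":
    print(effective_query_cache_acl(ORIGINAL_OPTIONS, VIEW_TRUSTED))  # ['localhost', 'localnets']
    print(cache_access(ORIGINAL_OPTIONS, VIEWS, BARRACUDA))  # False: the REFUSED in the snoop trace
    print(cache_access(INTERIM_OPTIONS, VIEWS, OUTSIDER))    # True: cache open to the whole Internet
    print(cache_access(FIXED_OPTIONS, VIEWS, BARRACUDA))     # True: internal client served again
    print(cache_access(FIXED_OPTIONS, VIEWS, OUTSIDER))      # False: outsiders kept out
```

The first scenario reproduces the symptom in the original post: a 10/8 client that is not on a directly connected subnet matches the trusted view's match-clients, but with no allow-* statement the 9.6 default of localhost; localnets; applies and the query is refused. The interim allow-query-cache { any; } setting hands cache access to every address on the Internet, which is the amplifier exposure Mark describes; { int-net; } restores service to the internal networks only. named-checkconf validates syntax but not this precedence, so the resulting ACL is worth checking from a client on each network before relying on it.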