DNS Hosting & Managed DNS
Hi Misc,

This is not an OpenBSD-specific question, but since the list is full of security and network professionals I would like to solicit your opinion.

Are there any strong opinions on DNS hosting & managed DNS providers? We are a small lab currently using ZoneEdit. I believe ZoneEdit was chosen at a time when they were free. We are looking to move to something a little bit more secure, with DNSSEC support out of the box. We have one domain name, a small web server and a mail server.

Thank you,
Predrag Punosevac
Re: DNS Hosting & Managed DNS
On 10/24/2013 10:35, Predrag Punosevac wrote:
> Hi Misc,
>
> This is not an OpenBSD-specific question, but since the list is full of
> security and network professionals I would like to solicit your
> opinion.
>
> Are there any strong opinions on DNS hosting & managed DNS providers? We
> are a small lab currently using ZoneEdit. I believe ZoneEdit was chosen
> at a time when they were free. We are looking to move to something a
> little bit more secure, with DNSSEC support out of the box. We have one
> domain name, a small web server and a mail server.
>
> Thank you,
> Predrag Punosevac

Take a look at Dyn: http://dyn.com/managed-dns-express/

--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post. It is not logical.
Please don't CC me! I'm subscribed to whatever list I just posted on.
Re: DNS Hosting & Managed DNS
On 24 October 2013 07:35, Predrag Punosevac wrote:
> Hi Misc,
>
> This is not an OpenBSD-specific question, but since the list is full of
> security and network professionals I would like to solicit your
> opinion.
>
> Are there any strong opinions on DNS hosting & managed DNS providers? We
> are a small lab currently using ZoneEdit. I believe ZoneEdit was chosen
> at a time when they were free. We are looking to move to something a
> little bit more secure, with DNSSEC support out of the box. We have one
> domain name, a small web server and a mail server.

Do you run it all out of a single network?

If so, then running a third-party DNS is not recommended:
http://cr.yp.to/djbdns/third-party.html

OTOH, named and nsd in base work great.

BTW, if you start adding DNS servers in far-away places around the world, with bad connectivity from your target audience, then the time it takes to resolve your domain for your target audience will suffer overall, not improve.

Yes, these ideas are basically exactly the opposite of what the marketing would lead you to believe.

C.
Re: DNS Hosting & Managed DNS
On Thu, Oct 24, 2013 at 10:35:51AM -0400, Predrag Punosevac wrote:
> We are looking to move to something a little bit more secure, with DNSSEC
> support out of the box.

The "security" you'd get with DNSSEC would be tiny in comparison to the problems in reliability. For realistic security, you'd get far more by choosing 1) a registrar without a history of compromises, and 2) a DNS provider that uses something other than BIND. NSD is in base.

Nicolai
Re: DNS Hosting & Managed DNS
"Constantine A. Murenin" wrote: > On 24 October 2013 07:35, Predrag Punosevac wrote: > > Hi Misc, > > > > This is not an OpenBSD specific question but since the list is full of > > security and network professionals I would like to solicit your > > opinion. > > > > Are there any strong opinions on DNS Hosting & Managed DNS providers. We > > are small Lab currently using ZoneEdit. I believe ZoneEdit was chosen > > at the time they were free. We are looking to move to something little > > bit more secure with DNSSEC support out of box. We have one domain name, > > small web server and a mail server. > > Do you run it all out of a single network? > > If so, then running a third-party DNS is not recommended: > http://cr.yp.to/djbdns/third-party.html > That was an interesting reading. > OTOH, named and nsd in base work great. > I inherited managed DNS setup for our web site and mailing lists as well as full blown BIND for internal network. I am moving internal network to Unbound, trying to get permission to outsource mailing lists to our university host and trying to avoid running NSD just to have our small web site visible by outside world. I appreciate all knowledge shared with me on and off this list. @Nicolai I am with you on DNSSEC. One of the reasons I asked bout managed DNS on this list was a hope to have non BIND recommendations. Most Kind Regard, Predrag > BTW, if you start adding DNS servers in far away places around the > world, and with bad connectivity from your target audience, then the > time it takes to resolve your domain for your target audience will > suffer overall, not improve. > > Yes, these ideas are basically exactly the opposite of what the > marketing would lead you to believe. > > C.
Re: DNS Hosting & Managed DNS
On Thu, Oct 24, 2013 at 08:06, Constantine A. Murenin wrote:
> On 24 October 2013 07:35, Predrag Punosevac wrote:
>> Are there any strong opinions on DNS hosting & managed DNS providers? We
>> are a small lab currently using ZoneEdit. I believe ZoneEdit was chosen
>> at a time when they were free. We are looking to move to something a
>> little bit more secure, with DNSSEC support out of the box. We have one
>> domain name, a small web server and a mail server.

Amazon offers Route 53, but no DNSSEC at this time.

> Do you run it all out of a single network?
>
> If so, then running a third-party DNS is not recommended:
> http://cr.yp.to/djbdns/third-party.html

Certainly worth considering, but a few counterpoints. That page appears to have been last updated around 2000. I pay about 57 cents per month for Route 53 DNS hosting. That's not particularly costly for me. It's reasonably performant, easy to manage, and so forth. Unlike web and mail hosting, for which I (and everyone else these days) am running custom code, DNS is a complete commodity.
Re: DNS Hosting & Managed DNS
On 13-10-24 09:35 AM, Predrag Punosevac wrote:
> Are there any strong opinions on DNS hosting & managed DNS providers? We
> are a small lab currently using ZoneEdit. I believe ZoneEdit was chosen
> at a time when they were free. We are looking to move to something a
> little bit more secure, with DNSSEC support out of the box. We have one
> domain name, a small web server and a mail server.
>
> Thank you,
> Predrag Punosevac

Certainly not the cheapest, but the best reliability and service I've found comes from EasyDNS (www.easydns.com). Their DNSSEC implementation is a bit weak; they haven't implemented any of the stronger ciphers yet, but it works and is easy to use. They're in Canada, so are somewhat resistant to the random take-down orders emanating from both the USA and the UK. (As long as you don't have a .com or a .uk domain, anyway.) They have lots - way too much, they'd say - of experience weathering DDoS storms and attacks. Depending on the level of service you pay for, your DNS is distributed across up to 6(?) anycast strands, which translates to a maximum of something insane like ~300 DNS servers world-wide. Their customer service and general cluefulness is so far unequalled in my book. I've worked with them since ~1999 and I haven't yet seen any cause to doubt them. I do wish they were a little bit more price-competitive, but at least you get what you pay for.

--
-Adam Thompson
athom...@athompso.net
Re: DNS Hosting & Managed DNS
On Thu, 24 Oct 2013, Constantine A. Murenin wrote:
> BTW, if you start adding DNS servers in far-away places around the
> world, with bad connectivity from your target audience, then the
> time it takes to resolve your domain for your target audience will
> suffer overall, not improve.
>
> Yes, these ideas are basically exactly the opposite of what the
> marketing would lead you to believe.

That said, there are several reasons why handing off the authoritative DNS tasks to an outside source might be worthwhile, as long as one still ran a recursive server locally for one's own users. These reasons would include doing DNSSEC as well as dealing with amplification attacks using your public DNS server. My preference is to run a local recursive DNS server on every OpenBSD machine. Just make sure they aren't open.

Eric
Re: DNS Hosting & Managed DNS
I like http://www.rollernet.us

Supports DNSSEC; secondary DNS is free to some extent.

Chi

On Thu, 24 Oct 2013 10:35:51 -0400 Predrag Punosevac wrote:
> Hi Misc,
>
> This is not an OpenBSD-specific question, but since the list is full of
> security and network professionals I would like to solicit your
> opinion.
>
> Are there any strong opinions on DNS hosting & managed DNS providers? We
> are a small lab currently using ZoneEdit. I believe ZoneEdit was chosen
> at a time when they were free. We are looking to move to something a
> little bit more secure, with DNSSEC support out of the box. We have one
> domain name, a small web server and a mail server.
>
> Thank you,
> Predrag Punosevac
Re: DNS Hosting & Managed DNS
On 2013-10-24 Thu 10:35 AM |, Predrag Punosevac wrote:
> We have one domain name, a small web server and a mail server.
>

In that situation, I'd:

1) run a master DNS server on the public web/mail server
2) find a domain name registrar that:
   1. will slave the zone from your master
   2. has 2-4 servers, mainly in the general geographic region of the web/mail users
   3. runs an acceptable OS/daemon

You'd have control over the zone's contents (incl. subdomains, client caching, refresh, retry & expire periods). Not have to use any stupid web forms that limit how you use your zone. Have fun using more of OpenBSD's capabilities.

Do you have others that you could partner with to provide each other's reciprocal slave DNS service? People on this list - running the most secure OS?

If for some (bizarre) reason you don't want your DNS server to be public, then run the above as a hidden master:

1) don't list it in the zone's whois records
2) restrict DNS requests to the slaves only (via the daemon's access controls & pf too.)

There's no difference whatsoever for the external provider, and the same benefits as above, but no public queries. Running a public web or mail server is much more complicated and risky, so there's not much point in hiding it.

Become a hostmaster - you know you can.

Do it,
--
Craig Skinner | http://twitter.com/Craig_Skinner | http://linkd.in/yGqkv7
Re: DNS Hosting & Managed DNS
* Nicolai [2013-10-24 18:49]:
> On Thu, Oct 24, 2013 at 10:35:51AM -0400, Predrag Punosevac wrote:
>
> > We are looking to move to something a little bit more secure, with DNSSEC
> > support out of the box.
>
> The "security" you'd get with DNSSEC would be tiny in comparison to
> the problems in reliability. For realistic security, you'd get far more by
> choosing 1) a registrar without a history of compromises, and 2) a DNS
> provider that uses something other than BIND. NSD is in base.

wise advice.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
dns
I see now there's a patch; apologies for not checking errata first.

Brian

The path to a desirable destination is often more difficult than the path to stay where you are.
DNS
I'm a little confused on the topic of running BIND on OBSD. I've read the Secure Architectures book, some material at http://www.aei.ca/~pmatulis/pub/obsd_pf.html and a few other places. My goal is to provide DNS to my local LANs and probably act as a caching/forwarding DNS. What confuses me is 1) where to put my db.wired and db.1.168.192 files, 2) what to add to named.conf to put these files to use, and 3) how to configure named.conf for caching/forwarding.

Some articles I've read via Google say the default named.conf is configured as a caching nameserver and to simply start the named daemon, while others say the forwarders first and forwarders options must be entered. Could someone with a little more experience on this topic please point me in the right direction?
DNS
Dear Sir / Madam,

I'm located in SA, Johannesburg. There is a site I can no longer open; please help. It's: www.gwomen.co.za

I was wondering if you can provide me with a solution.
Re: dns
On Thu, 2005-05-05 at 10:54:43 -0700, Brian W. proclaimed...
> I see now there's a patch; apologies for not checking errata first.

Just as a follow-up: the patch definitely helps. I'd be interested in seeing what performance tweaks people have for high-activity caches.
About DNS
To surf the Internet, my ISP specifies two DNS servers (primary and secondary). How must I add them to the network card I will use to connect to the Internet?

Salutes,
Mike
Re: DNS
On Sat, 17 Sep 2005, Steve B wrote:
> I'm a little confused on the topic of running BIND on OBSD. I've read the
> Secure Architectures book, some material at
> http://www.aei.ca/~pmatulis/pub/obsd_pf.html and a few other places. My goal
> is to provide DNS to my local LANs and probably act as a caching/forwarding
> DNS. What confuses me is 1) where to put my db.wired and db.1.168.192 files,

/var/named/master/

If you just need a local resolver, you won't need to create these files and configure your server to be authoritative for any zones.

> 2) what to add to named.conf to put these files to use,

for example,

zone "1.168.192.in-addr.arpa" {
        type master;
        file "master/db.192.168.1";
};

IF you need this.

> and 3) how to configure named.conf for caching/forwarding.

You don't have to do anything to set up a caching nameserver. Just set named_flags="" in your /etc/rc.conf.local file to have it start at boot time.

> Some articles I've read via Google say the default named.conf is configured
> as a caching nameserver and to simply start the named daemon, while others
> say the forwarders first and forwarders options must be entered. Could
> someone with a little more experience on this topic please point me in the
> right direction?

You almost certainly don't need to set it up as a forwarder. It sounds like you need to familiarize yourself with some of the basics of DNS and BIND. If all you want is to have a DNS resolver for your local network, don't do anything except add named_flags="" to your rc.conf.local file and you're done.

--
Ian
Re: DNS
On Sat, 17 Sep 2005 21:08:20 -0700 Steve B <[EMAIL PROTECTED]> wrote:
> I'm a little confused on the topic of running BIND on OBSD. I've read
> the Secure Architectures book, some material at
> http://www.aei.ca/~pmatulis/pub/obsd_pf.html and a few other places.
> My goal is to provide DNS to my local LANs and probably act as a
> caching/forwarding DNS. What confuses me is 1) where to put my
> db.wired and db.1.168.192 files, 2) what to add to named.conf to put
> these files to use, and 3) how to configure named.conf for
> caching/forwarding.
>
> Some articles I've read via Google say the default named.conf is
> configured as a caching nameserver and to simply start the named
> daemon, while others say the forwarders first and forwarders options
> must be entered. Could someone with a little more experience on this
> topic please point me in the right direction?

Try dnscache, part of djbdns from http://cr.yp.to; it's very good and efficient, also rather secure compared to BIND (Buggy Internet Name Daemon).

--
http://www.usenix.org.uk - http://irc.is-cool.net
Re: DNS
On Sun, Sep 18, 2005 at 10:34:30AM +0100, ed wrote:
> Steve B <[EMAIL PROTECTED]> wrote:
>
> > I'm a little confused on the topic of running BIND on OBSD. I've read
> > the Secure Architectures book, some material at
> > http://www.aei.ca/~pmatulis/pub/obsd_pf.html and a few other places.

o'reilly DNS and BIND. cakewalk; you'll come out of it with no more confusion at all.

> > My goal is to provide DNS to my local LANs and probably act as a
> > caching/forwarding DNS.
>
> > What confuses me is 1) where to put my db.wired and db.1.168.192 files

already answered by someone, but again, /var/named/master is a sensible target.

> > 2) what to add to named.conf to put
> > these files to use, and

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "master/db.1.168.192";
};

zone "wired" IN {
        type master;
        file "master/db.wired";
};

put these, as a suggestion, under the "// Master zones" section of the default named.conf, because the heading is already there, so you might as well take advantage of it.

> > 3) how to configure named.conf for
> > caching/forwarding.
> >
> > Some articles I've read via Google say the default named.conf is
> > configured as a caching nameserver and to simply start the named
> > daemon

the /var/named/etc/named.conf that comes in openbsd is good to go as a local caching resolver. just start it. it will recurse/resolve for you anything you ask it (or at least try to). it will only answer queries from ::1 and 'localnets'. localnets is referenced in the html on your filesystem i point to below; just read the 'acl statement grammar' section. as long as you have pf filtering queries from the world (which, if you're just using this as a caching resolver and locally-authoritative-only server, is probably what you're doing), you're set.

> > , while others say the forwarders first and forwarders options
> > must be entered.

only if you're using forward zones, which the default openbsd named.conf does not. anyone saying that you have to do that is hopefully talking about a different OS.

> Try dnscache, part of djbdns from http://cr.yp.to; it's very good and
> efficient, also rather secure compared to BIND (Buggy Internet Name
> Daemon).

bah, screw djb. use software in base before software in ports; use software in ports before software not in base or ports. exceptions for good reasons are of course, exceptions. but someone who just wants to "turn on some DNS for their LAN" doesn't have a good reason to use (DNS) software which is wholly unsupported in the (s/the/this) community.

jared

/usr/share/doc/html/bind/Bv9ARM.html
-
[ openbsd 3.7 GENERIC ( sep 10 ) // i386 ]
Re: DNS
On Sat, Sep 17, 2005 at 09:08:20PM -0700, Steve B wrote:
> I'm a little confused on the topic of running BIND on OBSD. I've read the
> Secure Architectures book, some material at
> http://www.aei.ca/~pmatulis/pub/obsd_pf.html and a few other places. My goal
> is to provide DNS to my local LANs and probably act as a caching/forwarding
> DNS. What confuses me is 1) where to put my db.wired and db.1.168.192 files,
> 2) what to add to named.conf to put these files to use, and 3) how to
> configure named.conf for caching/forwarding.
>
> Some articles I've read via Google say the default named.conf is configured
> as a caching nameserver and to simply start the named daemon, while others
> say the forwarders first and forwarders options must be entered. Could
> someone with a little more experience on this topic please point me in the
> right direction?

hello,

for a similar setup (forwarder + master for a local domain), i use the following lines in /var/named/etc/named.conf:

...
zone "." {
        type forward;
        forwarders { 62.4.16.70; 62.4.17.69; };
};

zone "localdomain" {
        type master;
        file "master/localdomain";
};

zone "10.in-addr.arpa" {
        type master;
        file "master/localdomain.rev";
};
.......

where "62.4.16.70" and "62.4.17.69" are my ISP's DNS servers, "localdomain" is the name of my local domain and 10.0.0.0/8 are the corresponding IP numbers. /var/named/master/localdomain contains "A" records for "localdomain" and /var/named/master/localdomain.rev contains "PTR" records for "10.0.0.0/8".

regards,
--
Alexandre
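The replies above say where db.wired and db.1.168.192 go and which named.conf stanzas load them, but not what the two files contain. The script below is an added example for this thread (not Steve's, Ian's, Jared's or Alexandre's code): it writes both zone files from one host table, so the forward A records and the reverse PTR records cannot drift apart. The zone name "wired" and the 192.168.1.0/24 network are from the question; the host names, addresses, serial and SOA timers are constructed for the example.

```python
"""Generate db.wired and db.1.168.192 from one host table.

Added example, not code from the thread.  The zone name and network are the
ones in the question; hosts, addresses, serial and timers are constructed.
"""
import ipaddress

# Constructed host table for the "wired" zone (hypothetical hosts).
HOSTS = {
    "gw":  "192.168.1.1",
    "ns1": "192.168.1.2",
    "www": "192.168.1.4",
}


def zone_header(origin, ns_fqdn, serial, ttl=86400):
    """$TTL, SOA and NS lines shared by the forward and the reverse zone."""
    contact = "hostmaster." + ns_fqdn.split(".", 1)[1]   # hostmaster@<zone>
    return [
        f"$TTL {ttl}",
        f"{origin} IN SOA {ns_fqdn} {contact} ( {serial} 3600 900 1209600 3600 )",
        f"{origin} IN NS {ns_fqdn}",
    ]


def forward_zone(zone, hosts, ns_name, serial):
    """db.<zone>: one A record per host, owner names relative to the zone."""
    origin = zone.rstrip(".") + "."
    lines = zone_header(origin, f"{ns_name}.{origin}", serial)
    for name, ip in sorted(hosts.items()):
        ipaddress.IPv4Address(ip)          # reject typos before named sees them
        lines.append(f"{name} IN A {ip}")
    return "\n".join(lines) + "\n"


def reverse_zone(network, zone, hosts, ns_name, serial):
    """db.<reversed octets>: one PTR per host that lies inside `network`.

    Returns the file text and the names of hosts outside the network, which
    need a reverse zone of their own instead of being silently dropped.
    """
    net = ipaddress.IPv4Network(network)
    if net.prefixlen != 24:
        raise ValueError("this generator only writes /24 reverse zones")
    octets = str(net.network_address).split(".")[:3]
    origin = ".".join(reversed(octets)) + ".in-addr.arpa."
    fwd = zone.rstrip(".") + "."
    lines = zone_header(origin, f"{ns_name}.{fwd}", serial)
    skipped = []
    by_addr = sorted(hosts.items(), key=lambda kv: ipaddress.IPv4Address(kv[1]))
    for name, ip in by_addr:
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            skipped.append(name)
            continue
        lines.append(f"{str(addr).split('.')[3]} IN PTR {name}.{fwd}")
    return "\n".join(lines) + "\n", skipped


if __name__ == "__main__":
    serial = 2005091801                     # YYYYMMDDnn style, constructed
    print(forward_zone("wired", HOSTS, "ns1", serial))
    rev, missing = reverse_zone("192.168.1.0/24", "wired", HOSTS, "ns1", serial)
    print(rev)
    if missing:
        print("; hosts without a PTR in this zone:", ", ".join(missing))
```

Redirect the two outputs into /var/named/master/db.wired and /var/named/master/db.1.168.192 and the zone stanzas quoted above will load them; bump the serial every time the host table changes or slaves will keep the old copy.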
DNS question
Hello,

I have a problem with DNS. Here is the diagram of my network.

internet
   |
   V
  ISP
   |
   V
obsd-3.6 (FW,DNS)  192.168.1.0/24
   |
   V
switch <-wired-> obsd-3.8-AP <-wireless-> obsd, window-xp
                      |--> 192.168.2.0/24

1. I have set up routes between obsd-3.6 (FW,DNS) and obsd-3.8-AP.
2. I have instructed the obsd and the window-xp to use the nameserver at obsd-3.6 (FW,DNS).
3. I can ping the internet using an IP like 129.128.5.191 (www.openbsd.org) at obsd and window-xp. However, I can't ping with names like www.openbsd.org.

I would like to know if it is possible for the obsd and the window-xp clients to access the nameserver at obsd-3.6 (FW).

Thanks
Clarence
Re: DNS
On Thu, 27 Oct 2005 15:18:42 -0700 (PDT) Mpumi Nu Siyaya <[EMAIL PROTECTED]> wrote:
> I'm located in SA, Johannesburg.
> There is a site I can no longer open; please help. It's: www.gwomen.co.za
>
> I was wondering if you can provide me with a solution.

You might want to have a read through DJB's pages, http://cr.yp.to/djbdns.html, for help with DNS; it offers a good explanation. Although not related to the default install of OpenBSD, it's still good background.

Check that your /etc/resolv.conf has a valid nameserver. If not, either install BIND or dnscache.

--
Regards, Ed
http://www.usenix.org.uk - http://irc.is-cool.net
A TCP/IP stack was the worst feature windows ever got ~ ~ :wq
DNS attack?
I am starting to see TONS of these things in my pflog:

Nov 12 19:50:58.030904 rule 48/(match) block in on tun0: 63.219.179.130.13519 > 65.x.x.169.53: 47505+[|domain]
Nov 12 19:51:08.037007 rule 48/(match) block in on tun0: 63.219.179.130.13519 > 65.x.x.169.53: 59022+[|domain]

I have a block of static IPs, but nothing is running on the .169 IP and I don't understand this sort of thing. PF is doing its job just fine... I guess I am looking for what these mean and if anyone knows what this is. Usually all the IPs that are hitting me have no rDNS and are all over the world.

--
J.D. Bronson
Information Services
West Allis Memorial Hospital
Aurora Health Care - Milwaukee, Wisconsin
Office: 414.978.8282 // Fax: 414.977.5299
Microsoft Gives you Windows || Unix Gives you a home
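When a log like the one above keeps growing, the useful first step is to summarise it rather than read it line by line: which sources are sending, how many queries each sent, which local addresses they aimed at, and whether the source port stayed fixed. The script below is an added example for this post, not J.D.'s code. It parses the pflog line format shown above ("rule N/(match) block in on IF: SRC.PORT > DST.PORT: ...") and singles out sources whose port-53 traffic went only to addresses that run no DNS server at all. The log lines are constructed for the example; the first two mirror the post, with the 203.0.113.0/24 documentation range standing in for the poster's 65.x.x.0 block.

```python
"""Summarise blocked inbound port-53 hits from pflog-style tcpdump lines.

Added example for the post above, not the poster's code.  Sample lines are
constructed; destination addresses use the 203.0.113.0/24 documentation range.
"""
import re
from collections import defaultdict

# Constructed sample log in the poster's format (hypothetical addresses).
SAMPLE_LOG = """\
Nov 12 19:50:58.030904 rule 48/(match) block in on tun0: 63.219.179.130.13519 > 203.0.113.169.53: 47505+[|domain]
Nov 12 19:51:08.037007 rule 48/(match) block in on tun0: 63.219.179.130.13519 > 203.0.113.169.53: 59022+[|domain]
Nov 12 19:51:09.100000 rule 48/(match) block in on tun0: 198.51.100.7.40123 > 203.0.113.170.53: 11+ A? example.net. (29)
Nov 12 19:51:10.200000 rule 48/(match) block in on tun0: 198.51.100.7.40124 > 203.0.113.169.22: S 1:1(0) win 5840
garbage line that must be ignored, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ [\d:.]+) rule (?P<rule>\d+)/\(match\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Yield one dict per line that matches the pflog format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def dns_hits(text, dport=53):
    """Per-source summary of blocked inbound packets to `dport`."""
    out = defaultdict(lambda: {"count": 0, "targets": set(), "sports": set()})
    for rec in parse_pflog(text):
        if rec["action"] != "block" or rec["dir"] != "in" or rec["dport"] != dport:
            continue
        entry = out[rec["src"]]
        entry["count"] += 1
        entry["targets"].add(rec["dst"])
        entry["sports"].add(rec["sport"])
    return dict(out)


def unserved_targets(summary, dns_hosts):
    """Sources whose port-53 traffic went only to addresses that run no DNS
    server.  Nothing legitimate asks those addresses anything, so these are
    the senders worth a closer look."""
    return sorted(src for src, e in summary.items()
                  if not e["targets"] & set(dns_hosts))


def report(text, dns_hosts):
    """One line per source for a log review.  A single source port across
    many queries is noted because it makes that sender easy to match in a
    later pf rule."""
    summary = dns_hits(text)
    lines = []
    for src in sorted(summary):
        e = summary[src]
        port_note = "fixed sport" if len(e["sports"]) == 1 else "varying sport"
        lines.append(f"{src}: {e['count']} blocked -> "
                     f"{', '.join(sorted(e['targets']))} ({port_note})")
    return lines


if __name__ == "__main__":
    served = {"203.0.113.170"}          # the only local address that runs DNS
    for line in report(SAMPLE_LOG, served):
        print(line)
    print("only unserved targets:", unserved_targets(dns_hits(SAMPLE_LOG), served))
```

Feed it `tcpdump -n -e -ttt -r /var/log/pflog` output (the format the post shows) and keep the `served` set in step with the addresses that actually run a name server; a source that only ever hits the others is noise or a scan, and rDNS on it is, as J.D. notes, usually absent.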
DNS issues
Dear Readers;

I'm using 4.1 with the generic kernel. Here is my dmesg:

# dmesg
OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class, 512KB L2 cache) 552 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 536428544 (523856K)
avail mem = 481763328 (470472K)
using 4278 buffers containing 26943488 bytes (26312K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 05/19/00, BIOS32 rev. 0 @ 0xf06c0, SMBIOS rev. 2.3 @ 0xf1f50 (45 entries)
bios0: ASUSTeK Computer INC.
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xf22
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf0e80/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:04:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Rage Pro" rev 0x5c
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 4 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 4 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 4 function 2 "Intel 82371AB USB" rev 0x01: irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piixpm0 at pci0 dev 4 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
lm1 at iic0 addr 0x2d: AS99127F
rl0 at pci0 dev 11 function 0 "Accton MPX 5030/5038" rev 0x10: irq 10, address 00:10:b5:8d:0c:e8
rlphy0 at rl0 phy 0: RTL internal PHY

my ifconfig

# ifconfig =A
=A: no such interface
# ifconfig -A
#Loop back, pflog omitted
rl0: flags=8843 mtu 1500
        lladdr 00:10:b5:8d:0c:e8
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.2 netmask 0xff00 broadcast 192.168.1.255
        inet6 fe80::210:b5ff:fe8d:ce8%rl0 prefixlen 64 scopeid 0x1

my resolv.conf

nameserver 208.201.224.11
nameserver 208.201.224.33

My name server, a.ns.theamericanbray.com, is having issues resolving any DNS-related matters; dig returns a time-out error, and an nslookup from a workstation on another site returns a time-out as well when checking the status of theamericanbray.com. My other name server, b.ns.theamericanbray.com, has no problems with dig, but nslookup from a different site doesn't seem to receive any answers from that name server. The software being used is DJBDNS and my data files look as thus:

.theamericanbray.com:64.142.102.9:a:259200
.theamericanbray.com:64.142.102.10:b:259200
=www.theamericanbray.com:64.142.102.11:86400
+www.theamericanbray.com:64.142.102.11

Also, I'm using a pf firewall to distribute and manage my internet connection. My pf.conf is thus:

# 192.168.0.1 subnet
ext_ip="64.142.102.8"
int_ip="192.168.0.1"
int_block="192.168.0.0/24"

#DMZ subnet
#Interface
dmz_ip="192.168.1.1"
dmz_block="192.168.1.0/24"
#DNS 1
ns_a="192.168.1.2"
pub_ns_a="64.142.102.9"
#DNS 2
ns_b="192.168.1.3"
pub_ns_b="64.142.102.10"
#WWW 1
www_ip="192.168.1.4"
pub_www="64.142.102.11"

#DMZ Services
services="{ domain, www, smtp, }"

#Normalizing
scrub in all
set skip on lo0

#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
binat on rl0 from $ns_a to any -> $pub_ns_a
binat on rl0 from $ns_b to any -> $pub_ns_b
binat on rl0 from $www_ip to any -> $pub_www

#Redirection
rdr on rl1 proto tcp from any to $pub_www port 80 -> $www_ip

#Default block policy
block log all

#Anti-spoofing
block in quick from urpf-failed

#rl0 traffic
pass on rl0 proto icmp all
pass in on rl0 proto { tcp, udp } from any to { $ns_a, $ns_b } port domain
pass in on rl0 proto tcp from any to $ext_ip port ftp
pass in on rl0 proto tcp from any to { $ext_ip, $www_ip } port { 80, 443 }
pass in on rl0 proto tcp from any to { $pub_ns_b, $pub_www, $pub_ns_a, $ext_ip } port 123
pass out on r
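Before chasing the firewall, it is worth checking that the tinydns data file itself yields the records one expects. The script below is an added example for this post (not the poster's code): it expands the data-line types used above ('.', '=', '+'; plus '&', '@' and 'C' for completeness) into the resource records tinydns-data would write, using tinydns-data's naming rule that an x without a dot in a '.' line names x.ns.<fqdn>, and then checks that every NS and MX target has an A record in the same file and that no name carries the same A record twice. The four data lines are the ones from the post.

```python
"""Lint a tinydns data file before running tinydns-data.

Added example for the post above, not the poster's code.  The SAMPLE lines
are the four from the post.
"""

SAMPLE = """\
.theamericanbray.com:64.142.102.9:a:259200
.theamericanbray.com:64.142.102.10:b:259200
=www.theamericanbray.com:64.142.102.11:86400
+www.theamericanbray.com:64.142.102.11
"""


def rev_name(ip):
    """PTR owner name for a dotted-quad address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def expand(line):
    """Resource records (type, owner, value) that one data line stands for.

    '.'/'&': NS (plus SOA for '.'), and an A record for the name server when
    an address is given.  '=': A and PTR.  '+': A only.  '@': MX (plus A).
    'C': CNAME.  Anything else comes back as ('raw', line, '') so it is not
    silently dropped.
    """
    line = line.strip()
    if not line or line[0] == "#":
        return []
    kind, fields = line[0], line[1:].split(":")
    fqdn = fields[0]

    def field(i):
        return fields[i] if len(fields) > i else ""

    if kind in ".&":
        x = field(2) or "a"
        ns = x if "." in x else f"{x}.ns.{fqdn}"
        recs = [("NS", fqdn, ns)]
        if field(1):
            recs.append(("A", ns, field(1)))
        if kind == ".":
            recs.append(("SOA", fqdn, ns))
        return recs
    if kind in "=+":
        recs = [("A", fqdn, field(1))]
        if kind == "=":
            recs.append(("PTR", rev_name(field(1)), fqdn))
        return recs
    if kind == "@":
        x = field(2) or "a"
        mx = x if "." in x else f"{x}.mx.{fqdn}"
        recs = [("MX", fqdn, mx)]
        if field(1):
            recs.append(("A", mx, field(1)))
        return recs
    if kind == "C":
        return [("CNAME", fqdn, field(1))]
    return [("raw", line, "")]


def lint(text):
    """Return (records, problems) for a whole data file."""
    records = [r for line in text.splitlines() for r in expand(line)]
    a_records = {}
    for rtype, owner, value in records:
        if rtype == "A":
            a_records.setdefault(owner, []).append(value)
    problems = []
    for rtype, owner, value in records:
        if rtype in ("NS", "MX") and value not in a_records:
            problems.append(f"{rtype} {owner} -> {value}: no A record in this file")
    for owner, ips in a_records.items():
        dup = sorted({ip for ip in ips if ips.count(ip) > 1})
        if dup:
            problems.append(f"A {owner}: {', '.join(dup)} listed more than once")
    return records, problems


if __name__ == "__main__":
    records, problems = lint(SAMPLE)
    for rec in records:
        print(*rec)
    print("problems:", problems or "none")
```

On the poster's data it reports that www.theamericanbray.com gets 64.142.102.11 twice: the '=' line already produces the A record, so the '+' line only duplicates it. An NS target flagged as having no A record is only a problem when that name server is supposed to be served from this file; glue hosted elsewhere is fine.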
dns query
Hi all,

I don't know if it is the right place to write about this problem. I am running OpenBSD 3.9; however, it seems to me that my OpenBSD box always sends a DNS query for:

- email sending (from internal and external)

I had tried to add "nameserver localhost" to my resolv.conf, so that @mcojaya.com will not go to another DNS server for the query. I use /etc/hosts to add:

127.0.0.1 mcojaya.com

I have the problem that when the internet is down, my local users are not able to send email because of the DNS query check.

- nagios. I use check_ping, and it seems that it will always query DNS for every IP address (host) that I set up to check_ping.

I did not modify any inetd.conf.

Thanks, best regards,
riwan
DNS setup
Hello all

Approx. 2 weeks ago I posted a question titled "web browsing" to this list. It was about how to set up NAT on my gateway so intranet computers can access the Internet. The current situation is: I have an obsd3.9 box connected to the internet using ppp.conf; on the inside I have a winXP box connected to a switch, connected to the obsd box. The thing that wasn't working was that my XP box couldn't access web pages. I blamed it on pf.conf. But that wasn't the case. Today I tried this: I turned off pf (I will set that up later). I checked man ppp and found this info: "...to turn on NAT add this line to ppp.conf: nat enable yes...". With this line added to ppp.conf things started to work.

Now the question:

1. My resolv.conf contains nameservers from my ISP.
2. At the beginning the XP box was set up with the DNS parameter pointing to my gateway, 192.168.0.1. I could not access the Internet; then I changed this parameter to the DNS server IP of my ISP and things work again.

What must I do so that things will work with the DNS parameter set to my gateway? Are there any security threats with the parameter set to the DNS IP from my ISP? Will this be a problem when setting up pf?
DNS vulnerable??
Hi friends,

I'm not an expert in security, but I saw something strange in my tcpdump and, searching on Google, it seems like a security fault. A message of tcpdump:

10:58:35.107197 192.168.1.12.1372 > 192.168.1.254.53: 28645+ ? ncdserver.ncd.org.br. (38) (DF)
10:58:35.115757 192.168.1.254.53 > 192.168.1.14.3288: 38173 NXDomain* 0/1/0 (94)

And searching on Google: http://www.kb.cert.org/vuls/id/714121

My OpenBSD is 3.8 stable. My DNS is not doing recursion. I just want to know if it is really a problem or not.

Thanks.
[ ]'s
Beto
DNS Question.
Hi all,

Is it possible to perform a DNS query that gives me all A records for one IP (without using reverse DNS)?

Thanks a lot
DNS patch
Does this mean we should expect one soon? http://securosis.com/publications/CERT%20Advisory.doc

/Pete
DNS Proxy
Hi all,

I'm running OpenBSD 5.2 with squid for a friend who owns an ISP outside the U.S. and uses my OpenBSD squid proxy to access Netflix. I've been told this can also be accomplished via a DNS proxy. Is it true? If yes, which one do you recommend?

Thanks
DNS problem
This falls under the category "When in doubt, ask the OpenBSD guys" (and as all of my firewalls are running OpenBSD I hope this isn't too off-topic).

Basically, four of my networks are not getting an answer for a specific MX query from dyn.com's DNS server. Yet every other DNS cache I've queried works just fine (Google, Level3, Hurricane Electric, Comcast, etc.), and dyn's support claims there is no problem on their end and all of their tests return the proper answer, just as one of my networks does.

Results from the four non-working networks (two are on Comcast, one is AT&T):

=
dig @216.146.35.35 lwtitle.com mx

; <<>> DiG 9.4.2-P2 <<>> @216.146.35.35 lwtitle.com mx
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5502
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lwtitle.com.                   IN      MX

;; Query time: 29 msec
;; SERVER: 216.146.35.35#53(216.146.35.35)
;; WHEN: Fri Dec  6 11:18:05 2013
;; MSG SIZE  rcvd: 29
=

Consequently mail fails to get sent to the lwtitle.com domain.

I should note that if I dig with +trace the proper answer does show up:

=
dig @216.146.35.35 lwtitle.com mx +trace

; <<>> DiG 9.4.2-P2 <<>> @216.146.35.35 lwtitle.com mx +trace
; (1 server found)
;; global options:  printcmd
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
;; Received 228 bytes from 216.146.35.35#53(216.146.35.35) in 34 ms

com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
;; Received 489 bytes from 202.12.27.33#53(m.root-servers.net) in 116 ms

lwtitle.com.            172800  IN      NS      ns21.domaincontrol.com.
lwtitle.com.            172800  IN      NS      ns22.domaincontrol.com.
;; Received 113 bytes from 192.12.94.30#53(e.gtld-servers.net) in 115 ms

lwtitle.com.            3600    IN      MX      0 lwtitle-com.mail.protection.outlook.com.
lwtitle.com.            3600    IN      NS      ns22.domaincontrol.com.
lwtitle.com.            3600    IN      NS      ns21.domaincontrol.com.
;; Received 133 bytes from 208.109.255.11#53(ns22.domaincontrol.com) in 32 ms
=

Although this doesn't help normal resolution. So I'm baffled. Any clues?

Thanks,
Chris
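The empty reply above is worth naming precisely: status NOERROR with ANSWER: 0 is a NODATA response (the cache asserts the name exists but has no MX), which is not the same thing as NXDOMAIN, and a mail server treats the two differently. When several caches are being compared, a small parser saves re-reading dig output by eye. The script below is an added example for this thread, not Chris's code: it parses the header, flags and ANSWER SECTION of dig's text output, classifies each reply, and reports whether the servers agree. The first reply is a trimmed copy of the one quoted above with its tabs restored; the second, carrying the MX record that +trace found, is constructed, as is the 192.0.2.53 server address.

```python
"""Classify and compare dig replies from several recursive servers.

Added example for the thread above, not Chris's code.  DYN_REPLY is trimmed
from the post; OTHER_REPLY and the 192.0.2.53 address are constructed.
"""
import re

DYN_REPLY = """\
; <<>> DiG 9.4.2-P2 <<>> @216.146.35.35 lwtitle.com mx
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5502
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lwtitle.com.\t\t\tIN\tMX

;; Query time: 29 msec
;; SERVER: 216.146.35.35#53(216.146.35.35)
"""

# Constructed reply in the same format, carrying the record +trace found.
OTHER_REPLY = """\
; <<>> DiG 9.4.2-P2 <<>> @192.0.2.53 lwtitle.com mx
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lwtitle.com.\t\t\tIN\tMX

;; ANSWER SECTION:
lwtitle.com.\t\t3600\tIN\tMX\t0 lwtitle-com.mail.protection.outlook.com.

;; SERVER: 192.0.2.53#53(192.0.2.53)
"""

HEADER_RE = re.compile(r"status: (?P<status>\w+), id: (?P<id>\d+)")
FLAGS_RE = re.compile(r"flags: (?P<flags>[\w ]*); QUERY: \d+, ANSWER: (?P<answer>\d+)")


def parse_dig(text):
    """Return status, flags, the ANSWER count and the ANSWER SECTION rdata."""
    result = {"status": None, "flags": [], "answer": 0, "records": []}
    in_answer = False
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            result["status"] = m["status"]
        elif m := FLAGS_RE.search(line):
            result["flags"] = m["flags"].split()
            result["answer"] = int(m["answer"])
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            if not line.strip() or line.startswith(";"):
                in_answer = False          # blank line or next section ends it
                continue
            owner, ttl, cls, rtype, rdata = line.split(None, 4)
            result["records"].append((rtype, rdata))
    return result


def classify(parsed):
    """NXDOMAIN, NODATA (NOERROR but no answers), DATA, or the raw status."""
    if parsed["status"] == "NXDOMAIN":
        return "NXDOMAIN"
    if parsed["status"] == "NOERROR":
        return "DATA" if parsed["answer"] else "NODATA"
    return parsed["status"] or "UNPARSED"


def compare(replies):
    """Map each server to (classification, records); the second value is the
    shared view when every server agrees and None when they disagree."""
    views = {}
    for server, text in replies.items():
        parsed = parse_dig(text)
        views[server] = (classify(parsed), tuple(sorted(parsed["records"])))
    distinct = set(views.values())
    return views, (next(iter(distinct)) if len(distinct) == 1 else None)


if __name__ == "__main__":
    views, consensus = compare({"dyn": DYN_REPLY, "other": OTHER_REPLY})
    for server, view in views.items():
        print(f"{server}: {view[0]} {list(view[1])}")
    print("consensus:", consensus)
```

Run the same `dig @server name mx` against each cache you use, paste the outputs into the dictionary, and a NODATA entry among DATA entries points straight at the cache that is holding a stale or poisoned negative answer.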
DNS Google ?
Hi, Google DNS: NS 1: 8.8.8.8, NS 2: 8.8.4.4. Good alternative or bad alternative? Best regards
nat - DNS-ALG ... Translating DNS for "Twice-NAT"
Hi, I have a problem with DNS while connecting two overlapping private networks. Now I'm looking for a DNS server which will "remap" certain IP addresses according to a translation table or rule. While being unsure, googling on the topic, I found that I'm looking for something called DNS-ALG, but I didn't find anything like this for OpenBSD. Any idea how I could achieve such a kind of "NATting" (masquerading) of DNS query results on my OpenBSD firewall? Kind regards, Stefan
Re: nat - DNS-ALG ... Translating DNS for "Twice-NAT"
Stefan Sczekalla wrote: Hi, I have a Problem with DNS while connecting two overlapping private networks. Now I'm looking for a DNS Server which will "remap" certain IP-addresses according to a translation table or rule. Hi, What is the real problem you're trying to solve ? Laurent
Re: nat - DNS-ALG ... Translating DNS for "Twice-NAT"
Hi Laurent, The Problem I like to solve is: Hiding a Network by nat while keeping it accessible via DNS without translating every natted IP manually on a local DNS-Server. Kind regards, Stefan -Original Message- From: Laurent CARON [mailto:[EMAIL PROTECTED] Sent: Thursday, September 11, 2008 3:02 PM To: Stefan Sczekalla Cc: misc@openbsd.org Subject: Re: nat - DNS-ALG ... Translating DNS for "Twice-NAT" Stefan Sczekalla wrote: > Hi, > > I have a Problem with DNS while connecting two overlapping private > networks. > > Now I'm looking for a DNS Server which will "remap" certain > IP-addresses according to a translation table or rule. Hi, What is the real problem you're trying to solve ? Laurent
Re: nat - DNS-ALG ... Translating DNS for "Twice-NAT"
"Stefan Sczekalla" <[EMAIL PROTECTED]> writes: > I have a Problem with DNS while connecting two overlapping private > networks. > > Now I'm looking for a DNS Server which will "remap" certain IP-addresses > according to a translation table or rule. Overlapping address ranges tend to produce their own sets of problems unless dealt with sanely, but you probably already know that. For the DNS problem, have you considered using views? That is, having BIND present different results depending on where the query comes from. The DNS-ALG bit (look at the dates) is likely a dead end, see if you can't get what you need with some relatively straightforward BIND9 tricks like views. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: nat - DNS-ALG ... Translating DNS for "Twice-NAT"
Stefan Sczekalla wrote: Hi Laurent, The Problem I like to solve is: Hiding a Network by nat while keeping it accessible via DNS without translating every natted IP manually on a local DNS-Server. Maybe I'm completely stupid but I *really* don't see the goal of this.
- You've got a private network.
- You want to hide it from the internet
- You use NAT
- You use the same domain on the external internet and on your internal LAN
- Why not use a split DNS config?
Maybe there are too many assumptions ;) Please tell me if I'm wrong ;)
Re: nat - DNS-ALG ... Translating DNS for "Twice-NAT"
Hi Laurent, e.g.: you join two companies (let's name them "A" and "B") using overlapping private address space. Let's assume "A" has a Fileserver.A at 192.168.2.1. Users at company B would like to access Fileserver.A, but at "B" they have their Mailserver.B at 192.168.2.1. So the network from company A needs to be hidden behind NAT so that 192.168.2.1 at A is accessed by something else from B using e.g. 192.168.202.1 (or any other feasible address). And because "A" has several thousand systems which should be accessed by "B", it would be a big deal when querying the DNS from A would lead to a response with a NATted IP address that "B" could use instead of the "real" A IP address, which are partially in use at "B" too. -Original Message- From: Laurent CARON [mailto:[EMAIL PROTECTED] Sent: Thursday, September 11, 2008 3:30 PM To: Stefan Sczekalla Cc: misc@openbsd.org Subject: Re: nat - DNS-ALG ... Translating DNS for "Twice-NAT" Stefan Sczekalla wrote: > Hi Laurent, > > The Problem I like to solve is: > > Hiding a Network by nat while keeping it accessible via DNS without > translating every natted IP manually on a local DNS-Server. Maybe i'm completely stupid but i *really* don't see the goal of this. - You've got a private network. - You want to hide it from the internet - You use NAT - You use the same domain on the external internet and on your internal LAN - Why not using a split DNS config ? Maybe there is too many assumptions ;) Please tell me if i'm wrong ;)
Re: nat - DNS-ALG ... Translating DNS for "Twice-NAT"
Stefan Sczekalla wrote: Hi Lurent, e.g. : you join two companies ( lets name them "A" and "B" ) using overlapping private adress-space. Lets assume "A" has a Fileserver.A at 192.168.2.1. Users on Company B like to acces Fileserver.A using - but at "B" they have their Mailserver.B at 192.168.2.1. So the network form Company A needs to be hidden behind NAT so that 192.168.2.1 at A is accessed by something else from B using e.g. 192.168.202.1. ( or any other feasible address ). And beause "A" has several 1000 Systems which should be accessed by "B" it would be a big deal when querying the DNS from A - would lead to a response with a NATted IP-Address "B" could use instead the "real" A IP-Address which are paritally in use at "B" too. I think your best option is to use bind views. Don't you think so ?
Re: nat - DNS-ALG ... Translating DNS for "Twice-NAT"
I will definitely take a look at it ... -Original Message- From: Laurent CARON [mailto:[EMAIL PROTECTED] Sent: Thursday, September 11, 2008 4:13 PM To: Stefan Sczekalla Cc: misc@openbsd.org Subject: Re: nat - DNS-ALG ... Translating DNS for "Twice-NAT" Stefan Sczekalla wrote: > Hi Lurent, > > e.g. : > > you join two companies ( lets name them "A" and "B" ) using > overlapping private adress-space. > > Lets assume "A" has a Fileserver.A at 192.168.2.1. > > Users on Company B like to acces Fileserver.A using - but at "B" they > have their Mailserver.B at 192.168.2.1. > So the network form Company A needs to be hidden behind NAT so that > 192.168.2.1 at A is accessed by something else from B using e.g. > 192.168.202.1. ( or any other feasible address ). > > And beause "A" has several 1000 Systems which should be accessed by "B" > it would be a big deal when querying the DNS from A - would lead to a > response with a NATted IP-Address "B" could use instead the "real" A > IP-Address which are paritally in use at "B" too. I think your best option is to use bind views. Don't you think so ?
Re: nat - DNS-ALG ... Translating DNS for "Twice-NAT"
On 16:13, Thu 11 Sep 08, Laurent CARON wrote: > Stefan Sczekalla wrote: > >Hi Lurent, > > > >e.g. : > > > >you join two companies ( lets name them "A" and "B" ) using overlapping > >private adress-space. > > > >Lets assume "A" has a Fileserver.A at 192.168.2.1. > > > >Users on Company B like to acces Fileserver.A using - but at "B" they > >have their Mailserver.B at 192.168.2.1. > >So the network form Company A needs to be hidden behind NAT so that > >192.168.2.1 at A is accessed by something else from B using e.g. > >192.168.202.1. ( or any other feasible address ). > > > >And beause "A" has several 1000 Systems which should be accessed by "B" > >it would be a big deal when querying the DNS from A - would lead to a > >response with a NATted IP-Address "B" could use instead the "real" A > >IP-Address which are paritally in use at "B" too. > > > I think your best option is to use bind views. > > Don't you think so ? I think so too. You can also look at dnsmasq. dnsmasq has some nice alias features. -- Michiel van Baak [EMAIL PROTECTED] http://michiel.vanbaak.eu GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD "Why is it drug addicts and computer aficionados are both called users?"
Re: nat - DNS-ALG ... Translating DNS for "Twice-NAT"
On Thu, 2008-09-11 at 18:27 +0200, Michiel van Baak wrote: > You can also look at dnsmasq. dnsmasq has some nice alias features. djbdns is also able to provide different responses based on query source IP address. ciao Luca
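As an added example that is not from the thread: the address-rewriting ("DNS-ALG") behaviour Stefan asked for, done in Python as a rewrite pass over a wire-format DNS response rather than with BIND views, dnsmasq aliases or djbdns per-client data. Every A record whose address falls inside company A's real prefix is rewritten into the prefix company B reaches it through, keeping the host part (192.168.2.1 becomes 192.168.202.1, the mapping used in the thread). A rdata is always four bytes, so the rewrite is in place and name-compression pointers elsewhere in the message stay valid. The translation table, the names and the sample response are constructed for the example. Two caveats a practitioner would want: only A records are touched (addresses embedded in TXT/SPF data are not), and rewriting records this way breaks DNSSEC validation of those records on the B side, which is one reason views, where the server itself hands out the translated address, are usually the cleaner answer.

```python
import ipaddress
import struct

TYPE_A, CLASS_IN = 1, 1

# Constructed translation table (an assumption for this example): real prefix at
# A -> prefix that B uses to reach A through the NAT. Host bits are preserved.
TRANSLATIONS = [
    (ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("192.168.202.0/24")),
]


def encode_name(name):
    """'fileserver.a.example' -> DNS label format, terminated by a zero length."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Return (name, offset just past the name), following compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            if not jumped:
                end = off + 2                          # the pointer itself is 2 bytes
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def translate(addr):
    """Map an address through TRANSLATIONS, preserving the host bits."""
    for real, mapped in TRANSLATIONS:
        if addr in real:
            return mapped.network_address + (int(addr) - int(real.network_address))
    return addr


def rewrite_a_records(msg):
    """Return (rewritten message, [(owner, old, new), ...]) for every A RR changed."""
    buf = bytearray(msg)
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        off = decode_name(buf, off)[1] + 4
    changes = []
    for _ in range(an + ns + ar):                      # walk every resource record
        owner, off = decode_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            old = ipaddress.IPv4Address(bytes(buf[off:off + 4]))
            new = translate(old)
            if new != old:
                buf[off:off + 4] = new.packed          # same length, rewrite in place
                changes.append((owner, str(old), str(new)))
        off += rdlen
    return bytes(buf), changes


def a_rr(owner, addr, ttl=3600):
    """Encode one A record; owner is pre-encoded bytes (a name or a pointer)."""
    return (owner + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
            + ipaddress.IPv4Address(addr).packed)


# Constructed sample response from A's nameserver: fileserver.a.example A 192.168.2.1
# in ANSWER (owner via pointer 0xC00C to the question name) and, in ADDITIONAL, an A
# record outside the translated prefix that must pass through untouched.
SAMPLE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    + encode_name("fileserver.a.example") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + a_rr(b"\xC0\x0C", "192.168.2.1")
    + a_rr(encode_name("printer.a.example"), "10.9.8.7")
)

if __name__ == "__main__":
    rewritten, changes = rewrite_a_records(SAMPLE)
    for owner, old, new in changes:
        print(f"{owner}: {old} -> {new}")
```

Wired into a forwarder that sits on the B side of the NAT, this is the whole of what a DNS-ALG does; the same translation table is what you would put into pf's binat rules so that the rewritten answers and the translated packets agree.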
DNS Configuration Problem
Hello. I have recently installed OpenBSD 3.7 on my future router and I had the surprise to see that I am not able to properly configure DNS (bind) on this box. I have generated "/etc/rndc.key" with the help of rndc-confgen. The file is successfully generated and I "cat" and see its content, it is nicely generated with no problem, but when I try to execute "/usr/sbin/named" I get tons of errors telling me that "/etc/rndc.key" doesn't really exist. This is when I check again, and yes, "/etc/rndc.key" is there but "/usr/sbin/named" again tells me that it is not there. If someone could help me with this problem then I could carry on with the "NAT ruleset research" for pf, as I have never completed such a configuration before. Thank you all in advance for your help. Best regards. Mihai.
Re: About DNS
On Sun, Aug 14, 2005 at 09:22:57PM +0200, Mike Henker wrote: > For to surf into Internet my ISP provider specify two DNS (primary and > secondary) how I must to add it to the network card I will use for > connect to Internet? > > > > Salutes, > Mike Edit /etc/resolve.conf to look like this:
lookup file bind
nameserver
nameserver
Re: About DNS
This question is answered in FAQ! http://www.openbsd.org/faq/faq6.html On Sunday 14 August 2005 21:22, Mike Henker wrote: > For to surf into Internet my ISP provider specify two DNS (primary and > secondary) how I must to add it to the network card I will use for > connect to Internet? > > > > Salutes, > Mike > > -- Best regards Maxim Bourmistrov
Re: About DNS
For to surf into Internet my ISP provider specify two DNS (primary and secondary) how I must to add it to the network card I will use for connect to Internet? put them into /etc/resolv.conf file, there should be entries like:
nameserver primary_dns
nameserver secondary_dns
-- Wojtek
Re: About DNS
Thanks James, I don't have the file you talked about but I will create it (resolve.conf) with the info you explained. Salutes and thanks for the patience with newbies! ;) Mike James Boothe wrote: On Sun, Aug 14, 2005 at 09:22:57PM +0200, Mike Henker wrote: For to surf into Internet my ISP provider specify two DNS (primary and secondary) how I must to add it to the network card I will use for connect to Internet? Salutes, Mike Edit /etc/resolve.conf to look like this:
lookup file bind
nameserver
nameserver
Re: About DNS
No. Mike: You _do_ have the file. It's resolv.conf with no E. resolve.conf will do nothing. I also strongly suggest you read the very excellent OpenBSD FAQ at http://www.openbsd.org/faq/index.html James: bad typo bad! --James Mike Henker wrote: Thanks James, I don't have the file you talked about but I will create it (resolve.conf) with the info you explained. Salutes and thanks for the patience with newbies! ;) Mike James Boothe wrote: On Sun, Aug 14, 2005 at 09:22:57PM +0200, Mike Henker wrote: For to surf into Internet my ISP provider specify two DNS (primary and secondary) how I must to add it to the network card I will use for connect to Internet? Salutes, Mike Edit /etc/resolve.conf to look like this:
lookup file bind
nameserver
nameserver
Re: About DNS
On Sun, Aug 14, 2005 at 09:49:12PM +0200, Mike Henker wrote: > Thanks James, I don t have the file you talked about but I will create > it (resolve.conf) with the info you explained. > resolv.conf not resolve.conf
Re: DNS attack?
On Sat, 12 Nov 2005 20:15:18 -0600 "J.D. Bronson" <[EMAIL PROTECTED]> wrote: > I am starting to see TONS of these things in my pflog > > Nov 12 19:50:58.030904 rule 48/(match) block in on tun0: > 63.219.179.130.13519 > 65.x.x.169.53: 47505+[|domain] > > Nov 12 19:51:08.037007 rule 48/(match) block in on tun0: > 63.219.179.130.13519 > 65.x.x.169.53: 59022+[|domain] > > I have a block of static IPs - but nothing is running on the .169 IP > and I dont understand this sorta thing. PF is doing its job just > fine...I guess I am looking for what these mean and if anyone knows > what this is. Why don't you use the options that tcpdump provides to decode what the queries are? Have a look at the "-v" option in tcpdump(8) (you will probably need to increase -s too). -d
dynamic dns update
Hi, I would like to know if OpenBSD has the capability to update my dynamic IP at www.dyndns.org. I am currently running myDYNIPPRO on Windows to update my dynamic IP. I want to move to OpenBSD. I am currently running sendmail, popa3d, mrtg, mySQL on the machine. Thanks and best regards, Riwan
DNS and PF
Hello Everyone;

dmz_ip="192.168.1.1"
dmz_block="192.168.1.0/24"
#DNS 1
scarlett="192.168.1.2"
pub_scarlett="64.142.102.9"
#DNS 2
shelly="192.168.1.3"
pub_shelly="64.142.102.10"
#WWW 1
www_ip="192.168.1.4"
pub_www="64.142.102.11"

#Normalizing
scrub in all

#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
binat on rl0 from $scarlett to any -> $pub_scarlett
binat on rl0 from $shelly to any -> $pub_shelly
binat on rl0 from $www_ip to any -> $pub_www

#Redirection
rdr on rl1 proto tcp from any to $pub_www port 80 -> $www_ip

#Default block policy
block all

#Anti-spoofing
block in quick from urpf-failed

#vr0 traffic
pass in on vr0 proto tcp from $int_block to any port 6112
pass in on vr0 proto tcp from $int_block to any port 80
pass in on vr0 proto tcp from $int_block to 207.212.58.16
pass in on vr0 proto tcp from $int_block to any port 443
pass in on vr0 proto tcp from $int_block to any port 5190
pass in on vr0 proto { udp, icmp } from $int_block to any
#pass in all
#pass out all

#rl1 traffic
pass in on rl1 proto { tcp, udp } from $dmz_block port 1024:65535 to any port 53
pass in on rl1 proto icmp from $scarlett to any
pass in on rl1 proto tcp from $www_ip to any port 80
pass in on rl1 proto { udp, icmp } from $www_ip to any

#rl0 traffic
# (only outbound traffic is passed here; there is no "pass in on rl0 ... port 53",
# so queries arriving from the Internet for the binat'd name servers fall to "block all")
pass out on rl0 proto { tcp, udp, icmp } all modulate state

# ifconfig -A
rl0: flags=8843 mtu 1500
    lladdr 00:50:bf:3a:2e:66
    groups: egress
    media: Ethernet autoselect (100baseTX full-duplex)
    status: active
    inet 64.142.102.8 netmask 0xff00 broadcast 64.142.102.255
    inet6 fe80::250:bfff:fe3a:2e66%rl0 prefixlen 64 scopeid 0x1
    inet 64.142.102.9 netmask 0x broadcast 64.142.102.9
    inet 64.142.102.10 netmask 0x broadcast 64.142.102.10
    inet 64.142.102.11 netmask 0x broadcast 64.142.102.11
rl1: flags=8843 mtu 1500
    lladdr 00:13:46:30:0b:b2
    media: Ethernet autoselect (100baseTX full-duplex)
    status: active
    inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
    inet6 fe80::213:46ff:fe30:bb2%rl1 prefixlen 64 scopeid 0x2

I'm currently running DJBDNS 1.05 and cannot resolve my NS records whenever my PF firewall is on a default blocking policy. The commented line, rl1 traffic, contains the pass rule for any DNS traffic, but, even with that line, I cannot resolve the NS records. Whenever the pass in all and pass out all rules are set and loaded, DNS resolves just fine so it would seem that, somewhere in my rules, a problem exists. Anyone who is familiar with PF or DNS and has a thought on how to solve this problem, their input is much appreciated. Thank you; Bray.
Re: DNS issues
Braden Mailloux wrote: Dear Readers; I'm using 4.1 with the generic kernel. Here is my dmesg: # dmesg OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel Pentium III ("GenuineIntel" 686-class, 512KB L2 cache) 552 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE real mem = 536428544 (523856K) avail mem = 481763328 (470472K) using 4278 buffers containing 26943488 bytes (26312K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+ BIOS, date 05/19/00, BIOS32 rev. 0 @ 0xf06c0, SMBIOS rev. 2.3 @ 0xf1f50 (45 entries) bios0: ASUSTeK Computer INC. apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 30102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0xf22 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf0e80/160 (8 entries) pcibios0: PCI Interrupt Router at 000:04:0 ("Intel 82371FB ISA" rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0x8000 acpi at mainbus0 not configured cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03 ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 "ATI Rage Pro" rev 0x5c wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) pcib0 at pci0 dev 4 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02 pciide0 at pci0 dev 4 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility wd0 at pciide0 channel 0 drive 0: wd0: 16-sector PIO, LBA, 76319MB, 156301488 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 uhci0 at pci0 dev 4 function 2 "Intel 82371AB 
USB" rev 0x01: irq 12 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered piixpm0 at pci0 dev 4 function 3 "Intel 82371AB Power" rev 0x02: SMI iic0 at piixpm0 lm1 at iic0 addr 0x2d: AS99127F rl0 at pci0 dev 11 function 0 "Accton MPX 5030/5038" rev 0x10: irq 10, address 00:10:b5:8d:0c:e8 rlphy0 at rl0 phy 0: RTL internal PHY

my ifconfig
# ifconfig =A
=A: no such interface
# ifconfig -A
#Loop back, pflog omitted
rl0: flags=8843 mtu 1500
    lladdr 00:10:b5:8d:0c:e8
    groups: egress
    media: Ethernet autoselect (100baseTX full-duplex)
    status: active
    inet 192.168.1.2 netmask 0xff00 broadcast 192.168.1.255
    inet6 fe80::210:b5ff:fe8d:ce8%rl0 prefixlen 64 scopeid 0x1

my resolv.conf
nameserver 208.201.224.11
nameserver 208.201.224.33

My name server, a.ns.theamericanbray.com, is having issues resolving any DNS related matters; dig returns a time out error, an nslookup from a workstation on another site returns a time out as well when checking the status of theamericanbray.com. My other name server, b.ns.theamericanbray.com, has no problems with dig, but nslookup from a different site doesn't seem to receive any answers from that name server. The software being used is DJBDNS and my data files look as thus:
.theamericanbray.com:64.142.102.9:a:259200
.theamericanbray.com:64.142.102.10:b:259200
=www.theamericanbray.com:64.142.102.11:86400
+www.theamericanbray.com:64.142.102.11

Also, I'm using a pf firewall to distribute and manage my internet connection. My pf.conf is thus:

# 192.168.0.1 subnet
ext_ip="64.142.102.8"
int_ip="192.168.0.1"
int_block="192.168.0.0/24"
#DMZ subnet
#Interface
dmz_ip="192.168.1.1"
dmz_block="192.168.1.0/24"
#DNS 1
ns_a="192.168.1.2"
pub_ns_a="64.142.102.9"
#DNS 2
ns_b="192.168.1.3"
pub_ns_b="64.142.102.10"
#WWW 1
www_ip="192.168.1.4"
pub_www="64.142.102.11"
#DMZ Services
services="{ domain, www, smtp, }"

#Normalizing
scrub in all
set skip on lo0

#NAT and Binat
nat on rl0 from $int_block to any -> $ext_ip
binat on rl0 from $ns_a to any -> $pub_ns_a
binat on rl0 from $ns_b to any -> $pub_ns_b
binat on rl0 from $www_ip to any -> $pub_www

#Redirection
rdr on rl1 proto tcp from any to $pub_www port 80 -> $www_ip

#Default block policy
block log all

#Anti-spoofing
block in quick from urpf-failed

#rl0 traffic
pass on rl0 proto icmp all
pass in on rl0 proto { tcp, udp } from any to { $ns_a, $ns_b } port domain
pass in on rl0 proto tcp from any to $ext_ip port ftp
pass in on rl0 proto tcp from any to { $ext_ip, $www_ip } port { 80, 443 }
pass in on rl0 proto tcp from any to { $pub_ns_b, $pub_www, $pub_ns_a, $ext_ip
Re: DNS issues
On 7/15/07, Braden Mailloux <[EMAIL PROTECTED]> wrote: Dear Readers; #Default block policy block log all You have a nice "block log all" policy. How about using the debugging capabilities of this policy? Run tcpdump on the pflog0 interface to see the blocked packets. tcpdump -eni pflog0. Unless you have a routing issue, this will give you all the clues you need. =Adriaan=
Re: DNS issues
On 2007/07/14 21:21, Braden Mailloux wrote: >> block in quick from urpf-failed I would get a 'log' on here too > A follow up, when running the route show command, the routing table prints > with excruciatingly slow speed, its been almost 8 minutes and it is still > going. It looks up names, try -n
Re: DNS issues
Stuart Henderson wrote: On 2007/07/14 21:21, Braden Mailloux wrote: block in quick from urpf-failed I would get a 'log' on here too A follow up, when running the route show command, the routing table prints with excruciatingly slow speed, its been almost 8 minutes and it is still going. It looks up names, try -n Dear Readers; I've been using the log feature of pf and have found that, when attempting to access my webserver via dns, that pf does not block any traffic. I also added a log to my "block in quick from urpf-failed" and that has returned no hits in the log. I posted my dmesg because, perhaps, the problem is hardware related (a broken ethernet card). But, this seems less than hopeful as I'm able to connect to the dns server with ssh and can ping other computers on my network. This is such an odd problem because other computers on my network have no problems reaching a DNS server, but this one server has been continually problematic in the past and present. Thanks; Braden.
Re: DNS issues
On 7/15/07, Braden Mailloux <[EMAIL PROTECTED]> wrote: Dear Readers; I've been using the log feature of pf and have found that, when attempting to access my webserver via dns, that pf does not block any traffic. I also added a log to my "block in quick from urpf-failed" and that has returned no hits in the log. The time that I had a similar issue, where tcpdump on pflog0 didn't show anything, turned out to be a routing issue. I had an authoritative-only nameserver in a DMZ and forgot to set its default route to the IP address of the DMZ NIC of the OBSD firewall. It didn't know how to route the replies to the outside and hence nothing showed up on pflog0. tcpdump is not limited to pflog0, you also can run it on a normal interface. ;) SSH in on the nameserver and run tcpdump on its NIC:
tcpdump -ni fxp0 port domain
Check if you see a DNS request coming in. =Adriaan=
Re: DNS issues
Adriaan wrote: On 7/15/07, Braden Mailloux <[EMAIL PROTECTED]> wrote: Dear Readers; I've been using the log feature of pf and have found that, when attempting to access my webserver via dns, that pf does not block any traffic. I also added a log to my "block in quick from urpf-failed" and that has returned no hits in the log. The time that I had a similar issue, where tcpdump on pflog0 didn't show anything, turned out to be a routing issue. I had a authoritative-only nameserver in a DMZ and forgot to set it's default route to the IP address of the DMZ NIC of the OBSD firewall. It didn't know how to route ihe replies to the outside and hence nothing showed up on pflog0. tcpdump is not limited to pflog0, you also can run it on a normal interface. ;) SSH in on the nameserver and run tcpdump on it's NIC tcpdump -ni fxp0 port domain Check if you see a DNS request coming in =Adriaan= Dear Readers; My nameserver's default route is set to the ip address of the DMZ nic. Also, when attempting to access my webserver via DNS from another site, no DNS queries came through to my server while monitoring the dump information on rl0 (my nameserver's nic). Thanks; Braden.
Re: DNS issues
Braden Mailloux wrote: Adriaan wrote: On 7/15/07, Braden Mailloux <[EMAIL PROTECTED]> wrote: Dear Readers; I've been using the log feature of pf and have found that, when attempting to access my webserver via dns, that pf does not block any traffic. I also added a log to my "block in quick from urpf-failed" and that has returned no hits in the log. The time that I had a similar issue, where tcpdump on pflog0 didn't show anything, turned out to be a routing issue. I had a authoritative-only nameserver in a DMZ and forgot to set it's default route to the IP address of the DMZ NIC of the OBSD firewall. It didn't know how to route ihe replies to the outside and hence nothing showed up on pflog0. tcpdump is not limited to pflog0, you also can run it on a normal interface. ;) SSH in on the nameserver and run tcpdump on it's NIC tcpdump -ni fxp0 port domain Check if you see a DNS request coming in =Adriaan= Dear Readers; My nameserver's default route is set to the ip address of the DMZ nic. Also, when attempting to access my webserver via DNS from another site, no DNS queries came through to my server while monitoring the dump information on rl0 (my nameserver's nic). Thanks; Braden. Dear Readers; Ok, so I added these two lines to my pf.conf:
rdr on rl0 proto udp from any to $pub_ns_a port domain -> $ns_a
rdr on rl0 proto udp from any to $pub_ns_b port domain -> $ns_b
Afterwards, while watching traffic on both my a and b server using tcpdump -ni (my interface) port domain, my traffic now lights up with domain requests. But, I still cannot seem to get on the internet with my a server. thanks; Braden.
Re: DNS issues
On 7/15/07, Braden Mailloux <[EMAIL PROTECTED]> wrote: Adriaan wrote: > On 7/15/07, Braden Mailloux <[EMAIL PROTECTED]> wrote: > >> Dear Readers; >> >> I've been using the log feature of pf and have found that, when >> attempting to access my webserver via dns, that pf does not block any >> traffic. I also added a log to my "block in quick from urpf-failed" and >> that has returned no hits in the log. > > The time that I had a similar issue, where tcpdump on pflog0 didn't > show anything, turned out to be a routing issue. > I had a authoritative-only nameserver in a DMZ and forgot to set it's > default route to the IP address of the DMZ NIC of the OBSD firewall. > It didn't know how to route ihe replies to the outside and hence > nothing showed up on pflog0. > > tcpdump is not limited to pflog0, you also can run it on a normal > interface. ;) > > SSH in on the nameserver and run tcpdump on it's NIC > tcpdump -ni fxp0 port domain > > Check if you see a DNS request coming in > > =Adriaan= > > > Dear Readers; My nameserver's default route is set to the ip address of the DMZ nic. Also, when attempting to access my webserver via DNS from another site, no DNS queries came through to my server while monitoring the dump information on rl0 (my nameserver's nic). Does tcpdump on the external NIC of your OpenBSD firewall show any DNS requests coming in? Doing an A record search for www.theamericanbray.com at http://www.squish.net/dnscheck/ gives the following result:
50.0% of queries will end in failure at 64.142.102.9 (a.ns.theamericanbray.com) - query timed out
50.0% of queries will end in failure at 64.142.102.10 (b.ns.theamericanbray.com) - query timed out
Keep in mind that you have to perform tests from the outside as described in http://openbsd.unixtech.be/faq/pf/rdr.html#reflect Did you do the tests suggested in the section "Checking addresses of your computers" of http://cr.yp.to/djbdns/run-server.html ? =Adriaan=
NIS and DNS
Dear list members, I have been reading the Makefiles for building NIS databases and realized there is an option "-b" for allowing hostnames to be retrieved from DNS. Correct me if I am wrong, but I understand all hostname spaces are made available for each of the NIS domains one is managing after enabling such an option. After managing to have yp looking up hostnames in DNS, what would be the rationale behind using netgroups for managing hostnames after they have all been made available through DNS? Thanks in advance.
Re: dns query
On Monday 07 August 2006 15:58, riwanlky wrote: > Hi all, > > I don't know if it is the right place to write about this problem. > I am running OpenBSD 3.9, however it seem to me that my OpenBSD > box always send a DNS query for: > - email sending (from internal and external) I had tried to add in my > resolv.conf to use nameserver localhost. So that @mcojaya.com > will not go to other DNS server for query. I use /etc/hosts to add > 127.0.0.1 mcojaya.com > I have problem that when the internet is down, my local users were > not able to send email because of DNS query check. > - nagios. I use check_ping, and it seem that it will always query > DNS for every ip address (host) that I setup to check_ping. > > I did not modify any inetd.conf > > Thanks, best regards, > riwan Why not set up your own DNS server to serve the mcojaya.com zone and forward DNS queries other than mcojaya.com to your ISP's DNS servers? It can be easily achieved with bind or with djbdns' tinydns and dnscache. -- Warm regards, Kevin Foo Key fingerprint : 4B23 FC1C E50B 9693 CCDD 2A7D A048 E909 8924 9BDD Public key : http://keyserver.linux.it/pks/lookup?op=get&search=0xA048E90989249BDD
Re: dns query
** Reply to message from riwanlky <[EMAIL PROTECTED]> on Mon, 07 Aug 2006 14:58:52 +0700 >I don't know if it is the right place to write about this problem. >I am running OpenBSD 3.9, however it seem to me that my OpenBSD >box always send a DNS query for: >- email sending (from internal and external) I had tried to add in my >resolv.conf to use nameserver localhost. So that @mcojaya.com >will not go to other DNS server for query. I use /etc/hosts to add >127.0.0.1 mcojaya.com >I have problem that when the internet is down, my local users were >not able to send email because of DNS query check. >- nagios. I use check_ping, and it seem that it will always query >DNS for every ip address (host) that I setup to check_ping. > >I did not modify any inetd.conf Sending email requires more than just an IP address. When sending a message to @, the mailer first checks where it should be sent by looking for an 'MX' (Mail eXchanger) record for -- and 'MX' records can only be supplied via DNS. The typical setup is something like:
domain.example IN MX 10 mail-server.domain.example
mail-server.domain.example IN A 192.168.13.57
So if you want this to work when your internet connection is down you need to either set up your own DNS server (it's not all that hard, but is certainly not trivial) or find a mailer (if one exists) that does some special hackery to avoid DNS queries for locally-addressed messages. Dave -- Dave Anderson <[EMAIL PROTECTED]>
Re: dns query
Hi,

Original message
Date: Mon, 07 Aug 2006 14:58:52 +0700
From: riwanlky <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: dns query

> Hi all,
>
> I don't know if it is the right place to write about this problem.
> I am running OpenBSD 3.9, however it seem to me that my OpenBSD
> box always send a DNS query for:
> - email sending (from internal and external) I had tried to add in my
> resolv.conf to use nameserver localhost. So that @mcojaya.com
> will not go to other DNS server for query. I use /etc/hosts to add
> 127.0.0.1 mcojaya.com
> I have problem that when the internet is down, my local users were
> not able to send email because of DNS query check.
> - nagios. I use check_ping, and it seem that it will always query
> DNS for every ip address (host) that I setup to check_ping.
>
> I did not modify any inetd.conf
>
> Thanks, best regards,
> riwan

have a look at DNSMASQ, which is in ports, I think. Homepage is at "http://www.thekelleys.org.uk/dnsmasq/doc.html" and fills probably all your needs.

Regards
Stefan Kell
Re: DNS setup
martin g wrote:
> Hello all
>
> Approx. 2 weeks ago i posted a question titled web browsing to this list. It was about how to setup NAT on my gateway so intranet computers can access Internet. The current situation is: I have a obsd3.9 box connected to internet using ppp.conf, on the inside i have a winXP box connected to switch, connected to obsd box. The thing that wasn't working was that my XP box couldn't access web pages. I blamed it on pf.conf. But that wasn't the case. Today i tried this: I turned off Pf i will set that up later I checked man ppp and found this info. ...to turn on NAT add this line to ppp.conf: nat enable yes... . With this line added to ppp.conf things started to work.
>
> Now the question :
> 1. My resolv.conf contains nameservers from my ISP
> 2. At the beginning xp box was setup with DNS parameter pointing to my gateway 192.168.0.1. I could not access Internet, then i changed this parameter to dns server ip of my ISP and things work again.
>
> What must i do that things will work with dns parameter set to my gateway ?

Your GW needs to run dns, resolv.conf sets up dns for the GW to use for itself; it does not make it a forwarder or nameserver. Do a search for setting up a caching dns box. Alternatively you could I suppose proxy dns requests from your client PC to your ISP's dns servers ...

> Are there any security threats with parameters set to dns ip from my ISP ? Will this be a problem when setting up Pf ?

Depends on whether your ISP knows how to keep their dns servers secure.
Re: DNS vunerable??
--On 11 December 2005 11:08 -0200, Beto wrote:
> I'm not an expert in security but I saw something strange on my tcpdump and searching on google it seems like a security fault.
>
> 10:58:35.107197 192.168.1.12.1372 > 192.168.1.254.53: 28645+ ? ncdserver.ncd.org.br. (38) (DF)
> 10:58:35.115757 192.168.1.254.53 > 192.168.1.14.3288: 38173 NXDomain* 0/1/0 (94)

It doesn't look like there's any record for ncdserver.ncd.org.br (or ncd.org.br, for that matter), so NXDomain is correct in this case. Try your query against some name that does exist in DNS (e.g. something with an A record and no record) and you shouldn't get NXDomain.
Re: DNS Question.
2008/5/17 Dark Nebula <[EMAIL PROTECTED]>:
> Hi all,
>
> Is it possible to perform a DNS query that gives me all A records from one ip,
> (without using the reverse DNS) ?
>
> Thanks a lot
>

Are you asking to find all the forward A records for a given IP? If so, there is no way to do that, not even with rDNS

-- 
-Lawrence
Re: DNS Question.
On Sat, 2008-05-17 at 18:21 -0700, Lord Sporkton wrote:
> 2008/5/17 Dark Nebula <[EMAIL PROTECTED]>:
> > Hi all,
> >
> > Is it possible to perform a DNS query that gives me all A records from one ip,
> > (without using the reverse DNS) ?
> >
> > Thanks a lot
> >
>
> Are you asking to find all the forward A records for a given IP?
> If so, there is no way to do that, not even with rDNS

There are services that track IP usage and correlate them to domains. The tools allow you to find out (approximately) what A records point to any given IP. This one is relatively accurate:

http://www.myipneighbors.com/

I would not treat its output as gospel. It gives a decent indicator of how many virtual hosts are pointed at any given IP and shows you who they are. Note, this only tracks A records, not MX records and is easily confused by CNAMEs.

There is no way to query for this, you would have to get a list of all FQDNs in use on the Internet and continuously dig them to record their IP. I don't know of any service that does this and offers free automated queries via some kind of text client, most insist that you use their web interface. This makes them handy for manual look ups but useless in any kind of automated tool.

Cheers,
--Tim

-- 
Monkey + Typewriter = Echoreply ( http://echoreply.us )
Re: DNS patch
Pete Vickers <[EMAIL PROTECTED]> writes: > Does this mean we should expect one soon ? Possibly. Still can't think of a valid reason why they decided to post a Microsoft document (your choice of strings or OpenOffice.org) -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: DNS patch
On 7/8/08 2:30 PM, Peter N. M. Hansteen wrote: Pete Vickers <[EMAIL PROTECTED]> writes: Does this mean we should expect one soon ? Possibly. Still can't think of a valid reason why they decided to post a Microsoft document (your choice of strings or OpenOffice.org) or html: http://is.gd/OD7 dn
dhcp and dns
I'm running 5.2. And starting to have more and more things that need IP addresses pop in and out of the house. Rather than hardcoding everything into dhcpd.conf, I thought I'd check with you guys to see what you use to have new devices register into DNS? I'm using unbound, but will go back to bind if need be. Thanks! -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk "This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation. "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford learn french: http://www.youtube.com/watch?v=30v_g83VHK4
Split zone DNS?
Hi, I recently upgraded to 6.1 and am trying to (finally, after many OpenBSD versions over 10 years) fine tune my home network. I would like to run a local resolver on my internal network that will resolve all my hosts on my local network to IP addresses on my local network(s) rather than resolving to their public IP addresses. I believe it's called a "split zone" DNS, where my domain is resolved locally, but everyone else is resolved using normal resolution processes. I set this up at one of my previous jobs using BIND, but that was 7 years ago. I've never gone to the trouble of doing it at home, but I would like to exercise my brain a bit as well as having my home network set up "better". What is the best tool to accomplish this these days? Is NSD the "modern" tool to be using on OpenBSD? Are there any hooks for dhcpd to update records? I've read the NSD(8), nsd.conf(5) man pages and that seems to be the way to go, but I thought I'd check the wisdom here to see if there is a better approach. Thanks, Steve Williams
Managed DNS recommendation
This is not strictly an OpenBSD based question but I highly value advice from this list. I just logged into our ZoneEdit account, which was recently acquired by EasyDNS of Toronto. To my horror I found out that our renewal date has conveniently changed from August of 2018 to two weeks from now. I called EasyDNS customer service, who conceded that the transition is very tricky and they can't help me with my ZoneEdit account but would be happy to open their own account. ZoneEdit can be reached only via e-mail. Long story short, I am going to pull the trigger and change our managed DNS provider. I just learnt that EasyDNS is BIND based. Any recommendations, in particular for NSD based providers? Cheers, Predrag
Periodic DNS resolution
A problem that seems to come up over and over again with egress filtering firewalls is sites that move IPs, so the names need to be resolved periodically and rules updated. I recently migrated to using pf and was wondering if anyone had suggestions for how they tackle this problem. I realize I could create cron jobs with scripts to do this, but was curious if there was a better way. I'd eventually like to track changes and log them as well. Cheers, Austin
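One way to tackle the periodic re-resolution and change tracking Austin asks about, as an added example (not from the post, and not part of pf): a Python script meant to run from cron that keeps the previous snapshot in a JSON file, logs only the differences, keeps the last known-good addresses when a lookup fails so a DNS outage cannot empty the table, and builds the pfctl -T replace argv for the table. The hostnames, addresses, table name and state path are constructed; the resolver is a parameter so the logic can be replayed offline.

```python
"""Track hostname-to-address changes for a pf egress table between cron runs.

Added example, not from Austin's post or from pf itself. The resolver is a
parameter so the logic runs offline; the default uses socket.getaddrinfo.
Hostnames, addresses and the table name below are constructed samples.
"""
from __future__ import annotations

import json
import socket
from datetime import datetime, timezone
from pathlib import Path


def resolve_all(hostname: str) -> set[str]:
    """Default resolver: every IPv4/IPv6 address the system resolver returns,
    or an empty set when the lookup fails."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


def refresh(hostnames, resolver=resolve_all, previous=None) -> dict[str, set[str]]:
    """Resolve each hostname. A failed lookup keeps the last known-good
    addresses so a transient DNS outage cannot empty the table and cut egress."""
    previous = previous or {}
    current = {}
    for host in hostnames:
        addrs = resolver(host)
        if not addrs and host in previous:
            addrs = set(previous[host])
        current[host] = addrs
    return current


def diff_state(old, new) -> list[str]:
    """Human-readable change records between two snapshots, sorted by host."""
    changes = []
    for host in sorted(set(old) | set(new)):
        before, after = old.get(host, set()), new.get(host, set())
        changes += [f"{host} added {a}" for a in sorted(after - before)]
        changes += [f"{host} removed {a}" for a in sorted(before - after)]
    return changes


def pf_table_addresses(state) -> list[str]:
    """Sorted, de-duplicated address list for the whole table."""
    return sorted({a for addrs in state.values() for a in addrs})


def pfctl_command(table: str, state) -> list[str]:
    """argv that swaps the table contents atomically:
    pfctl -t <table> -T replace <addr>...  (hand it to subprocess.run)."""
    return ["pfctl", "-t", table, "-T", "replace", *pf_table_addresses(state)]


def load_state(path: Path) -> dict[str, set[str]]:
    if not path.exists():
        return {}
    return {h: set(a) for h, a in json.loads(path.read_text()).items()}


def save_state(path: Path, state) -> None:
    path.write_text(json.dumps({h: sorted(a) for h, a in state.items()}, indent=1))


def run_once(hostnames, table, state_path: Path, resolver=resolve_all):
    """One cron iteration: resolve, diff against the saved snapshot, persist,
    and return (timestamped change log lines, pfctl argv)."""
    old = load_state(state_path)
    new = refresh(hostnames, resolver, old)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    log = [f"{stamp} {c}" for c in diff_state(old, new)]
    save_state(state_path, new)
    return log, pfctl_command(table, new)


# Constructed sample answers standing in for two successive cron runs.
SAMPLE_RUN1 = {"updates.example.net": {"192.0.2.10"},
               "cdn.example.net": {"198.51.100.5", "198.51.100.6"}}
SAMPLE_RUN2 = {"updates.example.net": {"192.0.2.11"},
               "cdn.example.net": set()}        # lookup failed on this run
HOSTS = sorted(SAMPLE_RUN1)


def demo() -> tuple[list[str], list[str], list[str]]:
    """Replay the two sample runs in memory; returns (changes1, changes2, argv2)."""
    run1 = refresh(HOSTS, lambda h: SAMPLE_RUN1.get(h, set()))
    run2 = refresh(HOSTS, lambda h: SAMPLE_RUN2.get(h, set()), run1)
    return diff_state({}, run1), diff_state(run1, run2), pfctl_command("egress_allow", run2)


if __name__ == "__main__":
    for part in demo():
        print(*part, sep="\n")
```

For real use, point run_once at a state file such as /var/db/egress-state.json (constructed path) and run it from cron; the returned log lines are what you would append to a change log.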
Re: DNS Proxy
On 15. september 2013 at 11:57 AM, "Monah Baki" wrote: > >Hi all, > > >I'm running OpenBSD 5.2 with squid for a friend who owns an ISP >outside the U.S and uses my OpenBSD squid proxy to access netflix. I've been >told this can be also accomplished via DNS Proxy. Is it true? > >If yes which one do you recommend? I don't know about that, but the same can be accomplished if your server runs sshd and your friend sets up an SSH tunnel for instance using PuTTY and Firefox. O.D.
Re: DNS Proxy
DNS proxy uses less bandwidth on your end. There are a dozen DNS proxy services out there for media, they all work on the same basic principle. On Sun, Sep 15, 2013 at 4:55 AM, Monah Baki wrote: > Hi all, > > > I'm running OpenBSD 5.2 with squid for a friend who owns an ISP outside the > U.S and uses my OpenBSD squid proxy to access netflix. I've been told this > can be also accomplished via DNS Proxy. Is it true? > > If yes which one do you recommend? > > > Thanks
Re: DNS Proxy
Also given dns is a user of UDP by default you need to use some other tunnel mechanism other than ssh. -Joel Johan Beisser wrote: >DNS proxy uses less bandwidth on your end. > >There are a dozen DNS proxy services out there for media, they all >work on the same basic principle. > >On Sun, Sep 15, 2013 at 4:55 AM, Monah Baki >wrote: >> Hi all, >> >> >> I'm running OpenBSD 5.2 with squid for a friend who owns an ISP >outside the >> U.S and uses my OpenBSD squid proxy to access netflix. I've been told >this >> can be also accomplished via DNS Proxy. Is it true? >> >> If yes which one do you recommend? >> >> >> Thanks -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: DNS Proxy
Use the D option in ssh(1) and the SOCKS proxy will do lookups through the tunnel. Make sure you use version 5 (OpenSSH supports 4 and 5). On Sun, Sep 15, 2013 at 12:42 PM, Joel Wirāmu Pauling wrote: > Also given dns is a user of UDP by default you need to use some other tunnel > mechanism other than ssh. > > -Joel > > > Johan Beisser wrote: >> >> DNS proxy uses less bandwidth on your end. >> >> There are a dozen DNS proxy services out there for media, they all >> work on the same basic principle. >> >> On Sun, Sep 15, 2013 at 4:55 AM, Monah Baki wrote: >>> >>> Hi all, >>> >>> >>> I'm running OpenBSD 5.2 with squid for a friend who owns an ISP outside >>> the >>> U.S and uses my OpenBSD squid proxy to access netflix. I've been told >>> this >>> can be also accomplished via DNS Proxy. Is it true? >>> >>> If yes which one do you recommend? >>> >>> >>> Thanks >> >> > > -- > Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: DNS Proxy
Thanks, but if i need to create one on my server is it doable?

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.

From: Johan Beisser
Sent: Sunday, September 15, 2013 3:37 PM
To: Monah Baki
Cc: Openbsd Misc (E-mail)
Subject: Re: DNS Proxy

DNS proxy uses less bandwidth on your end. There are a dozen DNS proxy services out there for media, they all work on the same basic principle.

On Sun, Sep 15, 2013 at 4:55 AM, Monah Baki wrote:
> Hi all,
>
>
> I'm running OpenBSD 5.2 with squid for a friend who owns an ISP outside the
> U.S and uses my OpenBSD squid proxy to access netflix. I've been told this
> can be also accomplished via DNS Proxy. Is it true?
>
> If yes which one do you recommend?
>
>
> Thanks
Re: DNS problem
Chris Smith writes: > Basically, four of my networks are not getting an answer for a > specific mx query from dyn.com's DNS server. but, say $ dig @216.146.35.35 bsdly.net mx works? Or do you get no answer for any queries? - Peter -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: DNS problem
On Fri, Dec 6, 2013 at 11:54 AM, Peter N. M. Hansteen wrote: > but, say > > $ dig @216.146.35.35 bsdly.net mx > > works? > > Or do you get no answer for any queries? It's just that one particular query and the same domain's TXT record. There may be others but this one was found because one of my clients needed to email that company. All other queries seem to work - even the A record for that domain. And yet from one of the 4 networks I do work for the query works just fine.
Re: DNS problem
Em 06-12-2013 14:31, Chris Smith escreveu:
> This falls under the category "When in doubt, ask the OpenBSD guys"
> (and as all of my firewalls are running OpenBSD I hope this isn't too
> off topic).
>
> Basically, four of my networks are not getting an answer for a
> specific mx query from dyn.com's DNS server. Yet every other DNS cache
> I've queried works just fine (Google, Level3, Hurricane Electric,
> Comcast, etc.) and dyn's support claims there is no problem on their
> end and all of their tests return the proper answer just as one of my
> networks does.
>
> Results from the four non-working networks (two are on Comcast, one is AT&T):
> =
> dig @216.146.35.35 lwtitle.com mx
>
> ; <<>> DiG 9.4.2-P2 <<>> @216.146.35.35 lwtitle.com mx
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5502
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;lwtitle.com. IN MX
>
> ;; Query time: 29 msec
> ;; SERVER: 216.146.35.35#53(216.146.35.35)
> ;; WHEN: Fri Dec 6 11:18:05 2013
> ;; MSG SIZE rcvd: 29
> =
> Consequently mail fails to get sent to the lwtitle.com domain.
>
> I should note that if I dig with +trace the proper answer does show up:
> =
> dig @216.146.35.35 lwtitle.com mx +trace
>
> ; <<>> DiG 9.4.2-P2 <<>> @216.146.35.35 lwtitle.com mx +trace
> ; (1 server found)
> ;; global options: printcmd
> .            518400 IN NS a.root-servers.net.
> .            518400 IN NS b.root-servers.net.
> .            518400 IN NS c.root-servers.net.
> .            518400 IN NS d.root-servers.net.
> .            518400 IN NS e.root-servers.net.
> .            518400 IN NS f.root-servers.net.
> .            518400 IN NS g.root-servers.net.
> .            518400 IN NS h.root-servers.net.
> .            518400 IN NS i.root-servers.net.
> .            518400 IN NS j.root-servers.net.
> .            518400 IN NS k.root-servers.net.
> .            518400 IN NS l.root-servers.net.
> .            518400 IN NS m.root-servers.net.
> ;; Received 228 bytes from 216.146.35.35#53(216.146.35.35) in 34 ms
>
> com.         172800 IN NS j.gtld-servers.net.
> com.         172800 IN NS k.gtld-servers.net.
> com.         172800 IN NS h.gtld-servers.net.
> com.         172800 IN NS b.gtld-servers.net.
> com.         172800 IN NS c.gtld-servers.net.
> com.         172800 IN NS e.gtld-servers.net.
> com.         172800 IN NS i.gtld-servers.net.
> com.         172800 IN NS l.gtld-servers.net.
> com.         172800 IN NS m.gtld-servers.net.
> com.         172800 IN NS a.gtld-servers.net.
> com.         172800 IN NS f.gtld-servers.net.
> com.         172800 IN NS d.gtld-servers.net.
> com.         172800 IN NS g.gtld-servers.net.
> ;; Received 489 bytes from 202.12.27.33#53(m.root-servers.net) in 116 ms
>
> lwtitle.com. 172800 IN NS ns21.domaincontrol.com.
> lwtitle.com. 172800 IN NS ns22.domaincontrol.com.
> ;; Received 113 bytes from 192.12.94.30#53(e.gtld-servers.net) in 115 ms
>
> lwtitle.com. 3600   IN MX 0 lwtitle-com.mail.protection.outlook.com.
> lwtitle.com. 3600   IN NS ns22.domaincontrol.com.
> lwtitle.com. 3600   IN NS ns21.domaincontrol.com.
> ;; Received 133 bytes from 208.109.255.11#53(ns22.domaincontrol.com) in 32 ms
> =
> Although this doesn't help normal resolution.
>
> So I'm baffled. Any clues?
>
> Thanks,
>
> Chris
>

Chris,

I do not know if it is the case, but many isp's today use dns transparent proxying. That is, even if you're not using their provided dns servers, they intercept your dns connection, and they do all sort of nasty things with it, ranging from displaying ad pages for mistyped domains, to recording every dns query you make.

You can try using the site www.dnsleaktest.com to see if it is your case. If it is, I suggest you to use the dnscrypt proxy, which is an implementation of dnscurve, that was made by opendns. By default it uses the opendns server, but there are other servers enabled for it and you can use one of your servers too.

Try this and see if it improves your situation.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: DNS problem
On Fri, Dec 6, 2013 at 12:07 PM, Giancarlo Razzolini wrote:
> I do not know if it is the case, but many isp's today use dns
> transparent proxying.
>
> You can try using the site www.dnsleaktest.com to see if it is your
> case.

The lwtitle.com mx and lwtitle.com txt queries both fail for me here and I run unbound as a resolver on my firewall and I pass the DNS leak test.

The one network of the 4 that I do get a proper answer on has an older version of OpenBSD on its firewall (4.9) while all the ones that are failing for me run a fairly current (or even -current) version.

And if my ISP, and a couple of the others, were doing dns proxy and that was messing up the results it would surely mess them up for all of the DNS caches I tested.

=
dig @216.146.35.35 lwtitle.com mx +noall +answer

; <<>> DiG 9.4.2-P2 <<>> @216.146.35.35 lwtitle.com mx +noall +answer
; (1 server found)
;; global options: printcmd
=
dig @8.8.8.8 lwtitle.com mx +noall +answer

; <<>> DiG 9.4.2-P2 <<>> @8.8.8.8 lwtitle.com mx +noall +answer
; (1 server found)
;; global options: printcmd
lwtitle.com.  3600 IN MX 0 lwtitle-com.mail.protection.outlook.com.
=
dig @209.244.0.3 lwtitle.com mx +noall +answer

; <<>> DiG 9.4.2-P2 <<>> @209.244.0.3 lwtitle.com mx +noall +answer
; (1 server found)
;; global options: printcmd
lwtitle.com.  3600 IN MX 0 lwtitle-com.mail.protection.outlook.com.
=
dig @198.153.192.40 lwtitle.com mx +noall +answer

; <<>> DiG 9.4.2-P2 <<>> @198.153.192.40 lwtitle.com mx +noall +answer
; (1 server found)
;; global options: printcmd
lwtitle.com.  3600 IN MX 0 lwtitle-com.mail.protection.outlook.com.
=
etc.

Only those specific queries from some places to dyn's internet guide fail.

From the network running 4.9:
=
dig @216.146.35.35 lwtitle.com mx +noall +answer

; <<>> DiG 9.4.2-P2 <<>> @216.146.35.35 lwtitle.com mx +noall +answer
; (1 server found)
;; global options: printcmd
lwtitle.com.  2181 IN MX 0 lwtitle-com.mail.protection.outlook.com.
=

-- 
Chris
Re: DNS problem
Em 06-12-2013 15:42, Chris Smith escreveu:
> The lwtitle.com mx and lwtitle.com txt queries both fail for me here
> and I run unbound as a resolver on my firewall and I pass the DNS leak
> test.

The dns leaktest only detects if the provider is actively redirecting your queries to their caching resolvers. And even so, who is to say that they are not detecting your dnsleaktest attempt and leaving it alone, so your test passes, but when you query another domain they intercept it? I know it does sound too much of a conspiracy theory, but these days, post-Snowden, who can assure anything?

> The one network of the 4 that I do get a proper answer on has an older
> version of OpenBSD on its firewall (4.9) while all the ones that are
> failing for me run a fairly current (or even -current) version.
>
> And if my ISP, and a couple of the others, were doing dns proxy and
> that was messing up the results it would surely mess them up for all
> of the DNS caches I tested.
>

As I said above, this is not necessarily true, they could be messing only some domains, although it is very unlikely. This seems to me a problem with the other end, even when they told you everything is ok with them. Anyway, it won't hurt if you use dnscrypt proxy.

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: DNS problem
On Fri, Dec 06, 2013 at 12:42:09PM -0500, Chris Smith wrote: > > The lwtitle.com mx and lwtitle.com txt queries both fail for me here > and I run unbound as a resolver on my firewall and I pass the DNS leak > test. > Just out of curiosity: If you are running unbound on the firewall, why are you querying the troublesome resolver directly? Do you get the same result when querying the local unbound? > > The one network of the 4 that I do get a proper answer on has an older > version of OpenBSD on its firewall (4.9) while all the ones that are > failing for me run a fairly current (or even -current) version. > Are you running dig from the firewall or a client behind the firewall? How about tcpdumping the traffic on all affected interfaces and comparing the results between the working location and a non-working one in order to see if anything funky is happening on the wire? Regards, Patrik Lundin
Re: DNS problem
On Fri, Dec 6, 2013 at 1:38 PM, Patrik Lundin wrote: > Just out of curiosity: If you are running unbound on the firewall, why > are you querying the troublesome resolver directly? Do you get the same > result when querying the local unbound? Same results from Unbound. That's why I started "digging". > Are you running dig from the firewall or a client behind the firewall? Have done both. Same results with NLNet's drill utility as well. > How about tcpdumping the traffic on all affected interfaces and comparing > the results between the working location and a non-working one in order > to see if anything funky is happening on the wire? I did that also. I see nothing funky. One packet sent, one returned.
Re: DNS problem
On Fri, Dec 06, 2013 at 01:50:33PM -0500, Chris Smith wrote: > > Same results from Unbound. That's why I started "digging". > Sorry if I'm missing something, but what lead you to suspect the 216.146.35.35 machine in the first place? Given the +trace output you supplied that address is not part of the trail from the DNS root, and in that case the only involvement is answering the initial equivalent of "dig @216.146.35.35 . NS". Regards, Patrik Lundin
Re: DNS problem
On Fri, Dec 6, 2013 at 2:35 PM, Patrik Lundin wrote: > Sorry if I'm missing something, but what lead you to suspect the > 216.146.35.35 machine in the first place? Some of my clients use that service and for them Unbound doesn't act as a validator, just an iterator that forwards non-local queries to Dyn's Internet Guide service. Chris
Re: DNS problem
Thus said Chris Smith on Fri, 06 Dec 2013 11:31:23 -0500:

> Basically, four of my networks are not getting an answer for a
> specific mx query from dyn.com's DNS server. Yet every other DNS cache
> I've queried works just fine (Google, Level3, Hurricane Electric,
> Comcast, etc.) and dyn's support claims there is no problem on their
> end and all of their tests return the proper answer just as one of my
> networks does.

Seems dyn might be doing a transparent load balancing proxy for their DNS; what else could account for the strange TTL jumping around below? Perhaps they have a bad server in the pool that you just happen to hit consistently due to some hashing.

Notice the first query is 3600 (normal given that is the TTL). The second query shows it took me 3 seconds to issue the query again. But the third shows a sudden jump in time of almost 5 minutes.

$ env DNSCACHEIP=216.146.35.35 dnsqr mx lwtitle.com
15 lwtitle.com:
133 bytes, 1+1+2+0 records, response, noerror
query: 15 lwtitle.com
answer: lwtitle.com 3600 MX 0 lwtitle-com.mail.protection.outlook.com
authority: lwtitle.com 3600 NS ns22.domaincontrol.com
authority: lwtitle.com 3600 NS ns21.domaincontrol.com

$ env DNSCACHEIP=216.146.35.35 dnsqr mx lwtitle.com
15 lwtitle.com:
133 bytes, 1+1+2+0 records, response, noerror
query: 15 lwtitle.com
answer: lwtitle.com 3597 MX 0 lwtitle-com.mail.protection.outlook.com
authority: lwtitle.com 3597 NS ns22.domaincontrol.com
authority: lwtitle.com 3597 NS ns21.domaincontrol.com

$ env DNSCACHEIP=216.146.35.35 dnsqr mx lwtitle.com
15 lwtitle.com:
133 bytes, 1+1+2+0 records, response, noerror
query: 15 lwtitle.com
answer: lwtitle.com 3350 MX 0 lwtitle-com.mail.protection.outlook.com
authority: lwtitle.com 3350 NS ns22.domaincontrol.com
authority: lwtitle.com 3350 NS ns21.domaincontrol.com

Then a few more seconds passed and I see:

$ env DNSCACHEIP=216.146.35.35 dnsqr mx lwtitle.com
15 lwtitle.com:
133 bytes, 1+1+2+0 records, response, noerror
query: 15 lwtitle.com
answer: lwtitle.com 3095 MX 0 lwtitle-com.mail.protection.outlook.com
authority: lwtitle.com 3095 NS ns22.domaincontrol.com
authority: lwtitle.com 3095 NS ns21.domaincontrol.com

$ env DNSCACHEIP=216.146.35.35 dnsqr mx lwtitle.com
15 lwtitle.com:
133 bytes, 1+1+2+0 records, response, noerror
query: 15 lwtitle.com
answer: lwtitle.com 3331 MX 0 lwtitle-com.mail.protection.outlook.com
authority: lwtitle.com 3331 NS ns22.domaincontrol.com
authority: lwtitle.com 3331 NS ns21.domaincontrol.com

Has anything changed recently with the NS records for lwtitle.com? Do you get the same results if you query one of the other well known public DNS resolvers like 8.8.8.8?

Andy
-- 
TAI64 timestamp: 400052a25f91
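A check for the TTL behaviour Andy reads as a load-balanced cache pool, as an added example (not from Andy's post, and not part of dnsqr or any resolver): a single cache counts a cached record's TTL down by one per second, so repeated queries should line up with the wall clock; the code below flags answers one cache could not have produced (drift far beyond the elapsed time, or a TTL that climbs without resetting to the zone TTL) and derives a lower bound on how many caches must be answering. The TTLs are the ones in Andy's output; the seconds between queries are constructed from his description.

```python
"""Spot a resolver answering from more than one cache, from observed TTLs.

Added example, not from Andy's post or any DNS tool. One cache counts the
TTL down by one per second from the moment it fetched the record, so the
TTLs it hands out line up with the wall clock; a pool of caches behind one
address produces TTLs that drift or even climb between queries. The TTL
values are the ones in Andy's dnsqr output; the timestamps are constructed
to match his description (3 s between the first two queries, a few seconds
between the rest).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: float   # seconds since the first query
    ttl: int   # TTL seen in the answer


# Constructed timing; TTLs 3600, 3597, 3350, 3095, 3331 are from the post.
ZONE_TTL = 3600
SAMPLES = [Sample(0, 3600), Sample(3, 3597), Sample(6, 3350),
           Sample(12, 3095), Sample(16, 3331)]


def expected_ttl(anchor: Sample, later: Sample) -> int:
    """TTL a single cache would report at `later`, given what it reported at `anchor`."""
    return anchor.ttl - int(later.t - anchor.t)


def find_inconsistencies(samples, zone_ttl: int, slack: int = 2) -> list[tuple[int, str]]:
    """(index, reason) for every sample that one cache could not have produced.

    An answer carrying the full zone TTL is a legitimate refetch after
    expiry and restarts the countdown instead of being flagged.
    """
    problems = []
    anchor = samples[0]
    for i in range(1, len(samples)):
        prev, s = samples[i - 1], samples[i]
        if s.ttl == zone_ttl:
            anchor = s
            continue
        if s.ttl > prev.ttl:
            problems.append((i, f"TTL rose {prev.ttl}->{s.ttl} without a refetch"))
        else:
            exp = expected_ttl(anchor, s)
            if abs(s.ttl - exp) <= slack:
                continue
            problems.append((i, f"expected about {exp}, saw {s.ttl} ({exp - s.ttl}s off)"))
        anchor = s   # judge later samples against the cache we now seem to be hitting
    return problems


def cache_fill_time(s: Sample, zone_ttl: int) -> float:
    """When the cache that produced this answer must have fetched the record."""
    return s.t - (zone_ttl - s.ttl)


def distinct_cache_estimate(samples, zone_ttl: int, tolerance: float = 15) -> int:
    """Lower bound on the number of caches: answers whose implied fill times
    differ by more than `tolerance` seconds cannot come from one cache entry."""
    fills = sorted(cache_fill_time(s, zone_ttl) for s in samples)
    groups, last = 0, None
    for f in fills:
        if last is None or f - last > tolerance:
            groups += 1
        last = f
    return groups


if __name__ == "__main__":
    for idx, why in find_inconsistencies(SAMPLES, ZONE_TTL):
        print(f"query {idx + 1}: {why}")
    print("at least", distinct_cache_estimate(SAMPLES, ZONE_TTL), "caches answering")
```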
Re: DNS problem
Turns out the problem was with the Internet Guide service. If the IP address from which the query was sent was on the subscriber list then the incorrect info was sent. That's why it worked from one of my networks but not the others. Thanks to all. Chris
Re: DNS problem
On Fri, Dec 06, 2013 at 08:35:52PM +0100, Patrik Lundin wrote: > > Given the +trace output you supplied that address is not part of the > trail from the DNS root, and in that case the only involvement is > answering the initial equivalent of "dig @216.146.35.35 . NS". > For the archives: That should have been "dig +norecurse @216.146.35.35 . NS" since recursion is disabled when +trace is used. Regards, Patrik Lundin
Routing/DNS Mystery
Dear All,

I have been scratching my head over this issue for two days now so I am soliciting help from the numerous ISP and network engineers who are lurking on this list. I upgraded all machines on my home network to

predrag@oko$ uname -a
OpenBSD oko.bagdala2.net 6.0 GENERIC.MP#0 amd64

on September 2 and a day later I started having a very strange issue connecting to my employer's network (Carnegie Mellon University 128.2.0.0/16). Namely, on three random days since September 2 I could not ssh nor see the web content on any of the CMU machines for several hours at a time. My first suspect was my own DNS. I run my own Unbound caching DNS. Sure enough I could not dig any of the CMU machines except the one for which I hold an A record (actually EasyDNS is doing it for me). So I switched off my own DNS at home and started using the Google and OpenDNS DNS servers and sure enough I could dig all CMU machines including the one for which I don't hold DNS records. However I still could not ping them even with a correct IPv4 address. At this point I concur that I didn't run traceroute but I tried something else that made me believe that it might not be a problem with my own network. Namely I logged in to my devio.us and freeshell.org shell accounts. I was able to ping CMU machines and my home network. I was able from devio.us and freeshell.org to dig my work machines. I was also able to ssh to them. Great. Now I tried to ping my home network from my CMU computers with the correct IPv4 address and I was not getting a response. No, my firewall is not the problem. I am letting ping in and I was able all that time to ping from devio.us and freeshell.org. At this point I was truly stumped. It almost felt that either CMU was blocking my home IP address or my ISP was blocking CMU addresses (possibly due to a DoS attack). I have not tried resetting the DHCP lease on my home network to see if I would do better with a different IP from my ISP. Note also that IPv6 is turned off at my home and at work.

At this point, as somebody who has never dealt with more serious things like BGPD and who doesn't really understand how the ISP business works, I am running out of ideas with the exception of traceroute, which I will run if I lose the ssh connection again (right now it is working perfectly and I am using my own DNS server again). Thanks for the help. Predrag

P.S. Oh yes, I tried flushing my own DNS and fetching a new root.key file but it was not helpful.
DNS and rdomains
Hi all, How can I allow different rdomains to use separate DNS nameservers? Thanks
pppd and DNS
Dear Sirs! How is it supposed that I get the DNS servers from a PPP connection? Should I guess the servers and put them manually in resolv.conf? Something like dhclient ppp0 does not work. I think this is an old topic: http://openbsd-archive.7691.n7.nabble.com/pppd-usepeerdns-td261633.html https://marc.info/?l=openbsd-tech&m=111946828027916&w=2 Is there a solution that I do not know? Otherwise I wonder that others do not miss such a feature: UMTS providers do not give much information and one must literally guess it with the help of Google. Rodrigo.
Split-horizon dns
Hello, Is there a way to do split horizon dns using NSD? I did not find anything similar in man nsd.conf -- Best regards Maksim Rodin
openbsd.org DNS problems
It'd be good to sort this, a bit of a meta remote hole... This = bad. Only people with necessary access can fix.

$ host -t a openbsd.org 199.185.230.19
Using domain server:
Name: 199.185.230.19
Address: 199.185.230.19#53
Aliases:

Host openbsd.org not found: 2(SERVFAIL)

$ host -t a openbsd.org 199.185.230.18
Using domain server:
Name: 199.185.230.18
Address: 199.185.230.18#53
Aliases:

Host openbsd.org not found: 2(SERVFAIL)

Web page tool: https://dnschecker.org/all-dns-records-of-domain.php?query=openbsd.org&rtype=A&dns=dnsauth
ignore dns dhcpleased
Hi,

I noticed that ignoring nameservers from leases only works on IPv4 addresses.

in /etc/dhcpleased.conf

interface vio0 {
	ignore dns
}

resolvd still adds an IPv6 nameserver

nameserver 2001:19f0:300:1704::6 # resolvd: vio0

Is this intentional?

Best regards,
Peter
KeyTrap DNS vulnerability
“A single packet can exhaust the processing capacity of a vulnerable DNS server, effectively disabling the machine, by exploiting a 20-plus-year-old design flaw in the DNSSEC specification.” https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
Re: DNS Google ?
Good alternative: OpenBSD + unbound

hvom .org [hvom@gmail.com] wrote:
> Hi
>
> DNS Google
> NS 1 : 8.8.8.8
> NS 2 : 8.8.4.4
>
> Good alternative or Bad alternative ?
>
> Best regards

-- 
There are only three sports: bullfighting, motor racing, and mountaineering; all the rest are merely games. - E. Hemingway
Re: DNS Google ?
On 11/21/2011 12:35 PM, hvom .org wrote:
> Hi
>
> DNS Google
> NS 1 : 8.8.8.8
> NS 2 : 8.8.4.4
>
> Good alternative or Bad alternative ?
>
> Best regards

It's a Good Thing to remember when setting up a system, as they are easy-to-remember emergency DNS resolvers, though I wouldn't recommend that for production. If you set up 500 machines with Google for DNS resolution...what do you do if Google decides to get out of that business? or finds it not profitable so doesn't maintain it well (other than get a heck of a lot of phone calls, that is).

Better to simply run your own DNS resolver. OpenBSD makes that trivial in the basic system. For small offices where I set up an OpenBSD firewall, I always set up a local DNS resolver, too, usually on the firewall. It Just Works. If the firewall goes down, no point in worrying about (external) DNS resolution, so no need for additional redundancy. My local DNS resolvers never seem to go down and are never overloaded; I can't say the same about most ISPs.

If putting the DNS resolver on the firewall is not appropriate, you need redundancy, though a pair of machines serving DNS via CARP may be better than the standard "two separate IP addresses" for many/most machines needing DNS services.

Really, the only place where OpenBSD enters this question is OpenBSD does make it really easy and relatively safe to run a DNS Resolver, so one (or several) less reason not to.

Nick.