Naive users messing up using CNAMEs is really neither here nor there
because they are just as likely to mess up any other type of DNS
record. The fact that CNAME MX records have not destroyed the internet
belittles the staunch firestorm that CNAME MX records will destroy the
internet. I've never h
On 26-Jan-2009, at 23:03, Tony Toews [MVP] wrote:
Ah, I think I see what is happening here. Searching at the below
article for
63.217.28.226
http://tech.slashdot.org/tech/09/01/24/0113210.shtml shows a reply
stating:
"The problem seems to kick in for DNS servers that aren't rejecting
th
At 22:41 26/01/2009, Mark Andrews wrote:
>In message <200901260955.n0q9tnvm010...@mail43.nsc.no>, Jan Arild Lindstrøm writes:
>> At 09:33 26/01/2009, Mark Andrews wrote:
>>
>> >In message <200901260742.n0q7gjqn029...@mail46.nsc.no>, Jan Arild
>> >Lindst
In message , Scott Haneda writes:
> On Jan 26, 2009, at 10:03 PM, Barry Margolin wrote:
>
> > In article ,
> > Scott Haneda wrote:
> >
> >> 100% right. I refuse MX's that are cnamed, and I get emails from
> >> customers asking what is up. What is strange, and I can not figure
> >> it
> >> o
Your dig just further proves the point. smtp.secureserver.net is listed as
the MX server for secureserver.net. Yet smtp.secureserver.net is an alias
which points to the smtp.where.secureserver.net A record which has an
address of 208.109.80.149.
*** PLEASE don't copy me on replies, I'll read
The paragraph you cite regarding "LOCAL has an alias and the alias is listed
in the MX records for REMOTE..." is a periphery issue which is handled by not
doing that.
"No one is saying a CNAME is not permitted in response to a MX query."
Well good then, we agree. The MX record data value can b
On Jan 26, 2009, at 10:11 PM, Barry Margolin wrote:
In article ,
Scott Haneda wrote:
I have never got why this is such a hard thing for email admins to get
right, but it certainly causes me headaches. I personally wish
CNAME's would just go away, keep them around, but just stop talking
abo
On Jan 26, 2009, at 10:03 PM, Barry Margolin wrote:
In article ,
Scott Haneda wrote:
100% right. I refuse MX's that are cnamed, and I get emails from
customers asking what is up. What is strange, and I can not figure it
out, is that the admins of the DNS/email server always tell me this
In article , "Al Stu"
wrote:
> Yes, the response to an MX query, that is the subject here. And a CNAME is
> in fact permitted and specified by the RFC's to be accepted as the response
> to an MX lookup.
No, we're talking about the response to the A query for the name that
the MX points to.
In article ,
Scott Haneda wrote:
> I have never got why this is such a hard thing for email admins to get
> right, but it certainly causes me headaches. I personally wish
> CNAME's would just go away, keep them around, but just stop talking
> about them, then new to DNS users would not us
In article ,
Scott Haneda wrote:
> 100% right. I refuse MX's that are cnamed, and I get emails from
> customers asking what is up. What is strange, and I can not figure it
> out, is that the admins of the DNS/email server always tell me this is
> the first time they have heard of it.
So
In message , "Al Stu" writes:
>
> Yes, the response to an MX query, that is the subject here. And a CNAME is
> in fact permitted and specified by the RFC's to be accepted as the response
> to an MX lookup.
No one is saying a CNAME is not permitted in response to an MX
query.
>
Yes, the response to an MX query, that is the subject here. And a CNAME is
in fact permitted and specified by the RFC's to be accepted as the response
to an MX lookup.
"If the response does not contain an error response, and does not contain
aliases"
See there, alias is permitted. You ju
In message <3c802402a28c4b2390b088242a91f...@ahsnbw1>, "Al Stu" writes:
>
> RFC 974:
> "There is one other special case. If the response contains an answer which
> is a CNAME RR, it indicates that REMOTE is actually an alias for some other
> domain name. The query should be repeated with the can
RFC 974:
"There is one other special case. If the response contains an answer which
is a CNAME RR, it indicates that REMOTE is actually an alias for some other
domain name. The query should be repeated with the canonical domain name."
- Original Message -
From: "Scott Haneda"
To: "A
On Jan 26, 2009, at 7:54 PM, Al Stu wrote:
If you refuse a CNAME then it is your SMTP server that is broken.
The SMTP RFC's clearly state that SMTP servers are to accept and
lookup a CNAME.
[RFC974] explicitly states that MX records shall not point to an alias
defined by a CNAME. That
"Tony Toews [MVP]" wrote:
>As far as I can tell from the same 5 or 20 IP addresses. I haven't seen these
>lines before.
When I analyzed today's log I got three IP addresses.
204.15.80.50 might be smtp9.soma.ironport.com
63.217.28.226 might be Network solutions according to the below SlashDot
a
Kobi Shachar wrote:
> Yes, I tried to downgrade to 9.50 p2 and the problem was there too.
> It looks like a bug on a Windows 2008 machine, isn't it?
> Also, you can see that there are 8 lines of the same messages. Each for 1
> core CPU.
>
That might take some time to track down. In the meantime,
If you refuse a CNAME then it is your SMTP server that is broken. The SMTP
RFC's clearly state that SMTP servers are to accept and lookup a CNAME.
- Original Message -
From: "Scott Haneda"
To: "Mark Andrews"
Cc: "Al Stu" ;
Sent: Monday, January 26, 2009 6:24 PM
Subject: Re: BIND 9.
On Tue, 2009-01-27 at 13:16, Tony Toews [MVP] wrote:
> Noel Butler wrote:
>
> >Surely windows can block access to an inbound IP request from "some IP"
> >to local udp port 53 ?
>
> Not the firewall software built into Windows 2003 Server.
>
Gawd...
> >If not, you know what my next reply wi
Mark Andrews wrote:
>> It looks like the server is replying with a refused statement. The following
>> are the two lines that WireShark captured.
>>
>> Standard query NS
>> Standard query response, refused
>
> Good. The attacker is trying to use you as an amplifier and
> that is no
Noel Butler wrote:
>Surely windows can block access to an inbound IP request from "some IP"
>to local udp port 53 ?
Not the firewall software built into Windows 2003 Server.
>If not, you know what my next reply will be don't you :)
Yeah, well switching to Linux ain't gonna happen. My friend
In message , "Tony Toews [MVP]" writes:
> "Tony Toews [MVP]" wrote:
>
> >>> How do I know I'm not answering those?
> >>>
> >>Since you're on win, I can't help you, but whatever your packet monitor
> >>is, see if you are replying to their requests, even with a REFUSED
> >>response.
>
> It looks
On Tue, 2009-01-27 at 12:35, Tony Toews [MVP] wrote:
> "Tony Toews [MVP]" wrote:
>
> >>> How do I know I'm not answering those?
> >>>
> >>Since you're on win, I can't help you, but whatever your packet monitor
> >>is, see if you are replying to their requests, even with a REFUSED
> >>response.
>
"Tony Toews [MVP]" wrote:
>>> I doubt the current firewall, the one built into Windows 2003 Server, is
>>> capable of blocking specific IP addresses but I'll check.
>>
>>In that case maybe on your router? Apply an inbound request from them on
>>port 53 udp only, that way you won't affect real
"Tony Toews [MVP]" wrote:
>>> How do I know I'm not answering those?
>>>
>>Since you're on win, I can't help you, but whatever your packet monitor
>>is, see if you are replying to their requests, even with a REFUSED
>>response.
It looks like the server is replying with a refused statement. The f
In message , Barry Margolin
writes:
> In article ,
> Mark Andrews wrote:
>
> > In message , "Tony Toews [MVP]" writes:
> > > Gregory Hicks wrote:
> > >
> > >
> > > >> 2) What are they?
> > > >
> > > >They look like the DDoS being discussed on the NANOG list.
> > > >
> > > >Have
In message , Barry Margolin
writes:
> In article ,
> "Tony Toews [MVP]" wrote:
>
> > Gregory Hicks wrote:
> >
> >
> > >> 2) What are they?
> > >
> > >They look like the DDoS being discussed on the NANOG list.
> > >
> > >Have you implemented BCP38? If not, why not...
> >
> > I have no idea
On Jan 26, 2009, at 6:17 PM, Mark Andrews wrote:
Which just means you have not ever experienced the problems
causes. MTAs are not required to look up the addresses of
all the mail exchangers in the MX RRset to process the MX
RRset. MTA usually learn their name by
In message <0aa37ce829ba458b9ba2d199a6d96...@ahsnbw1>, "Al Stu" writes:
> How about these two?
>
> > nullmx.domainmanager.com
> Non-authoritative answer:
> Name: mta.dewile.net
> Address: 69.59.189.80
> Aliases: nullmx.domainmanager.com
>
> > smtp.secureserver.net
> Non-authoritative answer
Noel Butler wrote:
>> How do I know I'm not answering those?
>>
>
>Since you're on win, I can't help you, but whatever your packet monitor
>is, see if you are replying to their requests, even with a REFUSED
>response.
Thanks, I'll take a look using WireShark.
>> >It's a forged request asking you
"Tony Toews [MVP]" wrote:
>I just noticed that our small scale Bind server has a lot of the following
>lines.
Just to clarify things. We're running a personal scale IIS, DNS and email
server on Windows 2003 Server with about 20 or so domains on a friend's DSL
connection. To give you an idea
Barry Margolin wrote:
>> >Have you implemented BCP38? If not, why not...
>>
>> I have no idea what BCP38 is and how I can implement that. Would you be so
>> kind as to supply links relevant to Windows 2003 Server?
>
>BCP38 is not something you implement, it's something that has to be
>imp
maybe this will help
http://peppyheppy.com/2008/1/18/bulk-zone-file-serial-number-increment
--- On Tue, 1/27/09, Barry Margolin wrote:
> From: Barry Margolin
> Subject: Re: Forcing a secondary update...
> To: comp-protocols-dns-b...@isc.org
> Date: Tuesday, January 27, 2009, 2:12 PM
> In artic
In article ,
Mark Andrews wrote:
> In message , "Tony Toews [MVP]" writes:
> > Gregory Hicks wrote:
> >
> >
> > >> 2) What are they?
> > >
> > >They look like the DDoS being discussed on the NANOG list.
> > >
> > >Have you implemented BCP38? If not, why not...
> >
> > I have no idea w
In article ,
Jeff Justice wrote:
> Without getting into how I managed to accomplish this, I have wound up
> with a secondary DNS that has incorrect information in it but the
> serial numbers are the same as on the master.
>
> So, my question is: how can I get the secondary to sync up? I
In article ,
"Tony Toews [MVP]" wrote:
> Gregory Hicks wrote:
>
>
> >> 2) What are they?
> >
> >They look like the DDoS being discussed on the NANOG list.
> >
> >Have you implemented BCP38? If not, why not...
>
> I have no idea what BCP38 is and how I can implement that. Would you be so
>
In message , "Tony Toews [MVP]" writes:
> Gregory Hicks wrote:
>
>
> >> 2) What are they?
> >
> >They look like the DDoS being discussed on the NANOG list.
> >
> >Have you implemented BCP38? If not, why not...
>
> I have no idea what BCP38 is and how I can implement that.
http://www
How about these two?
nullmx.domainmanager.com
Non-authoritative answer:
Name: mta.dewile.net
Address: 69.59.189.80
Aliases: nullmx.domainmanager.com
smtp.secureserver.net
Non-authoritative answer:
Name: smtp.where.secureserver.net
Address: 208.109.80.149
Aliases: smtp.secureserver.
In article ,
RainyCity10 wrote:
> I inherited a Bind DNS server set up for a company that runs a number
> of web sites. I'm in the process of cleaning up the zone files and
> adding additional slave DNS servers and I haven't got my head around
> NS records yet. When a domain is registered you spe
At Thu, 22 Jan 2009 09:12:11 +0300,
Dmitry Rybin wrote:
> > +50 views of zone data + memory for 10 clients +
> >
> > You have a 32bit build which will give a maximum of 2G data.
> >
> > You are just trying to cram too much into too small a place.
>
> OK. May be you can giv
Hi Tony,
On Tue, 2009-01-27 at 09:35, Tony Toews [MVP] wrote:
> Noel Butler wrote:
>
> >This is not your config, so long as you are not answering that's fine.
>
> How do I know I'm not answering those?
>
Since you're on win, I can't help you, but whatever your packet monitor
is, see if you are
Noel Butler wrote:
>This is not your config, so long as you are not answering that's fine.
How do I know I'm not answering those?
>It's a forged request asking you to participate in a DDoS that's been
>going on since last Wednesday,
>it's best if you firewall off your replies to those IP's so you
Gregory Hicks wrote:
>> 2) What are they?
>
>They look like the DDoS being discussed on the NANOG list.
>
>Have you implemented BCP38? If not, why not...
I have no idea what BCP38 is and how I can implement that. Would you be so
kind as to supply links relevant to Windows 2003 Server?
Thank
On 26-Jan-2009, at 17:50, Jeff Justice wrote:
Without getting into how I managed to accomplish this, I have wound
up with a secondary DNS that has incorrect information in it but the
serial numbers are the same as on the master.
So, my question is: how can I get the secondary to sync up?
In message <2d378cb064ba4d06880aed8ed81f3...@ahsnbw1>, "Al Stu" writes:
> "Thus, if an alias is used as the value of an NS or MX record, no address
> will be returned with the NS or MX value."
>
> Above statement, belief, perception etc. has already been proven to be a
> fallacy (see the networ
"In all the time it's taken him to type his rants and raves and have his little
dummy spit, he could have gone and changed the MX to be a real name, ..." -
Noel Butler
Wow, such narrow mindedness.
"I like most I suspect stopped reading his rants days ago." - Noel Butler
And yet here you are cont
Without getting into how I managed to accomplish this, I have wound up
with a secondary DNS that has incorrect information in it but the
serial numbers are the same as on the master.
So, my question is: how can I get the secondary to sync up? I
presume all I would need to do is make a sin
On Tue, 2009-01-27 at 07:45, Tony Toews [MVP] wrote:
> Folks
>
> Warning - I know just enough about Bind to be dangerous. Which is why I'm
> asking.
>
> I just noticed that our small scale Bind server has a lot of the following
> lines.
>
> 26-Jan-2009 14:28:24.004 client 76.9.16.171#23101:
> To: comp-protocols-dns-b...@isc.org
> From: "Tony Toews [MVP]"
> Subject: What are these entries in the log file - " query: . IN NS +"?
> Date: Mon, 26 Jan 2009 21:45:18 GMT
>
> Folks
>
> Warning - I know just enough about Bind to be dangerous. Which is
> why I'm asking.
>
> I just noticed
On Tue, 2009-01-27 at 07:43, Danny Thomas wrote:
> Al Stu wrote:
> > So within the zone SMTP requirements are in fact met when the
> > MX RR is a CNAME.
> you might argue the line of it being OK when additional processing
> includes an A record.
>
In all the time it's taken him to type his ran
Folks
Warning - I know just enough about Bind to be dangerous. Which is why I'm
asking.
I just noticed that our small scale Bind server has a lot of the following lines.
26-Jan-2009 14:28:24.004 client 76.9.16.171#23101: query: . IN NS +
26-Jan-2009 14:28:58.254 client 63.217.28.226#28035: que
> -Original Message-
>
> [ ... ]
>
> On 23.01.09 23:06, Barry Margolin wrote:
> > Why don't you just use normal reverse DNS:
> >
> > zone for 1.1.1.in-addr.arpa
> >
> > 1 IN PTR metis.local.
> > IN PTR bob-www-sol-l01.local.
>
> according to the above, metis.local is a CNAME, so the
Good day,
I am trying to wrap my head around a weird configuration I ran across
today, and see if my assumptions are correct.
Working with the TLD .testdomain.
We have the record:
test2.testdomain. IN NS ns01.blahblah.testdomain.
But, on the same server, we also have the zone
In message <497caef2.80...@yahoo.com>, Andre LeClaire writes:
> Hello everyone,
> I've been seeing these syslog messages for about a week on a FreeBSD
> server running BIND 9.4.3-P1:
>
> Jan 25 02:35:21 asimov named[145]: client 206.71.158.30#138: error
> sending response: permission denied
> J
Al Stu wrote:
> So within the zone SMTP requirements are in fact met when the
> MX RR is a CNAME.
you might argue the line of it being OK when additional processing
includes an A record.
"Be conservative in what you send" means that fewer problems are
likely from reasonable compliance with standa
In message <200901260955.n0q9tnvm010...@mail43.nsc.no>, Jan Arild Lindstrøm writes:
> At 09:33 26/01/2009, Mark Andrews wrote:
>
> >In message <200901260742.n0q7gjqn029...@mail46.nsc.no>, Jan Arild Lindstrøm writes:
> >>
> >> Hi,
> >>
> >
"Thus, if an alias is used as the value of an NS or MX record, no address
will be returned with the NS or MX value."
Above statement, belief, perception etc. has already been proven to be a
fallacy (see the network trace attached to one of the previous messages).
Both the CNAME and A record is
On 26.01.09 09:19, bsfin...@anl.gov wrote:
> If I have in DNS
>
> cn IN CNAME realname
>
> and I query for cn, the DNS resolver will return "realname".
> BIND also returns the "A" record for realname. Is this a requirement?
> If not, then
>
> mx IN 10 MX cn
>
> will result in:
>
>
On Jan 26 2009, Wolfgang S. Rupprecht wrote:
For someone to "register a domain and listing our server name with a
bogus IP", the registry has to be incredibly careless
I wonder if he is seeing the same thing I was a few days ago. I had a
certain *.edu host listed as a nameserver of mine with
I am looking to set up DHCP in an environment that does not support Dynamic
DNS. There are many servers that will not be using DHCP in this
environment. Ideally, I would like to do collision detection both by ping
(which I know can be done) and reverse DNS lookup.
I know that ping collision dete
I have not copied the entire thread.
>You've added an additional step in your second paragraph that is
>prohibited by the section you quoted in the first. The section from
>the RFC describes a situation where A is queried for and an MX record
>pointing to B is returned. When B is queried f
I inherited a Bind DNS server set up for a company that runs a number
of web sites. I'm in the process of cleaning up the zone files and
adding additional slave DNS servers and I haven't got my head around
NS records yet. When a domain is registered you specify what DNS
servers will be providing the
I am looking to set up DHCP in an environment that does not support
Dynamic DNS. There are many servers that will not be using DHCP in
this environment. Ideally, I would like to do collision detection
both by ping (which I know can be done) and reverse DNS lookup.
I know that ping collision dete
update of my domain andre chaudier
Hello everyone,
I've been seeing these syslog messages for about a week on a FreeBSD
server running BIND 9.4.3-P1:
Jan 25 02:35:21 asimov named[145]: client 206.71.158.30#138: error
sending response: permission denied
Jan 25 03:43:32 asimov named[145]: client 206.71.158.30#138: error
sending
> For someone to "register a domain and listing our server name with a
> bogus IP", the registry has to be incredibly careless
I wonder if he is seeing the same thing I was a few days ago. I had a
certain *.edu host listed as a nameserver of mine with several
registries (gandi for .com, arin for
Danny Mayer wrote:
> Kobi Shachar wrote:
>> Recently I upgraded my bind machine to a new windows 2008 server web
>> edition 32 bit with 2 E5420 quad core CPU's.
>>
>> The server is configured with about 7000 master zone files.
>>
>>
>>
>> Since the upgrade, BIND hangs every 5-10 hours.
>>
>> I ch
At 10:29 26/01/2009, Mark Andrews wrote:
>In message <200901260800.n0q80lkh017...@mail49.nsc.no>, Jan Arild Lindstrøm writes:
>>
>> Hi,
>>
>> just to clarify that Solaris really is different from Linux:
>>
>> ns12(root) / 503# su - named
>> Sun Microsystems
At 09:33 26/01/2009, Mark Andrews wrote:
>In message <200901260742.n0q7gjqn029...@mail46.nsc.no>, Jan Arild Lindstrøm writes:
>>
>> Hi,
>>
>> I was going to upgrade from BIND 9.4.3 to BIND 9.6.0-P1, but ran into a
>> strange "bug" in BIND 9.6.0-P1.
>>
>> Exact same co
In message <200901260800.n0q80lkh017...@mail49.nsc.no>, Jan Arild Lindstrøm writes:
>
> Hi,
>
> just to clarify that Solaris really is different from Linux:
>
> ns12(root) / 503# su - named
> Sun Microsystems Inc. SunOS 5.10 Generic January 2005
>
On Sun, Jan 25, 2009 at 6:39 PM, Matus UHLAR - fantomas
wrote:
>> When i tried this host did not resolve
>> the cname. i.e a host 1.1.1.1 returned metis.local. it did not know
>> to resolve metis.local as bob
>
> the host 1.1.1.1 returned that 1.1.1.1.in-addr.arpa is a CNAME to
> metis.loc
In message <200901260742.n0q7gjqn029...@mail46.nsc.no>, Jan Arild Lindstrøm writes:
>
> Hi,
>
> I was going to upgrade from BIND 9.4.3 to BIND 9.6.0-P1, but ran into a
> strange "bug" in BIND 9.6.0-P1.
>
> Exact same config for 9.4.3 and 9.6.0-P1, only added "new" to fi
Hi,
just to clarify that Solaris really is different from Linux:
ns12(root) / 503# su - named
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
-bash-3.00$ ls -la /var/run/named/
total 80
drwxr-s--- 4 named named 307 Jan 26 08:22 .