RFC says all
read RFC
BIND is a DNS system, not an alien, so follow the RFC
Go and read the RFC
From: bind-users on behalf of ip admin via
bind-users
Sent: Friday, October 5, 2018 4:13 PM
To: bind-users@lists.isc.org
Subject: Which timeouts are used by BIND when res
ON INTERNET IS LIKE TO BE LINKED TO RANDOM SEED GENERATION
check
# ls -l /dev/random /dev/urandom
crw-r--r-- 1 root system 39, 0 Jan 22 10:48 /dev/random
crw-r--r-- 1 root system 39, 1 Jan 22 10:48 /dev/urandom
From: bind-users on behalf of Howard,
Christop
Are your compiler and libs updated?
From: bind-users on behalf of Howard,
Christopher
Sent: Tuesday, September 18, 2018 1:11 AM
To: bind-users@lists.isc.org
Subject: PRNG not seeded, service won't start
I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2
sorry for missing letters but my keyboard is broken
so to say, usually DNS admins lower the TTL on NS and/or A records that will have a
change
look at the bind docs to apply it
without a specific record TTL, the SOA TTL is used
From: bind-users on behalf of King, Harold
Cl
record and stop engine
https://en.wikipedia.org/wiki/SOA_record
Alberto Colosi
From: bind-users on behalf of King, Harold
Clyde (Hal)
Sent: Monday, August 6, 2018 7:37 PM
To: Bind Users
Subject: Need to move an NS server out of service
I have ns2.examp
Have you changed the zone registration?
There is a DNS FQDN reference.
If you change the DNS FQDN you have to update the zone on your NIC,
as it is on the NIC, or wherever you registered the domain.
From: bind-users on behalf of Lucio Crusca
Sent: Thursday, April 26, 2018 3:18 P
Hi, it is a common problem! When you start as a user or root,
the service takes the shell permissions, not the service permissions.
Check if the named group and user exist, if the directory and file access mask is right,
and if the owner is right.
As a last check, look at the bind log, not systemd, for any error.
now I don't remember but should eve
RADIUS is only AAA and transmits Auth OK/KO to the VPN terminator and IP
allow/deny rules to the VPN terminator (IP filtering like iptables).
So RADIUS only auths termination of the VPN tunnel and transmits per-user linked
policy deny and allow rules (like iptables, as said).
I think VPN terminator can be co
Over the years I had bad issues with ISC bind on a Fedora box.
Possibly it was my box, but after moving to the NIC IP all was fine.
Yes, inside resolv.conf the NIC IP instead of localhost, e.g. 127.0.0.1.
In all cases the IP socket has to open on layer 3 and shouldn't go on layer 2, as
the socket knows that IP as REACHED.
it ha
go to read isc bind view
---
Alberto Colosi
ITC NetWork & Security
From: bind-users on behalf of Lucio Crusca
Sent: Sunday, January 14, 2018 12:27 PM
To: bind-users@lists.isc.org
Subject: "rule based" A records
I'm no
SELinux in passive? You can put SETEnforce OFF
in conf
From: bind-users on behalf of Radu Pantiru
Sent: Friday, October 13, 2017 10:49 AM
To: bind-users@lists.isc.org
Subject: Re: bind-pkcs11-9.9.4-51.el7.x86_64 usin
TTL, if not record specific, on other DNS is defined inside the SOA.
Usually it should be 24H on the internet, and if an admin like me puts it low, it is
for a specific purpose such as a server change.
It is strange you have so many low TTLs. I think you only can work on the cache TTL on your
DNS
if there are other ways to arrive.
SOA is a special record. As already said, go read it.
You update the SOA (should be only for the email address if not ONLY intranet NS).
In all cases, if you make n updates it means n updates are needed. So the question is:
why not reflect on slave NS if any?
Increasing SN , s
Strange as a need; see channels inside the logging engine.
It is the user query log; create a log channel for queries done.
It does not change if done from a client or another DNS.
Really it is a huge-volume log (depending on the number of queries).
From: bind-users on beha
; way to gain access
to root TLD DNS engines
see you
From: bind-users on behalf of Reindl Harald
Sent: Saturday, September 16, 2017 2:12 PM
To: bind-users@lists.isc.org
Subject: Re: Different forwarder for cerain response ip (result ip )
Am 16.09.2017 um 13:30 s
port 53 is only open directed to forwarders
as I read, you think to use different forwarders, so port 53 should be open
to all IPs, right?
I think you should read how DNS works, TLD and so on.
Simply drop forwarders and only use TLD.
From: bind-us
on behalf of Reindl Harald
Sent: Saturday, September 16, 2017 12:59 PM
To: bind-users@lists.isc.org
Subject: Re: Different forwarder for certain response ip (result ip )
Am 16.09.2017 um 12:50 schrieb Alberto Colosi:
> even on hotel . why not to use a BIND on unix or window on ur
>
Even in a hotel. Why not use a BIND on Unix or Windows on the box you are
using?
It is so easy.
From: bind-users on behalf of Reindl Harald
Sent: Saturday, September 16, 2017 12:46 PM
To: bind-users@lists.isc.org
Subject: Re: Different forwarder for cer
T USE
Really better.. and don't use Google DNS (1) Google knows what
you do, 2) they are really slow, 3) I never saw any difference like protection
or other)
I haven't seen it, as for a while I have had no servers to admin.
As I always say to those I teach... right source for right content. NIST ok,
but.. better InterNIC as it maintains DNS
https://www.internic.net/domain/named.root
as obvious, here is
why write here on the list?
Simply it is a problem from your script (file overwrite) or the NIST file could be
dirty.
I hate automatic updates, especially each day, especially for roots inside DNS (they
change one time every twenty years... if there is a change).
I don't know the NIST file, I always used InterNIC for
Simply firewall port TCP and UDP 53 if behind a firewall, or use ACL, or change
NS records if not propagated in a public domain.
If you want to test from clients, see that RFC sap is around 5 minutes if I am
not wrong, and use the PC firewall, or simply firewall it, or shut down the master engine
and so on.
It looks like the file referenced in the log is missing.
SHA-1 RSA signing is obsolete and banned by NIST and ENRISA; it is a CVE, or
should be, if I remember well.
All CAs only use SHA-2, no more version 1, as said before.
SHA-2 and 2048 or greater.
Your problem looks like file permissions or the file is missing.
As just said in the previous mail,
whenever you edit something, you should understand it.
From: bind-users on behalf of Tom Browder
Sent: Friday, July 21, 2017 10:48 PM
To: bind-users@lists.isc.org
Subject: Re: Systemd bind9.service file?
On Fri, Jul 21, 2017 at 3:46
Main needs are
start
stop
and pid file location
After you change a file in systemd you need to reload the config with a systemd
statement.
Read some tutorials like https://wiki.archlinux.org/index.php/systemd
It is obvious files need to go where the scripts are and be linked inside the "different run
level"
Hi, it is hard for an ISP to give you a reverse lookup zone.
First of all, you need to "own" the whole zone (IPv4, a whole C class) for example.
As a second thing, it is really hard to move definitions on TLD like RIPE, ARIN,
APNIC or others.
It is more possible the ISP gives you (if the first line is true) cont
If you have as forwarder the DNS master for such zones (meaning that DNS knows how
to resolve)
>check acl inside conf
>check authoritative (master dns) logs and if not
implemented , put some log channels inside conf to check
y use isc bind RRL
https://kb.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html
I use it on my auth DNS box.
Alberto Colosi
Network & Security Admin & Architect Engineer
From: bind-users on behalf of
ramkishor
Sorry, let me only add a comment to the previous mail:
if whoever makes the query uses a DNS forwarding system (like using the ISP DNS as
forwarder or direct resolver) you'll only have the ISP DNS on the last forward action.
From: bind-users on behalf of Job
Sent: Tuesday, Febru
ut it is such a large log file (as network accounting,
it can't be live for "too much".
From: bind-users on behalf of Job
Sent: Tuesday, February 28, 2017 2:35 PM
To: bind-users@lists.isc.org
S
s@lists.isc.org"
Subject: bind 9 goes rogue and revert zone information
Date: Tue, Feb 7, 2017 23:38
Am 07.02.2017 um 23:31 schrieb Alberto Colosi:
> lucky you say
>
> zombie host and hijacked resourced poisoned DNS are not an hack
>
> In years as Security Desk Seat I had at leat on
a zombie host is a valuable item for them.
From: bind-users on behalf of Alan Clegg
Sent: Tuesday, February 7, 2017 10:48 PM
To: bind-users@lists.isc.org
Subject: Re: bind 9 goes rogue and revert zone information
On 2/7/17 8:42 AM, Alberto Colosi wrote:
>
disable it
From: Raul Dias
Sent: Tuesday, February 7, 2017 3:34 PM
To: Alberto Colosi; bind-users@lists.isc.org
Subject: Re: bind 9 goes rogue and revert zone information
Sorry,
Static files.
It is the master server.
No dynamic updates.
Host under lxc with only
Hi, the named structure is unclear: is it a slave or a master, are dynamic updates
enabled, and has the Unix box been hacked?
As last, are the zones static files on the fs?
From: bind-users on behalf of Raul Dias
Sent: Tuesday, February 7, 2017 3:03 PM
To: bind-users@lis
don't own a full C subnet or the ISP doesn't want to delegate (if your DNS
server will be unreachable it could harm something on the ISP), you only can try to ask
the ISP to map names on their DNS, the ISP DNS, and even this not all ISPs do, or it is
done with the default IN-ADDR.ARPA naming.
, you could have a command line session too if used with
SSH instead.
The main difference is a bit more security ;)
---
Alberto Colosi
IBM Global Business Services
Sistemi Informativi S.P.A.
IT NetWork & Security Department
*-* *-* *-*
SECURITY IS EVERYO
Why not? Better handled by ISC and done in a clean way than 1.000.000
dirty ways like these ;)
No, otherwise I would not be writing here.
I have compiled and run bind since version 4, and I have compiled and run each
bind version one by one...
till today I can't count how many ;)
s;
print-severity yes;
};
David Ford <
the end ISC BIND
9.6.0b1 does not remain as a daemon serving user requests?!