ient
from the full impact of the large record set. But if you're exposing large
rrsets to the public (regardless whether they trigger this particular
behavior) it's worth reviewing your server posture to make sure your
limits on what's allowed via UDP are reasonable.
--
Fred
Although I see listen-on in your named.conf snippet, I don't see
query-source. You can listen on a different interface / address than the
one you issue queries from. If you need to issue queries selectively on
different interfaces, see the server stanza and put query-source in there.
--
tcurve hasn't seen fit to fix it or get back to me in
nearly a full business week I suspect they like it this way. However it
doesn't comport with the principle of least surprise. The City of Tacoma
doesn't seem to care that the licensee operating in a portion of their
/16 is impersonat
ke arguing over the particular weasels chosen
rather than the decision to stuff rabid weasels down your pants in the
first place.
--
Fred Morris
On Wed, 24 Apr 2024, tale wrote:
Hmm, I wonder if qname-minimisation is at issue here.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users
31
dig -x 131.191.85.31 +trace
--
Fred Morris
SOA record.
--
Fred Morris
On Fri, 5 Apr 2024, Fred Morris wrote:
When people think of "negative response caching" I suspect they're
thinking of NXDOMAIN, but there is another negative response: ANSWER:0.
To some extent this is indistinguishable from a referral, and I'm no
hich affects this behavior? NS? SOA?
Thanks in advance...
--
Fred Morris
vor of removing unused
features; emphasis is of course on "unused".
--
Fred Morris, internet plumber
love from here on out.
If shodohflo/agents/dnstap_agent.py or dnstap2json.py itself don't suit
your payload needs, you are of course welcome to subclass dnstap2json.py
yourself.
I couldn't do it without BIND! Cheers...
--
Fred Morris, internet plumber
http://consulting.m3047.n
There used to be an example in a directory in the BIND tarball, in
contrib/dnspriv/
Here's a link to it from 9.12.3: http://athena.m3047.net/pub/bind/dnspriv/
--
Fred Morris
On Sun, 11 Feb 2024, Andrew Latham wrote:
I have seen this question a few times so would a note or example in
Surý wrote:
> Are you really complaining about the lack of handholding because you
> want to build the documentation yourself and just can’t download it?
> Because it really seems like the case here.
I'm concerned you've lost control of your build. However, it does look
correct in 9
1> sum README.md 37785 11
m3047@sophia:/opt/downloads/bind-9.18.21> md5sum README.md
c4e08add5a135ce2573483eb0e5b1207 README.md
m3047@sophia:/opt/downloads/bind-9.18.21> sha256sum README.md
080e914decc2ed554d8887b0f719b82736c45380b987f23b3eba4ef7418f03f3 README.md
On 12/21/23 12:24 PM, Fre
No, I was correct the first time, but I had the wrong version. It is a
9.18.9 tarball, not 9.18.21. Checksums are correct for that README.md.
On 12/21/23 12:18 PM, Fred Morris wrote:
>
> I'm sorry 9.18.9 was the version where I discovered that the build
> didn't build the PDF,
ference Manual.
The checksums are correct for that version of README.md.
I think I must have mistakenly cut & pasted from the source tree in
GitLab for 9.18.
On 12/21/23 10:50 AM, Fred Morris wrote:
> On 12/21/23 10:08 AM, Ondřej Surý wrote:
>
>> In the commit you referenced:
>>
>>
On 12/21/23 10:08 AM, Ondřej Surý wrote:
> In the commit you referenced:
>
> https://gitlab.isc.org/isc-projects/bind9/-/commit/561a83a29182b00bda9237ae30343d76a68dcdf4#8ec9a00bfd09b3190ac6b22251dbb1aa95a0579d_147_147
>> On 21. 12. 2023, at 18:59, Fred Morris wrote:
>>
>>
uild
system, you went too far.
I looked for this just the other day in the KB. At the least you should
have a KB article. At least there's this post to the mailing list.
--
Fred Morris
I welcome birds of a feather. Need to define / refine the problem
statement first.
On 12/7/23 12:30 AM, Petr Špaček wrote:
> On 07. 12. 23 1:05, Fred Morris wrote:
>> On Wed, 6 Dec 2023, Evan Hunt wrote:
>> I say go ahead, if nothing else consider it a "scream test". But
ave a lot of them; and is there any
problem domain addressed by the DNS where that is more the case than name
to address mapping? (Counterexample: PTR records, now more than ever.)
I say go ahead, if nothing else consider it a "scream test". But can you
take a moment and tell us whi
Internetworking with TCP/IP, Volume 1_.
--
Fred Morris
ve knobs in the zone data, the server, the networking stack
and all of intermediating routers to twiddle. You can throw "buffer bloat"
in there too.
It's interesting that Dig automagically tries TCP first with ANY queries,
since that is not the default behavior with e.g. A
over what's in the MS DNS zone,
at least as seen when BIND is queried.
Rear View RPZ (https://github.com/m3047/rear_view_rpz/) watches (BIND)
Dnstap telemetry for A/ queries and uses it to update PTR records in
an RPZ, as an example.
--
Fred Morris
could get multicast (without a T/MG), but that doesn't allow for the
Dnstap overhead since DNS message sizes are already capped at the maximum
possible size of a UDP message.
Doing nothing is an option. ;-)
Thanks for all the work you do...
--
Fred Morris
Hi Greg.
So somebody referenced this KB article because presumably it was
tangentially relevant, but I don't know that the OP is working with
standby infrastructure (good question!). All they say is that after an
upgrade all servers were masters.
The amount of direct relevance of the article
dary in real time: if you store the data in a file, simply redefine
the zone type and change type primary; to type secondary;.
--
Fred Morris
Then "the usual" applies: set one of them to be a secondary and the master
to allow zone transfers from it. Configure Notify if desired.
Make sure it works, i.e. a zone transfer (AXFR / IXFR) occurs and the
correct serial number is represented in the SOA.
Pause for another scre
the scenario was in some ways
different, was idempotence: the updaters would continue to attempt to
update whatever the master was until it conformed to their ideal image,
and their ideal image could change in consideration of what the zone held.
--
Fred Morris, internet plumber
has any need to access the data in
the zone, whether directly or via BIND.
--
Fred Morris
e
the best option regardless of the recursive server (BIND, Unbound, etc.)?
Thanks in advance...
--
Fred Morris
orate / mitigate SERVFAIL
utilizing RPZ.
I'll try to pay more attention and see if I can isolate a test case if the
problem recurs. (I was kind of hoping someone would have a solution!)
--
Fred Morris
On Fri, 16 Jun 2023, Crist Clark wrote:
That should return a NXDOMAIN. Returning SERVFAI
arate zones).
In terms of NXDOMAIN and SOA queries, both state.ak.us and
challenge.state.ak.us seem to do the right thing in terms of pretending to
be separate zones, e.g. in the first case returning the correct domain in
the AUTHORITY and in the second case returning the relevant SOA records
d
Going forward, what is anticipated to be the proper configuration for that
scenario?
Thanks...
--
Fred Morris
s not
picking up the updated include file and nagesh3.com rpz
rule is not working.
Are you incrementing the SOA serial number?
--
Fred Morris, internet plumber
I've found myself in situations in the past where NOTIFY has been
fetishized as "real time", and nobody ever ever asked which upstream
server was being queried as a result. So this has been an eye-opening
thread, and if I ever find myself in that situation again it'll give me
something else to
roof do you have that the CPU usage correlates, and that it's a problem?
What are the vendor's recommendations (for provisioning and operational
management), and are you following them?
--
Fred Morris
Hello Petr:
On 12/5/22 4:35 AM, Petr Špaček wrote:
> On 05. 12. 22 3:49, Fred Morris wrote:
>> If the UDP query returns TC=1 DiG retries with TCP. I want to see the
>> UDP results and am unable to. Specifying +notcp makes no difference.
>> The correct option is +ig
as specified.
(The MSG SIZE is also a clue.)
Searching the intertubes wasn't much help. When I tried to search the
list archives I got a Gateway Timeout. :-( Anyway, it's been a minor
personal annoyance for a while; hopefully this helps somebody else with
a problem they didn't know th
Errata..
On Thu, 1 Dec 2022, Fred Morris wrote:
"authoritative" zone served by an authoritative server configured to return
complete 1024/1025 responses look like?
1034/1035
--
FWM
fun arguing about whether or not a server which is "authoritative"
should have an NS record in the zone, once you have something which
demonstrably works.
I don't have a lot of patience for "experts" who can't demonstrate a
working system, so I probably won
get ahead of it and bring ShoDoHFlo up to spec. I'll compile
from source.
(Although it would be nice if somebody from Fedora could speak to
support for Dnstap in the available BIND package...)
--
Fred Morris, internet plumber
requested them.
From my vantage most PTR records are demonstrably garbage.
Caching exists because if you requested it once you might request it
again. Who knows, maybe you didn't believe it the first time. In any case,
that's why the aphorism "garbage in garbage out" is a thing
ir ilk the likely use case for resources
under in-addr.arpa. There are some things I would avoid as a courtesy to
others if I was so inclined: escape, completion and wildcard characters in
shells and SQL implementations...
--
Fred Morris
ric, or customer
centric; I can also make arguments for outright lying. Hey, choose your
own adventure; other people will judge you accordingly.
--
Fred Morris, internet plumber
n-addr.arpa.rearview.m3047.net. 600 IN TXT
"depth=1,first=1665810308.1564665,last=1667535958.6280398,count=152,trend=11758.670145495724,update=1667540875.2953703,score=5.3302068902418895"
;; AUTHORITY SECTION:
REARVIEW.M3047.NET. 600 IN NS LOCALHOST.
;; SERVER: 10.0.0.
Ok. This is public address space. Delegation for reverse zones is separate
from forward zones.
Kind of depends on where the connectivity failure is, as to whether or not
clients can walk the delegation tree (or need to). Then there's the effect
of TTLs expiring.
--
Fred Morris, int
d purposes.
--
Fred Morris, internet plumber
s which can be queried as well as the
types of allowed queries.
Here is my contribution to ensuring employment for DNS subject matter
experts:
* https://github.com/m3047/rkvdns -- DNS proxy for Redis
* https://github.com/m3047/rkvdns_examples -- examples
--
Fred Morris, internet plumbe
Why are you forwarding at all?
On Fri, 23 Sep 2022, Philip Prindeville wrote:
I've changed locations (moved houses) and consequently ISPs (now on
Sparklight, used to have CTC) and I'm seeing a slew of DNS issues I
didn't have before [...]
As you can see, a LOT of noise.
[...]
// If y
Nearly identical to what was posted to the unbound list. -- FWM6
On Fri, 23 Sep 2022, JAHANZAIB SYED wrote:
I am trying to get some basic ideas on dns/hosting.
[...]
eople give a better
answer.
--
Fred Morris, internet plumber
Self explanatory? Maybe it's the nomenclature but I can't spot this in
the manpage; search engines haven't been much help. I might have to read
code! :-o
Thanks in advance, whoever you are; I owe you a beer.
--
Fred Morris
If you need something for POC / smoke:
https://github.com/m3047/shodohflo/blob/master/examples/dnstap2json.py
Assuming you can figure out how to get Splunk to consume log oriented json
over UDP...
--
Fred Morris, internet plumber
postfix. Crikey, they can't even be bothered to get an LE cert for the
website and catch flak at least monthly. Honey badger don't care.
They're very clear about postconf output. If you pasted postconf output
from the manual (or Stack Overflow) I think the response would
his is veering
into the realm of what's possible (which is seldom actually technical);
this includes your means and ability to analyze the DNS traffic. If you
want to discuss further feel free to email me.
--
Fred Morris, internet plumber
I would expect the information you seek to be available via Dnstap.
--
Fred Morris, internet plumber
ens on 127.0.0.53.)
Maybe you should turn it off.
--
Fred Morris, internet plumber
d if they exist they
shouldn't) and I block them (e.g. *.com.com) to prevent information
leakage and garbage traffic.
HTH...
--
Fred Morris, internet plumber
serve to inform server implementers /
operators.
(I think the RFC has a number of biases towards server implementers /
operators, some plain, some more along the lines of moral hazard.)
--
Fred Morris
I should have included this in the first message, and I apologize.
What I'm looking at is trying to build a BIND kernel, like a nanokernel.
Socat won't work in this case, because there's no "IPC" layer,
because there is only one process in the kernel.
One process. No users. I need to
for sending this to another address, presumably
via TCP... socat? Too bad about the handshake, any best practices for
forwarding there?
Thanks in advance...
(Pure Python implementation of fstrm:
https://github.com/m3047/shodohflo/blob/master/shodohflo/fstrm.py
sponse you get here is going to involve changing your BIND server's
configuration and behavior, probably to convert it from forwarding to
caching... although grizzled veterans may tell you horror stories about
hotels and other public wifi.
--
Fred Morris
I posted just such a thing a few weeks ago on the dnsrpz list at
redbarn. Hrm, seems to be down at the moment.
On 12/2/21 11:00 AM, Grant Taylor via bind-users wrote:
> On 12/2/21 9:59 AM, Fred Morris wrote:
>> Hello, Rear View RPZ (https://github.com/m3047/rear_view_rpz) is now
>
tion
which ships BIND compiled with Dnstap support, please let me know!
Cheers...
--
Fred Morris
This is being posted to the Dnstap, RPZ and BIND Users mailing lists.
er to live
on a different machine.
https://github.com/m3047/rear_view_rpz/blob/main/install/Optional_DNS_Service.md
--
Fred Morris
are utilized in the second view.
and the "lie" is that the "unused" RPZ is dynamically updated in the
first view (that's where update requests are sent); I suppose I could
jigger that so that the updates happen in the second view. But the
stopper is that error message,
Is there a way to do this or should I bite the bullet and run two copies
of BIND?
Thanks in advance...
--
Fred Morris
Grant Taylor's reply is good, but you might also look at the check-names
option. As he says, underscores are frowned on in hostnames but that's
about it in theory if not in practice.
You could also contemplate changing the logging destination and level...
or not.
--
Fred Morris
c. Doesn't bother the media devices, but 1980s stub resolver logic
isn't up to competing with 100,000:1 packet contention and doesn't provide
any way to do traffic shaping.
--
Fred
On Fri, 1 Oct 2021, Fred Morris wrote:
On Thu, 30 Sep 2021, Carl Byington wrote:
On Thu, 2021-0
Exactly!
On Thu, 30 Sep 2021, Carl Byington wrote:
On Thu, 2021-09-30 at 16:30 -0700, Fred Morris wrote:
https://github.com/m3047/tcp_only_forwarder
So what exactly are the media devices doing to screw up dns resolution
between the osx laptop and the local dns server?
Dropping UDP replies
e the (UDP) response, they'll never try TCP. (1980s logic)
What you can do is force the clients to use TCP... or TLS.
https://github.com/m3047/tcp_only_forwarder
Good luck...
--
Fred Morris
I suggest changing it to "953".
Correction: 853.
--
FWM
didn't have a clever
story.
I suggest changing it to "953".
--
Fred Morris
in the QUERY section.
--
Fred Morris
--
#!/usr/bin/python3
# Copyright (c) 2021 by Fred Morris Tacoma WA
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#
rs, although that's perhaps better
handled in the mail filtering pipeline, which is where it really seems to
matter.
--
Fred Morris
D problem with the pipe). But my grepping the strace
didn't catch anything opening the "dnstap.sock" pipe.
The way they did framestream initialization it requires the "optional"
handshake. I documented it (pydoc) here:
https://gith
Check your clock. Have you got NTP turned on? Is it working? If it's not,
flush cache/restart before you test again.
--
Fred Morris
s.
So which is it:
* Hi I'm Jason and I want to create a DNS record so that the world can
find my web server. How do I do that? (answer #1)
* Hi I'm Jason and I want to run my own nameservers for a bunch of
irrelevant reasons such as CentOS, web servers and stuff. How
On Mon, 14 Sep 2020, Mark Andrews wrote:
[...] All
the queries to the recursive server with this configuration not answered by
the server will leak. The configuration needs “forward only;” to be added
to prevent the leak. We see this all the time.
zone “non-existant-tld” {
type forward
hat the TLD is, or if that
occurs that the choice of TLD mitigates in any fashion whatsoever.
There's always a way to make it happen, I just can't imagine it making
it sanely into production even by accident. (This applies to DLV.ISC.ORG
too, which returns an SOA, but they could make it NX
Carl Byington wrote:
> On Wed, 2020-09-02 at 17:47 -0700, Fred Morris wrote:
> > how do I disable the (useless) resolution directed at upstream
> > servers?
>
> Isn't that just "qname-wait-recurse no;"
>
You are correct! I got confused and the doc didn
my-outhouse-example.com" is NXDOMAIN.
In this case:
* "my-outhouse-example.com.example.com" will return NXDOMAIN (it does!)
* There should be /no/ upstream (pointless) query for
my-outhouse-example.com.example.com. (oops!)
Let's stop the leaks.
--
Fred Morris
loits which work across a large installed
base is exactly what they're aiming to prevent.
Disclosure: I've heckled their CTO in a friendly fashion for making better
idiots, but I paid for my own Old Fashioned.
--
Fred Morris
Perhaps slightly OT, but here's a company which has a whole business model
based on one nonobvious (?) reason to compile from source:
https://polyverse.com/
--
Fred Morris
rvers now running on Alpine (because super
lightweight), that blurs the lines a bit.
--
Fred Morris
Plain-TCP (DoPT) forwarder
(see the README for why), but it was trivial to add TLS support.
--
Fred Morris
r nonrouting addresses commonly used for gateways, things like
that.
This is not a DNS problem, it's a problem in what commonly used programs
aid and abet in the name of "freedom of commerce" or something.
--
Fred Morris
--
[0]
https://www.bleepingcomputer.com/news/securi
did! Instead it
reports "Temporary failure in name resolution" in the ping example.
--
Fred Morris
It's incredibly hacky, but what about setting different nameservers
with different sets of addresses for the FQDN in question?
--
Fred
've ruled out the obvious conclusion you have to start
considering scenarios such as someone intentionally interfering in path
with port 53 traffic.
--
Fred Morris
ss is something to do with NSCD.
There is a tension between the protocol ("any octet") vs what you can
register ("valid hostnames") vs what's sent to the public DNS ("case
insensitive").
--
Fred Morris
Look in the BIND ARM for dump-file:
dump-file
The pathname of the file the server dumps the database to when
instructed to do so with rndc dumpdb. If not specified, the default is
named_dump.db.
Regards...
--
Fred Morris
On Wed, 27 Nov 2019, isc-bind-us...@ics-il.net wrote
the
modules above (dnspython).
If the output of the sample program and the protobuf implementation
itself look a bit Scapy-like, that's because I originally implemented it
as a Scapy dissector several years ago. Unlike Scapy, this software is
released under an Apache license.
--
Fred M