"?
For a long time (which is why I need to know the version) BIND has had the
Internet root hints built in, so you don't need a hint zone anymore. Unless
you are defining different roots for some reason. Hence why I need to know
the contents of that file.
Thanks, Greg
On Thu, 27 Jun 2024 at
-recursive queries - and using that data to construct answers for
its clients.
I hope that helps.
Cheers, Greg
On Thu, 27 Jun 2024 at 12:02, Renzo Marengo wrote:
> I have Active Directory domain ( 'mydomain.it' ) with 8 domain
> controllers to manage 8000 computers. Every Domain controller acts
/en/latest/reference.html#namedconf-statement-minimal-responses
Cheers, Greg
On Wed, 26 Jun 2024 at 17:55, Cuttler, Brian R (HEALTH) <
brian.cutt...@health.ny.gov> wrote:
>
>
> Greg, David,
>
>
>
> Thanks, much easier than what I thought it would be.
>
> I have two “root” s
NS is
the same name and its IP is 127.0.0.3, which happens to be another instance
of BIND I have running. Your file would contain the names and IPs of your
internal roots.
In the config, define the hint zone like this:
zone "." {
    type hint;
    file "db.root";
};
That should be al
better which domains are the problematic ones.
Packet captures are always good for showing exactly what servers send and
what they get back. There's no hiding in Wireshark!
Cheers, Greg
On Wed, 26 Jun 2024 at 07:45, wrote:
> Hello
> Thank you for your response. I have configured
what the
problem is first and to do that, gather data (pcaps and logs) that can be
used to paint a picture of what's really happening.
Cheers, Greg
On Tue, 4 Jun 2024 at 13:01, Thomas Barth via bind-users <
bind-users@lists.isc.org> wrote:
> Am 2024-06-04 09:50, schrieb Matus UHLAR -
BIND server showing both client->server and server->forwarder DNS
traffic, crucially capturing the moment this issue occurs.
- dig results from your making test queries.
It may sound like a lot of detail, but the devil... as they say.
Cheers, Greg
On Wed, 29 May 2024 at 21:48, Cuttler, B
Odd numbers (9.17, 9.19…) are the development versions. Even numbers (9.18,
9.20 - soon…) are the production versions, based on the odd-numbered version
before.
So 9.18.27 (currently) would be the one to go for.
Cheers, Greg
> On 22 May 2024, at 16:53, Robert Wagner wrote:
>
om. CNAME imap-tcp-service.example.com.
and so on.
Cheers, Greg
On Thu, 16 May 2024 at 11:43, Niall O'Reilly wrote:
> On 14 May 2024, at 15:20, DEMBLANS Mathieu wrote:
>
> A part of the subdomains are managed by us, other subdomains by another
> entity.
> So we can't configure
the latest
version, which is 9.18.26 (you can see in your screenshot).
I hope that helps.
Greg
> On 28 Apr 2024, at 08:42, Yang <395096...@qq.com> wrote:
>
>
>
> is v.9.18.21 below this reference
>

>
>
>
> Yang
> 395096...@qq.com
>
Hello.
Do you mean 9.18-S1?
> On 28 Apr 2024, at 08:06, Yang via bind-users
> wrote:
>
>
> dear admin:
> now, I use bind-9.18-21, I want to use ecs client subnet function; but I
> don't know how to configure it, and I don't get method from google
> please give me some example, or
Hi.
In BIND, since 9.11, there is an option/view statement called
"minimal-any", which defaults to "no". That might be what you're after.
Cheers, Greg
On Sat, 20 Apr 2024 at 17:29, Amaury Van Pevenaeyge <
avanpevenae...@outlook.fr> wrote:
> Hello everyone,
validation
will hurt you in future, or maybe even right now. My advice would be to
enable it, look at packet captures, ask questions and understand it, rather
than disable it because you don't think you need it.
Cheers, Greg.
On Sun, 31 Mar 2024 at 08:07, Crist Clark wrote:
> Thanks so m
s some
thinking about the intent. Whereas "I would like to permit none" (for me
anyway) is clearer and less ambiguous.
As for why authoritative servers need to make queries at all, please take a
look at this article.
https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-
y.
You probably also don't need also-notify {192.168.56.157;}; if the
secondary has an NS record in the zones it will be transferring, which it
should.
Hope that helps.
Greg
On Mon, 25 Mar 2024 at 11:34, wrote:
> Hello community,
>
> I'm trying to configure a DNS slave server (192.16
Hi Amaury.
You should be able to do this by defining your own trust anchors. This
should explain what you need:
https://bind9.readthedocs.io/en/latest/dnssec-guide.html#trusted-keys-and-managed-keys
Have fun.
Greg
On Sat, 16 Mar 2024 at 13:38, Amaury Van Pevenaeyge <
avanpevenae...@outlook
statement because "
sub.example.com" has been delegated away.
- Do you really want to be forwarding to your hidden primary anyway?
- Why are two different servers both authoritative for
"100.168.192.in-addr.arpa"? That's asking for trouble.
Hope that helps.
Greg
On M
Please don't encourage using "search" in resolv.conf or the Windows
equivalent. Search domains make queries take longer, impose unnecessary
load on resolvers and make diagnosis of issues harder because, when users
say "it doesn't work" you have no idea what it was that didn't work.
I tried using
2nd $beverage consumed.
I have never liked sortlist since I inherited it 16 years ago in my
previous job.
For me it suffers from at least one fundamental problem:
- If a client, say at location "1", is given a bunch of sorted A records
with the server at location "1" first, what does the client
ufacturers are available), match all port 53, set DSCP to an
appropriate value for *your* network and prioritise/police as appropriate
in the core.
Cheers, Greg
On Thu, 29 Feb 2024 at 09:00, Wolfgang Riedel via bind-users <
bind-users@lists.isc.org> wrote:
> Hi Folks,
>
> OK let
primaries also-notified {a.b.c.d; e.f.g.h;};
...
zone "example.com" {
    type primary;
    file "db.example.com";
    # apply the primaries list (or lists) to the also-notify statement.
    also-notify {also-notified;};
};
I hope that helps.
Cheers, Greg
On Thu, 8 Feb 2024 at 21:55, Elmar
+norecurse
dig @172.16.0.254 pc1.reseau1.lan A +norecurse
dig @172.16.0.254 pc1.reseau1.lan +norecurse
Now stop the packet capture on the auth server and send all the information.
The reason for using @ with dig is to eliminate the stub
resolver on pc1 itself.
Thanks, Greg
On Wed, 17 Jan
;- opcode: QUERY, status: NOERROR, id: 2379
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
==
So unless I'm missing something I don't see your problem.
Cheers, Greg
On Mon, 15 Jan 2024 at 15:24, wrote:
> Dear Greg,
are running the digs?
- the file "/etc/resolv.conf" on "pc1"
Please also re-send the digs with full output.
When you send information, please send it as text, not screenshots.
Thanks, Greg
On Sun, 14 Jan 2024 at 22:04, Michel Diemer via bind-users <
bind-users@lists.isc.
running that they were
not aware of, which *might* cause problems if they are trying to use the
same data files.
Cheers, Greg
On Tue, 19 Dec 2023 at 08:26, wrote:
> I found there was a db.ynu.edu.cn.intranet.jnl beside db.ynu.edu.cn.intranet,
> I tried to remove it, then restarted and c
this
point will be swallowed by the server, e.g. "a.b.c.d.e.f.reseau1.lan" will
all return NXDOMAIN +AA=1
What behaviour do you think you would like to see?
Looking at another part of your config, you should not need this at all:
options {
    forwarders {8.8.8.8;};
    ...
};
If your serve
I really wouldn't recommend that.
If you have to, create exceptions for domains that won't validate correctly
by using the "validate-except {..." statement.
In parallel with that, encourage people with broken domains to fix them,
which makes life better for all of us.
Cheers, Greg
On T
ith your
own problem.
Cheers, Greg
On Tue, 12 Dec 2023 at 00:48, Blason R wrote:
> Oh I forgot to tell you that. This is BIND RPZ and all the queries are
> recursive.
>
> Dig output just dies out and does not spit anything.
>
> And this specifically I noticed with .gov and .gov.i
suspect BIND at the moment.
Cheers, Greg
On Mon, 20 Nov 2023 at 17:40, legacyone via bind-users <
bind-users@lists.isc.org> wrote:
> This might show the problem even more on two interfaces WAN side and LAN
> you can see 192.168.53.19 ask for routerpool8 #60 then bind goe
is difficult if you only have snippets of information
to work from.
Cheers, Greg
On Mon, 20 Nov 2023 at 13:48, legacyone via bind-users <
bind-users@lists.isc.org> wrote:
> Now it's not working fast again! I don't know now must be Teamviewer DNS
> delaying replies causing windows bind to fail
", "internal-mail.example.com" and what have you
are fine because they are more specific than the general "example.com",
queries for which will just fall through to the outside world along with any
other name.
That was a bit of an essay, but I hope at least some of it made sens
some nicer wording, or any other changes
you think would be beneficial.
Hope that helps.
Cheers, Greg
> On 21 Sep 2023, at 17:22, John Thurston wrote:
>
> I just spent 4 hours* of my life trying to figure out why BIND 9.16
> complained on startup:
>
>
>> rpz 'rp
Hi Prashasti.
I'm on my phone, so I'll keep it brief.
- ditch both 9.8 and 9.11; install 9.18
- why are you forwarding to yourself? 127.0.0.1
- get binary packet captures and look at them in Wireshark to see what's
actually going on.
- real IPs please.
- why use "port xxx"?
Cheers, Gr
From the correct mail alias!
On Sat, 16 Sept 2023 at 21:50, Greg Choules
wrote:
> Hi Ged.
> 172.16/12 is not a special case. The whole problem (IMHO) stems from how
> humans have chosen to represent both IP addresses (v4; v6 are different and
> actually a little easier) AND D
Hi.
Although it is technically possible to do reverses on non-octet boundaries
(for example, see https://www.ietf.org/rfc/rfc2317.txt) it is a
complete pita, in my experience. Personally I would not head down that
path. Stick to /8, /16 or /24.
Cheers, Greg
On Sat, 16 Sept 2023 at 09:20, G.W
ses starting 10.1
or 10.2
Long-winded, I know. But I think it's important to understand your end goal
before configuration.
Cheers, Greg
On Sat, 16 Sept 2023 at 01:16, John Thurston
wrote:
> A host which auto-registers in MS DNS, creates an A in foo.alaska.gov and
> PTR in whatever.10.in-a
to understand just what is the problem.
- How much of 10 do you use?
- What do you mean by "...can be published from two different DNS
services."? Could you expand on that please?
- Is there any zone transfer between BIND and MS DNS?
Thanks, Greg
On Fri, 15 Sept 2023 at 21:00, John Thurs
couple of
zones you are having trouble with, as examples. Not the whole config.
- "rndc zonestatus ". Use the same zones you chose from above.
Let’s see what we see.
Cheers, Greg
> On 8 Sep 2023, at 01:24, Leroy Tennison via bind-users
> wrote:
>
> Just to clarify, the con
primary because it
already has the zone file stored locally. Just change the "type", leave the
"file" statement alone and delete (or comment) the "primaries".
Does that help?
Greg
On Thu, 7 Sept 2023 at 19:31, Fred Morris wrote:
> Re-reading the KB article refe
e rate at which a given client will be sent
responses.
It's all in the ARM :) https://bind9.readthedocs.io/en/latest/index.html
Cheers, Greg
On Wed, 30 Aug 2023 at 18:42, Ben Bridges wrote:
> Hi,
>
> Is there a BIND configuration option that would limit the number of
> recursive client buf
rally: see below.
DNSSEC validation is on ("auto") by default these days. Please don't turn
it off for everything.
options {
    ...
    validate-except {
        incometax.gov.in;
        ...
    };
    ...
};
Hope this helps.
Greg
On Wed, 30 Aug 2023 at 14:20, Blason R wrote:
> Hi all,
>
> I have bind BIND
You may already have BIND installed; most distros do. If not, it's easy.
You don't *have* to run named, but tools like this (and dig, particularly)
are very useful to have.
Do "which arpaname" to see if you have it already.
Cheers, Greg
On Thu, 24 Aug 2023 at 08:00, Marco wr
Please raise a beverage of choice and celebrate the 25th birthday of BIND9:
commit 7ee52cc7d195433bb8f55972e2a8ab29668f7bce
Date: Mon Aug 17 22:05:58 1998 +
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software
This time from the correct email alias!
On Mon, 17 Jul 2023 at 22:58, Greg Choules
wrote:
> Hi.
> Some observations:
> - Please don't use nslookup. Please use dig, it is much more versatile and
> gives much more information with which to try and interpret what might be
> going on
Real data please:
- example queries (genuine, not invented for illustration)
- real domains
- real IP addresses
- packet captures
- both BIND server configs
- zone file contents
- startup logs
There are so many things it *could* be, the more information the better.
Cheers, Greg
On Sun, 16 Jul
It looks like your server cannot resolve cadyst.com/A for some reason,
which would explain what gets sent back to the client.
However, it resolves fine for me:
cadyst.com. 908 IN A 146.59.209.152
Maybe you have some other issue with your resolver?
Cheers, Greg
On Wed, 12 Jul 2023 at 09:26, wrote:
>
ce (or two for resilience). It makes it easier to
administer and to understand which way data is flowing.
Cheers, Greg
On Thu, 29 Jun 2023 at 16:14, Ubence Quevedo wrote:
> Hi,
>
> Actually, that config was from the primary at 192.168.10.3.
>
> Below is the config from the la
etc...
zone "net6.domain.com" {
# ?.?.?.?
etc...
"system" has A records in all of these, with the relevant interface address
for the network. Clients lookup the FQDN of interest to them at the time.
This way there is guaranteed no ambiguity.
Cheers, Greg
On Thu, 29 Jun 2023 at
uires clients to use FQDNs, which IMHO is a good thing. I
always try to avoid "search" in resolv.conf because it leaves the OS
stub resolver guessing what the user actually wants.
Hope that helps. But as I said, configs please and then *we* don't have to
guess :)
Cheers, Greg
On Wed,
Hi Sami.
Let me ask you a question.
How would you define the terms "latency" and "response time"?
Greg
On Tue, 27 Jun 2023 at 17:23, wrote:
> Hello In DNS benchmarking which is more important latency or response
> time? for a DNS server what is the differe
From the correct email alias this time!
On Mon, 19 Jun 2023 at 16:50, Greg Choules
wrote:
> Hi Lee/Sami.
> `break-dnssec yes;` *may* also be needed in some cases. But not here as
> the zone isn't signed anyway.
>
> The reason that "example.com" works but "
Hi Sami.
That's not what I said.
Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but
it's not something I would do.
Cheers, Greg
On Mon, 19 Jun 2023 at 12:40, wrote:
> Thank you Greg
>
> So if I understand correctly if we receive a servfail return co
not to be authoritative for "antlauncher.com".
Personally I would live with the SERVFAIL because it tells you that
something is wrong, not just that it doesn't exist. Then try to contact the
people who own this domain and tell them it is broken.
Cheers, Greg
On Mon, 19 Jun 2023 at 10:33, wrote
ueries to the server and any
queries the server makes to try and get answers, plus all the responses.
Please do that and share the results, using real domains, not examples.
Hope that helps, Greg
On Mon, 19 Jun 2023 at 09:39, wrote:
> Hello Thank you for your feedback,
> yes it works like tha
You are most welcome, I'm glad you got it running. Now the fun starts! :D
Greg
On Tue, 30 May 2023 at 21:02, Pacific wrote:
> Thank you and to everyone who took the time to respond. Your collective
> input did the trick and I now have bind running successfully through a brew
> insta
what to do with. Either way, it should be fixed.
Hope that helps.
Greg
On Tue, 16 May 2023 at 15:53, Alex wrote:
> Hi,
> I have a bind-9.18.7 system on fedora37 and having some strange errors
> with some queries.
>
> $ host info.apr.gov.rs
> Host info.apr.gov.rs not found: 2(S
named: Mach-O 64-bit executable x86_64
If you find an executable, do /named -V (uppercase V), which will
print a summary of how it was built.
Similarly /named -C (uppercase) will print the defaults.
Hope this helps.
Greg
On Wed, 10 May 2023 at 05:55, Pacific wrote:
> Hi, thanks for the rep
that helps.
Greg
On Tue, 9 May 2023 at 21:43, Pacific wrote:
> Installing bind9 (9.18.14) on macOS Ventura (13.3.1) — install is not
> creating a namedb directory nor can I find a boilerplate named.conf.
>
> Steps taken:
>
> Downloaded tar directly from isc, saved to a local d
- benefit. Just my
2p.
Cheers, Greg
On Fri, 21 Apr 2023 at 15:41, Jiaming Zhang wrote:
> Hi Greg,
>
> Thanks for the example given. I was trying to digest your answer, it seems
> it would be better to have intermediate subdomain for the purpose. So it
> will be site1.internal.exa
ion to work internally.
Hope that helps.
Greg
On Wed, 19 Apr 2023 at 18:20, Jiaming Zhang wrote:
> Dear Greg,
>
> That’s what I thought, of each individual zone must have NS record point
> to it. But my point is not hiding NS record (or which server handles it)
> from internal
Hi Håvard
Odd, it works for me. Try a literal copy/paste of the link below. Or go to
https://kb.isc.org and search for packages:
https://kb.isc.org/docs/isc-packages-for-bind-9
Cheers, Greg
On Wed, 19 Apr 2023 at 12:03, Havard Eidnes via bind-users <
bind-users@lists.isc.org>
they will be making queries for NS records normally.
But what if they do? Why does it matter if clients find out the NS names
for the internal zones?
Cheers, Greg
On Tue, 18 Apr 2023 at 13:27, Jiaming Zhang wrote:
> Dear Greg,
>
> I agree using child zones is a better idea, and I'm actually using thi
internally with different answers.
Cheers, Greg
On Tue, 18 Apr 2023 at 12:59, Jiaming Zhang wrote:
> Dear Greg,
>
> The initiative was that we have certain records that wish to be view only
> internally and may resolve to private address (e.g. insite A 10.1.1.1).
>
> Kind Regard
iple zones of the
same name but different contents caused me problems daily. I would
recommend having internal zones be proper delegations from external zones.
e.g.:
external "example.com"
internal "internal.example.com"
Cheers, Greg
On Mon, 17 Apr 2023 at 14:41, Jiam
141.168.22
QM can't be disabled per destination server, only globally.
I would recommend you contact the NS administrators and inform them they
have a problem. According to the SOA the RNAME is
named-...@wannms.state.tn.us
Cheers, Greg
On Mon, 27 Mar 2023 at 18:54, wrote:
> Hi,
>
>
Hi Nath.
What have you got on SrvB for biopyrenees.net, or net?
On SrvB, please do "dig @127.0.0.1 sri.biopyrenees.net" (please use the
actual address rather than "localhost") and paste the full result here. I
am interested in flags and the query time right now.
Cheers, Greg
bled. 'named' starts as root, but immediately drops to a
lower-privileged user, which can prevent it from discovering new addresses
unless it has the necessary linux-caps.
Cheers, Greg
On Mon, 13 Mar 2023 at 09:16, Serg via bind-users
wrote:
> The problem is I have lots of IPv6 addresses whe
-key.movie.edu: tsig verify failure
(BADKEY)
I'd take packet captures of both cases and compare them, see what the
differences are.
Hope that helps.
Greg
On Tue, 21 Feb 2023 at 16:06, Patrik.Graser--- via bind-users <
bind-users@lists.isc.org> wrote:
> Hi all
>
>
>
> Due to circumstan
as
much RAM as you can afford. That way you minimise the frequency of cache
cleaning, which is an overhead.
Greg
On Wed, 15 Feb 2023 at 19:45, Jan Schaumann via bind-users <
bind-users@lists.isc.org> wrote:
> Greg Choules wrote:
>
> > Since the queries are unique the responses
lt) called "named_dump.db" in named's working
directory. Grep for NXDOMAIN in that file.
Cheers, Greg
On Tue, 14 Feb 2023 at 15:29, Jan Schaumann via bind-users <
bind-users@lists.isc.org> wrote:
> Jan Schaumann via bind-users wrote:
> > Greg Choules wrote:
>
> >
. Just sit and
watch it, monitor the system and process memory use. etc.
That turned into a bit more than a few! I hope some of that helps a bit.
Cheers, Greg
On Sun, 12 Feb 2023 at 01:14, Jan Schaumann via bind-users <
bind-users@lists.isc.org> wrote:
> Hi,
>
> I have a local cach
lps, Greg
On Thu, 2 Feb 2023 at 23:43, Bhangui, Sandeep - BLS CTR via bind-users <
bind-users@lists.isc.org> wrote:
> Hi
>
> We are running ISC DNS Bind Version 9.18.10 ( will soon be moving to
> 9.18.11) on our Linux Servers.
>
> DNS resolution in general seems to
-F text -o junk.raw.txt junk junk.raw
Is that what you're after? Or is it specifically whether 9.18's
interpretation of "raw" is different to 9.16's? (I don't know at the moment
and I don't have a raw file generated with 9.16 to test it).
Cheers, Greg
On Mon, 30 Jan 2023 at 10:11, Hav
ready done. But if it's
only you looking at them, drop the "x")
- pcaps on a working and the troublesome box (and on the primary) and a
lot of time in Wireshark. There *must* be *something* different going on.
*If* it turns out that 9.18.11 is behaving incorrectly, ISC will want to
just like real users. If you
*want* to see all the Authority and Additional data then add "+norecurse"
to your dig command, which causes it to set RD=0. Your server is then not
being asked to do recursion, so it will just reply with everything (if
anything) it has.
Hope that helps.
Greg
t;?
- Do Akamai have any knobs you can tweak (I believe they have a customer
web portal for viewing/changing settings?) that would make them behave like
an RFC compliant DNS server?
Cheers, Greg
On Tue, 24 Jan 2023 at 21:17, John Thurston
wrote:
> My "resolvers" running BIND 9.18.1
ers make queries out
to other places? If so, recursion must be enabled.
Secondly, do you have "minimal-responses" configured on either/both
servers? If so, what is it set to? There were changes in 9.16 so maybe
these explain your observations.
Cheers, Greg
On Tue, 24 Jan 2023 at 16:49,
FAIL and have fun in Wireshark.
If you can afford to put up with the noise, turn debugging up to the max -
rndc trace 99 - and see if anything pops out.
Also, when you say "even with dnssec turned off.." what do you mean,
exactly?
HTH
Greg
On Wed, 18 Jan 2023 at 12:32,
not worth worrying about.
Cheers, Greg
On Fri, 13 Jan 2023 at 06:19, Jesus Cea wrote:
> On 13/1/23 7:12, Greg Choules via bind-users wrote:
> > Hi Jesus.
> > No. Zone Transfer always uses TCP. Is it really that much of an overhead
> > for you?
>
> Not now, but
Hi Jesus.
No. Zone Transfer always uses TCP. Is it really that much of an overhead
for you?
Cheers, Greg
On Fri, 13 Jan 2023 at 05:56, Jesus Cea wrote:
> I have a dns zone with many dns updates per minute. The updates are
> tiny, like 2-3 records, <500 bytes in total.
>
Hi Jeff.
Query logging is quite an overhead and very heavy on writing to storage, so
use it sparingly as it can have a detrimental impact on performance. For
any moderately loaded server I would not have it enabled by default.
Cheers, Greg
On Thu, 12 Jan 2023 at 18:22, Jeff Sumner wrote
of your config day one. It's a bit like configuring an Ethernet
switch: do I configure VLANs even though (today) it's one flat network?
Hope that helps.
Greg
On Wed, 4 Jan 2023 at 01:15, E R wrote:
> New to BIND and just starting to read the 5th edition from O'Reilly after
> watching some vi
Hello.
What exact version of BIND are you running? "named -V" From dig it *looks*
like you are running 9.18.9.
ECS support only exists in the subscription editions of BIND (-S suffix)
and to get that you need to be an eligible ISC support customer.
Thanks, Greg
On Tue, 13 Dec 2022 at
prefix length to whatever has been configured; in this case /24. But
they MUST set the scope prefix length to zero because this field is
intended for use by an ECS enabled authoritative server to signal (in its
response) the prefix to which it applies.
I hope that helps.
Cheers, Greg
On Thu, 8 Dec 2022
s example does not help to explain what you are seeing.
Greg
On Thu, 27 Oct 2022 at 13:28, Veronique Lefebure
wrote:
> Well,
>
> So here a bit more details.
> Sorry, I cannot take an example with a DNS server accessible to you (*)
> because they have all been upgraded to 9.16.
of the DNS
system generally, lengthen query times and mean that you can't be sure
exactly where an answer came from.
Thanks, Greg
On Thu, 27 Oct 2022 at 08:08, Veronique Lefebure
wrote:
> Hi all,
>
> yes, here is a concrete example:
>
> # ip-dns-1 runs BIND 9.16.33:
>
>
, the best way to see queries and responses, right down to the nuts
and bolts, is with a packet capture.
You thought this was an easy question, huh ;)
Can you provide at least some of these things, to get started?
Cheers, Greg
On Wed, 26 Oct 2022 at 16:41, Veronique Lefebure
wrote:
> Hi,
>
Hi Greg.
Short answer: no.
Slightly less short answer: no, if you prevent the server from trying to
follow delegations. It's that potentially wild goose chase that was the
problem.
In short:
- Forwarding must cover everything the server needs to do (that isn't
locally defined) i.e. global
Hi bind-users,
This vulnerability was recently fixed in BIND 9.16.33:
CVE-2022-2795: Processing large delegations may severely degrade resolver
performance
Question: Would a server that is configured to forward all queries be impacted
by this issue?
Thanks,
Greg
to
external clients.
attach-cache "external"; # internal clients have access to records that
have already been cached due to queries made by external clients.
...
};
Greg
On Sat, 15 Oct 2022 at 18:52, Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:
> On 10/1
this.
Just my 2p.
Greg
On Fri, 14 Oct 2022 at 17:38, JW λ John Woodworth wrote:
> Hi Bob,
>
> I've been able to do this with 'forward' zones. The config would go in
> the resolver but the files would not.
>
>
> /John
>
> Original message
> From:
rt, if you have the
option.
I hope that helps.
Greg
On Fri, 14 Oct 2022 at 17:08, Bob McDonald wrote:
> I'm thinking about redesigning an internal DNS environment. To begin
> with, all internal DNS zones would reside on non-recursive servers
> only. That said, all clien
using that?
Since you are unwilling to share a pcap I don't see what further help we
can be.
Good luck with Ubuntu and Cloudflare.
Greg
On Mon, 3 Oct 2022 at 21:55, Mike Hodson wrote:
> On Mon, Oct 3, 2022 at 2:24 PM Greg Choules <
> gregchoules+bindus...@googlemail.com> wrote:
>
*actually* what
happens it will, unfortunately, be very difficult to impossible to diagnose
exactly what's going on.
Does this help for starters?
Cheers, Greg
On Mon, 3 Oct 2022 at 21:08, Mike Hodson wrote:
> On Mon, Oct 3, 2022 at 1:59 PM Ondřej Surý wrote:
>
>>
>> > -
t to
use a different set of roots (e.g. a private network, GRX or similar)
Cheers, Greg
Thanks, Greg
t captures of port 53. Evidence is always handy to see
what is actually going on, rather than guessing what you *think* should be
going on.
Cheers, Greg
On Tue, 6 Sept 2022 at 23:16, Michael De Roover wrote:
> Hello everyone,
>
> I have currently 2 internal networks under my control,
Hi again J.
If I understand correctly, you want to enable querylog on a busy recursive
server permanently, rotate the files once a day and don't care if you lose
some logs because the number of queries on a busy day generates more data
than the specified log file is allowed to contain.
My
Hello J
What is it you're actually trying to achieve here?
Cheers, Greg
On Thu, 25 Aug 2022 at 04:24, J Doe wrote:
> Hello,
>
> I was wondering if anyone could provide feedback on whether the
> following: newsyslog.conf file is correct to allow for daily log
> rotation for my Bi
address against the corresponding bit
from the address in the mask.
The ACL 10.60.0.0/23 will match *any* address from 10.60.0.0 to 10.60.1.255
*inclusive*.
There is no concept of network address and broadcast address here. It is
just pattern matching.
Cheers, Greg
On Wed, 24 Aug 2022 at 15:40
1 - 100 of 155 matches