using that?
Since you are unwilling to share a pcap I don't see what further help we
can be.
Good luck with Ubuntu and Cloudflare.
Greg
On Mon, 3 Oct 2022 at 21:55, Mike Hodson wrote:
> On Mon, Oct 3, 2022 at 2:24 PM Greg Choules <
> gregchoules+bindus...@googlemail.com> wrote:
>
*actually* what
happens it will, unfortunately, be very difficult to impossible to diagnose
exactly what's going on.
Does this help for starters?
Cheers, Greg
On Mon, 3 Oct 2022 at 21:08, Mike Hodson wrote:
> On Mon, Oct 3, 2022 at 1:59 PM Ondřej Surý wrote:
>
>>
>> > -
t to
use a different set of roots (e.g. a private network, GRX or similar)
Cheers, Greg
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/
Thanks, Greg
bind-users mailing list
bind-users@lists.isc.org
t captures of port 53. Evidence is always handy to see
what is actually going on, rather than guessing what you *think* should be
going on.
Cheers, Greg
On Tue, 6 Sept 2022 at 23:16, Michael De Roover wrote:
> Hello everyone,
>
> I have currently 2 internal networks under my control,
Hi again J.
If I understand correctly, you want to enable querylog on a busy recursive
server permanently, rotate the files once a day and don't care if you lose
some logs because the number of queries on a busy day generates more data
than the specified log file is allowed to contain.
My
Hello J
What is it you're actually trying to achieve here?
Cheers, Greg
On Thu, 25 Aug 2022 at 04:24, J Doe wrote:
> Hello,
>
> I was wondering if anyone could provide feedback on whether the
> following: newsyslog.conf file is correct to allow for daily log
> rotation for my Bi
address against the corresponding bit
from the address in the mask.
The ACL 10.60.0.0/23 will match *any* address from 10.60.0.0 to 10.60.1.255
*inclusive*.
There is no concept of network address and broadcast address here. It is
just pattern matching.
Cheers, Greg
On Wed, 24 Aug 2022 at 15:40
.
I hope that helps.
Greg
On Wed, 24 Aug 2022 at 13:17, Elias Pereira wrote:
> Oh, sorry... :D
>
> here it is
>
> # cat named.conf.local
> # ACL for the internal networks
> # Last modified: 24/08/2022
>
> acl "internal" {
> 10.60.0.1/23;
> 1
and IPv6 addresses are being
returned? pcap would be best.
Cheers, Greg
On Fri, 19 Aug 2022 at 07:56, Matthias Fechner wrote:
> Dear all,
>
> I'm not sure if bind can do this, but let me explain what I would like
> to do.
>
> It is a hostname from a foreign domain, like:
his will produce a file called
"named_dump.db" in the working directory. Commonly this will be the same
location as your zone files. It's a text file, so you can look through it
with cat/more/less etc.
Cheers, Greg
On Wed, 3 Aug 2022 at 21:23, Robert Moskowitz wrote:
> This is borderline n
handle it.
You also need to know what BIND will try and do when it does receive
queries.
Packet captures are your friend here, using tcpdump (to disk, not to
screen). Gather evidence first, then make theories.
Cheers, Greg
On Wed, 3 Aug 2022 at 14:29, Robert Moskowitz wrote:
> Part of my probl
and is ignored on subsequent reloads.
BIND will need a good source of randomness for crypto operations.
Cheers, Greg
On Mon, 1 Aug 2022 at 23:08, White, Peter
wrote:
> I’m running BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 (Extended Support
> Version) on RHEL 7 in a chroo
and,
if possible, any error messages you see when trying to start it.
Greg
On Mon, 25 Jul 2022 at 15:19, Gene Ammerman via bind-users <
bind-users@lists.isc.org> wrote:
> So I have tried this even with macOS to even 12.4. But I am still not able
> to get DNS setup on my machine using the instr
The SPF record type was deprecated in 2014 and the SPF definition string
*must* now be contained as data in a TXT record.
BIND will still load a zone containing SPF records, but it will check
whether a TXT record also exists that contains the same string and will
generate a log message telling you
Hi Roberto. What domain is this SPF for and exactly how are you trying to
add the extra term?
Cheers, Greg
On Fri, 8 Jul 2022 at 16:38, Roberto Carna wrote:
> Dear, from my webmin interface for BIND9, I try to add an additional
> allowed sender host to our SPF record, but I get the fol
Wireshark works just fine on a Mac (I am using it right now) and yes, it is
a great tool. You also have the choice of using tcpdump in a terminal
window, if that's your preference. Personally I usually capture using
tcpdump and view later in Wireshark.
On Fri, 1 Jul 2022 at 12:01, Petr Menšík
Hi Larry.
sudo tcpdump -ni any -c 1000 -w .pcap port 5353
For I usually include the date, hostname and some other
meaningful stuff to help you remember what it was for in 6 months' time.
Whilst this is running, make some queries in another terminal window.
I hope this helps.
Cheers, Greg
istorical
baggage. You just have to give yourself time to get used to them.
Cheers, Greg
On Sat, 14 May 2022 at 00:11, Felicia P wrote:
> Hello, I see that ISC updated terminology for BIND9 to use
> primary/secondary in addition to the original master/slave which many
> projects have been d
exactly
what happened on the wire, rather than speculate.
Cheers, Greg
On Fri, 13 May 2022 at 18:00, Philip Prindeville <
philipp_s...@redfish-solutions.com> wrote:
> My MTU is 1500 bytes, so I don't think that's the problem.
>
> But UDP can fragment via IP...
>
>
> > O
check if
something is doing IP fragmentation (though I wouldn't expect this to come
into play with a packet ~1k).
I hope some of that is useful.
Cheers, Greg
On Fri, 13 May 2022 at 17:07, Philip Prindeville <
philipp_s...@redfish-solutions.com> wrote:
> After rebooting my OpenWRT route
; at least as much as the clients are generating. (0% cache hit
ratio)
Cheers, Greg
On Fri, 6 May 2022 at 16:02, Alex K wrote:
> Hi all,
>
> I have the following problem: I run a caching dns server using bind9
> v9.10.3 in a gateway device which it serves several internal LAN IP
.
Or.. it may be that some network infrastructure - firewalls are usually the
first place to look - is blocking this traffic.
Whatever is happening at the authoritative end, it needs to be fixed. All
modern recursive servers will use EDNS.
Cheers, Greg
On Wed, 4 May 2022 at 13:13, Veronique Lefebure
wrote
clients are sending these queries
and go on a hunt. Perhaps the clients are misconfigured, or just being
'playful'!
Some useful reading might be these articles and others in the KB.
https://kb.isc.org/docs/bind-best-practices-authoritative
https://kb.isc.org/docs/bind-best-practices-recursive
and
Sending from the correct email alias this time!
On Thu, 3 Mar 2022 at 09:53, Greg Choules
wrote:
> Hi Greg.
> Basically, you can't forward out of authority. If server A is
> authoritative for "example.com" it is authoritative for that and
> everything below that, ad infi
Take 2. Sent from the wrong email address!
Greg
On Sat, 12 Feb 2022 at 08:01, Greg Choules
wrote:
> > "...to use a traditional VPN solution such as DNSSEC ..."
> DNSSEC is not a VPN service. It is regular, unencrypted DNS on port 53, or
> whichever port you choose -
Hello.
BIND port and packages have had dnstap enabled by default since August
2020[2].
[1] <https://kb.isc.org/docs/isc-packages-for-bind-9>
[2] <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237861>
--
Greg
tion & management best
practices?
Rgds,
Greg.
On Mon, Apr 26, 2021 at 4:16 PM Tony Finch wrote:
> Anand Buddhdev wrote:
> >
>
> Anand's advice is good, as usual :-)
>
> But a small pedantic point:
>
> > The DNS protocol itself has recently been updated to allow fo
of the communication done through the ACL and the key is
TSIG only used to allow me to make changes to the zone file?
The main reason why I was leaning towards SSH was to try to ensure that all
communication between local & remote was encrypted.
Rgds,
Greg.
On Fri, Apr 23, 2021 at 2:21 PM A
named & zone files?
I don't want anyone/anything else other than my local machine to make any
changes on my remote BIND server.
Rgds,
Greg.
On Fri, Apr 23, 2021 at 11:21 AM Anand Buddhdev wrote:
> Hi Greg,
>
> You don't need to SSH into a remote server to do dynamic DNS updates!
> The
but nsdiff may be a
good option.
Rgds,
Greg.
On Thu, Apr 22, 2021 at 8:38 PM Tony Finch wrote:
> Greg Donohoe wrote:
>
> > I have created a CI/CD pipeline in order to amend zone files using
> nsupdate
> > based on a front end user request. This portion of the
security?
All input greatly appreciated.
Thanks.
Greg.
at some point soon.
[1]
<https://dnssec-guide.readthedocs.io/en/latest/signing.html#working-with-the-parent-zone-2>
--
Greg
contained
within a dnssec-policy statement. A policy such as this one is working well for
me:
dnssec-policy Kreme {
keys {
ksk lifetime P1Y algorithm ECDSA256;
zsk lifetime P3M algorithm ECDSA256;
};
purge-keys 30d;
nsec3param;
};
--
Adding mailing list for archiving.
-- Forwarded message -
From: Greg Donohoe
Date: Wed, Jan 27, 2021 at 6:11 PM
Subject: Re: Reverse zone reformatting after nsupdate execution
To: Chris Isaksen
Thank you very much for your reply Chris. Changing the masterfile-style has
which always remains in
a /16 format.
Please see below for details and if you need any further information please
let me know.
###
named.conf
###
greg@hp-linux:/etc/bind$ cat named.conf
## OPTIONS
options {
directory "/var/cache
AAA records. The fact that you have
constrained your named to use only IPv4 transport does not change that behavior.
--
Greg
e only.
> Around 800 zones of varying sizes. DNSSEC in use.
>
https://gitlab.isc.org/isc-projects/bind9/-/issues/1893
--
Greg
gitlab.isc.org/isc-projects/bind9/-/issues/1859>
--
Greg
.16.2 on FreeBSD. I've opened a
ticket with ISC, and they are looking into it. Can you share any additional
information that might aid troubleshooting?
If anyone else experiences this, please report it.
--
Greg
53>. I'm not aware of a
libuv fix for Linux yet.
Running both FreeBSD _and_ Linux is a good idea. Among other things, it's an
excellent way to provide maximum availability for DNS.
--
Greg Rivers
NOTIFY
> messages, and zone transfer requests (AXFR or IXFR) will be signed using the
> specified key. Keys may also be specified in the also-notify statement of a
> master or slave zone, causing NOTIFY messages to be signed using the specified
> key.
>
So it does. Seems my knowledg
> No chance to get a log entry per server and the TSIG key in use.
>
As Rick Dicaire said previously, "Notifications themselves don't use TSIG". You
will never see a TSIG key associated with a notify because notifies aren't
signed; the zone transfers tri
noticed, named's
configuration and data are now under /opt/isc/isc-bind/.
--
Greg
supports multi-master across multiple disparate primaries with their "xDNS"
plugin. But I wouldn't say that multi-master is a good idea in general, as it
suffers from all of the problems that come with having multiple versions of the
truth.
[1] <https://www.menandmice.com/prod
(0)TDK
98 +E(0)TDC
19 +E(0)D
18 +E(0)K
8 -E(0)TC
3 +E(0)T
54353539
FWIW, this indicates that most TCP queries come from clients that claim to
support EDNS0.
--
Greg Rivers
you serve. If your
answers don't fit in 512 bytes (without EDNS) or ~4096 bytes (with EDNS),
you're going to be serving over TCP. Obviously you're way more likely to see
TCP queries from systems that don't support EDNS. Perhaps you have many such
On Thursday, August 02, 2018 12:58:32 Randy Bush wrote:
> ... are there that many folk doing tcp out there?
>
All name servers fall back to TCP when they receive truncated replies.
--
Greg Rivers
be that we
misunderstood the wording of your question. If your actual question was "can I
publish a public IP in DNS and NAT it to a private IP behind my firewall", then
of course the answer is "yes". Otherwise, trust the given advi
via hostname, if I did a nat on
> the firewall?
>
No, by definition, private addresses are not routable on the Internet.
--
Greg Rivers
xpiring, were other requests
> being rejected due to the two nameservers for that zone being
> unreachable?
>
No. You should find the zone expiration event in your logs.
--
Greg Rivers
many pieces of software, this list comes built into the
software.". As I recall, this is true for BIND.
--
Greg Rivers
;
masters { xxx.xxx.xxx.xxx; yyy.yyy.yyy.yyy; }; };
zone "31.172.in-addr.arpa" { type stub; file "/etc/namedb/slave/172.31.db";
masters { xxx.xxx.xxx.xxx; yyy.yyy.yyy.yyy; }; };
zone "168.192.in-addr.arpa" { type stub; file "/etc/namedb/slave/192.168.db&qu
it's as if they think hackers' main source of targets comes from here. Doesn't
appear to really want any help anyway.
-g
On Oct 4, 2010, at 8:35 PM, Noel Butler wrote:
On Mon, 2010-10-04 at 17:29 -0500, Lyle Giese wrote:
Dotan Cohen wrote:
The ports aren't blocked as another site
someone with way more bind clues than I would be able to give you a better
answer. The error returned begs two questions:
1. is this server behind or running a local firewall?
2. is bind actually listening on the proper interface?
you could confirm #2 by typing 'nslookup ns1.example.de
they (the distro maintainers) could not agree to put anything in the same place
if the world's sanity depended on it.
/var/named
/srv/bind
/etc/bind
/var/lib/named
/usr/local/named
It's all over the place. Myself, I just create links from /var/named (which is
where I think it was found on most
Hi,
Can I ask if anyone has a good idea for how I could identify (filter
packets) that are transiting via a company proxy server [e.g.
proxy.mycompany.com]. The challenge here is that the DNS server will
issue any one of a number of IP addresses back to the browser to use,
associated with the
I'd say no, and your ISP may need to gain a working knowledge of bind views if
they need to resolve 1812 addresses for their own needs without affecting
customers who are using the ISP DNS servers as their resolver.
the way you could fix this without their involvement is to bring up your own
, the error went away.
thanks again and have a great day,
greg
On Jun 14, 2010, at 6:25 AM, Cathy Almond wrote:
Greg Whynott wrote:
Sorry, forgot the subject. Not very good on my first posting.
Hello,
I'm seeing an unfamiliar error while attempting to start a newly built from
. Is it really a Day Light
related?
thanks much for your time,
greg
the error:
[r...@fido ~]# /etc/init.d/named start
Starting named:[FAILED]
[r...@fido ~]# grep named /var/log/messages
Jun 13 10:20:00 fido named[2430]: starting BIND 9.7.0-P2 -u named
Jun 13
of them will transfer to the secondary.
I have tried many things with no luck (my secondary was running an older
version of bind so I upgraded it)
Any help would be appreciated.
Greg Kuechle
Sorry about the notice appended to the email
I know this is a very lame question, but I have been out of the BIND loop
for a number of years (yes, I went over to the dark side ... MS DNS) but I
want to come back. My question is this: I have Win2K servers; what version of
BIND will run on this?
Thanks
Greg