RE: SERVFAIL issues

2009-01-20 Thread Frank Bulk - iName.com
My bad.  Let me restate the request -- that all the information available
via XML in the HTML statistics channel is also printed out when issuing
"rndc stats".

Frank

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry Margolin
Sent: Monday, January 19, 2009 9:47 PM
To: comp-protocols-dns-b...@moderators.individual.net
Subject: Re: SERVFAIL issues

In article ,
 "Frank Bulk"  wrote:

> Sorry for not being more clear.  It's my understanding that "rndc stats"
> dumps only a subset of what ARM provides.

You still don't make sense.  ARM is documentation, it doesn't provide
any statistics.  ARM = Administrator's Reference Manual for BIND.

>
> Regards,
>
> Frank
>
> -Original Message-
> From: JINMEI Tatuya / 神明達哉 [mailto:jinmei_tat...@isc.org]
> Sent: Monday, January 19, 2009 1:38 PM
> To: Frank Bulk
> Cc: bind-us...@isc.org
> Subject: Re: SERVFAIL issues
>
> At Sat, 17 Jan 2009 00:37:25 -0600,
> "Frank Bulk"  wrote:
>
> > Thanks for the info -- is there a way that there can be feature parity, at
> > least in terms of stats reported, between ARM and "rndc stats"?
>
> I don't understand the question...what do you mean by 'feature parity
> between ARM and "rndc stats"'?
>
> Anyway, the fact is that the ARM describes both the output of 'rndc
> stats' and the output from a HTML statistics channel (to some
> extent).  In general, what is described in the ARM should be
> consistent with the actual behavior.  Of course, there can always be
> a discrepancy between a manual (ARM) and the software behavior as long
> as it's done by a human.  Please file a bug report if you find one.
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.
>

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



Disable cache in bind 9.6

2009-01-20 Thread Dmitry Rybin
Hello!

How to disable cache in bind-9.6? ttl=0 - bad idea.


ACL ?

2009-01-20 Thread GanGan

how to make a bind that responds for the DNS zones for which it is the master,
and doesn't answer requests for domains for which there is no master?

my english is very bad :( sorry 
I am french :p

-- 
- GanGan -

www.system-linux.eu

(">
/\
V_V



local zone forward

2009-01-20 Thread Mikel Jimenez

Hello

I have a question related to forwarding.

I have db.myzone.com in my local bind.

I have my mail server in 192.168.1.1 so I define this entry in my 
db.myzone.com file. (mail.zone.com)


I also have my web, and other services, but not in local net, I have in 
external hosting.


How can I tell Bind that, when I ask for *.zone.com, it should first look at 
db.zone.com, and if it isn't defined in the file, recurse to the 
internet DNS servers?



Sorry for my English, thanks!!

--
Mikel Jimenez Fernandez
Irontec, Internet y Sistemas sobre GNU/LinuX - http://www.irontec.com
+34 94.404.81.82




Re: ACL ?

2009-01-20 Thread Stephane Bortzmeyer
On Tue, Jan 20, 2009 at 12:24:37PM +0100,
 GanGan  wrote 
 a message of 20 lines which said:

> how to make a bind that reponde DNS fields with which he's the
> master ?

List the zones for which it is a master in named.conf.

> and it doesnt meet the request of the domain from which there is no master.

recursion no;
allow-query-cache no;
 
> my english is very bad :( sorry I am french :p

Nobody is perfect. But why not use the French-speaking list
dns...@cru.fr 
in that case?


Re: local zone forward

2009-01-20 Thread Chris Buxton
You can't. You can, however, create more specific zones  
(mail.zone.tld.) rather than the overlapping zone (zone.tld.).


Chris Buxton
Professional Services
Men & Mice

On Jan 20, 2009, at 3:41 AM, Mikel Jimenez wrote:


Hello

I have a question related to forwarding.

I have db.myzone.com in my local bind.

I have my mail server in 192.168.1.1 so I define this entry in my  
db.myzone.com file. (mail.zone.com)


I also have my web, and other services, but not in local net, I have  
in external hosting.


How can I tell Bind that, when I ask for *.zone.com, it should first look at  
db.zone.com, and if it isn't defined in the file, recurse to the  
internet DNS servers?



Sorry for my English, thanks!!

--
Mikel Jimenez Fernandez
Irontec, Internet y Sistemas sobre GNU/LinuX - http://www.irontec.com
+34 94.404.81.82




Re: local zone forward

2009-01-20 Thread Mikel Jimenez

Chris Buxton wrote:
You can't. You can, however, create more specific zones 
(mail.zone.tld.) rather than the overlapping zone (zone.tld.).


Chris Buxton
Professional Services
Men & Mice

On Jan 20, 2009, at 3:41 AM, Mikel Jimenez wrote:


Hello

I have a question related to forwarding.

I have db.myzone.com in my local bind.

I have my mail server in 192.168.1.1 so I define this entry in my 
db.myzone.com file. (mail.zone.com)


I also have my web, and other services, but not in local net, I have 
in external hosting.


How can I tell Bind that, when I ask for *.zone.com, it should first look at 
db.zone.com, and if it isn't defined in the file, recurse to the 
internet DNS servers?



Sorry for my English, thanks!!

--
Mikel Jimenez Fernandez
Irontec, Internet y Sistemas sobre GNU/LinuX - http://www.irontec.com
+34 94.404.81.82





Yeah!! thanks!!

One question...
one "more specific zone" for each A record?



--
Mikel Jimenez Fernandez
Irontec, Internet y Sistemas sobre GNU/LinuX - http://www.irontec.com
+34 94.404.81.82




Re: local zone forward

2009-01-20 Thread Chris Buxton

On Jan 20, 2009, at 6:23 AM, Mikel Jimenez wrote:

Chris Buxton wrote:
You can't. You can, however, create more specific zones  
(mail.zone.tld.) rather than the overlapping zone (zone.tld.).


Chris Buxton
Professional Services
Men & Mice

On Jan 20, 2009, at 3:41 AM, Mikel Jimenez wrote:


Hello

I have a question related to forwarding.

I have db.myzone.com in my local bind.

I have my mail server in 192.168.1.1 so I define this entry in my  
db.myzone.com file. (mail.zone.com)


I also have my web, and other services, but not in local net, I  
have in external hosting.


How can I tell Bind that, when I ask for *.zone.com, it should first look at  
db.zone.com, and if it isn't defined in the file, recurse  
to the internet DNS servers?



Sorry for my English, thanks!!

--
Mikel Jimenez Fernandez
Irontec, Internet y Sistemas sobre GNU/LinuX - http://www.irontec.com

+34 94.404.81.82





Yeah!! thanks!!

One question...
one "more specific zone" for each A record?



Yes, that is correct.

Chris Buxton
Professional Services
Men & Mice




Re: local zone forward

2009-01-20 Thread Mikel Jimenez

Chris Buxton wrote:

On Jan 20, 2009, at 6:23 AM, Mikel Jimenez wrote:

Chris Buxton wrote:
You can't. You can, however, create more specific zones 
(mail.zone.tld.) rather than the overlapping zone (zone.tld.).


Chris Buxton
Professional Services
Men & Mice

On Jan 20, 2009, at 3:41 AM, Mikel Jimenez wrote:


Hello

I have a question related to forwarding.

I have db.myzone.com in my local bind.

I have my mail server in 192.168.1.1 so I define this entry in my 
db.myzone.com file. (mail.zone.com)


I also have my web, and other services, but not in local net, I 
have in external hosting.


How can I tell Bind that, when I ask for *.zone.com, it should first look at 
db.zone.com, and if it isn't defined in the file, recurse 
to the internet DNS servers?



Sorry for my English, thanks!!

--
Mikel Jimenez Fernandez
Irontec, Internet y Sistemas sobre GNU/LinuX - http://www.irontec.com
+34 94.404.81.82





Yeah!! thanks!!

One question...
one "more specific zone" for each A record?



Yes, that is correct.

Chris Buxton
Professional Services
Men & Mice



Yeah!! It works perfect!!

Thanks!!

--
Mikel Jimenez Fernandez
Irontec, Internet y Sistemas sobre GNU/LinuX - http://www.irontec.com
+34 94.404.81.82




Re: Disable cache in bind 9.6

2009-01-20 Thread Dmitry Rybin
Matus UHLAR - fantomas wrote:
> On 20.01.09 12:49, Dmitry Rybin wrote:
>> How to disable cache in bind-9.6? ttl=0 - bad idea.
> 
> if you know that setting TTL to 0 is a bad idea, why do you think that
> disabling a cache in BIND is not a bad idea?
> 

Because under high load the cache grows to the maximum system size and stops
responding to queries. This is a known problem.


Re: Disable cache in bind 9.6

2009-01-20 Thread Matus UHLAR - fantomas
> > On 20.01.09 12:49, Dmitry Rybin wrote:
> >> How to disable cache in bind-9.6? ttl=0 - bad idea.

> Matus UHLAR - fantomas wrote:
> > if you know that setting TTL to 0 is a bad idea, why do you think that
> > disabling a cache in BIND is not a bad idea?

On 20.01.09 18:39, Dmitry Rybin wrote:
> Because under high load the cache grows to the maximum system size and stops
> responding to queries. This is a known problem.

Did you set up maximum cache size to a sane value?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Enter any 12-digit prime number to continue.


Re: Disable cache in bind 9.6

2009-01-20 Thread Alan Clegg
Dmitry Rybin wrote:
> Matus UHLAR - fantomas wrote:
>> On 20.01.09 12:49, Dmitry Rybin wrote:
>>> How to disable cache in bind-9.6? ttl=0 - bad idea.
>> if you know that setting TTL to 0 is a bad idea, why do you think that
>> disabling a cache in BIND is not a bad idea?
>>
> 
> Because under high load the cache grows to the maximum system size and stops
> responding to queries. This is a known problem.

This is NOT a "known problem" in 9.6.  Please provide your configuration
and logs that show the issue that you are having.

AlanC




in-addr.arpa delegation failure

2009-01-20 Thread Lars Hecking

 I've been beating my head against the wall with this issue, and I'm out
 of ideas: I can't get reverse lookups for a particular, delegated RFC1918
 net to work.

 Setup:
 Internal root dns.domain.com running bind 9.4.2-P2.
 This host is set up as a master for 172.30/16. It delegates 172.30 to a 
 subdomain (A record for ns1.sub.domain.com is present elsewhere).

 db.172.30:
 @ IN SOA dns.domain.com. root. 2009012001 10800 3600 604800 300
   IN NS  ns1.sub.domain.com.

 Working query (status: NOERROR) returns as expected:

$ dig @dns.comain.com 30.172.in-addr.arpa. soa

; <<>> DiG 9.3.4-P1 <<>> @dns.comain.com 30.172.in-addr.arpa. soa
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41833
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;30.172.in-addr.arpa.   IN  SOA

;; ANSWER SECTION:
30.172.in-addr.arpa.    86400   IN  SOA dns.comain.com. root. 2009012001 10800 3600 604800 300

;; AUTHORITY SECTION:
30.172.in-addr.arpa.86400   IN  NS  ns1.sub.domain.com.

;; ADDITIONAL SECTION:
ns1.sub.domain.com. 1818  IN  A   172.30.112.4
...
$ 

 Now, the setup of ns1.sub.domain.com:
 bind 9.4.2-P2
 This host is set up as a master for 172.30/16 and 172.30.10/24. It delegates
 172.30.10 to itself.

 db.172.30:
 @   IN SOA ns1.sub.domain.com. root. 2009011900 10800 3600 
604800 300
 10.30.172.in-addr.arpa. IN NS ns1.sub.domain.com.

 A lookup for 10.30.172.in-addr.arpa. fails everywhere except on
 ns1.sub.domain (status: NXDOMAIN):

$ dig @dns.comain.com. 10.30.172.in-addr.arpa. soa

; <<>> DiG 9.3.4-P1 <<>> @dns.comain.com. 10.30.172.in-addr.arpa. soa
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54056
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;10.30.172.in-addr.arpa.IN  SOA

;; AUTHORITY SECTION:
30.172.in-addr.arpa.    0   IN  SOA dns.domain.com. root. 2009012001 10800 3600 604800 300
...
$

 Why is the delegation chain not working? Is it a conflict for having both
 the top level dns.domain.com. and ns1.sub.domain.com. as master for 172.30?

 Would it be better to use stubs to delegate 172.30 down from the top level?
 I have a feeling they wouldn't solve this particular problem, though.

 Do I need to delegate all 255 /24 subnets explicitly at the top level server?
 That would kind of defeat the purpose of having delegation in the first
 place.

 I think I'm missing something fundamental here ...




Re: in-addr.arpa delegation failure

2009-01-20 Thread Stephane Bortzmeyer
On Tue, Jan 20, 2009 at 04:14:01PM +,
 Lars Hecking  wrote 
 a message of 87 lines which said:

>  This host is set up as a master for 172.30/16. It delegates 172.30
>  to a subdomain (A record for ns1.sub.domain.com is present
>  elsewhere).

Hold on! There is already a contradiction. It is supposed to be an
authoritative name server (a master is a special case of an
authoritative name server) but it delegates to a different
machine. You cannot have both. Either dns.domain.com is authoritative
for 30.172.in-addr.arpa or it is not.
 
>  db.172.30:
>  @ IN SOA dns.domain.com. root. 2009012001 10800 3600 604800 300
>IN NS  ns1.sub.domain.com.

I do not see a delegation of 10.30.172.in-addr.arpa.
 
>  Now, the setup of ns1.sub.domain.com:
>  bind 9.4.2-P2
>  This host is set up as a master for 172.30/16 

Now, you have *two* masters for 30.172.in-addr.arpa. Again, it is a
contradiction (unless the two masters get their data from an external
source such as a DBMS but it does not appear to be the case here).

>  Why is the delegation chain not working? Is it a conflict for having both
>  the top level dns.domain.com. and ns1.sub.domain.com. as master for 172.30?

Partly. You can have only one master. But you may have several
authoritative name servers for one zone (actually, this is
recommended).
 
>  Would it be better to use stubs to delegate 172.30 down from the
>  top level?

No.

>  Do I need to delegate all 255 /24 subnets explicitly at the top
>  level server?

All those you use, yes.

>  I think I'm missing something fundamental here ...

IMHO, you need to go back to the drawing board and, before writing
named.conf and zone files, deciding on a general architecture.

Who will be the master for 30.172.in-addr.arpa?
Who will be authoritative for 30.172.in-addr.arpa?
Who will be the master for 10.30.172.in-addr.arpa?
Who will be authoritative for 10.30.172.in-addr.arpa?

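The failure Lars reports and Stephane's diagnosis can be replayed with a small model of how an authoritative server answers a query (the RFC 1034 section 4.3.2 algorithm, simplified): pick the closest enclosing zone, walk down from the apex looking for a cut point (NS records below the apex, i.e. a delegation), and otherwise answer, return NXDOMAIN with the SOA, or return NODATA. This is an added example, not code from the thread or from BIND. The zone contents are transcribed from Lars's two db.172.30 snippets; the contents of the child zone 10.30.172.in-addr.arpa on ns1 and the server names used as labels are assumptions.

```python
"""Replay of the in-addr.arpa delegation failure from the thread above.

A toy authoritative lookup (RFC 1034 s4.3.2, simplified).  Zone data is
transcribed from Lars's two db.172.30 files; the child zone on ns1 and
the server labels are assumed for illustration.
"""
from collections import defaultdict

SOA_A = "dns.domain.com. root. 2009012001 10800 3600 604800 300"
SOA_B = "ns1.sub.domain.com. root. 2009011900 10800 3600 604800 300"


def zone(apex, records):
    """Build one zone as {owner_name: {rtype: [rdata, ...]}} (names FQDN)."""
    db = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        name = apex if owner == "@" else owner
        db[name.lower()][rtype].append(rdata)
    return apex.lower(), db


# dns.domain.com: master for 30.172 with only an apex NS, no cut at 10.30.172
SERVER_A = dict([zone("30.172.in-addr.arpa.", [
    ("@", "SOA", SOA_A),
    ("@", "NS", "ns1.sub.domain.com."),
])])

# ns1.sub.domain.com: a second master for 30.172 that delegates 10.30.172 to
# itself, plus the child zone (contents assumed; the post only says it exists)
SERVER_B = dict([
    zone("30.172.in-addr.arpa.", [
        ("@", "SOA", SOA_B),
        ("@", "NS", "ns1.sub.domain.com."),
        ("10.30.172.in-addr.arpa.", "NS", "ns1.sub.domain.com."),
    ]),
    zone("10.30.172.in-addr.arpa.", [
        ("@", "SOA", SOA_B),
        ("@", "NS", "ns1.sub.domain.com."),
    ]),
])


def closest_zone(server, qname):
    """Longest (deepest) loaded zone apex that encloses qname, or None."""
    qname = qname.lower()
    best = None
    for apex in server:
        if qname == apex or qname.endswith("." + apex):
            if best is None or len(apex) > len(best):
                best = apex
    return best


def lookup(server, qname, qtype):
    """Return (status, section) the way an authoritative-only server would."""
    qname = qname.lower()
    apex = closest_zone(server, qname)
    if apex is None:
        return "REFUSED", {}  # not authoritative and recursion is off
    db = server[apex]
    # Walk from the apex down towards qname one label at a time; NS records at
    # a name below the apex are a zone cut, so the answer is a referral.
    labels = qname[: -len(apex) - 1].split(".") if qname != apex else []
    for i in range(len(labels) - 1, -1, -1):
        name = ".".join(labels[i:]) + "." + apex
        if "NS" in db.get(name, {}):
            return "NOERROR/referral", {"NS": (name, db[name]["NS"])}
    if qname not in db:
        return "NXDOMAIN", {"SOA": (apex, db[apex]["SOA"])}
    if qtype not in db[qname]:
        return "NOERROR/nodata", {"SOA": (apex, db[apex]["SOA"])}
    return "NOERROR", {qtype: (qname, db[qname][qtype])}


def status(server, qname, qtype="SOA"):
    return lookup(server, qname, qtype)[0]


if __name__ == "__main__":
    q = "10.30.172.in-addr.arpa."
    print("dns.domain.com     ", lookup(SERVER_A, q, "SOA"))   # NXDOMAIN
    print("ns1.sub.domain.com ", lookup(SERVER_B, q, "SOA"))   # NOERROR
    # The slave-of-the-zone fix suggested later in the thread: the "root"
    # server loads ns1's copy of 30.172 and then hands out the delegation.
    fixed_a = {"30.172.in-addr.arpa.": SERVER_B["30.172.in-addr.arpa."]}
    print("dns.domain.com fix ", lookup(fixed_a, q, "SOA"))    # referral
```

Run it and the first server answers NXDOMAIN for 10.30.172.in-addr.arpa exactly as in Lars's second dig: dns.domain.com is authoritative for the parent, finds no name and no cut below the apex, and so denies the name's existence, regardless of what ns1 holds. Only when both servers carry the same parent zone data does the parent return a referral.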


forwarding but no recursion?

2009-01-20 Thread etirado.ext

Hello,

Is it possible to disable recursion for all incoming queries except
for those listed in a zone statement with a forwarder?

I know that no forwarding is allowed if we disable recursion.

Something like this ( but this doesn't work I know ):

I can't match people so I can't create a view.

options {

allow-query { any; };
allow-query-cache { none; };
allow-recursion { none; };

};

zone "example.fr" {

type forward;
forwarders { x.x.x.x; };
forward only;
};

Thank you for your advice.

Emmanuel


*
This message and any attachments (the "message") are confidential and intended 
solely for the addressees. 
Any unauthorised use or dissemination is prohibited.
Messages are susceptible to alteration. 
France Telecom Group shall not be liable for the message if altered, changed or 
falsified.
If you are not the intended addressee of this message, please cancel it 
immediately and inform the sender.



compiling BIND on AIX

2009-01-20 Thread Jerry Kemp
I have compiled BIND many times on Solaris/OpenSolaris and several 
different *BSD's, and this has always been a pretty simple procedure.


I currently need to compile (a current) BIND on AIX 5.2 and it appears 
to me that there is a little more work involved to get a successful 
compile on this platform vs. others that I have worked with.


Can anyone who is currently compiling/running BIND on AIX share any 
getting started pointers ( i.e. BIND only compiles with gcc, etc)??


A search of the archives indicates that there are people on the list 
running BIND on AIX, but I was unable to uncover any specific tips, 
hints, etc. as to getting a good compile.


TIA,

Jerry K.


Re: Disable cache in bind 9.6

2009-01-20 Thread John Wobus

Disabling the cache makes sense if the purpose of your
nameserver is to provide your authoritative zone data and you
have a different nameserver to handle your site's general
DNS queries.

TTL settings are part of authoritative zone data, which is
completely independent of whether you disable caching in the
nameserver.

On Jan 20, 2009, at 4:49 AM, Dmitry Rybin wrote:


Hello!

How to disable cache in bind-9.6? ttl=0 - bad idea.


Re: forwarding but no recursion?

2009-01-20 Thread Josh Kuo
I believe the behavior of the following configuration is to send back
the IP address of the forwarders to the clients, and rely on clients
to do the recursive query against the forwarders.


On Tue, Jan 20, 2009 at 9:25 AM,   wrote:
>
> Hello,
>
> Is it possible to disable recursion for all incoming queries except
> for those listed in a zone statement with a forwarder?
>
> I know that no forwarding is allowed if we disable recursion.
>
> Something like this ( but this doesn't work I know ):
>
> I can't match people so I can't create a view.
>
> options {
>
>allow-query { any; };
>allow-query-cache { none; };
>allow-recursion { none; };
>
> };
>
> zone "example.fr" {
>
>type forward;
>forwarders { x.x.x.x; };
>forward only;
> };
>
> Thank you for your advice.
>
> Emmanuel
>
>
> *
> This message and any attachments (the "message") are confidential and 
> intended solely for the addressees.
> Any unauthorised use or dissemination is prohibited.
> Messages are susceptible to alteration.
> France Telecom Group shall not be liable for the message if altered, changed 
> or falsified.
> If you are not the intended addressee of this message, please cancel it 
> immediately and inform the sender.
> 


Re: SERVFAIL issues

2009-01-20 Thread JINMEI Tatuya / 神明達哉
At Tue, 20 Jan 2009 02:16:00 -0600,
"Frank Bulk - iName.com"  wrote:

> My bad.  Let me restate the request -- that all the information available
> via XML in the HTML statistics channel is also printed out when issuing
> "rndc stats".

It's the opposite: all the information printed out when issuing 'rndc
stats' is also available via XML in the HTML statistics channel (but
not vice versa).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: in-addr.arpa delegation failure

2009-01-20 Thread Chris Buxton

On Jan 20, 2009, at 8:30 AM, Stephane Bortzmeyer wrote:

On Tue, Jan 20, 2009 at 04:14:01PM +,
Lars Hecking  wrote
a message of 87 lines which said:

Do I need to delegate all 255 /24 subnets explicitly at the top
level server?


All those you use, yes.


Alternatively, make your "root" server a slave of the zone, so that it  
can continue to be managed on the intended master.


Chris Buxton
Professional Services
Men & Mice



Re: forwarding but no recursion?

2009-01-20 Thread Chris Buxton
On Jan 20, 2009, at 9:25 AM,  > wrote:

Hello,

Is it possible to disable recursion for all incoming queries except
for those listed in a zone statement with a forwarder?

I know that no forwarding is allowed if we disable recursion.

Something like this ( but this doesn't work I know ):

I can't match people so I can't create a view.


According to the ARM for BIND 9.4, forward zones support only a few  
substatements. The same is true of hint zones (for the root hints  
list). Therefore, I see only one ungainly way to achieve this,  
creating a slave of the root zone and restricting access to it.

__

options {
directory "/some/path";
allow-query { any; };
allow-recursion { any; }; // no need for allow-query-cache
};

zone "." {
type slave;
masters { 192.5.5.241; 192.228.79.201; 192.33.4.12; };
file "root.zone";
allow-query { none; };
allow-transfer { none; };
};

zone "example.fr" {
type forward;
forwarders { ... };
forward only;
};
__

Chris Buxton
Professional Services
Men & Mice



denied NS/IN

2009-01-20 Thread Scott Haneda

Hello, looking at my logs today, I am getting hammered with these:
20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517:  
query (cache) './NS/IN' denied
20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593:  
query (cache) './NS/IN' denied


Repeated over and over, how do I tell what they are, and if they are  
bad, what is the best way to block them?

--
Scott



RE: denied NS/IN

2009-01-20 Thread Frank Bulk
That's being discussed on NANOG, here's one thread:
http://markmail.org/message/ydiqnztzmz5qmusf

See here for more details in blocking them:
http://www.cymru.com/Documents/secure-bind-template.html
specifically:

blackhole {
// Deny anything from the bogon networks as
// detailed in the "bogon" ACL.
bogon;
};

Note that isprime is suggesting an ACL on your firewall or router.

Frank

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Scott Haneda
Sent: Tuesday, January 20, 2009 5:41 PM
To: BIND Users Mailing List
Subject: denied NS/IN

Hello, looking at my logs today, I am getting hammered with these:
20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517:
query (cache) './NS/IN' denied
20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593:
query (cache) './NS/IN' denied

Repeated over and over, how do I tell what they are, and if they are
bad, what is the best way to block them?
--
Scott



Re: denied NS/IN

2009-01-20 Thread Scott Haneda

On Jan 20, 2009, at 3:52 PM, Frank Bulk wrote:


That's being discussed on NANOG, here's one thread:
http://markmail.org/message/ydiqnztzmz5qmusf

See here for more details in blocking them:
http://www.cymru.com/Documents/secure-bind-template.html
specifically:

   blackhole {
   // Deny anything from the bogon networks as
   // detailed in the "bogon" ACL.
   bogon;
   };

Note that isprime is suggesting an ACL on your firewall or router.



Thank you, curious, why does it say block all but 53, isn't that  
exactly what we want to block?

--
Scott



RE: denied NS/IN

2009-01-20 Thread Frank Bulk
According to ISPrime, 66.230.128.15 and 66.230.160.1 are authoritative DNS
servers, but do not make outbound requests.  As such, they only *receive*
queries from remote DNS servers (or clients).  So all UDP or TCP-based DNS
requests to those two DNS servers are made *to* port 53.  And those two DNS
servers respond to those requests on port 53.  The spoofers are sourcing
their queries from non-port 53 ports, so it's easy to tell what is spoofed
and what's not.

Frank

-Original Message-
From: Scott Haneda [mailto:talkli...@newgeo.com] 
Sent: Tuesday, January 20, 2009 6:12 PM
To: frnk...@iname.com
Cc: BIND Users Mailing List
Subject: Re: denied NS/IN

On Jan 20, 2009, at 3:52 PM, Frank Bulk wrote:

> That's being discussed on NANOG, here's one thread:
> http://markmail.org/message/ydiqnztzmz5qmusf
>
> See here for more details in blocking them:
> http://www.cymru.com/Documents/secure-bind-template.html
> specifically:
>
>blackhole {
>// Deny anything from the bogon networks as
>// detailed in the "bogon" ACL.
>bogon;
>};
>
> Note that isprime is suggesting an ACL on your firewall or router.


Thank you, curious, why does it say block all but 53, isn't that
exactly what we want to block?
--
Scott


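Scott's two log lines and Frank's explanation give an operator enough to do locally what the thread suggests: parse the BIND security-category "denied" lines, group them by the claimed client address, and spot the reflection pattern (repeated root NS queries, assorted high source ports, a "client" that is really the spoofed victim). The following is an added example, not code from the thread or from BIND; the first two sample lines are Scott's, the rest are constructed in the same format (192.0.2.77 is a documentation address), and the `min_hits` threshold is an assumption.

```python
"""Summarise BIND 'query ... denied' security log lines by claimed client.

Added example for the thread above.  Sample lines: the first two are from
Scott's post, the remaining ones are constructed in the same format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# BIND 9 security-category line, as seen in the post:
# <date> security: info: client <ip>#<port>: query (cache) '<name>/<type>/<class>' denied
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) security: info: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)

SAMPLE_LOG = """\
20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied
20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593: query (cache) './NS/IN' denied
20-Jan-2009 15:39:07.102 security: info: client 66.230.160.1#51022: query (cache) './NS/IN' denied
20-Jan-2009 15:39:07.455 security: info: client 66.230.160.1#60411: query (cache) './NS/IN' denied
20-Jan-2009 15:39:08.001 security: info: client 192.0.2.77#53: query (cache) 'www.example.com/A/IN' denied
"""  # lines 3-5 constructed for the example


def parse(line):
    """Parse one security log line; None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    return rec


def summarise(log_text, min_hits=2):
    """Group denied queries by claimed source IP.  Returns {ip: summary}."""
    per_ip = defaultdict(lambda: {"hits": 0, "ports": set(), "qnames": Counter(),
                                  "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["hits"] += 1
        s["ports"].add(rec["port"])
        s["qnames"][rec["qname"] + "/" + rec["qtype"]] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])

    report = {}
    for ip, s in per_ip.items():
        span = (s["last"] - s["first"]).total_seconds()
        top_query = s["qnames"].most_common(1)[0][0]
        report[ip] = {
            "hits": s["hits"],
            "distinct_ports": len(s["ports"]),
            "top_query": top_query,
            "rate_per_s": s["hits"] / span if span > 0 else float(s["hits"]),
            # The signature from the thread: repeated './NS' queries whose
            # "client" is the spoofed victim, arriving from assorted high ports.
            "reflection_suspect": s["hits"] >= min_hits and top_query == "./NS",
        }
    return report


if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG).items():
        print(ip, s)
```

Grouping by the logged client is the part you can do on the resolver itself; as Frank and Mark note in the thread, the addresses in these lines are the victims, so a `blackhole` list only cuts the log noise (the packets still arrive), and the lasting fix is BCP 38 ingress filtering at the network that emits the spoofed queries.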


Re: denied NS/IN

2009-01-20 Thread Mark Andrews

In message <232b45f8-acd3-427a-95e9-bc3ca5fc9...@newgeo.com>, Scott Haneda writes:
> Hello, looking at my logs today, I am getting hammered with these:
> 20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517:  
> query (cache) './NS/IN' denied
> 20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593:  
> query (cache) './NS/IN' denied
> 
> Repeated over and over, how do I tell what they are, and if they are  
> bad, what is the best way to block them?
> --
> Scott

You should talk to your ISP to chase the traffic back to
its source and get BCP 38 implemented there.  BCP 38 is ~10
years old now.  There is no excuse for not filtering spoofed
traffic.

If the source doesn't want to implement BCP 38 then de-peering
the source should be considered.

Mark
 
http://www.ietf.org/rfc/rfc2267.txt January 1998
http://www.ietf.org/rfc/rfc2827.txt May 2000  (BCP 38)
http://www.ietf.org/rfc/rfc3704.txt March 2004 (BCP 84)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: denied NS/IN

2009-01-20 Thread Scott Haneda

On Jan 20, 2009, at 5:44 PM, Mark Andrews wrote:

In message <232b45f8-acd3-427a-95e9-bc3ca5fc9...@newgeo.com>, Scott Haneda writes:

Hello, looking at my logs today, I am getting hammered with these:
20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517:
query (cache) './NS/IN' denied
20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593:
query (cache) './NS/IN' denied

Repeated over and over, how do I tell what they are, and if they are
bad, what is the best way to block them?
--
Scott


You should talk to your ISP to chase the traffic back to
its source and get BCP 38 implemented there.  BCP 38 is ~10
years old now.  There is no excuse for not filtering spoofed
traffic.

If the source doesn't want to implement BCP 38 then de-peering
the source should be considered.



Is BCP 38 really as solid and plug and play as it sounds?  In a  
shared, or colo'd environment, can that ISP really deploy something  
like this, without it causing trouble for those that assume unfettered  
inbound and outbound traffic to their servers?

--
Scott



What to do about openDNS

2009-01-20 Thread Scott Haneda
I brought this up a few months back.  For me, it is getting worse, and  
I am not able to come up with a solution.


I have many clients who reg domains.  They all point to my NS.   
Sometimes, the client lapses hosting with me, and I delete the zones.   
They usually leave the domain reg'd and my NS's listed.


I also have other clients who register thousands of domains, some get  
used, some do not.  In the end, I am listed as an NS.  Going back to  
clients and asking them to delete the NS from their registrar; it just  
is not going to happen. I do not always know, so to add a zone, can  
not happen, and even then, I have to add a wildcard for them all to  
resolve them.


I have heard varying levels of disapproval for wildcards to solve this  
as well.


The problem is with openDNS, which grows every day.  If one uses them  
as a rr, when someone requests a domain that is not setup, openDNS  
will make around 50 requests for that domain.  Then the browser will  
inject www. to the domain, and it asks for another 50.  Add in spam  
for MX's and any number of other requests, and I have on average, 40  
queries per second.


When it gets really bad, is a heavily used domain that the client lets  
go, where there are img src links in a forum, which can get popular on  
occasion.


I have tested this with my own NS, as the rr, and it makes 2 or 3  
queries, sees there is no zone, and goes away.  OpenDNS *never* caches  
the result, and happily goes about this all day long.


My first question is, I assume they are ignoring some TTL, and in  
doing so, are they in violation of any standard in this regard?


Second would be, is this exploitable as I think it is?  In that, one  
could enter any NS they want into their registrar, and create a  
situation in which openDNS is used as a way to attack that NS.


Is there any way for me to locally block this act?  I do not think  
there is, aside from blocking openDNS, which would have negative  
repercussions since they are used by so many people.  Looking for  
automated blocking, not to sit on my logs all day long.


For what it is worth, I did email them, first email was ignored,  
second email was not understood and they told me they did not support  
grep, which I was simply using to extract the number of lines in my  
log to show them the issue.  My reply to that, was ignored as well.


To be honest, if I wanted to make named behave this way, I would not  
even know how to do so, I would certainly have to take effort to try.


This represents the last 4 hours of my query log, for one domain that  
is not even the best example.  I have my logs set to 10M, and this  
case already caused a roll of the logs in only 4 hours:

grep -i 'juliansummerhill.com' query.log | wc -l
1289

Thanks for any pointers and education on this issue.
--
Scott

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
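An added example for the "automated blocking, not sitting on the logs" question in Scott's post above; it is editor-written, not Scott's code and not anything from ISC. It parses BIND 9 query-log lines (the sample lines in the block are constructed, in the shape of the 9.x `queries` category output), flags every name that falls under no zone this server is configured to serve, and ranks both the registrable domains being asked about and the resolvers asking, together with the overall query rate for the window. CONFIGURED_ZONES is an assumed constant; in practice it would be filled from named.conf. The script finds the sources and the lingering delegations; it does not block anything, because the server cannot tell a lapsed delegation from a legitimate query until it has looked at the name.

```python
"""Triage a BIND 9 query log for names under no configured zone (lapsed
delegations) and rank the resolvers sending them.  Editor's example, not
code from the thread.  Assumed log shape (BIND 9 'queries' category):
  20-Jan-2009 15:39:06.284 queries: info: client 192.0.2.10#48517: query: www.example.com IN A +
"""
import re
from collections import Counter
from datetime import datetime

# Assumption: zones this server actually serves (fill from named.conf in practice).
CONFIGURED_ZONES = {"example.com", "example.org"}

QUERY_RE = re.compile(
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}).*?"
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+:(?: view \S+:)? query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample lines (RFC 5737 addresses), not from the poster's log.
SAMPLE_LOG = """\
20-Jan-2009 15:39:06.284 queries: info: client 192.0.2.10#48517: query: lapsed-customer.net IN A +
20-Jan-2009 15:39:06.290 queries: info: client 192.0.2.10#48518: query: www.lapsed-customer.net IN A +
20-Jan-2009 15:39:06.301 queries: info: client 192.0.2.10#48519: query: lapsed-customer.net IN MX +
20-Jan-2009 15:39:07.002 queries: info: client 192.0.2.11#31593: query: www.lapsed-customer.net IN A +
20-Jan-2009 15:39:07.500 queries: info: client 198.51.100.7#5353: query: www.example.com IN A +
20-Jan-2009 15:39:08.284 queries: info: client 198.51.100.7#5354: query: mail.example.org IN MX +
not a query line at all
"""


def parse_line(line):
    """Return {ts, client, qname, qtype} for a query-log line, else None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return {"ts": ts, "client": m.group("ip"),
            "qname": m.group("qname").rstrip(".").lower(),
            "qtype": m.group("qtype")}


def zone_for(qname, zones=CONFIGURED_ZONES):
    """Longest configured zone that contains qname, or None (no zone: lame)."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def registrable(qname):
    """Crude registrable domain = last two labels.  Fine for com/net/org;
    second-level registries (co.uk) need a public-suffix list (assumption)."""
    return ".".join(qname.split(".")[-2:])


def triage(lines, zones=CONFIGURED_ZONES):
    """Aggregate orphan (no-zone) queries by domain and by client; return
    totals and the query rate over the time span covered by the lines."""
    by_domain, by_client = Counter(), Counter()
    first = last = None
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        first = rec["ts"] if first is None else min(first, rec["ts"])
        last = rec["ts"] if last is None else max(last, rec["ts"])
        if zone_for(rec["qname"], zones) is None:
            by_domain[registrable(rec["qname"])] += 1
            by_client[rec["client"]] += 1
    span = (last - first).total_seconds() if first and last else 0.0
    qps = total / span if span > 0 else float(total)
    return {"total": total, "qps": qps,
            "orphan_domains": by_domain, "orphan_clients": by_client}


if __name__ == "__main__":
    r = triage(SAMPLE_LOG.splitlines())
    print(f"{r['total']} queries, {r['qps']:.1f} q/s over the window")
    for dom, n in r["orphan_domains"].most_common(5):
        print(f"  no zone for {dom:30s} {n:6d} queries")
    for ip, n in r["orphan_clients"].most_common(5):
        print(f"  resolver    {ip:30s} {n:6d} orphan queries")
```

Feed it `grep client query.log` on a real server and the first list is the set of domains still delegated to you without a zone, which is the input for whatever policy is applied to them; the second list is who to talk to.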


unwanted delegations was: What to do about openDNS

2009-01-20 Thread Danny Thomas

Scott Haneda wrote:
> I brought this up a few months back.  For me, it is getting worse, and
> I am not able to come up with a solution.
>
> I have many clients who reg domains.  They all point to my NS.
> Sometimes, the client lapses hosting with me, and I delete the zones.
> They usually leave the domain reg'd and my NS's listed.

The system should recognise the rights of nameserver operators.
There should be some process by which unwanted delegations can be removed.
Obviously doing this on the basis of an email is not a good idea, but
perhaps the nameserver operator can publish their desire in a credible
fashion:

dig @ns1.uq.edu.au 71.155.in-addr.arpa any

; <<>> DiG 9.4.2-P2 <<>> @ns1.uq.edu.au 71.155.in-addr.arpa any
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 436
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;71.155.in-addr.arpa.           IN      ANY

;; ANSWER SECTION:
71.155.in-addr.arpa.    3600    IN      SOA     noddns.cc.uq.edu.au. hostmaster.uq.edu.au. 2008121901 10800 1800 360 3600
71.155.in-addr.arpa.    259200  IN      NS      ns1.uq.edu.au.
71.155.in-addr.arpa.    259200  IN      NS      ns2.uq.edu.au.
71.155.in-addr.arpa.    259200  IN      NS      ns3.uq.edu.au.
71.155.in-addr.arpa.    3600    IN      TXT     "zone transfers are allowed to show the zone is useless"
71.155.in-addr.arpa.    3600    IN      TXT     "please remove delegations to the name-servers listed in this zones NS records"


Danny




Re: denied NS/IN

2009-01-20 Thread Mark Andrews

In message , Scott Haneda writes:
> On Jan 20, 2009, at 5:44 PM, Mark Andrews wrote:
> 
> > In message <232b45f8-acd3-427a-95e9-bc3ca5fc9...@newgeo.com>, Scott Haneda writes:
> >> Hello, looking at my logs today, I am getting hammered with these:
> >> 20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517:
> >> query (cache) './NS/IN' denied
> >> 20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593:
> >> query (cache) './NS/IN' denied
> >>
> >> Repeated over and over, how do I tell what they are, and if they are
> >> bad, what is the best way to block them?
> >> --
> >> Scott
> >
> > You should talk to your ISP to chase the traffic back to
> > its source and get BCP 38 implemented there.  BCP 38 is ~10
> > years old now.  There is no excuse for not filtering spoofed
> > traffic.
> >
> > If the source doesn't want to implement BCP 38 then de-peering
> > the source should be considered.
> 
> 
> Is BCP 38 really as solid and plug and play as it sounds?  In a  
> shared, or colo'd environment, can that ISP really deploy something  
> like this, without it causing trouble for those that assume unfettered  
> inbound and outbound traffic to their servers?

Yes it is.  Everyone in a colo should be able to tell you which
source address (prefixes) they should be emitting.  You filter
everything else.

The closer to the edge that you do this the easier it is to do.

Mark

> --
> Scott
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
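Mark's point, that every colo customer can state the source prefixes it should be emitting and the edge filters everything else, as an added example (editor's, not ISC's code). The interface names and prefixes are constructed (RFC 5737 and RFC 3849 documentation space); the table maps each customer-facing interface to the prefixes that customer may source, and a packet whose source is not in its interface's list is spoofed and dropped, with unknown interfaces and empty lists falling through to drop. The same table is rendered as iptables/ip6tables FORWARD rules so the policy can be compared line by line with a router ACL.

```python
"""Source-address validation at a colo edge, in the spirit of BCP 38 /
RFC 2827.  Editor's example; interface names and prefixes are constructed."""
import ipaddress

# Assumed allocation table: interface -> prefixes the customer on it may emit.
ALLOWED_SOURCES = {
    "eth1": ["192.0.2.0/25"],                       # customer A, IPv4 only
    "eth2": ["192.0.2.128/25", "2001:db8:2::/48"],  # customer B, dual stack
    "eth3": [],                                     # unused port: emits nothing
}


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def is_spoofed(iface, src, table=ALLOWED_SOURCES):
    """True if a packet with source `src` arriving on `iface` must be
    dropped.  Anything outside the interface's prefixes, or from an
    interface not in the table, is treated as spoofed: default deny."""
    addr = ipaddress.ip_address(src)
    for net in _nets(table.get(iface, [])):
        if addr.version == net.version and addr in net:
            return False
    return True


def iptables_rules(table=ALLOWED_SOURCES):
    """Render the table as iptables/ip6tables FORWARD rules: one ACCEPT per
    allowed prefix, then an unconditional DROP for the interface."""
    rules = []
    for iface, prefixes in sorted(table.items()):
        for net in _nets(prefixes):
            tool = "iptables" if net.version == 4 else "ip6tables"
            rules.append(f"{tool} -A FORWARD -i {iface} -s {net} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -i {iface} -j DROP")
        rules.append(f"ip6tables -A FORWARD -i {iface} -j DROP")
    return rules


def audit(packets, table=ALLOWED_SOURCES):
    """Classify (iface, src) pairs as 'pass' or 'drop'."""
    return [(i, s, "drop" if is_spoofed(i, s, table) else "pass")
            for i, s in packets]


if __name__ == "__main__":
    # Constructed packets: the second and third are spoofed.
    sample = [("eth1", "192.0.2.5"), ("eth1", "203.0.113.9"),
              ("eth3", "192.0.2.5"), ("eth2", "2001:db8:2::1")]
    for iface, src, verdict in audit(sample):
        print(f"{iface:5s} {src:20s} {verdict}")
    print("\n".join(iptables_rules()))
```

The ACCEPT-then-DROP ordering per interface is what makes this an ingress filter rather than a blocklist: a new customer prefix is a one-line addition, and everything not explicitly listed never leaves the edge.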


Re: unwanted delegations was: What to do about openDNS

2009-01-20 Thread Matthew Pounsett


On 20-Jan-2009, at 21:24 , Danny Thomas wrote:

> Scott Haneda wrote:
>> I brought this up a few months back.  For me, it is getting worse,
>> and I am not able to come up with a solution.
>>
>> I have many clients who reg domains.  They all point to my NS.
>> Sometimes, the client lapses hosting with me, and I delete the
>> zones.  They usually leave the domain reg'd and my NS's listed.
>
> The system should recognise the rights of nameserver operators.
> There should be some process by which unwanted delegations can be
> removed.  Obviously doing this on the basis of an email is not a good
> idea, but perhaps the nameserver operator can publish their desire in
> a credible fashion:


I think the fix would be to registry operations, not the protocol.

Registries that implement host records (so, at least the gTLDs) could  
accept the word of the registrant of the zone that contains a name  
server (or the word of their registrar on their behalf) that the  
server is no longer authoritative for zone X.  Registries that haven't  
implemented host records could also do it, but it may be more  
complicated to implement, depending on their particular system.






Re: What to do about openDNS

2009-01-20 Thread Fr34k
Hello,

The ole rainy day bite.

Some quick ideas for dealing with, what I will call, defunct domains.

FIRST, STOP THE MADNESS:
Define what a defunct zone is in your TOS/AUP, so you have the power to deal 
with this situation as you see fit.

DEAL WITH IT AS YOU SEE FIT:
Set up the wildcard for the deadbeatzone.com zone to be:
* IN A 127.0.0.1
Add this to all the zones for which you do not want to be lame, but want to 
answer bogus requests and have that traffic kept, well, locally.

Perhaps point any defunct zone's A and WWW records at your commercial web 
site.
For example, www.deadbeats.com is a vhost for www.yourbiz.com
Maybe you'll get some more customers, who knows.

FINALLY:
I would automate the above process via scripts/tools:
Customer cancels --> modify zone as you see fit --> audit all zones on a 
weekly/monthly/whatever basis and clean up any garbage as necessary.

Also, make it your policy to be the registrar contact (or have access to make 
changes) and stop this from happening altogether.




- Original Message 
From: Scott Haneda 
To: BIND Users Mailing List 
Sent: Tuesday, January 20, 2009 9:12:28 PM
Subject: What to do about openDNS

I brought this up a few months back.  For me, it is getting worse, and I am not 
able to come up with a solution.

I have many clients who reg domains.  They all point to my NS.  Sometimes, the 
client lapses hosting with me, and I delete the zones.  They usually leave the 
domain reg'd and my NS's listed.

I also have other clients who register thousands of domains, some get used, 
some do not.  In the end, I am listed as an NS.  Going back to clients and 
asking them to delete the NS from their registrar; it just is not going to 
happen. I do not always know, so to add a zone, can not happen, and even then, 
I have to add a wildcard for them all to resolve them.

I have heard varying levels of disapproval for wildcards to solve this as well.

The problem is with openDNS, which grows every day.  If one uses them as a rr, 
when someone requests a domain that is not setup, openDNS will make around 50 
requests for that domain.  Then the browser will inject www. to the domain, and 
it asks for another 50.  Add in spam for MX's and any number of other requests, 
and I have on average, 40 queries per second.

Where it gets really bad is a heavily used domain that the client lets go, 
where there are img src links in a forum, which can get popular on occasion.

I have tested this with my own NS, as the rr, and it makes 2 or 3 queries, sees 
there is no zone, and goes away.  OpenDNS *never* caches the result, and 
happily goes about this all day long.

My first question is, I assume they are ignoring some TTL, and in doing so, are 
they in violation of any standard in this regard?

Second would be, is this exploitable as I think it is?  In that, one could 
enter any NS they want into their registrar, and create a situation in which 
openDNS is used as a way to attack that NS.

Is there any way for me to locally block this act?  I do not think there is, 
aside from blocking openDNS, which would have negative repercussions since they 
are used by so many people.  Looking for automated blocking, not to sit on my 
logs all day long.

For what it is worth, I did email them, first email was ignored, second email 
was not understood and they told me they did not support grep, which I was 
simply using to extract the number of lines in my log to show them the issue.  
My reply to that, was ignored as well.

To be honest, if I wanted to make named behave this way, I would not even know 
how to do so, I would certainly have to take effort to try.

This represents the last 4 hours of my query log, for one domain that is not 
even the best example.  I have my logs set to 10M, and this case already caused 
a roll of the logs in only 4 hours:
grep -i 'juliansummerhill.com' query.log | wc -l
    1289

Thanks for any pointers and education on this issue.
--
Scott
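An added example (editor's; not Fr34k's, Danny's or ISC's code) for the "customer cancels --> modify zone --> audit" automation step in Fr34k's post, combining it with the wildcard from the same post and the TXT notice Danny Thomas published in his 71.155.in-addr.arpa zone: it generates a parked zone file and the matching named.conf stanza for every lapsed domain that is still delegated here. Assumed, not from the thread: the /var/named/parked directory, the sink address 192.0.2.1 (documentation space; use an address you control, since a wildcard pointing at 127.0.0.1 sends each client to itself), a one-hour TTL, and a null MX (RFC 7505, which postdates this thread) to answer the MX noise. Once the zone exists, resolvers get an authoritative answer they can cache for the TTL, which a REFUSED from a server with no zone never gave them, as RFC 2308 negative caching covers only NXDOMAIN and NODATA.

```python
"""Generate parked zones for lapsed domains still delegated to this server.
Editor's example; paths, addresses and TTLs are assumptions, not from the
thread."""
import re
from datetime import date

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

NOTICE = ("hosting for this domain has lapsed; please remove the delegation "
          "to the name servers listed in this zone's NS records")


def serial_for(today_yyyymmdd=None, previous=None):
    """YYYYMMDDnn serial; increments nn if a zone was already built today."""
    if today_yyyymmdd is None:
        today_yyyymmdd = int(date.today().strftime("%Y%m%d"))
    base = today_yyyymmdd * 100
    if previous is not None and previous >= base:
        return previous + 1
    return base + 1


def parked_zone(domain, primary_ns, hostmaster, sink="192.0.2.1",
                ttl=3600, serial=None):
    """Zone-file text: SOA/NS, apex and wildcard A at the sink, null MX,
    and Danny-style TXT notice.  Rejects names that are not usable zones."""
    domain = domain.rstrip(".").lower()
    if not HOSTNAME_RE.match(domain):
        raise ValueError(f"not a usable zone name: {domain!r}")
    serial = serial or serial_for()
    lines = [
        f"$ORIGIN {domain}.",
        f"$TTL {ttl}",
        f"@  IN SOA {primary_ns}. {hostmaster}. ({serial} 3600 900 604800 {ttl})",
        f"@  IN NS  {primary_ns}.",
        f"@  IN A   {sink}",
        f"*  IN A   {sink}",
        "@  IN MX  0 .",                # RFC 7505 null MX: no mail accepted here
        f'@  IN TXT "{NOTICE}"',
    ]
    return "\n".join(lines) + "\n"


def named_conf_stanza(domain, directory="/var/named/parked"):
    """named.conf zone stanza; AXFR left open so anyone can see the zone is
    a placeholder, as in Danny Thomas's example."""
    domain = domain.rstrip(".").lower()
    return (f'zone "{domain}" {{\n'
            f'    type master;\n'
            f'    file "{directory}/{domain}.zone";\n'
            f'    allow-transfer {{ any; }};\n'
            f'}};\n')


def park_all(domains, configured, primary_ns, hostmaster, **kw):
    """Build (zone text, stanza) for each lapsed domain that is not already
    a configured zone.  Returns {domain: (zone, stanza)}."""
    out = {}
    for d in domains:
        d = d.rstrip(".").lower()
        if d in configured:
            continue
        out[d] = (parked_zone(d, primary_ns, hostmaster, **kw),
                  named_conf_stanza(d))
    return out


if __name__ == "__main__":
    # Constructed input: the orphan list a query-log audit would produce.
    lapsed = ["lapsed-customer.net", "example.com"]
    for dom, (zone, stanza) in park_all(lapsed, {"example.com"},
                                        "ns1.example.net",
                                        "hostmaster.example.net").items():
        print(stanza)
        print(zone)
```

Write each zone to the assumed directory, append the stanzas to named.conf and run `rndc reconfig`; the weekly audit Fr34k describes is then a diff between the orphan list from the query log and the set of parked zones already on disk.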
