Re: denied NS/IN
On Thu, 2009-01-22 at 10:25 +1100, Mark Andrews wrote: > One way to test is to have a test box that sends spoofed traffic > to a machine you control. Thanks, Mark. That tells me pretty well what I needed to know, but hoped not to hear: I have to build my own bot-net. 8-) /Niall ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: rndc halt -p behavior
On Wed, 2009-01-21 at 19:14 -0600, Jeremy C. Reed wrote:
> Maybe we should just remove the "immediately" part.
>
> Any suggestions would be appreciated.

If you're going to make a change, adding a little more information wouldn't hurt, would it? Perhaps:

s/immediately/cleanly (which may take a little time)/

IHTH
/Niall
questions named.conf
Hello all,

First question: to get logging I added this to my named.conf:

logging {
    category "resolver" { "debug"; };
    category "client" { "debug"; };
    category "queries" { "debug"; };
    channel "debug" {
        file "/var/log/named/named.log" versions 2 size 50m;
        print-time yes;
        print-category yes;
    };
};

Is it good? Because my named.log is empty.

Second question: for statistics I added this to my named.conf:

statistics-channels {
    inet 91.123.xxx.x port 8053 allow { 0.0.0.0; };
};

I want to see them from anywhere; is that not secure? (I have no X server to look at them with a web browser on 127.0.0.1 (dedicated server).)

Third question: where do I paste this?

recursion no;
allow-query-cache no;

Thank you very much in advance for your response.

Good day
-- - GanGan - www.system-linux.eu ("> /\ V_V
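For the three fragments in the question, here is an added example configuration written for this page (it is not from the thread and not the poster's file) showing the checks a BIND operator would make on each: why the log stays empty, why the statistics channel should not be exposed, and where the two authoritative-only options belong. The only assumption is that the log directory is writable by the user named runs as.

```conf
// Added example: corrected counterparts of the three named.conf fragments in the question.
// Assumes /var/log/named/ is writable by the user named runs as.

logging {
    channel "debug" {
        file "/var/log/named/named.log" versions 2 size 50m;
        print-time yes;
        print-category yes;
    };
    // The "queries" category only receives lines while query logging is switched on,
    // either with 'querylog yes;' in options or at run time with 'rndc querylog'.
    // "resolver" and "client" say little at the default info severity on a quiet server,
    // so an empty file is expected until query logging is enabled.
    category "queries"  { "debug"; };
    category "resolver" { "debug"; };
    category "client"   { "debug"; };
};

options {
    // Third question: these belong in options (or inside a view), not in a zone.
    recursion no;
    allow-query       { any; };
    // allow-query-cache takes an address match list, not yes/no:
    // 'allow-query-cache no;' is a syntax error, this is the equivalent.
    allow-query-cache { none; };
    querylog yes;
};

statistics-channels {
    // 'allow { 0.0.0.0; }' matches only packets whose source is exactly 0.0.0.0, which in
    // practice is nobody; 'allow { any; }' would expose an unauthenticated HTTP interface
    // to the whole Internet. Keep it on loopback and read it from a workstation through
    // 'ssh -L 8053:127.0.0.1:8053 server', then browse http://127.0.0.1:8053/ locally.
    inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};
```

Run named-checkconf on the file before reloading; it is what would have rejected the `allow-query-cache no;` line.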
Re: 512 byte limit
On Wed, Jan 21, 2009 at 11:47:01AM -0500, Todd Snyder wrote a message of 38 lines which said:
> I am sure there is much in the RTFM category, and I will continue to
> RTFM,

The FM here is RFC 2671, published nine years ago (a lot of time in Internet terms).

> We are seeing some firewall messages indicating that one of our FW's is
> getting DNS responses at 600ish bytes:
>
> 2009 Jan 21 14:03:02 -- %FWSM: Dropped UDP DNS reply from /53 to
> yyy/2114; packet length 660 bytes exceeds configured limit of 512
> bytes

That is a badly configured firewall. Fire the guy who configured it, and hire someone else, someone who knows about the things developed in the last ten years. As mentioned by Anton Korotin, the root name servers send answers > 512.
Re: 512 byte limit
On Jan 22 2009, Stephane Bortzmeyer wrote:
[...]
> As mentioned by Anton Korotin, the root name servers send answers > 512.

Well not unless the EDNS flag and buffer size are set in the query, of course.

This prompted me to look at what data is omitted from the additional section of the response for NS records for the root, when they are limited to 512 bytes.

a, c, e, i & j.root-servers.net leave out both A and AAAA records for k, l & m, putting in all records for the others.

b, d, f, g, h, k, l & m.root-servers.net include all the A records, and leave out enough AAAA records to make the answer fit.

Both entirely legal, of course.

-- Chris Thompson Email: c...@cam.ac.uk
Re: Disable cache in bind 9.6
> Matus UHLAR - fantomas wrote:
> > This is _NOT_ a problem of BIND. This is a problem of its admin who can't
> > read the docs and set up max-cache-size, which does exactly what is needed
> > in this case.

On 21.01.09 17:38, Dmitry Rybin wrote:
> Hmm... And why bind allocate all system memory, if max-cache-size 16M?
> And views... 50 views. 16*50=800M. Only 800M, this is not 3..4GB of
> system memory.

lower it down to e.g. 4-8MB to see if it helps a bit. But I'd think if 50 views is really needed here...

and if you have 800 MB of cache and 4GB of used memory, I'd say that size of the cache is not the real problem

btw is the max-cache-size really per-view?

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
You have the right to remain silent. Anything you say will be misquoted, then used against you.
Re: Disable cache in bind 9.6
On Wed, Jan 21, 2009 at 12:10:05PM +0300, Dmitry Rybin wrote:
> view "view0"{
>     max-cache-size 16M;
>     match-clients {
>         XXX.XXX.XXX.XXX;
>     };
>     include "net-views/view0.conf";
> };
>
> [... skip 48 views ...]
>
> view "view50"{
>     max-cache-size 8M;
>     match-clients {
>         XXX.XXX.XXX.XXX;
>     };
>     include "net-views/view50.conf";
> };

The way I read this you are using one view for each of the different client IPs you have. Do you really need all of those or are you just trying to have an internal and an external view for a range of clients? The match-clients statement takes a list of IPs, CIDR ranges or ACLs.

Stefan
-- printk("%s: huh ? Who issued this format command ?\n") linux-2.6.6/drivers/block/ps2esdi.c
Re: Disable cache in bind 9.6
Actually thinking about your problem i just got an idea for a quick and dirty solution that might just be it for you: Keep running the views on your frontend nameserver but forward all recursive queries to another recursive server via the "forward only;" statement. IIRC that should cause BIND not to cache on the frontend server.

Stefan
-- printk("CPU[%d]: Sending penguins to jail...",smp_processor_id()); linux-2.4.8/arch/sparc64/kernel/smp.c
How can you verify TSIG is working b/t Master & Slave servers
I have setup and configured TSIG on our Bind 9. DNS servers. How can you verify/test that it is working correctly?

Thanks in advance for any assistance provided.

Mark
Re: How can you verify TSIG is working b/t Master & Slave servers
Mark A. Moore wrote:
> I have setup and configured TSIG on our Bind 9. DNS servers. How can you
> verify/test that it is working correctly?

Check your logging:

xfer.log:20-Jan-2009 20:06:24.677 xfer-out: info: client 149.20.XX.XX#60073: transfer of '154.XX.XX.in-addr.arpa/IN': AXFR-style IXFR started: TSIG KEYNAME-HERE

You can also use the -y option on dig to force your query/transfer from the command line to use TSIG:

dig @SERVER -y KEYNAME-HERE:KEYING-MATERIAL ZONE-NAME axfr

(and then check your logs) :)

AlanC
Re: How can you verify TSIG is working b/t Master & Slave servers
Shouldn't using dig fail from the slave?

For example:

[...@stuey ~]$ dig -t AXFR domain.tld @ns1.someserver

; <<>> DiG 9.5.1-P1 <<>> -t AXFR domain.tld @ns1.someserver
;; global options: printcmd
; Transfer failed.

On Thu, January 22, 2009 08:58, Mark A. Moore wrote:
> I have setup and configured TSIG on our Bind 9. DNS servers. How can you
> verify/test that it is working correctly?
>
> Thanks in advance for any assistance provided.
>
> Mark
Re: How can you verify TSIG is working b/t Master & Slave servers
Vincent Rivellino wrote:
> Shouldn't using dig fail from the slave?
>
> For example:
>
> [...@stuey ~]$ dig -t AXFR domain.tld @ns1.someserver
>
> ; <<>> DiG 9.5.1-P1 <<>> -t AXFR domain.tld @ns1.someserver
> ;; global options: printcmd
> ; Transfer failed.

It all depends on what you do with the TSIG. I don't block using TSIG, I just validate (certain) domain transfers. Also, the use of TSIG to pick a view, etc. won't result in a failed query.

AlanC
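Two records that dig adds to the additional section of a query on your behalf come up in the threads above: the EDNS0 OPT record (the "EDNS flag and buffer size" in the 512 byte thread, set by `dig +bufsize=`) and the TSIG record (`dig -y KEYNAME:SECRET` in this thread). Both are small enough to build and check by hand, which makes clear what "TSIG KEYNAME-HERE" in the xfer-out log line actually certifies. The following is an added example written for this page, not code from either thread or from BIND; it uses only the Python standard library. Assumptions: the key algorithm is hmac-sha256 (the key name and secret in the test are made up), and `tsig_verify` checks the request form of the MAC, which is what a master checks on an incoming AXFR request; verifying a response additionally prepends the request MAC to the digested data and is not shown.

```python
"""EDNS0 OPT (RFC 6891) and TSIG (RFC 8945) records on the DNS wire. Added example, stdlib only."""
import hashlib
import hmac
import struct
import time

OPT_TYPE, TSIG_TYPE, CLASS_ANY = 41, 250, 255
TSIG_ALG = "hmac-sha256."  # assumption: the key was generated with this algorithm


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name, lower-cased (TSIG canonical form)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a wire-format name, honouring compression pointers."""
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1


def _records(message: bytes):
    """Yield (start_offset, type, class, ttl, rdata) for each RR after the question section."""
    qd, an, ns, ar = struct.unpack("!HHHH", message[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(message, off) + 4
    for _ in range(an + ns + ar):
        start = off
        off = _skip_name(message, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", message[off:off + 10])
        off += 10
        yield start, rtype, rclass, ttl, message[off:off + rdlen]
        off += rdlen


def build_query(qname: str, qtype: int, msg_id: int = 0x2A2A, bufsize: int = 0) -> bytes:
    """RD query; with bufsize > 0 an OPT RR advertises that UDP payload size (DO bit clear)."""
    msg = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if bufsize else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if bufsize:
        # OPT: root name, type 41, CLASS field carries the payload size, TTL = ext-RCODE/version/flags
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, bufsize, 0, 0)
    return msg


def advertised_udp_size(message: bytes) -> int:
    """Largest UDP reply the sender accepts: the OPT CLASS field if present, else the pre-EDNS 512."""
    for _, rtype, rclass, _, _ in _records(message):
        if rtype == OPT_TYPE:
            return rclass
    return 512


def is_truncated(message: bytes) -> bool:
    """TC bit set: the answer did not fit the advertised size and the client must retry over TCP."""
    return bool(message[2] & 0x02)


def _tsig_vars(key_wire: bytes, alg_wire: bytes, ts: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """TSIG variables digested after the message itself (RFC 8945 section 4.3.3)."""
    return (key_wire + struct.pack("!HI", CLASS_ANY, 0) + alg_wire
            + struct.pack("!HIHHH", ts >> 32, ts & 0xFFFFFFFF, fudge, error, len(other)) + other)


def tsig_sign(message: bytes, key_name: str, secret: bytes, ts: int = None, fudge: int = 300) -> bytes:
    """Append a request TSIG RR (MAC over message + variables) and bump ARCOUNT."""
    ts = int(time.time()) if ts is None else ts
    key_wire, alg_wire = encode_name(key_name), encode_name(TSIG_ALG)
    mac = hmac.new(secret, message + _tsig_vars(key_wire, alg_wire, ts, fudge), hashlib.sha256).digest()
    rdata = (alg_wire + struct.pack("!HIHH", ts >> 32, ts & 0xFFFFFFFF, fudge, len(mac)) + mac
             + struct.pack("!HHH", struct.unpack("!H", message[:2])[0], 0, 0))  # original ID, error, other len
    rr = key_wire + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def tsig_verify(signed: bytes, secret: bytes, now: int = None) -> bool:
    """Server-side check of a request: recompute the MAC over the message with the TSIG removed,
    ARCOUNT decremented and the original ID restored, then enforce the time window."""
    try:
        start, rtype, rclass, _, rd = list(_records(signed))[-1]  # TSIG must be the last RR
        key_wire = signed[start:_skip_name(signed, start)]
        p = _skip_name(rd, 0)
        alg_wire = rd[:p]
        if rtype != TSIG_TYPE or rclass != CLASS_ANY or alg_wire != encode_name(TSIG_ALG):
            return False
        hi, lo, fudge, mac_len = struct.unpack("!HIHH", rd[p:p + 10])
        p += 10
        mac, p = rd[p:p + mac_len], p + mac_len
        orig_id, error, other_len = struct.unpack("!HHH", rd[p:p + 6])
        other = rd[p + 6:p + 6 + other_len]
    except (IndexError, struct.error):
        return False
    ts = (hi << 32) | lo
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", arcount) + signed[12:start]
    expected = hmac.new(secret, unsigned + _tsig_vars(key_wire, alg_wire, ts, fudge, error, other),
                        hashlib.sha256).digest()
    now = int(time.time()) if now is None else now
    return hmac.compare_digest(expected, mac) and abs(now - ts) <= fudge
```

Signing a query and then verifying it with the wrong secret, a flipped byte, or a clock outside the fudge window all return False; those are the three conditions behind the BADKEY/BADSIG/BADTIME refusals named logs when a slave's key does not match the master's, and clock skew larger than the fudge (300 seconds here) is the classic reason a working key "suddenly" fails. For the 512 byte thread: a query without an OPT record tells the server it can take at most 512 bytes, so a large root NS answer comes back truncated with TC set rather than at 600+ bytes, whereas an EDNS query that advertised 4096 bytes explicitly asked for the reply the firewall in that thread then dropped. If such a firewall cannot be fixed, BIND's `edns-udp-size` option lowers the size the server advertises in its own queries.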
Richmond H Dyes/mchhosp.gov is out of the office.
I will be out of the office starting 01/20/2009 and will not return until 01/26/2009.

If it is an emergency, the help line at 760-6277

-- Confidentiality Notice --
This email message, including all the attachments, is for the sole use of the intended recipient(s) and contains confidential information. Unauthorized use or disclosure is prohibited. If you are not the intended recipient, you may not use, disclose, copy or disseminate this information. If you are not the intended recipient, please contact the sender immediately by reply email and destroy all copies of the original message, including attachments.
Re: denied NS/IN
In article , Mark Andrews wrote:
> In message , Scott Haneda writes:
> > Is BCP 38 really as solid and plug and play as it sounds? In a
> > shared, or colo'd environment, can that ISP really deploy something
> > like this, without it causing trouble for those that assume unfettered
> > inbound and outbound traffic to their servers?
>
> Yes it is. Everyone in a colo should be able to tell you which
> source address (prefixes) they should be emitting. You filter
> everything else.
>
> The closer to the edge that you do this the easier it is to do.

Just a niggle (because we've been bitten by this): if you have multihomed hosts you need to be careful.

Sam
Re: Richmond H Dyes/mchhosp.gov is out of the office.
Thank you for this notification. It indicates that today would be a great day for miscreants to make hacking attempts at your account. You don't put a sign up in the front yard of your home that you're away on vacation do you? ;-)

-david

rd...@monroehosp.org wrote:
> I will be out of the office starting 01/20/2009 and will not return until
> 01/26/2009.
>
> If it is an emergency, the help line at 760-6277
>
> -- Confidentiality Notice --
> This email message, including all the attachments, is for the sole use of the
> intended recipient(s) and contains confidential information. Unauthorized use
> or disclosure is prohibited. If you are not the intended recipient, you may
> not use, disclose, copy or disseminate this information. If you are not the
> intended recipient, please contact the sender immediately by reply email and
> destroy all copies of the original message, including attachments.

-- Linux: freedom to build is good
Please top-post and trim when replying to my messages. I most often read mail on a small device.
Re: questions named.conf
> Hello all,
>
> first question :
>
> for have log i add this in my named.conf
>
> logging {
> category "resolver" { "debug"; };
> category "client" { "debug"; };
> category "queries" { "debug"; };
> channel "debug" {
> file "/var/log/named/named.log" versions 2 size 50m;
> print-time yes;
> print-category yes;
> };
> };
>
> It's good ? because my named.log is empty
>
> second question :
>
> for statistics i add this in my named.conf
>
> statistics-channels {
> inet 91.123.xxx.x port 8053 allow { 0.0.0.0; };
> };
>
> I want to see them from anywhere, it's not secure ? (i have not X server
> for look with a navigator web in 127.0.0.1 (dedicated server))
>
> third question :
>
> where paste this ? :
>
> recursion no;
> allow-query-cache no;
>
> in advance,
> thank you very much for your response
>
> good day
>
> -- - GanGan - www.system-linux.eu ("> /\ V_V
allow-query-cache and resolution time
Hello,

Thank you for answering my question yesterday.

I have a new question about allow-query-cache and its effect on a dns server's response resolution time.

allow-query-cache "specifies which hosts are allowed to get answers from the cache". I'm assuming this is referring to the memory cache. If allow-query-cache is set to "none" in options/views statement does it mean that the DNS server's query response time would be less efficient/slower than with setting allow-query-cache to "any"? If the answer is allow-query-cache is less efficient, is it possible to override the setting for some zones and how? allow-query-cache cannot be used within zone statements.

Thank you in advance.
dig for domain registration
Hello, I want to do some spring cleaning on my dns. WHOIS seems to throttle me back with too many checks, how can I use dig to check for registration of a domains?

If I do `dig NS example.com` and grep out my NS, does that suffice for making sure my primary and secondary are listed?

What about if I want to check if a domain is registered, regardless of NS's listed? Just omit the specific grep and I would accomplish that?

Thank you
-- Scott
Re: allow-query-cache and resolution time
On 22-Jan-2009, at 16:00 , LENA MATUSOVSKAYA, BLOOMBERG/ 731 LEXIN wrote:
> Hello,
>
> Thank you for answering my question yesterday.
>
> I have a new question about allow-query-cache and its effect on a dns server's response resolution time.
>
> allow-query-cache "specifies which hosts are allowed to get answers from the cache". I'm assuming this is referring to the memory cache. If allow-query-cache is set to "none" in options/views statement does it mean that the DNS server's query response time would be less efficient/slower than with setting allow-query-cache to "any"? If the answer is allow-query-cache is less efficient, is it possible to override the setting for some zones and how? allow-query-cache cannot be used within zone statements.

I'm going to assume you're talking about a recursive server and not an authoritative server.

You generally do not want to restrict caching by zone, but rather by query source. That is, you want the computers in your network to be able to do recursion (and get responses from cache) for all zones, but you do not want computers outside your network (outside of your control) using your recursive server at all, because that makes you a vector for denial of service against other people's networks.

Normally, the setting on a recursive server for allow-query-cache will match your restrictions on recursion. That is, the same clients which are allowed to send recursive queries are allowed to get answers from cache.
Re: dig for domain registration
I believe there are any restrictions if you run a WHOIS from your dig prompt. [ch...@ks1dc ~]$ whois newgeo.com [Querying whois.internic.net] [Redirected to whois.wildwestdomains.com] [Querying whois.wildwestdomains.com] [whois.wildwestdomains.com] The data contained in this Registrar's Whois database, while believed by the registrar to be reliable, is provided "as is" with no guarantee or warranties regarding its accuracy. This information is provided for the sole purpose of assisting you in obtaining information about domain name registration records. Any use of this data for any other purpose is expressly forbidden without the prior written permission of this registrar. By submitting an inquiry, you agree to these terms of usage and limitations of warranty. In particular, you agree not to use this data to allow, enable, or otherwise make possible, dissemination or collection of this data, in part or in its entirety, for any purpose, such as the transmission of unsolicited advertising and solicitations of any kind, including spam. You further agree not to use this data to enable high volume, automated or robotic electronic processes designed to collect or compile this data for any purpose, including mining this data for your own personal or commercial purposes. Please note: the owner of the domain name is specified in the "registrant" field. In most cases, the Registrar is not the owner of domain names listed in this database. 
Registrant:
   Hostwizard.com
   320 Silvio Lane
   Novato, California 94949
   United States

   Registered through: Hostwizard.com
   Domain Name: NEWGEO.COM
      Created on: 22-Feb-99
      Expires on: 22-Feb-10
      Last Updated on: 27-Nov-07

   Administrative Contact:
      Haneda, Scott sc...@newgeo.com
      320 Silvio Lane
      Novato, California 94949
      United States
      415-893-0374 Fax --

   Technical Contact:
      Haneda, Scott sc...@newgeo.com
      320 Silvio Lane
      Novato, California 94949
      United States
      415-893-0374 Fax --

   Domain servers in listed order:
      NS1.NACIO.COM
      NS1.HOSTWIZARD.COM

On Thu, Jan 22, 2009 at 4:16 PM, Scott Haneda wrote:
> Hello, I want to do some spring cleaning on my dns. WHOIS seems to
> throttle me back with too many checks, how can I use dig to check for
> registration of a domains?
>
> If I do `dig NS example.com` and grep out my NS, does that suffice for
> making sure my primary and secondary are listed?
>
> What about if I want to check if a domain is registered, regardless of NS's
> listed? Just omit the specific grep and I would accomplish that?
>
> Thank you
> --
> Scott

-- ** Sometimes the appropriate response to reality is to go insane. Philip K. Dick (1928 - 1982), Valis
The individual has always had to struggle to keep from being overwhelmed by the tribe. If you try it, you will be lonely often, and sometimes frightened. But no price is too high to pay for the privilege of owning yourself. Friedrich Nietzsche
Re: dig for domain registration
oops..arent any On Thu, Jan 22, 2009 at 4:24 PM, CB wrote: > I believe there are any restrictions if you run a WHOIS from your dig > prompt. > > [ch...@ks1dc ~]$ whois newgeo.com > [Querying whois.internic.net] > [Redirected to whois.wildwestdomains.com] > [Querying whois.wildwestdomains.com] > [whois.wildwestdomains.com] > The data contained in this Registrar's Whois database, > while believed by the registrar to be reliable, is provided "as is" > with no guarantee or warranties regarding its accuracy. This information > is provided for the sole purpose of assisting you in obtaining > information about domain name registration records. Any use of > this data for any other purpose is expressly forbidden without > the prior written permission of this registrar. By submitting an > inquiry, you agree to these terms of usage and limitations of warranty. > In particular, you agree not to use this data to allow, enable, or > otherwise make possible, dissemination or collection of this data, in > part or in its entirety, for any purpose, such as the transmission of > unsolicited advertising and solicitations of any kind, including spam. > You further agree not to use this data to enable high volume, automated > or robotic electronic processes designed to collect or compile this data > for any purpose, including mining this data for your own personal or > commercial purposes. > > Please note: the owner of the domain name is specified in the "registrant" > field. > In most cases, the Registrar is not the owner of domain names listed in > this database. 
> > > Registrant: >Hostwizard.com >320 Silvio Lane >Novato, California 94949 >United States > >Registered through: Hostwizard.com >Domain Name: NEWGEO.COM > Created on: 22-Feb-99 > Expires on: 22-Feb-10 > Last Updated on: 27-Nov-07 > >Administrative Contact: > Haneda, Scott sc...@newgeo.com > 320 Silvio Lane > Novato, California 94949 > United States > 415-893-0374 Fax -- > >Technical Contact: > Haneda, Scott sc...@newgeo.com > 320 Silvio Lane > Novato, California 94949 > United States > 415-893-0374 Fax -- > >Domain servers in listed order: > NS1.NACIO.COM > NS1.HOSTWIZARD.COM > > > > On Thu, Jan 22, 2009 at 4:16 PM, Scott Haneda wrote: > >> Hello, I want to do some spring cleaning on my dns. WHOIS seems to >> throttle me back with too many checks, how can I use dig to check for >> registration of a domains? >> >> If I do `dig NS example.com` and grep out my NS, does that suffice for >> making sure my primary and secondary are listed? >> >> What about if I want to check if a domain is registered, regardless of >> NS's listed? Just omit the specific grep and I would accomplish that? >> >> Thank you >> -- >> Scott >> >> ___ >> bind-users mailing list >> bind-users@lists.isc.org >> https://lists.isc.org/mailman/listinfo/bind-users >> > > > > -- > ** > Sometimes the appropriate response to reality is to go insane. > > Philip K. Dick (1928 - 1982), Valis > > The individual has always had to struggle to keep from being overwhelmed by > the tribe. If you try it, you will be lonely often, and sometimes > frightened. But no price is too high to pay for the privilege of owning > yourself. > > Friedrich Nietzsche > > -- ** Sometimes the appropriate response to reality is to go insane. Philip K. Dick (1928 - 1982), Valis The individual has always had to struggle to keep from being overwhelmed by the tribe. If you try it, you will be lonely often, and sometimes frightened. But no price is too high to pay for the privilege of owning yourself. 
Friedrich Nietzsche
Re: dig for domain registration
There are, I ran a repeat loop in bash, for only 50 domains, and I was throttled back to I believe, once every 3 minutes. Different WHOIS servers may have different policy, but it is also slow. Dig should speed up my queries by a large degree. Thank you.

On Jan 22, 2009, at 1:24 PM, CB wrote:
> oops..arent any
>
> On Thu, Jan 22, 2009 at 4:24 PM, CB wrote:
> > I believe there are any restrictions if you run a WHOIS from your dig prompt.
> >
> > [ch...@ks1dc ~]$ whois newgeo.com
> > [Querying whois.internic.net]
> > [Redirected to whois.wildwestdomains.com]
> > [Querying whois.wildwestdomains.com]
> > [whois.wildwestdomains.com]

-- Scott
Re: allow-query-cache and resolution time
Thank you

Maybe I didn't word my question correctly. The allow-query-cache definition states allow-query-cache "specifies which hosts are allowed to get answers from the cache." Which cache is it referring to? Could the cache also contain records which a master server is authoritative for? With allow-query-cache set to "none", does it mean a master dns host would forgo looking at its memory cache to serve records it's authoritative for?

Thank you.

- Original Message -
From: Matthew Pounsett
To: LENA MATUSOVSKAYA (BLOOMBERG/ 731 LEXIN)
Cc: BIND-USERS@lists.isc.org
At: 1/22 16:21:46

On 22-Jan-2009, at 16:00 , LENA MATUSOVSKAYA, BLOOMBERG/ 731 LEXIN wrote:
> Hello,
>
> Thank you for answering my question yesterday.
>
> I have a new question about allow-query-cache and its effect on a
> dns server's response resolution time.
>
> allow-query-cache "specifies which hosts are allowed to get answers
> from the cache". I'm assuming this is referring to the memory cache.
> If allow-query-cache is set to "none" in options/views statement
> does it mean that the DNS server's query response time would be less
> efficient/slower than with setting allow-query-cache to "any"?
> If the answer is allow-query-cache is less efficient, is it possible
> to override the setting for some zones and how? allow-query-cache
> cannot be used within zone statements.

I'm going to assume you're talking about a recursive server and not an authoritative server.

You generally do not want to restrict caching by zone, but rather by query source. That is, you want the computers in your network to be able to do recursion (and get responses from cache) for all zones, but you do not want computers outside your network (outside of your control) using your recursive server at all, because that makes you a vector for denial of service against other people's networks.

Normally, the setting on a recursive server for allow-query-cache will match your restrictions on recursion. That is, the same clients which are allowed to send recursive queries are allowed to get answers from cache.
Re: allow-query-cache and resolution time
My goal is for my authoritative server to use its memory cache to reply to the queries it's authoritative for. However, it should not satisfy all other queries - NO to recursion ;) . Overall, I'm wondering what effect setting "allow-query-cache" to "none" has on the performance of authoritative name servers.

Thank you

- Original Message -
From: LENA MATUSOVSKAYA (BLOOMBERG/ 731 LEXIN)
To: BIND-USERS@lists.isc.org
At: 1/22 16:52:12

Thank you

Maybe I didn't word my question correctly. The allow-query-cache definition states allow-query-cache "specifies which hosts are allowed to get answers from the cache." Which cache is it referring to? Could the cache also contain records which a master server is authoritative for? With allow-query-cache set to "none", does it mean a master dns host would forgo looking at its memory cache to serve records it's authoritative for?

Thank you.

- Original Message -
From: Matthew Pounsett
To: LENA MATUSOVSKAYA (BLOOMBERG/ 731 LEXIN)
Cc: BIND-USERS@lists.isc.org
At: 1/22 16:21:46

On 22-Jan-2009, at 16:00 , LENA MATUSOVSKAYA, BLOOMBERG/ 731 LEXIN wrote:
> Hello,
>
> Thank you for answering my question yesterday.
>
> I have a new question about allow-query-cache and its effect on a
> dns server's response resolution time.
>
> allow-query-cache "specifies which hosts are allowed to get answers
> from the cache". I'm assuming this is referring to the memory cache.
> If allow-query-cache is set to "none" in options/views statement
> does it mean that the DNS server's query response time would be less
> efficient/slower than with setting allow-query-cache to "any"?
> If the answer is allow-query-cache is less efficient, is it possible
> to override the setting for some zones and how? allow-query-cache
> cannot be used within zone statements.

I'm going to assume you're talking about a recursive server and not an authoritative server.

You generally do not want to restrict caching by zone, but rather by query source. That is, you want the computers in your network to be able to do recursion (and get responses from cache) for all zones, but you do not want computers outside your network (outside of your control) using your recursive server at all, because that makes you a vector for denial of service against other people's networks.

Normally, the setting on a recursive server for allow-query-cache will match your restrictions on recursion. That is, the same clients which are allowed to send recursive queries are allowed to get answers from cache.
Re: allow-query-cache and resolution time
On 22 Jan 2009 17:09:28 -0500, LENA MATUSOVSKAYA, BLOOMBERG/ 731 LEXIN wrote:
> My goal is for my authoritative server to use its memory cache to reply to
> the queries it's authoritative for. However, it should not satisfy all other
> queries - NO to recursion ;) . Overall, I'm wondering what effect setting
> "allow-query-cache" to "none" has on the performance of authoritative name
> servers.

Certainly authoritative servers do load all data from zone files to RAM. And the data which the server is authoritative for are NOT in the cache. That memory segment is not referred to as 'cache'. Authoritative server _never_ stores in its cache the data which it is authoritative for. In context of BIND the "cache" (and the option "allow-query-cache") is only about data which are retrieved via recursion process and never about the data which the server is authoritative for.

-- Anton
Re: allow-query-cache and resolution time
On Jan 22 2009, LENA MATUSOVSKAYA, BLOOMBERG/ 731 LEXIN wrote:
> My goal is for my authoritative server to use its memory cache to reply to the queries it's authoritative for. However, it should not satisfy all other queries - NO to recursion ;) . Overall, I'm wondering what effect setting "allow-query-cache" to "none" has on the performance of authoritative name servers.

On performance? None at all, to a good approximation. It's more a security issue.

If you set "recursion no", then no-one external can cause anything to be fetched into the cache. However, BIND itself can still use it for internal purposes. For example, it will look up the addresses of hosts specified in NS records so that it can send NOTIFY packets to them. It's probably best if you don't let the outside world see the (small) cache content thus populated.

We use

allow-query { any; };
allow-query-cache { [local debugging interfaces only]; };
recursion no;

for our authoritative-only nameservers. (Some individual zones then have overrides on allow-query.)

I think a lot of your confusion is due to thinking that the cache includes the authoritative zone data. It doesn't.

-- Chris Thompson Email: c...@cam.ac.uk
Re: rndc halt -p behavior
Niall O'Reilly wrote:
> On Wed, 2009-01-21 at 19:14 -0600, Jeremy C. Reed wrote:
>> Maybe we should just remove the "immediately" part.
>>
>> Any suggestions would be appreciated.
>
> If you're going to make a change, adding a little more
> information wouldn't hurt, would it?

The output of 'rndc -h' is already quite lengthy, and there is an 80-column terminal limit to consider

Doug