Re: Zone serial not being updated in statistics-channel view of zone

2009-02-23 Thread Matus UHLAR - fantomas
> In message , Chris Thompson writes:
> > I have a dynamically updated zone, dynamic.local.test, on my workstation 
> > testbed (BIND 9.6.0-P1, Solaris 10_x86) which has "zone-statistics yes" 
> > set. Viewing the statistics at http://localhost:8053 I see under 
> > "Zones for View _default"
> > 
> > dynamic.local.test/IN   IN  2008093007   ...
> > ^^
> > 
> > But the current SOA serial is actually
> > 
> > $ dig +short soa dynamic.local.test
> > localhost. root.localhost. 2009022003 21600 3600 864000 10800

On 22.02.09 09:48, Mark Andrews wrote:
>   Chris when you see something that is obviously a bug in a
>   current release please log a bug report.  If you see a bug
>   and you are not running a current release please upgrade
>   to see if it is fixed, then if it is still there please log a
>   bug report.  Sending things to bind-users then hoping a
>   developer will see the report and log the bug is not the
>   optimal way to do things.

It apparently didn't seem obviously a bug to him :)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


forward to a dns server with a port different of 53

2009-02-23 Thread Luis Silva
Hi all,
I want to have two dns servers in the same machine, and I want the first
one to forward the dns messages to the second. The problem is that I don't
know how to configure bind to forward for a port different from 53. Is that
possible?
Many thanks.

Kind Regards,
Luis

Re: forward to a dns server with a port different of 53

2009-02-23 Thread Stefan Schmidt
On Mon, Feb 23, 2009 at 11:49:01AM +, Luis Silva wrote:
> Hi all,

Hi Luis,

> I want to have two dns servers in the same machine, and I want the first
> one to forward the dns messages to the second. The problem is that I don't
> know how to configure bind to forward for a port different from 53. Is that
> possible?
> Many thanks.

The options Statement Grammar [1] says:
[ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
so although i never tried it i'd say it should work like this:

options {
    forward first;
    forwarders {
        127.0.0.1 port 5335;
    };
};

Stefan, who likes PowerDNS better ;)

[1] https://www.isc.org/software/bind/documentation/arm95#id2576918
-- 
Children seldom misquote you. In fact, they usually repeat word for word exactly
what you shouldn't have said.


Re: rndc -> wrong number of zones

2009-02-23 Thread squid proxy
thx,
but what I cannot understand is:

I have 2 internal DNS server:

Master BIND 9.3.4-P1.1 (debian Etch)
SLAVE BIND 9.5.1-P1 (debian Lenny)

they have the same number of zones, on both server is

recursion yes

and both have the same file zones.rfc1918 with the same zones.

why at master rndc shows 22 number of zones and at slave 35 ?




On Mon, Feb 23, 2009 at 7:28 AM, Gregory Hicks  wrote:
>
>> Date: Mon, 23 Feb 2009 03:52:08 +0100
>> Subject: rndc -> wrong number of zones
>> From: squid proxy 
>> To: bind-users@lists.isc.org
>>
>> I've bind9 installed under Lenny.
>>
>> rndc status shows 35 zones, but I have only 21 zones in
>> /etc/bind/named.conf.local.
>
>> So...?  Where DO the number of zones I'm serving come from?
>
>Named has added a number of zones to the trusted view.
>They weren't added to the external view as recursion is
>disabled in it.
>
> static const struct {
>const char  *zone;
>isc_boolean_t   rfc1918;
> } empty_zones[] = {
> #ifdef notyet
>/* RFC 1918 */
>{ "10.IN-ADDR.ARPA", ISC_TRUE },
>{ "16.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "17.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "18.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "19.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "20.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "21.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "22.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "23.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "24.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "25.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "26.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "27.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "28.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "29.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "30.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "31.172.IN-ADDR.ARPA", ISC_TRUE },
>{ "168.192.IN-ADDR.ARPA", ISC_TRUE },
> #endif
>
>/* RFC 3330 */
>{ "0.IN-ADDR.ARPA", ISC_FALSE },/* THIS NETWORK */
>{ "127.IN-ADDR.ARPA", ISC_FALSE },  /* LOOPBACK */
>{ "254.169.IN-ADDR.ARPA", ISC_FALSE },  /* LINK LOCAL */
>{ "2.0.192.IN-ADDR.ARPA", ISC_FALSE },  /* TEST NET */
>{ "255.255.255.255.IN-ADDR.ARPA", ISC_FALSE },  /* BROADCAST */
>
>/* Local IPv6 Unicast Addresses */
>{ "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
>{ "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
>/* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */
>{ "D.F.IP6.ARPA", ISC_FALSE },
>{ "8.E.F.IP6.ARPA", ISC_FALSE },/* LINK LOCAL */
>{ "9.E.F.IP6.ARPA", ISC_FALSE },/* LINK LOCAL */
>{ "A.E.F.IP6.ARPA", ISC_FALSE },/* LINK LOCAL */
>{ "B.E.F.IP6.ARPA", ISC_FALSE },/* LINK LOCAL */
>
>{ NULL, ISC_FALSE }
> };
>
>>
>> # rndc status
>> version: 9.5.1-P1
>> number of zones: 35
>> debug level: 0
>> xfers running: 1
>> xfers deferred: 0
>> soa queries in progress: 1
>> query logging is OFF
>> recursive clients: 0/0/1000
>> tcp clients: 0/100
>> server is up and running
>>
>> in /etc/bind/named.conf I have just 5 default zones.
>> where else read rndc zones?
>>
>> kind regards
>> Piotr
>
> -
> Gregory Hicks   | Principal Systems Engineer
>| Direct:   408.569.7928
>
> People sleep peaceably in their beds at night only because rough men
> stand ready to do violence on their behalf -- George Orwell
>
> The price of freedom is eternal vigilance.  -- Thomas Jefferson
>
> "The best we can hope for concerning the people at large is that they
> be properly armed." --Alexander Hamilton
>
>


Re: client query logging (refused message)

2009-02-23 Thread asdlkf
62.109.4.89 and 195.68.176.4 are compromised/attackers

See my post here: http://www.linuxforums.org/forum/redhat-fedora-linux-help/140848-var-log-messages-question.html

Sample log entries:
Feb 19 08:24:17 asdlkf named[6459]: client 62.109.4.89#32721: query (cache) './NS/IN' denied
Feb 19 08:24:18 asdlkf named[6459]: client 195.68.176.4#25853: query (cache) './NS/IN' denied
Frequency: 40 to 90 queries from those hosts per minute.

-- Chris



On Feb 17, 2:19 pm, JINMEI Tatuya / 神明達哉 
wrote:
> At Tue, 17 Feb 2009 08:15:39 -0500,
>
> Matthew Huff  wrote:
> > 17-Feb-2009 08:14:17.376 queries: client 62.109.4.89#49464: view
> > external-in: query: . IN NS +
> > ...
>
> > logged, and I have verified that the query is refused, but nothing in the
> > log shows that it was refused. Is there anyway to log the success/failure of
> > the queries?
>
> Not yet, but BIND 9.7 (and perhaps next minor versions of 9.6 and 9.5)
> will provide a new logging category that can log the information you
> seem to want:
>
> 17-Feb-2009 14:15:45.998 debug 3: client ::1#50076: query failed (REFUSED) 
> for ./IN/NS at query.c:3887
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.



Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-23 Thread Hongyi Zhao
Hi all,

Suppose a file named file.pdf stored in the following web location:   

http://some_domain/path/to/file.pdf

Where, the *some_domain* is a name-based virtual host.  In this case,
is it possible to set a ddns hostname, say through
http://www.changeip.net/, without using *some_domain* itself,  to
access this file?

-- 
.: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.


empty DoS queries

2009-02-23 Thread Frank Kirschner

Hello,
since last night we log empty queries (approx. 4000 per second) like 
this from a client in our LAN:


23-Feb-2009 13:20:15.516 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.518 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.519 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.523 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.524 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.525 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.527 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.531 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.533 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +



Additionally, there are also such log entries (approx. 4000 per second):

23-Feb-2009 14:05:56.464 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.470 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.483 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.489 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.500 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.508 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.517 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.521 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.533 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.539 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.546 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.558 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.565 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.572 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.584 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
23-Feb-2009 14:05:56.591 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +


What could be the reasons for it? Should I investigate and limit the 
packet flow by iptables/netfilter on port 53 of my BIND 9, actual 
release for Centos 5.2?


best regards
Frank
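
[Added example, not part of any poster's message.] A Python triage script for the two named log shapes quoted in this digest (the "denied" syslog lines in the "client query logging" thread and the query-log lines above): per client it reports a high per-minute rate, a single reused source port, a single repeated question, and denied root NS queries. The threshold, the function names and the 192.0.2.10 lines are constructed for illustration; the other sample lines are copied from the posts with the mail line-wrap undone.

```python
import re
from collections import Counter, defaultdict

# Two line shapes are quoted in the thread (mail line-wrap undone here):
#   syslog:    Feb 19 08:24:17 host named[6459]: client IP#PORT: query (cache) './NS/IN' denied
#   query log: 23-Feb-2009 13:20:15.516 queries: info: client IP#PORT: query: NAME IN A +
SYSLOG_DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>\S+?)/(?P<type>\w+)/(?P<cls>\w+)' denied"
)
QUERYLOG = re.compile(
    r"^(?P<ts>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ queries: (?:info: )?"
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): (?:view \S+: )?"
    r"query: (?P<name>\S+) (?P<cls>\w+) (?P<type>\w+)"
)


def parse_line(line):
    """Return a dict for a recognised query line, or None."""
    for kind, rx in (("denied", SYSLOG_DENIED), ("query", QUERYLOG)):
        m = rx.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            rec["minute"] = rec["ts"][:-3]  # drop ":SS" to bucket by minute
            return rec
    return None


def summarize(lines):
    """Collect per-client counters from an iterable of log lines."""
    stats = defaultdict(lambda: {"per_minute": Counter(), "ports": set(),
                                 "questions": Counter(), "denied": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a query line; ignore
        s = stats[rec["ip"]]
        s["per_minute"][rec["minute"]] += 1
        s["ports"].add(int(rec["port"]))
        s["questions"][(rec["name"], rec["type"])] += 1
        if rec["kind"] == "denied":
            s["denied"] += 1
    return dict(stats)


def flag_clients(stats, per_minute_threshold):
    """Map client IP -> list of reasons it deserves a closer look."""
    findings = {}
    for ip, s in stats.items():
        total = sum(s["per_minute"].values())
        peak = max(s["per_minute"].values())
        busy = total >= per_minute_threshold
        reasons = []
        if peak >= per_minute_threshold:
            reasons.append("rate")
        # A resolver library normally varies its source port per query.
        if busy and len(s["ports"]) == 1:
            reasons.append("fixed-source-port")
        if busy and s["questions"].most_common(1)[0][1] == total:
            reasons.append("single-question")
        if s["denied"] and (".", "NS") in s["questions"]:
            reasons.append("denied-root-ns")
        if reasons:
            findings[ip] = reasons
    return findings


SAMPLE_LINES = [
    "Feb 19 08:24:17 asdlkf named[6459]: client 62.109.4.89#32721: query (cache) './NS/IN' denied",
    "Feb 19 08:24:18 asdlkf named[6459]: client 195.68.176.4#25853: query (cache) './NS/IN' denied",
    r"23-Feb-2009 13:20:15.516 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +",
    r"23-Feb-2009 13:20:15.518 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +",
    r"23-Feb-2009 13:20:15.519 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +",
    r"23-Feb-2009 13:20:15.523 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +",
    r"23-Feb-2009 13:20:15.524 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +",
    # Constructed lines for an ordinary client (not from the thread):
    "23-Feb-2009 13:20:16.002 queries: info: client 192.0.2.10#40211: query: www.example.com IN A +",
    "23-Feb-2009 13:20:41.377 queries: info: client 192.0.2.10#51902: query: mail.example.com IN MX +",
]

if __name__ == "__main__":
    # Threshold of 5 suits the tiny sample; pick one from your own baseline.
    for ip, reasons in sorted(flag_clients(summarize(SAMPLE_LINES), 5).items()):
        print(ip, ", ".join(reasons))
```

Feed it a real log with `summarize(open(path))`. A source address seen in UDP query logs can be forged, so a flagged address identifies traffic to examine rather than the host that sent it.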


comp.protocols.dns.bind

2009-02-23 Thread Hongyi Zhao
Hi all,

Suppose a file named file.pdf stored in the following web location:   

http://some_domain/path/to/file.pdf

Where, the *some_domain* is a name-based virtual host.  In this case,
is it possible to set a ddns hostname, say through
http://www.changeip.net/, without using *some_domain* itself,  to
access this file?

-- 
.: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.




Re: bind 9.60p1 on solaris 10

2009-02-23 Thread Gary Mills
In  Mark Andrews  writes:

>In message <937393c4-77a8-4dba-8a4f-14560c25c...@o11g2000yql.googlegroups.com>,
> SN writes:
>> 
>> libcrypto.so.0.9.8 is not being found as a link library.  Trying to
>> run as in a chroot'ed environment on solaris 10 (core install).
>> Kindly advise.

>   Install the package that includes OpenSSL.
> 

The Solaris 10 package is SUNWopenssl-libraries, but that provides
only /usr/sfw/lib/libcrypto.so.0.9.7.  If bind requires
libcrypto.so.0.9.8, it's not going to build on Solaris 10.

-- 
-Gary Mills--Unix Support--U of M Academic Computing and Networking-


Re: bind 9.60p1 on solaris 10

2009-02-23 Thread SN
On Feb 19, 7:14 pm, Mark Andrews  wrote:
> In message 
> <937393c4-77a8-4dba-8a4f-14560c25c...@o11g2000yql.googlegroups.com>,
>
>  SN writes:
> > Hi Group.
>
> > libcrypto.so.0.9.8 is not being found as a link library.  Trying to
> > run as in a chroot'ed environment on solaris 10 (core install).
> > Kindly advise.
>
>         Install the package that includes OpenSSL.
>
>
>
>
>
> > r...@qdc-dns2(bash-3.0)/dns/chroot/usr/local/sbin# ldd /dns/chroot/usr/
> > local/sbin/named
> >         libcrypto.so.0.9.8 =>    (file not found)
> >         libnsl.so.1 =>   /usr/lib/libnsl.so.1
> >         libnsl.so.1 (SUNW_1.9.1) =>      (version not found)
> >         libsocket.so.1 =>        /usr/lib/libsocket.so.1
> >         libscf.so.1 =>   /usr/lib/libscf.so.1
> >         libpthread.so.1 =>       /usr/lib/libpthread.so.1
> >         libthread.so.1 =>        /usr/lib/libthread.so.1
> >         libxml2.so.2 =>  /usr/lib/libxml2.so.2
> >         libz.so.1 =>     /usr/lib/libz.so.1
> >         libm.so.2 =>     /usr/lib/libm.so.2
> >         libc.so.1 =>     /usr/lib/libc.so.1
> >         libmp.so.2 =>    /lib/libmp.so.2
> >         libmd.so.1 =>    /lib/libmd.so.1
> >         libdoor.so.1 =>  /lib/libdoor.so.1
> >         libuutil.so.1 =>         /lib/libuutil.so.1
> >         libgen.so.1 =>   /lib/libgen.so.1
> >         /platform/SUNW,Serverblade1/lib/libc_psr.so.1
> >         /platform/SUNW,Serverblade1/lib/libmd_psr.so.1
>
> > r...@qdc-dns2(bash-3.0)/dns/chroot/usr/local/sbin# /etc/init.d/dns
> > start
> > ld.so.1: named: fatal: libcrypto.so.0.9.8: open failed: No such file
> > or directory
> > Killed
>
> > Kind Regards,
> > -Sajed Naseem
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org

thank you.  I installed openssl on the server and it worked.  I had
forgotten that.  It was installed on the server I compiled on.

new error.  Any help would be appreciated.

r...@qdc-dns2(bash-3.0)/dns/chroot# chroot /dns/chroot /usr/local/sbin/named-checkconf /etc/named.conf
Segmentation Fault (core dumped)

This is off a default named.conf I got off sean boran's website.  No
named.conf is working.


acl "nameservers" {
    localhost;
    // my primary/sec
    192.168.128.33;
    192.168.128.34;
    // Internet & ISP:
    164.128.36.34;   // ip-plus
    130.59.1.80;     // domreg.nic.ch
};

options {
    directory "/var/named";
    // query-source address * port 53;
    pid-file "/var/run/named.pid";
    stacksize 30M;
    datasize 20M;
    auth-nxdomain yes;                // v9 wants this?
    allow-transfer { nameservers; };  // this limits ALL zones
    transfer-format many-answers;     // faster transfers
    version "DNS server";             // hide BIND version
};

/// default zones //

// this is the main file for the domain name server. Each line gives
// the file where is stored the name table for a particular domain.

// named.root / root.hint is not needed for BIND9

// localhost
zone "localhost" {
    type master;
    file "localhost.zone";
    allow-update { none; };
};
// reverse mapping of Loopback address
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "localhost.rev";
    notify no;
    allow-update { none; };
};

// primaries //
// Transfer ACLs are governed globally above
zone "test1.com" {
    type master;
    file "test1.com";
    allow-update { none; };
};

// reverse mapping example
zone "128.168.192.in-addr.arpa" IN {
    type master;
    file "rev.192.168.128";
};

//eof



Re: rndc -> wrong number of zones

2009-02-23 Thread Chris Thompson

On Feb 23 2009, squid proxy wrote:


> thx,
> but what I cannot understand is:
>
> I have 2 internal DNS server:
>
> Master BIND 9.3.4-P1.1 (debian Etch)
> SLAVE BIND 9.5.1-P1 (debian Lenny)
>
> they have the same number of zones, on both server is
>
> recursion yes
>
> and both have the same file zones.rfc1918 with the same zones.
>
> why at master rndc shows 22 number of zones and at slave 35 ?


Because "automatic empty zones" were first added in BIND 9.4.

--
Chris Thompson
Email: c...@cam.ac.uk





Re: empty DoS queries

2009-02-23 Thread Stephane Bortzmeyer
On Mon, Feb 23, 2009 at 02:20:03PM +0100,
 Frank Kirschner <147...@celebrate.de> wrote 
 a message of 65 lines which said:

> 23-Feb-2009 13:20:15.516 queries: info: client 10.48.0.19#2048: query:  
> \(none\) IN A +

I have no idea. But capturing such queries with something like:

tcpdump -w dos-of-the-day.pcap -c 10 src host 10.48.0.19 and dst port 53 

and posting the resulting pcap here (or on a public site like
pcapr.net) would be quite interesting. (Because what you posted is
BIND's view of these queries and the raw queries could reveal more.)


Re: Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-23 Thread Serge Fonville
When using apache (you haven't told what web server you are using) you can
define a virtual host which has a server name hongyi_zhao.changeip.net and a
serveralias of some_domain. then apache will respond to urls which have
either in the host header with the defined virtual host. This assumes that
either can be resolved to an IP from the requesting host.
Perhaps it is advisable to start googling for "virtual hosts" to further
determine how you should do it.

Hope this helps.

Regards,

Serge Fonville

On Fri, Feb 20, 2009 at 10:02 AM, Hongyi Zhao  wrote:

> Hi all,
>
> Suppose a file named file.pdf stored in the following web location:
>
> http://some_domain/path/to/file.pdf
>
> Where, the *some_domain* is a name-based virtual host.  In this case,
> is it possible to set a ddns hostname, say through
> http://www.changeip.net/, without using *some_domain* itself,  to
> access this file?
>
> --
> .: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.

Re: bind 9.60p1 on solaris 10

2009-02-23 Thread bsfinkel
In  Mark Andrews  writes:

In message <937393c4-77a8-4dba-8a4f-14560c25c...@o11g2000yql.googlegroups.com>,
>> SN writes:
>>> 
>>> libcrypto.so.0.9.8 is not being found as a link library.  Trying to
>>> run as in a chroot'ed environment on solaris 10 (core install).
>>> Kindly advise.

>>  Install the package that includes OpenSSL.
>> 

and Gary Mills  replied:

>The Solaris 10 package is SUNWopenssl-libraries, but that provides
>only /usr/sfw/lib/libcrypto.so.0.9.7.  If bind requires

On a Solaris 10 Sparc system:

solaris% strings /usr/sfw/lib/libcrypto.so.0.9.7 | grep security
OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
AES part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
ASN.1 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
Blowfish part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
Big Number part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
CAST part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
CONF part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
CONF_def part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
libdes part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
DES part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
Diffie-Hellman part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
DSA part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
EVP part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
lhash part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
MD2 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
MD4 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
MD5 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
id-smime-aa-securityLabel
id-smime-aa-securityLabel
security
PEM part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
RAND part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
RC2 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
RC4 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
RIPE-MD160 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
RSA part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
SHA part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
SHA1 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
Stack part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
TXT_DB part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
X.509 part of OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29)
solaris%

The filename contains "0.9.7" but the file itself contains security
patches which, I believe, makes it equivalent to 0.9.8.  That is what
my libcrypto expert told me.

I have built 9.6.0-P1 on Solaris 10, and I am running it as a caching-
only name server.  My production name servers are also 9.6.0-P1,
but those computers are still running Solaris 9.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994


libbind 6.0b1 bug?

2009-02-23 Thread Jack Tavares

Actually, it is a compile time problem.

Is there a place on the isc.org website to report a bug on libbind?

I didn't see it anywhere.

Thanks


--
Jack Tavares

Re: libbind 6.0b1 bug?

2009-02-23 Thread Evan Hunt
> Actually, it is a compile time problem.
> 
> Is there a place on the isc.org website to report a bug on libbind?
> 
> I didn't see it anywhere.

libbind-b...@isc.org

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: comp.protocols.dns.bind

2009-02-23 Thread Chris Buxton

On Feb 20, 2009, at 1:05 AM, Hongyi Zhao wrote:

> Hi all,
>
> Suppose a file named file.pdf stored in the following web location:
>
> http://some_domain/path/to/file.pdf
>
> Where, the *some_domain* is a name-based virtual host.  In this case,
> is it possible to set a ddns hostname, say through
> http://www.changeip.net/, without using *some_domain* itself,  to
> access this file?



The domain name in the browser is the domain name presented to the web  
server in the host header field. That name must resolve, somehow, to  
the IP address of the server. That can be either with an address  
record of that name or a CNAME record of that name, referring to  
another name that resolves to the correct address.


Without knowing your intent, I don't think this list can be any more  
helpful than that.


Chris Buxton
Professional Services
Men & Mice



Hostname Naming Compliance

2009-02-23 Thread Eric C. Davis
Are there plans for Bind to enforce hostname compliance according to 
RFC's or is this going to be left up to each DNS operator?


Eric Davis
Rockefeller University



Re: Hostname Naming Compliance

2009-02-23 Thread Chris Buxton

On Feb 23, 2009, at 10:19 AM, Eric C. Davis wrote:

> Are there plans for Bind to enforce hostname compliance according to  
> RFC's or is this going to be left up to each DNS operator?


It's present in BIND 9.3 and later. All characters except a-z, A-Z,  
0-9, and "-" itself are forbidden to appear in the labels of any  
domain name that is to be treated as a hostname. That is, any name  
that has an A or  record, or that appears in the RData of an NS,  
MX, or SRV record (if I'm not mistaken).


This can be disabled with:

options {
check-names master warn; # or fail
};

or:

zone "some.name" {
check-names warn; # or fail
};

Chris Buxton
Professional Services
Men & Mice
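
[Added example, not part of the message above and not BIND's own code.] A Python pre-check that applies the label rule described in this message to records in "owner TTL class type rdata" form, so an operator can list the names that would trip check-names before turning it on. The function names and sample records are constructed; treating AAAA like A, the no-leading-or-trailing-hyphen rule and accepting a leading "*" owner label are assumptions labelled in the code.

```python
import re

# Rule as described in the post: only a-z, A-Z, 0-9 and "-" in each label.
# Assumptions added here (RFC 952/1123 host-name syntax, not stated in the
# post): a label is 1..63 octets and neither starts nor ends with "-".
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

# Owner name is treated as a hostname for these types (AAAA is an assumption).
HOST_OWNER_TYPES = {"A", "AAAA"}
# Position of the hostname inside the rdata for the types the post lists.
TARGET_INDEX = {"NS": 0, "MX": 1, "SRV": 3}


def bad_labels(name, allow_wildcard=False):
    """Return the labels of `name` that break the hostname rule."""
    if name == ".":
        return []  # root target, e.g. an SRV or MX record pointing at "."
    labels = name.rstrip(".").split(".")
    # Assumption: a leading "*" label on an owner name is a wildcard, not a host.
    if allow_wildcard and labels[0] == "*":
        labels = labels[1:]
    return [label for label in labels if not LABEL.fullmatch(label)]


def check_records(lines):
    """Return (line_no, type, where, name, bad_labels) for each violation."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if line.lstrip().startswith(";"):
            continue  # zone-file comment
        fields = line.split()
        if len(fields) < 5:
            continue  # not in owner/TTL/class/type/rdata form
        owner, rtype, rdata = fields[0], fields[3].upper(), fields[4:]
        if rtype in HOST_OWNER_TYPES:
            bad = bad_labels(owner, allow_wildcard=True)
            if bad:
                findings.append((lineno, rtype, "owner", owner, bad))
        elif rtype in TARGET_INDEX and len(rdata) > TARGET_INDEX[rtype]:
            target = rdata[TARGET_INDEX[rtype]]
            bad = bad_labels(target)
            if bad:
                findings.append((lineno, rtype, "rdata", target, bad))
    return findings


# Constructed sample records (fully qualified, one record per line).
SAMPLE_ZONE = [
    "example.com. 3600 IN NS ns1.example.com.",
    "example.com. 3600 IN MX 10 mail_gw.example.com.",
    "web_01.example.com. 3600 IN A 192.0.2.10",
    "*.apps.example.com. 3600 IN A 192.0.2.11",
    "_sip._tcp.example.com. 3600 IN SRV 0 5 5060 sip.example.com.",
    "-edge.example.com. 3600 IN AAAA 2001:db8::1",
    '_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=none"',
]

if __name__ == "__main__":
    for lineno, rtype, where, name, bad in check_records(SAMPLE_ZONE):
        print(f"line {lineno}: {rtype} {where} {name} -> bad labels {bad}")
```

The SRV and TXT owner names with underscores pass because only names treated as hostnames are checked; the SRV target is checked, its owner is not.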



Re: Hostname Naming Compliance

2009-02-23 Thread Eric C. Davis
I know the option to use this compliance checker is present, but I'm 
curious to know if there are plans to make it mandatory to comply.  We 
aren't using this feature now, but I would like to.  My problem is 
politicking my way around the issue of breaking something that works.  
If Bind were to say they were going to start forcing compliance with 
this naming standard, then I simply have to say it's a standard that is 
being enforced.  Shouldn't enforcement be applied across the board 
anyway instead of at the operator's discretion?


Eric

Chris Buxton wrote:
> On Feb 23, 2009, at 10:19 AM, Eric C. Davis wrote:
>
>> Are there plans for Bind to enforce hostname compliance according to 
>> RFC's or is this going to be left up to each DNS operator?
>
> It's present in BIND 9.3 and later. All characters except a-z, A-Z, 
> 0-9, and "-" itself are forbidden to appear in the labels of any 
> domain name that is to be treated as a hostname. That is, any name 
> that has an A or  record, or that appears in the RData of an NS, 
> MX, or SRV record (if I'm not mistaken).
>
> This can be disabled with:
>
> options {
> check-names master warn; # or fail
> };
>
> or:
>
> zone "some.name" {
> check-names warn; # or fail
> };
>
> Chris Buxton
> Professional Services
> Men & Mice



Re: Hostname Naming Compliance

2009-02-23 Thread Evan Hunt
On Mon, Feb 23, 2009 at 01:54:46PM -0500, Eric C. Davis wrote:
> I know the option to use this compliance checker is present, but I'm 
> curious to know if there are plans to make it mandatory to comply.  We 
> aren't using this feature now, but I would like to.  My problem is 
> politicking my way around the issue of breaking something that works.  
> If Bind were to say they were going to start forcing compliance with 
> this naming standard, then I simply have to say it's a standard that is 
> being enforced.  Shouldn't enforcement be applied across the board 
> anyway instead of at the operator's discretion?

I haven't heard anyone at ISC suggest this, but if I did, I'd argue
against it.  I don't think we have any wish to be the "enforcers". :)
And anyway, if we put "mandatory" compliance into BIND, people who
wanted to break the rule would just hack it back out again.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: Hostname Naming Compliance

2009-02-23 Thread Chris Thompson

On Feb 23 2009, Evan Hunt wrote:


> On Mon, Feb 23, 2009 at 01:54:46PM -0500, Eric C. Davis wrote:
>> I know the option to use this compliance checker is present, but I'm 
>> curious to know if there are plans to make it mandatory to comply.  We 
>> aren't using this feature now, but I would like to.  My problem is 
>> politicking my way around the issue of breaking something that works.  
>> If Bind were to say they were going to start forcing compliance with 
>> this naming standard, then I simply have to say it's a standard that is 
>> being enforced.  Shouldn't enforcement be applied across the board 
>> anyway instead of at the operator's discretion?
>
> I haven't heard anyone at ISC suggest this, but if I did, I'd argue
> against it.  I don't think we have any wish to be the "enforcers". :)
> And anyway, if we put "mandatory" compliance into BIND, people who
> wanted to break the rule would just hack it back out again.


Or switch to different nameserver software that wasn't so proscriptive.

There's a strong argument that it isn't the job of BIND to be enforcing
restrictions that are not strictly DNS-related (vide RFC 2181 section 11).
The current uneasy compromise, in which there are restrictions that are
meant to be helpful, but which can be turned off, is probably the best
that can be achieved.

--
Chris Thompson
Email: c...@cam.ac.uk



Re: Hostname Naming Compliance

2009-02-23 Thread Gregory Hicks

> Date: Mon, 23 Feb 2009 19:07:31 +
> From: Evan Hunt 
> To: "Eric C. Davis" 
> Subject: Re: Hostname Naming Compliance
> Cc: "bind-users@lists.isc.org" 
> 
> On Mon, Feb 23, 2009 at 01:54:46PM -0500, Eric C. Davis wrote:
> > I know the option to use this compliance checker is present, but I'm 
> > curious to know if there are plans to make it mandatory to comply.  We 
> > aren't using this feature now, but I would like to.  My problem is 
> > politicking my way around the issue of breaking something that works.  
> > If Bind were to say they were going to start forcing compliance with 
> > this naming standard, then I simply have to say it's a standard that is 
> > being enforced.  Shouldn't enforcement be applied across the board 
> > anyway instead of at the operator's discretion?
> 
> I haven't heard anyone at ISC suggest this, but if I did, I'd argue
> against it.  I don't think we have any wish to be the "enforcers". :)
> And anyway, if we put "mandatory" compliance into BIND, people who
> wanted to break the rule would just hack it back out again.

If you want to "enforce" compliance, get M$ on board.  Otherwise it
ain't gonna fly.

I had good luck with $PREVIOUS_JOB with getting the company to
implement a "policy" of what host names should look like and then, when
a user tried to register a host via the helpdesk, the HelpDesk
personnel 'enforced' the naming standard.  (We also ran into several
places where non-compliance "broke things".  And no, I don't remember
what they were...)

I personally, whenever I saw a non-compliant hostname, would contact
the user and tell them that their hostname, formatted thus-and-so,
could cause problems and "Why don't you let me fix the name for you?"
990 times out of a 1,000, I got a "Go ahead.  Let me know when you're
finished."  ($COMPANY's host table had some 48,000-50,000 names in it
at any one time...  There were MANY chances to excel there.)

Regards,
Gregory Hicks


-
Gregory Hicks   | Principal Systems Engineer
| Direct:   408.569.7928

People sleep peaceably in their beds at night only because rough men
stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance.  -- Thomas Jefferson

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton



RE: Hostname Naming Compliance

2009-02-23 Thread Jeff Lightner
And of course you can legitimately say it is a "Standard" even if it
isn't enforced by the software.   Your argument would be that people
implementing new servers or attempting to access the systems wouldn't be
able to do so because they wouldn't have added the "exception to
Standard" that your PHBs are requiring.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Chris Thompson
Sent: Monday, February 23, 2009 2:31 PM
To: Bind Users Mailing List
Subject: Re: Hostname Naming Compliance

On Feb 23 2009, Evan Hunt wrote:

>On Mon, Feb 23, 2009 at 01:54:46PM -0500, Eric C. Davis wrote:
>> I know the option to use this compliance checker is present, but I'm 
>> curious to know if there are plans to make it mandatory to comply.  We 
>> aren't using this feature now, but I would like to.  My problem is 
>> politicking my way around the issue of breaking something that works.  
>> If Bind were to say they were going to start forcing compliance with 
>> this naming standard, then I simply have to say it's a standard that is 
>> being enforced.  Shouldn't enforcement be applied across the board 
>> anyway instead of at the operator's discretion?
>
>I haven't heard anyone at ISC suggest this, but if I did, I'd argue
>against it.  I don't think we have any wish to be the "enforcers". :)
>And anyway, if we put "mandatory" compliance into BIND, people who
>wanted to break the rule would just hack it back out again.

Or switch to different nameserver software that wasn't so proscriptive.

There's a strong argument that it isn't the job of BIND to be enforcing
restrictions that are not strictly DNS-related (vide RFC 2181 section 11).
The current uneasy compromise, in which there are restrictions that are
meant to be helpful, but which can be turned off, is probably the best
that can be achieved.

-- 
Chris Thompson
Email: c...@cam.ac.uk



Re: ResendRE: ns_type question

2009-02-23 Thread JINMEI Tatuya / 神明達哉
At Tue, 17 Feb 2009 23:05:27 -0800,
Jack Tavares  wrote:

> > My question is;
> >
> > the arpa/nameser.h file included does not include
> > type definitions for DNSKEY (or other dnssec rr types)
> > in the ns_type enum.
> >
> > am I looking in the wrong place?
> 
> > No, you're looking at the right place, and libbind isn't supposed to
> > provide any new feature regarding the new DNSSEC spec.
> 
> Ok. So is there a 'C' api for dealing with DNSSEC in this regard?

Hmm...I was wrong.  There's actually a planned patch to introduce
newer types in nameser.h, including DNSKEY.  If what you need as "a
'C' api for dealing with DNSSEC" is just new enum elements for these
RR types, a near future version of libbind will satisfy you.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: Hostname Naming Compliance

2009-02-23 Thread Danny Thomas

Eric C. Davis wrote:
> Are there plans for Bind to enforce hostname compliance according
> to RFC's or is this going to be left up to each DNS operator?

the question of benefit always arises when considering the
application of RFCs. It's probably better not enforcing things
just for the sake of complying to some RFC unless the
issue is known to cause problems.

For records not created through DDNS, it's better that your
dns administration mechanisms do this, plus they can enforce
more restrictive naming policies particular to your organization.
For the hack of it, I did implement something in our system
which would reject names not matching a regex. What's more the
regex could be specific to the sub-groups, so hostnames in the
SI group would have to begin "si-...". It was never enabled
as there would have been some effort involved in cleaning up
the existing entries.

A document discussing hostnames written 7 years ago
 http://www.its.uq.edu.au/choosing-hostnames

One of the zones we secondary has very little sub-structure
and basically thousands of desktops were registering themselves
with DDNS. Several years ago when developing my dnswalk2 script,
it reported roughly a hundred bad names like
 137
 botany_ew (underscores were common)
 jb's\0329200  (spaces were common)

I just checked and the situation is no better. Probably quite a few
of these are machines not owned by the organization, though they
could insist on a valid hostname for connection to their network.

Apart from zones we secondary, the only time we disable the check
is for the _msdcs part of AD. Specifically only the gc records
involve A records. I know it's not specified in the RFCs, but
a pragmatic approach would be to have an option reporting bad
hostnames ... except those A records matching "^gc\._msdcs\.".
NB we always have AD as sub-zones, so it's easy to liberalize
hostname checking just for that part of dns space, but that's
not possible if the AD records exist in the main zone.

Danny
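
Added example, not part of the message above and not BIND's own code: a
Python version of the check it describes, run over the three bad names it
quotes, the per-group prefix rule and the proposed ^gc\._msdcs\. exemption.
The function names, the reject_numeric switch and the example.com names are
assumptions; the all-digit name is flagged only by that switch, because
RFC 1123 permits a leading digit.

```python
import re

# One hostname label per RFC 952 as relaxed by RFC 1123: letters, digits and
# hyphens, starting and ending with a letter or digit, 1-63 octets.
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# The exemption proposed in the message for AD global-catalog A records.
EXEMPT = re.compile(r"^gc\._msdcs\.", re.IGNORECASE)


def split_labels(owner):
    """Split a master-file owner name into labels, decoding \\DDD and \\X."""
    labels, cur, i = [], "", 0
    while i < len(owner):
        ch, ddd = owner[i], owner[i + 1:i + 4]
        if ch == "\\" and len(ddd) == 3 and ddd.isdecimal():
            cur, i = cur + chr(int(ddd)), i + 4       # \032 is a space
        elif ch == "\\" and i + 1 < len(owner):
            cur, i = cur + owner[i + 1], i + 2        # \. is a literal dot
        elif ch == ".":
            labels.append(cur)
            cur, i = "", i + 1
        else:
            cur, i = cur + ch, i + 1
    if cur:
        labels.append(cur)
    return labels


def check_hostname(owner, group_prefix=None, reject_numeric=False):
    """Return the problems found in an address-record owner name ([] = ok)."""
    if EXEMPT.match(owner):
        return []
    labels = split_labels(owner)
    problems = [] if labels else ["empty name"]
    for label in labels:
        if LABEL.fullmatch(label):
            continue
        bad = "".join(sorted({c for c in label
                              if not re.fullmatch(r"[A-Za-z0-9-]", c)}))
        if bad:
            problems.append(f"label {label!r}: illegal character(s) {bad!r}")
        else:
            problems.append(f"label {label!r}: bad length or leading/trailing hyphen")
    host = labels[0] if labels else ""
    if reject_numeric and host.isdigit():             # hypothetical local policy
        problems.append(f"label {host!r}: all-numeric host label")
    if group_prefix and not host.lower().startswith(group_prefix):
        problems.append(f"label {host!r}: missing group prefix {group_prefix!r}")
    return problems


def report(names, **policy):
    """Map each failing name to its list of problems."""
    return {n: p for n in names if (p := check_hostname(n, **policy))}


# Constructed sample: the three names quoted in the message plus controls.
SAMPLE = ["137", "botany_ew", r"jb's\0329200", "gc._msdcs.example.com.",
          "dc1._msdcs.example.com.", "si-web01.example.com."]
```
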



Re: client query logging (refused message)

2009-02-23 Thread Mark Andrews

In message ,
 asd...@gmail.com writes:
> 62.109.4.89 and 195.68.176.4 are compromised/attackers

Actually they are more likely to be under attack.

Make sure that you (and your ISP) have deployed the measures
in BCP 38 to ensure that you are not the source of such an
attack.

Mark
 
> See my post here: http://www.linuxforums.org/forum/redhat-fedora-linux-help/140848-var-log-messages-question.html
> 
> Sample log entries:
> Feb 19 08:24:17 asdlkf named[6459]: client 62.109.4.89#32721: query (cache) './NS/IN' denied
> Feb 19 08:24:18 asdlkf named[6459]: client 195.68.176.4#25853: query (cache) './NS/IN' denied
> Frequency: 40 to 90 queries from those hosts per minute.
> 
> -- Chris
> 
> 
> 
> On Feb 17, 2:19 pm, JINMEI Tatuya / 神明達哉 wrote:
> > At Tue, 17 Feb 2009 08:15:39 -0500,
> >
> > Matthew Huff  wrote:
> > > 17-Feb-2009 08:14:17.376 queries: client 62.109.4.89#49464: view
> > > external-in: query: . IN NS +
> > > ...
> >
> > > logged, and I have verified that the query is refused, but nothing in the
> > > log shows that it was refused. Is there anyway to log the success/failure of
> > > the queries?
> >
> > Not yet, but BIND 9.7 (and perhaps next minor versions of 9.6 and 9.5)
> > will provide a new logging category that can log the information you
> > seem to want:
> >
> > 17-Feb-2009 14:15:45.998 debug 3: client ::1#50076: query failed (REFUSED) for ./IN/NS at query.c:3887
> >
> > ---
> > JINMEI, Tatuya
> > Internet Systems Consortium, Inc.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: empty DoS queries

2009-02-23 Thread Mark Andrews

I suspect you have a broken application on 10.48.0.19.

Mark

In message <70fo2df49pf...@mid.individual.net>, Frank Kirschner writes:
> Hello,
> since last night we log empty queries (approx. 4000 per second) like 
> this from a client in our LAN:
> 
> 23-Feb-2009 13:20:15.516 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.518 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.519 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.523 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.524 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.525 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.527 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.531 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 23-Feb-2009 13:20:15.533 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
> 
> 
> Additionally there are also such log entries (approx. 4000 per second):
> 
> 23-Feb-2009 14:05:56.464 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.470 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.483 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.489 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.500 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.508 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.517 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.521 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.533 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.539 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.546 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.558 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.565 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.572 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.584 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 23-Feb-2009 14:05:56.591 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
> 
> What could be the reasons for it? Should I investigate and limit the 
> packet flow by iptables/netfilter on port 53 of my BIND 9, actual 
> release for Centos 5.2?
> 
> best regards
> Frank
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
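
Added example, not written by any poster in these threads and not part of
BIND: a Python tally of named log lines per client and minute, covering the
syslog "denied" lines from the "client query logging" thread and the
query-log lines from the "empty DoS queries" thread. The sample lines are
constructed from the ones quoted (unwrapped to one entry per line), and the
function names and the threshold are assumptions.

```python
import re
from collections import Counter

# "query (cache) '<name>/<type>/<class>' denied" lines as written to syslog.
DENIED = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d):\d\d \S+ named\[\d+\]: "
    r"client (\S+)#\d+: query \(cache\) '(\S+)/(\w+)/\w+' denied")
# Query-log lines, with or without the "info:" and "view <name>:" fields.
QUERY = re.compile(
    r"^(\d\d-\w{3}-\d{4} \d\d:\d\d):\d\d\.\d+ queries: (?:info: )?"
    r"client (\S+)#\d+: (?:view \S+: )?query: (\S+) IN (\w+)")

# Constructed sample, modelled on the entries quoted in the two threads.
SAMPLE_LOG = r"""
Feb 19 08:24:17 asdlkf named[6459]: client 62.109.4.89#32721: query (cache) './NS/IN' denied
Feb 19 08:24:18 asdlkf named[6459]: client 195.68.176.4#25853: query (cache) './NS/IN' denied
Feb 19 08:24:19 asdlkf named[6459]: zone example/IN: loaded serial 1
Feb 19 08:24:40 asdlkf named[6459]: client 62.109.4.89#40112: query (cache) './NS/IN' denied
23-Feb-2009 13:20:15.516 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.518 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 13:20:15.519 queries: info: client 10.48.0.19#2048: query: \(none\) IN A +
23-Feb-2009 14:05:56.464 queries: info: client 10.48.0.19#2048: query: luca.inetgate.net IN A +
""".strip().splitlines()


def parse_line(line):
    """Return (client, minute, qname, qtype, denied) or None for other lines."""
    for pattern, denied in ((DENIED, True), (QUERY, False)):
        m = pattern.match(line)
        if m:
            minute, client, qname, qtype = m.groups()
            return client, minute, qname, qtype, denied
    return None


def tally(lines):
    """Count identical (client, minute, qname, qtype, denied) tuples."""
    return Counter(rec for rec in map(parse_line, lines) if rec)


def over_threshold(counts, per_minute):
    """Buckets at or above per_minute, busiest first.

    A UDP source address can be forged, so an outside address listed here may
    be the target of the traffic rather than its origin.
    """
    hits = [(key, n) for key, n in counts.items() if n >= per_minute]
    return sorted(hits, key=lambda kn: (-kn[1], kn[0]))


if __name__ == "__main__":
    # Threshold of 2 only suits this tiny sample; real logs need a real rate.
    for key, n in over_threshold(tally(SAMPLE_LOG), 2):
        print(n, *key)
```
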


Re: Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-23 Thread Barry Margolin
In article , hongyi.z...@gmail.com wrote:

> On Friday, February 20, 2009 at 22:15, serge.fonvi...@gmail.com wrote:
> > Let me give an example to illustrate my problem:
> 
> > In the following url, the prola.aps.org is a name-based  virtual host:
> 
> > http://prola.aps.org/pdf/PRB/v1/i1/p1_1
> 
> > On  the other hand, my institute has subscribed to prola and many other
> > journals, so I want to use some self-made and easy-to-memory hostnames for
> > each  of them.  For example, I want to use the following url to access
> > the above one:
> 
> > http://myprola.myddns.org/pdf/PRB/v1/i1/p1_1
> 
> > Is this possible?
> 
> > You can specify a domainalias for every virtualhost in the apache
> > configuration (other http servers should support similar functionality)
> 
> I can't figure it out.  I only have a web
> client such as ie or firefox to access the above url?  Do you mean
> that I must setup a local webserver, say by using apache to do that thing?

The operators of the dynamic DNS service may offer an HTTP redirect 
service that does this for you.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


Re: [OT] Is it possible to set a ddns hostname to access a name-based virtual host?

2009-02-23 Thread Michael Milligan
hongyi.z...@gmail.com wrote:
> 
>> You *must* reference the location using the same URI if you expect to
>> see the same expected results.
> 
> Thanks for your detailed explanations.  Another issue: what do you
> mean by saying URI?  What's the differences between URI and URL?

Just being more general.  A URL is a HTTP URI... Google has plenty of
explanations.

> 
>> Regards,
>> Mike
> 
>> PS:  There are other maintenance problems with your approach too, but
> 
> What for example?

The biggest problem is when the IP of the original server changes, you
have to track that and periodically update your name.  Unless you take a
proxy approach.

Regards,
Mike

-- 
Michael Milligan   -> mi...@acmeps.com



Re: Hostname Naming Compliance

2009-02-23 Thread Michael Milligan
Ah yes, the perennial rathole...

Eric C. Davis wrote:
> I know the option to use this compliance checker is present, but I'm
> curious to know if there are plans to make it mandatory to comply.  We

RFC 1123 has always been mandatory for Internet connected hosts.  Valid
characters for a hostname are very clearly defined in that ancient
document.  Enforcement (or lack thereof) is another issue.  DNS is not
the right place to enforce it IMHO, it's a host-level thing, an
operating system thing.  Blame Apple and Microsoft (and others) for not
getting it right, most especially in regards to underscores.  Until they
change, we all are stuck with the mess.

Regards,
Mike

-- 
Michael Milligan   -> mi...@acmeps.com


Re: Hostname Naming Compliance

2009-02-23 Thread David Ford
Here's a question.  Are we incapable of dealing with things like
underscores in hostnames?  Is there any significant harm in adapting?

-david
