Questions: BIND Dynamic Update DoS
According to this link: https://www.isc.org/node/474

The dynamic update vulnerability affects all BIND 9 versions, but what about BIND 8? Is it not affected or not tested?

As we are running BIND 8 (can't upgrade to BIND 9 due to being restricted to Windows 2000), how can we test if dynamic update is a problem for us?

TIA.
Peter
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Questions: BIND Dynamic Update DoS
> According to this link: https://www.isc.org/node/474
>
> The dynamic update vulnerability affects all BIND 9 versions, but what
> about BIND 8? Is it not affected or not tested?

BIND 8 is End of Life. It has several known vulnerabilities. See for instance

https://www.isc.org/node/378

I don't know if the recent dynamic update vulnerability affects BIND 8. However, given the number of *other* known vulnerabilities in BIND 8 you should definitely think about upgrading.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: change NXDOMAIN to a A type response
On 03.08.09 13:59, Ryan Qian wrote:
> some isp change NXDOMAIN to a A type response, I know this is can not be
> realized by bind software by default source code, so is there anyone know
> how do they realize this function? change the source code or use proxy
> software upon DNS bind?

Many people consider that a bad idea. The DNS is used by many applications in many manners and providing false answers can break them in many ways.

You won't get different answer on this list, I guess.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Nothing is fool-proof to a talented fool.
Re: change NXDOMAIN to a A type response
On Aug 3 2009, Matus UHLAR - fantomas wrote:

> On 03.08.09 13:59, Ryan Qian wrote:
> > some isp change NXDOMAIN to a A type response, I know this is can not be
> > realized by bind software by default source code, so is there anyone know
> > how do they realize this function? change the source code or use proxy
> > software upon DNS bind?
>
> Many people consider that a bad idea. the DNS is used by many applications
> in many manners and providing false answers can break them in many ways.
>
> You won't get different answer on this list, i guess.

You could read the rather heated discussion of Internet Draft draft-livingood-dns-redirect-00 over on the dnsop mailing list - see

http://www.ietf.org/mail-archive/web/dnsop

--
Chris Thompson
Email: c...@cam.ac.uk
Re: Dig shows wrong ip
On Aug 3 2009, Danny Mayer wrote:

> Chris Thompson wrote:
> [...]
> > You are misinterpreting what I said. Of course erroneous glue needs to
> > be corrected. But there is no need for the servers to return IP addresses
> > provided for glue as an *answer* to a query, as the *.gtld-servers.net
> > ones do, rather than giving a proper referral. (At least their answers
> > are not marked authoritative, unlike those from some other nameservers.)
>
> It needs to be part of the answer if the nameserver is in the same
> domain as the FQDN otherwise it won't know where to go for the answers.
> That's the point of the glue.

It needs to be part of the *response*, not part of the *answer* (section). In a referral, glue records appear in the additional section: the answer section is empty.

When the *.gtld-servers.net servers are asked about dns3.potomacnetworks.com (for example), they don't give a referral. They give an answer based on what ought to be the glue record. This means that if the NS records for potomacnetworks.com have not already been cached, a recursive nameserver will believe this answer (and cache it). This would only be proper behaviour if the *.gtld-servers.net were slaving (possibly stealth slaving) potomacnetworks.com - which of course they aren't, but how is the poor recursive nameserver to know that?

--
Chris Thompson
Email: c...@cam.ac.uk
Re: change NXDOMAIN to a A type response
--- On Mon, 3/8/09, Matus UHLAR - fantomas wrote:

> Many people consider that a bad idea. the DNS is used by many applications
> in many manners and providing false answers can break them in many ways.

Here the primary ISP CN Telecom does do DNS hijack, though I hate this. Anybody could try it using their DNS with nslookup:

    > server 202.96.128.166
    Default Server: cache-b.guangzhou.gd.cn
    Address: 202.96.128.166

    > www.notexists234256235.com
    Server: cache-b.guangzhou.gd.cn
    Address: 202.96.128.166

    Non-authoritative answer:
    Name: www.notexists234256235.com
    Address: 59.37.71.85

www.notexists234256235.com doesn't exist, but this DNS does return an A RR. Wah.
Re: Dig shows wrong ip
At 03 Aug 2009 11:52:10 +0100, Chris Thompson wrote:

> will believe this answer (and cache it). This would only be proper
> behaviour if the *.gtld-servers.net were slaving (possibly stealth slaving)
> potomacnetworks.com - which of course they aren't, but how is the poor
> recursive nameserver to know that?

By seeing the aa bit of the response.

We're aware of this problem and have a patch to fix the behavior at the resolver side. The fix will (hopefully) appear in next release versions of BIND9.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
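Added example (not part of any post in this thread, and not BIND's resolver code): the distinction discussed above, a referral carrying glue in the additional section versus the same record placed in the answer section with the aa bit clear, read directly from the wire format. The three messages are constructed; 192.0.2.53 is a documentation address standing in for the real glue.

```python
import struct

AA = 0x0400  # "authoritative answer" bit in the DNS header flags

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def rr(name, rtype, rdata):
    # One class-IN resource record with a constructed TTL.
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, 172800, len(rdata)) + rdata

def response(qname, aa, an=(), ns=(), ar=()):
    # Constructed response (QR=1) to an A query; each section is a list of rr() bytes.
    head = struct.pack("!6H", 0x1234, 0x8000 | (AA if aa else 0), 1, len(an), len(ns), len(ar))
    return head + encode_name(qname) + struct.pack("!HH", 1, 1) + b"".join([*an, *ns, *ar])

def skip_name(msg, off):
    # Offset just past a (possibly compressed) name starting at off.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)

def classify(msg):
    # Walk all three sections and report what kind of response this is.
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for count in (an, ns, ar):
        section = []
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            section.append(rtype)
        types.append(section)
    answer, authority, _additional = types
    if answer:
        return "authoritative answer" if flags & AA else "non-authoritative answer"
    if 2 in authority and not flags & AA:      # NS records, empty answer, aa clear
        return "referral"
    return "other"

NAME, ZONE = "dns3.potomacnetworks.com", "potomacnetworks.com"
GLUE = rr(NAME, 1, bytes([192, 0, 2, 53]))     # constructed A record (TEST-NET-1)
NS = rr(ZONE, 2, encode_name(NAME))
REFERRAL = response(NAME, False, ns=[NS], ar=[GLUE])
GLUE_AS_ANSWER = response(NAME, False, an=[GLUE], ns=[NS])
FROM_ZONE = response(NAME, True, an=[GLUE], ns=[NS])
```

A resolver that asked a parent-zone server iteratively and gets back "non-authoritative answer" is looking at the case described in the thread: the aa bit is what separates it from an answer given by the zone's own servers.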
Re: Bind9.6.0 Statistics Output
At Thu, 30 Jul 2009 09:53:13 +0200, "Dangl, Thomas" wrote:

> I collect statistics data via the http interface and parse the XML file.
>
> There are some differences of the layout of the XML result between
> Bind9.5 and Bind9.6.

To be precise, there have been substantial changes in (IIRC) 9.5.1 from 9.5.0, so it's actually not between 9.5 and 9.6.

Note that the XML format is still considered "experimental", and backward incompatible changes may still happen. However, we understand such changes are very inconvenient even if it's still "experimental", and we'll try to keep future changes in a backward compatible manner as much as possible.

> Is there an option or configuration parameter that allows to control the
> XML format?

No, but you can at least check the statistics version to see if it's compatible for your parser. The current version is 2.0, and, in general, changes in the same major version (currently "2") should be backward compatible.

> There are 2 views found in the XML file named "_default" and "bind".
> Is there a view - or rather one of these views - that is included in
> each XML statistics result that contains the total of the counter across
> all views?
> Or is it necessary to parse across all views and calculate the sum?

The latter. If a statistics counter is provided per-view basis, you need to sum up the counters of all views to get the total.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
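Added example (not from the thread or from ISC): the two steps the reply above describes, checking the statistics version before parsing and summing a per-view counter across all views. The XML sample is constructed, and its element layout (`isc/bind/statistics/views/view` with `resstat` name/counter pairs) is an assumption about the 2.x format; adjust the paths to what your server actually emits.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SUPPORTED_MAJOR = 2  # the reply gives the current statistics version as 2.0

# Constructed sample; the element layout is an assumption, not copied from a server.
SAMPLE = """<isc version="1.0"><bind><statistics version="2.0"><views>
  <view><name>_default</name>
    <resstat><name>Queryv4</name><counter>120</counter></resstat>
    <resstat><name>NXDOMAIN</name><counter>7</counter></resstat>
  </view>
  <view><name>_bind</name>
    <resstat><name>Queryv4</name><counter>3</counter></resstat>
  </view>
</views></statistics></bind></isc>"""

class IncompatibleStats(Exception):
    """Raised when the document is not a statistics version this parser knows."""

def total_per_view_counters(xml_text, group="resstat"):
    """Return {counter name: sum over all views} for one per-view counter group."""
    root = ET.fromstring(xml_text)
    stats = root.find("./bind/statistics")
    if stats is None:
        raise IncompatibleStats("no statistics element found")
    version = stats.get("version", "")
    major = version.split(".")[0]
    # Same major version should be backward compatible; anything else is refused
    # rather than parsed on the hope that the layout still matches.
    if not major.isdigit() or int(major) != SUPPORTED_MAJOR:
        raise IncompatibleStats(f"unsupported statistics version {version!r}")
    totals = Counter()
    for view in stats.iterfind("./views/view"):
        for item in view.iterfind(group):
            totals[item.findtext("name")] += int(item.findtext("counter"))
    return dict(totals)

if __name__ == "__main__":
    print(total_per_view_counters(SAMPLE))
```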
RE: Questions: BIND Dynamic Update DoS
> The dynamic update vulnerability affects all BIND 9 versions, but what
> about BIND 8? Is it not affected or not tested?

As I know, there is no effect at bind 8 version.

Thanks.
Re: How many available compile options are on bind-9.4.3-P3
In message , "David M. Dowdle" writes:
> So, as he originally asked, how do you find out what the feature MEANS?
>
> --enable-getifaddrs    Enable the use of getifaddrs() [yes|no].
>
> All the documentation I could find on it for bind was a 2006 'fixed bug in
> linux with getifaddrs'. So what's the advantage and disadvantage of this
> 'feature'. IE what features does this feature do?

These days it does little.

CHANGES references to getifaddrs.

2342.   [func]  Use getifaddrs() if available under Linux. [RT #17224]

2160.   [bug]   libisc wasn't handling NULL ifa_addr pointers returned
                from getifaddrs(). [RT #16708]

1751.   [bug]   --enable-getifaddrs failed under linux. [RT #12867]

1626.   [bug]   --enable-getifaddrs was broken. [RT#11259]

1454.   [port]  Use getifaddrs() if available for interface scanning.
                --disable-getifaddrs to override. Glibc currently
                has a getifaddrs() that does not support IPv6.
                Use --enable-getifaddrs=glibc to force the use of
                this version under linux machines.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org