Wild cards in zone file

2011-05-24 Thread John Kennedy
I tried to google this but could not hit the right keywords (been a long
week)...

I have 3 hosts on a domain (example.com) like so:

int.project   A   10.10.10.2
stage.project   A  10.10.10.3
test.project A   10.10.10.4

Now I want everything else to go to 10.10.10.5
*.project A   10.10.10.5

Is this possible?

Thanks,
John

-- 
 John Kennedy
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Wild cards in zone file

2011-05-24 Thread Torsten Segner
On Tue, 24 May 2011 09:55:19 +0100, John Kennedy wrote:

> I tried to google this but could not hit the right keywords (been a long
> week)...
> 
> I have 3 hosts on a domain (example.com) like so:
> 
> int.project   A   10.10.10.2
> stage.project   A  10.10.10.3
> test.project A   10.10.10.4
> 
> Now I want everything else to go to 10.10.10.5
> *.project A   10.10.10.5
> 
> Is this possible?
> 
> Thanks,
> John
> 


Yes, just add the wildcard record to the zone and it will work.


Ciao
Torsten


Re: Wild cards in zone file

2011-05-24 Thread Matus UHLAR - fantomas
On 24.05.11 09:55, John Kennedy wrote:
> I tried to google this but could not hit the right keywords (been a long
> week)...
> 
> I have 3 hosts on a domain (example.com) like so:
> 
> int.project   A   10.10.10.2
> stage.project   A  10.10.10.3
> test.project A   10.10.10.4
> 
> Now I want everything else to go to 10.10.10.5
> *.project A   10.10.10.5
> 
> Is this possible?

Yes, this is how wildcards work. Note that this could have side effects,
e.g. anyone can use randomnonexistingdomain.project.example.com as source
address for spam e-mails, and many others.
I advise using wildcards only in cases where they are REALLY needed.

See RFC 4592 for more information about DNS wildcards.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (in Slovak): I do not wish to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...
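The matching rule behind Matus's caveat is worth seeing on John's own zone. The Python below is an added example, not part of the thread and not BIND's code: the Zone class and its lookup method are this example's own model of the RFC 4592 algorithm, built from the names and addresses in John's post (the SOA and NS records are constructed filler). It shows which queries the wildcard answers and which it does not: any invented label directly under project gets 10.10.10.5, names below an existing host such as int.project are NXDOMAIN because that host is the closest encloser and has no wildcard child, and the empty non-terminal project itself returns NODATA rather than the wildcard address.

```python
"""Model of RFC 4592 wildcard matching for the zone in the thread (added
example; the Zone class is this example's own construction, not BIND's)."""


def labels(name):
    """Dotted name -> labels with the root end first: 'a.b.c' -> ['c', 'b', 'a']."""
    return [lab for lab in name.rstrip(".").split(".") if lab][::-1]


class Zone:
    def __init__(self, origin, records):
        # records: (owner relative to origin, or '@' for the apex, rtype, rdata)
        self.origin = origin.rstrip(".")
        self.rrsets = {}
        for owner, rtype, rdata in records:
            fqdn = self.origin if owner == "@" else f"{owner}.{self.origin}"
            key = tuple(labels(fqdn))
            self.rrsets.setdefault(key, {}).setdefault(rtype, []).append(rdata)
        # Every ancestor of an owner name exists too, as an empty non-terminal
        # when nothing is stored at it ('project' here); RFC 4592 needs that set.
        self.names = set()
        for key in self.rrsets:
            for i in range(1, len(key) + 1):
                self.names.add(key[:i])

    def lookup(self, qname, qtype):
        """Return (rcode, rdata list, owner name the answer came from).

        Exact match wins; otherwise the closest encloser (longest existing
        ancestor) is found and only a '*' child of *that* node may synthesize
        an answer (RFC 4592 section 3.3). Anything else is NXDOMAIN."""
        q = tuple(labels(qname))
        if q in self.names:
            rrs = self.rrsets.get(q, {})
            return ("NOERROR", rrs.get(qtype, []), qname)  # empty list = NODATA
        for i in range(len(q) - 1, 0, -1):
            if q[:i] in self.names:
                wild = q[:i] + ("*",)
                if wild in self.rrsets:
                    owner = ".".join(reversed(wild)) + "."
                    return ("NOERROR", self.rrsets[wild].get(qtype, []), owner)
                return ("NXDOMAIN", [], None)
        return ("NXDOMAIN", [], None)  # not under this zone at all (model only)


# Constructed zone: John's three hosts plus the wildcard he asked about.
ZONE = Zone("example.com.", [
    ("@", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 864000 86400"),
    ("@", "NS", "ns1.example.com."),
    ("int.project", "A", "10.10.10.2"),
    ("stage.project", "A", "10.10.10.3"),
    ("test.project", "A", "10.10.10.4"),
    ("*.project", "A", "10.10.10.5"),
])


def explain(qname, qtype="A"):
    rcode, rdata, owner = ZONE.lookup(qname, qtype)
    via = f" (from {owner})" if owner and owner != qname else ""
    return f"{qname} {qtype}: {rcode} {rdata or '-'}{via}"


if __name__ == "__main__":
    for name in ("int.project.example.com", "anything.project.example.com",
                 "deep.er.project.example.com", "foo.int.project.example.com",
                 "project.example.com", "other.example.com"):
        print(explain(name))
```

Note that an A query for any made-up label under project succeeds while an MX query for the same name returns NOERROR with an empty answer (the wildcard only carries an A record); that is the shape of the spam side effect Matus describes, since the invented name is seen to exist.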


Re: Wild cards in zone file

2011-05-24 Thread John Kennedy
That worked. Thanks guys.
John

On Tue, May 24, 2011 at 10:25, Matus UHLAR - fantomas wrote:

> On 24.05.11 09:55, John Kennedy wrote:
> > I tried to google this but could not hit the right keywords (been a long
> > week)...
> >
> > I have 3 hosts on a domain (example.com) like so:
> >
> > int.project   A   10.10.10.2
> > stage.project   A  10.10.10.3
> > test.project A   10.10.10.4
> >
> > Now I want everything else to go to 10.10.10.5
> > *.project A   10.10.10.5
> >
> > Is this possible?
>
> Yes, this is how wildcards work. Note that this could have side effects,
> e.g. anyone can use randomnonexistingdomain.project.example.com as source
> address for spam e-mails, and many others.
> I advise using wildcards only in cases where they are REALLY needed.
>
> See RFC 4592 for more information about DNS wildcards.
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning (in Slovak): I do not wish to receive any advertising mail at this address.
> Linux IS user friendly, it's just selective who its friends are...
>



-- 
 John Kennedy

Why DNSSEC errors for bund.de?

2011-05-24 Thread Chris Thompson

We are getting DNSSEC-related SERVFAILs on names in bund.de (e.g.
mx1.bind.de). This happens with all of BIND 9.7.3-P1, 9.7.4b1 and
9.8.0-P1 configured with the root and dlv.isc.org trust anchors.

However, I can't see what is actually wrong with it, using dig +cd as
necessary. All the signatures appear to have valid start/stop times, and
http://dnsviz.net/d/mx1.bund.de/dnssec/ seems pretty happy with it. There
are a lot of false trails (e.g. the DS records for it in "de") but that
shouldn't stop BIND finding the one that works (DLV in dlv.isc.org ->
KSK with tag 10923 -> ZSK with tag 4814), should it?

It may be significant that this problem was reported to us on the same
day that obscured DNSKEY records were introduced into the "de" zone...

--
Chris Thompson
Email: c...@cam.ac.uk


Re: Why DNSSEC errors for bund.de?

2011-05-24 Thread Lars Hecking
Chris Thompson writes:
> We are getting DNSSEC-related SERVFAILs on names in bund.de (e.g.
> mx1.bind.de). This happens with all of BIND 9.7.3-P1, 9.7.4b1 and
> 9.8.0-P1 configured with the root and dlv.isc.org trust anchors.
> 
> However, I can't see what is actually wrong with it, using dig +cd as
> necessary. All the signatures appear to have valid start/stop times, and
> http://dnsviz.net/d/mx1.bund.de/dnssec/ seems pretty happy with it. There
> are a lot of false trails (e.g. the DS records for it in "de") but that
> shouldn't stop BIND finding the one that works (DLV in dlv.isc.org ->
> KSK with tag 10923 -> ZSK with tag 4814), should it?
> 
> It may be significant that this problem was reported to us on the same
> day that obscured DNSKEY records were introduced into the "de" zone...

 Maybe this is a symptom of DUdeZ (deliberately unvalidatable DE zone)?

 
http://www.heise.de/newsticker/meldung/DENIC-startet-unbemerkt-mit-der-Verteilung-der-signierten-de-Zone-1247415.html
 http://www.denic.de/domains/dnssec.html




Re: Why DNSSEC errors for bund.de?

2011-05-24 Thread Chris Thompson

On May 24 2011, I wrote:


We are getting DNSSEC-related SERVFAILs on names in bund.de (e.g.
mx1.bind.de). This happens with all of BIND 9.7.3-P1, 9.7.4b1 and
9.8.0-P1 configured with the root and dlv.isc.org trust anchors.

However, I can't see what is actually wrong with it, using dig +cd as
necessary. All the signatures appear to have valid start/stop times, and
http://dnsviz.net/d/mx1.bund.de/dnssec/ seems pretty happy with it. There
are a lot of false trails (e.g. the DS records for it in "de") but that
shouldn't stop BIND finding the one that works (DLV in dlv.isc.org ->
KSK with tag 10923 -> ZSK with tag 4814), should it?

It may be significant that this problem was reported to us on the same
day that obscured DNSKEY records were introduced into the "de" zone...


That seems almost certain to be the precipitating event, in fact.
I can produce the same effect for all 31 zones that are both registered
in dlv.isc.org *and* have a DS record in dlv.isc.org:

 adns1.de.                     ralf-pulz.de.
 brj-berlin.de.                reichel-jens.de.
 btw-kinderdorf.de.            schrimpe.de.
 buergerhaushalt-marzahn.de.   sgfun.de.
 bund.de.                      sgmail.de.
 com.de.                       stadtteilzeitung-nordwest.de.
 exanames.de.                  stefan-gransow.de.
 gun.de.                       stegranet.de.
 idkom-networks.de.            steinmuss.de.
 ifw-dresden.de.               unixbuero.de.
 iks-jena.de.                  verein-kiekin.de.
 ipse-online.de.               wartenbergerhof.de.
 judo-dresden.de.              wikileaks.de.
 ombudschaft.de.               zrb-kiekin.de.
 ombudschaft-jugendhilfe.de.

Among other oddities:

 dig +dnssec dnskey [zone] gives the right answer *without* the ad bit
 dig +dnssec soa [zone] gives SERVFAIL, unless +cd is used as well.

--
Chris Thompson
Email: c...@cam.ac.uk


Re: Why DNSSEC errors for bund.de?

2011-05-24 Thread Chris Thompson

On May 24 2011, I wrote:

[...]

That seems almost certain to be the precipitating event, in fact.
I can produce the same effect for all 31 zones that are both registered
in dlv.isc.org *and* have a DS record in dlv.isc.org:


Aaargh ... I meant "*and* have a DS record in de", of course.

--
Chris Thompson
Email: c...@cam.ac.uk
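The three-probe triage Chris describes (DNSKEY with +dnssec, SOA with +dnssec, then SOA again with +cd) can be scripted so that a list of zones is checked the same way each time. The Python below is an added example, not from the thread: classify_header reads dig's header lines the way Chris reads them (rcode plus presence of the ad bit), diagnose gives this example's own interpretation of the three results, and probe_zone shells out to dig and therefore needs network access and a validating resolver. The zone names in the main block are from Chris's list; everything else (function names, the diagnosis labels) is this example's own.

```python
"""Classify dig replies by rcode and the AD flag, and interpret the three-probe
pattern from the thread: DNSKEY +dnssec, SOA +dnssec, SOA +dnssec +cd.
Added example; the labels returned by diagnose() are this example's own."""
import re
import subprocess

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+),")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);", re.MULTILINE)


def classify_header(dig_output):
    """'validated' = NOERROR with the ad bit, 'unvalidated' = NOERROR without it,
    'servfail', or 'other' for anything else (NXDOMAIN, REFUSED, no header)."""
    m = STATUS_RE.search(dig_output)
    if not m:
        return "other"
    status = m["status"]
    if status == "SERVFAIL":
        return "servfail"
    if status != "NOERROR":
        return "other"
    f = FLAGS_RE.search(dig_output)
    flags = f["flags"].split() if f else []
    return "validated" if "ad" in flags else "unvalidated"


def diagnose(dnskey, soa, soa_cd):
    """A SERVFAIL that disappears with +cd means the data is reachable but the
    validator rejected the chain; a SERVFAIL that stays with +cd is a plain
    resolution problem; NOERROR without ad means nothing was validated."""
    if soa == "servfail" and soa_cd != "servfail":
        return "validation-failure"
    if soa == "servfail" and soa_cd == "servfail":
        return "resolution-failure"
    if soa == "validated" and dnskey == "validated":
        return "validated"
    if "unvalidated" in (dnskey, soa):
        return "insecure-or-unvalidated"
    return "unknown"


def run_dig(zone, qtype, resolver=None, cd=False):
    """Run dig (network access needed) and return its stdout. +noall +comments
    keeps just the header, flags and section lines that classify_header needs."""
    cmd = ["dig", "+dnssec", "+noall", "+comments"]
    if cd:
        cmd.append("+cd")
    if resolver:
        cmd.append(f"@{resolver}")
    cmd += [zone, qtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def probe_zone(zone, resolver=None):
    dnskey = classify_header(run_dig(zone, "DNSKEY", resolver))
    soa = classify_header(run_dig(zone, "SOA", resolver))
    soa_cd = classify_header(run_dig(zone, "SOA", resolver, cd=True))
    return {"dnskey": dnskey, "soa": soa, "soa+cd": soa_cd,
            "diagnosis": diagnose(dnskey, soa, soa_cd)}


if __name__ == "__main__":
    import sys
    # Optional argv[1]: the validating resolver to ask; default is the system one.
    resolver = sys.argv[1] if len(sys.argv) > 1 else None
    for zone in ("bund.de", "wikileaks.de"):   # two zones from Chris's list
        print(zone, probe_zone(zone, resolver))
```

The pattern Chris reports (DNSKEY answered without ad, SOA SERVFAIL, SOA fine with +cd) maps to "validation-failure" here, which separates it from an unreachable zone before anyone starts reading RRSIG validity windows by hand.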



subdomain delegation question #2: (simple config)

2011-05-24 Thread dalton stickney
Hi all.

I have set up a simple bind config to test this. I am very obviously
missing something simple here, but I can't figure out what it is for
some reason.
I am trying to delegate name servers for the subdomain
sccnj04.example.com to ns sip.example.com.

When I dig I get no error, but also no answer:

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> ns sccnj04.example.com @ns1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8850
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sccnj04.example.com.   IN  NS

;; AUTHORITY SECTION:
example.com.            86400   IN      SOA     ns1.example.com. hostmaster.example.com. 2011052405 3600 900 864000 86400

;; Query time: 0 msec
;; SERVER: 10.1.0.8#53(10.1.0.8)
;; WHEN: Tue May 24 13:08:03 2011
;; MSG SIZE  rcvd: 88


Here is my simple config:

named.conf


options {
   directory "/var/named";
   version "Nope.";
};

zone "example.com" in {
  type master;
  file "example.com";
};

Here is the zone file:

$TTL 86400

; Start of Authority
example.com.    86400  IN SOA   ns1.example.com. hostmaster.example.com. (
                2011052405 ; Serial
                3600       ; Refresh
                900        ; Retry
                864000     ; Expire
                86400      ; Min TTL
                )
; Host

sip.example.com.    IN A 10.1.0.8
; Nameserver
example.com.        IN NS ns1.example.com.

$ORIGIN sccnj04.example.com.
sccnj04 IN NS sip.example.com.

Thanks for any help or insight. I know I'm missing something obvious here.

Thanks,
Dalton


Limiting DDoS attacks on a nameserver

2011-05-24 Thread /dev/rob0
I'm being hit by a collection of scoundrels all using source port 53, 
seeking 'x.kyuhhh.strangled.net/TXT/IN'. No, I am not authoritative 
for that name. This happened on cardinal.lizella.net.

Attackers:
=
50.19.102.31 :: ec2-50-19-102-31.compute-1.amazonaws.com.
50.19.106.0 :: ec2-50-19-106-0.compute-1.amazonaws.com.
66.228.54.207 :: li296-207.members.linode.com.
67.21.85.227 :: 227.85.21.67.in-addr.arpa not found: 2(SERVFAIL)
    network:NetName:MICHAEL-STOWE-67.21.85.192
    network:OrgName:RAVENOUS-NETWORKS
68.243.98.206 :: 68-243-98-206.pools.spcsdns.net.
108.118.122.235 :: 108-118-122-235.pools.spcsdns.net.
(NXDOMAIN, but owned by Sprint)
173.137.7.112 :: 173-137-7-112.pools.spcsdns.net.
174.151.36.3 :: 174-151-36-3.pools.spcsdns.net.
174.97.168.166 :: cpe-174-097-168-166.nc.res.rr.com.
174.97.171.72 :: cpe-174-097-171-072.nc.res.rr.com.
184.254.7.84 :: 184-254-7-84.pools.spcsdns.net.
(NXDOMAIN, but owned by Sprint)
184.73.197.248 :: ec2-184-73-197-248.compute-1.amazonaws.com.

Logs of the last one:

May 24 01:13:45 cardinal named[1096]: client 184.73.197.248#53: query 
(cache) 'x.kyuhhh.strangled.net/TXT/IN' denied
May 24 01:14:15 cardinal last message repeated 956 times
May 24 01:15:15 cardinal last message repeated 1998 times
May 24 01:16:15 cardinal last message repeated 2886 times
May 24 01:17:15 cardinal last message repeated 3839 times
May 24 01:18:15 cardinal last message repeated 3872 times
May 24 01:19:15 cardinal last message repeated 3952 times
May 24 01:20:15 cardinal last message repeated 3981 times
May 24 01:21:10 cardinal last message repeated 3530 times
May 24 01:21:11 cardinal named[1096]: client 184.73.197.248#53: query 
(cache) 'x.kyuhhh.strangled.net/TXT/IN' denied
May 24 01:21:42 cardinal last message repeated 1973 times
May 24 01:22:43 cardinal last message repeated 3925 times
May 24 01:23:44 cardinal last message repeated 3849 times
May 24 01:24:45 cardinal last message repeated 3850 times
May 24 01:25:45 cardinal last message repeated 3857 times
May 24 01:26:24 cardinal last message repeated 2457 times

If you're keeping score at home, that was 44927 until I blocked it in 
the firewall. Another 4695 hits on the firewall means it did almost 
50K queries in approximately 13-15 minutes total.

All the attackers were doing similar things, but most were not so 
easy to calculate the total for, because at 2011-05-23 01:12 UTC there 
were two of them hitting at the same time. And that also leads to an 
interesting observation: when there were two hitting, there were 
*exactly* two. One would stop, and another (which might have been 
previously attacking) would take its place. This kept up until 01:39, 
when I saw the activity and blocked the offending (spoofed?) IP 
addresses in the firewall.

Above is all that I have seen so far on 2011-05-24, but there too the 
timing is interesting: it leads me to believe I can expect a resumed 
assault at 01:10-:15 UTC tonight. But since some of the attacking IP 
addresses might already be blocked, it might not show in the log.

Questions:
=
1. What is this? Is it targeted at me (my site) personally, or some 
   kind of worm/malware crawling the Internet?
2. Is it harming me, other than the waste of bandwidth and logging?
3. Is there anything that I can (or should) do with named to limit
   or mitigate these attacks?
  3a. Can named trigger an external action on receipt of a certain
  query?
4. What can be done outside of named about this?
  4a. fail2ban, I know about, but would rather not.
  4b. Linux iptables -m recent connection limiting

Linux iptables "recent" match:
=
I know how to do this; in fact I have firewalls limiting both SSH and 
SIP access using -m recent rules. What I am not so sure about: how 
much is a "safe" limit? I think if I set a limit of maybe a hundred
queries in 10 seconds, I would stop this kind of attack without 
affecting normal resolution.

In a related matter, as noted, this attack was all on source port 53. 
It's not safe to block source port 53, is it? I suppose there are 
lots of broken resolvers out there which are still using source port 
53. But maybe my "recent" limitations should only apply to --sport 53 
queries?

Here is what I did with -m recent for SIP:
http://www.spinics.net/lists/netfilter/msg49676.html
The approach for DNS, at least on the UDP side, will have to be 
similar, because this whole attack would be in conntrack --ctstate 
ESTABLISHED (after the initial refused query.)
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
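The per-client totals above were worked out by hand from syslog's "last message repeated N times" compression. The Python below is an added example, not from the post: it reconstructs those totals and the peak rate from lines of exactly that shape, crediting each repeat line to the client of the preceding named message (which is how syslog produced it), and flags clients whose peak rate would exceed the 100-queries-in-10-seconds limit floated in the post. SAMPLE_LOG is the post's own log lines for the last attacker with the mail-wrapped lines rejoined; the function names and the summary fields are this example's own.

```python
"""Size a query flood per client from BIND 'query ... denied' syslog lines,
expanding 'last message repeated N times' (added example, not from the post)."""
import re
from datetime import datetime

# Constructed sample: the post's log lines for the last attacker, with the two
# lines that the mail client wrapped joined back into single syslog lines.
SAMPLE_LOG = """\
May 24 01:13:45 cardinal named[1096]: client 184.73.197.248#53: query (cache) 'x.kyuhhh.strangled.net/TXT/IN' denied
May 24 01:14:15 cardinal last message repeated 956 times
May 24 01:15:15 cardinal last message repeated 1998 times
May 24 01:16:15 cardinal last message repeated 2886 times
May 24 01:17:15 cardinal last message repeated 3839 times
May 24 01:18:15 cardinal last message repeated 3872 times
May 24 01:19:15 cardinal last message repeated 3952 times
May 24 01:20:15 cardinal last message repeated 3981 times
May 24 01:21:10 cardinal last message repeated 3530 times
May 24 01:21:11 cardinal named[1096]: client 184.73.197.248#53: query (cache) 'x.kyuhhh.strangled.net/TXT/IN' denied
May 24 01:21:42 cardinal last message repeated 1973 times
May 24 01:22:43 cardinal last message repeated 3925 times
May 24 01:23:44 cardinal last message repeated 3849 times
May 24 01:24:45 cardinal last message repeated 3850 times
May 24 01:25:45 cardinal last message repeated 3857 times
May 24 01:26:24 cardinal last message repeated 2457 times
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
DENIED_RE = re.compile(TS + r" \S+ named\[\d+\]: client (?P<client>[^#]+)#(?P<port>\d+): "
                       r"query \(cache\) '(?P<qname>[^']+)' denied$")
REPEAT_RE = re.compile(TS + r" \S+ last message repeated (?P<n>\d+) times$")


def parse_ts(raw, year):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {' '.join(raw.split())}", "%Y %b %d %H:%M:%S")


def aggregate(log_text, year=2011):
    """Per-client totals. A repeat line is credited to the client of the
    preceding named message, which is exactly how syslog compressed it."""
    stats, prev_client, prev_ts = {}, None, None
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = parse_ts(m["ts"], year)
            s = stats.setdefault(m["client"], {
                "total": 0, "first": ts, "last": ts, "peak_per_sec": 0.0,
                "qnames": set(), "src_ports": set()})
            s["total"] += 1
            s["last"] = ts
            s["qnames"].add(m["qname"])
            s["src_ports"].add(int(m["port"]))
            prev_client, prev_ts = m["client"], ts
            continue
        m = REPEAT_RE.match(line)
        if m and prev_client is not None:
            ts, n = parse_ts(m["ts"], year), int(m["n"])
            s = stats[prev_client]
            s["total"] += n
            s["last"] = ts
            secs = max((ts - prev_ts).total_seconds(), 1.0)
            s["peak_per_sec"] = max(s["peak_per_sec"], n / secs)
            prev_ts = ts
    return stats


def offenders(stats, limit=100, window_secs=10):
    """Clients whose peak rate would exceed `limit` queries per `window_secs`,
    the threshold the post floats for an iptables -m recent rule."""
    return sorted(c for c, s in stats.items() if s["peak_per_sec"] * window_secs > limit)


def summary(stats):
    out = {}
    for client, s in stats.items():
        dur = max((s["last"] - s["first"]).total_seconds(), 1.0)
        out[client] = {"total": s["total"], "seconds": dur,
                       "avg_per_sec": round(s["total"] / dur, 1),
                       "peak_per_sec": round(s["peak_per_sec"], 1),
                       "from_port_53": s["src_ports"] == {53},
                       "qnames": sorted(s["qnames"])}
    return out


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG)
    for client, row in summary(stats).items():
        print(client, row)
    print("over limit:", offenders(stats))
```

On the sample the total comes out at 44927, matching the figure in the post, and the busiest one-minute interval runs at roughly 66 queries per second, so a limit of 100 queries per 10 seconds would trip within the first second or two while leaving an ordinary resolver's rate untouched. The from_port_53 field records the source-port observation the post makes, which is what would let a rate rule be scoped to --sport 53 traffic only.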


Re: subdomain delegation question #2: (simple config)

2011-05-24 Thread Andrey G. Sergeev (AKA Andris)
Hi Dalton,


Tue, 24 May 2011 10:09:00 -0700 dalton stickney wrote:

> Hi all.
> 
> I have set up a simple bind config to test this. I am very obviously
> missing something simple here, but I can't figure out what it is for
> some reason.
> I am trying to delegate name servers for the subdomain
> sccnj04.example.com to ns sip.example.com.
> 
> When I dig I get no error, but also no answer:
> 
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> ns
> sccnj04.example.com @ns1
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8850
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL:
> 0
> 
> ;; QUESTION SECTION:
> ;sccnj04.example.com. IN  NS
> 
> ;; AUTHORITY SECTION:
> example.com.  86400   IN  SOA ns1.example.com. 
> hostmaster.example.com.
> 2011052405 3600 900 864000 86400
> 
> ;; Query time: 0 msec
> ;; SERVER: 10.1.0.8#53(10.1.0.8)
> ;; WHEN: Tue May 24 13:08:03 2011
> ;; MSG SIZE  rcvd: 88
> 
> 
> Here is my simple config:
> 
> named.conf
> 
> 
> options {
>directory "/var/named";
>version "Nope.";
> };
> 
> zone "example.com" in {
>   type master;
>   file "example.com";
> };
> 
> Here is the zone file:
> 
> $TTL 86400
> 
> ; Start of Authority
> example.com. 86400 IN SOA   ns1.example.com. hostmaster.example.com. (
> 2011052405 ; Serial
> 3600   ; Refresh
> 900; Retry
> 864000 ; Expire
> 86400  ; Min TTL
> )
> ; Host
> 
> sip.example.com.   IN A 10.1.0.8
> ; Nameserver
> example.com.   IN NS ns1.example.com.
> 
> $ORIGIN sccnj04.example.com.
> sccnj04IN NS sip.example.com.
^
Your current $ORIGIN is sccnj04.example.com, so the non-FQDN label
"sccnj04" at the line above would be sccnj04.sccnj04.example.com when
converted to FQDN.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Deny MX query

2011-05-24 Thread Igor da Silva Cagnin
Hi list,

I have a question about queries; in fact I'd like to deny just MX-type queries.
Other query types must be available. Is it possible?

Thanks

--
Igor Cagnin
Email: icag...@timbrasil.com.br




Re: subdomain delegation question #2: (simple config)

2011-05-24 Thread Eivind Olsen
dalton stickney wrote:

> ;; QUESTION SECTION:
> ;sccnj04.example.com. IN  NS

So, you ask for sccnj04.example.com, but apparently that's not what you
have in your zonefile:

> $ORIGIN sccnj04.example.com.
> sccnj04   IN NS sip.example.com.

The $ORIGIN will be appended here to the non-FQDN, meaning you really have:

sccnj04.sccnj04.example.com.  IN NS sip.example.com.

Regards
Eivind Olsen
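Both answers come down to how named qualifies an owner name against the current $ORIGIN. The Python below is an added example, not from the thread and not BIND's parser: a small zone-file reader that applies $ORIGIN, appends it to names without a trailing dot, expands "@", carries the previous owner forward on indented lines and joins parenthesised SOA records, then lists the delegations the zone actually contains. BROKEN_ZONE is Dalton's zone file as posted (delegation line unchanged); FIXED_ZONE is the same file with the delegation written as "@" under his $ORIGIN, one way to get the owner he intended. It ignores $INCLUDE and quoted semicolons, which the posted file does not use.

```python
"""Expand owner names in a BIND-style zone file the way named does, so the
effect of $ORIGIN on an unqualified name can be seen before the zone is loaded
(added example; not BIND's parser, and it ignores quoted ';' and $INCLUDE)."""


def qualify(name, origin):
    """'@' is the origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(zone_text):
    """Strip comments and join parenthesised multi-line records into one line."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def resolve_owners(zone_text, default_origin):
    """Return [(fully qualified owner, rest of the record)] for every RR."""
    origin = default_origin.rstrip(".") + "."
    records, last_owner = [], None
    for line in logical_lines(zone_text):
        fields = line.replace("(", " ").replace(")", " ").split()
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1], origin)
            continue
        if fields[0] == "$TTL":
            continue
        if line[0] in " \t":          # leading blank: owner carried forward
            owner = last_owner
        else:
            owner = qualify(fields[0], origin)
            fields = fields[1:]
        last_owner = owner
        records.append((owner, " ".join(fields)))
    return records


def delegations(records, zone_origin):
    """NS records below the apex, i.e. what the zone actually delegates."""
    apex = zone_origin.rstrip(".") + "."
    out = []
    for owner, rest in records:
        f = rest.split()
        if "NS" in f and owner != apex:
            out.append((owner, f[f.index("NS") + 1]))
    return out


# Constructed from Dalton's zone file (the delegation line is his, unchanged).
BROKEN_ZONE = """\
$TTL 86400
; Start of Authority
example.com.    86400 IN SOA ns1.example.com. hostmaster.example.com. (
                2011052405 ; Serial
                3600       ; Refresh
                900        ; Retry
                864000     ; Expire
                86400      ; Min TTL
                )
; Host
sip.example.com.    IN A 10.1.0.8
; Nameserver
example.com.        IN NS ns1.example.com.

$ORIGIN sccnj04.example.com.
sccnj04 IN NS sip.example.com.
"""

# Same zone with the delegation written at the $ORIGIN itself ('@'), which
# yields the owner name Dalton intended.
FIXED_ZONE = BROKEN_ZONE.replace("sccnj04 IN NS sip.example.com.",
                                 "@       IN NS sip.example.com.")

if __name__ == "__main__":
    for label, text in (("as posted", BROKEN_ZONE), ("with '@'", FIXED_ZONE)):
        print(label, "->", delegations(resolve_owners(text, "example.com."), "example.com."))
```

Writing the delegation with a fully qualified owner (sccnj04.example.com. IN NS sip.example.com.) and dropping the $ORIGIN line gives the same result; the point is that whichever form is used, the owner the parser produces is what the dig for sccnj04.example.com NS is matched against.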




IPv4 & IPv6 named processes on a dual stack host

2011-05-24 Thread Timothy Stoddard
List,

Has anyone run into an issue with two named processes running on the same
host?  We want to begin serving up DNS on our IPv6 address space and do not
want to duplicate each of our DNS servers.  We have started two named
processes, one with the "-6" option.  All seems to be working.  I am concerned
how journal files will be handled.  Question: will the "-4" named process
coexist with "-6" on the same box?


OS:  FBSD 8.2-Release
Bind 9.8.0 (from ports)
DHCP 4.1

--
Tim

Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Lightner, Jeff
Is anyone else seeing odd results with news.google.com?   My BIND 9
master and slave are getting different results.   If I go out to other
sites such as Kloth.net or iptools.com they also get different results
from each other and different from what my master and slave are
reporting.

 

I'm running BIND 9.3 (The RedHat version that has backported patches and
enhancements from later BIND versions in it so please don't tell me to
use a newer version.)

 

On doing some research I found that Google has made a couple of changes
in the past week or so affecting their news stuff. The one that seems
like it might explain why Kloth.net, iptools.com and my server get
different answers is the May 13th introduction of "news near you"
discussed in this article:

http://www.pcmag.com/article2/0,2817,2385369,00.asp

 

That is aimed at mobile devices but I could see how they might also try
to make it work with static sites.   However it wouldn't explain why
both my servers coming from the same location would get different
results.   I'm thinking maybe there is something else obvious I'm
missing.

 

I am not caching on these servers and have bounced named on both but it
didn't help.

 

Does anyone have any ideas?   Other than the fact that they're master
and slave with different IPs and setup to talk to each other the
named.conf on both hosts is the same.   They both have the same OS and
same hardware.   Also we have some Windows DNS servers in house and they
seem to be giving the same results as my slave so the master appears to
be the odd man out.

  

When I run "dig news.google.com" from my BIND 9 master I'm getting:

; <<>> DiG 9.3.4-P1 <<>> news.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46508
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;news.google.com.               IN      A

;; ANSWER SECTION:
news.google.com.        603615  IN      CNAME   news.l.google.com.
news.l.google.com.      300     IN      A       72.14.209.99
news.l.google.com.      300     IN      A       72.14.209.104

;; AUTHORITY SECTION:
google.com.             170523  IN      NS      ns1.google.com.
google.com.             170523  IN      NS      ns2.google.com.
google.com.             170523  IN      NS      ns3.google.com.
google.com.             170523  IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns3.google.com.         344424  IN      A       216.239.36.10
ns4.google.com.         343339  IN      A       216.239.38.10

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 24 14:17:14 2011
;; MSG SIZE  rcvd: 190

Yet on my slave I get:

; <<>> DiG 9.3.4-P1 <<>> news.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30872
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;news.google.com.               IN      A

;; ANSWER SECTION:
news.google.com.        603986  IN      CNAME   news.l.google.com.
news.l.google.com.      300     IN      A       74.125.65.99
news.l.google.com.      300     IN      A       74.125.65.103
news.l.google.com.      300     IN      A       74.125.65.104
news.l.google.com.      300     IN      A       74.125.65.105
news.l.google.com.      300     IN      A       74.125.65.106
news.l.google.com.      300     IN      A       74.125.65.147

;; AUTHORITY SECTION:
google.com.             171986  IN      NS      ns4.google.com.
google.com.             171986  IN      NS      ns1.google.com.
google.com.             171986  IN      NS      ns2.google.com.
google.com.             171986  IN      NS      ns3.google.com.

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 24 14:18:03 2011
;; MSG SIZE  rcvd: 222
 

Re: Deny MX query

2011-05-24 Thread Eivind Olsen
Igor da Silva Cagnin wrote:

> I have a question about queries; in fact I'd like to deny just MX-type queries.
> Other query types must be available. Is it possible?

Not with a regular BIND 9, no - at least not that I'm aware of.
I guess it can be done by hacking the source code, but is it worth it?

Regards
Eivind Olsen




Re: IPv4 & IPv6 named processes on a dual stack host

2011-05-24 Thread Christian Laursen

On 05/24/11 20:22, Timothy Stoddard wrote:

List,

Has anyone run into an issue with two named processes running on the
same host?  We want to begin serving up DNS on our IPv6 address space
and do not want to duplicate each of our DNS servers.  We have started
two named processes, one with the "-6" option.  All seems to be working.  I
am concerned how journal files will be handled.  Question: will the "-4"
named process coexist with "-6" on the same box?


Why not just have the one process listen on both IPv4 and IPv6?

It seems a bit simpler and works perfectly.

--
Christian Laursen


Re: IPv4 & IPv6 named processes on a dual stack host

2011-05-24 Thread Eivind Olsen
Timothy Stoddard wrote:

> Has anyone run into an issue with two named processes running on the same
> host?  We want to begin serving up DNS on our IPv6 address space and do
> not
> want to duplicate each of our DNS servers.  We have started two named
> processes, one with the "-6" option.  All seems to be working.  I am concerned
> how journal files will be handled.  Question: will the "-4" named process
> coexist with "-6" on the same box?

Well, I guess it should work, assuming you let it deal with separate
files/directories and don't mix too much between the two instances.

But - why would you prefer to do 2 separate instances, instead of just
having 1 listening on both IPv4 and IPv6? Just run it without any "-4" or
"-6" options, and tell it to listen to your IPv6-address(es) as well, with
adding something like this to your options block in named.conf:

listen-on-v6 { any; };

I see you mention you run ISC DHCP 4.1 of some version: yes, the DHCP
software can currently only run either IPv4 or IPv6. BIND can easily deal
with both protocols at the same time.

Regards
Eivind Olsen




Re: Deny MX query

2011-05-24 Thread Warren Kumari

On May 24, 2011, at 1:55 PM, Igor da Silva Cagnin wrote:

> Hi list,
>  
> I have a question about queries; in fact I’d like to deny just MX-type queries.
> Other query types must be available. Is it possible?


Yes.

1: Don't list the MX record in your zone.

or

2: Have multiple views, one with MX records, one without

If you are talking about for a recursive resolver, then, no, not that I know 
of...

W


>  
> Thanks
>  
> --
> Igor Cagnin
> Email: icag...@timbrasil.com.br
>  
>  
>  



Re: Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Eivind Olsen
Lightner, Jeff wrote:
> Is anyone else seeing odd results with news.google.com?   My BIND 9
> master and slave are getting different results.   If I go out to other

Normally, you'd have master/slave nameservers in different networks - is
this the case here as well for your servers? Will their outgoing queries
to the Google nameservers come from completely different source
IP-addresses?

I see different results as well when I look up news.google.com from my
different servers on different continents - so it does look like Google
are giving different replies depending on where you come from.

Regards
Eivind Olsen
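Comparing what two resolvers return is the check Eivind is suggesting, and it is the same check used to tell a CDN steering its answers by vantage point apart from a resolver that is actually returning wrong data. The Python below is an added example, not from the thread: it parses the ANSWER section out of two dig outputs, diffs the records ignoring TTL, and collapses the A records on each side to /24 blocks so the shape of the difference is visible at a glance. MASTER and SLAVE are Jeff's two dig outputs from the first post, trimmed to the sections the parser uses and with the column whitespace restored; the function names are this example's own.

```python
"""Diff the ANSWER sections of two dig runs so a difference can be attributed:
same names but different address blocks looks like geolocation-style steering,
while an unexpected name or a record missing on one side deserves a closer
look (added example, not from the thread)."""
import ipaddress
import re

RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S.*?)\s*$")

# Constructed from the two dig outputs in the first post (whitespace restored).
MASTER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46508
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;news.google.com.               IN      A

;; ANSWER SECTION:
news.google.com.        603615  IN      CNAME   news.l.google.com.
news.l.google.com.      300     IN      A       72.14.209.99
news.l.google.com.      300     IN      A       72.14.209.104

;; AUTHORITY SECTION:
google.com.             170523  IN      NS      ns1.google.com.
"""

SLAVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30872
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;news.google.com.               IN      A

;; ANSWER SECTION:
news.google.com.        603986  IN      CNAME   news.l.google.com.
news.l.google.com.      300     IN      A       74.125.65.99
news.l.google.com.      300     IN      A       74.125.65.103
news.l.google.com.      300     IN      A       74.125.65.104
news.l.google.com.      300     IN      A       74.125.65.105
news.l.google.com.      300     IN      A       74.125.65.106
news.l.google.com.      300     IN      A       74.125.65.147

;; AUTHORITY SECTION:
google.com.             171986  IN      NS      ns4.google.com.
"""


def answer_records(dig_output):
    """{(owner, type, rdata): ttl} for the ANSWER SECTION only."""
    records, in_answer = {}, False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):      # the next section header ends it
            in_answer = False
            continue
        if in_answer:
            m = RR_RE.match(line)
            if m:
                records[(m["name"], m["type"], m["rdata"])] = int(m["ttl"])
    return records


def compare(out_a, out_b):
    """Records only on side A, only on side B, and on both (TTLs ignored)."""
    a, b = answer_records(out_a), answer_records(out_b)
    return {"only_a": sorted(set(a) - set(b)),
            "only_b": sorted(set(b) - set(a)),
            "common": sorted(set(a) & set(b))}


def address_blocks(records, prefixlen=24):
    """Collapse the A records in a record list to their /prefixlen networks."""
    return sorted({str(ipaddress.ip_network(f"{rdata}/{prefixlen}", strict=False))
                   for _, rtype, rdata in records if rtype == "A"})


if __name__ == "__main__":
    diff = compare(MASTER, SLAVE)
    print("common:", diff["common"])
    print("master only:", address_blocks(diff["only_a"]), diff["only_a"])
    print("slave only:", address_blocks(diff["only_b"]), diff["only_b"])
```

On Jeff's outputs the CNAME is identical on both sides and every address differs, with the master's answers all in 72.14.209.0/24 and the slave's all in 74.125.65.0/24: consistent with the two servers being steered to different clusters rather than with either of them holding a corrupt answer.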




Re: Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Warren Kumari

On May 24, 2011, at 2:28 PM, Lightner, Jeff wrote:

> Is anyone else seeing odd results with news.google.com?   My BIND 9 master 
> and slave are getting different results.  


Presumably your slave and master are in different subnets?

Google (and many other large networks) perform geolocation and hand out A 
records that are "close" to your resolver. Presumably we believe that 
72.14.209.99 is (network wise) close to your master and 74.125.65.99 is close 
to your slave.

If you provide IPs and actual locations for your slaves and master I can 
check

W


> If I go out to other sites such as Kloth.net or iptools.com they also get 
> different results from each other and different from what my master and slave 
> are reporting.
>  
> I’m running BIND 9.3 (The RedHat version that has backported patches and 
> enhancements from later BIND versions in it so please don’t tell me to use a 
> newer version.)
>  
> On doing some research I found that Google has made a couple of changes in 
> the past week or so affecting their news stuff. The one that seems like it 
> might explain why Kloth.net, iptools.com and my server get different answers 
> is the May 13th introduction of “news near you” discussed in this article:
> http://www.pcmag.com/article2/0,2817,2385369,00.asp
>  
> That is aimed at mobile devices but I could see how they might also try to 
> make it work with static sites.   However it wouldn’t explain why both my 
> servers coming from the same location would get different results.   I’m 
> thinking maybe there is something else obvious I’m missing.
>  
> I am not caching on these servers and have bounced named on both but it 
> didn’t help.   
>  
> Does anyone have any ideas?   Other than the fact that they’re master and 
> slave with different IPs and setup to talk to each other the named.conf on 
> both hosts is the same.   They both have the same OS and same hardware.   
> Also we have some Windows DNS servers in house and they seem to be giving the 
> same results as my slave so the master appears to be the odd man out.
>  
> When I run “dig news.google.com” from my BIND 9 master I’m getting:
> ; <<>> DiG 9.3.4-P1 <<>> news.google.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46508
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 2
>  
> ;; QUESTION SECTION:
> ;news.google.com.   IN  A
>  
> ;; ANSWER SECTION:
> news.google.com.        603615  IN  CNAME   news.l.google.com.
> news.l.google.com.  300 IN  A   72.14.209.99
> news.l.google.com.  300 IN  A   72.14.209.104
>  
> ;; AUTHORITY SECTION:
> google.com. 170523  IN  NS  ns1.google.com.
> google.com. 170523  IN  NS  ns2.google.com.
> google.com. 170523  IN  NS  ns3.google.com.
> google.com. 170523  IN  NS  ns4.google.com.
>  
> ;; ADDITIONAL SECTION:
> ns3.google.com. 344424  IN  A   216.239.36.10
> ns4.google.com. 343339  IN  A   216.239.38.10
>  
> ;; Query time: 6 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue May 24 14:17:14 2011
> ;; MSG SIZE  rcvd: 190
>  
> Yet on my slave I get:
> ; <<>> DiG 9.3.4-P1 <<>> news.google.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30872
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 0
>  
> ;; QUESTION SECTION:
> ;news.google.com.   IN  A
>  
> ;; ANSWER SECTION:
> news.google.com.        603986  IN  CNAME   news.l.google.com.
> news.l.google.com.  300 IN  A   74.125.65.99
> news.l.google.com.  300 IN  A   74.125.65.103
> news.l.google.com.  300 IN  A   74.125.65.104
> news.l.google.com.  300 IN  A   74.125.65.105
> news.l.google.com.  300 IN  A   74.125.65.106
> news.l.google.com.  300 IN  A   74.125.65.147
>  
> ;; AUTHORITY SECTION:
> google.com. 171986  IN  NS  ns4.google.com.
> google.com. 171986  IN  NS  ns1.google.com.
> google.com. 171986  IN  NS  ns2.google.com.
> google.com. 171986  IN  NS  ns3.google.com.
>  
> ;; Query time: 5 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue May 24 14:18:03 2011
> ;; MSG SIZE  rcvd: 222
>  
>  

Re: IPv4 & IPv6 named processes on a dual stack host

2011-05-24 Thread Doug Barton

On 05/24/2011 11:22, Timothy Stoddard wrote:

List,

Has anyone run into an issue with two named processes running on the
same host?  We want to begin serving up DNS on our IPv6 address space
and do not want to duplicate each of our DNS servers.  We have started
two named processes, one with the "-6" option.  All seems to be working.  I
am concerned how journal files will be handled.  Question: will the "-4"
named process coexist with "-6" on the same box?


I'm confused. Why not just have the same process listen on both addresses?

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/



RE: Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Lightner, Jeff
They aren't in different subnets from an internet perspective and are
not geographically separated.   (Yes, I know that's not best practice, but I
don't make those decisions.)

The master is dswadns1.water.com at 12.44.84.213 and the slave is
dswadns2.water.com at 12.44.84.214.

The fact they are not in different locations or in a separate subnet is
why I don't understand why I'd be getting separate "location specific"
IPs handed to the two servers.

-Original Message-
From: Warren Kumari [mailto:war...@kumari.net] 
Sent: Tuesday, May 24, 2011 4:06 PM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: Getting different name resolution for news.google.com from
master and slave BIND


On May 24, 2011, at 2:28 PM, Lightner, Jeff wrote:

> Is anyone else seeing odd results with news.google.com?   My BIND 9
master and slave are getting different results.  


Presumably your slave and master are in different subnets?

Google (and many other large networks) perform geolocation and hand out
A records that are "close" to your resolver. Presumably we believe that
72.14.209.99 is (network-wise) close to your master and 74.125.65.99 is
close to your slave.

If you provide IPs and actual locations for your slaves and master I can
check

W


> If I go out to other sites such as Kloth.net or iptools.com they also
get different results from each other and different from what my master
and slave are reporting.
>  
> I'm running BIND 9.3 (The RedHat version that has backported patches
and enhancements from later BIND versions in it so please don't tell me
to use a newer version.)
>  
> On doing some research I found that Google has made a couple of
changes in the past week or so affecting their news stuff.The one
that seems like it might explain why Kloth.net, iptools.com and my
server get different answers is the May 13th introduction of "news near
you" discussed in this article:
> http://www.pcmag.com/article2/0,2817,2385369,00.asp
>  
> That is aimed at mobile devices but I could see how they might also
try to make it work with static sites.   However it wouldn't explain why
both my servers coming from the same location would get different
results.   I'm thinking maybe there is something else obvious I'm
missing.
>  
> I am not caching on these servers and have bounced named on both but
it didn't help.   
>  
> Does anyone have any ideas?   Other than the fact that they're master
and slave with different IPs and setup to talk to each other the
named.conf on both hosts is the same.   They both have the same OS and
same hardware.   Also we have some Windows DNS servers in house and they
seem to be giving the same results as my slave so the master appears to
be the odd man out.
>  
> When I run "dig news.google.com" from my BIND 9 master I'm getting:
> ; <<>> DiG 9.3.4-P1 <<>> news.google.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46508
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 2
>  
> ;; QUESTION SECTION:
> ;news.google.com.   IN  A
>  
> ;; ANSWER SECTION:
> news.google.com.603615  IN  CNAME   news.l.google.com.
> news.l.google.com.  300 IN  A   72.14.209.99
> news.l.google.com.  300 IN  A   72.14.209.104
>  
> ;; AUTHORITY SECTION:
> google.com. 170523  IN  NS  ns1.google.com.
> google.com. 170523  IN  NS  ns2.google.com.
> google.com. 170523  IN  NS  ns3.google.com.
> google.com. 170523  IN  NS  ns4.google.com.
>  
> ;; ADDITIONAL SECTION:
> ns3.google.com. 344424  IN  A   216.239.36.10
> ns4.google.com. 343339  IN  A   216.239.38.10
>  
> ;; Query time: 6 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue May 24 14:17:14 2011
> ;; MSG SIZE  rcvd: 190
>  
> Yet on my slave I get:
> ; <<>> DiG 9.3.4-P1 <<>> news.google.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30872
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 0
>  
> ;; QUESTION SECTION:
> ;news.google.com.   IN  A
>  
> ;; ANSWER SECTION:
> news.google.com.603986  IN  CNAME   news.l.google.com.
> news.l.google.com.  300 IN  A   74.125.65.99
> news.l.google.com.  300 IN  A   74.125.65.103
> news.l.google.com.  300 IN  A   74.125.65.104
> news.l.google.com.  300 IN  A   74.125.65.105
> news.l.google.com.  300 IN  A   74.125.65.106
> news.l.google.com.  300 IN  A   74.125.65.147
>  
> ;; AUTHORITY SECTION:
> google.com. 171986  IN  NS  ns4.google.com.
> google.com. 171986  IN  NS  ns1.google.com.
> google.com. 171986  IN  NS  ns2.google.com.
> google.com. 171986  IN  NS  ns3.google.com.
>  
> ;; Query tim

Re: IPv4 & IPv6 named processes on a dual stack host

2011-05-24 Thread Mark Elkins
On Tue, 2011-05-24 at 13:22 -0500, Timothy Stoddard wrote:

> Has anyone run into an issue with two named processes running on the
> same host?  We want to begin serving up DNS on our IPv6 address space
> and do not want to duplicate each of our DNS servers.  We have started
> two named processes, one with the "-6" option.  All seems to be working.  I
> am concerned about how journal files will be handled.  Question: will the
> "-4" named process coexist with "-6" on the same box?

Are you nuts?!?

Are you planning on just serving IPv6 answers over IPv6 transport
and IPv4 answers over IPv4 transport?

Please don't try - run dual-stack (every box runs both addressing) and
have a single instance of BIND listening on both IPv4 and IPv6
transports serving both types of addresses as needed.

Your forward zone files should contain both IPv4 and IPv6 addresses
(as appropriate).
You'll obviously just need to add a suitable zone or two for your IPv6
reverses! (to match your IPv4 reverses).

-- 
  .  . ___. .__  Posix Systems - Sth Africa
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




Re: IPv4 & IPv6 named processes on a dual stack host

2011-05-24 Thread Matthew Seaman
On 24/05/2011 19:22, Timothy Stoddard wrote:
> Has anyone run into an issue with two named processes running on the same
> host?  We want to begin serving up DNS on our IPv6 address space and do not
> want to duplicate each of our DNS servers.  We have started two named
> processes, one with the "-6" option.  All seems to be working.  I am concerned
> about how journal files will be handled.  Question: will the "-4" named process
> coexist with "-6" on the same box?

Curious. Why do you think you need two named processes?  One named
process is perfectly capable of listening and serving data on both IPv4
and IPv6 interfaces simultaneously.  So for instance this is from
named.conf on my own nameserver:

listen-on {
127.0.0.1;
81.187.76.162;
};
listen-on-v6 {
::1;
2001:8b0:151:1:e2cb:4eff:fe26:6481;
};

There's nothing particularly special about the option flags I'm using --
pretty much the default FreeBSD settings other than the changes required
to run the ports version of bind rather than the base system one:

% grep named_ /etc/rc.conf
named_enable="YES"
named_program="/usr/local/sbin/named"
named_flags="-c /etc/namedb/named.conf"

Not that it makes much difference to this question, but I'm running
FreeBSD stable/8 running bind-9.8.0 from ports similarly to you.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW



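As an added illustration of the single-process dual-stack setup Matthew describes (this is not code from the thread or from BIND itself), here is a small Python check that pulls the `listen-on` and `listen-on-v6` statements out of a named.conf and flags entries whose address family does not match the statement they sit in, which is the usual way a "both stacks" configuration ends up listening on only one. The configuration text is constructed from the addresses quoted above, and the function names are my own; BIND's own default for an omitted statement is version dependent and is not modelled.

```python
import ipaddress
import re

# Constructed named.conf fragment, modelled on the listen-on / listen-on-v6
# statements quoted in this thread (addresses as posted).
SAMPLE_NAMED_CONF = """
options {
    directory "/etc/namedb";
    listen-on {
        127.0.0.1;
        81.187.76.162;
    };
    listen-on-v6 {
        ::1;
        2001:8b0:151:1:e2cb:4eff:fe26:6481;
    };
};
"""

# Matches "listen-on { ... }" and "listen-on-v6 [port N] { ... }"
_LISTEN_RE = re.compile(r'\b(listen-on(?:-v6)?)\b[^{]*\{([^}]*)\}', re.S)


def parse_listen_statements(conf_text):
    """Return {'listen-on': [...], 'listen-on-v6': [...]} holding the literal
    entries of each statement. Comments are stripped first; an absent
    statement yields an empty list (BIND's default for that case is not
    modelled here)."""
    text = re.sub(r'/\*.*?\*/', '', conf_text, flags=re.S)   # block comments
    text = re.sub(r'//.*|#.*', '', text)                     # line comments
    found = {'listen-on': [], 'listen-on-v6': []}
    for stmt, body in _LISTEN_RE.findall(text):
        for item in body.split(';'):
            item = item.strip().strip('"')
            if item:
                found[stmt].append(item)
    return found


def check_address_families(listen):
    """Flag entries whose address family does not match the statement they
    sit in. Returns a list of (statement, entry, problem); empty means OK.
    Prefix entries such as 10.0.0.0/8 are judged by their base address."""
    problems = []
    for stmt, want in (('listen-on', 4), ('listen-on-v6', 6)):
        for entry in listen[stmt]:
            if entry in ('any', 'none'):
                continue
            try:
                ip = ipaddress.ip_address(entry.lstrip('!').split('/')[0])
            except ValueError:
                problems.append((stmt, entry, 'not a literal IP address'))
                continue
            if ip.version != want:
                problems.append((stmt, entry, f'IPv{ip.version} address in {stmt}'))
    return problems


def listens_dual_stack(listen):
    """True when both statements carry at least one usable entry, i.e. a
    single named would accept queries over IPv4 and IPv6 transport."""
    def usable(entries):
        return any(e != 'none' for e in entries)
    return usable(listen['listen-on']) and usable(listen['listen-on-v6'])


if __name__ == '__main__':
    cfg = parse_listen_statements(SAMPLE_NAMED_CONF)
    print(cfg)
    print('problems:', check_address_families(cfg))
    print('dual stack:', listens_dual_stack(cfg))
```

Running it against the posted fragment reports no problems and a dual-stack listener; feeding it a file where an IPv6 literal was put under `listen-on` (a common copy-and-paste slip) reports the misplaced entry instead of silently listening on one family only.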

Re: Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Warren Kumari
And are those definitely the source addresses that the queries are coming from
(e.g. you don't have multiple interfaces / tunnels? you are not forwarding, etc.)?

W
On May 24, 2011, at 4:33 PM, Lightner, Jeff wrote:

> They aren't in different subnets from an internet perspective and are
> not geographically separated.   (Yes I know not best practice but I
> don't make those decisions.)   
> 
> The master is dswadns1.water.com at 12.44.84.213 and the slave is
> dswadns2.water.com at 12.44.84.214.
> 
> The fact they are not in different locations or in a separate subnet is
> why I don't understand why I'd be getting separate "location specific"
> IPs handed to the two servers.
> 

Re: Deny MX query

2011-05-24 Thread Grant Taylor

On 05/24/11 12:55, Igor da Silva Cagnin wrote:

> I have a doubt about queries; in fact, I'd like to deny just queries of
> type MX. Other query types must be available. Is it possible?


Would using response-policy zone filtering to alter MX queries suffice?



Grant. . . .


Re: Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread /dev/rob0
On Tue, May 24, 2011 at 02:28:42PM -0400, Lightner, Jeff wrote:
> Is anyone else seeing odd results with news.google.com?  My BIND
> 9 master and slave are getting different results.  If I go out
> to other sites such as Kloth.net or iptools.com they also get
> different results from each other and different from what my
> master and slave are reporting.

A nitpick here: the terms "master" and "slave" only apply in regards 
to authoritative name service. When you are doing recursion, this 
distinction is irrelevant.

And no, this is not odd at all. This is typical for many or most busy 
domains: they do a rudimentary form of load balancing through DNS 
results. Nothing interesting here.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


RE: Getting different name resolution for news.google.com from master and slave BIND

2011-05-24 Thread Eivind Olsen
Lightner, Jeff wrote:

> The master is dswadns1.water.com at 12.44.84.213 and the slave is
> dswadns2.water.com at 12.44.84.214.

So, they leave your network in the same way, through the same router etc?
Are they configured to use any forwarders? Stub-zones? Etc? Or do they
both talk directly out to the Internet?

Or, how about this: what do you get if you query the same Google nameserver
from both your hosts? Do you get the same results if you, for example, query
ns1.google.com with dig on both your nameservers, or do you then also
get different answers? How about if you check from a single one of your
nameservers, doing manual queries to all 4 Google nameservers (ns1 - 4)?
Same result from all 4, or different results?

Regards
Eivind Olsen


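The comparison Eivind suggests (query from each server, then compare what comes back) and Warren's point that the answers are chosen by network proximity can both be checked mechanically once dig's output is parsed. The following Python is an added example, not code from the thread: it extracts the ANSWER SECTION A records from two dig outputs, reports which addresses are shared and which differ, and collapses each side's answers to their /24 netblocks so it is visible at a glance that the two servers were handed addresses from different ranges. The two sample outputs are reconstructed from the ones Jeff posted, with the owner and TTL columns tab-separated as dig prints them; the function names are mine.

```python
import ipaddress

# Constructed sample: the master's and slave's dig output from this thread,
# rebuilt with tab-separated columns as dig prints them.
DIG_MASTER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46508
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;news.google.com.\t\tIN\tA

;; ANSWER SECTION:
news.google.com.\t603615\tIN\tCNAME\tnews.l.google.com.
news.l.google.com.\t300\tIN\tA\t72.14.209.99
news.l.google.com.\t300\tIN\tA\t72.14.209.104

;; AUTHORITY SECTION:
google.com.\t170523\tIN\tNS\tns1.google.com.
"""

DIG_SLAVE = """\
;; ANSWER SECTION:
news.google.com.\t603986\tIN\tCNAME\tnews.l.google.com.
news.l.google.com.\t300\tIN\tA\t74.125.65.99
news.l.google.com.\t300\tIN\tA\t74.125.65.103
news.l.google.com.\t300\tIN\tA\t74.125.65.104
news.l.google.com.\t300\tIN\tA\t74.125.65.105
news.l.google.com.\t300\tIN\tA\t74.125.65.106
news.l.google.com.\t300\tIN\tA\t74.125.65.147

;; AUTHORITY SECTION:
google.com.\t171986\tIN\tNS\tns4.google.com.
"""


def parse_answer_section(dig_text):
    """Return (owner, ttl, rrtype, rdata) tuples from the ANSWER SECTION of
    dig output. ';; ... SECTION:' headers switch state; other ';' lines
    (header, flags, question, timing) are comments and are skipped."""
    records, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(';;') and 'SECTION' in line:
            in_answer = 'ANSWER SECTION' in line
            continue
        if not in_answer or not line.strip() or line.startswith(';'):
            continue
        owner, ttl, _cls, rrtype, rdata = line.split(None, 4)
        records.append((owner, int(ttl), rrtype, rdata))
    return records


def a_records(records):
    """The set of IPv4 addresses carried in the A records."""
    return {rdata for _, _, rrtype, rdata in records if rrtype == 'A'}


def netblocks(addresses, prefixlen=24):
    """Collapse addresses to the /prefixlen networks they fall in."""
    return {str(ipaddress.ip_network(f'{a}/{prefixlen}', strict=False))
            for a in addresses}


def compare_answers(dig_a, dig_b, prefixlen=24):
    """Diff the A answer sets of two dig runs: shared addresses, addresses
    seen only on each side, and the netblocks each side was handed."""
    set_a = a_records(parse_answer_section(dig_a))
    set_b = a_records(parse_answer_section(dig_b))
    return {
        'common': sorted(set_a & set_b),
        'only_a': sorted(set_a - set_b),
        'only_b': sorted(set_b - set_a),
        'netblocks_a': sorted(netblocks(set_a, prefixlen)),
        'netblocks_b': sorted(netblocks(set_b, prefixlen)),
    }


if __name__ == '__main__':
    for key, value in compare_answers(DIG_MASTER, DIG_SLAVE).items():
        print(f'{key:12} {value}')
```

The same functions work on the output of `dig @ns1.google.com news.l.google.com` captured from each host, which is the direct-to-authority test Eivind proposes: if both hosts get the same set from the same Google nameserver, the difference seen earlier came from the resolution path (forwarders, caching, a different exit address), not from the hosts themselves.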


Re: IPv4 & IPv6 named processes on a dual stack host

2011-05-24 Thread Doug Barton

On 05/24/2011 13:48, Matthew Seaman wrote:

> named_flags="-c /etc/namedb/named.conf"


If your /etc is up to date this is no longer necessary, as 
/etc/defaults/rc.conf has named_conf="/etc/namedb/named.conf" already.



hth,

Doug

--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/



Re: subdomain delegation question #2: (simple config)

2011-05-24 Thread dalton stickney
Thanks to all of you for the great advice and insights! Everything is
working now; it was a combination of different issues and the advice
I received was invaluable to solving them.

Thanks again!

dalton

On Tue, May 24, 2011 at 10:36 AM, Andrey G. Sergeev (AKA Andris) wrote:
> Hi Dalton,
>
>
> Tue, 24 May 2011 10:09:00 -0700 dalton stickney wrote:
>
>> Hi all.
>>
>> I have set up a simple bind config to test this. I am very obviously
>> missing something simple here, but I can't figure out what it is for
>> some reason.
>> I am trying to delegate name servers for the subdomain
>> sccnj04.example.com to ns sip.example.com.
>>
>> When I dig I get no error, but also no answer:
>>
>> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> ns
>> sccnj04.example.com @ns1
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8850
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL:
>> 0
>>
>> ;; QUESTION SECTION:
>> ;sccnj04.example.com.         IN      NS
>>
>> ;; AUTHORITY SECTION:
>> example.com.          86400   IN      SOA     ns1.example.com. 
>> hostmaster.example.com.
>> 2011052405 3600 900 864000 86400
>>
>> ;; Query time: 0 msec
>> ;; SERVER: 10.1.0.8#53(10.1.0.8)
>> ;; WHEN: Tue May 24 13:08:03 2011
>> ;; MSG SIZE  rcvd: 88
>>
>>
>> Here is my simple config:
>>
>> named.conf
>>
>>
>> options {
>>    directory "/var/named";
>>    version "Nope.";
>> };
>>
>> zone "example.com" in {
>>       type master;
>>       file "example.com";
>> };
>>
>> Here is the zone file:
>>
>> $TTL 86400
>>
>> ; Start of Authority
>> example.com. 86400 IN SOA   ns1.example.com. hostmaster.example.com. (
>>                             2011052405 ; Serial
>>                             3600       ; Refresh
>>                             900        ; Retry
>>                             864000     ; Expire
>>                             86400      ; Min TTL
>>                             )
>> ; Host
>>
>> sip.example.com.   IN A 10.1.0.8
>> ; Nameserver
>> example.com.       IN NS ns1.example.com.
>>
>> $ORIGIN sccnj04.example.com.
>> sccnj04            IN NS sip.example.com.
> ^
> Your current $ORIGIN is sccnj04.example.com, so the non-FQDN label
> "sccnj04" at the line above would be sccnj04.sccnj04.example.com when
> converted to FQDN.
>
>
> --
>
> Yours sincerely,
>
> Andrey G. Sergeev (AKA Andris)     http://www.andris.name/
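Andris's point about `$ORIGIN` is worth seeing mechanically. The Python below is an added example (not code from the thread or from BIND): it walks a master file's owner names applying the origin rules ("@" is the current origin, a trailing dot means already fully qualified, anything else gets the origin appended), then looks for NS records at the delegation point. Run over a zone modelled on Dalton's, it shows the NS record landing at sccnj04.sccnj04.example.com., which is why the parent answered NOERROR with no answer records for sccnj04.example.com.; the corrected zone writes the owner as "@" under the `$ORIGIN` line. The zone texts are constructed and the function names are mine; `$INCLUDE`, `$GENERATE` and quoted strings are not modelled.

```python
def qualify(name, origin):
    """Master-file owner-name rules: '@' is the current origin, a trailing
    dot means already fully qualified, anything else gets the origin appended."""
    if name == '@':
        return origin
    if name.endswith('.'):
        return name
    return f'{name}.{origin}'


def _join_parenthesised(lines):
    """Strip ';' comments and fold a '( ... )' record spread over several
    lines into one line, as the master-file syntax allows."""
    buf, depth = [], 0
    for raw in lines:
        text = raw.split(';', 1)[0]
        depth += text.count('(') - text.count(')')
        buf.append(text)
        if depth <= 0:
            yield ' '.join(buf).replace('(', ' ').replace(')', ' ')
            buf, depth = [], 0


def parse_zone(zone_text, default_origin):
    """Return (owner_fqdn, rrtype, rdata) for each record, tracking $ORIGIN.
    A record with a blank owner inherits the previous owner. NS, CNAME and
    PTR rdata are domain names and are qualified by the same rules."""
    origin = default_origin
    last_owner = default_origin
    records = []
    for line in _join_parenthesised(zone_text.splitlines()):
        if not line.strip():
            continue
        if line.startswith('$ORIGIN'):
            origin = qualify(line.split()[1], origin)
            continue
        if line.startswith('$'):          # $TTL, $INCLUDE, $GENERATE: skipped
            continue
        fields = line.split()
        owner = last_owner if line[0].isspace() else qualify(fields.pop(0), origin)
        last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() in ('IN', 'CH', 'HS')):
            fields.pop(0)                 # optional TTL and class
        rrtype = fields.pop(0).upper()
        rdata = ' '.join(fields)
        if rrtype in ('NS', 'CNAME', 'PTR'):
            rdata = qualify(rdata, origin)
        records.append((owner, rrtype, rdata))
    return records


def delegation_ns(records, child):
    """The NS targets found at the delegation point `child` (an FQDN)."""
    return sorted(rdata for owner, rrtype, rdata in records
                  if owner == child and rrtype == 'NS')


# Constructed zone text modelled on the one posted in this thread.
ZONE_AS_POSTED = """\
$TTL 86400
; Start of Authority
example.com. 86400 IN SOA   ns1.example.com. hostmaster.example.com. (
                            2011052405 ; Serial
                            3600       ; Refresh
                            900        ; Retry
                            864000     ; Expire
                            86400      ; Min TTL
                            )
; Host
sip.example.com.   IN A 10.1.0.8
; Nameserver
example.com.       IN NS ns1.example.com.

$ORIGIN sccnj04.example.com.
sccnj04            IN NS sip.example.com.
"""

# The same zone with the delegation written relative to the new origin.
ZONE_FIXED = ZONE_AS_POSTED.replace(
    'sccnj04            IN NS sip.example.com.',
    '@                  IN NS sip.example.com.')


if __name__ == '__main__':
    for label, text in (('as posted', ZONE_AS_POSTED), ('fixed', ZONE_FIXED)):
        recs = parse_zone(text, 'example.com.')
        print(label, [r for r in recs if r[1] == 'NS'])
        print('  NS at sccnj04.example.com.:',
              delegation_ns(recs, 'sccnj04.example.com.'))
```

Writing the owner as `sccnj04.example.com.` (fully qualified) or moving the `sccnj04 IN NS` line above the `$ORIGIN` statement would work equally well; what matters is that the owner name the file produces is exactly the name being delegated.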