Insufficient DNS Source Port Randomization

2011-07-28 Thread Pete Fong
Hi Everybody,

My Linux is OpenSuSE 11.4 with kernel 2.6.37.6-0.5, which is used as a
DNS server. I have installed bind-9.7.3P3-0.2.1.

Our external auditor used "NeXpose" for scanning my system. It showed
"Insufficient DNS Source Port Randomization Vulnerability". Therefore
I have followed the BIND 9 Configuration Reference Guide and adjusted
the named.conf configuration file as below:

query-source address * port *;
query-source-v6 address * port *;

use-v4-udp-ports { range 1024 65535; };
use-v6-udp-ports { range 1024 65535; };

But I was not lucky: the NeXpose software still showed the same
vulnerability. Has anybody seen this issue? Can anybody help me?

Thanks a lot,
Pete Fong
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Insufficient DNS Source Port Randomization

2011-07-28 Thread Matus UHLAR - fantomas

On 28.07.11 15:33, Pete Fong wrote:

My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is used for
DNS server. I have installed bind-9.7.3P3-0.2.1

Our external auditor used "NeXpose" for scanning my system. It showed
"Insufficient DNS Source Port Randomization Vulnerability".


The insufficient randomization was afaik fixed in 9.5.0.


Therefore
I have followed BIND 9 Configuration Reference Guide, I have adjusted
named.conf configuration file as below :

query-source address * port *;
query-source-v6 address * port *;

use-v4-udp-ports { range 1024 65535; };
use-v6-udp-ports { range 1024 65535; };


Did you have these before? I think that BIND tries those ports by 
default, so configuring them should not affect it.



But I am not lucky, The NeXpose software still showed the same
vulnerability. Anybody has some issue ? Anybody can help me ?


Is your resolving server behind firewall? Does the firewall change 
source port?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Nothing is fool-proof to a talented fool.


Re: Insufficient DNS Source Port Randomization

2011-07-28 Thread Stephane Bortzmeyer
On Thu, Jul 28, 2011 at 03:33:11PM +0800,
 Pete Fong  wrote 
 a message of 27 lines which said:

> I have adjusted named.conf configuration file as below :
> 
> query-source address * port * ;
> query-source-v6 address * port *;

BIND randomizes properly by default. I would suggest to delete all
these lines.

> The NeXpose software still showed the same vulnerability.

Did you try to obtain an independent confirmation from a reliable
source? (I do not know this product, but I distrust private black
boxes.) I recommend:

https://www.dns-oarc.net/oarc/services/porttest
https://www.dns-oarc.net/oarc/services/dnsentropy
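Stephane's advice above is to get an independent confirmation rather than trust the scanner, and Matus's question is whether a firewall or NAT in front of the resolver rewrites the source port. The DNS-OARC test he links is queried with `dig +short porttest.dns-oarc.net TXT @<your-resolver>` from a client of the resolver. The following is an added example, not code from the thread, from ISC or from BIND: it does the same check offline from a packet capture taken on the outside of the firewall, parsing tcpdump-style lines of the resolver's outbound queries and measuring how many distinct source ports are used and how much entropy the port distribution carries. The resolver address 192.0.2.10, the upstream 198.51.100.1 and the capture lines themselves are constructed here; the `IP src.port > dst.53:` shape is what tcpdump prints for UDP, everything else is made up.

```python
import math
import random
import re
from collections import Counter

# Constructed tcpdump-style line: "<time> IP <src>.<sport> > <dst>.53: <id>+ A? <name>. (len)"
QUERY_RE = re.compile(
    r"\bIP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.53:"
)


def outbound_source_ports(lines, resolver_ip):
    """UDP source ports of queries that resolver_ip sent to port 53."""
    ports = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group(1) == resolver_ip:
            ports.append(int(m.group(2)))
    return ports


def entropy_bits(ports):
    """Shannon entropy (bits) of the observed port distribution.

    It is bounded above by log2(len(ports)), so for a finite capture it is a
    lower bound on the randomness of the port selection, not the true 16-bit
    figure. A single fixed port gives 0 bits whatever the sample size.
    """
    if not ports:
        return 0.0
    n = len(ports)
    h = -sum(c / n * math.log2(c / n) for c in Counter(ports).values())
    return 0.0 if h == 0 else h


def assess(lines, resolver_ip, min_distinct_ratio=0.9, min_bits=6.0):
    """Summarise the capture and decide whether the ports look randomized.

    A NAT device that rewrites every query to one source port, or a
    "query-source port 53" setting, collapses distinct_ports to 1. A very
    small capture also fails the test: collect a few hundred queries first.
    """
    ports = outbound_source_ports(lines, resolver_ip)
    distinct = len(set(ports))
    bits = entropy_bits(ports)
    verdict = {
        "queries": len(ports),
        "distinct_ports": distinct,
        "entropy_bits": round(bits, 2),
        "low_ports": sum(1 for p in ports if p < 1024),
    }
    verdict["randomized"] = (
        len(ports) > 0
        and distinct / len(ports) >= min_distinct_ratio
        and bits >= min_bits
    )
    return verdict


def constructed_capture(ports, resolver_ip="192.0.2.10", upstream="198.51.100.1"):
    """Build constructed capture lines, one query per entry in ports."""
    return [
        f"09:00:{i % 60:02d}.000000 IP {resolver_ip}.{p} > {upstream}.53: "
        f"{1000 + i}+ A? example.com. (29)"
        for i, p in enumerate(ports)
    ]


# Constructed samples: a resolver drawing ports from 1024-65535 (seeded so the
# run is repeatable), and the same resolver seen through a NAT that rewrites
# every outbound query to port 40000.
rng = random.Random(20110728)
RANDOMIZED = constructed_capture(rng.randrange(1024, 65536) for _ in range(200))
FIXED_PORT = constructed_capture([40000] * 200)

if __name__ == "__main__":
    print("resolver direct:", assess(RANDOMIZED, "192.0.2.10"))
    print("behind port-rewriting NAT:", assess(FIXED_PORT, "192.0.2.10"))
```

To use it on a real capture, run `tcpdump -n -l udp dst port 53` on the Internet-facing side of the firewall, feed the lines to `assess()` with the resolver's public address, and compare with the DNS-OARC result; if the capture on the resolver itself looks random but the outside capture does not, the firewall is the problem, not named.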


no servers could be reached

2011-07-28 Thread uifid...@gmail.com
dig kia.czj

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> kia.czj
;; global options:  printcmd
;; connection timed out; no servers could be reached

my ip is 192.168.18.128

my named.conf

options {
listen-on port 53 { 192.168.18.128; 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory   "/var/named";
dump-file   "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";

// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;

allow-query { 192.168.18.128; 127.0.0.1; };
allow-query-cache { 192.168.18.128; 127.0.0.1; };
};

view localhost_resolver {
match-clients  { localhost; };
match-destinations { localhost; };
recursion yes;
include "/etc/named.rfc1912.zones";
};
view czj {
match-clients   { 192.168.18.128; localhost; };
match-destinations { 192.168.18.128; localhost; };
recursion yes;
zone "czj" {
type master;
file "czj.zone";
};
};

# End of named.conf


my czj.zone
$TTL 86400
czj.   IN  SOA localhost. root.localhost.  (
  1997022700 ; Serial
  28800  ; Refresh
  14400  ; Retry
  360; Expire
  86400 ); Minimum
czj. IN  NS  localhost.
kia IN  A   192.168.18.1



my /etc/resolve.conf

; generated by /sbin/dhclient-script
search czj
nameserver 192.168.18.128

named-checkzone and named-checkconf passed, so I suppose the configuration works,
but I only get "no servers could be reached". What's wrong with my config?
Thanks in advance.


Re: Insufficient DNS Source Port Randomization

2011-07-28 Thread Pete Fong
Hi, Matus UHLAR

No, the scanner PC and DNS server are connected by a crossover cable in
my environment, so I have no idea.

Thanks a lot,
Pete Fong

2011/7/28 Matus UHLAR - fantomas :
> On 28.07.11 15:33, Pete Fong wrote:
>>
>> My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is used for
>> DNS server. I have installed bind-9.7.3P3-0.2.1
>>
>> Our external auditor used "NeXpose" for scanning my system. It showed
>> "Insufficient DNS Source Port Randomization Vulnerability".
>
> The insufficient randomization was afaik fixed in 9.5.0.
>
>> Therefore
>> I have followed BIND 9 Configuration Reference Guide, I have adjusted
>> named.conf configuration file as below :
>>
>> query-source address * port * ;
>> query-source-v6 address * port *;
>>
>> use-v4-udp-ports { range 1024 65535; };
>> use-v6-udp-ports { range 1024 65535; };
>
> Did you have these before? I think that BIND tries those ports by default,
> so configuring them should not affect it.
>
>> But I am not lucky, The NeXpose software still showed the same
>> vulnerability. Anybody has some issue ? Anybody can help me ?
>
> Is your resolving server behind firewall? Does the firewall change source
> port?


Re: Insufficient DNS Source Port Randomization

2011-07-28 Thread Danilo Godec
If I understand correctly, the connection between the scanner PC and 
your DNS server is not really the issue here.


What can cause problems is a firewall between your DNS server and the 
Internet.



   Danilo



On 07/28/2011 10:08 AM, Pete Fong wrote:

Hi, Matus UHLAR

No, The scanner PC and  DNS server is connected by crossover cable in
my environment. Therefore I have not any idea.

Thanks a lot,
Pete Fong




--
Danilo Godec, sistemska podpora / system administration

Visit our updated web page at www.agenda.si

OPEN SOURCE AND LINUX
SERVICES : BUSINESS SOLUTIONS : IT MANAGEMENT : IT INFRASTRUCTURE : TRAINING :
SOFTWARE



Re: no servers could be reached

2011-07-28 Thread Daniel McDonald



On 7/28/11 3:16 AM, "uifid...@gmail.com"  wrote:

> my czj.zone
> $TTL 86400
> czj.   IN  SOA localhost. root.localhost.  (
>   1997022700 ; Serial
>   28800  ; Refresh
>   14400  ; Retry
>   360; Expire
>   86400 ); Minimum
> czj. IN  NS  localhost.
> kia IN A 192.168.18.1

Don't you need 
$ORIGIN czj. 
in order to add an unrooted entry?

SOA and NS of localhost. seems wrong.  localhost.localdomain. seems more
likely.
-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281



Re: no servers could be reached

2011-07-28 Thread Alan Clegg
On 7/28/2011 4:16 AM, uifid...@gmail.com wrote:

> view localhost_resolver {
>   match-clients  { localhost; };
>   match-destinations { localhost; };
>   recursion yes;
>   include "/etc/named.rfc1912.zones";
> };
> view czj {
>   match-clients   { 192.168.18.128; localhost; };
>   match-destinations { 192.168.18.128; localhost; };
>   recursion yes;
>   zone "czj" {
>   type master;
>   file "czj.zone";
> };
> };

> named-checkzone named-checkconf passed

These check syntax but not semantics.  As someone else pointed out, it
looks like your zone file is messed up a bit.  Additionally, the views
above have both match-clients and match-destinations which I doubt you
want, and you have localhost listed in both...

What is it that you are trying to do and we might be able to help you
out some...

AlanC




Re: DNS update on host down

2011-07-28 Thread david klein
There are tools which do this, such as F5's GTM or Cisco's GSS;
essentially, you have multiple servers in a pool/answer group, and
during normal operations, they are handed out in either RR or WRR. If
one server fails its health check, it is taken out of the mix. I
believe under the covers, it is essentially a rules-engine, BIND,
nsupdate and a few monitoring scripts.


 -DTK

On Tue, Jul 26, 2011 at 9:23 AM, Paul Reilly  wrote:
> Is there a simple utility, which can ICMP ping or HTTP ping a host, and
> update the hosts DNS entry if the host is down?
> I'm thinking I could have 2 include files, and swap between them if the host
> is down or not.
>
> Any pointers ?
>
> Paul
>
>



-- 

david t. klein

Cisco Certified Network Associate (CSCO11281885)
Linux Professional Institute Certification (LPI000165615)
Redhat Certified Engineer (805009745938860)

Quis custodiet ipsos custodes?
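David describes the mechanism behind the commercial products as a health check, a rules engine and nsupdate. The block below is an added example of that loop, not code from the thread, from BIND or from any of the products named: a TCP-connect "HTTP ping" and the nsupdate transaction it would feed, which replaces the A RRset of a name with one record per healthy pool member in a single dynamic update. The zone example.com, the name www, the 192.0.2.x pool addresses and the TSIG key file path are assumptions for illustration; the nsupdate command syntax (server, zone, update delete, update add, send, and the -k key file option) is BIND's own.

```python
import socket
import subprocess

# Hypothetical pool for illustration (TEST-NET-1 addresses, not real hosts).
POOL = ["192.0.2.11", "192.0.2.12"]


def tcp_health_check(host, port=80, timeout=2.0):
    """Minimal "HTTP ping": True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def nsupdate_script(zone, name, candidates, ttl=60, server="127.0.0.1", healthy=None):
    """Build the stdin text for nsupdate and return (script, published_addresses).

    candidates: ordered pool of A addresses.
    healthy:    {address: bool}; when None, each candidate is probed with
                tcp_health_check().
    The RRset is replaced atomically in one transaction: delete all A records
    of the name, then add one per healthy address. If nothing is healthy the
    whole pool is kept rather than publishing a name with no address, which
    would turn a partial outage into a total one.
    """
    if healthy is None:
        healthy = {a: tcp_health_check(a) for a in candidates}
    up = [a for a in candidates if healthy.get(a)]
    publish = up or list(candidates)
    fqdn = f"{name}.{zone}."
    lines = [f"server {server}", f"zone {zone}.", f"update delete {fqdn} A"]
    lines += [f"update add {fqdn} {ttl} A {a}" for a in publish]
    lines.append("send")
    return "\n".join(lines) + "\n", publish


def apply_update(script, keyfile):
    """Run nsupdate with a TSIG key file (Kname.+157+NNNNN.private); returns rc.

    Keep the key file readable only by the monitoring user: whoever holds it
    can rewrite every name the server's update-policy grants it.
    """
    proc = subprocess.run(["nsupdate", "-k", keyfile], input=script,
                          text=True, capture_output=True)
    return proc.returncode


if __name__ == "__main__":
    # Hypothetical key file path; allow-update/update-policy on the zone must
    # permit this key to change www.example.com.
    script, published = nsupdate_script("example.com", "www", POOL)
    print(script)
    print("published:", published)
    # apply_update(script, "/etc/named/Kmonitor.+157+12345.private")
```

Run it from cron or a loop with an interval longer than the probe timeout, and keep the record TTL short (60 s above) so clients notice the change; the update only touches the A RRset of the one name, so the rest of the zone is unaffected.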


Re: no servers could be reached

2011-07-28 Thread uifid...@gmail.com
I'm trying to configure a BIND server which could answer queries (at
least from 127.0.0.1 and 192.168.18.128) like "dig kia.czj", but I
failed to. Perhaps my ignorance about the match-clients and
match-destinations statements failed my attempt, or more likely, "SOA
and NS of localhost. seems wrong". It should be
localhost.localdomain. And I used to think the $ORIGIN statement is not
necessary, the idea being that the zone name could be got from named.conf.
I'll do some testing before I come back, thanks.

2011/7/28 Alan Clegg :
> On 7/28/2011 4:16 AM, uifid...@gmail.com wrote:
>
>> view localhost_resolver {
>>       match-clients      { localhost; };
>>       match-destinations { localhost; };
>>       recursion yes;
>>       include "/etc/named.rfc1912.zones";
>> };
>> view czj {
>>       match-clients   { 192.168.18.128; localhost; };
>>       match-destinations { 192.168.18.128; localhost; };
>>       recursion yes;
>>       zone "czj" {
>>       type master;
>>       file "czj.zone";
>> };
>> };
>
>> named-checkzone named-checkconf passed
>
> These check syntax but not semantics.  As someone else pointed out, it
> looks like your zone file is messed up a bit.  Additionally, the views
> above have both match-clients and match-destinations which I doubt you
> want, and you have localhost listed in both...
>
> What is it that you are trying to do and we might be able to help you
> out some...
>
> AlanC

Split PTR zone (internal and external)

2011-07-28 Thread CT

I am wondering what might be a good "workaround" for this
legacy setup...

Will do my best to explain..

IP Space
- 1 Class B Global Unique (used Externally and Internally)
- 1 Class B RFC1918

DNS Setup

External DNS (Linux - Bind 9.8.x)
- example-ext.com DNS domain
- authoritative for PTR Global Unique

Mid Tier DNS (Linux - Bind 9.8.x)
- Mixture of Class B Global and RFC 1918
- not accessible "from the Internet"
- forwards all RFC 1918 PTR to the Internal DNS
- can resolve any Internal / External A records

Internal DNS(MS DNS - w/DDNS)
- only internal DNS zones (i.e. inside.example.com)
- MS DNS use Mid Tier DNS for "external" name resolution (i.e. isc.org)
- Has the *same* Global Unique Class B PTR as the External DNS
**

Scenario

- internal hosts using the Internal DNS cannot resolve External PTRs
for example-ext.com, since a valid PTR zone already exists.

The only solution that I have come up with is to manually
put the "external" PTR records in the AD PTR Zone file.

Not sure if there is a resolution to do in MS DNS but will ask the same
question in that group.  Wanted to start here..

Thx
CT



Re: Views and no answers ...

2011-07-28 Thread Thomas Schweikle
Am 28.07.2011 01:18, schrieb Bob:
> These two views are identical in any way I can see, so the fault may
> be in an included configuration file that is not included in your
> message.
> 
> Look for allow-query, allow-recursion or allow-cache statements in
> your other config files.

Did this. The only "allow" I could find was "allow-transfer".

The only two parts I left out were "options", the included keys and
"logging":

!options {
!directory   "/var/tmp/named";
!pid-file"/var/run/named/named.pid";
!dump-file   "/var/run/named/named_dump.db";
!statistics-file "/var/run/named/named.stats";
!listen-on   { any; };
!#listen-on-v6   { any; };
!
!recursion yes;
!auth-nxdomain no;
!};

!include "/etc/named/mskey.key";
!include "/etc/named/bind.keys";
!include "/etc/bind/key.rndc";

mskey.key:
!key mskey {
!  algorithm hmac-md5;
!  secret ".";
!};

bind.keys:
!managed-keys {
!# NOTE: This key is current as of October 2009.
!# If it fails to initialize correctly, it may have expired;
!# see https://www.isc.org/solutions/dlv for a replacement.
!dlv.isc.org. initial-key 257 3 5
!"BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
!brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
!1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
!ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
!Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
!QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
!TDN0YUuWrBNh";
!};

key.rndc:
!key "xompukey" {
!algorithm hmac-md5;
!secret "";
!};


!logging {
!channel security_log {
!file "/var/log/named/security.log";
!severity info;
!print-time yes;
!};
!channel update_log {
!file "/var/log/named/update.log";
!severity info;
!print-time yes;
!};
!channel query_log {
!file "/var/log/named/query.log";
!severity debug 3;
!print-time yes;
!};
!channel debug_log {
!file "/var/log/named/debug.log";
!severity info;
!print-time yes;
!};
!category update { update_log; };
!category queries { query_log; };
!category default { debug_log; };
!category security { security_log; };
!category unmatched { null; };
!};


calling "dig +trace google.com" on systems located in 192.168.180.0/23:
!; <<>> DiG 9.7.3 <<>> +trace google.com
!;; global options: +cmd
!.   518400  IN  NS  e.root-servers.net.
!.   518400  IN  NS  f.root-servers.net.
!.   518400  IN  NS  h.root-servers.net.
!.   518400  IN  NS  i.root-servers.net.
!.   518400  IN  NS  m.root-servers.net.
!.   518400  IN  NS  d.root-servers.net.
!.   518400  IN  NS  a.root-servers.net.
!.   518400  IN  NS  g.root-servers.net.
!.   518400  IN  NS  b.root-servers.net.
!.   518400  IN  NS  c.root-servers.net.
!.   518400  IN  NS  l.root-servers.net.
!.   518400  IN  NS  j.root-servers.net.
!.   518400  IN  NS  k.root-servers.net.
!;; Received 244 bytes from 192.168.180.28#53(ns.example.de) in
!0 ms
!
!com.172800  IN  NS  c.gtld-servers.net.
!com.172800  IN  NS  j.gtld-servers.net.
!com.172800  IN  NS  l.gtld-servers.net.
!com.172800  IN  NS  e.gtld-servers.net.
!com.172800  IN  NS  f.gtld-servers.net.
!com.172800  IN  NS  h.gtld-servers.net.
!com.172800  IN  NS  a.gtld-servers.net.
!com.172800  IN  NS  g.gtld-servers.net.
!com.172800  IN  NS  k.gtld-servers.net.
!com.172800  IN  NS  b.gtld-servers.net.
!com.172800  IN  NS  i.gtld-servers.net.
!com.172800  IN  NS  m.gtld-servers.net.
!com.172800  IN  NS  d.gtld-servers.net.
!;; Received 488 bytes from 128.8.10.90#53(d.root-servers.net) in
!100 ms
!
!google.com. 172800  IN  NS  ns2.google.com.
!google.com. 172800  IN  NS  ns1.google.com.
!google.com. 172800  IN  NS  ns3.google.com.
!google.com. 172800  IN  NS  ns4.google.com.
!;; Received 164 bytes from 192.42.93.30#53(g.gtld-servers.net) in
!161 ms
!
!g

Format of the IPv6 reversed zone

2011-07-28 Thread Khuu, Linh Contractor
Hello,

I'm new to IPv6 configuring in BIND. I need help. The forward zone is simple
enough with an AAAA record, but the reversed zone is a bit confusing to me.

For example, I want to add a hostname of 
www.example.com to 2001:1930:c00::2. This IPv6 address 
is /48.

How can I add this IPv6 address in a reversed format?

$ORIGIN 0.0.0.0.0.0.0.c.0.3.9.1.1.0.0.2.ip6.arpa. IN SOA ..

@ NS dnstemp1.example.com

What should I put for the PTR???

Is the reversed for IPv6 in the ip6.arpa file or IP6.int file???

Thanks,
Linh Khuu


Re: Format of the IPv6 reversed zone

2011-07-28 Thread Jay Ford

On Thu, 28 Jul 2011, Khuu, Linh   Contractor wrote:

I'm new to IPv6 configuring in BIND. I need help. The forward zone is
simple enough with an AAAA record, but the reversed zone is a bit confusing to
me.

For example, I want to add a hostname of www.example.com to
2001:1930:c00::2. This IPv6 address is /48.

How can I add this IPv6 address in a reversed format?

$ORIGIN 0.0.0.0.0.0.0.c.0.3.9.1.1.0.0.2.ip6.arpa. IN SOA ..

@ NS dnstemp1.example.com

What should I put for the PTR???

Is the reversed for IPv6 in the ip6.arpa file or IP6.int file???


It's in ip6.arpa.  The whole name for 2001:1930:c00::2 should be:
   2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.C.0.0.3.9.1.1.0.0.2.IP6.ARPA

In your origin above you lost a "0" right of the "c".  The ":c00:" chunk is
actually ":0c00:", so the correct origin is:
   0.0.0.0.0.0.c.0.0.3.9.1.1.0.0.2.ip6.arpa
in which the PTR RR would be:
   2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR www.example.com


Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951


RE: Format of the IPv6 reversed zone

2011-07-28 Thread Khuu, Linh Contractor
Thanks Jay and Leonard for the pointers of IPv6 format.

Linh Khuu



Re: Format of the IPv6 reversed zone

2011-07-28 Thread Mark Elkins
On Thu, 2011-07-28 at 14:07 -0400, Khuu, Linh Contractor wrote:
> Hello,
>  
> I'm new to IPv6 configuring in BIND. I need help. The forward zone is
> simple enough with an AAAA record, but the reversed zone is a bit
> confusing to me.
>  
> For example, I want to add a hostname of www.example.com to
> 2001:1930:c00::2. This IPv6 address is /48.
>  
> How can I add this IPv6 address in a reversed format?
>  
> $ORIGIN 0.0.0.0.0.0.0.c.0.3.9.1.1.0.0.2.ip6.arpa. IN SOA
> ..
>  
> @ NS dnstemp1.example.com
>  
> What should I put for the PTR??? 
>  
> Is the reversed for IPv6 in the ip6.arpa file or IP6.int file???


I have 2001:42a0::/32; in named.conf I have...
zone "0.a.2.4.1.0.0.2.ip6.arpa" {
type master;
file "pri/db.0.a.2.4.1.0.0.2.ip6.arpa";
};

Top of the file could look like
$TTL 7200
@   IN SOA  blah. usual stuff..


Then - networks are all /64's - so - using the $ORIGIN variable...
do something like this per network 

; 2001:42a0:0:ff02::/64, Some description of this network
$ORIGIN 2.0.f.f.0.0.0.0.0.a.2.4.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   IN  PTR  cisco.posix.co.za.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0   IN  PTR  dns1.posix.co.za.

or simply delegate them off
; 2001:42a0:1:82::/64, another network
2.8.0.0.1.0.0.0.0.a.2.4.1.0.0.2.ip6.arpa. NS  dns1.posix.co.za.
  NS  dns2.posix.co.za.

'dig -x' is your friend for expanding the address!

eg - dig -x 2001:42a0:1:82:: +noall +question
...then cut'n'paste!
 
>  
> Thanks,
> Linh Khuu
> 
>  
>  
>  

-- 
  .  . ___. .__  Posix Systems - Sth Africa.  e.164 VOIP ready
 /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



Re: Views and no answers ...

2011-07-28 Thread Bob

You also have these ACLs, which I find quite useful:

allow-query {acl-list}
allow-query-cache {acl-list}
allow-recursion {acl-list}

As I recall, all of them are valid inside a view.

You could also try to throw in some debug logging.
Here is what I do for troubleshooting:

#> rndc querylog
#> rndc trace 3

Then I tail all the relevant logfiles.


Mvh. / Regards

Bob
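Bob's `rndc querylog` turns on the "queries" category, and the resulting lines record which view each query landed in, which is exactly what Alan's remark in the "no servers could be reached" thread needs: a client listed in two views' match-clients always hits the first one, so localhost in that configuration never reaches the czj view and its zone. The block below is an added example, not code from either thread or from BIND, that parses such lines and reports which clients ended up in a view other than the one the operator expected. The line format is assumed from BIND 9.7-era query logging with print-time (later versions insert a `(qname)` after the client, which the pattern tolerates), and the log lines, addresses and view names are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Assumed BIND 9 query log line (category "queries", print-time yes), e.g.
# 28-Jul-2011 11:42:34.101 client 127.0.0.1#51023: view czj: query: kia.czj IN A + (127.0.0.1)
# The trailing "+" flag set means RD was set; E/T/D/C/S flags may follow it.
QUERYLOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: (?:view (?P<view>[^:\s]+): )?"
    r"query: (?P<qname>\S+) (?P<class>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
    r"(?: \((?P<dest>[0-9A-Fa-f.:]+)\))?"
)


def parse_query_log(lines):
    """Return one dict per query line; lines from other categories are skipped."""
    out = []
    for line in lines:
        m = QUERYLOG_RE.search(line)
        if m:
            q = m.groupdict()
            q["port"] = int(q["port"])
            q["recursion_desired"] = "+" in q["flags"]
            out.append(q)
    return out


def queries_per_view(lines):
    """How many queries each view answered ("<no view>" if views are not used)."""
    return Counter(q["view"] or "<no view>" for q in parse_query_log(lines))


def views_by_client(lines):
    """Which view(s) each client address was matched into."""
    seen = defaultdict(set)
    for q in parse_query_log(lines):
        seen[q["client"]].add(q["view"] or "<no view>")
    return {c: sorted(v) for c, v in seen.items()}


def misrouted_clients(lines, expected):
    """Clients whose queries landed in a view other than expected[client].

    Views are tried in configuration order and the first match wins, so a
    client that also matches an earlier view's match-clients never reaches
    the later one. This is what the function surfaces.
    """
    return {c: v for c, v in views_by_client(lines).items()
            if c in expected and v != [expected[c]]}


# Constructed log lines modelled on the czj configuration from the other thread:
# localhost is in both views, so it is matched by localhost_resolver first.
SAMPLE_LOG = """\
28-Jul-2011 11:42:34.101 client 127.0.0.1#51023: view localhost_resolver: query: kia.czj IN A + (127.0.0.1)
28-Jul-2011 11:42:35.202 client 192.168.18.128#51024: view czj: query: kia.czj IN A + (192.168.18.128)
28-Jul-2011 11:42:36.303 client 192.168.180.28#40001: view internal: query: google.com IN A + (192.168.180.28)
28-Jul-2011 11:42:37.404 client 192.168.181.7#40002: view internal: query: google.com IN A +E (192.168.180.28)
28-Jul-2011 11:42:38.505 client 192.168.181.7#40003: query (cache) 'google.com/A/IN' denied
""".splitlines()

if __name__ == "__main__":
    print(queries_per_view(SAMPLE_LOG))
    print(views_by_client(SAMPLE_LOG))
    print(misrouted_clients(SAMPLE_LOG, {"127.0.0.1": "czj", "192.168.18.128": "czj"}))
```

Pipe `tail -f` of the query log into `parse_query_log()` while reproducing the failing `dig`; a query that shows up in the wrong view, or not at all, tells you whether the problem is view selection (match-clients, match-destinations) or whether the query never reached named (resolv.conf, listen-on, firewall).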

Re: Format of the IPv6 reversed zone

2011-07-28 Thread eugene tsuno

There is a little perl ipv6 calc that I use, ipv6calc, so I don't mistype it.

 ipv6calc --addr_to_ip6arpa 2001:1930:c00::2
No input type specified, try autodetection...found type: ipv6addr
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.0.3.9.1.1.0.0.2.ip6.arpa.

The web page is dead, but the ftp download works.
http://mirrors.bieringer.de/www.deepspace6.net/projects/ipv6calc.html#id2860191

and of course one can easily run a script to spit out the reverses.

On 7/28/11 12:31 PM, Khuu, Linh Contractor wrote:
> Thanks Jay and Leonard for the pointers of IPv6 format.
>
> Linh Khuu
>


-- 
eugene tsuno
NOAA Boulder/NOC
325 broadway, boulder,co 80305
303-497-6392



Re: no servers could be reached

2011-07-28 Thread Michael McNally

On 7/28/11 12:16 AM, uifid...@gmail.com wrote:
> my /etc/resolve.conf

Note:             ^^^

> named-checkzone named-checkconf passed, I suppose the configuration works
> but only get no servers could be reached. What's wrong with my config?

Your resolv.conf is in the wrong place.  Let's see what happens when
that occurs:

With resolv.conf in place:

> Chickamin-River:~ $ dig www.isc.org
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> www.isc.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5913
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.isc.org.                   IN      A
>
> ;; ANSWER SECTION:
> www.isc.org.            263     IN      A       149.20.64.42
>
> ;; Query time: 49 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Thu Jul 28 11:42:34 2011
> ;; MSG SIZE  rcvd: 45

With resolv.conf in the wrong place:

> Chickamin-River:~ $ mv /etc/resolv.conf /etc/resolv.conf.moved
> Chickamin-River:~ $ dig www.isc.org
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> www.isc.org
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached


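The two dig runs above are the whole diagnostic: a NOERROR header with an answer section versus a bare "connection timed out; no servers could be reached". As an added example (my code, not from the thread), here is a small parser that turns dig's text output into a structured result and classifies it, so the same check can be scripted against many resolvers. The sample outputs are the two captures from the message above with their column whitespace restored; nothing else is assumed.

```python
import re

# Constructed from the two captures in the thread (whitespace restored).
DIG_OK = """\
; <<>> DiG 9.6.0-APPLE-P2 <<>> www.isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5913
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.isc.org.                   IN      A

;; ANSWER SECTION:
www.isc.org.            263     IN      A       149.20.64.42

;; Query time: 49 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jul 28 11:42:34 2011
;; MSG SIZE  rcvd: 45
"""

DIG_TIMEOUT = """\
; <<>> DiG 9.6.0-APPLE-P2 <<>> www.isc.org
;; global options: +cmd
;; connection timed out; no servers could be reached
"""


def parse_dig(output: str) -> dict:
    """Parse dig's human-readable output into status, id, flags, server and answers."""
    result = {"status": None, "id": None, "flags": [], "server": None, "answers": []}
    section = None
    for line in output.splitlines():
        if "no servers could be reached" in line:
            # dig never got a reply from any configured nameserver
            result["status"] = "TIMEOUT"
            return result
        m = re.search(r"status: (\w+), id: (\d+)", line)
        if m:
            result["status"], result["id"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            result["flags"] = m.group(1).split()
            continue
        m = re.match(r";; SERVER: (\S+)", line)
        if m:
            result["server"] = m.group(1)
            continue
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len(" SECTION:")]
            continue
        if line.startswith(";") or not line.strip():
            continue  # comments, question lines, blank separators
        if section == "ANSWER":
            owner, ttl, rclass, rtype, rdata = line.split(None, 4)
            result["answers"].append(
                {"owner": owner, "ttl": int(ttl), "class": rclass, "type": rtype, "rdata": rdata}
            )
    return result


def diagnose(result: dict) -> str:
    """One-line verdict in the spirit of the thread: no reply at all is a resolver-config problem."""
    if result["status"] == "TIMEOUT":
        return "no nameserver answered: check that resolv.conf exists, is named correctly and points at a listening server"
    if "ra" not in result["flags"]:
        return f"{result['status']} from {result['server']} but recursion not available (no 'ra' flag)"
    return f"{result['status']} with {len(result['answers'])} answer(s) from {result['server']}"


if __name__ == "__main__":
    for capture in (DIG_OK, DIG_TIMEOUT):
        print(diagnose(parse_dig(capture)))
```

Feeding `subprocess.run(["dig", name], capture_output=True, text=True).stdout` into `parse_dig` gives the same structure for live queries; the TIMEOUT branch is the one to alert on, since it means the stub resolver found nothing to talk to rather than a server that said NXDOMAIN or SERVFAIL.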

RE: no servers could be reached

2011-07-28 Thread Lightner, Jeff
Also has a wrong name:  Should be resolv.conf NOT resolve.conf.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Michael McNally
Sent: Thursday, July 28, 2011 3:47 PM
To: bind-users@lists.isc.org
Subject: Re: no servers could be reached

On 7/28/11 12:16 AM, uifid...@gmail.com wrote:
> my /etc/resolve.conf

Note: ^^^
>
> named-checkzone named-checkconf passed, I suppose the configure works
> but only get no servers could be reached.What's wrong with my config?

Your resolv.conf is in the wrong place.  Let's see what happens when
that occurs:

With resolv.conf in place:

> Chickamin-River:~ $ dig www.isc.org
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> www.isc.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5913
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.isc.org. IN  A
>
> ;; ANSWER SECTION:
> www.isc.org.  263 IN  A   149.20.64.42
>
> ;; Query time: 49 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Thu Jul 28 11:42:34 2011
> ;; MSG SIZE  rcvd: 45


With resolv.conf in the wrong place:


> Chickamin-River:~ $ mv /etc/resolv.conf /etc/resolv.conf.moved
> Chickamin-River:~ $ dig www.isc.org
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> www.isc.org
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached


Re: Format of the IPv6 reversed zone

2011-07-28 Thread Alan Clegg
On 7/28/2011 3:35 PM, eugene tsuno wrote:
> 
> There is a little perl ipv6 calc that I use ipv6calc so I don't mis-typo it.
> 
>  ipv6calc --addr_to_ip6arpa 2001:1930:c00::2
> No input type specified, try autodetection...found type: ipv6addr
> 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.0.3.9.1.1.0.0.2.ip6.arpa.

Or 'arpaname' that comes with BIND:

aclegg@baremetal:~$ arpaname 2001:1930:c00::2
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.C.0.0.3.9.1.1.0.0.2.IP6.ARPA


AlanC




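Jay Ford's correction above (the ":c00:" group is really ":0c00:", so the origin the original poster wrote had lost a nibble) and the two tools shown by eugene and Alan all come down to the same transformation: expand the address to 32 hex digits, reverse them, and join with dots under ip6.arpa. As an added example, not code from the thread or from ipv6calc or arpaname, here it is in Python, plus the two derived values the zone author actually needs: the zone origin for a given prefix and the PTR owner name relative to that origin. The /48 and /64 prefixes below are taken from the thread; the function names are mine.

```python
import ipaddress


def ip6_arpa_name(addr: str) -> str:
    """Full reverse name: all 32 nibbles of the expanded address, reversed, under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ip6_arpa_origin(prefix: str) -> str:
    """$ORIGIN of the reverse zone for a prefix; the length must sit on a nibble boundary."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for a single ip6.arpa zone")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_owner_relative(addr: str, prefix: str) -> str:
    """Owner name of the PTR record, relative to the origin of the zone for `prefix`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if ipaddress.IPv6Address(addr) not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    full = ip6_arpa_name(addr)
    origin = ip6_arpa_origin(prefix)
    # drop ".<origin>" from the end; what remains are the host nibbles
    return full[: len(full) - len(origin) - 1]


def ptr_record(addr: str, prefix: str, target: str) -> str:
    """One zone-file line for the PTR, ready to paste under the zone's $ORIGIN."""
    return f"{ptr_owner_relative(addr, prefix)}\tIN\tPTR\t{target}"


if __name__ == "__main__":
    print(ip6_arpa_name("2001:1930:c00::2"))
    print("$ORIGIN", ip6_arpa_origin("2001:1930:c00::/64"))
    print(ptr_record("2001:1930:c00::2", "2001:1930:c00::/64", "www.example.com."))
```

Running it prints the same 32-nibble name that ipv6calc and arpaname produce, and for the /64 origin it yields exactly the 16-nibble owner Jay gave. Because `exploded` always writes every group as four digits, the dropped-zero mistake from the original $ORIGIN cannot happen here, which is the whole reason to compute these names rather than type them.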
.hu ns records incorrect?

2011-07-28 Thread Carl Byington
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Am I missing something, or are the hu NS records incomplete?

dig d.hu +trace

;; AUTHORITY SECTION:
hu. 86400   IN  NS  e.hu.
hu. 86400   IN  NS  ns-se.nic.hu.
hu. 86400   IN  NS  b.hu.
hu. 86400   IN  NS  ns2.nic.fr.
hu. 86400   IN  NS  c.hu.
hu. 86400   IN  NS  d.hu.
hu. 86400   IN  NS  ns.nic.hu.
hu. 86400   IN  NS  ns-com.nic.hu.

dig: couldn't get address for 'b.hu': not found


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFOMcQKL6j7milTFsERAqbWAJ9Cl4/VZFLq0yVYDpEMLRI4XYcTlQCbBXQS
o0VleIVPSv28wwiER/pPQ+8=
=3jMY
-END PGP SIGNATURE-




Re: .hu ns records incorrect?

2011-07-28 Thread Stephane Bortzmeyer
On Thu, Jul 28, 2011 at 01:18:29PM -0700,
 Carl Byington  wrote 
 a message of 35 lines which said:

> dig: couldn't get address for 'b.hu': not found

Strange. It works for me.

b.hu.   86292   IN  A   193.239.149.3


Re: Split PTR zone (internal and external)

2011-07-28 Thread Kevin Darcy

On 7/28/2011 12:26 PM, CT wrote:

I am wondering what might be a good "workaround" for this
legacy setup...

Will do my best to explain..

IP Space
- 1 Class B Global Unique (used Externally and Internally)
- 1 Class B RFC1918

DNS Setup

External DNS (Linux - Bind 9.8.x)
- example-ext.com DNS domain
- authoritative for PTR Global Unique

Mid Tier DNS  (Linux - Bind 9.8.x)
- Mixture of Class B Global and RFC 1918
- not accessible "from the Internet"
- forwards all RFC 1918 PTR to the Internal DNS
- can resolve any Internal / External A records

Internal DNS(MS DNS - w/DDNS)
- only internal DNS zones (i.e. inside.example.com)
- MS DNS use Mid Tier DNS for "external" name resolution (i.e. isc.org)
- Has the *same* Global Unique Class B PTR as the External DNS
**

Scenario

- internal hosts using the Internal DNS can not resolve  External PTR
for example-ext.com. since a valid PTR zone already exists..

The only solution that I have come up with is to manually
put the "external" PTR records in the AD PTR Zone file.

Not sure if there is a resolution to do in MS DNS but will ask the same
question in that group.  Wanted to start here..
Delegate out the relevant /24 ranges as subzones of your main /16 
in-addr.arpa zone. Define only the internal reverse subzones in your 
"Internal DNS" and then use slave/stub/forward to resolve all of the 
external ones.



- Kevin




Re: no servers could be reached

2011-07-28 Thread uifid...@gmail.com
Sorry, it's a typo in the maillist, but not in my file system. My
resolv.conf is in the right place.

2011/7/29 Michael McNally :
> On 7/28/11 12:16 AM, uifid...@gmail.com wrote:
>>
>> my /etc/resolve.conf
>
> Note:     ^^^
>>
>> named-checkzone named-checkconf passed, I suppose the configure works
>> but only get no servers could be reached.What's wrong with my config?
>
> Your resolv.conf is in the wrong place.  Let's see what happens when
> that occurs:
>
> With resolv.conf in place:
>
>> Chickamin-River:~ $ dig www.isc.org
>>
>> ; <<>> DiG 9.6.0-APPLE-P2 <<>> www.isc.org
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5913
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.isc.org.                   IN      A
>>
>> ;; ANSWER SECTION:
>> www.isc.org.            263     IN      A       149.20.64.42
>>
>> ;; Query time: 49 msec
>> ;; SERVER: 8.8.8.8#53(8.8.8.8)
>> ;; WHEN: Thu Jul 28 11:42:34 2011
>> ;; MSG SIZE  rcvd: 45
>
>
> With resolv.conf in the wrong place:
>
>
>> Chickamin-River:~ $ mv /etc/resolv.conf /etc/resolv.conf.moved
>> Chickamin-River:~ $ dig www.isc.org
>>
>> ; <<>> DiG 9.6.0-APPLE-P2 <<>> www.isc.org
>> ;; global options: +cmd
>> ;; connection timed out; no servers could be reached
>
>

Re: Split PTR zone (internal and external)

2011-07-28 Thread CT

On 7/28/2011 4:58 PM, Kevin Darcy wrote:

On 7/28/2011 12:26 PM, CT wrote:

I am wondering what might be a good "workaround" for this
legacy setup...

Will do my best to explain..

IP Space
- 1 Class B Global Unique (used Externally and Internally)
- 1 Class B RFC1918

DNS Setup

External DNS (Linux - Bind 9.8.x)
- example-ext.com DNS domain
- authoritative for PTR Global Unique

Mid Tier DNS  (Linux - Bind 9.8.x)
- Mixture of Class B Global and RFC 1918
- not accessible "from the Internet"
- forwards all RFC 1918 PTR to the Internal DNS
- can resolve any Internal / External A records

Internal DNS(MS DNS - w/DDNS)
- only internal DNS zones (i.e. inside.example.com)
- MS DNS use Mid Tier DNS for "external" name resolution (i.e. isc.org)
- Has the *same* Global Unique Class B PTR as the External DNS
**

Scenario

- internal hosts using the Internal DNS can not resolve  External PTR
for example-ext.com. since a valid PTR zone already exists..

The only solution that I have come up with is to manually
put the "external" PTR records in the AD PTR Zone file.

Not sure if there is a resolution to do in MS DNS but will ask the same
question in that group.  Wanted to start here..
Delegate out the relevant /24 ranges as subzones of your main /16 
in-addr.arpa zone. Define only the internal reverse subzones in your 
"Internal DNS" and then use slave/stub/forward to resolve all of the 
external ones.



- Kevin



Much Thanks..
I will see if the /16 can be delegated out..

CT


Re: no servers could be reached

2011-07-28 Thread uifid...@gmail.com
still get "no servers could be reached", need help.

#dig @127.0.0.1 nsc1.domainx

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> @127.0.0.1 nsc1.domainx.
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search domainx localdomain
nameserver 127.0.0.1

cat var/named/named.conf
//
// named.caching-nameserver.conf
//
options {
        listen-on port 53 { 192.168.18.128; 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
view localhost_resolver {
        match-clients      { localhost; };
        match-destinations { localhost; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
};
view viewx {
        include "domainx.zones";
};


#cat var/domainx.zones
zone "domainx" IN {
        type master;
        file "domainx.zone";
        allow-update { none; };
};

#cat var/domainx.zone
$TTL    86400
$origin domainx.
@       IN      SOA     ns1      root.localhost.  (
                                      1997022704 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      360        ; Expire
                                      86400 )    ; Minimum

        IN      NS      ns1
ns1.domainx.    IN      A       192.168.18.128
ns2.domainx.    IN      A       127.0.0.1
nsc1            IN      CNAME   ns1
nsc2            IN      CNAME   ns2


Re: no servers could be reached

2011-07-28 Thread uifid...@gmail.com
#hostname
CentOS3

Does it matter?

2011/7/29 uifid...@gmail.com :
> still get "no servers could be reached", need help.
>
> #dig @127.0.0.1 nsc1.domainx
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> @127.0.0.1 nsc1.domainx.
> ; (1 server found)
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
>
> cat /etc/resolv.conf
> ; generated by /sbin/dhclient-script
> search domainx localdomain
> nameserver 127.0.0.1
>
> cat var/named/named.conf
> //
> // named.caching-nameserver.conf
> //
> options {
>        listen-on port 53 { 192.168.18.128; 127.0.0.1; };
>        listen-on-v6 port 53 { ::1; };
>        directory       "/var/named";
>        dump-file       "/var/named/data/cache_dump.db";
>        statistics-file "/var/named/data/named_stats.txt";
>        memstatistics-file "/var/named/data/named_mem_stats.txt";
> };
> logging {
>        channel default_debug {
>                file "data/named.run";
>                severity dynamic;
>        };
> };
> view localhost_resolver {
>        match-clients      { localhost; };
>        match-destinations { localhost; };
>        recursion yes;
>        include "/etc/named.rfc1912.zones";
> };
> view viewx {
>        include "domainx.zones";
> };
>
>
> #cat var/domainx.zones
> zone "domainx" IN {
>        type master;
>        file "domainx.zone";
>        allow-update { none; };
> };
>
> #cat var/domainx.zone
> $TTL    86400
> $origin domainx.
> @       IN      SOA     ns1      root.localhost.  (
>                                      1997022704 ; Serial
>                                      28800      ; Refresh
>                                      14400      ; Retry
>                                      360    ; Expire
>                                      86400 )    ; Minimum
>
>        IN      NS      ns1
> ns1.domainx.    IN      A       192.168.18.128
> ns2.domainx.    IN      A       127.0.0.1
> nsc1            IN      CNAME   ns1
> nsc2            IN      CNAME   ns2
>