Re: cache does truely in local and doesn't work in remote

2012-09-04 Thread Kevin Oberman
On Mon, Sep 3, 2012 at 5:24 PM, Mohsen Pahlevanzadeh
 wrote:
> On Mon, 2012-09-03 at 15:42 -0700, Kevin Oberman wrote:
>> On Sun, Sep 2, 2012 at 10:12 AM, Mohsen Pahlevanzadeh
>>  wrote:
>> > Dear all,
>> >
>> > I installed BIND on Debian/lenny, and I ran the following command on the
>> > server:
>> > ///
>> > root@shared:/etc/bind# dig @localhost yahoo.com
>> >
>> > ; <<>> DiG 9.7.3 <<>> @localhost yahoo.com
>> > ; (2 servers found)
>> > ;; global options: +cmd
>> > ;; Got answer:
>> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24259
>> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 2
>> >
>> > ;; QUESTION SECTION:
>> > ;yahoo.com. IN  A
>> >
>> > ;; ANSWER SECTION:
>> > yahoo.com.  3600  IN  A   72.30.38.140
>> > yahoo.com.  3600  IN  A   98.138.253.109
>> > yahoo.com.  3600  IN  A   98.139.183.24
>> >
>> > ;; AUTHORITY SECTION:
>> > yahoo.com.  172800  IN  NS  ns6.yahoo.com.
>> > yahoo.com.  172800  IN  NS  ns2.yahoo.com.
>> > yahoo.com.  172800  IN  NS  ns1.yahoo.com.
>> > yahoo.com.  172800  IN  NS  ns4.yahoo.com.
>> > yahoo.com.  172800  IN  NS  ns8.yahoo.com.
>> > yahoo.com.  172800  IN  NS  ns5.yahoo.com.
>> > yahoo.com.  172800  IN  NS  ns3.yahoo.com.
>> >
>> > ;; ADDITIONAL SECTION:
>> > ns6.yahoo.com.  172800  IN  A   202.43.223.170
>> > ns8.yahoo.com.  172800  IN  A   202.165.104.22
>> >
>> > ;; Query time: 136 msec
>> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> > ;; WHEN: Sun Sep  2 17:09:03 2012
>> > ;; MSG SIZE  rcvd: 233
>> > 
>> > According to the result, my BIND works properly, but when I run the same command on
>> > my machine, I get the following result:
>> > /
>> > root@debian:/home/mohsen# dig yahoo.com @184.22.226.206
>> >
>> > ; <<>> DiG 9.8.1-P1 <<>> yahoo.com @184.22.226.206
>> > ;; global options: +cmd
>> > ;; connection timed out; no servers could be reached
>> >
>> > 
>> >
>> > What do I set to solve it?
>> Two things that might be the issue:
>> 1. Does the BIND configuration (named.conf) enable BIND on your
>> external interface?
>> 2. Does a firewall allow access to port 53/UDP?
>>
>> There are other possibilities, depending on things like your network
>> configuration. Make sure that you can ping the server from the remote
>> system. And, please do not run an open recursive server. (Don't know
>> that you are trying to, but it looked quite possible.)
> Would you like to explain more?

A recursive DNS server that is available to the world can be used as
an amplifier for DDoS attacks. It is generally considered unacceptable
to allow public access to recursive servers. If you have the resources
of a Google, you can build tools to monitor for this and prevent this,
but it is not trivial and does not work with stock BIND or any other
free DNS server of which I am aware.

Further, if the server is authoritative for some zones and also
does recursion, it is far more vulnerable to cache poisoning attacks,
so the best common practice is to run separate authoritative and
recursive servers and limit recursion to internal and customer
systems.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6...@gmail.com
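The split Kevin describes, written out as named.conf fragments. This is an added illustration, not configuration from the thread or from Debian's BIND package; the "trusted" ACL name, the 192.0.2.0/24 prefix and the example.com zone are placeholders to replace with your own values.

```conf
// ---- named.conf on the RESOLVER host: recursion for the ACL only ----
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;          // placeholder: your internal / customer ranges
};

options {
    directory "/var/cache/bind";
    listen-on { any; };              // or just the interface clients use
    recursion yes;
    allow-query       { trusted; };  // nothing here is public
    allow-recursion   { trusted; };  // no open recursion to the world
    allow-query-cache { trusted; };  // cache contents stay private too
};

// ---- named.conf on the AUTHORITATIVE host (a separate server) ----
options {
    directory "/var/cache/bind";
    listen-on { any; };              // must include the external interface
    recursion no;                    // answers only for its own zones
    allow-query    { any; };
    allow-transfer { none; };        // list secondaries here instead
};

zone "example.com" {                 // placeholder zone
    type master;
    file "/etc/bind/db.example.com";
};
```

With the resolver configured this way, a `dig @server yahoo.com` from an address outside the ACL returns status REFUSED (and no `ra` flag) instead of an answer, which is the behaviour you want to see from the outside.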
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: cache does truely in local and doesn't work in remote

2012-09-04 Thread Mohsen Pahlevanzadeh
On Tue, 2012-09-04 at 09:51 -0700, Kevin Oberman wrote:
> A recursive DNS server that is available to the world can be used as
> an amplifier for DDoS attacks. It is generally considered unacceptable
> to allow public access to recursive servers. If you have the resources
> of a Google, you can build tools to monitor for this and prevent this,
> but it is not trivial and does not work with stock BIND or any other
> free DNS server of which I am aware.
> 
> Further, if the server is authoritative for some zones and also
> does recursion, it is far more vulnerable to cache poisoning attacks,
> so the best common practice is to run separate authoritative and
> recursive servers and limit recursion to internal and customer
> systems.
It's a beautiful idea... thank you.



Question related to domain names and less to bind straight.

2012-09-04 Thread Eliezer Croitoru
I am working on a blacklist, and in order to filter the list and to do
some error checks I first want to identify the TLD part of the domain, so
that the search prefix is at least the domain and not the TLD.


The basic list exists at: http://data.iana.org/TLD/tlds-alpha-by-domain.txt

But in the case of a regional TLD such as "il", I want to filter the domain
at the second or third level.


Is there an RFC that talks about regional TLDs?
Is there any known restriction on sub-domain naming under regional TLDs?
Like: under the "il" TLD, will there be only the domains net, gov, co, etc.?

Thanks,
Eliezer


--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il


Re: Question related to domain names and less to bind straight.

2012-09-04 Thread SM

At 22:04 04-09-2012, Eliezer Croitoru wrote:
> I am working on a blacklist and in order to filter the list and to
> do some error checks I first want to identify the TLD part of the
> domain to make the search prefix at least of the domain and not the TLD.
>
> The basic list exists at: http://data.iana.org/TLD/tlds-alpha-by-domain.txt
>
> But in the case of a regional TLD such as "il" I want to filter the
> domain at the second or third level.
>
> Is there an RFC that talks about regional TLDs?


No.


> Is there any known restriction on sub-domain naming under regional TLDs?


It's ccTLD policy.

See the public suffix list for an informal lower level break-down.

Regards,
-sm 




Re: Question related to domain names and less to bind straight.

2012-09-04 Thread Doron Shikmoni
Hello Eliezer,

Not an RFC, but you may find this list helpful:
http://mxr.mozilla.org/mozilla-central/source/netwerk/dns/effective_tld_names.dat?raw=1

Cheers,
Doron



On Wed, Sep 5, 2012 at 8:04 AM, Eliezer Croitoru wrote:

> I am working on a blacklist and in order to filter the list and to do some
> error checks I first want to identify the TLD part of the domain to make
> the search prefix at least of the domain and not the TLD.
>
> The basic list exists at: http://data.iana.org/TLD/tlds-alpha-by-domain.txt
>
> But in the case of a regional TLD such as "il" I want to filter the domain
> at the second or third level.
>
> Is there an RFC that talks about regional TLDs?
> Is there any known restriction on sub-domain naming under regional TLDs?
> Like: under the "il" TLD, will there be only the domains net, gov, co, etc.?
>
> Thanks,
> Eliezer
>
>
> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> eliezer  ngtech.co.il

Re: Question related to domain names and less to bind straight.

2012-09-04 Thread Phil Mayers

On 09/05/2012 07:31 AM, Doron Shikmoni wrote:
> Hello Eliezer,
>
> Not an RFC, but you may find this list helpful:
> http://mxr.mozilla.org/mozilla-central/source/netwerk/dns/effective_tld_names.dat?raw=1


See also:

http://publicsuffix.org/
http://www.dkim-reputation.org/regdom-libs/

...which are more generalised versions.
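What the public suffix list actually gives Eliezer's blacklist is the "registrable domain" (suffix plus one label), which is what the lookup key should be. The following is an added example, not code from the thread or from publicsuffix.org: it implements the list's matching rules (longest match, `*.` wildcards, `!` exceptions) over a constructed handful of rules in the list's own line format; the real `effective_tld_names.dat` can be fed to `parse_rules` unchanged.

```python
# Added example for this thread (not code from the list or any project):
# registrable-domain lookup over Public Suffix List style rules.
# The rules below are a constructed subset in publicsuffix.org's format,
# not the real list; load the real file the same way.
SAMPLE_RULES = """
// constructed sample: plain suffixes, a wildcard rule and an exception
com
il
co.il
org.il
ac.il
co.uk
*.ck
!www.ck
"""


def parse_rules(text):
    """Parse PSL-format text into {labels_tuple: is_exception}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules[tuple(line.lstrip("!").lower().split("."))] = line.startswith("!")
    return rules


def public_suffix(domain, rules):
    """Public suffix per PSL matching: exception rules win, else the
    longest matching rule (wildcard '*.x' counts), else the last label."""
    labels = domain.lower().rstrip(".").split(".")
    cands = [tuple(labels[i:]) for i in range(len(labels))]
    for cand in cands:                       # exception rule drops one label
        if rules.get(cand) is True:
            return ".".join(cand[1:])
    best = 1                                 # implicit default rule "*"
    for cand in cands:
        if cand in rules or (len(cand) > 1 and ("*",) + cand[1:] in rules):
            best = max(best, len(cand))
    return ".".join(labels[-best:])


def registrable_domain(domain, rules):
    """Suffix plus one label (the part a blacklist should key on),
    or None when the name is itself only a public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = len(public_suffix(domain, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None
```

A name that is only a suffix (`co.il`) yields None, which is the error check the original post asked for: such an entry would block every site under that suffix.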