what is the localnet with netmask 255.255.255.255?

2013-06-20 Thread Rolf Haynberg
Hi Bind-Users and Devs,

We are running servers which have an IP netmask of 255.255.255.255 and on which 
we had configured BIND to "allow-recursion { localnets; };". In this setting I 
would expect that only requests from the localhost allow recursion as there is 
no localnet.  However, BIND allows recursion globally, here - and we were 
running open resolvers.

Could this be a bug or is this the wanted behavior?

To the background of my question: Every Parallels Plesk installation brings a 
BIND with default config set to "allow-recursion { localnets; };". I would 
humbly assume that the above described behavior could be the reason for at 
least some open resolvers in the wild.

I'm happy to read your comments,
Rolf


In article ,
Lance Spitzner   wrote:
>I am attempting to limit recursive requests
>to my internal network only.  However,
>
> allow-recursion { localnets; };
>
> Doesn't seem to be doing the trick.  What
> is the proper way of limiting recursive lookups
> to a specific system/network?

That's the way to do it.  What seems to be going wrong?

--
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

AW: what is the localnet with netmask 255.255.255.255?

2013-06-20 Thread Rolf Haynberg
Sorry, I forgot to mention that the servers were running "Windows Server 2008". 
Linux does not seem to be affected.

From: bind-users-bounces+rolf.haynberg=1und1...@lists.isc.org 
[mailto:bind-users-bounces+rolf.haynberg=1und1...@lists.isc.org] On Behalf Of 
Rolf Haynberg
Sent: Thursday, 20 June 2013 14:57
To: bind-users@lists.isc.org
Subject: what is the localnet with netmask 255.255.255.255?

Hi Bind-Users and Devs,

We are running servers which have an IP netmask of 255.255.255.255 and on which 
we had configured BIND to "allow-recursion { localnets; };". In this setting I 
would expect that only requests from the localhost allow recursion as there is 
no localnet.  However, BIND allows recursion globally, here - and we were 
running open resolvers.

Could this be a bug or is this the wanted behavior?

To the background of my question: Every Parallels Plesk installation brings a 
BIND with default config set to "allow-recursion { localnets; };". I would 
humbly assume that the above described behavior could be the reason for at 
least some open resolvers in the wild.

I'm happy to read your comments,
Rolf

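What Rolf expected `localnets` to expand to on a host whose only address carries a 255.255.255.255 mask, as an added example that is not part of the thread and not BIND's own code: it computes the attached networks the way the built-in `localnets` ACL is documented to (every network the host has an interface on, loopback included), checks candidate client addresses against them, and renders an explicit named.conf ACL so the recursion policy no longer depends on how the OS reports interface netmasks. The interface table, the address 203.0.113.5 and the ACL name `trusted` are constructed; the code does not reproduce or explain the Windows behaviour Rolf observed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed interface table as the OS might report it: loopback plus the
# single-address /32 case from the thread (assumption: 203.0.113.5 is the
# server's only routable address).
INTERFACES = [
    ("127.0.0.1", "255.0.0.0"),
    ("203.0.113.5", "255.255.255.255"),
]


def localnets(interfaces: Iterable[Tuple[str, str]]) -> List[ipaddress.IPv4Network]:
    """Networks directly attached to the host, which is what BIND documents
    the built-in ``localnets`` ACL as matching. A 255.255.255.255 mask yields
    a single-host /32, so nothing but the server itself should match."""
    nets = {ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for addr, mask in interfaces}
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def is_allowed(client: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """Would a query from ``client`` pass an ACL made of ``nets``?"""
    ip = ipaddress.ip_address(client)
    return any(ip in n for n in nets)


def render_named_conf(acl_name: str, nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Emit an explicit ACL plus the options that gate recursion on it, so
    the recursion policy no longer depends on interface netmask reporting."""
    entries = "".join(f"    {n.with_prefixlen};\n" for n in nets)
    return (
        f"acl {acl_name} {{\n{entries}}};\n"
        "options {\n"
        "    recursion yes;\n"
        f"    allow-recursion {{ {acl_name}; }};\n"
        f"    allow-query-cache {{ {acl_name}; }};\n"
        "};\n"
    )


if __name__ == "__main__":
    nets = localnets(INTERFACES)
    print(render_named_conf("trusted", nets))
    for src in ("203.0.113.5", "198.51.100.9"):
        print(src, "recursion allowed" if is_allowed(src, nets) else "refused")
```

After reloading with the explicit ACL, a query such as `dig @203.0.113.5 www.example.com` sent from a host outside the ACL should come back without the `ra` flag in the header; if `ra` is still set, the server is still an open resolver regardless of what `localnets` evaluated to.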

long SPF txt record

2013-06-20 Thread Koehler, Charles
Our email group wants to change the current SPF txt record and replace it with 
one that is 274 characters. 

How can I put it in so that it works correctly?

Thanks
--cwk
==
Charles Koehler
Network Operations - IT Infrastructure
UCSF
500 Parnassus Ave P7-14
San Francisco, CA 94143
Email:  charles.koeh...@ucsf.edu
Office: 415.476-8767
Mobile: 650-204-0499





Re: long SPF txt record

2013-06-20 Thread 风河
You may take a look at google's setting as samples.
It's just grouping, I.e, gmail's SPF:

$ idig gmail.com txt
gmail.com.              300     IN      TXT     "v=spf1 redirect=_spf.google.com"

$ idig _spf.google.com txt
_spf.google.com.        300     IN      TXT     "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ?all"

$ idig _netblocks.google.com txt
_netblocks.google.com.  3600    IN      TXT     "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"



On 13-6-21 1:13 AM, "Koehler, Charles" wrote:

>Our email group wants to change the current SPF txt record and replace it
>with one that is 274 characters.
>
>How can I put it in so that it works correctly?
>



Re: long SPF txt record

2013-06-20 Thread Lawrence K. Chen, P.Eng.
3.1.3. Multiple Strings in a Single DNS record

As defined in RFC 1035 sections 3.3.14 and 3.3, a single text DNS record 
(either TXT or SPF RR types) can be composed of more than one string. If a 
published record contains multiple strings, then the record MUST be treated as 
if those strings are concatenated together without adding spaces. For example:

IN TXT "v=spf1  first" "second string..."
MUST be treated as equivalent to

IN TXT "v=spf1  firstsecond string..."

SPF or TXT records containing multiple strings are useful in constructing 
records that would exceed the 255-byte maximum length of a string within a 
single TXT or SPF RR record.


-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library


Re: long SPF txt record

2013-06-20 Thread David Miller

On 6/20/2013 1:13 PM, Koehler, Charles wrote:
> Our email group wants to change the current SPF txt record and replace it 
> with one that is 274 characters. 
> 
> How can I put it in so that it works correctly?
> 
> Thanks
> --cwk

From RFC 4408 ( http://www.ietf.org/rfc/rfc4408.txt )

3.1.3.  Multiple Strings in a Single DNS record

   As defined in [RFC1035] sections 3.3.14 and 3.3, a single text DNS
   record (either TXT or SPF RR types) can be composed of more than one
   string.  If a published record contains multiple strings, then the
   record MUST be treated as if those strings are concatenated together
   without adding spaces.  For example:

  IN TXT "v=spf1  first" "second string..."

   MUST be treated as equivalent to

  IN TXT "v=spf1  firstsecond string..."

   SPF or TXT records containing multiple strings are useful in
   constructing records that would exceed the 255-byte maximum length of
   a string within a single TXT or SPF RR record.


-DMM
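The mechanics behind the RFC 4408 section 3.1.3 text quoted in Lawrence's and David's replies, and behind the redirect/include layering in the gmail.com records shown earlier, as an added example that is not part of the thread and not from ISC: it splits a record longer than 255 bytes into multiple character-strings (keeping the separating space inside one of the strings, since the checker adds nothing when it concatenates), renders the zone-file form, re-joins the strings the way a checker does, and counts the terms that cost a DNS lookup, because a record that triggers more than 10 of them fails with permerror no matter how well it was split. The 274-character record, its include targets and the address ranges are constructed.

```python
import re
from typing import List

MAX_STRING = 255      # RFC 1035 <character-string> limit, in bytes
MAX_DNS_LOOKUPS = 10  # RFC 4408 section 10.1 (kept in RFC 7208 section 4.6.4)

# Constructed 274-character record standing in for the one in the question
# (documentation and benchmarking address ranges, made-up include targets).
LONG_SPF = (
    "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ip4:203.0.113.0/24 "
    "ip4:198.18.0.0/15 include:_spf.example.net "
    "include:spf.mailprovider.example include:spf.crm.example "
    "include:spf.newsletter.example a:outbound.example.com mx:example.com "
    "ip6:2001:db8::/32 ip6:2001:db8:1::/48 -all"
)


def split_txt(record: str, limit: int = MAX_STRING) -> List[str]:
    """Cut a record into <character-string>s of at most ``limit`` bytes.
    A checker concatenates them without adding anything, so the separating
    space must be carried inside one of the strings; we cut just after the
    last space that fits so each string stays readable."""
    data = record.encode("ascii")
    parts = []
    while len(data) > limit:
        cut = data.rfind(b" ", 0, limit) + 1   # keep the space at the end
        if cut == 0:
            cut = limit                        # no space: mid-token is still valid
        parts.append(data[:cut].decode("ascii"))
        data = data[cut:]
    parts.append(data.decode("ascii"))
    return parts


def join_txt(strings: List[str]) -> str:
    """RFC 4408 section 3.1.3: strings are concatenated without adding spaces."""
    return "".join(strings)


def zone_rr(owner: str, strings: List[str], ttl: int = 3600) -> str:
    """Render the record in zone-file syntax, one quoted string per part."""
    quoted = " ".join('"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
                      for s in strings)
    return f"{owner} {ttl} IN TXT {quoted}"


LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def count_dns_lookups(record: str) -> int:
    """Terms that cost a DNS query under the RFC limit. Going past 10 makes
    checkers return permerror, which disables SPF for the domain."""
    n = 0
    for term in record.split()[1:]:            # skip the v=spf1 tag
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            n += 1
    return n


if __name__ == "__main__":
    parts = split_txt(LONG_SPF)
    print(zone_rr("example.com.", parts))
    assert join_txt(parts) == LONG_SPF
    print("DNS lookups:", count_dns_lookups(LONG_SPF), "of", MAX_DNS_LOOKUPS)
```

Once loaded, `dig example.com TXT` prints the record as two adjacent quoted strings; an SPF checker sees the 274-character record, and the lookup count of 6 stays under the limit even after the include targets are followed.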


THANKS! RE: long SPF txt record

2013-06-20 Thread Koehler, Charles
My thanks to everyone who responded. --cwk :-)



RE: SPF record with include:

2013-06-20 Thread Julie Xu
Hi Steven, Jason, Ged and Bind experts,

Thanks for the reply. It is a great help.

However, I need to ask more.

For this include clause to be added in, I also need to add DKIM records. 

We do not use it currently, which means the mx part does not use it, but the 
include part will use it.

Could I get advice on whether the DKIM records will impact the email service 
related to the mx environment?

Thousands of thanks for your advice

Julie

-Original Message-
From: Steven Carr [mailto:sjc...@gmail.com] 
Sent: Tuesday, 18 June 2013 4:11 PM
To: Julie Xu
Cc: bind-users@lists.isc.org
Subject: Re: SPF record with include:

Remove the "" part; whatever mailer agent you use has screwed with the 
information that you were sent, and it is not required. So your finished TXT 
record will be...

TXT "v=spf1 mx include:otheremailsrv.otherdomain ~all"

Steve


On 18 June 2013 06:56, Julie Xu  wrote:
> Hi
>
>
>
> I be asked to add:
>
> include:otheremailsrv.otherdomain
>
>  so the TXT records will be looked like:
>
> TXT "v=spf1 mx
> include:otheremailsrv.otherdomain  ~all"
>
>
>
> Question, from my limited research, I have not found any example to 
> put http part into TXT records, and a little bit worried.
>
>
>
> Could any one advice me if I can put http in spf record like above?
>
>
>
> If so, is my statement right?
>
>
>
> Any comments will be appreciated
>
>
>
> Thanks in advance
>
>
>
> julie
>
>


Secondary DNS question...

2013-06-20 Thread SH Development
Our secondary DNS machine went down (and unnoticed for 24 hours).

Today, we had multiple people calling about email that hadn't come in, and 
trouble with outgoing emails not going out.

Our primary DNS was up the whole time.  So my question is, why would my 
secondary being down, and only my primary being up cause so many problems?  I 
thought the whole idea behind having two DNS servers on different networks was 
to never have a failure like this.

My understanding was that when DNS is queried, the one that responds fastest is 
the information that is used.  If the secondary is down, then the primary would 
by default always be fastest (and only).

I think I reasonably understand basic DNS and the setup, but this has me 
thinking that something isn't set up right.

Can anyone shed any light on what might have happened here?  Could my primary 
not be responding as it should?  All the tests I have run on it show that it is 
responding normally.

Jeff


DDoS or Hijacking? Some tips for you delete poisoned cache

2013-06-20 Thread ISC Support Engineering Staff
https://www.isc.org/blogs/hijacking-dns-error-ddos-what-happened-and-what-you-can-do/

From ISC Support Engineering staff


Re: Secondary DNS question...

2013-06-20 Thread John Miller
Hi Jeff,

You've pointed out two separate problems (incoming e-mail not coming in &
outgoing e-mail not going out), so some more details about your environment
would probably be useful here:

- are you combining both authoritative and recursive DNS on the same
servers?
- Are you using different MXes for incoming and outgoing e-mail?
- How is name resolution configured on each? For example, are your MXes
running local caching NS?  Are they forwarding to another NS?  What's their
nameserver order?

Not sure if you're posting from the same domain that had the outage, so
won't make any assumptions there.

That said, some general info: outside MXes use authoritative DNS to send to
you; your incoming MX servers use recursive DNS to do any reverse lookups
on sender IPs, to query DNSBLs, and to get SPF/DKIM/DMARC info; outgoing
MXes use recursive DNS to find outside MXes.

John






-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
(781) 736-4619
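One failure mode that John's questions about nameserver order and recursive lookups point at, as an added model that is not part of the thread and is not a diagnosis of Jeff's outage: a stub resolver walks the servers in resolv.conf in order and waits out a timeout on each dead one before trying the next (glibc defaults are timeout 5 s and 2 attempts), and an inbound MX pays that wait once per lookup, for the sender PTR, every DNSBL and the SPF TXT record John lists. The server addresses, their up/down state, the DNSBL names and the sender are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed environment (assumption, not a detail from the thread): the MX
# host's resolv.conf lists two recursive servers and the first one is down.
SERVER_IS_UP = {"192.0.2.53": False, "192.0.2.54": True}


@dataclass
class StubResolver:
    """Model of a glibc-style stub resolver: resolv.conf order, timeout:5,
    attempts:2, and the optional 'options rotate' behaviour."""
    nameservers: List[str]
    server_is_up: Dict[str, bool]
    timeout: float = 5.0
    attempts: int = 2
    rotate: bool = False
    _next: int = field(default=0, repr=False)

    def resolve(self, qname: str) -> Tuple[bool, float]:
        """Return (answered, seconds spent). Each attempt walks the server
        list in order and waits ``timeout`` seconds for every server that
        does not answer before moving on to the next one."""
        order = list(self.nameservers)
        if self.rotate:                      # spread first tries across servers
            k = self._next % len(order)
            order = order[k:] + order[:k]
            self._next += 1
        spent = 0.0
        for _ in range(self.attempts):
            for ns in order:
                if self.server_is_up.get(ns, False):
                    return True, spent
                spent += self.timeout
        return False, spent


def reverse_name(ipv4: str) -> str:
    """PTR owner name for an IPv4 address (in-addr.arpa form)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def inbound_lookups(sender_ip: str, sender_domain: str, dnsbls: List[str]) -> List[str]:
    """Names an inbound MX resolves for one message, per John's list: the
    sender's PTR, one query per DNSBL, and the sender domain (SPF TXT)."""
    rev = ".".join(reversed(sender_ip.split(".")))
    names = [reverse_name(sender_ip)]
    names += [f"{rev}.{bl}" for bl in dnsbls]
    names.append(sender_domain)              # TXT lookup for v=spf1
    return names


def message_delay(resolver: StubResolver, names: List[str]) -> float:
    """Seconds the MTA spends waiting on DNS for one message, nothing cached."""
    return sum(resolver.resolve(n)[1] for n in names)


if __name__ == "__main__":
    names = inbound_lookups("198.51.100.7", "sender.example",
                            ["bl1.example", "bl2.example"])
    for order in (["192.0.2.53", "192.0.2.54"], ["192.0.2.54", "192.0.2.53"]):
        r = StubResolver(order, SERVER_IS_UP)
        print(order, "->", message_delay(r, names), "s per message")
```

With the dead server listed first every uncached lookup costs 5 s, so the four lookups above add 20 s to each inbound message while the outage lasts; with the live server first, or with `options rotate` sharing the first try between them, the cost drops to zero or alternates. Checking `/etc/resolv.conf` on the MX hosts, and whether those servers are the ISP's resolvers or the authoritative pair, is the quickest way to tell whether this is the mechanism behind the symptoms.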

Re: Secondary DNS question...

2013-06-20 Thread SH Development
I agree that the incoming and outgoing are different issues.  I just mention it 
because I dealt with issues on both fronts today.  The few claims that I had 
about email not being delivered were proved false by reviewing the logs that 
showed they had actually been delivered.  So I don't think that really has 
anything to do with the issue.

I believe we are authoritative, as outgoing DNS requests are handled by our 
ISP's DNS servers.  Does that sound right?

Incoming mail (MX record) on most of our hosted domains is pointed to our spam 
filtering appliance at mailfoundry.starionhost.net with a priority of 10. We 
are testing out a new spam server appliance on a couple of our own domains and 
have a secondary MX set up with a priority of 20.

All outgoing mail that customers send goes through their respective domain, ex. 
mail.starionline.com

Feel free to poke around our ns1.starionhost.net and ns2.starionhost.net

I would be interested to hear about any red flags you may see.

Jeff
