Re: BIND9 Return different IP address based on subnet

2014-12-29 Thread Matus UHLAR - fantomas

On 28.12.14 19:59, Christian Kette wrote:

> Thank you for the helpful answer.
> I changed the file /etc/bind/named.conf.local to
> 
> [...]
> 
> view "ext" {
>     match-clients { 192.168.2.0/24; };
>     zone "2.168.192.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.rev.2.168.192.in-addr.arpa";
>     };
> };
> view "wlan0" {
>     match-clients { 192.168.3.0/24; };
>     zone "3.168.192.in-addr.arpa" {
>         type master;
>         file "/etc/bind/db.rev.3.168.192.in-addr.arpa";
>     };
> };
> 
> [...]

The point of views is not to have different zones; you need views when you
have different versions of the same zone.

In your example you could use a single view with all of the zones.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges. 
___

Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
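To make Matus's point concrete, here is an added example (not code from the thread, from ISC or from BIND) that models BIND's first-match view selection in Python: views are tried in configuration order and the first whose match-clients ACL accepts the source address answers the query, and only zones defined inside that view are visible to it. Run against Christian's two-view layout, a client on 192.168.3.0/24 can never reach the 2.168.192.in-addr.arpa data, while the single view and the split-horizon layout (the same zone with a different file per client group, which is what views are for) behave as intended. Zone names other than Christian's, the view names, file paths and client addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class View:
    """One 'view' clause: its match-clients ACL and the zones defined in it."""
    name: str
    match_clients: list                         # CIDR prefixes, or the literal "any"
    zones: dict = field(default_factory=dict)   # zone name -> zone file

    def matches(self, client: str) -> bool:
        addr = ipaddress.ip_address(client)
        return any(acl == "any" or addr in ipaddress.ip_network(acl)
                   for acl in self.match_clients)


def select_view(views, client):
    """First-match rule: the first view whose match-clients accepts the
    source address handles the query.  A query that matches no view is
    rejected by named; that case is modelled here as None."""
    for view in views:
        if view.matches(client):
            return view
    return None


def resolve_zone(views, client, zone):
    """Return (view name, zone file) for a query on `zone` from `client`.
    (None, None): no view matched.  (name, None): a view matched but does
    not define that zone, so the zone's data is unreachable from this
    client no matter which other view holds it."""
    view = select_view(views, client)
    if view is None:
        return None, None
    return view.name, view.zones.get(zone)


# Christian's named.conf.local from the thread: one zone per view.
SPLIT_BY_SUBNET = [
    View("ext", ["192.168.2.0/24"],
         {"2.168.192.in-addr.arpa": "/etc/bind/db.rev.2.168.192.in-addr.arpa"}),
    View("wlan0", ["192.168.3.0/24"],
         {"3.168.192.in-addr.arpa": "/etc/bind/db.rev.3.168.192.in-addr.arpa"}),
]

# Matus's suggestion: both zones in a single view (view name "all" is constructed).
SINGLE_VIEW = [
    View("all", ["any"], {
        "2.168.192.in-addr.arpa": "/etc/bind/db.rev.2.168.192.in-addr.arpa",
        "3.168.192.in-addr.arpa": "/etc/bind/db.rev.3.168.192.in-addr.arpa",
    }),
]

# What views are for: the same zone, a different version per client group.
# Zone name and file paths are constructed for the example.
SPLIT_HORIZON = [
    View("internal", ["192.168.0.0/16"],
         {"example.test": "/etc/bind/db.example.test.internal"}),
    View("external", ["any"],
         {"example.test": "/etc/bind/db.example.test.external"}),
]


if __name__ == "__main__":
    # Constructed client addresses: one per subnet plus an outsider.
    for label, views in (("split by subnet", SPLIT_BY_SUBNET),
                         ("single view", SINGLE_VIEW)):
        print(f"== {label} ==")
        for client in ("192.168.2.10", "192.168.3.10", "10.0.0.5"):
            for zone in ("2.168.192.in-addr.arpa", "3.168.192.in-addr.arpa"):
                print(f"{client:>14} {zone:<24} -> {resolve_zone(views, client, zone)}")
    print("== split horizon ==")
    for client in ("192.168.5.1", "203.0.113.7"):
        print(f"{client:>14} example.test -> {resolve_zone(SPLIT_HORIZON, client, 'example.test')}")
```

The `(name, None)` result for a 192.168.3.x client asking about 2.168.192.in-addr.arpa is the failure mode Matus is pointing at: the view matched, so named will not consult the "ext" view, and the zone simply does not exist for that client.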


Strange DLZ issues

2014-12-29 Thread Lars Hanke
Following the last Debian Jessie update, my Samba attached bind ceased 
working. Since there was no Samba update, the DLZ libs were unchanged, 
as was the configuration.


I'm now running BIND 9.9.5-7-Debian, which imports zones from a Samba4 
installation. Actually, Samba is expected to only serve the forward 
zones, i.e. if I check the Samba AD, there are no reverse zones defined. 
But this is what I see when starting bind:


Dec 29 10:43:07 verdandi named[2763]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
Dec 29 10:43:07 verdandi named[2763]: 
Dec 29 10:43:07 verdandi named[2763]: BIND 9 is maintained by Internet Systems Consortium,
Dec 29 10:43:07 verdandi named[2763]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Dec 29 10:43:07 verdandi named[2763]: corporation.  Support and training for BIND 9 are
Dec 29 10:43:07 verdandi named[2763]: available at https://www.isc.org/support
Dec 29 10:43:07 verdandi named[2763]: 
Dec 29 10:43:07 verdandi named[2763]: adjusted limit on open files from 4096 to 1048576
Dec 29 10:43:07 verdandi named[2763]: found 4 CPUs, using 4 worker threads
Dec 29 10:43:07 verdandi named[2763]: using 4 UDP listeners per interface
Dec 29 10:43:07 verdandi named[2763]: using up to 4096 sockets
Dec 29 10:43:07 verdandi named[2763]: loading configuration from '/etc/bind/named.conf'
Dec 29 10:43:07 verdandi named[2763]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Dec 29 10:43:07 verdandi named[2763]: using default UDP/IPv4 port range: [1024, 65535]
Dec 29 10:43:07 verdandi named[2763]: using default UDP/IPv6 port range: [1024, 65535]
Dec 29 10:43:07 verdandi named[2763]: no IPv6 interfaces found
Dec 29 10:43:07 verdandi named[2763]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 29 10:43:07 verdandi named[2763]: listening on IPv4 interface eth0, 172.16.10.17#53
Dec 29 10:43:07 verdandi named[2763]: generating session key for dynamic DNS
Dec 29 10:43:07 verdandi named[2763]: sizing zone task pool based on 22 zones
Dec 29 10:43:07 verdandi named[2763]: Loading 'AD Zones' using driver dlopen
Dec 29 10:43:07 verdandi named[2763]: samba_dlz: started for DN DC=ad,DC=microsult,DC=de
Dec 29 10:43:07 verdandi named[2763]: samba_dlz: starting configure
Dec 29 10:43:07 verdandi named[2763]: zone 10.16.172.in-addr.arpa/NONE: has 0 SOA records
Dec 29 10:43:07 verdandi named[2763]: zone 10.16.172.in-addr.arpa/NONE: has no NS records
Dec 29 10:43:07 verdandi named[2763]: samba_dlz: Failed to configure zone '10.16.172.in-addr.arpa.'
Dec 29 10:43:07 verdandi named[2763]: loading configuration: bad zone
Dec 29 10:43:07 verdandi named[2763]: exiting (due to fatal error)
Dec 29 10:43:07 verdandi named[2763]: samba_dlz: shutting down

Okay, the reverse zone does not exist, but I could create it in Samba, 
which changes the game slightly:


Dec 29 10:31:12 verdandi named[2601]: samba_dlz: started for DN DC=ad,DC=microsult,DC=de
Dec 29 10:31:12 verdandi named[2601]: samba_dlz: starting configure
Dec 29 10:31:12 verdandi named[2601]: samba_dlz: configured writeable zone '10.16.172.in-addr.arpa.'
Dec 29 10:31:12 verdandi named[2601]: zone 1.16.172.in-addr.arpa/NONE: has 0 SOA records
Dec 29 10:31:12 verdandi named[2601]: zone 1.16.172.in-addr.arpa/NONE: has no NS records
Dec 29 10:31:12 verdandi named[2601]: samba_dlz: Failed to configure zone '1.16.172.in-addr.arpa.'
Dec 29 10:31:12 verdandi named[2601]: loading configuration: bad zone

Okay, another reverse zone. Let's iterate successful steps:

Dec 29 10:29:20 verdandi named[2522]: samba_dlz: started for DN DC=ad,DC=microsult,DC=de
Dec 29 10:29:20 verdandi named[2522]: samba_dlz: starting configure
Dec 29 10:29:20 verdandi named[2522]: samba_dlz: configured writeable zone '10.16.172.in-addr.arpa.'
Dec 29 10:29:20 verdandi named[2522]: samba_dlz: configured writeable zone '1.16.172.in-addr.arpa.'
Dec 29 10:29:20 verdandi named[2522]: samba_dlz: Failed to configure zone '10.16.172.in-addr.arpa'
Dec 29 10:29:20 verdandi named[2522]: loading configuration: already exists

Ooops! It fails on the zone added first! And what does it want to tell 
me by "already exists"?


Any ideas how to troubleshoot the issue?

Thanks for your help,
 - lars.


Re: Strange DLZ issues

2014-12-29 Thread Karl Auer
On Mon, 2014-12-29 at 10:57 +0100, Lars Hanke wrote:
> Ooops! It fails on the zone added first! And what does it want to tell 
> me by "already exists"?
> Any ideas how to troubleshoot the issue?

Inspect your input files very carefully. That smells like a cut and
paste error to me.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
Old fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A




Re: Strange DLZ issues

2014-12-29 Thread Mukund Sivaraman
Hi Lars

On Mon, Dec 29, 2014 at 10:57:57AM +0100, Lars Hanke wrote:
> Dec 29 10:29:20 verdandi named[2522]: samba_dlz: starting configure
> Dec 29 10:29:20 verdandi named[2522]: samba_dlz: configured writeable zone
> '10.16.172.in-addr.arpa.'
> Dec 29 10:29:20 verdandi named[2522]: samba_dlz: configured writeable zone
> '1.16.172.in-addr.arpa.'
> Dec 29 10:29:20 verdandi named[2522]: samba_dlz: Failed to configure zone
> '10.16.172.in-addr.arpa'
> Dec 29 10:29:20 verdandi named[2522]: loading configuration: already exists
> 
> Ooops! It fails on the zone added first! And what does it want to tell me by
> "already exists"?

The samba_dlz driver is trying to create a writeable DLZ zone by calling
into named, but named sees that the zone already exists (it is failing
on the attempt to add a duplicate).

This could be due to various reasons in a Samba environment. I suggest
asking on the Samba lists. Look at these discussions for example:

https://lists.samba.org/archive/samba-technical/2013-September/094688.html
https://lists.samba.org/archive/samba/2014-March/179456.html
https://lists.samba.org/archive/samba/2012-July/168239.html
https://lists.samba.org/archive/samba-technical/2012-July/085386.html

Mukund


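The three startup logs Lars posted and Mukund's reading of them ("already exists" is named rejecting a duplicate zone that samba_dlz had already configured in the same run) lend themselves to a small triage script. The following is an added example, not code from the thread, from ISC or from Samba: it parses the syslog-style lines that named writes, groups them per named process id (one id per start attempt), and for each zone that samba_dlz failed to configure reports whether the cause visible in the log was missing SOA/NS data (a "bad zone") or a zone the same run had already configured (a duplicate). The regular expressions match only message texts that appear in the logs above; the sample log is assembled from those lines.

```python
import re
from collections import defaultdict

# syslog-style prefix written by named, e.g.
# "Dec 29 10:43:07 verdandi named[2763]: samba_dlz: starting configure"
LINE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ named\[(?P<pid>\d+)\]: ?(?P<msg>.*)$")
CONFIGURED = re.compile(r"samba_dlz: configured writeable zone '(?P<zone>[^']+)'")
FAILED = re.compile(r"samba_dlz: Failed to configure zone '(?P<zone>[^']+)'")
BAD_ZONE = re.compile(r"zone (?P<zone>\S+)/\S+: (?P<why>has 0 SOA records|has no NS records)")
FATAL = re.compile(r"loading configuration: (?P<why>.+)")

# Sample input: the samba_dlz-related lines from the three named runs in the thread.
SAMPLE_LOG = """\
Dec 29 10:43:07 verdandi named[2763]: samba_dlz: starting configure
Dec 29 10:43:07 verdandi named[2763]: zone 10.16.172.in-addr.arpa/NONE: has 0 SOA records
Dec 29 10:43:07 verdandi named[2763]: zone 10.16.172.in-addr.arpa/NONE: has no NS records
Dec 29 10:43:07 verdandi named[2763]: samba_dlz: Failed to configure zone '10.16.172.in-addr.arpa.'
Dec 29 10:43:07 verdandi named[2763]: loading configuration: bad zone
Dec 29 10:31:12 verdandi named[2601]: samba_dlz: starting configure
Dec 29 10:31:12 verdandi named[2601]: samba_dlz: configured writeable zone '10.16.172.in-addr.arpa.'
Dec 29 10:31:12 verdandi named[2601]: zone 1.16.172.in-addr.arpa/NONE: has 0 SOA records
Dec 29 10:31:12 verdandi named[2601]: zone 1.16.172.in-addr.arpa/NONE: has no NS records
Dec 29 10:31:12 verdandi named[2601]: samba_dlz: Failed to configure zone '1.16.172.in-addr.arpa.'
Dec 29 10:31:12 verdandi named[2601]: loading configuration: bad zone
Dec 29 10:29:20 verdandi named[2522]: samba_dlz: starting configure
Dec 29 10:29:20 verdandi named[2522]: samba_dlz: configured writeable zone '10.16.172.in-addr.arpa.'
Dec 29 10:29:20 verdandi named[2522]: samba_dlz: configured writeable zone '1.16.172.in-addr.arpa.'
Dec 29 10:29:20 verdandi named[2522]: samba_dlz: Failed to configure zone '10.16.172.in-addr.arpa'
Dec 29 10:29:20 verdandi named[2522]: loading configuration: already exists
"""


def norm(zone):
    """named logs the same zone with and without a trailing dot; compare them equal."""
    return zone.rstrip(".").lower()


def triage(lines):
    """Map (pid, zone) -> (reason for the configure failure, fatal config error of that run)."""
    runs = defaultdict(lambda: {"configured": [], "bad": defaultdict(list),
                                "failed": [], "fatal": None})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                         # not a named line, ignore
        run, msg = runs[m.group("pid")], m.group("msg")
        if c := CONFIGURED.search(msg):
            run["configured"].append(norm(c.group("zone")))
        elif b := BAD_ZONE.search(msg):
            run["bad"][norm(b.group("zone"))].append(b.group("why"))
        elif f := FAILED.search(msg):
            run["failed"].append(norm(f.group("zone")))
        elif x := FATAL.search(msg):
            run["fatal"] = x.group("why")

    findings = {}
    for pid, run in runs.items():
        for zone in run["failed"]:
            if zone in run["configured"]:
                # The zone was offered to named twice within one run (Mukund's duplicate case).
                reason = "duplicate: samba_dlz offered a zone named already holds"
            elif zone in run["bad"]:
                reason = "missing data: " + ", ".join(run["bad"][zone])
            else:
                reason = "unknown"
            findings[(pid, zone)] = (reason, run["fatal"])
    return findings


if __name__ == "__main__":
    for (pid, zone), (reason, fatal) in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        print(f"named[{pid}] zone {zone}: {reason} (config result: {fatal})")
```

On the thread's logs this separates the two failure modes cleanly: runs 2763 and 2601 fail on a reverse zone that exists in AD with no SOA or NS data, while run 2522 fails because 10.16.172.in-addr.arpa was handed to named a second time. When reading a real syslog, feed the script the full file rather than excerpts, since the "configured writeable zone" line that explains a later "already exists" can be many lines earlier.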

The ISC Website (www.isc.org) was recently compromised and was found to be serving malware.

2014-12-29 Thread Michael McNally
Last week ISC received a report from security firm Cyphort Labs
informing us that our website, www.isc.org, was delivering malware
content to visitors.  Here is a summary of what we know and what
we believe to be true about this incident.

What we know to a high degree of confidence:

  + Security on www.isc.org was compromised and the site was serving
    malware known as the Angler Exploit to visitors.  Angler Exploit
    primarily targets Flash, Silverlight, and Microsoft Internet
    Explorer.  Diagnosis and removal instructions for Angler Exploit
    malware are available on the web and existing resources do a
    better job of explaining than we could within the scope of this
    message.  Please consult with them or with your chosen security
    vendor to find out what steps you need to take.

  + Only the main ISC website was compromised.  There is no evidence
    that other ISC information services or critical ISC infrastructure
    (such as the F-root nameservers) were affected at all.  While the
    main ISC web site has been replaced with a static page until it
    can be secured, other ISC information resources such as our
    Knowledge Base (kb.isc.org), FTP service (ftp.isc.org), and GIT
    repository (source.isc.org) were not compromised and continue to
    operate normally.

  + Although many visitors discover the links by visiting www.isc.org,
    ISC software products such as DHCP and BIND are actually delivered
    via the ISC ftp server (ftp.isc.org) which was not affected.  For
    additional security, all official ISC software releases are
    cryptographically signed using the ISC code signing key
    (codes...@isc.org) and their integrity can be verified using PGP
    or GPG in conjunction with the codes...@isc.org public key.

What we strongly suspect:

  + The intrusion is believed to have been accomplished by exploiting
    a vulnerability in one of the plug-ins used by our Wordpress
    content management system.

  + We have no reason to believe that ISC was specifically targeted;
    we believe we were simply a convenient target because we used a
    vulnerable Wordpress component.  According to security researchers
    at Sucuri.net, on the order of 100,000 Wordpress sites may have
    been compromised by this or similar attacks.

What are we doing to prevent this from happening again?

  + ISC took down the affected site and replaced it with a static page
    which will remain until we are confident that the site has been
    secured.

  + In the immediate short term, a new site is being built on a
    freshly-installed VM with more stringent security restrictions on
    Wordpress.  All of the content on the site is being scrutinized by
    an engineer to make sure that the restored site does not contain
    any content introduced during the intrusion.  Going forward, ISC
    will re-assess whether Wordpress is an appropriate choice for the
    foundation of our public website.

  + New policies will be adopted to track staff edits which, in
    conjunction with software tools which track changes in site
    content, will allow site admins to quickly identify any unexpected
    changes to the site in the future and respond accordingly.

ISC is deeply sorry for any inconvenience or risk caused to people
who visited the www.isc.org site and we pledge to do our best to
ensure that this situation does not reoccur.


Michael McNally
(writing for ISC Security Officer)