Re: Minimal responses and speeding up queries

2016-09-26 Thread Tony Finch
Mark Andrews  wrote:
>
> Both of these are on my to do list.

Yay!

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Rockall: South 5 to 7, occasionally gale 8 later. Moderate or rough, becoming
very rough later in west. Rain or showers. Moderate or good, occasionally
poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


db.domainsurvey.isc.org 204.152.184.104 queries

2016-09-26 Thread David A. Evans
I'm moving the authoritative servers for some of my V4 reverse 
zones and have noticed 204.152.184.104 querying me for 
180.x.x.x.in-addr.arpa over and over again.   Any given /24 combination 
gets several queries per day for the 180 IP.   Across my class B's it's 
generating thousands of queries per day, which is not a big deal, but it 
continues to query the old servers for days after the TTLs on the 
delegation have expired.  Hence the reason it stuck out and I started 
looking at it.

I could only find sales email addresses listed for the "ISC Domain 
Survey" data so I decided to try here.   It's not breaking anything, I just 
found it ironic that ISC's data mining was not honoring the TTLs in the 
reverse zone delegations.   Also, I found it annoying that they were 
asking for the same reverse tens to hundreds of times over the course of 
several days.


David Evans
Enterprise IP/DNS Management
Network Infrastructure Tools and Services

Re: db.domainsurvey.isc.org 204.152.184.104 queries

2016-09-26 Thread Mark Andrews

In message 
, 
"David A. Evans" writes:
> 
> I'm moving the authoritative servers for some of my V4 reverse 
> zones and have noticed 204.152.184.104 querying me for 
> 180.x.x.x.in-addr.arpa over and over again.   Any given /24 combination 
> gets several queries per day for the 180 IP.   Across my class B's it's 
> generating thousands of queries per day, which is not a big deal, but it 
> continues to query the old servers for days after the TTLs on the 
> delegation have expired.  Hence the reason it stuck out and I started 
> looking at it.
> 
> I could only find sales email addresses listed for the "ISC Domain 
> Survey" data so I decided to try here.   It's not breaking anything, I just 
> found it ironic that ISC's data mining was not honoring the TTLs in the 
> reverse zone delegations.   Also, I found it annoying that they were 
> asking for the same reverse tens to hundreds of times over the course of 
> several days.
> 
> 
> David Evans
> Enterprise IP/DNS Management
> Network Infrastructure Tools and Services

Did you try clicking on "Contact" on the main isc.org web page which
leads to https://www.isc.org/mission/contact/ or even the SOA contact
field hostmas...@isc.org or even i...@isc.org from the domain survey
page?  All of these methods are monitored.

I'll forward this on.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: disable ipv6 source query

2016-09-26 Thread Hillary Nelson
We have this configured on our server:

server ::/0 { bogus yes; };

Just recently noticed the config above can actually cause problems
resolving hostnames. It works if the hostname and the nameservers hosting
it are on the same TLD; for example, isc.org's nameservers are all in the
isc.org domain, so the server doesn't need to make an extra trip to get the
nameserver IP. But if the hostname and nameservers are on different TLDs,
like org.org (hosted by gandi.net) or mit.edu (hosted by akam.net), trying
to resolve those names can cause random ServFail.

For example, to resolve org.org, our nameserver sends a separate A/AAAA
query for each NS of org.org (a|b|c.dns.gandi.net); if gandi's nameserver
returns the AAAA query to our nameserver first, our nameserver immediately
sends back 'ServFail' to the client.

Here are the relevant tcpdumps. 192.168.2.1 is our nameserver IP;
immediately after it got "AAAA 2001:4b98:abcb::1", 192.168.2.1 sends
ServFail to client 10.0.2.1. Can someone help explain why??

Server is Linux with private IPv6 and public IPv4, bind-9.9.9-P2; also
tried on a server with only an IPv4 stack but not running with '-4', same
problem.

21:50:06.241074 IP 192.168.2.1.40214 > 217.70.177.45.53: 39763% [1au] AAAA? b.dns.gandi.net. (44)
21:50:06.244717 IP 192.33.14.30.53 > 192.168.2.1.36814: 4- 0/9/9 (788)
21:50:06.244828 IP 192.33.14.30.53 > 192.168.2.1.21146: 51773- 0/9/9 (788)
21:50:06.244949 IP 192.168.2.1.44748 > 217.70.177.45.53: 58879% [1au] A? c.dns.gandi.net. (44)
21:50:06.245028 IP 192.168.2.1.31154 > 217.70.177.45.53: 20056% [1au] AAAA? a.dns.gandi.net. (44)
21:50:06.245312 IP 192.33.14.30.53 > 192.168.2.1.52630: 45706- 0/9/9 (788)
21:50:06.245323 IP 192.33.14.30.53 > 192.168.2.1.24836: 29881- 0/9/9 (788)
21:50:06.245367 IP 192.33.14.30.53 > 192.168.2.1.41506: 55177- 0/9/9 (788)
21:50:06.245482 IP 192.168.2.1.33406 > 217.70.177.45.53: 60412% [1au] AAAA? c.dns.gandi.net. (44)
21:50:06.245488 IP 192.168.2.1.7636 > 217.70.177.45.53: 56644% [1au] A? b.dns.gandi.net. (44)
21:50:06.245723 IP 192.168.2.1.52639 > 217.70.177.45.53: 50741% [1au] A? a.dns.gandi.net. (44)
21:50:06.351604 IP 217.70.177.45.53 > 192.168.2.1.40214: 39763*- 1/5/10 AAAA 2001:4b98:abcb::1 (359)
21:50:06.352037 IP 192.168.2.1.53 > 10.0.2.1.57356: 57631 ServFail 0/0/1 (36)

Thanks!
Hillary



On Tue, Jun 21, 2016 at 9:55 PM, Warren Kumari  wrote:

>
>
> On Tuesday, June 21, 2016, Mark Andrews  wrote:
>
>>
>> server ::/0 { bogus yes; };
>
>
> Eeeeww! That's gross, but in a bizarrely satisfying way.
>
> W
>
>
>
>>
>> In message > hvy05q26lmpt...@mail.gmail.com>, Hillary Nelson writes:
>> > We are moving our v6 DNS from F5 to anycast, since F5 can translate
>> address
>> > from v6 to v4, our backend servers are still only v4 and we never have
>> > problem to resolve hostname with v4 only.
>> >
>> > Now for anycast, I want to enable v6 with private address only, but
>> seems
>> > like named favors v6 and using it to source query other nameserver, it
>> will
>> > try v4 if v6 fails, like this(I've configured source-query-v6 address
>> ::1
>> > so v6 always fails):
>> >
>> > 21:04:33.303536 IP6 ::1.34892 > 2001:dcd:1::7.53: 33940% [1au] A?
>> > example.com. (48)
>> > 21:04:34.146521 IP 1.1.1.1.58822 > 2.2.2.2: 55501% [1au] A? example.com
>> .
>> > (48)
>> >
>> >
>> > My question is how to config named to only using v4 address to query
>> other
>> > nameserver, but still keep an listening v6 address?
>> >
>> > Thanks in advance!!
>> > Hillary
>> >
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad idea
> in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair of
> pants.
>---maf
>
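
One way to check a longer capture for the pattern reported in the message above (a ServFail sent to a client right after an upstream AAAA answer arrives), as an added example that is not part of the original post. The sample lines are modelled on the capture in the post with the record type written out as AAAA (an assumption); the function names and the 5 ms window are hypothetical choices.

```python
import re
from datetime import datetime, timedelta

# Sample lines modelled on the capture in the post (one packet per line;
# the AAAA record type is an assumption, inferred from the IPv6 answer).
CAPTURE = """\
21:50:06.241074 IP 192.168.2.1.40214 > 217.70.177.45.53: 39763% [1au] AAAA? b.dns.gandi.net. (44)
21:50:06.244949 IP 192.168.2.1.44748 > 217.70.177.45.53: 58879% [1au] A? c.dns.gandi.net. (44)
21:50:06.351604 IP 217.70.177.45.53 > 192.168.2.1.40214: 39763*- 1/5/10 AAAA 2001:4b98:abcb::1 (359)
21:50:06.352037 IP 192.168.2.1.53 > 10.0.2.1.57356: 57631 ServFail 0/0/1 (36)
"""

# tcpdump text format: time, protocol, src.port > dst.port: payload
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP6? (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")

def parse(text):
    """Yield (time, src, sport, dst, dport, payload) for each packet line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            t = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            yield t, m.group(2), int(m.group(3)), m.group(4), int(m.group(5)), m.group(6)

def servfail_after_aaaa(text, resolver, window_ms=5):
    """Pair each ServFail the resolver sends a client with the most recent
    upstream AAAA answer it received no more than window_ms earlier."""
    hits, last = [], None
    for t, src, sport, dst, dport, payload in parse(text):
        if sport == 53 and dst == resolver and re.search(r"\bAAAA \S+", payload):
            last = (t, src)                   # upstream answer carrying AAAA data
        elif src == resolver and sport == 53 and "ServFail" in payload:
            if last and t - last[0] <= timedelta(milliseconds=window_ms):
                gap_us = (t - last[0]) // timedelta(microseconds=1)
                hits.append({"client": dst, "upstream": last[1], "gap_us": gap_us})
    return hits

if __name__ == "__main__":
    for hit in servfail_after_aaaa(CAPTURE, "192.168.2.1"):
        print(hit)
```

The parser expects one packet per line, so wrapped tcpdump output has to be rejoined first, and timestamps that cross midnight are not handled.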