Re: Is there a way to turn off EDNS Responses from Server globally for all the endpoints

2016-09-29 Thread Mark Andrews

In message , Harshith Mulky writes:
> Before anybody asks, why would I need to turn off EDNS, this is to verify
> the client falling back to TCP in case EDNS is not supported on server,
> and the server has to send response > 512 bytes, and the client falls
> back to TCP and queries the server

If you just want smaller responses "max-udp-size 512;".

> Appreciate any help
> 
> Thanks in advance
> Harshith
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
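The "max-udp-size 512;" suggestion as a complete options block, added here as an example rather than taken from the message; the directory path is an assumption, and the contrast with edns-udp-size is included because the two are easy to confuse:

```conf
// Added example, not from the list message. Options for a test instance that
// sends every response larger than 512 bytes truncated, so a client's TCP
// fallback can be exercised without having to switch EDNS off.
options {
    directory "/var/named";    // assumed path

    // Upper bound on the UDP response size named will SEND, whatever buffer
    // size the querying client advertises in its EDNS OPT record. An answer
    // that does not fit goes out with the TC bit set, and a conforming client
    // repeats the same query over TCP.
    max-udp-size 512;

    // Not the same knob: this is the buffer size named ADVERTISES in its own
    // outgoing queries when it recurses. Left at the default so the test stays
    // confined to the client-facing side.
    // edns-udp-size 4096;
};
```

To see the truncation rather than the retried answer, query with `dig +ignore`, which stops dig from falling back to TCP so the `tc` flag shows in the flags line; the same query without `+ignore` should complete over TCP and return the full response.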


Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Matthew Pounsett
On 29 September 2016 at 12:02, Tim Daneliuk  wrote:

> In the dark and dusty reaches of my elderly DNS experience, ISTR a way to
> set up A records so that the request to resolve a name returns a *list
> of associated IPs*.  This is distinct from DNS RR (I think?) which
> simply returns a different *single* IP for each call (I may well be wrong).
>
> Can some kind soul point me to a relevant explanation of how to do the
> hostname -> multiple IP mapping?
>

Just include multiple A resource records (RRs). It's up to the client how
it uses those records, and what makes sense there is largely application
specific: round robin, try them in series, etc.


>
> Thanks,
> --
> 
> 
> Tim Daneliuk tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
>

Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread John Miller
Hi Tim,

AFAIK, multiple A records are the only way to return multiple IPs for
a given FQDN.  If there are multiple A records for a given name, BIND
will return all of those records -- it'll return all the IPs.  It's up
to the client in question to decide how to use that information.

John

On Thu, Sep 29, 2016 at 3:02 PM, Tim Daneliuk  wrote:
> In the dark and dusty reaches of my elderly DNS experience, ISTR a way to
> set up A records so that the request to resolve a name returns a *list
> of associated IPs*.  This is distinct from DNS RR (I think?) which
> simply returns a different *single* IP for each call (I may well be wrong).
>
> Can some kind soul point me to a relevant explanation of how to do the
> hostname -> multiple IP mapping?
>
> Thanks,
> --
> 
> Tim Daneliuk tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
>



-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
(781) 736-4619


Multiple IPs Associated With A Single Name

2016-09-29 Thread Tim Daneliuk
In the dark and dusty reaches of my elderly DNS experience, ISTR a way to
set up A records so that the request to resolve a name returns a *list
of associated IPs*.  This is distinct from DNS RR (I think?) which 
simply returns a different *single* IP for each call (I may well be wrong).

Can some kind soul point me to a relevant explanation of how to do the
hostname -> multiple IP mapping?

Thanks,
-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/



Re: adding zone forwards without restart

2016-09-29 Thread Frank Even
I am running chrooted.  I'm relying on the "feature" of BIND "mounting" the
standard dirs into a chroot via the standard startup scripts in Cent6/7.
My understanding is it's not "copying" the files anywhere, but using those
that are there.  I am modifying them via puppet on the system.  I've even
created a "service" to only do an "rndc reconfig" instead of refreshing the
service to ensure I can do safe puppet runs.  But yeah, no matter what I
do, nothing short of a restart of the service (typically "service named
restart" on EL6 and "service named-chroot restart" on EL7) works.

On Wed, Sep 21, 2016 at 1:53 AM, Tony Finch  wrote:

> Frank Even  wrote:
>
> > Is there a way to add forwarders for specific zones without a restart?
> > Everything I've read seems to indicate an "rndc reconfig" or an "rndc
> > reload" should take care of this, but they do not.  I add forwarders to
> > "named.conf" and neither will load the new forwarded zone until I do a full
> > daemon restart.
>
> I bet you are running chrooted, and you are editing named.conf outside the
> chroot, and the restart script copies it into the chroot.
>
> You need to find a way to run the copy independently of restarting the
> daemon.
>
> Maybe there is something like `systemctl reload named.service` which does
> a graceful reload ... but, looking at the srpm I think you might have to
> run `/usr/libexec/setup-named-chroot.sh /var/named/chroot on`. OBVIOUSLY.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
> Trafalgar: North or northwest 4 or 5. Moderate or rough. Fair. Good.
>

Re: adding zone forwards without restart

2016-09-29 Thread Frank Even
None of that works.  Nothing short of a restart of the daemon notices new
forwarders added to the config.  That is inclusive of:

rndc reconfig
rndc reload
rndc flushname $nameofforwardersadded
rndc flush

A restart of the service however, that does work.  That is far more
disruptive than I like though (making adding a forwarder a bit more labor
intensive at this point than I was hoping it would be).

On Wed, Sep 21, 2016 at 8:30 AM, Tony Finch  wrote:

> Benny Pedersen  wrote:
> >
> > why does reload not flush ?
>
> Often you want to reload zone files without throwing away the cache.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
> Bailey: Southeast 6 to gale 8, becoming cyclonic, mainly southwest, gale 8 to
> storm 10, backing south 5 to 7 later. Very rough or high, becoming rough. Rain
> then showers. Moderate or poor, occasionally good.

Re: adding zone forwards without restart

2016-09-29 Thread Frank Even
I'm adding forwarders, not adding an authoritative domain.  I'm not working
directly with a zone at all.  Just intercepting DNS traffic for a specific
zone intended to be internal only and forwarding it to another group of
resolvers instead of dumping the queries to the Internet.

On Wed, Sep 21, 2016 at 5:03 PM, Sten Carlsen  wrote:

> I assume you did increase the serial, if not this is what I would expect
> to happen.
>
> On 21/09/16 10:53, Tony Finch wrote:
>
> Frank Even   wrote:
>
>
> Is there a way to add forwarders for specific zones without a restart?
> Everything I've read seems to indicate an "rndc reconfig" or an "rndc
> reload" should take care of this, but they do not.  I add forwarders to
> "named.conf" and neither will load the new forwarded zone until I do a full
> daemon restart.
>
> I bet you are running chrooted, and you are editing named.conf outside the
> chroot, and the restart script copies it into the chroot.
>
> You need to find a way to run the copy independently of restarting the
> daemon.
>
> Maybe there is something like `systemctl reload named.service` which does
> a graceful reload ... but, looking at the srpm I think you might have to
> run `/usr/libexec/setup-named-chroot.sh /var/named/chroot on`. OBVIOUSLY.
>
> Tony.
>
>
> --
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>
>"MALE BOVINE MANURE!!!"
>
>

Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Tim Daneliuk
On 09/29/2016 02:08 PM, John Miller wrote:
> Hi Tim,
> 
> AFAIK, multiple A records are the only way to return multiple IPs for
> a given FQDN.  If there are multiple A records for a given name, BIND
> will return all of those records -- it'll return all the IPs.  It's up
> to the client in question to decide how to use that information.
> 
> John
>


Thanks all, for responding.

One followup question.  I am currently doing some engineering work for
GreatBigHugeCo, wherein getting things like DNS updates done is very
time and paperwork intensive.  Sometimes I think it would be easier
to do tensor analysis with an abacus, but I digress ...

For reasons too long and complex to explain, I may want to do the following
and need some input on how to implement this or whether it's even practical:

  - Run an instance of bind in user space so I can control all the 
configuration without having root.

  - Forward all lookups not in my database to a "real" DNS server


What I am stuck on is this:  Is there any simple (i.e., non-root) way
to write a client or otherwise configure userspace to go to the non-standard
port and run my sort of man-in-the-middle server?  Or is this just a stupid
idea?


-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/



Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Tim Daneliuk
On 09/29/2016 04:18 PM, Tim Daneliuk wrote:
> On 09/29/2016 02:08 PM, John Miller wrote:
>> Hi Tim,
>>
>> AFAIK, multiple A records are the only way to return multiple IPs for
>> a given FQDN.  If there are multiple A records for a given name, BIND
>> will return all of those records -- it'll return all the IPs.  It's up
>> to the client in question to decide how to use that information.
>>
>> John
>>
> 
> 
> Thanks all, for responding.
> 
> One followup question.  I am currently doing some engineering work for
> GreatBigHugeCo, wherein getting things like DNS updates done is very
> time and paperwork intensive.  Sometimes I think it would be easier
> to do tensor analysis with an abacus, but I digress ...
> 
> For reasons too long and complex to explain, I may want to do the following
> and need some input on how to implement this or whether it's even practical:
> 
>   - Run an instance of bind in user space so I can control all the 
> configuration without having root.
> 
>   - Forward all lookups not in my database to a "real" DNS server
> 
> 
> What I am stuck on is this:  Is there any simple (i.e., non-root) way
> to write a client or otherwise configure userspace to go to the non-standard
> port and run my sort of man-in-the-middle server?  Or is this just a stupid
> idea?
> 
> 


I forgot to mention:  At least one use case for this might be a case where
I can force the client in user space to use the DNS server and port of my
choosing.  In that case, they won't be using the system DNS config and the
above would not apply.   However, I am unclear on whether bind can be run
as an unprivileged user on a non-standard port.

-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/



Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Matthew Pounsett
On 29 September 2016 at 14:18, Tim Daneliuk  wrote:

>
> What I am stuck on is this:  Is there any simple (i.e., non-root) way
> to write a client or otherwise configure userspace to go to the
> non-standard
> port and run my sort of man-in-the-middle server?  Or is this just a stupid
> idea?
>
>
There's no way to specify a port number in a delegation, so if this is an
authoritative DNS server that you expect random clients on the Internet to
contact, it must run on port 53... so you'll need root access to start it
up.  I'm not aware of stub resolvers that accept port numbers in their
configuration either  (e.g. glibc and resolv.conf) ... although I'll admit
I haven't gone to double check that... but I think you're out of luck for a
recursive server as well.

Configuration for forwarders and stub zones can include a port number,
however.  So in theory you could have a server somewhere that answers on
port 53 forwarding queries to your server that answers on an unprivileged
port.

That seems like a lot of complexity to go to in order to avoid running a
name server as root, though.  You'd probably be better off convincing your
systems people to set up sudo in such a way that you can administer a DNS
server running on a privileged port, and nothing else.

RE: Multiple IPs Associated With A Single Name

2016-09-29 Thread Darcy Kevin (FCA)
Yeah, sure, just run it with your own special config file (with -c); in that 
config file, set the listen-on to an unprivileged port, and make sure all of 
the pathnames (including implicit pathnames like the pid-file) are to 
files/directories to which the unprivileged user has read and (where necessary) 
write access.

As a sanity check, I just fired up an instance on a Red Hat box, as an 
unprivileged user, listening on port 12345. It's a caching-only config, with 
our own internal-root hints, and it's resolving (internal) names just fine.


- Kevin



-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Tim 
Daneliuk
Sent: Thursday, September 29, 2016 5:24 PM
To: John Miller
Cc: Bind Users
Subject: Re: Multiple IPs Associated With A Single Name

On 09/29/2016 04:18 PM, Tim Daneliuk wrote:
> On 09/29/2016 02:08 PM, John Miller wrote:
>> Hi Tim,
>>
>> AFAIK, multiple A records are the only way to return multiple IPs for 
>> a given FQDN.  If there are multiple A records for a given name, BIND 
>> will return all of those records -- it'll return all the IPs.  It's 
>> up to the client in question to decide how to use that information.
>>
>> John
>>
> 
> 
> Thanks all, for responding.
> 
> One followup question.  I am currently doing some engineering work for 
> GreatBigHugeCo, wherein getting things like DNS updates done is very 
> time and paperwork intensive.  Sometimes I think it would be easier to 
> do tensor analysis with an abacus, but I digress ...
> 
> For reasons too long and complex to explain, I may want to do the 
> following and need some input on how to implement this or whether it's even 
> practical:
> 
>   - Run an instance of bind in user space so I can control all the 
> configuration without having root.
> 
>   - Forward all lookups not in my database to a "real" DNS server
> 
> 
> What I am stuck on is this:  Is there any simple (i.e., non-root) way 
> to write a client or otherwise configure userspace to go to the 
> non-standard port and run my sort of man-in-the-middle server?  Or is 
> this just a stupid idea?
> 
> 


I forgot to mention:  At least one use case for this might be a case where I 
can force the client in user space to use the DNS server and port of my 
choosing.  In that case, they won't be using the system DNS config and the
above would not apply.   However, I am unclear on whether bind can be run
as an unprivileged user on a non-standard port.

--

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/

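Kevin's recipe (own config via -c, listen-on an unprivileged port, every pathname writable by the user) and Matthew's point that a forward zone is where a port number can be configured, combined into one setup as an added example; none of this is configuration from either message, and the user name, paths, port 12345, the zone apps.internal and all addresses are assumptions:

```conf
// --- File 1: /home/appdev/named/named.conf (assumed path). Started by the
// unprivileged user with:  named -c /home/appdev/named/named.conf
// Added example, not the list posters' own configuration.
options {
    directory "/home/appdev/named";            // zone files and runtime state live here
    pid-file "/home/appdev/named/named.pid";   // the implicit default under /var/run is not writable
    session-keyfile "/home/appdev/named/session.key";   // another implicit pathname, moved for the same reason
    listen-on port 12345 { 127.0.0.1; };       // unprivileged port, so no root is needed to bind it
    listen-on-v6 { none; };
    allow-query { localhost; };                // only the apps on this host, never the public network
    recursion yes;
    // Anything not served by a zone below is handed to the "real" resolvers.
    forwarders { 192.0.2.53; 192.0.2.54; };    // assumed addresses of the site's resolvers
    forward only;                              // never walk the Internet roots from this box
};

// Empty controls statement: no rndc channel (its default port 953 is privileged).
// Reload configuration the way the thread's systemd unit does:  kill -HUP <pid>
controls { };

// The narrow set of internal app-server names the app team controls itself.
// apps.internal.zone holds several A records for one name where needed
// (e.g. three "api IN A ..." lines); named returns all of them and the client
// decides how to use them.
zone "apps.internal" {
    type master;
    file "apps.internal.zone";     // owned and writable by the unprivileged user
};

// --- File 2: fragment for the site's normal server on port 53, run by the
// sysadmins. A forward zone is the one place a port number can be given, so
// it can hand apps.internal to the unprivileged instance.
zone "apps.internal" {
    type forward;
    forward only;
    forwarders { 127.0.0.1 port 12345; };   // assumed: both instances on the same host
};
```

Clients that rely on the system stub resolver still cannot be pointed at port 12345 (Matthew's point), which is what File 2 is for; an application that does its own lookups can query 127.0.0.1 port 12345 directly.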


Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Tim Daneliuk
On 09/29/2016 04:33 PM, Matthew Pounsett wrote:
> 
> 
> On 29 September 2016 at 14:18, Tim Daneliuk wrote:
> 
> 
> What I am stuck on is this:  Is there any simple (i.e., non-root) way
> to write a client or otherwise configure userspace to go to the non-standard
> port and run my sort of man-in-the-middle server?  Or is this just a stupid
> idea?
> 
> 
> There's no way to specify a port number in a delegation, so if this is an 
> authoritative DNS server that you expect random clients on the Internet to 
> contact, it must run on port 53... so you'll need root access to start it up. 
>  I'm not aware of stub resolvers that accept port numbers in their 
> configuration either  (e.g. glibc and resolv.conf) ... although I'll admit I 
> haven't gone to double check that... but I think you're out of luck for a 
> recursive server as well.
> 
> Configuration for forwarders and stub zones can include a port number, 
> however.  So in theory you could have a server somewhere that answers on port 
> 53 forwarding queries to your server that answers on an unprivileged port.   

Yeah, kind of what I figured.

> That seems like a lot of complexity to go to in order to avoid running a name 
> server as root, though.  You'd probably be better off convincing your systems 
> people to set up sudo in such a way that you can administer a DNS server 
> running on a privileged port, and nothing else.
> 
> 

This is very, very, very hard to do.

One hope I have is that my team controls all the client-side apps code.
I want to explore the possibility of forcing that code to do lookups
to a server we control at a non-standard port that would only answer
lookups for a very narrow range of internal app servers (none of this
is on a public facing network) and forward everything else up to a real
DNS server.




-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/



Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Niall O'Reilly

On 29 Sep 2016, at 22:33, Matthew Pounsett wrote:

> That seems like a lot of complexity to go to in order to avoid running
> a name server as root, though.  You'd probably be better off
> convincing your systems people to set up sudo in such a way that you
> can administer a DNS server running on a privileged port, and nothing
> else.

  If this is for testing and you control all the clients, a VM of your own,
  perhaps under VirtualBox on your laptop, may meet your need.

  Niall O'Reilly

Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Tim Daneliuk
On 09/29/2016 04:57 PM, Niall O'Reilly wrote:
> On 29 Sep 2016, at 22:33, Matthew Pounsett wrote:
> 
>> That seems like a lot of complexity to go to in order to avoid running a 
>> name server as root, though.  You'd probably be better off convincing your 
>> systems people to set up sudo in such a way that you can administer a DNS 
>> server running on a privileged port, and nothing else.
> 
>   If this is for testing and you control all the clients, a VM of your own,
>   perhaps under VirtualBox on your laptop, may meet your need.
> 
>   Niall O'Reilly


No, not really.  It's for a private cloud microservices system we're
thinking through.  We already run most/many of the various service
backends in user space so that the app devs and support folks can control
their own universe without having to constantly invoke someone with sudo
or root or firecall permissions.   Because of very strict audit and
regulatory constraints, there is zero chance they'll ever get root/sudo
access to the DNS config, so running our private DNS just for this
subset of private client/cloud users may make sense.

I really appreciate everyone jumping in to help with this.

-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/



Re: Multiple IPs Associated With A Single Name

2016-09-29 Thread Matthew Pounsett
On 29 September 2016 at 15:07, Tim Daneliuk  wrote:

>
>
> No, not really.  It's for a private cloud microservices system we're
> thinking through.  We already run most/many of the various service
> backends in user space so that the app devs and support folks can control
> their own universe without having to constantly invoke someone with sudo
> or root or firecall permissions.   Because of very strict audit and
> regulatory constraints, there is zero chance they'll ever get root/sudo
> access to the DNS config, so running our private DNS just for this
> subset of private client/cloud users may make sense.
>

I suppose you could leave yourself an unprivileged config file... have
them put you in group 'dns' or something, and make all the configs and zone
files writable by that group.  At least that way all you need your
sysadmins for is to issue the 'rndc reconfig' command.

Re: adding zone forwards without restart

2016-09-29 Thread Reindl Harald


On 29.09.2016 at 21:27, Frank Even wrote:

> None of that works.  Nothing short of a restart of the daemon notices
> new forwarders added to the config.  That is inclusive of:
>
> rndc reconfig
> rndc reload
> rndc flushname $nameofforwardersadded
> rndc flush


our named instances are running chrooted and I defined a SIGHUP to
reload the named configuration in the systemd unit years ago, just so we
don't need to configure "rndc" or make it usable, since we don't have a
use case for it at all


ExecReload=/usr/bin/kill -HUP $MAINPID