Re: Minimum TTL?
> On 09.02.2018 at 07:02, sth...@nethelp.no wrote:
>> Yesterday I measured, on our busiest resolvers, the amount of replies
>> with TTL=0 the resolvers received (from the authoritative servers).
>> Turns out we receive around 2.3 percent replies with TTL=0. This is a
>> percentage I can live with, and I see no reason to artificially
>> inflate the TTL.
>>
>> That being said - if the percentage had been significantly higher, I
>> would feel it was perfectly reasonable to set a minimum TTL of for
>> instance 10s. I agree that this is a decision for each operator.

On 09.02.18 08:21, Reindl Harald wrote:
> and i can tell you from where they are coming: CISCO router with
> "DNS-ALG" between primary and slave writing in front of every CNAME
> explicit a TTL 0 statement - was there and it takes a long time until
> you realize that your slave responds with different data as you
> configured

which, in advance, hugely increases the amount of DNS queries sent by
clients for hosts that are widely used. That can backfire and hugely
increase load (session count) on those cisco routers.

Using min-ttl would help much there. And it's the part that can be fixed
on side of BIND without waiting for network admins.

been there too...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
I don't have lysdexia. The Dog wouldn't allow that.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Minimum TTL?
Reindl Harald wrote:
>
> CISCO router with "DNS-ALG"

Oh god, never turn on PIX/ASA protocol fuxup features.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Malin: West 5 or 6, backing south 7 to severe gale 9 for a time. Very
rough or high. Rain or wintry showers. Good, occasionally poor.
Re: Minimum TTL?
Leave off the "protocol fixup feature", it's cleaner :-P

On Fri, Feb 9, 2018 at 7:15 AM, Tony Finch wrote:
> Reindl Harald wrote:
>>
>> CISCO router with "DNS-ALG"
>
> Oh god, never turn on PIX/ASA protocol fuxup features.
>
> Tony.
> -- 
> f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
> Malin: West 5 or 6, backing south 7 to severe gale 9 for a time. Very
> rough or high. Rain or wintry showers. Good, occasionally poor.

-- 
I don't think the execution is relevant when it was obviously a bad idea
in the first place. This is like putting rabid weasels in your pants, and
later expressing regret at having chosen those particular rabid weasels
and that pair of pants.
---maf
Re: Minimum TTL?
On 09.02.2018 at 13:15, Tony Finch wrote:
> Reindl Harald wrote:
>> CISCO router with "DNS-ALG"
>
> Oh god, never turn on PIX/ASA protocol fuxup features

well, i did not know that the ISP ships that crap with the feature
enabled, and even if i did, i could not imagine that it takes a
zone-transfer on the wire and starts playing games with the data
Re: frequent client query errors: "rpz_rewrite_name: mismatched summary data" ?
ping, anyone?

On 2/1/18 10:22 AM, PGNet Dev wrote:
> I recently updated to
>
>   named -v
>     BIND 9.12.0
>
> compiled locally with
>
>   ... --enable-rpz-nsip --enable-rpz-nsdname --enable-querytrace ...
>
> Now, in logs I'm seeing many of these errors, for numerous domain queries,
>
>   ...
>   Feb 1 09:58:51 dns001 named[37642]: 01-Feb-2018 09:58:51.316 client: error: query client=0x7fed700dccf0 thread=0x7fed75bbd700 (api.stacksocial.com/A): rpz_rewrite_name: mismatched summary data; continuing
>   ...
>
> Per this thread
>
>   Latest BIND: Error "rpz_rewrite_name: mismatched summary data; continuing"
>   https://lists.isc.org/pipermail/bind-users/2016-September/097550.html
>
> suggested to 'avoid' the error by
>
>   (1) Don't use regular BIND 9.9 for RPZ. For using RPZ, please use 9.10 and higher
>
> and
>
>   (2) ... if you want to just not see this log message, just recompile after removing the offending CTRACE statement from bin/named/query.c. In fact, this code is normally enabled when configured with --enable-querytrace ...
>
> which doesn't address the problem, beyond "not seeing" the errors.
>
> What are these errors actually DUE to, and how are they to be fixed?
Re: frequent client query errors: "rpz_rewrite_name: mismatched summary data" ?
PGNet Dev wrote:
> ping, anyone?

You know as much about these errors as I do ...

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Fisher, German Bight: Mainly southerly 5 to 7. Moderate or rough.
Occasional rain. Good, occasionally poor.
Re: Minimum TTL?
In article , Grant Taylor wrote:
> On 02/08/2018 08:51 AM, Mukund Sivaraman wrote:
>> Also, just for argument's sake, one user wants to extend TTLs to
>> 5s. Another wants 60s TTLs. What is OK and what is going too far?
>
> I think what is "OK" is up to each administrator.
>
> Obviously the zone administrators have decided that they want people to
> use the 2s TTL.
>
> That being said, it is up to each individual recursive server operator
> if they want to honor what the zone administrators have published, or if
> the recursive administrators want to override published desires.
>
>> It really is something for the zone owner to consider.
>
> Yes and no. Yes it's up to the zone owner to consider what intentions
> that they want to publish. No, the zone owner has no influence on how I
> operate my servers. I choose how I operate my servers.
>
> If I choose to operate my servers in a manner that ignores the zone
> owner's published desires, that's on me.
>
> I feel like this discussion is really two issues: 1) Does the
> capability to override published values exist, and 2) should I use said
> capability. They really are two different questions. I personally
> would like to see BIND have the option to do #1, even if I never use it.

As long as you understand the implications of what you're doing?

The zone owner may be using short TTLs to implement load balancing
and/or quick failover. If you extend the TTLs, your users may experience
poor performance when they try to go to these sites using out-of-date
cache entries.

-- 
Barry Margolin
Arlington, MA
Re: Minimum TTL?
On 09.02.2018 at 17:37, Barry Margolin wrote:
> In article , Grant Taylor wrote:
>> On 02/08/2018 08:51 AM, Mukund Sivaraman wrote:
>>> Also, just for argument's sake, one user wants to extend TTLs to
>>> 5s. Another wants 60s TTLs. What is OK and what is going too far?
>>
>> I think what is "OK" is up to each administrator.
>>
>> Obviously the zone administrators have decided that they want people to
>> use the 2s TTL.
>>
>> That being said, it is up to each individual recursive server operator
>> if they want to honor what the zone administrators have published, or if
>> the recursive administrators want to override published desires.
>>
>>> It really is something for the zone owner to consider.
>>
>> Yes and no. Yes it's up to the zone owner to consider what intentions
>> that they want to publish. No, the zone owner has no influence on how I
>> operate my servers. I choose how I operate my servers.
>>
>> If I choose to operate my servers in a manner that ignores the zone
>> owner's published desires, that's on me.
>>
>> I feel like this discussion is really two issues: 1) Does the
>> capability to override published values exist, and 2) should I use said
>> capability. They really are two different questions. I personally
>> would like to see BIND have the option to do #1, even if I never use it.
>
> As long as you understand the implications of what you're doing?
>
> The zone owner may be using short TTLs to implement load balancing
> and/or quick failover. If you extend the TTLs, your users may experience
> poor performance when they try to go to these sites using out-of-date
> cache entries

but that's my problem then and not yours - it's that simple
Re: Minimum TTL?
In article , Reindl Harald wrote:
>> As long as you understand the implications of what you're doing?
>>
>> The zone owner may be using short TTLs to implement load balancing
>> and/or quick failover. If you extend the TTLs, your users may experience
>> poor performance when they try to go to these sites using out-of-date
>> cache entries
>
> but that's my problem then and not yours - it's that simple

Sure, but the Internet was designed on a philosophy of cooperation. An
ISP could also drop every other packet, and say "that's my problem, not
yours", but we wouldn't consider that to be a reasonable way to run a
network.

IMHO you should at least be transparent about it, so your users know
what they're in for.

-- 
Barry Margolin
Arlington, MA
Re: Minimum TTL?
On 09.02.2018 at 17:45, Barry Margolin wrote:
> In article , Reindl Harald wrote:
>>> As long as you understand the implications of what you're doing?
>>>
>>> The zone owner may be using short TTLs to implement load balancing
>>> and/or quick failover. If you extend the TTLs, your users may experience
>>> poor performance when they try to go to these sites using out-of-date
>>> cache entries
>>
>> but that's my problem then and not yours - it's that simple
>
> Sure, but the Internet was designed on a philosophy of cooperation. An
> ISP could also drop every other packet, and say "that's my problem, not
> yours", but we wouldn't consider that to be a reasonable way to run a
> network.
>
> IMHO you should at least be transparent about it, so your users know
> what they're in for

where i would place that option "my users" are my servers (inbound MX,
RBL's hence unbound there, but you would know that if you would have
followed the thread)

another usecase are 5 seconds or so to mask problems of the zone-owner
where all his slaves are victims of Cisco hardware and mangle CNAMEs in
zone-transfers with a "$TTL 0" in front of them while the whole domain
was intended to have a global 86400 seconds TTL

someone needs to show me a single example where human users would have a
non-theoretical difference between 2 and 5 seconds.. but you would also
know that if you had followed the thread
Re: Minimum TTL?
On 09.02.2018 at 17:45, Barry Margolin wrote:
> In article , Reindl Harald wrote:
>>> As long as you understand the implications of what you're doing?
>>>
>>> The zone owner may be using short TTLs to implement load balancing
>>> and/or quick failover. If you extend the TTLs, your users may experience
>>> poor performance when they try to go to these sites using out-of-date
>>> cache entries
>>
>> but that's my problem then and not yours - it's that simple
>
> Sure, but the Internet was designed on a philosophy of cooperation. An
> ISP could also drop every other packet, and say "that's my problem, not
> yours", but we wouldn't consider that to be a reasonable way to run a
> network

you mix things which must never be mixed - never

the ISP has no business to touch any packet between source and me
because he can't know the implications - he even must not know about
them because it's not his business

the admin of the destination network is in a completely different
position and knows about the implications because it's his job
Re: Minimum TTL?
In article you write:
> As long as you understand the implications of what you're doing?
>
> The zone owner may be using short TTLs to implement load balancing
> and/or quick failover. If you extend the TTLs, your users may experience
> poor performance when they try to go to these sites using out-of-date
> cache entries.

The zone in question is a DNSBL. When an address is added to or removed
from a dynamically maintained BL, the short TTL means clients pick up
the change promptly. If you want your mail filtering to work reliably,
you pay attention to that. Some of Spamhaus' BLs have minimum TTLs of
10 seconds, and they do update that fast (not using BIND, of course.)

The person who asked the original question made it quite clear that his
goal is to use a commercial DNSBL but avoid paying for it, so I don't see
any need to offer further help.

R's,
John
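The following is an added illustration, not part of any message in this thread and not BIND code: a small Python model of a resolver cache with a hypothetical `min_ttl` floor (BIND at the time of this thread has no such option; the knob here is an assumption). It reproduces two effects raised above: the query load caused by replies arriving with TTL=0 and how a floor absorbs it (sth's measurement and Harald's Cisco "TTL 0" case), and how the same floor delays a client's view of a DNSBL delisting (John's point). All replies, names and timings are constructed; negative caching of the "not listed" answer is deliberately left out to keep the model small.

```python
"""Toy resolver cache with an optional minimum-TTL floor.

Added example, not code from BIND or from anyone in this thread. The
min_ttl knob is hypothetical; all replies, names and timings are
constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

LISTED = "127.0.0.2"      # conventional DNSBL "listed" answer
NOT_LISTED = "NXDOMAIN"   # modelled as a plain value; negative caching ignored


@dataclass(frozen=True)
class Reply:
    """One answer from an authoritative server (constructed)."""
    rdata: str
    ttl: int


class FlooredCache:
    """Minimal resolver cache: a TTL below min_ttl is raised to min_ttl,
    a TTL above it is kept unchanged, and a resulting TTL of 0 is never
    cached (every query goes upstream)."""

    def __init__(self, min_ttl: int = 0) -> None:
        self.min_ttl = min_ttl
        self.store: Dict[str, Tuple[str, int]] = {}  # name -> (rdata, expires_at)
        self.upstream_queries = 0

    def lookup(self, name: str, now: int,
               auth: Callable[[str, int], Reply]) -> Tuple[str, bool]:
        """Return (rdata, served_from_cache) for a query at time `now`."""
        hit = self.store.get(name)
        if hit is not None and hit[1] > now:
            return hit[0], True
        reply = auth(name, now)
        self.upstream_queries += 1
        ttl = max(reply.ttl, self.min_ttl)   # the floor never shortens a TTL
        if ttl > 0:
            self.store[name] = (reply.rdata, now + ttl)
        return reply.rdata, False


def zero_ttl_percent(replies: List[Reply]) -> float:
    """Share of upstream replies carrying TTL=0 (the figure sth measured)."""
    if not replies:
        return 0.0
    return round(100.0 * sum(1 for r in replies if r.ttl == 0) / len(replies), 2)


def upstream_queries(min_ttl: int, published_ttl: int, seconds: int) -> int:
    """Upstream queries caused by one client asking once per second."""
    cache = FlooredCache(min_ttl)

    def auth(name: str, now: int) -> Reply:
        return Reply("192.0.2.1", published_ttl)   # constructed answer

    for t in range(seconds):
        cache.lookup("widely-used.example", t, auth)
    return cache.upstream_queries


def delisting_visible_at(min_ttl: int, published_ttl: int = 2,
                         delist_at: int = 1, horizon: int = 300) -> Optional[int]:
    """First second at which a client polling every second sees a DNSBL
    entry that was removed at `delist_at`; None if not within `horizon`."""
    cache = FlooredCache(min_ttl)

    def dnsbl(name: str, now: int) -> Reply:
        return Reply(LISTED if now < delist_at else NOT_LISTED, published_ttl)

    for t in range(horizon):
        rdata, _ = cache.lookup("2.0.0.127.dnsbl.example", t, dnsbl)
        if rdata == NOT_LISTED:
            return t
    return None


if __name__ == "__main__":
    # constructed mix: 23 of 1000 replies with TTL=0, i.e. the 2.3 % from the thread
    sample = [Reply("a", 0)] * 23 + [Reply("a", 300)] * 977
    print(f"TTL=0 share: {zero_ttl_percent(sample)} %")
    for floor in (0, 10):
        print(f"min_ttl={floor:>2}: {upstream_queries(floor, 0, 100)} upstream queries in 100 s")
    for floor in (0, 5, 60):
        print(f"min_ttl={floor:>2}: delisting visible at t={delisting_visible_at(floor)}")
    print("min_ttl=5, published TTL 86400:", delisting_visible_at(5, published_ttl=86400))
```

With a published TTL of 0 and no floor, every one of the 100 polls goes upstream; a floor of 10 s cuts that to 10. The same floor applied to a 2 s DNSBL record moves the moment a delisting becomes visible from 2 s to the floor value, which is the trade-off both sides of the thread are describing; a record that already carries a long TTL is left alone.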
Re: Minimum TTL?
On 02/09/2018 09:37 AM, Barry Margolin wrote:
> As long as you understand the implications of what you're doing?

I don't think my level of understanding has any impact on my ability to
override what the zone publisher sets the desired TTL (or any value) to
be. I have the right to run my network the way that I want to, even in
my ignorance or while shooting myself in the foot.

> The zone owner may be using short TTLs to implement load balancing
> and/or quick failover. If you extend the TTLs, your users may experience
> poor performance when they try to go to these sites using out-of-date
> cache entries.

Again, by choosing to do something, as questionable as it may be, I am
also choosing the responsibility for the outcome, for better or for
worse.

-- 
Grant. . . .
unix || die
Re: Minimum TTL?
On 2018-02-08 (03:10 MST), Michelle Konzack wrote:
>
> Hi,
>
> On 2018-02-08, LuKreme typed:
>> Is it possible to tell bind to ignore very short TTLs and enforce
>> a...say... 5 second minimum TTL?
>
> VERY SHORT TTL? Yes.
> 5 sec minimum? Yes.
> What do you mean with ignoring?

Ignoring responses with TTLs of <5 seconds and treating them as if the
TTL was 5 seconds.

> It is YOU who has to configure Bind9 correctly to longer TTLs.

I cannot configure bind for other DNS servers.

> If the NS Entry is not a Dyn-DNS entry,
> it should have anyway at least 3600 seconds.

"Should" is a pointless word 99.999% of the time it is used.

-- 
i wasn't born a programmer. i became one because i was impatient.
- Dave Winer
Re: Minimum TTL?
On 2018-02-08 (08:51 MST), Mukund Sivaraman wrote:
>
> Also, just for argument's sake, one user wants to extend TTLs to
> 5s. Another wants 60s TTLs. What is OK and what is going too far?

For the record, the issue is not RBLs or legitimate domains, it is
spammer scum that set super-low DNS because they are shotgunning spam
from a vast botnet and they want to have maximal impact, so you get a
different IP for every spam they send. It is a way of trying to
overwhelm a machine's tarpits, blacklists, sshguard protections, and
others.

But to answer your question, off-hand, I'd say that any TTL under 60s is
suspicious and any TTL under 10s is almost certainly intentionally
abusive. But that's just me, giving it maybe 20 seconds of thought.

-- 
So now you know the words to our song, pretty soon you'll all be singing
along, when you're sad, when you're lonely and it all turns out wrong...
Re: Minimum TTL?
On 02/09/2018 05:26 PM, @lbutlr wrote:
> But to answer your question, off-hand, I'd say that any TTL under 60s is
> suspicious and any TTL under 10s is almost certainly intentionally
> abusive.

I thought there was a lower recommended boundary, particularly to detect
and avoid things like fast flux. I /thought/ it was somewhere between 1
and 5 minutes.

-- 
Grant. . . .
unix || die
Re: Minimum TTL?
In article you write:
> For the record, the issue is not RBLs or legitimate domains, it is
> spammer scum that set super-low DNS because they are shotgunning spam
> from a vast botnet and they want to have maximal impact, so you get a
> different IP for every spam they send. It is a way of trying to
> overwhelm a machine's tarpits, blacklists, sshguard protections, and
> others.

Um, you have it completely backward. Botnets are computers with IP
addresses. They don't need DNS pointing at them to send spam. DNSBLs
with low TTLs try and list them the moment the first spam hits the
spamtraps.

There is fast flux DNS for computers running landing pages, but they
tend to use a lot of A records at once and don't care about the TTL
since they're going for quantity, not quality.

> But to answer your question, off-hand, I'd say that any TTL under 60s is
> suspicious and any TTL under 10s is almost certainly intentionally
> abusive.

I hope you're not planning to do much spam filtering.

R's,
John